Static Policy-Based External Connection
Connect to a remote site that supports policy-based VPN with static configuration from any local gateway (Unmapped) or connect overlapping networks between the cloud and on-prem from any local gateway (Mapped).
To set up a static policy-based external connection:
- Go to Networking > Connectivity > External Connections (S2C) tab.
- Click + External Connection.
- Select or enter the following values:
Parameter | Description |
Name | A name for this connection. |
Connect Public Cloud To | Select the External Device radio button. Click on the dropdown menu and select Static Policy-Based. |
Local Gateway | The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device. |
Local Subnet CIDR(s) | The subnet CIDR range(s) for the local gateway. |
Remote Gateway Type | Any other Remote Gateways listed here are only valid with Controller version 6.7 or lower. If using a higher Controller version, only select Generic or Aviatrix. |
Remote Subnet CIDR(s) | The subnet CIDR range(s) for the remote gateway, or the on-prem gateway you are connecting to the cloud. |
Advanced Settings | |
Authentication Method | You can authenticate the connection using PSK or certificate-based authentication. |
Over Private Network | Select this option if your underlying infrastructure is a private network, such as AWS Direct Connect and Azure ExpressRoute. See the "How does it work" section for more details. When this option is selected, BGP and IPsec run over private IP addresses. |
IKEv2 | Select the option to connect to the remote site using the IKEv2 protocol. This is the recommended protocol. If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate. |
Algorithms | If the Algorithms checkbox is unmarked, the default values will be used. If it is marked, you can set any of the fields defined below. |
Connection | |
Single IP HA | Enable this setting to set up High Availability (HA) instances for each new connection that can take over if the primary instance goes down. When active, each standby instance will use the same IP address as the remote connection. |
+Connection | Click here to add a remote gateway, or an on-prem gateway to connect to the cloud. |
- Click Save.
The new static policy-based external connection appears in the table.
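The following pre-flight check is an added example, not part of the original page or of Aviatrix tooling. It validates the values intended for Local Subnet CIDR(s) and Remote Subnet CIDR(s) and reports whether they overlap, which is the case the page assigns to the Mapped variant. The function names are hypothetical and the sample CIDRs are constructed.

```python
# Added example: pre-flight check of the subnet values before they go into the form.
import ipaddress


def parse_cidrs(values):
    """Parse CIDR strings strictly; host bits set (e.g. 10.0.1.5/24) is an error."""
    nets, errors = [], []
    for value in values:
        try:
            nets.append(ipaddress.ip_network(value.strip(), strict=True))
        except ValueError as exc:
            errors.append(f"{value!r}: {exc}")
    return nets, errors


def find_overlaps(local, remote):
    """Return (local, remote) pairs of same-family networks that overlap."""
    return [(l, r) for l in local for r in remote
            if l.version == r.version and l.overlaps(r)]


def preflight(local_cidrs, remote_cidrs):
    """Report which variant (Mapped or Unmapped) the entered subnets call for."""
    local, local_err = parse_cidrs(local_cidrs)
    remote, remote_err = parse_cidrs(remote_cidrs)
    errors = local_err + remote_err
    overlaps = find_overlaps(local, remote)
    if errors:
        variant = "invalid"      # fix the malformed entries before deciding
    elif overlaps:
        variant = "Mapped"       # overlapping cloud and on-prem ranges
    else:
        variant = "Unmapped"     # disjoint ranges
    return {"variant": variant, "errors": errors,
            "overlaps": [(str(l), str(r)) for l, r in overlaps]}


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(preflight(["10.10.0.0/16"], ["192.168.50.0/24"]))
    print(preflight(["10.10.0.0/16", "172.16.0.0/24"], ["10.10.4.0/22"]))
    print(preflight(["10.10.1.7/24"], ["192.168.50.0/24"]))
```

Running the check on both sides' subnet lists before saving catches a mistyped range or an unnoticed overlap while it is still a form value rather than a tunnel that fails to pass traffic.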