About External Device Connection Settings

The following are configuration settings for creating an external connection, and general settings that you can configure after the external connection is created.

About External Device Connection Settings

Connect Public Cloud to

Create an External Device Connection that uses BGP; a Static Route-Based or Static Policy-Based (Mapped or Unmapped) connection; or an AWS VGW/Azure VNG connection.

For the Static options, you should select Unmapped (any Static option not marked as Mapped) unless the Local Subnet and the Remote Subnet overlap. Then you must select a Mapped connection.

Local Gateway

The Transit Gateway on which to apply the external connection.

Local Subnet CIDR(s)

The CIDR(s) of the Local Gateway selected in this external connection (the name changes to Real Local Subnet CIDR(s) if a Mapped connection is selected).

Remote Gateway Type

Select the gateway type of the external connection.

You should select 'Generic' for most connections (used for most third-party routers and firewalls). Select 'Aviatrix' if you are terminating on an Avatrix on-premise gateway.

Any other Remote Gateways listed here are only valid with Controller version 6.7 or lower.

Remote Subnet CIDR(s)

The CIDR(s) of the remote gateway selected in this external connection (the name changes to Real Remote Subnet CIDR(s) if a mapped connection is selected).

Virtual Local Subnet CIDR(s) (Mapped connections only)

Virtual local network CIDRs that are mapped to the real local subnet.

Virtual Remote Subnet CIDR(s) (Mapped connections only)

Virtual remote network CIDR(s) that are mapped to the real remote subnet.

Authentication Method

PSK-based or Cert-based. If the latter is selected, you upload or import a remote CA certificate and enter the SAN of the certificate in the Remote Identifier field. If HA is enabled for the selected gateway you also enter the SAN of the HA gateway in the Remote Identifier field.

Pre-Shared Key

Used in authentication. It is a string you enter when you configure your connection. If you do not specify one, it is auto-generated.

Local ASN (BGP connections only)

The BGP AS number the Transit GW will use to exchange routes with external device.

Remote ASN

When BGP is selected, the BGP AS number the external device will use to exchange routes Aviatrix Transit GW.

Over Private Network (all connections except BGP over LAN)

Select this option if your underlying infrastructure is a private network, such as AWS Direct Connect and Azure ExpressRoute. See the "How does it work" section for more details. When this option is selected, BGP and IPsec run over private IP addresses.

IKEv2 (all connections except BGP over GRE and BGP over LAN)

Select the option to connect to the remote site using IKEv2 protocol.

If you configure IKEv1 in a Site2Cloud connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the Site2Cloud connection will go down until you add the new certficate.

Algorithms (not applicable for BGP over GRE, BGP over LAN)

Aviatrix-supported encryption algorithms. If this is turned on, you can configure the following algorithms:

  • Phase 1 Authentication: default is SHA-256

  • Phase 1 DH Groups: default is 14

  • Phase 1 Encryption: default is AES-256-CBC

  • Phase 2 Authentication: default is HMAC-SHA-256

  • Phase 2 DH Groups: default is 14

  • Phase 2 Encryption: default is AES-256-CBC

Single IP HA

Enable this setting to set up High Availability (HA) instances for each new connection that can go up if the primary instance goes down. When active, each standby instance will use the same IP address as the remote connection.

Learned CIDR Approval

An approval process for gateway-learned CIDRs. When this is On, an email notification is sent to the administrator to approve the learned CIDRs before they are propagated to the Spoke VPC/VNet route table.

Remote Gateway IP

IP address of the remote device.

Local Gateway Instance (not applicable for BGP connections or Static Route-Based ActiveMesh)

The instance on the local gateway …​

Local Tunnel IP

Optional parameter. This field is for the tunnel inside IP address of the Transit Gateway. Leave it blank.

Remote Tunnel IP

Optional parameter. This field is for the tunnel inside IP address of the external device. Leave it blank.

Aviatrix Gateway (Azure VNG only)

Select the Aviatrix Gatway to link to the Azure VNG.

VGW Region

The AWS region where VGW is created.

VGW Account Name

The name of the AWS account that the VGW is created with.

VGW ID (AWS VGW only)

VGW that is created in the VGW region in the AWS VGW account.

VNG Name (Azure VNG only)

Select the VNG Name (only displays if an Aviatrix Gateway is selected).

About External Connection General Settings

Active-Active HA

Allow gateways to support Active-Active mode where both tunnels are up and packets are routed to both gateways via respective VPC/VNet route tables.

To enable this, slide the toggle switch to turn it On.

Forward Traffic to Transit Gateway (Static Route-Based Mapped Only)

Typically you enable the Forward Traffic to Transit Gateway option when you have a connection that has overlapping CIDRs. This forwarding ensures that traffic is sent between on-prem routers and local Spoke and Transit gateways.

In most cases you will enable this so that your on-premise traffic is forwarded.

Jumbo Frame

Jumbo Frame improves Aviatrix Gateway throughput performance.

Jumbo Frame is enabled by default for AWS and OCI. It is not supported for Azure or GCP.

Dead Peer Connection

Dead Peer Detection (DPD) is a standard mechanism (RFC 3706) between IPsec tunnels to send periodic messages to ensure the remote site is up.

By default DPD detection is enabled.

Field

Value

Description

Delay

>= 1

Keepalive timer (in seconds)

Retry Delay

>= 1

How long should the tunnel wait before declaring keep alive failed. (in seconds)

Maxfail

>= 1

Number of tries before considering the peer is dead.

Local Gateway Identifier

By default, Aviatrix configures gateway’s public IP as the Local Identifier. You can adjust these settings to your gateway’s private IP.

Remote Gateway Identifier

Aviatrix only supports IP_ADDRESS and KEY_ID as the IKE identity type for the remote identifier in the pre-shared key authentication. The IP_ADDRESS must be a valid IPv4 IP address. The KEY_ID is a remote device ID during the key authentication.

By default, Aviatrix configures the public IPv4 address of the peer device as the Remote Identifier for pre-shared key authentication. You can adjust this setting to the private IPv4 address of the peer device.

Clear Sessions

Clear Session allows you to reset all the active sessions on a selected Site2Cloud connection. Click Clear to clear these connections.