You must add a new gateway and configure routing and backhaul tunnel details to establish S2S VPN connectivity with the customer network.
Procedure
Step 1: In the CDO dashboard, navigate to Secure Connect Choice > Overview.
Step 2: In the Backhaul Tunnel Connection area, click Setup.
Step 3: In the Add Gateway list, click Add New Gateway.
Step 4: In the Gateway Name field, specify a name for your gateway.
Step 5: Select one of the following:
- Customer edge device (IPSec): Select this option to deploy a site-to-site VPN tunnel between Cisco’s AWS and the customer network over the public internet.
- Direct Connect Gateway: Select this option to connect the customer AWS environment directly to the Choice AWS environment without using the public internet.
Step 6: In the Backhaul Termination Device Type list, select a device.
Step 7: In the Routing area, select one of the following:
- Static: Provides a non-dynamic routing option. Configure static routes on both the transit gateway and the customer gateway for the prefixes to be sent over the secured backhaul tunnel.
- BGP ASN: Border Gateway Protocol (BGP) Autonomous System Number (ASN) provides a dynamic routing option. The BGP relationship is formed over a tunnel between Secure Connect Choice and the customer environment to exchange routing information.
Step 8: If you selected BGP ASN, enter the autonomous system number of your customer's gateway device.
Step 9: In the Client Reachable Prefixes field, specify the public and private IP address ranges used internally by your organization. Separate multiple values with commas.
Step 10: In the Backhaul Tunnel area, provide the following information:
- Customer Peer IP: Specify the public static IP address of the customer gateway device. The default traffic selector is 'any-any'. If you don't want to expose all internal traffic, choose specific subnets as the traffic selector for the VPN tunnel.
- Customer DNS Server IP: Specify your customer’s internal DNS server IP address.
- Customer IP Range: Specify the IP address range used by the customer.
- Autogenerate Tunnel IP: Check this option to allow AWS to generate the tunnel addresses. If unchecked, enter the interface IP address for the tunnels.
- Autogenerate Pre-shared Keys: Check this option to allow AWS to generate the shared secret key. If unchecked, enter the pre-shared key for the tunnels.
Step 11: If you selected Direct Connect Gateway, provide the AWS details by referring to the customer’s AWS management console.
Step 12: Click Save.
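The values entered in Steps 7 through 10 are easy to get subtly wrong (a prefix with host bits set, a private address as the peer IP, a DNS server outside the customer range, a malformed pre-shared key). The following pre-submission sanity check is an added example, not part of this guide or of CDO; the form field names, the sample values, the /30-in-169.254.0.0/16 tunnel addressing rule and the 8-64 character pre-shared key rule are assumptions drawn from general AWS Site-to-Site VPN practice.

```python
import ipaddress
import re

# Constructed sample mirroring the Add Gateway form fields (not taken from the page).
SAMPLE = {
    "routing": "BGP ASN",
    "asn": 65010,
    "client_reachable_prefixes": "10.20.0.0/16, 203.0.113.0/24",
    "customer_peer_ip": "198.51.100.7",
    "customer_dns_ip": "10.20.0.53",
    "customer_ip_range": "10.20.0.0/16",
    "tunnel_ip": "169.254.10.1/30",  # used only when Autogenerate Tunnel IP is unchecked
    "psk": "hunter2",                 # used only when Autogenerate Pre-shared Keys is unchecked
}

# Address space that can never be a reachable public static peer address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def validate_gateway(form):
    """Return a list of problems; an empty list means the form is internally consistent."""
    problems = []
    if form.get("routing") == "BGP ASN":
        asn = form.get("asn")
        # 16- and 32-bit ASNs are allowed; 0 and 23456 (AS_TRANS) are not usable for a peer.
        if not isinstance(asn, int) or not 1 <= asn <= 4294967295 or asn == 23456:
            problems.append(f"invalid BGP ASN: {asn!r}")
    for raw in form["client_reachable_prefixes"].split(","):
        try:
            ipaddress.ip_network(raw.strip(), strict=True)  # host bits set -> rejected
        except ValueError:
            problems.append(f"bad prefix: {raw.strip()!r}")
    peer = ipaddress.ip_address(form["customer_peer_ip"])
    if any(peer in net for net in NON_PUBLIC):
        problems.append(f"customer peer IP is not a public address: {peer}")
    cust = ipaddress.ip_network(form["customer_ip_range"], strict=True)
    if ipaddress.ip_address(form["customer_dns_ip"]) not in cust:
        problems.append("customer DNS server IP lies outside Customer IP Range")
    if form.get("tunnel_ip"):
        iface = ipaddress.ip_interface(form["tunnel_ip"])
        # Assumption: tunnel interfaces use a /30 from link-local space, as AWS expects.
        if iface.network.prefixlen != 30 or iface.ip not in ipaddress.ip_network("169.254.0.0/16"):
            problems.append("tunnel interface IP should be a /30 inside 169.254.0.0/16")
    if form.get("psk") is not None and not re.fullmatch(r"[1-9A-Za-z._][A-Za-z0-9._]{7,63}", form["psk"]):
        problems.append("pre-shared key must be 8-64 chars of [A-Za-z0-9._] and not start with 0")
    return problems

if __name__ == "__main__":
    print(validate_gateway(SAMPLE) or "ok")
```

Run it against the values you intend to type into the form; the sample deliberately fails only on its too-short pre-shared key.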