I want to use AWS Site-to-Site VPN to build a certificate-based IP Security (IPsec) virtual private network (VPN).
Short description
AWS Site-to-Site VPN supports certificate-based authentication through its integration with AWS Private Certificate Authority (AWS Private CA). Instead of pre-shared keys, you use digital certificates issued by AWS Private CA for Internet Key Exchange (IKE) authentication, which works with both static and dynamic customer gateway IP addresses.
Note: You can't use an external self-signed certificate for Site-to-Site VPN. For more information on certificate options, see Site-to-Site VPN tunnel authentication options.
Resolution
Install a root and subordinate private CA certificate
Create a root CA and a subordinate CA in AWS Private CA, and install the CA certificate for each.
Request or create a private certificate
Request a private certificate from AWS Certificate Manager (ACM), issued by your subordinate CA, to use as the identity certificate for your customer gateway device. If you already have a suitable private certificate in ACM, you can use it; otherwise, request a new one.
The identity certificate must be issued by the subordinate CA, and that subordinate CA must be hosted in AWS Private CA (formerly ACM Private CA). If your subordinate CA is signed by an external root, create the subordinate CA in AWS Private CA, generate its certificate signing request (CSR), have your external root CA sign it, and then import the signed subordinate CA certificate into AWS Private CA.
Create a customer gateway
Create a customer gateway for your VPN connection:
- Open the Amazon Virtual Private Cloud (Amazon VPC) console.
- Choose Customer Gateways. Then, choose Create Customer Gateway.
- For Name, enter a name for your customer gateway.
- For Routing, select the routing type for your use case.
- Because the certificate, not the IP address, identifies the peer, the IP Address field is optional. If your customer gateway IP address is dynamic, leave the field empty. If it is static, you can leave the field empty or specify the address.
- For Certificate ARN, choose the certificate ARN for your private certificate.
- (Optional) For Device, enter a device name.
- Choose Create Customer Gateway.
Configure the Site-to-Site VPN
Configure the AWS Site-to-Site VPN connection with a virtual private gateway.
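The AWS-side steps above (request the identity certificate, create the customer gateway with the certificate ARN, create the VPN connection, and export the certificate bundle for the device) as an added AWS CLI example. This is not code from the AWS article; it assumes AWS CLI v2 with credentials and a region configured, and every ARN, ID, ASN, file name and the device name cgw.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not from the AWS article: AWS-side provisioning of a
# certificate-based Site-to-Site VPN with the AWS CLI. Assumes AWS CLI v2 with
# credentials and a region configured. All ARNs, IDs and names are placeholders.

# Every AWS call goes through run(). With DRY_RUN=1 the command is printed
# instead of executed, so the plan can be reviewed before touching the account.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Request the device identity certificate from ACM, signed by the subordinate
# CA hosted in AWS Private CA. Prints the certificate ARN.
request_identity_cert() {  # $1 = subordinate CA ARN, $2 = device FQDN
  run aws acm request-certificate \
    --certificate-authority-arn "$1" --domain-name "$2" \
    --query CertificateArn --output text
}

# Create the customer gateway. The certificate ARN identifies the peer, so
# --public-ip is optional: omit it for a dynamic address, or pass a static one.
create_customer_gateway() {  # $1 = certificate ARN, $2 = BGP ASN, $3 = static public IP (optional)
  if [ -n "${3:-}" ]; then
    run aws ec2 create-customer-gateway --type ipsec.1 --bgp-asn "$2" \
      --certificate-arn "$1" --public-ip "$3" \
      --query CustomerGateway.CustomerGatewayId --output text
  else
    run aws ec2 create-customer-gateway --type ipsec.1 --bgp-asn "$2" \
      --certificate-arn "$1" \
      --query CustomerGateway.CustomerGatewayId --output text
  fi
}

# Create the Site-to-Site VPN connection against a virtual private gateway.
create_vpn_connection() {  # $1 = customer gateway ID, $2 = virtual private gateway ID
  run aws ec2 create-vpn-connection --type ipsec.1 \
    --customer-gateway-id "$1" --vpn-gateway-id "$2" \
    --query VpnConnection.VpnConnectionId --output text
}

# Export the identity certificate, its passphrase-encrypted private key and the
# CA chain (subordinate + root) as JSON, ready to copy to the device.
export_for_device() {  # $1 = certificate ARN, $2 = file holding the key passphrase
  run aws acm export-certificate --certificate-arn "$1" \
    --passphrase "fileb://$2" --output json
}

# Usage (set DRY_RUN=1 to print the commands instead of running them):
#   SUB_CA_ARN=arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE
#   CERT_ARN=$(request_identity_cert "$SUB_CA_ARN" cgw.example.com)
#   CGW_ID=$(create_customer_gateway "$CERT_ARN" 65000)            # dynamic IP
#   VPN_ID=$(create_vpn_connection "$CGW_ID" vgw-0123456789abcdef0)
#   export_for_device "$CERT_ARN" ./passphrase.txt > device-bundle.json
```

The export step is what produces the three items the device needs: the Certificate field is the identity certificate, CertificateChain holds the subordinate and root CA certificates, and PrivateKey is encrypted with the passphrase you supplied, so keep that passphrase with the bundle you copy to the device.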
Copy certificates to the customer gateway device
Copy the private certificate, root CA certificate, and subordinate CA certificate to the customer gateway device.
Note: During IKE authentication, the AWS side requests a certificate and the customer gateway device presents its private (identity) certificate. The device must still hold all three certificates: the identity certificate plus the subordinate CA and root CA certificates that form its chain. If any of the three is missing from the device, VPN authentication fails.
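A way to check, on the customer gateway device, that the copied files actually form the complete chain the note requires, as an added example that is not part of the AWS article. It uses openssl only; the root/subordinate/identity chain it generates is constructed test data standing in for the AWS Private CA chain, and the file names root.pem, sub.pem, cgw.pem and cgw.key are assumptions.

```shell
#!/bin/sh
# Added example, not from the AWS article: verify on the customer gateway device
# that the identity certificate, subordinate CA and root CA copied from ACM form
# a complete chain, and that the private key belongs to the identity certificate.

# Chain check as an IKE peer will perform it: the identity certificate must reach
# the trusted root through the subordinate CA. Pass "" as $2 to see what happens
# when the subordinate CA certificate is missing from the device.
verify_device_chain() {  # $1 = root CA PEM, $2 = subordinate CA PEM or "", $3 = identity PEM
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Confirm the private key copied to the device matches the identity certificate
# by comparing public keys. ACM exports the key encrypted; pass its passphrase as $3.
key_matches_cert() {  # $1 = identity PEM, $2 = private key PEM, $3 = passphrase (optional)
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  if [ -n "${3:-}" ]; then
    key_pub=$(openssl pkey -pubout -in "$2" -passin "pass:$3")
  else
    key_pub=$(openssl pkey -pubout -in "$2")
  fi
  if [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo fail; fi
}

# Constructed test data: a throwaway root -> subordinate -> identity chain that
# mirrors the AWS Private CA hierarchy. On a real device use the ACM export instead.
make_demo_chain() {  # $1 = output directory
  d=$1
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-root" \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/sub.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-sub" \
    -keyout "$d/sub.key" -out "$d/sub.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/sub.ext" -out "$d/sub.pem" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nsubjectAltName=DNS:cgw.example.com\n' > "$d/cgw.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cgw.example.com" \
    -keyout "$d/cgw.key" -out "$d/cgw.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/cgw.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -extfile "$d/cgw.ext" -out "$d/cgw.pem" >/dev/null 2>&1
}

# Usage: sh check_chain.sh demo   (build the throwaway chain and run the checks)
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_demo_chain "$dir"
  echo "all three certificates present: $(verify_device_chain "$dir/root.pem" "$dir/sub.pem" "$dir/cgw.pem")"
  echo "subordinate CA missing:         $(verify_device_chain "$dir/root.pem" "" "$dir/cgw.pem")"
  echo "root CA missing:                $(verify_device_chain "$dir/sub.pem" "" "$dir/cgw.pem")"
  echo "private key matches identity:   $(key_matches_cert "$dir/cgw.pem" "$dir/cgw.key")"
  rm -rf "$dir"
fi
```

On the device, point verify_device_chain at the root and subordinate CA certificates taken from the CertificateChain of the ACM export and at the identity certificate, and key_matches_cert at the exported key with its passphrase; an "ok" from both before you configure IKE rules out the missing-certificate failure the note describes.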
Related information
Requirements for your customer gateway device
Private certificate from AWS Private Certificate Authority