Dec, 4 2020

How to set up an IPsec tunnel using EMnify CloudConnect


EMnify offers the possibility to set up an IPsec tunnel to keep all data communication between your application server and our mobile core private. With EMnify CloudConnect you can create the IPsec tunnel in a few easy steps.

1. IPsec configuration on EMnify side

1.1 Portal configuration

To create an IPsec tunnel, click on Integration in the Portal menu. Scroll down to the Secure Connection section and click on ADD under IPsec.

[Screenshot: IPSec config]

You will be logged into the old portal. 

Select IPSec again:

[Screenshot: TGW Configuration]


Fill out the form:

Enter the requested information:

  • Enter a name of your choice;
  • Choose the region you would like to connect to. Make sure you select the same region in your Service Profile;
  • Enter your VPN public IP;
  • Add up to 3 CIDRs used in your VPC. Select the CIDRs to which data will be sent. Note that the CIDRs must be valid RFC 1918 private address prefixes and the prefix length must be between /32 and /22. The default /16 CIDR will be declined. If the CIDR is already taken on our side, a warning will be displayed when you try to validate the TGW, because AWS TGW does not support overlapping IP addresses;
  • The PSK will be created automatically;
  • Select Dynamic VPN if you want to use BGP features. For this step, select the "Dynamic VPN" checkbox in the CloudConnect UI, configure the BGP ASN of your side and follow the instructions here: https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html. Note: the CloudConnect side uses the AWS default ASN 64512;
  • Add a description of your choice.

On the next screen, a summary of your configuration is available.

Make sure everything is correct and click on "create attachment". If the entered CIDR is not correct or not available, a warning will be displayed.

In this case, enter a new CIDR and repeat the same process. Once the setup is complete, the status of the VPN will be "pending" until the automatic IPsec creation on our side is complete. Once the status is "not connected", you can display the VPN configuration which you need to apply on your side.

NOTE: Once the attachment is created, you will be billed at the end of the month, as notified when creating the CloudConnect request.

1.3. IP range configuration

All IP ranges assigned to the customer's account need to be configured on the EMnify side. By default, each account has a /24 range. Inform EMnify via ticket whenever a new range is manually added to your account: send an email to support@emnify.com stating which new range should be configured for your IPsec tunnel.

2. IPsec configuration on Customer's side

2.1. Redundancy

Two tunnels have been created. This is intended for redundancy. We advise you to configure both on your side as well, but this is optional.

To handle the configuration, you can use the help available in the Amazon knowledge base: https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html. Simply select the gateway device you are using and apply the configuration.

2.2. Firewall rules (incoming traffic)

Traffic coming from EMnify endpoint IP addresses needs to be allowed on the customer's side. This can be done by allowing our complete IP range or only the ranges assigned to your EMnify account:

  • If you can, allow traffic from the following ranges: 100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14. You will then be sure that traffic from your endpoints is allowed.
  • If you have overlapping rules, you can allow only the IP ranges assigned to your account. In this case, you need to update your configuration each time a new IP range is assigned to your account.

2.3. Routing tables (outgoing traffic)

The routing table also needs to be updated, as all traffic going to your devices (EMnify IP ranges) needs to go through the IPsec tunnel. Here as well, two solutions are possible:

  • If you can, send all traffic to the following ranges through the IPsec tunnel: 100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14.
  • If you have overlapping rules, you can configure only the IP ranges assigned to your account. In this case, you need to update your configuration each time a new IP range is assigned to your account.
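Sections 2.2 and 2.3 share one decision: either allow and route the three EMnify aggregate ranges, or, when those aggregates overlap address space you already use, fall back to the ranges assigned to your account and keep that list current. The following added example is not EMnify's code and not an AWS or gateway-vendor configuration. It builds the prefix list for either mode, rejects an account range that does not fall inside an EMnify aggregate (a typo that would otherwise silently drop traffic), detects the overlap case against your local VPC CIDRs, evaluates a firewall decision for a source address, and renders the equivalent `iptables` and `ip route` lines for a Linux gateway with a route-based tunnel on an interface assumed here to be called `ipsec0`. All sample addresses are constructed.

```python
import ipaddress

# EMnify aggregate ranges from the guide: allowing and routing these covers
# every range that can ever be assigned to an account.
EMNIFY_AGGREGATE = ["100.64.0.0/10", "10.192.0.0/12", "10.4.0.0/14"]


def build_prefix_set(mode, account_ranges=()):
    """Return the IPv4 networks to allow (firewall) and route (routing table).

    mode="aggregate": the three EMnify ranges, no maintenance needed later.
    mode="account":   only the ranges assigned to this account; each must lie
                      inside an aggregate range, otherwise it is a typo.
    """
    aggregates = [ipaddress.ip_network(a) for a in EMNIFY_AGGREGATE]
    if mode == "aggregate":
        return aggregates
    if mode != "account":
        raise ValueError("mode must be 'aggregate' or 'account'")
    nets = []
    for rng in account_ranges:
        net = ipaddress.ip_network(rng)
        if not any(net.subnet_of(agg) for agg in aggregates):
            raise ValueError(f"{rng} is not inside any EMnify range")
        nets.append(net)
    return nets


def conflicts_with_local(prefixes, local_cidrs):
    """Return the EMnify prefixes that overlap your own VPC CIDRs.

    A non-empty result is the 'overlapping rules' case from the guide: the
    aggregate ranges cannot be used, so switch to mode="account".
    """
    local = [ipaddress.ip_network(c) for c in local_cidrs]
    return [p for p in prefixes if any(p.overlaps(l) for l in local)]


def is_endpoint_traffic(src_ip, prefixes):
    """Firewall decision: does this source address fall in an allowed prefix?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in p for p in prefixes)


def render_linux_config(prefixes, tunnel_if="ipsec0"):
    """Render inbound allow rules and routes for a Linux gateway.

    Assumes a route-based tunnel exposed as interface `tunnel_if` (hypothetical
    name); policy-based setups and cloud gateways need their own syntax, see the
    AWS guide linked in section 2.1.
    """
    cmds = []
    for p in prefixes:
        cmds.append(f"iptables -A INPUT -i {tunnel_if} -s {p} -j ACCEPT")
        cmds.append(f"ip route add {p} dev {tunnel_if}")
    return cmds


if __name__ == "__main__":
    # constructed scenario: the VPC uses 10.5.0.0/16, which collides with the
    # 10.4.0.0/14 aggregate, so only the account's assigned /24 can be used
    local_vpc = ["10.5.0.0/16"]
    aggregate = build_prefix_set("aggregate")
    if conflicts_with_local(aggregate, local_vpc):
        prefixes = build_prefix_set("account", ["10.200.1.0/24"])
    else:
        prefixes = aggregate
    for line in render_linux_config(prefixes):
        print(line)
```

In account mode, rerun `render_linux_config` whenever support confirms a new range for your account (section 1.3); the `subnet_of` check makes a mistyped range fail loudly at that point instead of leaving devices unreachable.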