I must be missing something.
I’ve got a customer site with a dynamic IP and a hardware router. (3G modem with IPSec VPN support)
Everything seems to require a static IP for the customer site. Is there a way around this, or something I’m missing there? I need to have the LAN segment behind this 3G modem able to connect into my VPC. It supports SSL, IPSec and PPTP.
What’s the bit of the picture I’m missing here?
The AWS VPN requires a static IP. Your best bet is to set up an EC2 instance with your VPN of choice (strongSwan, openswan, OpenVPN, etc.). Good luck.
Who’s your ISP? Even on residential internet plans, you can pay like $10/month for a static IP. I imagine you have something similar available.
You must have a static IP for the AWS virtual private gateway VPN. Optionally you can use another site-to-site VPN, but you’ll need to manage that VPN server or pair of servers within AWS. Taking account of availability, you should weigh your cost of ownership and make a decision.
Which services are you connecting to at AWS through the vpn, or on prem from the vpc through the vpn?
And do you have any specific requirements for high availability?
This is what I’m looking at now. Thanks for that.
Telstra 3G/4G Cellular connection. Static IP is not available.
I wish. Every ISP I’ve dealt with forces you to go to a Business plan and pay at least triple to get the privilege of then paying extra for a static IP.
Yeah, looking at doing this now with another machine to run that VPN. Static IP is flat out not available on cellular connections here.
All I want is for this one VM on AWS to be able to reach a number of VMs inside the network behind the router.
Basically this is to be a back-up back-door to our network in the event of a primary WAN failure. We can’t do failover of the WAN link for [reasons], but the idea is to have this 3G modem connected to the core switch, maintaining a connection via IPSec to AWS. (The cellular network in this country cannot do inbound connections due to double-NAT, so the cellular router has to be making an outbound connection.) The idea being: if the WAN or firewall fail at the primary network, I can RDP into this AWS box and be able to access the switches, ESXi, the firewall, etc., even if the WAN link is down.
The AWS offering for IPsec is designed for static peers. If you want something to support peers with unknown IPs, then you will have to use either something like strongSwan or, if the dynamic IP doesn’t change often (by often I mean during the lifetime of a session), you could write a script to stand up the AWS VPN gateway on demand using your current dynamically assigned IP address. You should be able to bring up the tunnel by sending packets to the AWS side of the network, assuming this weird NAT situation doesn’t affect your ability to do IPsec completely.
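The two suggestions above (run strongSwan on an EC2 instance, and let the cellular side initiate because AWS's managed VPN needs a static peer) come down to one configuration pattern: the EC2 instance is a pure responder that accepts the peer from any address and authenticates it by IKE identity rather than by IP. The swanctl.conf below is an added example of that pattern, not something posted in this thread or shipped by AWS or strongSwan; the identities, CIDRs and PSK are placeholders, and the names `site-cellular` / `lan` are arbitrary.

```conf
# /etc/swanctl/swanctl.conf on the EC2 instance (responder side) -- added example
connections {
    site-cellular {
        # EC2 instance listens on its private address; AWS maps the Elastic IP 1:1,
        # so NAT traversal (UDP 4500) is used automatically.
        local_addrs  = %any
        # The 3G/4G router has a dynamic, double-NATed address: accept any peer
        # and rely on the IKE identity + PSK below to decide who is allowed in.
        remote_addrs = %any
        version      = 2
        proposals    = aes256-sha256-x25519
        # Dead peer detection notices when the cellular address changes mid-session
        # and the old SA goes silent; the router then simply re-initiates.
        dpd_delay    = 30s
        mobike       = yes

        local {
            auth = psk
            id   = vpn-aws.example.com        # hypothetical identity of the EC2 side
        }
        remote {
            auth = psk
            id   = site-3g.example.com        # hypothetical identity; never an IP address
        }

        children {
            lan {
                local_ts      = 10.0.0.0/16       # hypothetical VPC CIDR
                remote_ts     = 192.168.10.0/24   # hypothetical LAN behind the cellular router
                esp_proposals = aes256gcm16-x25519
                # Responder only: never try to dial the peer, and drop the SA on DPD timeout
                start_action  = none
                dpd_action    = clear
            }
        }
    }
}

secrets {
    ike-site-cellular {
        id-1   = vpn-aws.example.com
        id-2   = site-3g.example.com
        secret = "REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY"   # placeholder
    }
}
```

On the AWS side this still needs the usual plumbing: a security group allowing inbound UDP 500 and 4500 from anywhere (the peer's source address is unknown), the instance's source/destination check disabled so it can forward for 192.168.10.0/24, and a VPC route for that prefix pointing at the instance's network interface. Because only the identity and PSK gate access, the PSK should be long and random; the better option with a dynamic peer is certificate authentication (`auth = pubkey` with a CA the instance trusts), since a leaked PSK can be used from any address.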