Versions Compared


...

  1. External firewall rules may need to be adjusted so the IPsec tunnel connections can be established (see "Necessary Firewall Rules" below).

  2. IP routes within the network may need to be adjusted. It's important that traffic from our side of the site-to-site VPN connection can reach the necessary hosts and ports. It's also important that IP traffic originating from those sources or any of your internal IPs can reach the dedicated network IP ranges on our side.

  3. After your network has been configured, please coordinate with someone on the Sandbox team to launch the tunnels. This can be accomplished by sending an IP packet from your side to a specific private IP address that we'll provide.

Step 5:

You should configure a recurring IP traffic transmission job to keep the IPsec tunnels alive. Unfortunately, recurring traffic scheduled by Sandbox would NOT revive any tunnels that go down, because tunnels can only be launched by traffic originating from your side of the VPN.

...

Site-to-Site IPsec VPN Limitations

There are limitations to the site-to-site VPN configurations we can support:

  • Your side of the connection must initiate traffic to launch the tunnels

  • While IKEv1 and IKEv2 are both theoretically possible, we've only established IKEv1 tunnels thus far.

  • IKEv2 is required.

  • Only AES-256 encryption can be used for IKE and IPsec security

  • Only SHA-256 hashing is used for authentication during IKE and IPsec establishment

  • Only static routing can be supported

  • Static routing is acceptable on single-VPN setups, but we encourage using BGP if using a DR VPN.

  • Only the following Diffie-Hellman Phase groups during IKE are allowed:
    o Phase 1: 14-18, 22, 23, and 24
    o Phase 2: 14-18, 22, 23, and 24

...

Your firewall will need to allow the following traffic for us to jointly establish the VPN:

  • INBOUND
    o Protocol: UDP, Source IP: Sandbox-Tunnel-1 Public IP, Source Port: 500, Destination IP: Your Router Public IP, Destination Port: 500
    o Protocol: UDP, Source IP: Sandbox-Tunnel-2 Public IP, Source Port: 500, Destination IP: Your Router Public IP, Destination Port: 500
    o Protocol: IP 50 (ESP), Source IP: Sandbox-Tunnel-1 Public IP, Destination IP: Your Router Public IP
    o Protocol: IP 50 (ESP), Source IP: Sandbox-Tunnel-2 Public IP, Destination IP: Your Router Public IP

  • OUTBOUND
    o Protocol: UDP, Source IP: Your Router Public IP, Source Port: 500, Destination IP: Sandbox-Tunnel-1 Public IP, Destination Port: 500
    o Protocol: UDP, Source IP: Your Router Public IP, Source Port: 500, Destination IP: Sandbox-Tunnel-2 Public IP, Destination Port: 500
    o Protocol: IP 50 (ESP), Source IP: Your Router Public IP, Destination IP: Sandbox-Tunnel-1 Public IP
    o Protocol: IP 50 (ESP), Source IP: Your Router Public IP, Destination IP: Sandbox-Tunnel-2 Public IP

Furthermore, if you are using NAT traversal then the firewall must allow UDP traffic over port 4500 (see
https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html).
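The rule set above, expressed as iptables commands for a Linux router. This is an added example, not part of the original page; the tunnel endpoint and router addresses are placeholders from documentation ranges, the interface name is assumed, and the NAT-T rules are emitted only when NAT_T=1. The script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Placeholder addresses (constructed; replace with the values Sandbox provides).
SANDBOX_TUNNEL_1="${SANDBOX_TUNNEL_1:-203.0.113.10}"
SANDBOX_TUNNEL_2="${SANDBOX_TUNNEL_2:-203.0.113.11}"
ROUTER_PUBLIC_IP="${ROUTER_PUBLIC_IP:-198.51.100.1}"
WAN_IF="${WAN_IF:-eth0}"   # assumed external interface name
NAT_T="${NAT_T:-1}"        # 1 if NAT traversal is in use, 0 otherwise

# Print the rules needed for one Sandbox tunnel endpoint. Nothing is applied;
# pipe the output into sh once it has been reviewed.
vpn_peer_rules() {
    peer="$1"
    # INBOUND: IKE (UDP/500) from the tunnel endpoint to the router.
    echo "iptables -A INPUT  -i $WAN_IF -p udp -s $peer --sport 500 -d $ROUTER_PUBLIC_IP --dport 500 -j ACCEPT"
    # INBOUND: ESP (IP protocol 50) from the tunnel endpoint.
    echo "iptables -A INPUT  -i $WAN_IF -p 50 -s $peer -d $ROUTER_PUBLIC_IP -j ACCEPT"
    # OUTBOUND: IKE (UDP/500) from the router to the tunnel endpoint.
    echo "iptables -A OUTPUT -o $WAN_IF -p udp -s $ROUTER_PUBLIC_IP --sport 500 -d $peer --dport 500 -j ACCEPT"
    # OUTBOUND: ESP (IP protocol 50) to the tunnel endpoint.
    echo "iptables -A OUTPUT -o $WAN_IF -p 50 -s $ROUTER_PUBLIC_IP -d $peer -j ACCEPT"
    # NAT traversal: UDP/4500 in both directions, only when NAT-T is used.
    if [ "$NAT_T" = "1" ]; then
        echo "iptables -A INPUT  -i $WAN_IF -p udp -s $peer --sport 4500 -d $ROUTER_PUBLIC_IP --dport 4500 -j ACCEPT"
        echo "iptables -A OUTPUT -o $WAN_IF -p udp -s $ROUTER_PUBLIC_IP --sport 4500 -d $peer --dport 4500 -j ACCEPT"
    fi
}

# Rules for both tunnel endpoints, narrowed to the two peer IPs only.
vpn_rules() {
    vpn_peer_rules "$SANDBOX_TUNNEL_1"
    vpn_peer_rules "$SANDBOX_TUNNEL_2"
}

# Number of rules that would be applied (4 per peer, 6 per peer with NAT-T).
vpn_rule_count() {
    vpn_rules | wc -l | tr -d ' '
}
```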

Additional Documentation

Sandbox uses AWS managed Site-to-Site VPN Connections to establish IPsec tunnels, and AWS has published significant documentation regarding their setup. The following guide is a good starting point if more information would be helpful:

...