Step 1:

Please provide the Sandbox team with the following information:

  1. The model of your network's site-to-site VPN router.

  2. The public IP address of your network's site-to-site VPN router.

  3. The internal IP ranges of your network.

  4. The internal or public IP addresses of any development, test, or production hosts with which Sandbox will communicate. These hosts may include middleware servers, SFTP servers, desktop client software machines, etc.

Info

Please note that you should have completed the above requested information via a form that was emailed to the Network contact provided to us. If you did not complete the form, please reach out to your Sandbox Banking Project Manager for assistance.

Step 2:

Sandbox will use the information to establish our side of the connection and securely provide your team with the following:

  1. Public IP addresses for the primary and secondary tunnel endpoints on our side.

  2. The internal IP ranges for the dedicated network on our side that will contain your Sandbox Platform instances.

  3. A configuration file specific to your network router that can be used to establish your side of the VPN connection.

Step 3:

Your team will need to use the configuration file from step (2) to set up the connection within your network router. The configuration can be customized within certain constraints (see "Site-to-Site IPsec VPN Limitations" below).

Step 4:

Your team will most likely also need to make a few additional networking changes:

  1. External firewall rules may need to be adjusted so the IPsec tunnel connections can be established (see "Necessary Firewall Rules" below).

  2. IP routes within the network may need to be adjusted. It's important that traffic from our side of the site-to-site VPN connection can reach the necessary hosts and ports. It's also important that IP traffic originating from those sources or any of your internal IPs can reach the dedicated network IP ranges on our side.

  3. After your network has been configured, please coordinate with someone on the Sandbox team to launch the tunnels. This can be accomplished by sending an IP packet from your side to a specific private IP address that we'll provide.

Step 5:

You should configure a recurring job that sends IP traffic across the tunnels to keep them alive. Recurring traffic scheduled by Sandbox would NOT revive tunnels that go down, because tunnels can only be launched by traffic originating from your side of the VPN.
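The tunnel launch in Step 4 and the keepalive in Step 5 both come down to the same thing: traffic that originates on your side and is addressed to a private IP on the Sandbox side. The script below is an added example (not a script supplied by Sandbox) of one way to run that as a long-lived job on a Linux host behind your router. The target addresses, the interval and the probe command are placeholders; replace `TARGETS` with the private IP(s) Sandbox gives you, one reachable through each tunnel.

```shell
#!/bin/sh
# sandbox-keepalive.sh - added example, not a script provided by Sandbox.
# Sends a probe to a private IP on the Sandbox side of each tunnel at a fixed
# interval so that the tunnels are launched, and re-launched if they drop,
# from your side, which is the only side that can bring them up.
#
# Assumptions (placeholders, replace with the values Sandbox provides):
#   TARGETS  - one private IP reachable through each tunnel
#   INTERVAL - seconds between probe rounds
#   PROBE    - the command used to send traffic (Linux ping syntax assumed)
TARGETS="${TARGETS:-10.200.0.10 10.200.1.10}"
INTERVAL="${INTERVAL:-10}"
# The probe command is a variable so it can be swapped out, e.g. for testing.
PROBE="${PROBE:-ping -c 1 -W 2}"

probe_target() {
    # Returns 0 when the target answered, non-zero otherwise.
    $PROBE "$1" >/dev/null 2>&1
}

keepalive_round() {
    # Probes every target once. Returns the number of targets that did not
    # answer, so an exit status of 0 means every tunnel passed traffic.
    failed=0
    for target in $TARGETS; do
        if probe_target "$target"; then
            echo "$(date -u +%FT%TZ) keepalive ok $target"
        else
            failed=$((failed + 1))
            echo "$(date -u +%FT%TZ) keepalive FAILED $target" >&2
        fi
    done
    return "$failed"
}

# Run under a service manager (systemd, supervisord) with the "run" argument
# rather than from cron: cron's one-minute granularity is coarser than the
# probe interval you will want, and a failed round should not stop the loop.
case "${1:-}" in
    run)
        while :; do
            keepalive_round || :
            sleep "$INTERVAL"
        done
        ;;
esac
```

A failed probe on one target while the other succeeds tells you which tunnel is down; because the probe itself is the traffic that relaunches the tunnel, the next round usually succeeds once the tunnel has re-established, and a persistent failure is the signal to check routing and the firewall rules below.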

...

Site-to-Site IPsec VPN Limitations

There are limitations to the site-to-site VPN configurations we can support:

  • Your side of the connection must initiate traffic to launch the tunnels

  • IKEv2 is required.

  • Only AES-256 encryption can be used for IKE and IPsec.

  • Only SHA-256 hashing is used for authentication and integrity during IKE and IPsec establishment.

  • Static routing is acceptable on single-VPN setups, but we encourage using BGP if using a DR VPN.

  • Only the following Diffie-Hellman groups are allowed during IKE:
    o Phase 1 (IKE SA): 14-18, 22, 23, and 24
    o Phase 2 (IPsec SA, PFS): 14-18, 22, 23, and 24
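As an added illustration of how these constraints map onto a real configuration, here is a strongSwan `swanctl.conf` for a Linux-based router. This is not the router-specific configuration file Sandbox provides, and it assumes pre-shared-key authentication with IP-address identities; every address, identity and secret is a placeholder to be replaced with the values from the Sandbox configuration file. The weak proposal shown in a comment is there only to make the contrast with the allowed one explicit.

```conf
# swanctl.conf - added example for a strongSwan-based customer router.
# Not the configuration file supplied by Sandbox; all values are placeholders.
connections {
    sandbox-tunnel-1 {
        version = 2                        # IKEv2 is required
        local_addrs  = 203.0.113.10        # your router's public IP (placeholder)
        remote_addrs = 198.51.100.21       # Sandbox-Tunnel-1 public IP (placeholder)
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.21
        }
        # Phase 1: AES-256, SHA-256, DH group 14 (modp2048); allowed groups are 14-18, 22-24.
        # Not permitted by the limitations above: aes128-sha1-modp1024 (AES-128, SHA-1, group 2).
        proposals = aes256-sha256-modp2048
        dpd_delay = 10s
        children {
            sandbox {
                local_ts  = 10.10.0.0/16       # your internal ranges (placeholder)
                remote_ts = 10.200.0.0/24      # Sandbox dedicated network (placeholder)
                # Phase 2: AES-256, SHA-256, PFS with DH group 14.
                esp_proposals = aes256-sha256-modp2048
                # A trap policy makes your own outbound traffic trigger the tunnel,
                # matching the requirement that your side initiates.
                start_action = trap
                dpd_action   = restart
            }
        }
    }
    sandbox-tunnel-2 {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.22       # Sandbox-Tunnel-2 public IP (placeholder)
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.22
        }
        proposals = aes256-sha256-modp2048
        dpd_delay = 10s
        children {
            sandbox {
                local_ts  = 10.10.0.0/16
                remote_ts = 10.200.0.0/24
                esp_proposals = aes256-sha256-modp2048
                start_action = trap
                dpd_action   = restart
            }
        }
    }
}
secrets {
    ike-sandbox-1 {
        id = 198.51.100.21
        secret = "replace-with-the-psk-for-tunnel-1"
    }
    ike-sandbox-2 {
        id = 198.51.100.22
        secret = "replace-with-the-psk-for-tunnel-2"
    }
}
```

With static routing, the `local_ts`/`remote_ts` selectors must cover every internal range and every Sandbox-side range listed in Steps 1 and 2; traffic outside those selectors is not matched by the trap policy and will neither bring the tunnel up nor be encrypted.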

Necessary Firewall Rules

Your firewall will need to allow the following traffic for us to jointly establish the VPN:

  • INBOUND
    o Protocol: UDP, Source IP: Sandbox-Tunnel-1 Public IP, Source Port: 500, Destination IP: Your Router Public IP, Destination Port: 500
    o Protocol: UDP, Source IP: Sandbox-Tunnel-2 Public IP, Source Port: 500, Destination IP: Your Router Public IP, Destination Port: 500
    o Protocol: IP 50 (ESP), Source IP: Sandbox-Tunnel-1 Public IP, Destination IP: Your Router Public IP
    o Protocol: IP 50 (ESP), Source IP: Sandbox-Tunnel-2 Public IP, Destination IP: Your Router Public IP

  • OUTBOUND
    o Protocol: UDP, Source IP: Your Router Public IP, Source Port: 500, Destination IP: Sandbox-Tunnel-1 Public IP, Destination Port: 500
    o Protocol: UDP, Source IP: Your Router Public IP, Source Port: 500, Destination IP: Sandbox-Tunnel-2 Public IP, Destination Port: 500
    o Protocol: IP 50 (ESP), Source IP: Your Router Public IP, Destination IP: Sandbox-Tunnel-1 Public IP
    o Protocol: IP 50 (ESP), Source IP: Your Router Public IP, Destination IP: Sandbox-Tunnel-2 Public IP

Furthermore, if you are using NAT traversal (NAT-T), the firewall must also allow UDP port 4500 in both directions, since both IKE and the UDP-encapsulated ESP traffic move to that port (see https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html).
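The rule list above written out as firewall commands, as an added example rather than anything from the Sandbox documentation. It assumes a Linux router using iptables with the default filter table; the addresses are placeholders for your router's public IP and the two Sandbox tunnel endpoint IPs from Step 2. Setting `NAT_T=1` adds the UDP 4500 rules; the source port is deliberately left unrestricted on those because a NAT device in the path may rewrite it.

```shell
#!/bin/sh
# sandbox-vpn-firewall.sh - added example, not part of Sandbox's documentation.
# Emits one iptables command per rule listed under "Necessary Firewall Rules",
# for both tunnel endpoints, plus the NAT-T rules when NAT_T=1.
# Assumes a Linux router running iptables; all addresses are placeholders.
ROUTER_IP="${ROUTER_IP:-203.0.113.10}"                    # your router's public IP
SANDBOX_IPS="${SANDBOX_IPS:-198.51.100.21 198.51.100.22}" # Sandbox-Tunnel-1 and -2
NAT_T="${NAT_T:-0}"

gen_rules() {
    # Prints the rules without applying them so they can be reviewed first.
    for peer in $SANDBOX_IPS; do
        # IKE: UDP 500 <-> UDP 500, inbound and outbound
        echo "iptables -A INPUT  -p udp -s $peer -d $ROUTER_IP --sport 500 --dport 500 -j ACCEPT"
        echo "iptables -A OUTPUT -p udp -s $ROUTER_IP -d $peer --sport 500 --dport 500 -j ACCEPT"
        # ESP: IP protocol 50, inbound and outbound
        echo "iptables -A INPUT  -p esp -s $peer -d $ROUTER_IP -j ACCEPT"
        echo "iptables -A OUTPUT -p esp -s $ROUTER_IP -d $peer -j ACCEPT"
        if [ "$NAT_T" = 1 ]; then
            # NAT traversal: IKE and UDP-encapsulated ESP both use UDP 4500.
            # Source port is left open because a NAT may rewrite it.
            echo "iptables -A INPUT  -p udp -s $peer -d $ROUTER_IP --dport 4500 -j ACCEPT"
            echo "iptables -A OUTPUT -p udp -s $ROUTER_IP -d $peer --dport 4500 -j ACCEPT"
        fi
    done
}

case "${1:-}" in
    print) gen_rules ;;        # review the rules
    apply) gen_rules | sh ;;   # apply them (run as root)
esac
```

Because every rule is pinned to the Sandbox endpoint addresses, nothing else on the Internet can reach the IKE or ESP ports on your router; if Sandbox ever changes an endpoint IP, these rules are the first thing to update.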

Additional Documentation

Sandbox uses AWS managed Site-to-Site VPN Connections to establish IPsec tunnels, and AWS has published significant documentation regarding their setup. The following guide is a good starting point if more information would be helpful:

...