Site-to-Site IPsec VPN Setup Guide

Step 1:

Please provide the Sandbox team with the following information:

  1. The model of your network's site-to-site VPN router.

  2. The public IP address of your network's site-to-site VPN router.

  3. The internal IP ranges of your network.

  4. The internal or public IP addresses of any development, test, or production hosts with which Sandbox will communicate. These hosts may include middleware servers, SFTP servers, desktop client software machines, etc.

Please note that you should have completed the above requested information via a form that was emailed to the Network contact provided to us. If you did not complete the form, please reach out to your Sandbox Banking Project Manager for assistance.


Step 2:

Sandbox will use the information to establish our side of the connection and securely provide your team with the following:

  1. Public IP addresses for the primary and secondary tunnel endpoints on our side.

  2. The internal IP ranges for the dedicated network on our side that will contain your Sandbox Platform instances.

  3. A configuration file specific to your network router that can be used to establish your side of the VPN connection.

Step 3:

Your team will need to use the configuration file from step (2) to set up the connection within your network router. The configuration can be customized within certain constraints (see "Site-to-Site IPsec VPN Limitations" below).

Step 4:

Your team will also probably need to make a few additional networking changes:

  1. External firewall rules may need to be adjusted so the IPsec tunnel connections can be established (see "Necessary Firewall Rules" below).

  2. IP routes within the network may need to be adjusted. It's important that traffic from our side of the site-to-site VPN connection can reach the necessary hosts and ports. It's also important that IP traffic originating from those sources or any of your internal IPs can reach the dedicated network IP ranges on our side.

  3. After your network has been configured, please coordinate with someone on the Sandbox team to launch the tunnels. This can be accomplished by sending an IP packet from your side to a specific private IP address that we'll provide.


Site-to-Site IPsec VPN Limitations

There are limitations to the site-to-site VPN configurations we can support:

  • IKEv2 is required.

  • Only AES-256 encryption can be used for IKE and IPsec security.

  • Only SHA-256 hashing is used for authentication during IKE and IPsec establishment.

  • Static routing is acceptable on single-VPN setups, but we encourage using BGP if using a DR VPN.

  • Only the following Diffie-Hellman Phase groups during IKE are allowed:
    o Phase 1: 14-18, 22, 23, and 24
    o Phase 2: 14-18, 22, 23, and 24
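Because the configuration file from step (2) may be customized, it helps to re-check a customized proposal against the limits above before loading it. The following script is an added example (not part of this guide or of any vendor's tooling): it validates strongSwan-style "enc-integ-dh" proposal strings, and the keyword-to-group mapping it uses is an assumption about strongSwan naming.

```python
"""Added example: check that a customized strongSwan-style IKE/IPsec proposal
still meets the Sandbox site-to-site VPN limitations (IKEv2, AES-256, SHA-256,
DH groups 14-18 and 22-24 in both phases)."""

# Limits stated in the guide.
REQUIRED_IKE_VERSION = 2
REQUIRED_ENCRYPTION = "aes256"   # AES-256 for both IKE and IPsec
REQUIRED_INTEGRITY = "sha256"    # SHA-256 for both IKE and IPsec
ALLOWED_DH_GROUPS = {14, 15, 16, 17, 18, 22, 23, 24}

# Assumed mapping of strongSwan DH keywords to IANA group numbers; keywords
# not listed here (e.g. ECP groups) are treated as not allowed.
STRONGSWAN_DH_GROUPS = {
    "modp2048": 14, "modp3072": 15, "modp4096": 16, "modp6144": 17,
    "modp8192": 18, "modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24,
    "modp1024": 2, "modp1536": 5,  # common legacy groups, not allowed here
}


def check_proposal(proposal: str, phase: str) -> list[str]:
    """Validate one 'enc-integ[-dh]' proposal string; return a list of problems."""
    problems = []
    parts = proposal.strip().lower().split("-")
    if len(parts) not in (2, 3):
        return [f"{phase}: cannot parse proposal {proposal!r}"]
    enc, integ = parts[0], parts[1]
    dh = parts[2] if len(parts) == 3 else None
    if enc != REQUIRED_ENCRYPTION:
        problems.append(f"{phase}: encryption {enc!r} not allowed; only AES-256")
    if integ != REQUIRED_INTEGRITY:
        problems.append(f"{phase}: integrity {integ!r} not allowed; only SHA-256")
    if dh is None:
        problems.append(f"{phase}: no Diffie-Hellman group given; one of "
                        f"{sorted(ALLOWED_DH_GROUPS)} is required")
    elif STRONGSWAN_DH_GROUPS.get(dh) not in ALLOWED_DH_GROUPS:
        problems.append(f"{phase}: DH group {dh!r} is not in the allowed set "
                        f"{sorted(ALLOWED_DH_GROUPS)}")
    return problems


def check_config(ike_version: int, ike_proposal: str, esp_proposal: str) -> list[str]:
    """Check the IKE version plus the Phase 1 (IKE) and Phase 2 (ESP) proposals."""
    problems = []
    if ike_version != REQUIRED_IKE_VERSION:
        problems.append(f"IKEv{ike_version} is not supported; IKEv2 is required")
    problems += check_proposal(ike_proposal, "Phase 1 (IKE)")
    problems += check_proposal(esp_proposal, "Phase 2 (ESP)")
    return problems


if __name__ == "__main__":
    # Constructed samples: one compliant config and one legacy IKEv1 config.
    for version, ike, esp in [(2, "aes256-sha256-modp2048", "aes256-sha256-modp2048"),
                              (1, "aes128-sha1-modp1024", "aes256-sha256")]:
        issues = check_config(version, ike, esp)
        print(f"IKEv{version} {ike} / {esp}: {'OK' if not issues else issues}")
```

An empty list means the proposal stays within the limits; any non-empty result should be resolved before asking the Sandbox team to launch the tunnels.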

Necessary Firewall Rules

Your firewall will need to allow the following traffic for us to jointly establish the VPN:

  • INBOUND
    o Protocol: UDP, Destination Port: 500
    o Protocol: UDP, Destination Port: 500
    o Protocol: IP 50 (ESP)
    o Protocol: IP 50 (ESP)

  • OUTBOUND
    o Protocol: UDP, Destination Port: 500
    o Protocol: UDP, Destination Port: 500
    o Protocol: IP 50 (ESP), Source IP
    o Protocol: IP 50 (ESP), Source IP

Furthermore, if you are using NAT traversal then the firewall must allow UDP traffic over port 4500 (see https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html).

Additional Documentation

Sandbox uses AWS managed Site-to-Site VPN Connections to establish IPsec tunnels, and AWS has published significant documentation regarding their setup. The following guide is a good starting point if more information would be helpful: https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html.

Furthermore, the following guide has been useful for jointly debugging issues we've encountered in the past: https://aws.amazon.com/premiumsupport/knowledge-center/vpn-tunnel-troubleshooting/.