EMnify offers the possibility to setup an IPSec to keep all data communication between your application server and our mobile core private. Thanks to the EMnify CloudConnect you can create an IPSec in a few easy steps.

1. IPsec configuration on EMnify side

1.1 EUI configuration

To create an IPSec, click on link symbol on the top right corner of the EMnify portal and scroll down to the option "Cloud Connect".

Click on "+create" and select "IPSec VPN". The following window should appear:

Enter the requested information:

• Enter a name of your choice;
• Choose the region to which you would like to connect to. Make sure you select the same region in your Service Profile;
• Enter your VPN Public IP;
  
• Add up to 3 private CIDRs to which you wish to forward the traffic to. The CIDRs The CIDRs must be between /30 and /22. If one CIDR is already taken on our side, a warning will be displayed when you try to validate the VPN;
• PSK will be created automatically;
• Select Dynamic VPN if you want to use BGP features;
• Add a description of your choice.

On the next screen, a summary of your configuration is available.

Make sure everything is correct and click on "create attachment". If the entered CIDR is not correct or not available, a warning will be displayed:

In this case, enter a new CIDR and repeat the same process. Once the setup is complete, the status of the VPN will be "pending" until the automatic IPSec creation on our side is complete. Once the status is "not connected", you can display the VPN configuration which you need to apply on your side.

1.2. EMnify firewall rule configuration

The firewall configuration on the EMnify side is not automatically done yet. Please make a screenshot of the VPN configuration available in the CloudConnect part once the VPN is up, send the file to support@emnify.com and request them to finalize the IPsec configuration. In the email to support, please precise your organization ID. This can take up to 4 weeks.

1.3. IP range configuration

All IP ranges assigned to the customer's account need to be configured on the EMnify side. By default, each account has a /24 range. Inform EMnify via ticket when a new range is manually added to your account. Send an email to support@emnify.com stating which new range should be configured for your IPSec.

2. IPSec configuration on Customer's side

Two tunnels have been created. This is thought for redundancy. We advise you to configure both on your side but this is optional.

To handle the configuration, you can use the help available on the amazon knowledge base: https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html. Simply select the gateway device you are using and apply the configuration.

When configuring the IPSec, make sure all traffic coming from the ranges 100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14 are allowed. These are our advertising IP and traffic might come from any of them. If you cannot accept traffic from all the ranges, you can de-aggregate the advertised IP with the feature BGP conditional route injection if you have chosen a dynamic VPN configuration. In this case, you need to update your configuration each time a new /22 IP range is assigned to your account.