EMnify offers the possibility to set up an IPsec VPN so that all data communication between your application server and our mobile core stays private. With EMnify CloudConnect you can create an IPsec VPN in a few steps.
1. IPsec configuration on EMnify side
1.1 EUI configuration
To create an IPsec VPN, click on the link symbol in the top right corner of the EMnify portal and scroll down to the option "Cloud Connect".
Click on "+create" and select "IPsec VPN". The following window should appear:
Enter the requested information:
- Enter a name of your choice;
- Choose the region you would like to connect to. Make sure you select the same region in your Service Profile;
- Enter the public IP address of your VPN gateway;
- Add up to 3 CIDRs used in your VPC: select the CIDRs to which data will be sent. The CIDRs must be valid RFC 1918 private address prefixes with a prefix length between /22 and /32; the default /16 VPC CIDR will be declined. If a CIDR is already in use on our side, a warning is displayed when you validate the attachment, because AWS Transit Gateway (TGW) does not support overlapping prefixes;
- The PSK is generated automatically;
- Select "Dynamic VPN" if you want to use BGP. Tick the "Dynamic VPN" checkbox in the CloudConnect UI, enter the BGP ASN of your side and follow the instructions at https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html. Note: the CloudConnect side uses the AWS default ASN 64512;
- Add a description of your choice.
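The CIDR rules above (RFC 1918 only, prefix length between /22 and /32, at most three entries, no overlap because of the Transit Gateway) are easy to get wrong before submitting. The following pre-check is an added example, not EMnify's own code or the portal's validator; the list of prefixes already attached on the EMnify side is not published, so the `ALREADY_ATTACHED` value is a constructed placeholder that stands in for the portal's overlap warning.

```python
# Added example, not EMnify's own code: pre-check the VPC CIDRs you intend
# to enter in the CloudConnect form against the rules stated above, so the
# attachment is not rejected after submission.
import ipaddress
from typing import Iterable, List

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MIN_PREFIXLEN, MAX_PREFIXLEN, MAX_CIDRS = 22, 32, 3

# Assumption: prefixes already attached to the Transit Gateway on the EMnify
# side are not published; the portal only warns on overlap. This constructed
# list stands in for them so the overlap check can be exercised offline.
ALREADY_ATTACHED = [ipaddress.ip_network("10.10.0.0/16")]


def validate_cidrs(cidrs: Iterable[str],
                   attached: Iterable[ipaddress.IPv4Network] = ALREADY_ATTACHED) -> List[str]:
    """Return the list of problems found; an empty list means the set passes every rule."""
    problems: List[str] = []
    nets: List[ipaddress.IPv4Network] = []
    for text in cidrs:
        try:
            # strict=True rejects host bits set, e.g. 10.0.1.0/16
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append(f"{text}: not a valid CIDR ({exc})")
            continue
        if net.version != 4 or not any(net.subnet_of(private) for private in RFC1918):
            problems.append(f"{net}: not an RFC 1918 private prefix")
            continue
        if not MIN_PREFIXLEN <= net.prefixlen <= MAX_PREFIXLEN:
            problems.append(f"{net}: prefix length must be between "
                            f"/{MIN_PREFIXLEN} and /{MAX_PREFIXLEN}")
        nets.append(net)

    if len(nets) > MAX_CIDRS:
        problems.append(f"{len(nets)} CIDRs given, at most {MAX_CIDRS} are allowed")

    # AWS Transit Gateway does not accept overlapping prefixes: check the
    # entries against each other and against what is already attached.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
        for taken in attached:
            if a.overlaps(taken):
                problems.append(f"{a} overlaps {taken}, which is already attached on the EMnify side")
    return problems


if __name__ == "__main__":
    for candidate in (["10.20.0.0/24", "192.168.1.0/26"], ["10.0.0.0/16"], ["10.10.5.0/24"]):
        print(candidate, "->", validate_cidrs(candidate) or "OK")
```

Run it with the CIDRs you plan to enter; an empty result means the set satisfies every rule the form enforces except the overlap check against EMnify's real attachment list, which only the portal can perform.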
On the next screen, a summary of your configuration is shown.
Check that everything is correct and click on "create attachment". If the entered CIDR is not valid or not available, a warning is displayed:
In this case, enter a new CIDR and repeat the process. Once the setup is complete, the status of the VPN is "pending" until the automatic IPsec creation on our side completes. Once the status changes to "not connected", you can display the VPN configuration that you need to apply on your side.
1.2. EMnify firewall rule configuration
The firewall configuration on the EMnify side is not yet automated. Once the VPN configuration is available in the CloudConnect section, take a screenshot of it, send the file to firstname.lastname@example.org and ask support to finalize the IPsec configuration. State your organization ID in the email. This can take up to 4 weeks.
1.3. IP range configuration
All IP ranges assigned to your account must be configured on the EMnify side. By default, each account has one /24 range. Whenever a new range is manually added to your account, inform EMnify by ticket: send an email to email@example.com stating which new range should be configured for your IPsec.
2. IPsec configuration on Customer's side
Two tunnels are created, for redundancy. We advise you to configure both on your side, but this is optional.
To configure your side, use the AWS documentation: https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html. Select the gateway device you are using and apply the configuration.
When configuring the IPsec, make sure all traffic coming from the ranges 100.64.0.0/10, 10.192.0.0/12 and 10.4.0.0/14 is allowed. These are the prefixes we advertise, and traffic from your devices may come with a source address in any of them.
If you cannot accept traffic from all of these ranges, you can allow only the IP range assigned to your account. In that case, you must update your configuration every time a new IP range is assigned to your account.
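To make the two choices above concrete (accept every advertised prefix, or only the range assigned to your account and re-generate whenever a new one is assigned), here is an added example that is not EMnify's configuration and not taken from the AWS gateway guides. It assumes a Linux customer gateway using iptables with the `policy` match, so that the allow rules only apply to packets that arrived decapsulated from an IPsec SA; the VPC CIDR and account /24 in the usage section are constructed values, and the check that an account range lies inside one of the advertised prefixes is an assumption added as a typo guard.

```python
# Added example, not EMnify's own configuration: choose which source prefixes
# your gateway accepts from the tunnels (all advertised ranges, or only the
# ranges assigned to your account) and render matching iptables FORWARD rules
# that only match packets that actually arrived through an IPsec SA.
import ipaddress
from typing import Iterable, List

# Prefixes EMnify advertises; device traffic may arrive with a source in any of them.
EMNIFY_ADVERTISED = [ipaddress.ip_network(p) for p in
                     ("100.64.0.0/10", "10.192.0.0/12", "10.4.0.0/14")]


def allowed_sources(mode: str, account_ranges: Iterable[str] = ()) -> List[ipaddress.IPv4Network]:
    """'all': every advertised prefix. 'account': only the ranges assigned to the
    account (must be regenerated every time EMnify assigns a new range)."""
    if mode == "all":
        return list(EMNIFY_ADVERTISED)
    if mode == "account":
        nets = [ipaddress.ip_network(r) for r in account_ranges]
        # Assumption: an account range always lies inside one of the advertised
        # prefixes, so anything outside is treated as a typo rather than allowed.
        for net in nets:
            if not any(net.subnet_of(adv) for adv in EMNIFY_ADVERTISED):
                raise ValueError(f"{net} is not inside any EMnify advertised prefix")
        return nets
    raise ValueError(f"unknown mode {mode!r}")


def accepts(src_ip: str, allowed: Iterable[ipaddress.IPv4Network]) -> bool:
    """Would a packet from src_ip pass the allow-list?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowed)


def iptables_rules(allowed: Iterable[ipaddress.IPv4Network], vpc_cidr: str) -> List[str]:
    """One FORWARD rule per allowed source. '-m policy --dir in --pol ipsec'
    restricts the match to packets decapsulated from an IPsec SA, so the same
    prefixes arriving in cleartext on another interface are not accepted."""
    return [f"iptables -A FORWARD -m policy --dir in --pol ipsec "
            f"-s {net} -d {vpc_cidr} -j ACCEPT" for net in allowed]


if __name__ == "__main__":
    vpc = "10.20.0.0/24"  # constructed example VPC CIDR
    for rule in iptables_rules(allowed_sources("all"), vpc):
        print(rule)
    restricted = allowed_sources("account", ["10.4.5.0/24"])  # constructed account /24
    print(accepts("10.200.1.1", restricted))  # a device from 10.192.0.0/12 is dropped in this mode
```

The "account" mode is the tighter policy, but as the text says it is only correct for as long as the list of account ranges is complete; add the new range and re-render the rules each time EMnify assigns one, otherwise devices that land in the new range are silently dropped by the FORWARD chain.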
If you selected a dynamic VPN, you can de-aggregate the advertised prefixes with BGP conditional route advertisement.