SAP IoT Connect 365 allows you to set up an IPsec VPN to keep all data communication between your application server and our mobile core private. Thanks to CloudConnect you can create an IPsec VPN in a few easy steps.
Configuring IPsec on SAP IoT Connect 365
To create an IPsec, log in to the SAP IoT Connect 365 UI with your user account and select the Tokens, IPs and VPN Setup icon in the top right corner:
The Setup page is displayed. Scroll down to the Cloud Connect section:
Click +Create and select the IPsec VPN option. The Create Attachment form is displayed:
Enter the requested information:
Enter a name of your choice.
Choose the region to which you would like to connect. Make sure you select the same region in your Service Profile.
Enter your VPN Public IP address.
Add up to 3 CIDRs used in your VPC. Select the CIDRs to which data will be sent. Note that the CIDRs must be valid RFC 1918 private address prefixes and the prefix length must be between /32 and /22; the default /16 CIDR will be declined. If the CIDR is already taken on our side, a warning will be displayed when you try to validate the TGW, because AWS TGW does not support overlapping IP addresses.
PSK will be created automatically.
Select Dynamic VPN if you want to use BGP features.
Add a description of your choice.
Click Next. A summary of the configuration you selected is displayed:
Ensure all the settings are correct and click Create attachment. If the specified CIDR is not correct or not available, a warning message will be displayed stating that the CIDR is not available. In this case, enter a new CIDR and repeat the same process.
Once the setup is complete, the status of the VPN will be "pending" until the automatic IPsec creation has been completed. Once the status changes to "not connected", you can display the VPN configuration which you need to apply on your side:
Firewall rule configuration
The firewall configuration on the SAP IoT Connect 365 side has not been automatically completed yet. Please take a screenshot of the VPN configuration available in the CloudConnect part once the VPN is up, send the file by email to the SAP IoT Connect 365 Onboarding team: firstname.lastname@example.org and request them to finalize the IPsec configuration. Please ensure you include your organization ID in the email.
Note: This process can take up to 4 weeks.
IP range configuration
All IP ranges assigned to the customer's account need to be configured on the SAP IoT Connect 365 side. By default, each account has a /24 range. Inform SAP IoT Connect 365 via ticket when a new range is manually added to your account. Send an email to the SAP IoT Connect 365 Onboarding team: email@example.com stating which new range needs to be configured for your IPsec.
IPsec configuration on Customer's side
Two tunnels have been created for redundancy. We advise you to configure both on your side, but this is optional. To handle the configuration, you can use the help available in the Amazon knowledge base: https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html. Simply select the gateway device you are using and apply the configuration.
When configuring the IPsec, make sure you allow all traffic coming from the following ranges:
100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14
These are our advertised IP ranges and traffic might come from any of them. If you cannot accept traffic from all the ranges, you can de-aggregate the advertised prefixes with the BGP conditional route injection feature if you have chosen a dynamic VPN configuration. In this case, you need to update your configuration each time a new /22 IP range is assigned to your account. Refer to the article How to add a new IP address range using the SAP IoT Connect 365 UI for how to do this.
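The following is an added example, not part of the SAP IoT Connect 365 documentation or product: a pre-check you can run on your side before submitting the Create Attachment form (the CIDR rules given above: RFC 1918 only, /22 to /32, at most 3) and before finalizing the firewall allow-list (the three advertised source ranges). It assumes, as a labelled assumption, that a customer CIDR overlapping one of the advertised ranges is what triggers the "already taken" warning.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Source ranges advertised by the SAP IoT Connect 365 side, as listed in the guide.
SAP_ADVERTISED = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "10.192.0.0/12", "10.4.0.0/14")]

MAX_CIDRS = 3
MIN_PREFIX, MAX_PREFIX = 22, 32  # the guide allows /22 .. /32; the default /16 is declined


def check_vpc_cidrs(cidrs):
    """Return a list of problems with the VPC CIDRs; an empty list means they pass."""
    problems = []
    if len(cidrs) > MAX_CIDRS:
        problems.append(f"{len(cidrs)} CIDRs given, at most {MAX_CIDRS} allowed")
    accepted = []
    for c in cidrs:
        try:
            net = ipaddress.ip_network(c, strict=True)  # rejects host bits set, e.g. 10.0.0.5/24
        except ValueError as e:
            problems.append(f"{c}: not a valid network prefix ({e})")
            continue
        if net.version != 4:
            problems.append(f"{c}: only IPv4 prefixes are expected")
            continue
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{c}: not an RFC 1918 private prefix")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{c}: prefix length /{net.prefixlen} outside /{MIN_PREFIX}../{MAX_PREFIX}")
        # Assumption: a prefix overlapping an advertised range is what the UI reports as
        # "already taken", since AWS TGW does not support overlapping routes.
        for adv in SAP_ADVERTISED:
            if net.overlaps(adv):
                problems.append(f"{c}: overlaps SAP advertised range {adv}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{c}: overlaps {other} in the same attachment")
        accepted.append(net)
    return problems


def missing_sap_sources(allowed):
    """Return the advertised SAP ranges not fully covered by the firewall allow-list."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    return [str(adv) for adv in SAP_ADVERTISED
            if not any(adv.subnet_of(a) for a in allowed_nets)]
```

Run `check_vpc_cidrs` on the CIDRs you plan to enter and `missing_sap_sources` on your firewall's allowed source ranges; a non-empty result tells you exactly which entry would be refused or which advertised range your rules would drop.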
Shahzad Ismail, Head of Knowledge Management and Community Engagement, Sinch