How can I configure a NAT IP in AWS so that outgoing traffic from my subnet uses that IP in the context of a site-to-site VPN connection

Question

How can I configure a NAT IP in AWS so that outgoing traffic from my subnet uses that IP in the context of a site-to-site VPN connection with the following Phase 1 and Phase 2 parameters?

Phase 1:
* IKEv2
* AES256
* SHA256
* Group 14

Phase 2:
* AES256
* SHA256
* PFS Group 14
* TUNNEL mode

I have successfully achieved Phase 1, but in Phase 2, the connection gets stuck at this point: 
[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

My current configuration is as follows:

```
conn cbp-ipsec-ikev2-vpn
    keyexchange=ikev2
    type=tunnel
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    ikelifetime=86400s
    lifetime=3600s
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=[private-local-ip]
    leftid=[public-local-ip]
    leftsubnet=172.31.32.0/20 [private-local-subnet]
    right=[public-remote-ip]
    rightdns=8.8.8.8
    rightsubnet=[private-remote-ip]
    rightid=[public-remote-ip]
    auto=start
    authby=secret
    compress=no
    dpdaction=restart
```

However, when I try to assign the provided [NAT IP], I am unable to establish Phase 1. Any suggestions on how to resolve this issue?

Answer

I think you should take a look at [this other question](https://repost.aws/questions/QURLDcCVqiQfSnvfYaFxzcpA/how-to-setup-a-nat-gateway-together-with-a-vpn) because it is likely to help you.

Note that the NAT IP address that the instances in the VPC use must be a private IP address that is within the range of IP addresses allocated to the VPC.

How can I configure a NAT IP in AWS so that outgoing traffic from my subnet uses that IP in the context of a site-to-site VPN connection

Relevant content