To link your IaaS organisation with an onsite or remote network, you can use the VPN service built into each edge gateway.
These VPN tunnels are IPsec based (IKEv1 with pre-shared keys), so please ensure your equipment supports IPsec with the parameters listed under the global configuration below before creating your tunnel.
To create a new VPN tunnel, navigate to your Edge Gateway by selecting Edge Gateways then clicking the label of your edge gateway.
Please take note of the IP address assigned to the external network on the overview tab, as this is the local endpoint used in the VPN configuration. For example:
Navigate to the VPN Service tab of the edge gateway, then click New VPN Tunnel. You will be presented with the following options, detailed below.
| Field | Description |
|---|---|
| Name | Provide the name for this VPN connection |
| Enabled | Enable or disable this VPN connection |
| Description | Provide a detailed description of the connection |
| Local Native Address | Enter the external IP of your edge gateway (from the overview tab) |
| Local networks | Select the organisation network(s) you wish to have accessible over this VPN |
| Peer address (ID) | Enter the IP address of the far end of the tunnel. If the far-end device is behind a NAT router, this is the device's internal (private) IP address, which it will present as its IKE identity; if not, enter its public IP |
| Peer Behind NAT | Ensure this is enabled |
| Peer Native Address | Enter the public (internet) IP of the far end of the tunnel, i.e. the address the edge gateway will actually send IKE/ESP traffic to |
| Peer networks | Enter the network(s) at the far end that should be reachable over this tunnel, in CIDR notation (e.g. 192.168.0.0/24). These must not overlap the selected local networks |
| Shared Secret Encrypted | Select this if you wish to also encrypt the shared secret |
| Encryption protocol | Select any protocol supported by your far-end device. AES256 is recommended if available; TripleDES is a legacy 64-bit-block cipher and should only be chosen when the far end supports nothing stronger |
| Shared secret | The pre-shared key used by both ends of the tunnel. A random key is generated automatically, but you may replace it if desired. Keep it long and random, and transfer it to the far end out of band rather than by e-mail |
| MTU | Override the tunnel's MTU to ensure encapsulated packets fit within the MTU of the link to the far end (ESP and any NAT-T UDP encapsulation add overhead) |
Once filled out, click Create. The edge gateway will create your tunnel per the above configuration and will show the VPN in the list when complete.
When configuring the far-end peer, note that the edge gateway uses the following fixed settings, which the far end must match:
Phase 1 (IKE / ISAKMP):
- Main mode
- AES / AES 256 preferred / TripleDES [set as above]
- MODP (DH) group 2 (MODP 1024 bits)
- Pre-shared secret [set as above]
- SA lifetime of 28800 seconds (eight hours), with no kilobyte-based rekeying
- ISAKMP aggressive mode disabled
Phase 2 (IPsec):
- AES / AES 256 preferred / TripleDES [will match the Phase 1 setting]
- ESP tunnel mode
- MODP (DH) group 2 (MODP 1024 bits)
- Perfect forward secrecy for rekeying
- SA lifetime of 3600 seconds (one hour), with no kilobyte-based rekeying
Note that DH group 2 (1024-bit MODP) is below current key-strength recommendations. It is what the edge gateway negotiates, so treat it as a compatibility requirement your far-end proposal must include rather than a security choice, and do not weaken anything else (cipher, pre-shared secret) to match it.
You may now proceed to configure your far-end device's IPsec using the above fields and global configuration. Please consult your device's manual for information on how to complete this.
NB: There is a known bug in the VMware stack that may show the VPN marked as down even though it is actually up. VMware have acknowledged this issue but have not provided a fix at the time of writing. Verify the tunnel from the far-end device (its IPsec status output and traffic passing between the two networks) rather than relying on the portal indicator alone.
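The following is an added example of a far-end configuration matching the settings above; it is not part of this page or the provider's documentation. It assumes the far-end device runs strongSwan 5.x using the legacy ipsec.conf/ipsec.secrets format, sits behind a NAT router, and that the integrity algorithm is SHA-1 (the page does not state one, so adjust if your edge gateway negotiates differently). All addresses are documentation ranges chosen for illustration: edge gateway external IP 198.51.100.5, organisation network 10.0.0.0/24, far-end device internal address 172.16.5.2 behind a NAT router with public IP 203.0.113.10, and far-end LAN 192.168.0.0/24.

```ini
# /etc/ipsec.conf  -- far-end strongSwan peer for an edge gateway VPN tunnel
# (added example; addresses and the SHA-1 integrity choice are assumptions)
config setup
    uniqueids = yes

conn to-edge-gateway
    keyexchange = ikev1          # edge gateway uses ISAKMP main mode
    aggressive = no              # aggressive mode is disabled on the edge gateway
    authby = secret              # pre-shared secret (see ipsec.secrets below)
    type = tunnel                # ESP tunnel mode

    # This side. The device is behind NAT, so 'left' is its private WAN address
    # and 'leftid' is the value entered as the peer address/ID in the portal.
    left = 172.16.5.2
    leftid = 172.16.5.2
    leftsubnet = 192.168.0.0/24  # entered as the peer network in the portal

    # Edge gateway side: the "Local Native Address" from the overview tab.
    right = 198.51.100.5
    rightid = 198.51.100.5
    rightsubnet = 10.0.0.0/24    # the organisation network selected as local network

    # Phase 1: AES-256, (assumed) SHA-1, DH group 2 = modp1024. The trailing '!'
    # makes this the only proposal offered, so nothing weaker can be negotiated.
    ike = aes256-sha1-modp1024!
    ikelifetime = 8h             # 28800 s, matches the edge gateway; no byte-based rekey

    # Phase 2: same cipher; including modp1024 enables PFS on rekey.
    esp = aes256-sha1-modp1024!
    lifetime = 1h                # 3600 s, matches the edge gateway; no byte-based rekey
    # strongSwan initiates rekeying 'margintime' (default 9 minutes) before the
    # lifetime expires, which keeps the SAs within the edge gateway's limits.

    # NAT traversal (UDP encapsulation on port 4500) is detected automatically
    # by strongSwan when the NAT router rewrites the source address.
    auto = start
    keyingtries = %forever
```

The matching secret goes in /etc/ipsec.secrets as one line of the form `172.16.5.2 198.51.100.5 : PSK "<the shared secret from the portal>"`, indexed by the two IKE identities used above, and the file must be readable only by root. After `ipsec reload` (or `ipsec restart`), `ipsec statusall` should list the connection as ESTABLISHED with an INSTALLED child SA for 192.168.0.0/24 === 10.0.0.0/24; a ping from a host on the far-end LAN to a host on the organisation network confirms traffic is actually flowing, which is the check to rely on when the portal indicator shows the tunnel as down.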