IaaS VPN Configuration

To link your IaaS organisation with an onsite or remote network, you can use the VPN service built into each edge gateway.

These VPN tunnels are IPsec based (IKEv1 with a pre-shared key, using the fixed parameters listed at the end of this article), so please ensure your far-end equipment supports IPsec with those parameters before creating your tunnel.

To create a new VPN tunnel, navigate to your Edge Gateway by selecting Edge Gateways then clicking the label of your edge gateway.

[Screenshot: edgesel.png]

Take note of the IP address assigned to the external network on the Overview tab, as this is the Local Native Address used in the VPN configuration. For example:

[Screenshot: egextern.png]

Navigate to the VPN Service tab of the edge gateway, then click New VPN Tunnel. You will be presented with the following options, detailed below.

[Screenshot: vpn.png]

Name

Provide a name for this VPN connection.

Enabled

Enable or disable this VPN connection.

Description

Provide a detailed description of the connection.

Local Native Address

Enter the external IP of your edge gateway (the external-network address noted on the Overview tab). This is the address the far-end device must send IKE and IPsec traffic to.

Local Networks

Select the organisation networks you wish to have accessible over this VPN.

Peer ID

Enter the identity the far-end device presents when it authenticates. This is normally its IP address: if the device is behind a NAT router, use its internal (private) IP address; if not, enter its public IP. It must match the local identity configured on the far-end device, or Phase 1 authentication will fail.

Peer Behind NAT

Ensure this is enabled.

Peer Native Address

Enter the public (internet) IP of the far end of the tunnel. This is the address the edge gateway sends IKE and IPsec traffic to.

Peer Networks

Enter the network(s) at the far end that should be reachable over this tunnel, in CIDR notation (e.g. 192.168.0.0/24). These must match the remote networks defined on the far-end device and must not overlap the Local Networks, since overlapping ranges cannot be routed across the tunnel.

Shared Secret Encrypted

Select this if you wish the shared secret to also be stored in encrypted form.

Encryption Protocol

Select any cipher supported by your far-end device. AES256 is recommended if available; use TripleDES only if the far end supports nothing stronger. The same cipher is used for both IKE Phase 1 and Phase 2.

Prehashed Key

This is the pre-shared key (PSK) both ends use to authenticate each other during IKE Phase 1; the keys that actually encrypt traffic are derived from the Diffie-Hellman exchange, not from this value. A random key is generated automatically, but you may replace it if desired. Keep it long and random, and pass it to the far-end administrator out of band.

MTU

Override the tunnel's MTU so that packets, once IPsec headers and padding are added, still fit within the MTU of the link to the far end. Lower this if large packets fail to cross the tunnel while small ones succeed.

Once filled out, click Create. The edge gateway will create the tunnel per the above configuration and will show the VPN in the list when complete.

When configuring the far-end peer, note that the Edge Gateway uses the following fixed IKE/IPsec parameters. Apart from the cipher and the pre-shared key set in the form, they cannot be changed, so the far-end device must be configured to match them exactly.

The IKE Phase 1 parameters used by the Edge are:
    • Main mode (ISAKMP aggressive mode is disabled)
    • AES, AES256 (preferred) or TripleDES, as selected in Encryption Protocol above
    • SHA-1 integrity
    • Diffie-Hellman group 2 (MODP 1024-bit)
    • Pre-shared key authentication, using the Prehashed Key set above
    • SA lifetime of 28800 seconds (eight hours), with no kilobyte-based rekeying

The IKE Phase 2 (IPsec) parameters supported by the Edge are:
    • AES, AES256 or TripleDES, matching the Phase 1 cipher
    • SHA-1 integrity
    • ESP in tunnel mode
    • Diffie-Hellman group 2 (MODP 1024-bit)
    • Perfect forward secrecy enabled for rekeying
    • SA lifetime of 3600 seconds (one hour), with no kilobyte-based rekeying

Note that DH group 2 and SHA-1 are weak by current standards. Because the Edge offers nothing stronger, the far-end device must be configured to accept them; a far-end proposal offering only stronger groups or hashes will fail at Phase 1.

You may now proceed to configure your far-end device's IPsec using the fields above and the fixed parameters listed. Please consult your device's manual for information on how to complete this.
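As an added example (my code, not the article's or VMware's), the following Python turns the form values above and the Edge's fixed parameters into a strongSwan ipsec.conf/ipsec.secrets fragment for a far-end device running strongSwan, checks a proposed far-end configuration for settings the Edge will not negotiate, and sizes the tunnel MTU for the ESP overhead. The TunnelForm attribute names, the strongSwan algorithm mapping (DH group 2 = modp1024, AES = aes128, TripleDES = 3des) and the assumption that UDP NAT-T is in use because Peer Behind NAT is enabled are mine; the sample addresses in the usage are constructed.

```python
"""Added example (not code from the original article or from VMware):
build a strongSwan far-end configuration from the New VPN Tunnel form,
check a far-end proposal against the Edge's fixed IKE parameters, and
compute a tunnel MTU. Field names, the strongSwan algorithm mapping and
the NAT-T assumption are mine, not the product's."""
from dataclasses import dataclass
from typing import Dict, List

# Edge parameters from the article in strongSwan names (assumed mapping:
# DH group 2 = modp1024, "AES" = aes128, TripleDES = 3des).
EDGE_PHASE1 = {"mode": "main", "encryption": ("aes256", "aes128", "3des"),
               "integrity": "sha1", "dh": "modp1024", "lifetime": 28800}
EDGE_PHASE2 = {"integrity": "sha1", "mode": "tunnel", "pfs": "modp1024",
               "lifetime": 3600}          # cipher follows the Phase 1 choice
FORM_ENC = {"AES256": "aes256", "AES": "aes128", "3DES": "3des"}


@dataclass
class TunnelForm:
    """The New VPN Tunnel form fields (hypothetical attribute names)."""
    name: str
    local_native_address: str   # external IP of the edge gateway
    local_networks: List[str]   # org networks reachable over the tunnel (CIDR)
    peer_id: str                # far-end identity: internal IP if behind NAT
    peer_native_address: str    # far-end public (internet) IP
    peer_networks: List[str]    # far-end networks (CIDR)
    encryption: str             # "AES256", "AES" or "3DES" as chosen in the form
    preshared_key: str


def render_strongswan(form: TunnelForm) -> Dict[str, str]:
    """Return {'ipsec.conf': ..., 'ipsec.secrets': ...} for the far-end host.
    'left' is the far-end device running strongSwan, 'right' is the Edge."""
    enc = FORM_ENC[form.encryption]
    conf = "\n".join([
        f"conn {form.name}",
        "    keyexchange=ikev1",
        "    aggressive=no",          # Edge has aggressive mode disabled
        "    authby=secret",          # pre-shared key authentication
        f"    ike={enc}-{EDGE_PHASE1['integrity']}-{EDGE_PHASE1['dh']}!",
        f"    esp={enc}-{EDGE_PHASE2['integrity']}-{EDGE_PHASE2['pfs']}!",
        f"    ikelifetime={EDGE_PHASE1['lifetime']}s",
        f"    lifetime={EDGE_PHASE2['lifetime']}s",
        "    type=tunnel",
        "    left=%defaultroute",
        f"    leftid={form.peer_id}",
        f"    leftsubnet={','.join(form.peer_networks)}",
        f"    right={form.local_native_address}",
        f"    rightid={form.local_native_address}",
        f"    rightsubnet={','.join(form.local_networks)}",
        "    auto=start",
    ])
    secrets = (f"{form.peer_id} {form.local_native_address} : "
               f'PSK "{form.preshared_key}"')
    return {"ipsec.conf": conf, "ipsec.secrets": secrets}


def check_far_end(p: Dict[str, object]) -> List[str]:
    """List settings in a proposed far-end configuration that the Edge will
    reject, plus lifetime differences as 'warning:' entries (the SA still
    negotiates, but the two sides rekey on different schedules)."""
    issues = []
    if p.get("ike_mode") != EDGE_PHASE1["mode"]:
        issues.append("Phase 1 must use main mode; the Edge disables aggressive mode")
    if p.get("ike_encryption") not in EDGE_PHASE1["encryption"]:
        issues.append(f"Phase 1 cipher {p.get('ike_encryption')} is not offered by the Edge")
    if p.get("ike_integrity") != EDGE_PHASE1["integrity"]:
        issues.append("Phase 1 integrity must be SHA-1")
    if p.get("ike_dh") != EDGE_PHASE1["dh"]:
        issues.append("Phase 1 DH group must be group 2 (modp1024)")
    if p.get("auth") != "psk":
        issues.append("authentication must be by pre-shared key")
    if p.get("esp_mode") != EDGE_PHASE2["mode"]:
        issues.append("Phase 2 must use ESP tunnel mode")
    if p.get("esp_encryption") != p.get("ike_encryption"):
        issues.append("Phase 2 cipher must match the Phase 1 cipher on the Edge")
    if p.get("esp_integrity") != EDGE_PHASE2["integrity"]:
        issues.append("Phase 2 integrity must be SHA-1")
    if p.get("pfs") != EDGE_PHASE2["pfs"]:
        issues.append("PFS must be enabled with DH group 2 (modp1024)")
    for key, edge in (("ike_lifetime", EDGE_PHASE1["lifetime"]),
                      ("esp_lifetime", EDGE_PHASE2["lifetime"])):
        if p.get(key) != edge:
            issues.append(f"warning: {key}={p.get(key)} differs from the Edge's {edge}s")
    return issues


def tunnel_mtu(link_mtu: int = 1500, nat_t: bool = True) -> int:
    """Largest inner IPv4 packet that still fits the link after ESP
    encapsulation. Assumes AES-CBC (16-byte IV and block size), SHA-1-96
    (12-byte ICV) and, since Peer Behind NAT is on, UDP NAT-T (8 bytes)."""
    fixed = 20 + 8 + 16 + 12 + (8 if nat_t else 0)  # IP + ESP hdr + IV + ICV + UDP
    padded = (link_mtu - fixed) // 16 * 16           # whole cipher blocks only
    return padded - 2                                # minus pad-length/next-header
```

On the far-end host, write the two fragments to /etc/ipsec.conf and /etc/ipsec.secrets and bring the tunnel up with `ipsec up <name>`; an empty list from check_far_end means the far-end proposal matches every fixed Edge parameter, and a `warning:` entry for a lifetime means the SA will negotiate but rekey on the shorter of the two timers. tunnel_mtu(1500) gives 1422 with NAT-T (1438 without), which is the value to enter in the MTU field if the link to the far end is a plain 1500-byte Ethernet path.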


NB: There is a known bug in the VMware stack that may show the VPN marked as down even though it is actually up. VMware have acknowledged this issue but had not provided a fix at the time of writing. Verify the tunnel by testing connectivity (for example, pinging a host in a Peer Network from a Local Network) rather than relying solely on the status indicator.
