Configuring VPN connections in VPNaaS without use of endpoint groups (legacy way)¶
Endpoint groups are entities that allow the grouping of local networks, after which these groups can be used when configuring the IPsec connection. Here, the configuration of the connection is described without endpoint groups. Local networks that participate in the configuration are specified directly, in appropriate fields.
Note
To set up an IPsec VPN connection, the following required conditions must be met:
Network availability between routers:
- Protocol: UDP, port 500 (for IKE, to manage encryption keys).
- Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode).
- Protocol: ESP, value 50 (for IPSEC).
- Protocol: AH, value 51 (for IPSEC).
The firewall rules must not block network traffic between the routers and the private subnetworks.
Private subnetworks that will be connected by means of IPSec must be different and must not include each other.
Configuring a VPN service consists of the following steps:
Add the IKE policy¶
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “IKE POLICIES” tab.
- Click ADD IKE POLICY.
- In the dialog that opens, complete the following fields:
¶ Name Enter name of policy Encryption algorithm Select the required encryption algorithm IKE version Select the required IKE version Leave the remaining fields in their default settings.
- Click ADD.
Add the IPsec policy¶
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “IPSEC POLICIES” tab.
- Click “ADD IPSEC POLICY”.
- In the dialog that opens, complete the following fields:
¶ Name Enter name of policy Encryption algorithm Select the required encryption algorithm Leave the remaining fields in their default settings.
- Click “ADD”.
Add the VPN service¶
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “VPN SERVICES” tab.
- Click ‘ADD VPN SERVICE’.
- In the dialog that opens, complete the following fields:
¶ Name Enter name of policy Router Select the required encryption algorithm Subnet Select the required IKE version Leave the remaining fields in their default settings.
- Click “ADD”.
Warning
Ensure that the interface from the private network specified in Subnet is added to the router. Otherwise the VPN service cannot be added.
Note
Once created, the VPN service appears with the status PENDING_CREATE. Once the IPsec connection is successfully created, this status changes to ACTIVE. Therefore do not wait for it to change now but continue to the next step.
Add the IPSec connection¶
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “IPSEC SITE CONNECTIONS” tab.
- Click ADD IPSEC SITE CONNECTIONS.
- In the dialog that opens, complete the following fields:
¶ Name Enter name of connection VPN service associated with this connection The VPN service that was created in the previous step IKE policy associated with this connection The IKE policy that was created in the previous steps IPsec policy associated with this connection The IPsec policy that was created in the previous steps Peer gateway public IPv4/IPv6 Address or FQDN The public IP address of the remote side Peer router identity for authentication (Peer ID) Can be an IPv4/IPv6 address, an e-mail address, an ID key or an FQDN. Generally the IP from the previous field is used Remote peer subnet(s) Give the local network(s) of the remote side for routing. If there are several subnetworks, they must be separated by commas Pre-Shared Key (PSK) string The PSK key required between two VPN connection points Leave the remaining fields in their default settings.
- Click “ADD”.
Warning
Ensure that the interface from the private network specified in Subnet is added to the router. Otherwise the VPN service cannot be added.
Note
Once created, the VPN service appears with the status PENDING_CREATE. Once the IPsec connection is successfully created, this status changes to ACTIVE. Therefore do not wait for it to change now but continue to the next step.
Configure the VPN connection using Openstack CLI¶
All the steps described can also be performed using the Openstack CLI command-line interface..A detailed description of all steps in configuring VPNaaS is given in the official Openstack documentation.
The VPN connection from the VPNaaS service has now been created.¶
Now it is necessary to perform the configuration from the other side. Note that the parameters for the policies used in the configuration must be identical.Warning
The IPsec protocol requires that the policies and encryption algorithms created must be the same on both sides of the tunnel. If they do not match, the tunnel will not be created.