Configuring VPN connections in VPNaaS without use of endpoint groups (legacy way)

Endpoint groups are entities that allow the grouping of local networks, after which these groups can be used when configuring the IPsec connection. Here, the configuration of the connection is described without endpoint groups. Local networks that participate in the configuration are specified directly, in appropriate fields.

Note

To set up an IPsec VPN connection, the following required conditions must be met:

• Network availability between routers:

  • Protocol: UDP, port 500 (for IKE, to manage encryption keys).
  • Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode).
  • Protocol: ESP, value 50 (for IPSEC).
  • Protocol: AH, value 51 (for IPSEC).

• The firewall rules must not block network traffic between the routers and the private subnetworks.

• Private subnetworks that will be connected by means of IPSec must be different and must not include each other.

Configuring a VPN service consists of the following steps:

• Add the IKE policy
• Add the IPsec policy
• Add the VPN service
• Add the IPSec connection
• Configure the VPN connection using Openstack CLI

Add the IKE policy

1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
2. Open the “IKE POLICIES” tab.
3. Click ADD IKE POLICY.
4. In the dialog that opens, complete the following fields:

“Add IKE Policy”

Name	Enter name of policy
Encryption algorithm	Select the required encryption algorithm
IKE version	Select the required IKE version

Leave the remaining fields in their default settings.

5. Click ADD.

Add the IPsec policy

1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
2. Open the “IPSEC POLICIES” tab.
3. Click “ADD IPSEC POLICY”.
4. In the dialog that opens, complete the following fields:

“Add IPSec Policy”

Name	Enter name of policy
Encryption algorithm	Select the required encryption algorithm

Leave the remaining fields in their default settings.

5. Click “ADD”.

Add the VPN service

1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
2. Open the “VPN SERVICES” tab.
3. Click ‘ADD VPN SERVICE’.
4. In the dialog that opens, complete the following fields:

“Add IKE Policy”

Name	Enter name of policy
Router	Select the required encryption algorithm
Subnet	Select the required IKE version

Leave the remaining fields in their default settings.

5. Click “ADD”.

Warning

Ensure that the interface from the private network specified in Subnet is added to the router. Otherwise the VPN service cannot be added.

Note

Once created, the VPN service appears with the status PENDING_CREATE. Once the IPsec connection is successfully created, this status changes to ACTIVE. Therefore do not wait for it to change now but continue to the next step.

Add the IPSec connection

1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
2. Open the “IPSEC SITE CONNECTIONS” tab.
3. Click ADD IPSEC SITE CONNECTIONS.
4. In the dialog that opens, complete the following fields:

“Add IPSec Site Connection”

Name	Enter name of connection
VPN service associated with this connection	The VPN service that was created in the previous step
IKE policy associated with this connection	The IKE policy that was created in the previous steps
IPsec policy associated with this connection	The IPsec policy that was created in the previous steps
Peer gateway public IPv4/IPv6 Address or FQDN	The public IP address of the remote side
Peer router identity for authentication (Peer ID)	Can be an IPv4/IPv6 address, an e-mail address, an ID key or an FQDN. Generally the IP from the previous field is used
Remote peer subnet(s)	Give the local network(s) of the remote side for routing. If there are several subnetworks, they must be separated by commas
Pre-Shared Key (PSK) string	The PSK key required between two VPN connection points

Leave the remaining fields in their default settings.

5. Click “ADD”.

Warning

Ensure that the interface from the private network specified in Subnet is added to the router. Otherwise the VPN service cannot be added.

Note

Once created, the VPN service appears with the status PENDING_CREATE. Once the IPsec connection is successfully created, this status changes to ACTIVE. Therefore do not wait for it to change now but continue to the next step.

Configure the VPN connection using Openstack CLI

All the steps described can also be performed using the Openstack CLI command-line interface..

A detailed description of all steps in configuring VPNaaS is given in the official Openstack documentation.

The VPN connection from the VPNaaS service has now been created.

Now it is necessary to perform the configuration from the other side. Note that the parameters for the policies used in the configuration must be identical.

Warning

The IPsec protocol requires that the policies and encryption algorithms created must be the same on both sides of the tunnel. If they do not match, the tunnel will not be created.