
VPN Customer Gateway


What is a VPN Customer Gateway?

In the Antyxsoft Cloud Platform, a VPN Customer Gateway is a configuration that allows secure connectivity between your on-premises network (or another external network) and your VPC. It acts as the endpoint on the customer’s side for a VPN connection, enabling encrypted communication over the internet. By setting up a VPN Customer Gateway, you can establish a secure IPsec tunnel between your cloud environment and your external network, facilitating safe data transfer, remote access, and hybrid cloud setups.

Accessing the VPN Customer Gateway settings

To create a VPN Gateway, follow these steps:

  1. Log in to the portal.
  2. From the side panel click on Networks.

  3. Navigate to VPN Customer Gateway.

  4. Click the plus (+) button at the top right to open a form where you enter the required details for the VPN Gateway creation.

  • Project: Select the Project that the Gateway will be created for.
  • Zone: Select the zone where the Gateway will be created.
  • Name: Enter the name of the newly created VPN Customer Gateway.
  • CIDR List: The guest CIDR list of the remote subnets. Enter a CIDR or a comma-separated list of CIDRs. Ensure that the guest CIDR list does not overlap with the VPC’s CIDR or another guest CIDR. The CIDR must be RFC1918-compliant.
  • Gateway: The IP address for the remote gateway.
  • IPsec Preshared Key: Preshared keying is a method where the endpoints of the VPN share a secret key. This key value is used to authenticate the customer gateway and the VPC VPN gateway to each other. The sequence cannot contain a newline or double-quote.
  • IKE Lifetime: The phase-1 lifetime of the security association in seconds. Default is 86400 seconds (1 day). Whenever the time expires, a new phase-1 exchange is performed.
  • ESP Lifetime: The phase-2 lifetime of the security association in seconds. Default is 3600 seconds (1 hour). Whenever the value is exceeded, a re-key is initiated to provide new IPsec encryption and authentication session keys.
  • IKE Encryption: The Internet Key Exchange (IKE) policy for phase-1.
  • IKE Hash: The IKE hash for phase-1.
  • IKE Version: Select the IKE version that will be used.
  • IKE DH: Set the Diffie-Hellman group number. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an insecure communications channel.
  • Perfect Forward Secrecy: Perfect Forward Secrecy (PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of those long-term keys is later compromised. This property enforces a new Diffie-Hellman key exchange. It provides keying material with a longer life and therefore greater resistance to cryptographic attacks.
  • ESP Encryption: Encapsulating Security Payload (ESP) algorithm within phase-2.
  • ESP Hash: Encapsulating Security Payload (ESP) hash for phase-2.
  • Dead Peer Detection: A method to detect an unavailable Internet Key Exchange (IKE) peer. Select this option if you want the virtual router to query the liveness of its IKE peer at regular intervals. It’s recommended to have the same DPD configuration on both sides of the VPN connection.
  • Force Encapsulation: Force encapsulation for NAT traversal.
  • Split Connections: Route specific traffic (CIDR List option) through the VPN, while other traffic accesses the internet directly for improved performance and flexibility.

ESP and IKE details must be the same on both sites.

Project and Zone can't be changed after creation! Make sure that the VPC you want to make the IPsec connection to is in the same zone as the VPN Customer Gateway.

Once you enter the required details, click on the Save button.
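
The CIDR List and IPsec Preshared Key rules listed above can be checked offline before the form is submitted. The following Python code is an added example, not part of the Antyxsoft platform or its documentation; the function name, its parameters and the sample values are assumptions, and "another guest CIDR" is read here as covering both other entries in the same list and any CIDRs passed in `other_guest_cidrs`.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_gateway_values(cidr_list, vpc_cidr, psk, other_guest_cidrs=()):
    """Return a list of problems; an empty list means the documented rules hold.

    All names here are hypothetical; they are not a platform API.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    # Guest CIDRs already in use elsewhere, plus those accepted from this list.
    taken = [ipaddress.ip_network(c, strict=False) for c in other_guest_cidrs]

    for raw in cidr_list.split(","):
        text = raw.strip()
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            problems.append(f"{text!r} is not a valid CIDR")
            continue
        # Version check first: subnet_of() raises TypeError on mixed versions.
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{net} is not inside an RFC 1918 range")
        if net.overlaps(vpc):
            problems.append(f"{net} overlaps the VPC CIDR {vpc}")
        for other in taken:
            if net.overlaps(other):
                problems.append(f"{net} overlaps guest CIDR {other}")
        taken.append(net)

    # The form does not accept these two characters in the preshared key.
    for bad, label in (('"', "double-quote"), ("\n", "newline")):
        if bad in psk:
            problems.append(f"preshared key contains a {label}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for p in check_gateway_values("192.168.10.0/24, 10.0.1.0/24, 8.8.8.0/24",
                                  "10.0.0.0/16", 'sample"key'):
        print(p)
```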

Connecting to a Site-to-Site VPN

After creating a VPN Customer Gateway, do the following to establish the connection between the sites:

  1. Navigate to the target VPC.
  2. Click on the VPN Connections menu.

  3. Click on the + Add Site To Site VPN button located at the top right.
  4. Select the VPN Customer Gateway that you created for the VPC.

  5. Once you click on Save, the VPN Customer Gateway will be added to the VPC. You can view the necessary information to connect to it. From Actions you can also delete or reset the connection.