Configuring VPN connections in VPNaaS using endpoint groups (recommended)
By default, a VPN service in VPNaaS can be configured with only one local network. Endpoint groups allow several local networks to be grouped together, and these groups are then referenced when the IPsec connection is configured. This page describes the configuration of the connection using endpoint groups: the internal networks involved on both ends (local and remote) are specified through endpoint groups.
Note
To set up an IPsec VPN connection, the following required conditions must be met:
Network availability between routers:
- Protocol: UDP, port 500 (IKE, which negotiates and manages the encryption keys).
- Protocol: UDP, port 4500 (IPsec NAT-Traversal mode).
- Protocol: ESP, IP protocol number 50 (IPsec encrypted payload).
- Protocol: AH, IP protocol number 51 (IPsec authentication header).
The firewall rules must not block network traffic between the routers and the private subnetworks.
The private subnetworks that will be connected by means of IPsec must be different from each other and must not include (overlap) each other.
Configuring a VPNaaS service using endpoint groups consists of the following steps:
Add the IKE policy
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “IKE POLICIES” tab.
- Click “ADD IKE POLICY”.
- In the dialog that opens, complete the following fields:

| Field | Value |
|---|---|
| Name | Enter the name of the policy |
| Encryption algorithm | Select the required encryption algorithm |
| IKE version | Select the required IKE version |

Leave the remaining fields in their default settings.

- Click “ADD”.
Add the IPsec policy
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “IPSEC POLICIES” tab.
- Click “ADD IPSEC POLICY”.
- In the dialog that opens, complete the following fields:

| Field | Value |
|---|---|
| Name | Enter the name of the policy |
| Encryption algorithm | Select the required encryption algorithm |

Leave the remaining fields in their default settings.
- Click “ADD”.
Add the VPN service
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “VPN SERVICES” tab.
- Click “ADD VPN SERVICE”.
- In the dialog that opens, complete the following fields:

| Field | Value |
|---|---|
| Name | Enter the service name |
| Router | Select the project router that will be used |

Leave the remaining fields in their default settings.
- Click “ADD”.
Note
Once created, the VPN service appears with the status PENDING_CREATE. It changes to ACTIVE only after the IPsec site connection has been created successfully, so do not wait for the status to change now; continue with the next step.
Create an endpoint group for local networks of the cloud project
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “ENDPOINT GROUPS” tab.
- Click “ADD ENDPOINT GROUP”.
- In the dialog that opens, complete the following fields:

| Field | Value |
|---|---|
| Name | Enter the name of the group |
| Type | Select SUBNET (FOR LOCAL SYSTEMS) |
| Local System Subnets | Select the required local network(s) set up in the cloud project |

Leave the remaining fields in their default settings.
- Click “ADD”.
Warning
Ensure that an interface for each private network selected under Local System Subnets has been added to the router. Otherwise the ADD IPSEC SITE CONNECTIONS step will result in an error.
Create an endpoint group for the local networks of the remote side
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “ENDPOINT GROUPS” tab.
- Click “ADD ENDPOINT GROUP”.
- In the dialog that opens, complete the following fields:

| Field | Value |
|---|---|
| Name | Enter the name of the group |
| Type | Select CIDR (FOR EXTERNAL SYSTEMS) |
| External System CIDRs | Enter the local network(s) of the remote side in CIDR notation, separated by commas |

Leave the remaining fields in their default settings.
- Click “ADD”.
Add the IPsec connection
- Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
- Open the “IPSEC SITE CONNECTIONS” tab.
- Click “ADD IPSEC SITE CONNECTIONS”.
- In the dialog that opens, complete the following fields:

| Field | Value |
|---|---|
| Name | Enter the name of the connection |
| VPN service associated with this connection | The VPN service that was created in the previous steps |
| Endpoint group for local subnet(s) | Select the previously created endpoint group for the local networks of the cloud project |
| IKE policy associated with this connection | The IKE policy that was created in the previous steps |
| IPsec policy associated with this connection | The IPsec policy that was created in the previous steps |
| Peer gateway public IPv4/IPv6 Address or FQDN | The public IP address of the remote side |
| Peer router identity for authentication (Peer ID) | Can be an IPv4/IPv6 address, an e-mail address, an ID key or an FQDN. Generally the IP address from the previous field is used |
| Endpoint group for remote peer CIDR(s) | Select the previously created endpoint group for the local networks of the remote side |
| Pre-Shared Key (PSK) string | The PSK required between the two VPN connection endpoints |

Leave the remaining fields in their default settings.
- Click “ADD”.
Configure the VPN connection using the OpenStack CLI
All of the steps described above can also be performed with the OpenStack command-line interface (CLI). A detailed description of every VPNaaS configuration step is given in the official OpenStack documentation.
The VPN connection from the VPNaaS service has now been created
The connection must now be configured on the other side. Note that the parameters of the policies used in that configuration must be identical to the ones configured here.
Warning
The IPsec protocol requires that the policies and encryption algorithms be the same on both sides of the tunnel. If they do not match, the tunnel will not be established.
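The two conditions this page insists on, that the local and remote networks must not overlap each other and that the IKE/IPsec policy parameters must match on both sides, can be checked before anything is clicked or submitted. The following pre-flight check is an added example, not part of the SIM-Cloud documentation or of OpenStack; the sample networks and the policy field names are constructed for illustration.

```python
# Pre-flight check for a VPNaaS endpoint-group setup (added example, not
# from the SIM-Cloud docs or OpenStack). It verifies the two requirements
# stated on the page: no local/remote network overlap, and identical
# policy parameters on both ends of the tunnel.
import ipaddress


def check_endpoint_groups(local_subnets, remote_cidrs):
    """Return a list of problems; an empty list means the groups are usable."""
    problems = []
    # strict=True rejects host addresses such as 10.10.1.5/24
    local = [ipaddress.ip_network(c, strict=True) for c in local_subnets]
    remote = [ipaddress.ip_network(c, strict=True) for c in remote_cidrs]
    if not local or not remote:
        problems.append("each endpoint group needs at least one network")
    for loc in local:
        for rem in remote:
            # overlaps() is True for equal networks and for one inside the other,
            # which is exactly what the page forbids between the two sides
            if loc.version == rem.version and loc.overlaps(rem):
                problems.append(f"local {loc} overlaps remote {rem}")
    return problems


def check_policies(side_a, side_b):
    """Compare the IKE or IPsec policy settings of both ends; return mismatched keys."""
    keys = set(side_a) | set(side_b)
    return sorted(k for k in keys if side_a.get(k) != side_b.get(k))


# Constructed sample values (hypothetical); replace with the real project networks.
LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]
REMOTE_CIDRS = ["192.168.50.0/24", "10.10.2.128/25"]  # second one lies inside a local subnet

# Hypothetical policy dictionaries; the key names are assumptions, not an API.
IKE_CLOUD = {"ike_version": "v2", "encryption_algorithm": "aes-256",
             "auth_algorithm": "sha256", "pfs": "group14", "lifetime": 3600}
IKE_REMOTE = dict(IKE_CLOUD, encryption_algorithm="aes-128")  # deliberate mismatch

if __name__ == "__main__":
    for problem in check_endpoint_groups(LOCAL_SUBNETS, REMOTE_CIDRS):
        print("endpoint group problem:", problem)
    for key in check_policies(IKE_CLOUD, IKE_REMOTE):
        print("policy mismatch:", key, IKE_CLOUD.get(key), "vs", IKE_REMOTE.get(key))
```

Run it with the networks and policy values of both tunnel ends; any line printed corresponds to a condition under which the site connection would fail or the tunnel would not come up.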