
Configuring VPN connections in VPNaaS using endpoint groups (recommended)

By default, when configuring a VPN service in VPNaaS, only one local network can be specified. Endpoint groups are entities that allow the grouping of local networks, after which these groups can be used when configuring the IPsec connection. Here, the configuration of the connection is described using endpoint groups. The internal networks involved in the configuration (local and remote) are specified in endpoint groups.

Note

To set up an IPsec VPN connection, the following conditions must be met:

  • Network reachability between the two routers for:
    • UDP port 500 (IKE, key negotiation).
    • UDP port 4500 (IPsec NAT-Traversal).
    • IP protocol 50 (ESP, the IPsec payload).
    • IP protocol 51 (AH, IPsec).
  • Firewall rules must not block traffic between the routers and the private subnets.
  • The private subnets connected by IPsec must be distinct and must not overlap (neither may contain the other).

Configuring a VPNaaS service using endpoint groups consists of the following steps:

  • Add the IKE policy
  • Add the IPsec policy
  • Add the VPN service
  • Create an endpoint group for local networks of the cloud project
  • Create an endpoint group for remote local networks
  • Add the IPSec connection
  • Configure the VPN connection using Openstack CLI

Add the IKE policy

  1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
  2. Open the “IKE POLICIES” tab.
  3. Click “ADD IKE POLICY”.
  4. In the “Add IKE Policy” dialog that opens, complete the following fields:
     • Name: enter the policy name.
     • Encryption algorithm: select the required encryption algorithm.
     • IKE version: select the required IKE version.
     Leave the remaining fields at their default settings.
  5. Click “ADD”.

Add the IPsec policy

  1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
  2. Open the “IPSEC POLICIES” tab.
  3. Click “ADD IPSEC POLICY”.
  4. In the “Add IPSec Policy” dialog that opens, complete the following fields:
     • Name: enter the policy name.
     • Encryption algorithm: select the required encryption algorithm.
     Leave the remaining fields at their default settings.
  5. Click “ADD”.

Add the VPN service

  1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
  2. Open the “VPN SERVICES” tab.
  3. Click “ADD VPN SERVICE”.
  4. In the “Add VPN Service” dialog that opens, complete the following fields:
     • Name: enter the service name.
     • Router: select the project router that will be used.
     Leave the remaining fields at their default settings.
  5. Click “ADD”.

Note

Once created, the VPN service appears with the status PENDING_CREATE. It changes to ACTIVE only after the IPsec connection has been created successfully, so do not wait for the status to change now; continue with the next step.

Create an endpoint group for local networks of the cloud project

  1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
  2. Open the “ENDPOINT GROUPS” tab.
  3. Click “ADD ENDPOINT GROUP”.
  4. In the “Add Local Endpoint Group” dialog that opens, complete the following fields:
     • Name: enter the group name.
     • Type: select “SUBNET (FOR LOCAL SYSTEMS)”.
     • Local System Subnets: select the required local network(s) set up in the cloud project.
     Leave the remaining fields at their default settings.
  5. Click “ADD”.

Warning

Ensure that an interface for each private network selected in Local System Subnets has been added to the project router. Otherwise the later “ADD IPSEC SITE CONNECTIONS” step will fail with an error.

Create an endpoint group for remote local networks

  1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
  2. Open the “ENDPOINT GROUPS” tab.
  3. Click “ADD ENDPOINT GROUP”.
  4. In the “Add Remote Endpoint Group” dialog that opens, complete the following fields:
     • Name: enter the group name.
     • Type: select “CIDR (FOR EXTERNAL SYSTEMS)”.
     • External System CIDRs: enter the remote local network(s), separated by commas.
     Leave the remaining fields at their default settings.
  5. Click “ADD”.

Add the IPSec connection

  1. Go to “PROJECT” → “NETWORK” → “VPN” in the SIM-Cloud dashboard.
  2. Open the “IPSEC SITE CONNECTIONS” tab.
  3. Click “ADD IPSEC SITE CONNECTIONS”.
  4. In the “Add IPSec Site Connection” dialog that opens, complete the following fields:
     • Name: enter the connection name.
     • VPN service associated with this connection: the VPN service created in the previous step.
     • Endpoint group for local subnet(s): select the previously created endpoint group for the local networks of the cloud project.
     • IKE policy associated with this connection: the IKE policy created in the previous steps.
     • IPsec policy associated with this connection: the IPsec policy created in the previous steps.
     • Peer gateway public IPv4/IPv6 Address or FQDN: the public IP address of the remote side.
     • Peer router identity for authentication (Peer ID): may be an IPv4/IPv6 address, an e-mail address, a key ID or an FQDN. Usually the IP address from the previous field is used.
     • Endpoint group for remote peer CIDR(s): select the previously created endpoint group for the local networks of the remote side.
     • Pre-Shared Key (PSK) string: the PSK shared by the two VPN endpoints.
     Leave the remaining fields at their default settings.
  5. Click “ADD”.

Configure the VPN connection using OpenStack CLI

All of the steps described above can also be performed with the OpenStack command-line interface (CLI). A detailed description of every step of the VPNaaS configuration is given in the official OpenStack documentation.
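The preconditions from the note at the top of this page (disjoint private networks) and the CLI path named in this section can be combined into one script. The following is an added example, not SIM-Cloud's or OpenStack's own code: it creates the same objects as the dashboard steps (IKE policy, IPsec policy, VPN service, the two endpoint groups and the IPsec site connection) with the `openstack vpn …` commands of the neutron-vpnaas CLI plugin, after checking that the local and remote CIDRs do not overlap. The router, subnet, CIDRs, peer address and object names are constructed placeholders, the PSK is a placeholder to be supplied through the environment, and the option names should be confirmed with `openstack vpn ipsec site connection create --help` on the installed client. By default the script only prints the commands (DRY_RUN=1); source the RC file and set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: VPNaaS configuration with endpoint groups via the OpenStack CLI.
# Not SIM-Cloud's own script. Assumes an RC file has been sourced. All names and
# addresses below are constructed placeholders.
set -eu

ROUTER="${ROUTER:-project-router}"               # assumed: name of the project router
LOCAL_SUBNET="${LOCAL_SUBNET:-cloud-lan-subnet}" # assumed: Neutron subnet in the cloud project
LOCAL_CIDR="${LOCAL_CIDR:-10.10.0.0/24}"         # constructed: CIDR of that subnet
REMOTE_CIDR="${REMOTE_CIDR:-192.168.50.0/24}"    # constructed: remote office network
PEER_ADDRESS="${PEER_ADDRESS:-203.0.113.10}"     # constructed: remote gateway public IP
PSK="${PSK:-CHANGE-ME-placeholder-psk}"          # placeholder: supply the real PSK via the environment
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Convert a dotted IPv4 address to an integer (subshell keeps the IFS change local).
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds (exit 0) when two IPv4 CIDRs share at least one address, i.e. they are
# equal or one contains the other; the preconditions forbid both cases.
cidr_overlap() {
  n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
  n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
  p=$(( p1 < p2 ? p1 : p2 ))   # the shorter prefix decides containment
  mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

check_preconditions() {
  if cidr_overlap "$LOCAL_CIDR" "$REMOTE_CIDR"; then
    echo "error: $LOCAL_CIDR and $REMOTE_CIDR overlap; IPsec needs disjoint networks" >&2
    return 1
  fi
}

# Steps 1-2: IKE and IPsec policies. The algorithms chosen here must be identical
# on the remote side; options not given keep the client's defaults.
create_ike_policy() {
  run openstack vpn ike policy create --ike-version v2 --encryption-algorithm aes-256 \
    --auth-algorithm sha256 --pfs group14 ike-policy-office
}
create_ipsec_policy() {
  run openstack vpn ipsec policy create --transform-protocol esp --encapsulation-mode tunnel \
    --encryption-algorithm aes-256 --auth-algorithm sha256 --pfs group14 ipsec-policy-office
}

# Step 3: VPN service bound to the project router.
create_vpn_service() {
  run openstack vpn service create --router "$ROUTER" vpn-service-office
}

# Steps 4-5: endpoint groups (local side = subnet type, remote side = cidr type).
create_endpoint_groups() {
  run openstack vpn endpoint group create --type subnet --value "$LOCAL_SUBNET" eg-local-cloud
  run openstack vpn endpoint group create --type cidr --value "$REMOTE_CIDR" eg-remote-office
}

# Step 6: the IPsec site connection; the peer ID is the peer address, as in the dashboard.
create_site_connection() {
  run openstack vpn ipsec site connection create \
    --vpnservice vpn-service-office --ikepolicy ike-policy-office --ipsecpolicy ipsec-policy-office \
    --local-endpoint-group eg-local-cloud --peer-endpoint-group eg-remote-office \
    --peer-address "$PEER_ADDRESS" --peer-id "$PEER_ADDRESS" --psk "$PSK" \
    --initiator bi-directional ipsec-conn-office
}

# Status check: PENDING_CREATE until the remote side is configured, then ACTIVE.
show_connection_status() {
  run openstack vpn ipsec site connection show -f value -c status ipsec-conn-office
}

main() {
  check_preconditions
  create_ike_policy
  create_ipsec_policy
  create_vpn_service
  create_endpoint_groups
  create_site_connection
  show_connection_status
}
main
```

The overlap check runs before anything is created so that a misconfigured pair of networks fails fast instead of producing a connection that never leaves PENDING_CREATE; the same values passed to the policy commands must be entered on the remote router, as the warning at the end of this page requires.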

The VPN connection from the VPNaaS service has now been created

Now configure the remote side. The parameters of the policies used in the configuration must be identical on both sides.

Warning

The IPsec protocol requires that the policies and encryption algorithms created must be the same on both sides of the tunnel. If they do not match, the tunnel will not be created.


© Copyright 2016-2025, SIM-Cloud. Last updated on Feb 19, 2025.
