FAQs

Fundamentals

What is a Site-to-Site VPN Gateway?

A Site-to-Site VPN Gateway is a network solution that establishes a secure, encrypted connection between two or more networks over the internet. This setup allows an on-premises network to connect securely with cloud resources, enabling seamless data transfer while ensuring data privacy and integrity. For example, IONOS VPN Gateway is a fully managed service that connects your data center or branch office to your IONOS Cloud resources using IPSec tunnels or WireGuard peers.

What VPN protocols are supported?

Our VPN Gateway supports both IPSec and WireGuard protocols. IPSec is widely used for its robust security features and flexibility, while WireGuard is known for its simplicity and high performance. These options allow you to choose the protocol that best suits your network's security and performance needs.

How does a Site-to-Site VPN enhance my network’s security?

A Site-to-Site VPN enhances network security by encrypting data traffic between your on-premises network and your cloud resources. This encryption protects data from interception and tampering during transit, ensuring that sensitive information remains confidential and secure. It also provides a secure connection for applications and services that require a high level of security.

Getting Started

How do I set up a Site-to-Site VPN Gateway using IPSec?

Setting up a Site-to-Site VPN Gateway with IPSec involves several key steps:

  1. Reserve a public IPv4 address via our Data Center Designer (DCD) or Cloud API.

  2. Create an IPSec VPN gateway, configuring it with the IP address, virtual data center, and LANs that will use the gateway.

  3. Configure the IPSec tunnels by specifying parameters such as the pre-shared key (PSK), IKE version, encryption, and integrity algorithms.

  4. Set up your on-premises VPN device to match these parameters.

  5. Establish the connection and verify that the tunnel is active by checking the tunnel status and logs.

How do I set up a Site-to-Site VPN Gateway using WireGuard?

Setting up a Site-to-Site VPN Gateway with WireGuard involves these steps:

  1. Reserve a public IPv4 address via our DCD or Cloud API.

  2. Create a WireGuard VPN gateway, configuring it with the IP address, virtual data center, and LANs that will use the gateway.

  3. Generate public and private keys for your WireGuard peers.

  4. Configure the WireGuard interface by adding peers, allowed IPs, and endpoints.

  5. Sync the configuration with your on-premises WireGuard devices.

  6. Establish the connection and verify its status by checking the tunnel status and logs.
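The peer settings from steps 4 and 5 can be reviewed before they are synced to an on-premises device. The following is an added example, not IONOS code: a small lint over a wg-quick style configuration that applies the limits stated in this FAQ (10 peers per gateway, IPv4-only tunnel endpoints) and flags overlapping AllowedIPs. The sample configuration, addresses and the key placeholder are constructed, and endpoints are assumed to be written as IP literals.

```python
import ipaddress

MAX_PEERS = 10  # FAQ limit: WireGuard peers per gateway

def parse_peers(text):
    """Return one dict of lower-cased keys per [Peer] section."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return peers

def lint(text):
    """Return review findings for a wg-quick style configuration."""
    peers, findings, seen = parse_peers(text), [], []
    if len(peers) > MAX_PEERS:
        findings.append(f"{len(peers)} peers, limit is {MAX_PEERS}")
    for n, peer in enumerate(peers, 1):
        try:  # the FAQ states tunnel endpoints are IPv4 only
            ipaddress.IPv4Address(peer.get("endpoint", "").rsplit(":", 1)[0])
        except ValueError:
            findings.append(f"peer {n}: Endpoint is missing or not an IPv4 literal")
        for item in peer.get("allowedips", "").replace(",", " ").split():
            net = ipaddress.ip_network(item, strict=False)
            for m, other in seen:  # AllowedIPs select the peer, so overlaps need review
                if m != n and net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps {other} of peer {m}")
            seen.append((n, net))
    return findings

# Constructed sample; the key values are placeholders, not real keys.
SAMPLE = """[Interface]
PrivateKey = <on-prem-private-key>
[Peer]
PublicKey = <gateway-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.7.0.0/16
[Peer]
PublicKey = <second-peer-public-key>
Endpoint = [2001:db8::1]:51820
AllowedIPs = 10.7.222.0/24, fd00::/64
"""
```

Calling `lint(SAMPLE)` returns two findings for the second peer: the IPv6 endpoint and the 10.7.222.0/24 prefix that falls inside the first peer's 10.7.0.0/16.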

Can I use both IPSec and WireGuard tunnels simultaneously?

Yes, you can use both IPSec and WireGuard tunnels simultaneously to connect resources between the same virtual data center networks and remote networks. This setup requires creating and configuring separate VPN gateway instances for each protocol, allowing you to take advantage of the unique benefits of each protocol.

How much does a VPN gateway cost?

The cost of a VPN Gateway is determined by the lifetime of the instance and the amount of egress traffic. For detailed pricing information, please refer to our Price List.

Are there limits to how many LANs I can connect to a given VPN gateway?

Yes, you can connect up to five LANs to a single VPN gateway. All LANs must belong to the same virtual data center, ensuring streamlined management and configuration.

Are there limits to how many tunnels I can create for a given VPN gateway?

You can create up to 10 IPSec tunnels or WireGuard peers per gateway. This allows for extensive connectivity options while maintaining manageable configurations.

Is there a VPN Gateway API for automation?

Yes, we provide a comprehensive VPN Gateway API, along with a Go SDK and Terraform tooling. These tools enable automation of various gateway-related tasks, ensuring seamless integration with your DevOps workflow and simplifying the management of VPN gateways.

Is dual stack supported?

Yes, our VPN Gateway supports both IPv4 and IPv6, allowing your traffic to be sent across both network types. This capability helps future-proof your services and ensures broad accessibility. Note that tunnel endpoint and Gateway IP addresses are IPv4 only.

What routing options are available for the VPN gateway?

Currently, only static routing is available for the VPN gateway. Dynamic routing protocols like BGP are not supported at this time.

Can I use VPN Gateway to connect virtual data centers in different IONOS locations or regions?

Yes, you can connect virtual data centers (VDCs) across different IONOS locations or regions. There are no region constraints, allowing one VDC to connect to another, regardless of their geographical location.

Security

How secure is the Site-to-Site VPN Gateway?

Our VPN Gateway employs industry-standard encryption techniques to ensure data security. IPSec uses strong encryption algorithms such as AES-256, while WireGuard leverages modern cryptographic primitives like ChaCha20 and Poly1305. These methods provide high levels of data security, protecting your information during transit.

Can I customize encryption and hashing algorithms for IPSec tunnels?

Yes, you can customize the encryption and integrity algorithms used in IPSec tunnels. Supported algorithms include AES-128, AES-256, SHA-256, SHA-384, and SHA-512. These settings can be configured in the DCD or through the Cloud API, allowing you to tailor security to your specific requirements.

How does the VPN Gateway ensure data integrity over the connection?

The VPN Gateway ensures data integrity through cryptographic hashing algorithms like SHA-256, SHA-384, and SHA-512. These algorithms verify that data has not been altered during transit, providing a secure communication channel and maintaining data integrity.

How does my IPSec VPN tunnel get authenticated?

Our VPN gateway uses pre-shared key (PSK) authentication. To authenticate your IPSec VPN tunnel, you must generate a PSK and provide it during the creation of the tunnel. For security, it is recommended to use a strong 32-character pre-shared key.

Which IKE version is supported for the IPSec VPN gateway?

Our IPSec VPN gateway supports IKEv2, a modern and secure version of the Internet Key Exchange protocol.

Yes, access management is possible. Contract owners and administrators can enable access for sub-users by providing the “Access and Manage VPN” group privilege. Detailed information on setting up access management can be found in our guide. Additionally, you can view audit logs for VPN operations via the Activity log functionality, ensuring transparency and accountability.

Does the VPN service store or process customer data?

No, our VPN service does not store or process customer data. It is designed to provide secure and private connections without handling or retaining user data.

Performance and Scalability

What are the performance considerations for using IPSec vs. WireGuard?

WireGuard is known for its high performance and simplicity, offering lower overhead and faster connection setup times. IPSec, while more established, provides robust security and broader configurability but may have higher processing overhead. The choice between IPSec and WireGuard depends on your specific use cases and performance requirements.

Does the VPN Gateway support automatic failover?

During the limited access phase, our VPN Gateway does not support automatic failover. However, this feature will be available during general availability, ensuring high availability by automatically rerouting traffic through a backup tunnel if one tunnel goes down.

What should I consider for optimal VPN Gateway performance?

For optimal VPN Gateway performance, consider the following:

  • Ensure appropriate bandwidth on both ends of the connection.

  • Select the right encryption and integrity algorithms based on your performance needs.

  • Regularly monitor your VPN connections and adjust configurations as needed to handle traffic load.

What is the approximate maximum throughput of a Site-to-Site VPN connection?

Each tunnel supports a maximum throughput of up to 1 Gbps, providing high-speed connectivity for data-intensive applications.

What factors affect the throughput of my VPN connection?

Several factors can influence VPN connection throughput, including the capability of your remote gateway, the bandwidth capacity of your connection, the average packet size, the protocol in use (TCP vs. UDP), and the network latency between the VPN Gateway and the remote network.

Troubleshooting

What should I do if the VPN connection is down?

If the VPN connection is down, follow these troubleshooting steps:

  1. Verify that the configuration settings on both sides of the tunnel match.

  2. Check network connectivity, static routes, and firewall rules.

  3. Ensure that the pre-shared keys and encryption algorithms are correctly configured.

  4. Review logs for any error messages and diagnostic information.

  5. If issues persist, contact our support team for further assistance.
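Steps 1 and 3 above, together with the IPSec setup parameters (PSK, IKE version, encryption and integrity algorithms), can be checked mechanically. The following is an added example, not IONOS code: it generates a 32-character PSK and compares the two sides of a tunnel against the values this FAQ lists as supported. The dictionary keys and the sample settings are assumptions made for the example, not IONOS API fields.

```python
import hmac
import secrets
import string

# Values the FAQ lists as supported; the dictionary keys used below are
# assumed names for this example, not IONOS API fields.
SUPPORTED = {
    "ike_version": {"IKEv2"},
    "encryption": {"AES-128", "AES-256"},
    "integrity": {"SHA-256", "SHA-384", "SHA-512"},
}
PSK_LENGTH = 32  # the FAQ recommends a strong 32-character PSK

def generate_psk(length=PSK_LENGTH):
    """Return a random alphanumeric PSK drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def check_tunnel(cloud, onprem):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for field, allowed in SUPPORTED.items():
        for side, cfg in (("cloud", cloud), ("on-prem", onprem)):
            if cfg.get(field) not in allowed:
                findings.append(f"{side}: {field}={cfg.get(field)!r} is not supported")
        if cloud.get(field) != onprem.get(field):
            findings.append(f"mismatch: {field}")
    a, b = cloud.get("psk", ""), onprem.get("psk", "")
    # Constant-time comparison; the key itself never appears in a finding.
    if not hmac.compare_digest(a.encode(), b.encode()):
        findings.append("mismatch: psk")
    if min(len(a), len(b)) < PSK_LENGTH:
        findings.append(f"psk shorter than {PSK_LENGTH} characters")
    return findings

# Constructed sample: the on-prem device was left on IKEv1 with SHA-1,
# and its PSK picked up a trailing space when it was pasted.
psk = generate_psk()
cloud_side = {"ike_version": "IKEv2", "encryption": "AES-256",
              "integrity": "SHA-256", "psk": psk}
onprem_side = {"ike_version": "IKEv1", "encryption": "AES-256",
               "integrity": "SHA-1", "psk": psk + " "}

if __name__ == "__main__":
    for finding in check_tunnel(cloud_side, onprem_side):
        print(finding)
```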
