Create an IPSec Tunnel between a VDC and On-Premises Gateway
Introduction
This tutorial demonstrates configuring an IPSec site-to-site VPN Gateway for secure and encrypted communications, establishing a connection between an IONOS Cloud VDC and a simulated user-managed on-premises installation. It utilizes a managed VPN Gateway in the IONOS Cloud and a user-managed on-premises gateway.
Overview
This tutorial demonstrates the use of the following:
Components          Description
Two VDCs            - ionos-cloud-txl as IONOS's VDC.
                    - user-on-prem-lhr simulates a user-managed on-premises setup.
Managed gateways    We use a single managed gateway in ionos-cloud-txl for the cloud side.
                    For the user-managed gateway, we use the on-premises simulation, install the components, and manually configure IPSec on a virtual server to complete the setup.

Before you begin
The following information is necessary to set up an IPSec connection between a VDC and an on-premises VDC:
Components              IONOS Cloud (Left) ionos-cloud-txl   User On-Premises (Right) user-on-prem-lhr
VDC Name                ionos-cloud-txl                      user-on-prem-lhr
Gateway Public Address  203.0.113.10                         203.0.113.20
LAN ID                  1                                    Not applicable
LAN Subnet              192.168.1.0/24                       192.168.2.0/24
Gateway LAN Address     192.168.1.5                          192.168.2.5
LAN Host 1              192.168.1.11                         192.168.2.11
LAN Host 2              192.168.1.12                         192.168.2.12
Pre-Shared Key          Remember to use the appropriate key. Example: vPabcdefg123435hij565k7lmno8pq= (this sample key is used only as an example in this document; do not use it in real-world scenarios).
Reserve IP addresses
Before proceeding, ensure you have an IP block with at least one free IP address to assign to each gateway. For more information, see Reserve an IPv4 Address.
Components              IONOS Cloud (Left) ionos-cloud-txl   User On-Premises (Right) user-on-prem-lhr
Gateway Public Address  203.0.113.10                         203.0.113.20
Configure LAN
This tutorial uses 192.168.1.0/24 and 192.168.2.0/24 as the private LANs in IONOS Cloud (Left) ionos-cloud-txl and User On-Premises (Right) user-on-prem-lhr, respectively. Remember to assign an IP address from the subnet to each gateway. The chosen IP address must be outside the DHCP pool and in the range .2 - .9.
Components              IONOS Cloud (Left) ionos-cloud-txl   User On-Premises (Right) user-on-prem-lhr
LAN ID                  1                                    Not applicable
LAN Subnet              192.168.1.0/24                       192.168.2.0/24
Gateway LAN Address     192.168.1.5                          192.168.2.5
Generate Pre-Shared Key (PSK)
Our current IPSec implementation supports PSK; support for certificates is expected in the future. When provisioning gateways, ensure you generate a PSK at least 32 characters long. Optionally, you can also generate a PSK while creating an IPSec tunnel. The following commands show how to generate a PSK on Linux and Windows, respectively. Execute either of these commands:
openssl rand -base64 48
head -c 32 /dev/urandom | base64
Execution
The execution process is divided into the following steps:
1. Simulate IONOS Cloud
2. Simulate on-premises setup
3. Provision the VPN Gateway
4. Configure the VPN tunnel
5. Deploy on-premises IPSec instance
6. Configure routing on LAN hosts
1. Simulate IONOS Cloud ionos-cloud-txl
Below are some screenshots from the DCD that contain the required VDCs.
To begin with, two virtual servers on the IONOS Cloud are provisioned and connected to each other via a private LAN. In this instance, LAN1 uses a custom subnet of 192.168.1.0/24. We designate these two servers as 192.168.1.11 and 192.168.1.12, respectively.

2. Simulate on-premises user-on-prem-lhr setup
Imagine the user-on-prem-lhr VDC as a user-managed site where you provision three virtual servers. Here, we use the LAN subnet 192.168.2.0/24. The Users VPN GW has been configured with the internet-facing IP address 203.0.113.20 and the private LAN address 192.168.2.5; it is the on-premises host acting as the user-managed gateway. The two private LAN hosts are addressed as 192.168.2.11 and 192.168.2.12, respectively.

3. Provision the VPN Gateway
1. In the DCD, go to Menu > Network Services > VPN Gateway.
2. Click Create VPN Gateway from the VPN Gateways window.
3. Enter the following details:
Name: Enter a descriptive name for the gateway instance. It is not required to be globally unique but must be limited to 255 characters. Example: site_to_site
Description: Enter a descriptive text for the gateway. It is limited to 1024 characters. Example: VPN Gateway for creating an IPSec Tunnel between a VDC and on-premises gateway.
Location: Select a location from the drop-down list of available locations for VPN Gateway. Example: de/txl
IP Address: Select an IP address from the drop-down list of available public IPv4 addresses. Example: 203.0.113.10

4. Click Save and wait for the gateway to complete provisioning. The process typically takes about 8-10 minutes, but further operations on the gateway will be instantaneous.
4. Configure the VPN tunnel
Now that the VPN Gateway instance is provisioned, the next step is to configure a tunnel that permits the two sides to talk to each other. A tunnel must be configured on both gateways, but the on-premises gateway is configured using IPSec configuration files.
1. Click Create Tunnels to begin configuring a new tunnel.

Enter the following details to configure a tunnel:
Tunnel Name: Specify a name for the tunnel. It does not need to be globally unique and can be up to 255 characters long. Example: customer_site
Description: Enter more descriptive text for the peer, not exceeding 1024 characters. Example: Not applicable
Remote Host: The public IPv4 address of the remote VPN Gateway. Example: 203.0.113.20

2. Click Save to save the tunnel configuration. This operation usually takes about one to two minutes to complete.
5. Deploy on-premises IPSec instance
In this tutorial, Users VPN GW in user-on-prem-lhr acts as the user-managed gateway. It has internet access, so SSH can be used instead of the web console. Start by establishing an SSH connection to the public IPv4 address of Users VPN GW in London, and remember to forward your SSH key when establishing this session: you will need it to open a console session to the LAN hosts.
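Step 5 does not reproduce the IPSec configuration files for the on-premises gateway, so the following is an added example (not from the tutorial or from IONOS): a shell script for Users VPN GW that renders and installs a strongSwan swanctl configuration from the addresses and subnets in the tables above, rejecting a PSK shorter than the required 32 characters. It assumes strongSwan with swanctl is installed on that host; IKEv2, the cipher proposals and the file path are assumptions and must match what the managed gateway negotiates.

```shell
# Added example, not from the IONOS tutorial: render and install a strongSwan
# swanctl configuration for Users VPN GW in user-on-prem-lhr. Assumes swanctl
# is installed; IKEv2, the proposals and the file path are assumptions.
set -eu
LOCAL_PUBLIC="203.0.113.20"   # on-premises gateway public address (from the page)
REMOTE_PUBLIC="203.0.113.10"  # IONOS managed VPN Gateway public address
LOCAL_LAN="192.168.2.0/24"    # on-premises LAN subnet
REMOTE_LAN="192.168.1.0/24"   # IONOS Cloud LAN1 subnet
CONF=/etc/swanctl/conf.d/ionos-txl.conf
check_psk() { [ "${#1}" -ge 32 ]; }  # the tutorial requires a PSK of 32+ characters
# Print a swanctl.conf for the site-to-site tunnel (IKEv2, PSK authentication).
render_conf() {
    check_psk "$1" || { echo "PSK shorter than 32 characters" >&2; return 1; }
    cat <<EOF
connections {
    ionos-txl {
        version = 2
        local_addrs = ${LOCAL_PUBLIC}
        remote_addrs = ${REMOTE_PUBLIC}
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        proposals = aes256-sha256-modp2048
        children {
            lan {
                local_ts = ${LOCAL_LAN}
                remote_ts = ${REMOTE_LAN}
                esp_proposals = aes256gcm16-modp2048
                start_action = start
            }
        }
    }
}
secrets {
    ike-ionos {
        id = ${REMOTE_PUBLIC}
        secret = "$1"
    }
}
EOF
}
# The file holds the PSK, so create it unreadable to others; forwarding lets the gateway relay LAN traffic.
install_conf() {
    ( umask 077 && render_conf "$1" > "$CONF" )
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    swanctl --load-all && swanctl --initiate --child lan
}
```

Run `install_conf '<your PSK>'` as root on Users VPN GW once the same PSK is configured on the managed gateway's tunnel. The LAN hosts still need the routes from step 6: 192.168.2.0/24 via 192.168.1.5 on the cloud hosts and 192.168.1.0/24 via 192.168.2.5 on the on-premises hosts.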

6. Configure routing on LAN hosts
Currently, it is impossible to automate the addition of routes to LAN hosts to route the required subnets over the VPN Gateway. In this section, we will manually add the required routes. Remember to add them to the LAN hosts in both the VDCs.
6.1 Configure routing for IONOS Cloud LAN hosts ionos-cloud-txl
6.2 Set persistent routes
In the 6.1 Configure routing for IONOS Cloud LAN hosts ionos-cloud-txl section, we added routes that do not persist across a reboot. You must determine how to set persistent routes for your choice of operating system.
6.3 Configure routing for on-premises LAN hosts user-on-prem-lhr
Verify connectivity
You should now be able to ping hosts in the simulated on-premises setup in user-on-prem-lhr from cloud hosts in ionos-cloud-txl and vice versa.
root@lanhost1:~# ping -c 5 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12 icmp_seq=1 ttl=62 time=18.8 ms
64 bytes from 192.168.2.12 icmp_seq=2 ttl=62 time=19.3 ms
64 bytes from 192.168.2.12 icmp_seq=3 ttl=62 time=19.0 ms
64 bytes from 192.168.2.12 icmp_seq=4 ttl=62 time=18.8 ms
64 bytes from 192.168.2.12 icmp_seq=5 ttl=62 time=19.1 ms
--- 192.168.2.12 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 18.782/18.995/19.270/0.188 ms
root@lanhost1:~#
Summary
You have successfully configured a site-to-site VPN between the IONOS Cloud ionos-cloud-txl and a user-managed on-premises setup user-on-prem-lhr by utilizing a managed VPN Gateway in the cloud and a user-managed on-premises gateway.