Log inSign up

Create an IPSec Tunnel between a VDC and On-Premises Gateway

Introduction

This tutorial demonstrates configuring an IPSec site-to-site VPN Gateway for secure and encrypted communications, establishing a connection between an IONOS Cloud VDC and a simulated user-managed on-premises installation. It utilizes a managed VPN Gateway in the IONOS Cloud and a user-managed on-premises gateway.

Overview

This tutorial demonstrates the use of the following:

Components

Description

Two VDCs

- ionos-cloud-txl as IONOS's VDC. - user-on-prem-lhr simulates a user-managed on-premises setup.

Managed gateways

We use a single managed gateway in ionos-cloud-txl for the cloud side. For a user-managed gateway, we use on-premises simulation, install the components, and manually configure IPSec on a virtual server to complete the setup.

Architecture depicts IONOS Cloud and on-premises simulation connected over an IPSec tunnel

Before you begin

The following information is necessary to set up an IPSec connection between a VDC and on-premises VDC:

Components

IONOS Cloud (Left) ionos-cloud-txl

User On-Premises (Right) user-on-prem-lhr

VDC Name

ionos-cloud-txl

user-on-prem-lhr

Gateway Public Address

203.0.113.10

203.0.113.20

LAN ID

1

Not applicable

LAN Subnet

192.168.1.0/24

192.168.2.0/24

Gateway LAN Address

192.168.1.5

192.168.2.5

LAN Host 1

192.168.1.11

192.168.2.11

LAN Host 2

192.168.1.12

192.168.2.12

Pre-Shared Key

Remember to use the appropriate key.

Example: vPabcdefg123435hij565k7lmno8pq=. This is a sample key used as an example in this document. Do not use this key for real-world scenarios.

Note:

  • Ensure that the IONOS Cloud (Left) and User On-Premises (Right) LAN subnets are unique and do not overlap.

  • Using the same subnet CIDR in the IONOS Cloud (Left) or User On-Premises (Right) does not work. In such a scenario, we recommend either of the following options:

    • Move one of them to a different subnet.

    • Add an additional network connection to LAN hosts on one side using a unique subnet, and then route the unique subnet via the VPN Gateway.

Reserve IP addresses

Before proceeding, ensure you have an IP block with at least one free IP address to assign to each gateway. For more information, see Reserve an IPv4 Address.

IONOS Cloud (Left) ionos-cloud-txl Gateway Public Address

User On-Premises (Right) user-on-prem-lhr Gateway Public Address

203.0.113.10

203.0.113.20

Configure LAN

This tutorial uses 192.168.1.0/24 and 192.168.2.0/24 for private LANs in IONOS Cloud (Left) ionos-cloud-txl and User On-Premises (Right) user-on-prem-lhr respectively. Remember to assign an IP address from the subnet to each gateway. The chosen IP address must be outside the DHCP pool and range from .2 - .9.

Components

IONOS Cloud (Left) ionos-cloud-txl

User On-Premises (Right) user-on-prem-lhr

LAN ID

1

Not applicable

LAN Subnet

192.168.1.0/24

192.168.2.0/24

Gateway LAN Address

192.168.1.5

192.168.2.5

Generate Pre-Shared Key (PSK)

Our current IPSec implementation supports PSK (which is expected to support certificates in the future). When provisioning gateways, ensure you generate a PSK at least 32 characters long. Optionally, you can also generate a PSK while creating an IPSec tunnel. The following commands explain how to generate PSK for Linux and Windows, respectively:

Execute either of these commands:

openssl rand -base64 48 
head -c 32 /dev/urandom | base64

Execution

The execution process is divided into the following steps:

1. Simulate IONOS Cloud 2. Simulate on-premises setup 3. Provision the VPN Gateway 4. Configure the VPN tunnel 5. Deploy on-premises IPSec instance 6. Configure routing on LAN hosts

1. Simulate IONOS Cloud ionos-cloud-txl

Below are some screenshots from the DCD that contains the required VDCs.

To begin with, two virtual servers on the IONOS Cloud are provisioned and connected to each other via a private LAN. In this instance, LAN1 uses a custom subnet of 192.168.1.0/24. We designate these two servers as 192.168.1.11 and 192.168.1.12, respectively.

Configuration on IONOS Cloud

2. Simulate on-premises user-on-prem-lhr setup

Imagine the user-on-prem-lhr VDC as a user-managed site where you provision three virtual servers. Here, we will use the LAN subnet 192.168.2.0/24. The Users VPN GW has been configured with internet access IP address: 203.0.113.20 and a private LAN address of 192.168.2.5, this will function as the on-premises host acting as a user-managed gateway. The two private LAN hosts are addressed as 192.168.2.11 and 192.168.2.12, respectively.

Configuration on a user-managed on-premises setup

3. Provision the VPN Gateway

1. In the DCD, go to Menu > Network Services > VPN Gateway.

2. Click Create VPN Gateway from the VPN Gateways window.

3. Enter the following details:

Components

Description

Example

Name

Enter a descriptive name for the gateway instance. It is not required to be globally unique but must be limited to 255 characters.

site_to_site

Description

Enter a descriptive text for the gateway. It is limited to 1024 characters.

VPN Gateway for creating an IPSec Tunnel between a VDC and on-premises gateway.

Location

Select a location from the drop-down list of available locations for VPN Gateway.

de/txl

IP Address

Select an IP address from the drop-down list of available public IPv4 addresses.

203.0.113.10

Define properties

4. Click Save and wait for the gateway to complete provisioning. The process typically takes about 8-10 minutes, but further operations on the gateway will be instantaneous.

4. Configure the VPN tunnel

Now that the VPN Gateway instance is provisioned, the next step is to configure a tunnel to permit the two sides to talk to each other. We will need to configure a tunnel on both gateways, but the on-premises will be configured using IPSec configuration files.

1. Click Create Tunnels to begin configuring a new tunnel.

Configure a tunnel

Enter the following details to configure a tunnel:

Components

Description

Example

Tunnel Name

Specify a name for the tunnel. It does not need to be globally unique and can be up to 255 characters long.

customer_site

Description

Enter more descriptive text for the peer, not exceeding 1024 characters.

Not applicable

Remote Host

The public IPv4 address of the remote VPN Gateway.

203.0.113.20

Configure tunnel properties

2. Click Save to save the tunnel configuration. This operation usually takes about one to two minutes to complete.

5. Deploy on-premises IPSec instance

In this tutorial, Users VPN GW in user-on-prem-lhr acts as a user-managed gateway. It has internet access, so SSH can be used instead of the web console. Start establishing an SSH connection to Users VPN GW's public IPv4 address in London, remember to forward your ssh key when establishing this session. You will need this key while establishing a console session to the LAN hosts.

Deploy on-premises IPSec instance
5.1 Install pre-requisite software

Note: This tutorial performs a basic install and setup of Strongswan on Ubuntu. It is neither an in-depth guide nor does it contain detailed information about the configuration files' content. It is an exercise for the reader to determine the correct installation procedure for a secure production environment.

Update the package lists and install the required packages:

apt-get update
apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y
5.2 Enable IP Forwarding

The VPN Gateway acts as a router and, therefore, is required to forward packets:

sysctl -w net.ipv4.ip_forward=1

This tutorial does not use an IPv6 address. If you intend to use one, ensure net.ipv6.config.all.forwarding=1 exists.

5.3 Configure IPSec

This tutorial will walk you through specific options for configuring IPSec, but the rest of the configuration remains an exercise for the reader. This section contains the configuration files and content specific to this installation and peer setup.

1. Populate secrets file

Currently, IPSec supports only pre-shared Keys (PSK), so ensure the /etc/ipsec.secrets file contains the key, so IPSec can read it from the file:

203.0.113.10 203.0.113.20 : PSK "vPabcdefg123435hij565k7lmno8pq="

2. Populate IPSec config file

Next, populate the /etc/ipsec.conf file. This file contains a basic config setup section and a conn section that defines the configuration of the remote tunnel.

config setup
    charondebug=all
    uniqueids=yes
 
conn ionos-cloud-de-txl-demo
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    right=203.0.113.20
    rightsubnet=192.168.2.0/24
    ike=aes128ctr-sha256-modp3072
    esp=aes128ctr-sha256-modp3072
    aggressive=no
    keyingtries=%forever
    ikelifetime=86400s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

3. Enable and start the IPSec service

Run the following commands to start IPSec and ensure it also starts on boot:

systemctl enable ipsec
systemctl start ipsec

4. Verify status of the tunnel connection

Run the ipsec status command to check if the tunnel connection is established.

root@users-vpn-gw# ipsec status
Security Associations (1 up, 0 connecting):
d44-5c8-48-87-28f9[2]: ESTABLISHED 3 minutes ago, 203.0.113.20[203.0.113.20]...203.0.113.10[203.0.113.10]
d44-5c8-48-87-28f9{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8f59a5e_i caa486ae_o
d44-5c8-48-87-28f9{2}:   192.168.2.0/24 === 192.168.1.0/24

6. Configure routing on LAN hosts

Currently, it is impossible to automate the addition of routes to LAN hosts to route the required subnets over the VPN Gateway. In this section, we will manually add the required routes. Remember to add them to the LAN hosts in both the VDCs.

6.1 Configure routing for IONOS Cloud LAN hosts ionos-cloud-txl

Step 1: Establish a console session to the LAN host(s)

We will use the web console to test connectivity for the LAN hosts without internet access. Open a console session and ping the LAN address assigned to the VPN Gateway, 192.168.1.5. Begin by pinging the IP address: 

root@lanhost1:~# ping -c 3 192.168.1.5 
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5 icmp_seq=1 ttl=64 time=0.456 ms
64 bytes from 192.168.1.5 icmp_seq=2 ttl=64 time=0.352 ms
64 bytes from 192.168.1.5 icmp_seq=3 ttl=64 time=0.503 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.352/0.437/0.503/0.063 ms
root@lanhost1:~#
Step 2: Configure the VPN route

The LAN host(s) must know where to route the traffic. To accomplish this, we will add a route for the user-on-prem-lhr LAN subnet (192.168.2.0/24) via the ionos-cloud-txl gateway's LAN address (192.168.1.5):

ip route add 192.168.2.0/24 via 192.168.1.5

We cannot ping hosts in the user-on-prem-lhr region because those servers do not yet know how to route the traffic. To resolve this issue, continue adding routes for LAN hosts in user-on-prem-lhr.

6.2 Set persistent routes

In the 6.1 Configure routing for IONOS Cloud LAN hosts ionos-cloud-txl section, we added routes that will not persist during a reboot. You must determine how to set persistent routes for your choice of operating system.

Persistent routes

First, add the configuration to your system's appropriate network or routing configuration files to set persistent routes. The exact method depends on your operating system. The following examples show how to make a route persistent across reboots for Debian, Ubuntu, CentOS, and RHEL.

Debian/Ubuntu

You can add the route to any of the following:

  • the /etc/network/interfaces file.

  • in a specific file under /etc/network/. Example: /etc/network/interfaces.d/.

  • use the ip route command in a startup script. Example: /etc/rc.local.

Example of /etc/network/interfaces:

{{auto eth0 
iface eth0 inet static 
address 192.168.1.11 
netmask 255.255.255.0 
post-up ip route add 192.168.2.0/24 via 192.168.1.5}}

CentOS/RHEL

You can add the route in /etc/sysconfig/network-scripts/route-eth0 and adjust it according to the relevant interface. Example: 192.168.2.0/24 via 192.168.1.5.

Save the configuration file changes and restart the network service to apply the changes.

6.3 Configure routing for on-premises LAN hosts user-on-prem-lhr

Note: Configure the host acting as a user-managed gateway, as it can already route traffic based on the IPSec configuration. This section focuses solely on the other on-premises hosts connected to the same LAN.

Step 1: Establish a console session to the LAN hosts

The user-managed gateway user-on-prem-lhr is connected to the internet and can be used as a jump-host to reach the on-premises LAN hosts. From the user-managed gateway, establish an SSH connection to the first LAN host 192.168.2.11, alternatively you may use the web console to login to the LAN hosts.

You can test the connectivity to the LAN address assigned to the user-managed gateway VPN Gateway user-on-prem-lhr using a console session. In this case, the user-managed gateway address is 192.168.2.5. Let us begin by attempting to ping this IP address.

root@users-vpn-gw# ssh 192.168.2.11
root@lanhost1# ping 192.168.2.5
PING 192.168.2.5 (192.168.2.5) 56(84) bytes of data.
64 bytes from 192.168.2.5 icmp_seq=1 ttl=62 time=0.239 ms
64 bytes from 192.168.2.5 icmp_seq=2 ttl=62 time=0.296 ms
64 bytes from 192.168.2.5 icmp_seq=3 ttl=62 time=0.268 ms
64 bytes from 192.168.2.5 icmp_seq=4 ttl=62 time=0.369 ms

--- 192.168.2.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.352/0.437/0.503/0.063 ms
root@lanhost1:~#
Step 2: Configure the VPN route

The LAN host(s) must know where to route return traffic. Hence, we will add a route for the ionos-cloud-txl LAN subnet (192.168.1.0/24) via the user-on-prem-lhr user-managed gateway's LAN address (192.168.2.5).

ip route add 192.168.1.0/24 via 192.168.2.5

Repeat this process for all on-premises LAN hosts that need to send or receive traffic over the tunnel. At this point, the two sites can establish complete connectivity via the VPN Gateway.

Verify connectivity

You should now be able to ping hosts in the simulated on-premises setup in user-on-prem-lhr from cloud hosts in ionos-cloud-txl and vice-versa.

root@lanhost1:~# ping -c 5 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12 icmp_seq=1 ttl=62 time=18.8 ms
64 bytes from 192.168.2.12 icmp_seq=2 ttl=62 time=19.3 ms
64 bytes from 192.168.2.12 icmp_seq=3 ttl=62 time=19.0 ms
64 bytes from 192.168.2.12 icmp_seq=4 ttl=62 time=18.8 ms
64 bytes from 192.168.2.12 icmp_seq=5 ttl=62 time=19.1 ms

--- 192.168.2.12 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 18.782/18.995/19.270/0.188 ms
root@lanhost1:~#

Summary

You have successfully configured a site-to-site VPN between the IONOS Cloud ionos-cloud-txl and a user-managed on-premises setup user-on-prem-lhr by utilizing a managed VPN Gateway in the cloud and a user-managed on-premises gateway.

Note: Ensure you remove the VPN Gateway before attempting to delete VMs, LANs, or the VDC.

PreviousTutorialsNextCreate an IPSec Tunnel between two VDCs

Last updated

Was this helpful?