# Create an IPsec VPN Connection

This article explains how to create an IPsec VPN connection in the IONOS Cloud Panel to ensure a stable and secure connection to your IONOS Private Cloud and the vSphere management network.

OpenVPN is used by default for the connection to the vSphere management network of Private Cloud, which only allows one end device connection at a time. Alternatively, you can create an **IPsec VPN connection** in the Cloud Panel to establish a connection to vSphere. The IPsec VPN service integrated in Cloud Panel uses an automatically provided VyOS backend gateway. This makes it possible to establish one or more IPsec connections to different endpoints. To create an IPsec VPN connection, complete the following:

## Preparation

1. Log in to your [IONOS CLOUD account](https://dcd.ionos.com).
2. In the [**Data Center Designer (DCD)**](https://docs.ionos.com/cloud/support/general-information/glossary-of-terms#data-center-designer-dcd), go to **Menu** > **Private Cloud** > **Login**.
3. Log in to the [Cloud Panel](https://cloudpanel.ionos.de/login) with your credentials.
4. Click **Menu > Servers & Cloud** in the title bar.
5. **Optional:** If you have multiple server contracts, select the desired contract.
6. Click **Private Cloud Network > IPsec VPN** in the navigation bar on the left. The IPsec VPN area is displayed.
7. Click **Create**. The Create IPsec VPN area is displayed.

![The Create button is highlighted on the IPsec VPN page](/files/66A35VewTtvJMYLA23yT)

## Enter Configuration Data

In this section, you define the basic parameters of the connection.

1. Enter a unique name for the IPsec VPN connection in the **Name** field.
2. Some networks use NAT (Network Address Translation). This means that the devices in your network use a private IP address, but communicate with the outside world (the Internet) via a single public IP address.

* **Activate NAT** if the device that establishes the VPN tunnel (example: your router or firewall) uses a private IP address, which is then translated to establish the tunnel. In this case, it is often necessary to specify a remote identifier so that the IONOS Cloud system can forward the VPN traffic correctly.
* **Deactivate NAT** if the device setting up the VPN tunnel has a public IP address. This is the default configuration for most home and office networks, so you do not usually need to tick this checkbox.

3. If you activate the NAT option, the **Remote identifier** field is displayed. Enter the private IP address used by the device in this field.
4. Enter the public IP address of your network device (router/firewall) in the **Remote address** field. This is the endpoint from which you connect to IONOS Private Cloud.
5. In the **Remote network** field, enter the private IP address range of your local network in CIDR notation. This is the address range that your router uses for the devices in your network. Example: `10.22.0.0/19`
6. **Optional:** To add further remote networks, click on **Add**.

![The Add button is highlighted on the Create IPsec VPN page](/files/mRo3hkvLJYsEttvjgcpW)
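The following pre-flight check for the values entered in the steps above is an added example, not IONOS code. The function name, its parameters, the reading of "private" as RFC 1918, and the overlap check are assumptions made for illustration.

```python
import ipaddress

# "Private" is read here as RFC 1918 (an assumption; the page does not define it).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(obj):
    """True for an IPv4 address or network that lies inside an RFC 1918 range."""
    if obj.version != 4:
        return False
    if isinstance(obj, ipaddress.IPv4Network):
        return any(obj.subnet_of(n) for n in RFC1918)
    return any(obj in n for n in RFC1918)

def check_form(nat, remote_address, remote_networks, remote_identifier=None):
    """Return a list of problems found in the values for the Create IPsec VPN form."""
    problems = []
    try:
        if in_rfc1918(ipaddress.ip_address(remote_address)):
            problems.append("Remote address is private; enter the public address")
    except ValueError:
        problems.append(f"Remote address {remote_address!r} is not an IP address")
    if nat:
        try:
            if not in_rfc1918(ipaddress.ip_address(remote_identifier or "")):
                problems.append("Remote identifier should be the device's private address")
        except ValueError:
            problems.append("NAT is active but Remote identifier is missing or invalid")
    nets = []
    for text in remote_networks:
        try:
            net = ipaddress.ip_network(text)  # strict: rejects host bits, e.g. 10.22.1.0/19
        except ValueError as exc:
            problems.append(f"Remote network {text!r}: {exc}")
            continue
        if not in_rfc1918(net):
            problems.append(f"Remote network {net} is not a private range")
        for other in nets:
            if net.version == other.version and net.overlaps(other):
                problems.append(f"Remote network {net} overlaps {other}")
        nets.append(net)
    return problems

# Constructed sample values (203.0.113.10 is a documentation address, not a real peer).
GOOD = check_form(True, "203.0.113.10", ["10.22.0.0/19"], "192.168.1.1")
BAD = check_form(True, "192.168.1.1", ["10.22.1.0/19", "10.22.0.0/19", "10.22.16.0/20"])
```
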

## Set Up Authentication

1. Authentication must be configured so that only authorised devices can establish the VPN tunnel. A pre-shared key (PSK) is used for authentication. Create a strong, unique key.
2. Enter the pre-shared key in the **Pre-installed key (PSK)** and **Repeat pre-shared key** fields.

![The Pre-shared Keys area is highlighted on the Create IPsec VPN page](/files/UAkSvLBbb3QmapfAzPMn)

{% hint style="info" %}
**Important:** The key you enter must match exactly the key you use in the VPN configuration on your local device (router or firewall).
{% endhint %}

## Configure Encryption and Lifetime

The encryption settings define which cryptographic algorithms and parameters are used for key exchange (phase 1) and for data traffic (phase 2). **These settings must match the settings of your local VPN device.**

1. Select a suitable group from the **Diffie-Hellman Group** drop-down menu (for example, 15).

{% hint style="info" %}
**Note:** The Diffie-Hellman group (DH group) determines the strength of the key exchange procedure in phase 1 (IKE phase 1). Higher numbers generally offer more security, but also require more computing power. Group 15 uses a 3072-bit modulus, which is a good standard.
{% endhint %}

2. Select the desired encryption standard from the **Encryption type** drop-down menu. **AES256** is the currently recommended standard and offers a high level of security.

![The AES256 Encryption Type is highlighted on the Create IPsec VPN page](/files/5yFiBae7xQ8EBkYRYaXm)

3. In the **Hash type** drop-down menu, select the algorithm for the integrity check (for example, **SHA256**). The hash type ensures that the data has not been manipulated during transmission. SHA256 is a safe choice for this.
4. In the **Lifetime 1 (s)** field, enter the desired duration for phase 1 (IKE phase 1) in seconds (for example, **86400**). This is the validity period of the first security key (IKE-SA). 86400 seconds corresponds to 24 hours.
5. Enter the desired duration for phase 2 (IKE phase 2) in seconds (for example, **3600**) in the **Lifetime 2 (s)** field. This is the validity period of the second, actual data traffic key (IPsec-SA).

## Create IPsec VPN

1. Finally, check the summary on the right-hand side of the window.
2. To set up the IPsec VPN connection, click on **Create**.

Once the connection has been created, you must enter the **exact parameters** (remote address, PSK, DH group, encryption type, hash type, and lifetimes) in the VPN configuration of your local firewall or router to establish the tunnel and change the status from "Down" to "Up".
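A mismatch in any of these parameters keeps the tunnel in the "Down" state. The check below is an added example, not IONOS code: it compares the Cloud Panel values with the local device's values after normalising spelling. The dictionary keys and the local-side spellings (`modp3072`, `aes-256`, `sha2-256`) are assumed, and lifetimes are assumed to be in seconds on both sides.

```python
import hmac

# IKE Diffie-Hellman group numbers and the names many devices use (RFC 3526, RFC 5903).
DH_NAMES = {"modp2048": 14, "modp3072": 15, "modp4096": 16,
            "ecp256": 19, "ecp384": 20, "ecp521": 21}

def norm_dh(value):
    """15, '15', 'group 15' and 'modp3072' all normalise to the integer 15."""
    text = str(value).lower().replace("group", "").strip()
    return DH_NAMES.get(text) or int(text)

def norm_alg(value):
    """'AES256', 'aes-256' -> 'aes256'; 'SHA256', 'sha2-256' -> 'sha256'."""
    text = str(value).lower().replace("-", "").replace("_", "")
    return text.replace("sha2256", "sha256")

def compare(panel, local):
    """Return the names of the parameters that differ between the two sides."""
    rules = {"dh_group": norm_dh, "encryption": norm_alg, "hash": norm_alg,
             "lifetime1": int, "lifetime2": int}
    diffs = [key for key, norm in rules.items() if norm(panel[key]) != norm(local[key])]
    # The PSK must match byte for byte; report the mismatch, never the key itself.
    if not hmac.compare_digest(panel["psk"].encode(), local["psk"].encode()):
        diffs.append("psk")
    return diffs

# Constructed sample values using the example settings from this page.
PANEL = {"dh_group": 15, "encryption": "AES256", "hash": "SHA256",
         "lifetime1": 86400, "lifetime2": 3600, "psk": "constructed-example-key"}
LOCAL_OK = {"dh_group": "modp3072", "encryption": "aes-256", "hash": "sha2-256",
            "lifetime1": "86400", "lifetime2": "3600", "psk": "constructed-example-key"}
# A weaker group, a different phase 2 lifetime and a PSK pasted with a trailing newline.
LOCAL_BAD = dict(LOCAL_OK, dh_group="modp2048", lifetime2=28800,
                 psk="constructed-example-key\n")

if __name__ == "__main__":
    print(compare(PANEL, LOCAL_OK))
    print(compare(PANEL, LOCAL_BAD))
```
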


