Establish an IPSec Tunnel between a VDC and an On-Prem
Last updated
Last updated
A VPN Gateway enables secure, encrypted communications between roaming users, on-premise networks, and cloud resources. This tutorial demonstrates how you can configure VPN Gateway in IONOS Cloud to create a site-to-site setup between an IONOS Cloud VDC and a simulated on-prem installation.
The primary goal of this tutorial is to configure a site-to-site VPN between IONOS Cloud and your on-premise setup by utilising a Managed VPN Gateway in the IONOS Cloud and a user-managed on-prem gateway.
This tutorial demonstrates the use of two VDCs:
de/txl as IONOS's VDC
gb/lhr simulates your on-prem setup.
Instead of two managed gateways per the VDC to VDC use case, this demonstration uses:
a single managed gateway in de/txl.
For user-managed gateway, we use an on-prem simulation, install the components and manually configure IPSec on a virtual server to complete the setup.
The following information is necessary to set up a connection between an IPSec VDC and an on-prem VDC:
Components
Left (de/txl)
Right (gb/lhr)
Gateway Public Address
212.132.124.163
194.164.123.149
LAN ID
1
2 (Not applicable in this use case)
LAN Subnet
10.10.1.0/24
10.10.2.0/24
Gateway LAN Address
10.10.1.5
10.10.2.10
Pre-Shared Key
Remember to use your key.
Example: vP7ypxAiVbmXv8mCwLMpYcsCCzZBwu/nbhxUImkb8ks=
Each VPN Gateway must be assigned a public IP address. Ensure you have an IPBlock with at least one free IP to assign to each gateway before proceeding.
Left (de/txl) Gateway Public Address
Right (gb/lhr) Gateway Public Address
212.132.124.163
194.164.123.149
This tutorial uses 10.10.1.0/24 and 10.10.2.0/24 for private LANs in the IONOS Cloud. Each gateway must be assigned an IP Address from the subnet. We will use .5 as the VPN Gateway is not DHCP aware. You should assign an IP address outside of the DHCP Pool ranging from .2 to .9.
Note: gb/lhr is a user-managed gateway and it uses its LAN host address of .10 instead. Hence the above statement does not apply to this data center.
Components
Left (de/txl)
Right (gb/lhr)
LAN ID
1
2 (But not applicable here)
LAN Subnet
10.10.1.0/24
10.10.2.0/24
Gateway LAN Address
10.10.1.5
10.10.2.10
Our current IPSec implementation supports PSK (expected to support certificates in the future). When provisioning gateways with DCD, ensure to generate a PSK that is at least 32 characters long. The following explain how to generate your own PSK:
Linux
openssl rand -base64 48
head -c 32 /dev/urandom | base64
Windows
[System.Convert]::ToBase64String((New-Object byte[] 32))| Set-Content -Path .\psk.txt -Encoding ASCII
The execution process is divided into the following steps:
Below are some screenshots from the DCD that contains the required VDCs.
Two virtual servers are provisioned on IONOS Cloud connected to each other via a private LAN. In this instance, LAN1 uses a custom subnet of 10.10.1.0/24.
We address these two servers as .10 and .11 respectively.
Imagine, the gb/lhr VDC as your site. Two virtual servers are provisioned, host 1 has been configured with internet access and will be the on-prem host acting as your managed gateway. We address these two servers as .10 and .11 respectively.
In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
Click Create VPN Gateway from the VPN Gateways window.
Enter the following details:
Components
Description
Example
Description
A descriptive text for the gateway. It is limited to 1024 characters.
IP Address
A drop-down list of available public IPv4 Addresses.
212.132.124.163
Location
A drop-down list of available locations for VPN Gateway.
de/txl
Name
A descriptive name for the gateway instance. This does not need to be globally unique, but is restricted to 255 characters.
site_to_site
The IPSec protocol is selected by default and no other configuration parameters are required.
Attach a VPN Gateway to LANs in IONOS Cloud. Note that it is only possible to connect to LANs present in the same location that the VPN Gateway was provisioned. Let us look at the parameters required:
Components
Description
Example
Datacenter
A drop-down that lists VDCs in the same location as the gatweway
de/txl
Connections
A list of connected LANs and the LAN addresses
See Below
Once a Datacenter has been selected, click Add LAN Connection to launch an additional pop-up window to set the following properties:
Components
Description
Example
LAN
The ID of the LAN to connect to
1
IPv4 CIDR
The LAN IPv4 address assigned to the gateway for this subnet in CIDR notation
10.10.1.5/24
IPv6 CIDR
The LAN IPv6 address assigned to the gateway for this subnet in CIDR Notation
Not applicable
Click Save and wait for the gateway to complete provisioning. This will typically take 10-15 minutes but further operations on the gateway will be instantaneous.
Now that the VPN Gateway instance is provisioned, next step is to configure a tunnel to permit the two sides to talk with each other. We will need to configure a tunnel on both gateways but the on-prem will be configured using IPSec configuration files.
Click Create Tunnels to begin configuring a new tunnel.
Enter the following details to configure a tunnel:
Components
Description
Example
Tunnel Name
Specify a name for the tunnel. It does not need to be globally unique and is limited to 255 characters.
customer_site
Description
More descriptive text for the peer, limited to 1024 characters
Not applicable
Remote Host
The Gateway Public IPv4 address of the remote VPN Gateway
194.164.123.149
Set the PSK as shown:
Components
Description
Example
Pre-Shared Key
A strong key with a minimum of 32 characters.
vP7ypxAiVbmXv8mCwLMpYcsCCzZBwu/nbhxUImkb8ks=
Note: Typically, both sites will have the same exchange settings. If, however, the configuration differs on both sides, the two gateways will negotiate to agree on the most secure settings.
Here you can set the various encryption and integrity algorithms, Diffie-Hellman Group and lifetimes for the IKE exchange phase. The available options here are aligned with BSI best practices, for the purposes of the demonstration. However, we will accept the default selections.
Components
Description
Example
Diffe-Hellman
The Diffie-Hellman (DH) key exchange algorithm is a method used to make a shared encryption key available to two entities without an exchange of the key. The encryption key for the two devices is used as a symmetric key for encrypting data. Only the two parties involved in the DH key exchange can deduce the shared key, and the key is never sent over the wire.
15-MODP3072
Encryption Algorithm
Encryption algorithms protect the data so it cannot be read by a third-party while in transit.
AES128-CTR
Integrity Algorithm
Integrity algorithms provide authentication of messages and randomness, ensuring that packets are authentic and were not altered by a third party before arriving, and also for constructing keying material for encryption.
SHA256
Lifetime
The length of time (in seconds) that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be re-keyed; otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA re-key.
86400
Note: Typically, both sites will have the same ESP settings. If, however, the configuration differs on both sides, the two gateways will negotiate to agree on the most secure settings.
Here you can set the various encryption and integrity algorithms, Diffie-Hellman Group and lifetimes for the ESP phase. The available options here are aligned with BSI best practices, for the purposes of the demonstration. However, we will accept the default selections.
Components
Description
Example
Diffe-Hellman
The Diffie-Hellman (DH) key exchange algorithm is a method used to make a shared encryption key available to two entities without an exchange of the key. The encryption key for the two devices is used as a symmetric key for encrypting data. Only the two parties involved in the DH key exchange can deduce the shared key, and the key is never sent over the wire.
15-MODP3072
Encryption Algorithm
Encryption algorithms protect the data so it cannot be read by a third-party while in transit.
AES128-CTR
Integrity Algorithm
Integrity algorithms provide authentication of messages and randomness, ensuring that packets are authentic and were not altered by a third party before arriving, and also for constructing keying material for encryption.
SHA256
Lifetime
The ESP SA determines how long the keys generated during the IKE negotiation are valid for encrypting and authenticating the actual data packets being transmitted.
3600
Configure the appropriate subnets in CIDR format that are permitted to connect to the tunnel.
Components
Description
Example
Cloud Network CIDRs
Network addresses on the cloud side that are permitted to connect to the tunnel
10.10.1.0/24
Peer Network CIDRs
Network addresses on the cloud side that are permitted to connect to the tunnel
10.10.2.0/24
Click Save to save the tunnel configuration. This operation should typically be completed within a minute or two.
In this tutorial, Host 1 in gb/lhr acts as user-managed gateway. The host has internet access and thus SSH can be used instead of the web console. Start by establishing an SSH connection to the public IPv4 address of host 1 in London.
Currently, it is impossible to automate the addition of routes to LAN hosts to route the required subnets over the VPN Gateway. In this section, we will manually add the required routes. Remember to add them to the LAN hosts in both VDCs.
Note: In the above example, we added routes that will not persist during a reboot. You must determine how to set persistent routes for their choice of operating system.
de/txl RouteYou should now be able to ping hosts in the simulated on-prem setup in gb/ldn from cloud hosts in de/txl and vice-versa.
You have successfully configured a site-to-site VPN between the IONOS Cloud and your on-premise setup by utilising a Managed VPN Gateway in the cloud and a user-managed on-prem gateway.
