# Create IPSec Tunnel or a WireGuard Peer

After creating a VPN Gateway, you can create a Tunnel or a Peer based on your chosen VPN Gateway protocol.

To create tunnels or peers, follow these steps:

1\. In the **DCD**, go to **Menu** > **Network Services** > **VPN Gateway**.

2\. On the **VPN Gateways** page, click **Create Tunnels** or **Create Peers** based on the chosen VPN Gateway protocol.

![Create Tunnels](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-68ec560f025cc9220a96e601fd4ce7616986d5e6%2Fcreate-tunnels.png?alt=media) ![Create Peers](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-deca5786b6d8ba2059cd83b1bad4ae23079dacd4%2Fcreate-peers.png?alt=media)

3\. Enter the following details:

{% tabs %}
{% tab title="Tunnels" %}
Enter the following details on the **Create IPSec Tunnel** page:

### Properties

* **Tunnel name:** Enter a tunnel name.
* **Description:** *(Optional)*. Enter a description.
* **Remote host:** Enter a valid public IPv4 address or a Fully Qualified Domain Name (FQDN).

![Define Tunnel Properties](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-f31d24ef12b3223dc3d9ab132a9753281de1845f%2Fcreate-tunnel-properties.png?alt=media)

### Authentication

* **Pre-shared key (PSK):** Enter a valid key or click **Generate** to automatically generate a key.

### Initial Exchange (IKE\_SA\_INIT) Settings

Select an appropriate value from the drop-down list for the following:

| Settings                 | Values                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Diffie-Hellman Group** | <p><code>15-MODP3072</code><br><code>16-MODP4096</code><br><code>19-ECP256</code><br><code>20-ECP384</code><br><code>21-ECP521</code><br><code>28-ECP256BP</code><br><code>29-ECP384BP</code><br><code>30-ECP512BP</code></p>                                                               |
| **Encryption Algorithm** | <p><code>AES128-CTR</code><br><code>AES256-CTR</code><br><code>AES128-GCM-16</code><br><code>AES256-GCM-16</code><br><code>AES128-GCM-12</code><br><code>AES256-GCM-12</code><br><code>AES128-CCM-12</code><br><code>AES256-CCM-12</code><br><code>AES128</code><br><code>AES256</code></p> |
| **Integrity Algorithm**  | <p><code>SHA256</code><br><code>SHA384</code><br><code>SHA512</code><br><code>AES-XCBC</code></p> |
| **Lifetime**             | Specify a value starting from 3600 seconds to a maximum of 86400 seconds.                                                                                                                                                                                                                   |

For more information about determining the appropriate combination of encryption and hashing algorithms based on your need, see the [<mark style="color:blue;">FAQ</mark>](https://docs.ionos.com/sections-test/guides/network-services/faqs#how-can-i-determine-the-right-combination-of-encryption-and-hashing-algorithm-for-my-requirements).

### Child SA/IPSec SA Settings (ESP)

Select an appropriate value from the drop-down list for the following:

| Settings                 | Values                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Diffie-Hellman Group** | <p><code>15-MODP3072</code><br><code>16-MODP4096</code><br><code>19-ECP256</code><br><code>20-ECP384</code><br><code>21-ECP521</code><br><code>28-ECP256BP</code><br><code>29-ECP384BP</code><br><code>30-ECP512BP</code></p>                                                               |
| **Encryption Algorithm** | <p><code>AES128-CTR</code><br><code>AES256-CTR</code><br><code>AES128-GCM-16</code><br><code>AES256-GCM-16</code><br><code>AES128-GCM-12</code><br><code>AES256-GCM-12</code><br><code>AES128-CCM-12</code><br><code>AES256-CCM-12</code><br><code>AES128</code><br><code>AES256</code></p> |
| **Integrity Algorithm**  | <p><code>SHA256</code><br><code>SHA384</code><br><code>SHA512</code><br><code>AES-XCBC</code></p> |
| **Lifetime**             | Specify a value starting from 600 seconds to a maximum of 14400 seconds.                                                                                                                                                                                                                    |

For more information about the combination of encryption and hashing algorithms for your needs, see the [<mark style="color:blue;">FAQ</mark>](https://docs.ionos.com/sections-test/guides/network-services/faqs#how-can-i-determine-the-right-combination-of-encryption-and-hashing-algorithm-for-my-requirements).

![Define Tunnel Properties](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-28c721ef30c9f4cd9c20f9ec5acba5f207dc29b1%2Fcreate-tunnel-exchange.png?alt=media)

### Network CIDRs

Enter the following details:

* **Cloud Network CIDRs:** Specify up to 20 IPv4 or IPv6 network addresses, separated by commas, on IONOS Cloud that can connect to the tunnel.
* **Peer Network CIDRs:** Specify up to 20 IPv4 or IPv6 addresses, separated by commas, on the peer side that can connect to the tunnel.
  {% endtab %}

{% tab title="Peers" %}
Enter the following details on the **Create WireGuard peer** page:

### Properties

* **Peer Name:** Enter a peer name.
* **Description:** *(Optional)*. Enter a description.

### Endpoint Configuration (optional)

These optional details make the peer use the specified IP address to connect with its remote peer. If you do not specify an IP address, the peer connects via any available IP address.

* **Endpoint host:** Enter a public IPv4 address or an FQDN.
* **Endpoint port:** Enter a port number, or use the up and down arrows to choose one from the list. The port number is the UDP port on which a WireGuard interface listens for incoming encrypted VPN packets.

### Peers Configuration

Specify the following details to establish a secure connection.

* **Allowed IPs:** Specify up to 20 IPv4 or IPv6 network addresses, separated by commas, from which traffic must be allowed to reach the respective peer. If you do not specify any network addresses, traffic from all IP addresses is sent to the peer.
* **Public Key:** Specify a public key for secure transmission. The key is used to validate the sender and encrypt the data.

![Define Peer Properties](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-00c853f86177be7ed9821153e4aff6cf44f778ea%2Fcreate-peers-properties.png?alt=media)
{% endtab %}
{% endtabs %}

4\. Click **Save** to save the configuration.
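
The limits above can be checked before the values are typed into the form. The following pre-flight check is an added example, not IONOS code: the field names, function names and sample values are assumptions of this example, and rejecting CIDR entries with host bits set is its own choice, not documented DCD behaviour. It relies on the fact that a WireGuard public key is 32 bytes, base64-encoded.

```python
import base64
import binascii
import ipaddress

# Limits are the ones stated on this page; field names are this example's own.
LIFETIMES = {"ike_lifetime": range(3600, 86401), "esp_lifetime": range(600, 14401)}

def cidr_problems(field, text):
    entries = [p.strip() for p in text.split(",") if p.strip()]
    problems = [f"{field}: more than 20 entries"] if len(entries) > 20 else []
    for entry in entries:
        try:  # strict parsing: an entry with host bits set (10.0.1.5/24) is rejected
            ipaddress.ip_network(entry)
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    return problems

def check_tunnel(cfg):
    problems = []
    for field, allowed in LIFETIMES.items():
        if cfg[field] not in allowed:
            problems.append(f"{field}: outside {allowed.start}-{allowed.stop - 1} s")
    for field in ("cloud_cidrs", "peer_cidrs"):
        problems += cidr_problems(field, cfg[field])
    try:  # an IP literal must be public IPv4; any other string is treated as an FQDN
        ip = ipaddress.ip_address(cfg["remote_host"])
        if ip.version != 4 or not ip.is_global:
            problems.append("remote_host: not a public IPv4 address")
    except ValueError:
        pass
    return problems

def check_peer(cfg):
    problems = cidr_problems("allowed_ips", cfg.get("allowed_ips", ""))
    if not cfg.get("allowed_ips", "").strip():
        problems.append("allowed_ips: empty, so all traffic is sent to the peer")
    try:  # a WireGuard public key is 32 bytes, base64-encoded
        if len(base64.b64decode(cfg["public_key"], validate=True)) != 32:
            problems.append("public_key: does not decode to 32 bytes")
    except binascii.Error:
        problems.append("public_key: not valid base64")
    return problems

# Constructed sample inputs, not values from the page.
BAD_TUNNEL = {"remote_host": "192.168.1.1", "ike_lifetime": 1800, "esp_lifetime": 3600,
              "cloud_cidrs": "10.7.222.0/24", "peer_cidrs": "10.0.1.5/24"}
OPEN_PEER = {"public_key": base64.b64encode(bytes(range(32))).decode(), "allowed_ips": ""}
```

An empty list from `check_tunnel` or `check_peer` means the values fit the limits on this page; it does not say whether the chosen algorithm combination matches what the remote side proposes.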
