search
User GuidesDeveloper ReferenceSupportFAQLog in

ionoscloud_vpn_ipsec_tunnel

IPSec Gateway Tunnel

An IPSec Gateway Tunnel resource manages the creation, management, and deletion of VPN IPSec Gateway Tunnels within the IONOS Cloud infrastructure. This resource facilitates the creation of VPN IPSec Gateway Tunnels, enabling secure connections between your network resources.

hashtag
Usage example

# Basic example

resource "ionoscloud_datacenter" "test_datacenter" {
  name = "test_vpn_gateway_basic"
  location = "de/fra"
}

resource "ionoscloud_lan" "test_lan" {
  name = "test_lan_basic"
  public = false
  datacenter_id = ionoscloud_datacenter.test_datacenter.id
}

resource "ionoscloud_ipblock" "test_ipblock" {
  name = "test_ipblock_basic"
  location = "de/fra"
  size = 1
}

resource "ionoscloud_vpn_ipsec_gateway" "example" {
  name = "ipsec_gateway_basic"
  location = "de/fra"
  gateway_ip = ionoscloud_ipblock.test_ipblock.ips[0]
  version = "IKEv2"
  description = "This gateway connects site A to VDC X."

  connections {
    datacenter_id = ionoscloud_datacenter.test_datacenter.id
    lan_id = ionoscloud_lan.test_lan.id
    ipv4_cidr = "192.168.100.10/24"
  }
}

resource "ionoscloud_vpn_ipsec_tunnel" "example" {
    location = "de/fra"
    gateway_id = ionoscloud_vpn_ipsec_gateway.example.id
    
    name = "example-tunnel"
    remote_host = "vpn.mycompany.com"
    description = "Allows local subnet X to connect to virtual network Y."
    
    auth {
        method = "PSK"
        psk_key = "X2wosbaw74M8hQGbK3jCCaEusR6CCFRa"
    }
    
    ike {
        diffie_hellman_group = "16-MODP4096"
        encryption_algorithm = "AES256"
        integrity_algorithm = "SHA256"
        lifetime             = 86400
    }
    
    esp {
        diffie_hellman_group = "16-MODP4096"
        encryption_algorithm = "AES256"
        integrity_algorithm = "SHA256"
        lifetime             = 3600
    }
    
    cloud_network_cidrs = [
        "0.0.0.0/0"
    ]
    
    peer_network_cidrs = [
        "1.2.3.4/32"
    ]
}

hashtag
Argument reference

  • name - (Required)[string] The name of the IPSec Gateway Tunnel.

  • location - (Optional)[string] The location of the IPSec Gateway Tunnel. Supported locations: de/fra, de/fra/2, de/txl, es/vit, gb/lhr, us/ewr, us/las, us/mci, fr/par.

  • gateway_id - (Required)[string] The ID of the IPSec Gateway that the tunnel belongs to.

  • description - (Optional)[string] The human-readable description of your IPSec Gateway Tunnel.

  • remote_host - (Required)[string] The remote peer host fully qualified domain name or public IPV4 IP to connect to.

  • ike - (Required)[list] Settings for the initial security exchange phase. Minimum items: 1. Maximum items: 1.

    • diffie_hellman_group - (Optional)[string] The Diffie-Hellman Group to use for IPSec Encryption. Possible values: 15-MODP3072, 16-MODP4096, 19-ECP256, 20-ECP384, 21-ECP521, 28-ECP256BP, 29-ECP384BP, 30-ECP512BP. Default value: 16-MODP4096.

    • encryption_algorithm - (Optional)[string] The encryption algorithm to use for IPSec Encryption. Possible values: AES128, AES256, AES128-CTR, AES256-CTR, AES128-GCM-16, AES256-GCM-16, AES128-GCM-12, AES256-GCM-12, AES128-CCM-12, AES256-CCM-12. Default value: AES256.

    • integrity_algorithm - (Optional)[string] The integrity algorithm to use for IPSec Encryption. Possible values: SHA256, SHA384, SHA512, AES-XCBC. Default value: SHA256.

    • lifetime - (Optional)[string] The phase lifetime in seconds. Minimum value: 3600. Maximum value: 86400. Default value: 86400.

  • esp - (Required)[list] Settings for the IPSec SA (ESP) phase. Minimum items: 1. Maximum items: 1.

    • diffie_hellman_group - (Optional)[string] The Diffie-Hellman Group to use for IPSec Encryption. Possible values: 15-MODP3072, 16-MODP4096, 19-ECP256, 20-ECP384, 21-ECP521, 28-ECP256BP, 29-ECP384BP, 30-ECP512BP. Default value: 16-MODP4096.

    • encryption_algorithm - (Optional)[string] The encryption algorithm to use for IPSec Encryption. Possible values: AES128, AES256, AES128-CTR, AES256-CTR, AES128-GCM-16, AES256-GCM-16, AES128-GCM-12, AES256-GCM-12, AES128-CCM-12, AES256-CCM-12. Default value: AES256.

    • integrity_algorithm - (Optional)[string] The integrity algorithm to use for IPSec Encryption. Possible values: SHA256, SHA384, SHA512, AES-XCBC. Default value: SHA256.

    • lifetime - (Optional)[string] The phase lifetime in seconds. Minimum value: 3600. Maximum value: 86400. Default value: 86400.

  • auth - (Required)[string] Properties with all data needed to define IPSec Authentication. Minimum items: 1. Maximum items: 1.

    • method - (Optional)[string] The authentication method to use for IPSec Authentication. Possible values: PSK. Default value: PSK.

    • psk_key - (Optional)[string] The pre-shared key to use for IPSec Authentication. Note: Required if method is PSK.

  • cloud_network_cidrs - (Required)[list] The network CIDRs on the "Left" side that are allowed to connect to the IPSec tunnel, i.e. the CIDRs within your IONOS Cloud LAN. Specify "0.0.0.0/0" or "::/0" for all addresses. Minimum items: 1. Maximum items: 20.

  • peer_network_cidrs - (Required)[list] The network CIDRs on the "Right" side that are allowed to connect to the IPSec tunnel. Specify "0.0.0.0/0" or "::/0" for all addresses. Minimum items: 1. Maximum items: 20.

hashtag
Import

The resource can be imported using the location, gateway_id and tunnel_id, for example:

Previousionoscloud_vpn_ipsec_gatewayNextionoscloud_vpn_wireguard_gateway

Last updated