Creating VPN connections

Limitations

  • A virtual machine must have no floating IP addresses assigned to its private network interface. Otherwise, the VM traffic cannot be routed through a VPN tunnel.

Prerequisites

  • You have a virtual router created, as described in Managing virtual routers.
  • The virtual router connects the physical network with virtual networks that you want to be exposed.
  • Networks that will be connected via a VPN tunnel must have non-overlapping IP ranges.

To create a VPN connection

  1. On the VPN screen, click Create VPN.
  2. On the Configure IKE step, specify parameters for the IKE policy that will be used to establish a VPN connection. You can choose to use an existing IKE policy or create a new one. For the new IKE policy, do the following:

    1. Specify a custom name for the IKE policy.
    2. Specify the key lifetime, in seconds, that will define the rekeying interval. The IKE key lifetime must be greater than that of the IPsec key.
    3. Select the authentication algorithm that will be used to verify the data integrity and authenticity.
    4. Select the encryption algorithm that will be used to ensure that data is not viewable while in transit.
    5. Select the IKE version: 1 or 2. Version 1 has limitations; for example, it does not support multiple subnets.
    6. Select the Diffie-Hellman (DH) group that will be used to build the encryption key for the key exchange process. Higher group numbers are more secure but take longer to compute the key.
    7. Click Next.

  3. On the Configure IPsec step, specify parameters for the IPsec policy that will be used to encrypt the VPN traffic. You can choose to use an existing IPsec policy or create a new one. For the new IPsec policy, do the following:

    1. Specify a custom name for the IPsec policy.
    2. Specify the key lifetime, in seconds, that will define the rekeying interval. The IPsec key lifetime must not be greater than that of the IKE key.
    3. Select the authentication algorithm that will be used to verify the data integrity and authenticity.
    4. Select the encryption algorithm that will be used to ensure that data is not viewable while in transit.
    5. Select the Diffie-Hellman (DH) group that will be used to build the encryption key for the key exchange process. Higher group numbers are more secure but take longer to compute the key.
    6. Click Next.

  4. On the Create endpoint groups step, select a virtual router and specify local and remote subnets that will be connected by the VPN tunnel. You can choose to use existing local and remote endpoints, or create new ones. For the new endpoints, do the following:

    1. Specify a custom name for the local endpoint, and then select local subnets.
    2. Specify a custom name for the remote endpoint, and then add remote subnets in the CIDR format.
    3. Click Next.

  5. On the Configure VPN step, specify parameters to establish the VPN connection with a remote gateway:

    1. Specify a custom name for the VPN connection.
    2. Specify the public IPv4 address of the remote gateway, that is, the peer IP address.
    3. Generate the pre-shared key that will be used for peer authentication.
    4. If necessary, you can also configure additional settings by selecting Advanced settings and specifying the following parameters:

      • The peer ID for authentication and the mode for establishing a connection.
      • The Dead Peer Detection (DPD) policy, interval, and timeout, in seconds.
    5. Click Next.

  6. On the Summary step, review the configuration, and then click Create.

When the VPN connection is created, its status will change from "Pending creation" to "Down". The connection will become active once the VPN tunnel is configured by the other VPN party and the IKE authorization is successful.

The IKE and IPsec policies must match on both communicating parties. Otherwise, the VPN connection between them will not be established.
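The procedure above spreads its constraints across several steps (IKE lifetime greater than IPsec lifetime, non-overlapping subnets, remote subnets in CIDR format, no multiple subnets with IKE version 1, a public IPv4 peer address, a pre-shared key) and ends with the requirement that both parties' IKE and IPsec policies match. The following script is an added example, not part of this documentation or the product: it checks a planned connection against those rules before you click Create, and compares the policy parameters of two parties to list mismatching fields. The dictionary layout, the field names, and the "non-public IPv4 ranges" list are assumptions made for the example; the lifetime rule is implemented strictly (IKE greater than IPsec), as the IKE step states it.

```python
"""Pre-creation checks for the VPN connection rules described on this page.

Hypothetical helper (not part of the product). Field names such as
"lifetime", "dh_group" and "peer_ip" are assumptions made for this example.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Assumption: these IPv4 ranges are treated as non-public for the peer check.
# Documentation ranges (e.g. 203.0.113.0/24) are deliberately not listed so
# that constructed sample data can use them as a "public" address.
_NON_PUBLIC_V4 = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def _parse_subnets(subnets, label, problems):
    """Parse CIDR strings; strict=True rejects host bits (e.g. 10.0.0.5/24)."""
    parsed = []
    for cidr in subnets:
        try:
            parsed.append(ip_network(cidr, strict=True))
        except ValueError:
            problems.append(f"{label} subnet {cidr!r} is not a valid CIDR network")
    return parsed


def validate_vpn_config(cfg):
    """Return a list of rule violations; an empty list means the config passes."""
    problems = []
    ike, ipsec = cfg["ike"], cfg["ipsec"]

    # Rekeying: the IKE key lifetime must be greater than the IPsec key lifetime.
    if not ike["lifetime"] > ipsec["lifetime"]:
        problems.append(f"IKE key lifetime ({ike['lifetime']}s) must be greater "
                        f"than IPsec key lifetime ({ipsec['lifetime']}s)")

    local = _parse_subnets(cfg["local_subnets"], "local", problems)
    remote = _parse_subnets(cfg["remote_subnets"], "remote", problems)

    # Every network attached to the tunnel must have a distinct IP range.
    for a, b in combinations(local + remote, 2):
        if a.overlaps(b):
            problems.append(f"subnets {a} and {b} overlap")

    # IKE version 1 does not support multiple subnets.
    if ike["version"] == 1 and (len(cfg["local_subnets"]) > 1
                                or len(cfg["remote_subnets"]) > 1):
        problems.append("IKE version 1 does not support multiple subnets")

    # The remote gateway must be addressed by a public IPv4 address.
    try:
        peer = ip_address(cfg["peer_ip"])
        if peer.version != 4 or any(peer in net for net in _NON_PUBLIC_V4):
            problems.append(f"peer IP {cfg['peer_ip']} is not a public IPv4 address")
    except ValueError:
        problems.append(f"peer IP {cfg['peer_ip']!r} is not a valid IP address")

    if not cfg.get("psk"):
        problems.append("pre-shared key is missing")

    return problems


def policy_mismatches(side_a, side_b):
    """List IKE/IPsec fields whose values differ between the two VPN parties."""
    mismatches = []
    for policy in ("ike", "ipsec"):
        for field in sorted(set(side_a[policy]) | set(side_b[policy])):
            va, vb = side_a[policy].get(field), side_b[policy].get(field)
            if va != vb:
                mismatches.append(f"{policy}.{field}: {va!r} != {vb!r}")
    return mismatches


# Constructed sample data: one configuration that follows every rule on the
# page, and one that breaks six of them.
GOOD = {
    "ike": {"version": 2, "lifetime": 3600, "auth": "sha256",
            "encryption": "aes-256", "dh_group": 14},
    "ipsec": {"lifetime": 1800, "auth": "sha256",
              "encryption": "aes-256", "dh_group": 14},
    "local_subnets": ["10.10.0.0/24", "10.10.1.0/24"],
    "remote_subnets": ["192.168.50.0/24"],
    "peer_ip": "203.0.113.10",          # documentation address, constructed
    "psk": "constructed-example-psk",   # placeholder, not a real key
}
BAD = {
    "ike": {"version": 1, "lifetime": 1800, "auth": "sha256",
            "encryption": "aes-256", "dh_group": 14},
    "ipsec": {"lifetime": 3600, "auth": "sha256",
              "encryption": "aes-256", "dh_group": 14},
    "local_subnets": ["10.10.0.0/24", "10.10.1.0/24"],
    "remote_subnets": ["10.10.0.128/25", "172.16.0.5/24"],
    "peer_ip": "192.168.1.1",
    "psk": "",
}

if __name__ == "__main__":
    print("GOOD:", validate_vpn_config(GOOD) or "ok")
    for problem in validate_vpn_config(BAD):
        print("BAD:", problem)
```

Running the script prints no problems for GOOD and six for BAD: the inverted lifetimes, the remote subnet with host bits set, the overlap between 10.10.0.0/24 and 10.10.0.128/25, multiple subnets with IKE version 1, the private peer address, and the empty pre-shared key. Feeding the same validator both parties' proposed policies through policy_mismatches shows which field would cause the connection to stay "Down" after the other party configures its side.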