With Virtual Private Network (VPN) as a service, self-service users can extend virtual networks across public networks, such as the Internet. To connect two or more remote endpoints, VPNs use virtual connections tunneled through physical networks. To secure VPN communication, the traffic that flows between remote endpoints is encrypted. The VPN implementation uses the Internet Key Exchange (IKE) and IP Security (IPsec) protocols to establish secure VPN connections and is based on the strongSwan IPsec solution.
To better understand how a VPN works, consider the following example:
- In the cluster 1, the virtual machine VM1 is connected to the virtual network privnet1 (192.168.10.0/24) via the network interface with IP address 192.168.10.10. The network privnet1 is exposed to public networks via the router router1 with the external port 10.10.10.5.
- In the cluster 2, the virtual machine VM2 is connected to the virtual network privnet2 (192.168.20.0/24) via the network interface with IP address 192.168.20.20. The network privnet2 is exposed to public networks via the router router2 with the external port 10.10.10.4.
- The VPN tunnel is created between the routers router1 and router2 that serve as VPN gateways, thus allowing mutual connectivity between the networks privnet1 and privnet2.
- The virtual machines VM1 and VM2 are visible to each other at their private IP addresses. That is, VM1 can access VM2 at 192.168.20.20, and VM2 can access VM1 at 192.168.10.10.
For key exchange between communicating parties, two IKE versions are available: IKE version 1 (IKEv1) and IKE version 2 (IKEv2). IKEv2 is the latest version of the IKE protocol and it supports connecting multiple remote subnets.
In the example above:
- VPN1 uses the IKEv1 and connects the network network1 with the network3.
- VPN2 uses the IKEv2 and connects the network network2 with the two networks network4 and network5.