
Create a VPN Connection

Limitations

info

A virtual machine must have no Elastic IP addresses assigned to its private network interface. Otherwise, the virtual machine's traffic cannot be routed through a VPN tunnel.

Prerequisites

info
  • You have a virtual router created.
  • The virtual router connects the physical network with the virtual networks that you want to expose.
  • Networks that will be connected via a VPN tunnel must have non-overlapping IP ranges.

Create a VPN Connection

  1. On the "VPN" page, click "Add New".

  2. In the "Configure IKE" step, specify the parameters for the IKE policy that will be used to establish a VPN connection. You can choose to use an existing IKE policy or create a new one. For the new IKE policy, do the following:

    1. Specify a custom name for the IKE policy.

    2. Specify the key lifetime, in seconds, that will define the rekeying interval. The IKE key lifetime must be greater than that of the IPsec key.

    3. Select the authentication algorithm that will be used to verify data integrity and authenticity.

    4. Select the encryption algorithm that will be used to ensure that data is not viewable while in transit.

    5. Select IKE version 1 or 2. Version 1 has limitations; for example, it does not support multiple subnets.

    6. Select the Diffie-Hellman (DH) group that will be used to build the encryption key for the key exchange process. Higher group numbers are more secure but require more time to compute the key.

    7. Click "Save & Continue".

  3. In the "Configure IPsec" step, specify parameters for the IPsec policy that will be used to encrypt VPN traffic. You can choose to use an existing IPsec policy or create a new one. For the new IPsec policy, do the following:

    1. Specify a custom name for the IPsec policy.
    2. Specify the key lifetime, in seconds, that will define the rekeying interval. The IPsec key lifetime must not be greater than that of the IKE key.
    3. Select the authentication algorithm that will be used to verify data integrity and authenticity.
    4. Select the encryption algorithm that will be used to ensure that data is not viewable while in transit.
    5. Select the Diffie-Hellman (DH) group that will be used to build the encryption key for the key exchange process. Higher group numbers are more secure but require more time to compute the key.
    6. Click "Save & Continue".
    note
    • We support all authentication and encryption algorithms you see on the screen. Which ones you choose depends on your needs and on the balance between speed and security.

  4. In the "Create Endpoint Groups" step, select a virtual router and specify local and remote subnets that will be connected by the VPN tunnel. You can choose to use existing local and remote endpoints, or create new ones. For the new endpoints, do the following:

    1. Specify a custom name for the local endpoint, and then select local subnets.

    2. Specify a custom name for the remote endpoint, and then add remote subnets in the CIDR format.

    3. Click "Save & Continue".

  5. In the "Configure VPN" step, specify parameters to establish the VPN connection with a remote gateway:

    1. Specify a custom name for the VPN connection.

    2. Specify the public IPv4 address of the remote gateway, that is, the peer IP address.

    3. Generate the pre-shared key that will be used for the peer authentication.

    4. If necessary, you can also configure additional settings by selecting "Advanced Settings" and specifying the following parameters:

      • The peer ID for authentication and the mode for establishing a connection.
      • The Dead Peer Detection (DPD) policy, interval, and timeout, in seconds.
    5. Click "Create a VPN".

note
  • When the VPN connection is created, its status will change from "Pending creation" to "Down". The connection will become active once the VPN tunnel is configured by the other VPN party and IKE authorization is successful.

  • The IKE, IPsec, and pre-shared key configuration must match on both communicating parties. Otherwise, the VPN connection between them will not be established.
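
A pre-flight check of the constraints stated on this page (IKE lifetime greater than IPsec lifetime, non-overlapping subnets, the IKE version 1 subnet limit, and matching IKE, IPsec and pre-shared key settings on both peers), as an added example that is not part of the platform or its documentation. The dictionary field names, the sample values, and the assumption that the two sides' endpoint groups mirror each other are constructed for illustration.

```python
import hmac
import ipaddress

# Policy parameters compared between the two peers (field names are assumptions).
MATCH_KEYS = ("ike_version", "ike_auth", "ike_enc", "ike_dh",
              "ipsec_auth", "ipsec_enc", "ipsec_dh")


def nets(subnets):
    """Parse CIDR strings; strict parsing rejects host bits set (e.g. 10.0.0.5/24)."""
    return [ipaddress.ip_network(s) for s in subnets]


def check_side(name, cfg):
    """Problems with one side's own settings, per the constraints on this page."""
    problems = []
    if cfg["ike_lifetime"] <= cfg["ipsec_lifetime"]:
        problems.append(f"{name}: IKE lifetime must be greater than IPsec lifetime")
    local, remote = nets(cfg["local_subnets"]), nets(cfg["remote_subnets"])
    problems += [f"{name}: local {a} overlaps remote {b}"
                 for a in local for b in remote if a.overlaps(b)]
    if cfg["ike_version"] == 1 and (len(local) > 1 or len(remote) > 1):
        problems.append(f"{name}: IKE version 1 does not support multiple subnets")
    return problems


def check_pair(ours, theirs):
    """Compare both peers' planned settings; returns a list of problem strings."""
    problems = check_side("ours", ours) + check_side("theirs", theirs)
    problems += [f"mismatch: {k}" for k in MATCH_KEYS if ours[k] != theirs[k]]
    # Compare the pre-shared keys in constant time and never print them.
    if not hmac.compare_digest(ours["psk"].encode(), theirs["psk"].encode()):
        problems.append("mismatch: psk")
    # Assumption: each side's remote endpoint group mirrors the peer's local one.
    if (set(nets(ours["local_subnets"])) != set(nets(theirs["remote_subnets"]))
            or set(nets(ours["remote_subnets"])) != set(nets(theirs["local_subnets"]))):
        problems.append("mismatch: endpoint groups are not mirror images")
    return problems


# Constructed sample values, not taken from the platform.
OURS = {"ike_version": 2, "ike_auth": "sha256", "ike_enc": "aes-256", "ike_dh": 14,
        "ike_lifetime": 28800, "ipsec_auth": "sha256", "ipsec_enc": "aes-256",
        "ipsec_dh": 14, "ipsec_lifetime": 3600, "psk": "constructed-sample-key",
        "local_subnets": ["10.10.0.0/24"], "remote_subnets": ["192.168.50.0/24"]}
THEIRS = dict(OURS, local_subnets=OURS["remote_subnets"],
              remote_subnets=OURS["local_subnets"])
```

An empty list from `check_pair(OURS, THEIRS)` means none of the checked constraints is violated; each returned string names one setting to reconcile with the remote party before creating the connection.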