Creating a Self-Service IPsec (Site-to-Site) VPN Tunnel

Updated by Chris Little on Oct 26, 2021
Article Code: kb/73

Description

IPsec is a framework of open standards for ensuring private communications over public networks. It has become the most common network layer security control, typically used to create a VPN tunnel. The Lumen Cloud platform enables self-service support to configure Site-to-Site (Point-to-Point, Gateway-to-Gateway) IPsec VPN Tunnels. This model protects communications between two specific networks, such as an organization’s main office network and a branch office network, or two business partner’s networks. 

Audience

  • Lumen Cloud customers (system administrators) who wish to extend their network and/or infrastructure to the cloud platform

Prerequisites

  • Must have Account Administrator permissions on the platform.
  • Listing of the cloud network(s) you wish to connect to across your tunnel.
  • The make, model, and code version of the endpoint device you'll be terminating to.
  • Static IP of the peering interface on your device.
  • The network blocks you wish to have be reached on your end of the tunnel -- these must be private IP blocks (RFC-1918).
  • You must have resources (server and a network) provisioned for the account and the Cloud data center you wish to connect to.

Detailed Steps

  • Note: When making an update to an existing tunnel, a renegotiation may occur depending on what is updated. Making any changes to the Phase1 or Phase2 values will reset the tunnel. Changes to the tunnel encrypted subnets on either side will only affect those subnets modified.

    1. Log on to the Control Portal. Using the left side navigation bar, click Network > VPN.

    2. Select the create point to point VPN button.

    3. Select the appropriate Cloud Data Center for the VPN Tunnel.

    4. Select the the network blocks you want reachable under your account. It is permissible to supply tunnel access to specific servers or small subnets within your cloud networks.

    5. Input 'Your Site' Information:

      • Site Name (ex. Montreal Office)
      • Device Type (ex. Cisco ASA5520 v8.3)
      • VPN Peer IPv4 Address:  Static IP of the peering interface on your device
      • Tunnel Encrypted Subnets:  The network blocks you wish to have be reached on your end of the tunnel -- these must be private IP blocks (RFC-1918). Please note that the 172.17.1.0/24 network is in use by CLC for management purposes and should not be used as a remote network. If your remote networks conflict with the CLC customer network blocks in use for the specified datacenter then your VPN becomes a Non-standard configuration that will require NAT. You can email help@ctl.io for a list of CLC customer network blocks for a specified datacenter.

    6. Input the Phase 1 (IKE) information

      • Protocol Mode (Main or Aggressive). We recommend 'Main' mode.
      • Encryption Algorithm (AES-128; AES-192; AES-256; 3DES). We recommend AES-128 or better.
      • Hashing Algorithm (SHA1 96; SHA1 256; MD5). We recommend SHA1 for most customers.
      • Pre-Shared Key:  The pre-shared key is a shared secret that secures the VPN tunnel. This value must be identical on both ends of the connection.
      • Diffie-Helman Group (Group 1; Group 2; Group 5). If using AES with a cipher strength greater than 128-bit, or SHA2 for hashing, we recommend Group 5, otherwise Group 2 is sufficient.
      • Lifetime Value (1 hour; 8 hours; 24 hours). Lifetime is set to 8 hrs for IKE - This is not required to match, as the negotiation will choose the shortest value supplied by either peer.
      • DPD State (Dead-peer detection):  Specify if you wish this enabled or disabled - check your device defaults - for example Cisco ASA defaults to "on" while Netscreen/Juniper SSG or Juniper SRX default to "off"). Our default is "off".
      • NAT-T State:   Allows connections to VPN end-points behind a NAT device. Defaults to 'off' - if you require NAT-T, you also need to provide the private IP address that your VPN endpoint will use to identify itself.
      • Remote Identity:  The Private IP Address that your VPN endpoint will use to identify itself. Required only when NAT-T state is on. 

    7. Input the Phase 2 (IPSEC) information and select Finish to complete the tunnel configuration.

      • IPSEC Protocol (ESP or AH). ESP is preferred.
      • Encryption Algorithm (AES-128; AES-192; AES-256; 3DES). We recommend AES-128 or better.
      • Hashing Algorithm (SHA1 96; MD5). We recommend SHA1 for most customers.
      • PFS Enabled:  We suggest enabled, using Group 2, though Group 5 is recommended with SHA2 hasing or AES-192 or AES-256.
      • Lifetime Value (1 hour; 8 hours; 24 hours). Lifetime is set to 1 Hour (and unlimited KB). This setting is not required to match, as the negotiation process will choose the shortest value supplied by either peer.

    Standard Troubleshooting

    Our configuration will be established based on the parameters in the Control Portal self-service interface. If you need to open a ticket reporting trouble establishing a tunnel, please also start a continuous ping with traffic interesting to the VPN configuration. We can validate our configuration and supply any relevant log messages indicating the source of the problem.

    It remains up to you, the customer, to correct your own configuration, submit new configurations with changed settings, or seek troubleshooting assistance with your own resources (for example using your equipment manufacturer's maintenance contract). Unfortunately due to the variety of devices and technologies, we cannot be responsible for the end-to-end VPN configuration

    Non-standard configurations

    If you require any additional assistance beyond the options available in self-service, that would fall into the "non-standard" configuration category.

    We define non-standard configurations as anything deviating from the above process, or utilizing configuration options specifically listed as out-of-scope. These configurations need to be addressed as a Service Task engagement, which is a fee-based deployment performed manually on the applicable data center firewall (depending on the data center you wish to connect). Once the task is engaged as a Service Task, we will send you a standard form which we require to be filled out and sent back on the request ticket. This information will define the Site-to-Site VPN specifications we'll use to build and deploy the configuration. Contact your account manager with any questions, or send mail to help@ctl.io and we will advise further.

    Common reasons for non-standard VPN tunnels include:

    • IKEv2 VPNs
    • Requesting an engineer to perform a live turn-up with you on a conference call
    • Requesting Lumen Cloud complete your organization's VPN information, or provide network documentation beyond what is included in this article.
    • Any requirement for an engineer to attend a live meeting or telephone call.
    • NAT requirement (generally this is a requirement when the cloud servers need to be presented as a public IP address via the tunnel) - please note this is only for NAT on the encrypted network addresses. We fully support NAT-Traversal (NAT between gateways) with our standard configuration.
      • Regarding the addresses used for NAT presentation - if you require less than 5 total addresses, we can assign /32 mappings from our public space for the data center-side. If you require a larger block of addresses, you (the customer) will need to supply the public IP address space to be used to present your data center resources.
    • Using the VPN as a fail-over for direct-connect customers (ex. you want to back-up your MPLS WAN with a VPN tunnel)
    • Redundant VPN - Verified with SonicWall using Dead Peer Detection - Note that some customer endpoints will not support redundancy, we will work with you on a case by case basis to determine compatiblity
    • Certificate-based authentication
    • Non-IP Address IKE identity (such as used with a dynamic remote peer IP address, or hostname-based identity strings)
    • User requires assistance with their device (no technical expertise in-house) - we can provide one-time configuration assistance for most enterprise-class VPN endpoints:
      • Cisco PIX / ASA
      • Cisco IOS-based
      • Netscreen / Juniper SSG
      • Juniper SRX
      • Sonicwall
      • ... and many others. For most firewall-type devices, configuration assistance can be provided. We can generally find an engineer with relevant experience within our staff.