Site-to-site VPN setting

[Update: June 22, 2017]

This page explains the site-to-site VPN function (site-to-site IPsec VPN function) of the VPC router.

1. Overview of the site-to-site VPN function

The site-to-site VPN function establishes a VPN connection between a VPC router created on SAKURA Cloud and a device in another network that supports site-to-site VPN connections.

The two networks are joined over the Internet by a virtual leased line encrypted with IPsec VPN, so the network built within SAKURA Cloud can be used seamlessly as an extension of the existing network. This makes it easy to build a virtual private cloud environment on an IaaS foundation that allows flexible and immediate construction of servers and networks.

VPC router specifications

The specifications of the site-to-site VPN function of the VPC router are as follows. You can use the site-to-site VPN function by using equipment that supports the specifications on the opposite endpoint.

Authentication method                       Pre-Shared Key (*1)
Encryption algorithm                        AES128
Cipher mode                                 CBC
Hash algorithm                              SHA1
Message authentication code                 HMAC
PFS (Perfect Forward Secrecy)               Enabled
DH (Diffie-Hellman) group                   MODP1024 (Group 2)
ISAKMP SA lifetime                          28,800 seconds
IPsec SA lifetime                           1,800 seconds
Exchange mode                               Main mode (aggressive mode is not supported)
IKE phase 1 ID                              Global IP address of the VPC router
IKE phase 2 ID                              TYPE 1 (ID_IPV4_ADDR)
Vendor ID                                   Not accepted / not sent
IKE keep-alive (DPD)                        Enabled (interval 15 seconds / timeout 30 seconds)
Prefix length (opposing endpoint / local)   /8 to /32

*1 The key may contain upper-case and lower-case letters, digits, and the underscore (_), and must be 1 to 40 characters long.

Operation confirmed appliances

The appliances with which we have confirmed that a site-to-site VPN connection to a VPC router can be established are as follows.

  • YAMAHA RTX series (*1)
  • Juniper NetScreen/SSG series
  • Vyatta / VyOS
  • Cisco ISR series (*2)
  • Fortinet Fortigate series (*3)

*1: The models whose operation we have confirmed are the RTX 1200 and RTX 1210.
*2: The model whose operation we have confirmed is the Cisco891F.
*3: The model whose operation we have confirmed is the Fortigate-60C (FortiOS4 series).

2. Example of settings

Configuration examples for a VPC router and for 3 types of appliances whose operation we have confirmed are provided here.

These are general configuration examples that use only the basic functions. For detailed configuration procedures, please contact the manufacturer of each appliance (we do not provide support for equipment outside the SAKURA Cloud network). Future connectivity with a VPC router is also not guaranteed, for example if a vendor changes its specifications.

Network configuration example

The network configuration assumes the following.

Configuration diagram

Network information

                       VPC router side         Opposing endpoint appliance side
Global IP address      203.0.113.180 (*1)      198.51.100.124 (/27)
IPsec ID               203.0.113.180 (*2)      198.51.100.124 (*3)
Default gateway                                198.51.100.97
Private IP address     172.16.0.0/16           10.0.0.0/24
Pre-Shared Secret      test12345               test12345

*1 For the standard plan, the IP address assigned to the global interface is used, and for the premium plan, the virtual IP address set for the global interface is used.
*2 The IPsec ID is the same value as the global IP address.
*3 For the YAMAHA RTX series, specify the IP address set on the private interface (e.g. 10.0.0.1).

Setting a VPC router

From the settings screen of the VPC router you want to configure, select the [Site-to-Site VPN] tab. A list of the configured site-to-site VPN settings appears. Click the [Add] button to add a new one.

The site-to-site VPN settings screen will appear. Enter the information in each setting item.

Opposing endpoint IP address   Enter the IP address of the VPN-connected appliance.
Opposing endpoint ID           Enter the ID of the VPN-connected appliance.
Pre-Shared Secret              Enter the character string to use as the Pre-Shared Key.
Opposing endpoint Prefix       Enter the address block of the VPN-connected network.
Local Prefix                   Enter the address block of the network under the VPC router.

*All items are required.

Multiple IP address blocks can be entered in the [Opposing Endpoint Prefix] and [Local Prefix] sections (up to 4 each).
After entering one IP address block, press the enter key or the right arrow key to add it to the list. You can delete it from the list by clicking the “x” icon on the right of each IP address.

Click the [Apply] button.

When the setting is completed, it is added to the list. The created entries can be edited with the pencil icon on the right of the list and deleted with the delete icon.

Note

When you add, change, or delete any site-to-site VPN settings, you need to click the [Apply] button to update the settings to the VPC router side. (Even if the VPC router is in the active state, the setting is updated by clicking the [Apply] button without turning it off.)
Also, clicking the [Apply] button does not affect the existing site-to-site VPN connection (does not cause disconnection, etc.).
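As an added example (not part of the original page or of the SAKURA Cloud control panel), the following Python script pre-checks site-to-site VPN entries against the constraints this page documents before they are typed into the settings screen: the pre-shared key character set and length (*1 of the specification table), the /8 to /32 prefix length, the limit of 4 address blocks per prefix field, IPv4 addresses for the opposing endpoint IP and ID, and the rule from section 4 that 0.0.0.0/0 may be the opposing prefix on only one site. The field names (peer_ip, peer_id, psk, remote_prefixes, local_prefixes) are the example's own.

```python
import ipaddress
import re

# Constraints taken from the VPC router specification and settings screen on this page.
PSK_RE = re.compile(r"^[A-Za-z0-9_]{1,40}$")  # letters, digits, underscore; 1 to 40 chars
MIN_PREFIX_LEN, MAX_PREFIX_LEN = 8, 32       # prefix length /8 to /32
MAX_PREFIXES = 4                             # up to 4 address blocks per prefix field
CLOSED_CONNECTION = "0.0.0.0/0"              # section 4: opposing prefix on one site only


def check_psk(psk):
    """Return a list of problems with the pre-shared secret (empty if acceptable)."""
    if PSK_RE.match(psk):
        return []
    return ["Pre-Shared Secret must be 1 to 40 characters of A-Z, a-z, 0-9 or _"]


def check_prefixes(label, prefixes):
    """Validate one prefix field ([Opposing endpoint Prefix] or [Local Prefix])."""
    problems = []
    if not prefixes:
        problems.append(f"{label}: at least one address block is required")
    if len(prefixes) > MAX_PREFIXES:
        problems.append(f"{label}: at most {MAX_PREFIXES} address blocks are allowed")
    for p in prefixes:
        try:
            # strict=True rejects host addresses such as 10.0.0.1/24 (assumption of this
            # example: the field takes network blocks, as the page's own examples do).
            net = ipaddress.IPv4Network(p, strict=True)
        except ValueError:
            problems.append(f"{label}: {p!r} is not a valid IPv4 address block")
            continue
        if p != CLOSED_CONNECTION and not MIN_PREFIX_LEN <= net.prefixlen <= MAX_PREFIX_LEN:
            problems.append(f"{label}: {p} prefix length must be /8 to /32")
    return problems


def check_site(site):
    """Validate one site entry; the dict keys mirror the settings screen fields."""
    problems = []
    for field in ("peer_ip", "peer_id"):
        try:
            ipaddress.IPv4Address(site.get(field, ""))
        except ValueError:
            problems.append(f"{field} must be an IPv4 address (ID type ID_IPV4_ADDR)")
    problems += check_psk(site.get("psk", ""))
    problems += check_prefixes("Opposing endpoint Prefix", site.get("remote_prefixes", []))
    problems += check_prefixes("Local Prefix", site.get("local_prefixes", []))
    return problems


def check_sites(sites):
    """Validate every site plus the cross-site rule that 0.0.0.0/0 is used at most once."""
    problems = {i: check_site(s) for i, s in enumerate(sites)}
    closed = [i for i, s in enumerate(sites)
              if CLOSED_CONNECTION in s.get("remote_prefixes", [])]
    if len(closed) > 1:
        for i in closed:
            problems[i].append("0.0.0.0/0 may be set as the opposing prefix on only one site")
    return problems
```

Calling check_sites with the values from the network information table above (peer 198.51.100.124, key test12345, opposing prefix 10.0.0.0/24, local prefix 172.16.0.0/16) returns {0: []}, i.e. no problems.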

Setting on the appliance side

Vyatta/VyOS

  1. Set the IP address and default gateway. (It is assumed that the global interface name is eth0 and the private interface name is eth1.)
interfaces {
    ethernet eth0 {
        address 198.51.100.124/27
    }
    ethernet eth1 {
        address 10.0.0.1/24
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 198.51.100.97 {
            }
        }
    }
}

The set commands are as follows.

set interfaces ethernet eth0 address 198.51.100.124/27
set interfaces ethernet eth1 address 10.0.0.1/24
set protocols static route 0.0.0.0/0 next-hop 198.51.100.97
  2. Set the site-to-site VPN.
vpn {
    ipsec {
        esp-group ESP {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE {
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 203.0.113.180 {
                authentication {
                    id 198.51.100.124
                    mode pre-shared-secret
                    pre-shared-secret test12345
                    remote-id 203.0.113.180
                }
                connection-type initiate
                default-esp-group ESP
                ike-group IKE
                local-address 198.51.100.124
                tunnel 1 {
                    local {
                        prefix 10.0.0.0/24
                    }
                    remote {
                        prefix 172.16.0.0/16
                    }
                }
            }
        }
    }
}

The set commands are as follows.

set vpn ipsec esp-group ESP compression disable
set vpn ipsec esp-group ESP lifetime 1800
set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP pfs enable
set vpn ipsec esp-group ESP proposal 1 encryption aes128
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ike-group IKE dead-peer-detection action restart
set vpn ipsec ike-group IKE dead-peer-detection interval 15
set vpn ipsec ike-group IKE dead-peer-detection timeout 30
set vpn ipsec ike-group IKE lifetime 28800
set vpn ipsec ike-group IKE proposal 1 encryption aes128
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 203.0.113.180 authentication id 198.51.100.124
set vpn ipsec site-to-site peer 203.0.113.180 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.180 authentication pre-shared-secret test12345
set vpn ipsec site-to-site peer 203.0.113.180 authentication remote-id 203.0.113.180
set vpn ipsec site-to-site peer 203.0.113.180 connection-type initiate
set vpn ipsec site-to-site peer 203.0.113.180 default-esp-group ESP
set vpn ipsec site-to-site peer 203.0.113.180 ike-group IKE
set vpn ipsec site-to-site peer 203.0.113.180 local-address 198.51.100.124
set vpn ipsec site-to-site peer 203.0.113.180 tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 203.0.113.180 tunnel 1 remote prefix 172.16.0.0/16
  3. Configure settings to exclude communications destined for the VPN from NAT processing (when NAT is used).
nat {
    source {
        rule 10 {
            destination {
                address 172.16.0.0/16
            }
            exclude
            outbound-interface eth0
        }
        rule 999 {
            outbound-interface eth0
            translation {
                address masquerade
            }
        }
    }
}

The set commands are as follows.

set nat source rule 10 destination address 172.16.0.0/16
set nat source rule 10 exclude
set nat source rule 10 outbound-interface eth0
set nat source rule 999 outbound-interface eth0
set nat source rule 999 translation address masquerade
  4. Confirm that the VPN connection is established.
vyatta@vc66:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.180                           198.51.100.124

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     126.4K/126.4K  aes128   sha1  no     1044    1800    all
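As an added example that is not part of the original page, the following Python script parses output in the format of `show vpn ipsec sa` shown above and checks that the tunnel to the VPC router is up with the parameters from the specification table (aes128, sha1, 1,800-second IPsec SA lifetime), which is what a monitoring check on the appliance would need. The sample output is constructed for this example and the function names are the example's own.

```python
import re

# Expected parameters from the VPC router specification table on this page.
EXPECTED = {"encrypt": "aes128", "hash": "sha1", "l_time": "1800"}

# Constructed sample modelled on the `show vpn ipsec sa` output shown on this page.
SAMPLE_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.180                           198.51.100.124

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     126.4K/126.4K  aes128   sha1  no     1044    1800    all
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"^({IPV4})\s+({IPV4})\s*$")  # "peer-ip   local-ip" row
TUNNEL_FIELDS = ("tunnel", "state", "bytes", "encrypt", "hash",
                 "nat_t", "a_time", "l_time", "proto")
TUNNEL_RE = re.compile(r"^\s+(\d+)" + r"\s+(\S+)" * 8 + r"\s*$")  # one tunnel row


def parse_ipsec_sa(text):
    """Return {peer_ip: [tunnel rows as dicts]} parsed from `show vpn ipsec sa` output."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, [])
            continue
        m = TUNNEL_RE.match(line)
        if m and current is not None:
            peers[current].append(dict(zip(TUNNEL_FIELDS, m.groups())))
    return peers


def check_tunnel(tunnel, expected=EXPECTED):
    """Problems with one tunnel row: it must be up and use the expected parameters."""
    problems = []
    if tunnel["state"] != "up":
        problems.append(f"tunnel {tunnel['tunnel']} is {tunnel['state']}")
    for key, want in expected.items():
        if tunnel[key] != want:
            problems.append(f"tunnel {tunnel['tunnel']} {key} is {tunnel[key]}, expected {want}")
    return problems


def verify(text, peer, expected=EXPECTED):
    """All problems for one peer; an empty list means the VPN is up as specified."""
    tunnels = parse_ipsec_sa(text).get(peer)
    if not tunnels:
        return [f"no IPsec SA present for peer {peer}"]
    return [p for t in tunnels for p in check_tunnel(t, expected)]


if __name__ == "__main__":
    print(verify(SAMPLE_OUTPUT, "203.0.113.180"))  # []
```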

YAMAHA RTX series

Hint

Configuration examples for the RTX830 and RTX1210 are available on Yamaha’s official website. Please refer to them when using the RTX830 or RTX1210.

  1. Set the IP address and default gateway. (It is assumed that the private interface name is lan1 and the global interface name is lan2.)
ip lan1 address 10.0.0.1/24
ip lan2 address 198.51.100.124/27
ip route default gateway 198.51.100.97
  2. Set the site-to-site VPN.
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike always-on 1 on
  ipsec ike encryption 1 aes-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike keepalive use 1 on dpd 15 2
  ipsec ike local address 1 198.51.100.124
  ipsec ike local id 1 198.51.100.124
  ipsec ike pfs 1 on
  ipsec ike pre-shared-key 1 text test12345
  ipsec ike remote address 1 203.0.113.180
  ipsec ike remote id 1 203.0.113.180
  ipsec auto refresh 1 on
 ip tunnel mtu 1280
 ip tunnel tcp mss limit auto
 tunnel enable 1

ip route 172.16.0.0/16 gateway tunnel 1

nat descriptor masquerade static 1000 1 198.51.100.124 udp 500
nat descriptor masquerade static 1000 2 198.51.100.124 esp

*Cautions

The addresses given by ipsec ike local address and ipsec ike local id must match the IP address used in the nat descriptor masquerade static entries that pass UDP port 500 and ESP.

If the private IP address is used in those entries instead, as follows:

nat descriptor masquerade static 1000 1 10.0.0.1 udp 500
nat descriptor masquerade static 1000 2 10.0.0.1 esp

Change the ipsec ike local address and the IP address specified by ipsec ike local id to 10.0.0.1.

ipsec ike local address 1 10.0.0.1
ipsec ike local id 1 10.0.0.1

Change the opposing endpoint ID of the site-to-site VPN setting of the VPC router to 10.0.0.1 on the cloud control panel.

  3. Confirm that the VPN connection is established.
# show ipsec sa gateway 1

1   U     1 10.0.0.1       203.0.113.180    i:2 s:1 r:1

sa   sgw connection   dir  life[s] remote-id
--------------------------------------------------------------------------
6    1   isakmp       -    28571   203.0.113.180
8    1   isakmp       -    28743   203.0.113.180
10   1   tun[001]esp  send 1744    203.0.113.180
11   1   tun[001]esp  recv 1744    203.0.113.180

Juniper SRX series/Firefly

  1. Set the IP address and default gateway. (It is assumed that the global interface name is ge-0/0/0 and the private interface name is ge-0/0/1.)
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.124/27;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 198.51.100.97;
    }
}
  2. Set the site-to-site VPN.
security {
    ike {
        proposal ike-proposal {
            authentication-method pre-shared-keys;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-policy {
            mode main;
            proposals ike-proposal;
            pre-shared-key ascii-text test12345;
        }
        gateway ike-gateway {
            ike-policy ike-policy;
            address 203.0.113.180;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-proposal;
        }
        vpn ipsec-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gateway;
                proxy-identity {
                    local 10.0.0.0/24;
                    remote 172.16.0.0/16;
                }
                ipsec-policy ipsec-policy;
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 172.16.0.0/16 next-hop st0.0;
    }
}
  3. Set the security zones and policies.
security {
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy trust-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
  4. Confirm that the VPN connection is established.
root@firefly> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1323201 UP     37c7189f604XXXXX  b2319ba9f19XXXXX  Main           203.0.113.180

root@firefly> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  131073 ESP:aes-cbc-128/sha1 ce9d6928 199/ unlim - root 500 203.0.113.180
  131073 ESP:aes-cbc-128/sha1 c7cd96a1 1176/ unlim - root 500 203.0.113.180

Cisco ISR series

  1. Set the IP address and default gateway. (It is assumed that the global interface name is GigabitEthernet8 and the private interface name is Vlan1.)
interface GigabitEthernet8
 ip address 198.51.100.124 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
 crypto map map-ipsec
exit

interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
exit
  2. Set the site-to-site VPN.
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
exit

crypto isakmp key test12345 address 203.0.113.180
crypto isakmp keepalive 30 periodic

crypto ipsec security-association lifetime seconds 1800

crypto ipsec transform-set ipsec esp-aes esp-sha-hmac
 mode tunnel

crypto map map-ipsec 1 ipsec-isakmp
 set peer 203.0.113.180
 set transform-set ipsec
 match address 101
exit

access-list 101 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
  3. Confirm that the VPN connection is established.
#ping 172.16.0.1 source 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Fortinet Fortigate series (FortiOS4 series)

  1. Log in to the Fortigate’s Web-UI, click VPN and then Automatic Key (IKE), and click [Create Phase 1] on the upper right.

    • Enter an arbitrary name.
    • Enter the global IP address of the VPC router in the IP address field.
    • Enter the same character string as the Pre-Shared Secret set on the VPC router in the Pre-Shared Key field.
    • Click OK.

  2. Click [Create Phase 2].

    • Enter an arbitrary name, select the phase 1 that you just created, and click [Special Option].
    • Set Encryption to AES128 and Authentication to SHA1; delete the other encryption/authentication combinations.
    • Check auto keep-alive under Automatic Key.
    • Select the IP address on the LAN side of the Fortigate.
    • Select the IP address on the LAN side of the VPC router.
    • Click OK.

  3. Next, register the policy for IPsec communication.

3. Concerning special tags

By assigning a special tag, it is possible to fine-tune the settings of a VPC router.
Display the information screen of the VPC router you want to work on. Click the [Edit] button at the bottom right of this screen to display the dialog box to change the VPC router information.

Fill in the following special tag in the [Tag] entry section and press the Enter key.
Click the [Update] button to save the settings.

@sitetosite-use-vti

Makes the site-to-site VPN function use a Virtual Tunnel Interface (VTI). This may improve IKE interoperability when connecting to certain models with multiple prefixes. After setting this tag, click the [Apply] button of the VPC router once.

Attention

*Normally there is no need to use this tag. Use it when a VPC router does not work well in its initial state.
*This special tag is dedicated to the VPC router. Make sure not to set it on a server.
*This tag may be needed when there are multiple private subnets.
*While this tag is set, remote access by L2TP/IPsec is unavailable.

4. Concerning closed connection function

The closed connection function passes the traffic of the cloud environment through a router within the user’s own network, over a path encrypted by IPsec, instead of communicating directly through the Internet.

With this function, the communication of resources on the cloud can also be easily controlled and audited at your own router.

Setting method

Set “0.0.0.0/0” in the [Opposing Endpoint Prefix] section of the site-to-site VPN settings screen.

This way, all traffic coming in and out of the VPC router will go through the opposing endpoint appliance side.

Cautions

  • If this function is used, the following functions become unavailable, because traffic other than the site-to-site VPN can no longer be sent or received directly via the Internet.
    • Forward NAT
    • Static NAT
    • Port forwarding (not applied to site-to-site VPN communication)
    • Firewall (not applied to site-to-site VPN communication)
    • Remote access (PPTP, L2TP/IPsec)
  • If the site-to-site VPN session fails, communication is completely cut off; there is no fallback.
  • 0.0.0.0/0 can be set as the opposing endpoint prefix for only one site of the site-to-site VPN. (Entering the same prefix on multiple sites results in an error.)

5. View VPN log

Click the [Log] tab on the details screen of a VPC router and click the [VPN] tab. The log is displayed.

*The latest 100 log records are displayed.
*There is no plan to display logs older than the latest 100 records on the control panel. Please use the syslog transfer function instead.

6. Reference information

These are the points that should be noted when you construct a site-to-site VPN with a YAMAHA router.
Important points for setting site-to-site VPN with VPC routers: Example using RTX1210—Introduction to SAKURA Cloud (7)

These are tips for the settings when the network is segmented using a virtual server within VPC.
VPN settings when using a multi-stage network in VPC—Introduction to SAKURA Cloud (8)