Site-to-site VPN setting¶
[Update: June 22, 2017]
The following explains the site-to-site VPN function (site-to-site IPsec VPN function) of the VPC router.
1. Overview of the site-to-site VPN function¶
The site-to-site VPN function establishes a VPN connection between a VPC router created on SAKURA Cloud and a device that supports site-to-site VPN connections installed in another network.
Networks connected via the Internet are joined by a virtual dedicated line encrypted with IPsec VPN, so the network built within SAKURA Cloud can be used seamlessly as an extension of the existing network. This makes it easy to build a virtual private cloud environment on an IaaS foundation that lets you construct server and network environments flexibly and immediately.
VPC router specifications¶
The specifications of the site-to-site VPN function of the VPC router are as follows. The site-to-site VPN function can be used with any equipment at the opposing endpoint that supports these specifications.
Item | Specification |
---|---|
Authentication method | Pre-Shared Key (*1) |
Cryptographic algorithm | AES128 |
Cipher mode | CBC |
Hash algorithm | SHA1 |
Message authentication code | HMAC |
PFS (Perfect Forward Secrecy) | Enabled |
DH (Diffie-Hellman) group | MODP1024 (Group 2) |
ISAKMP SA lifetime | 28,800 seconds |
IPsec SA lifetime | 1,800 seconds |
Exchange mode | Main mode (aggressive mode is not supported) |
IKE phase 1 ID | Global IP address of the VPC router |
IKE phase 2 ID | Type 1 (ID_IPV4_ADDR) |
Vendor ID | Not accepted / not sent |
IKE keep-alive (DPD) | Enabled (interval 15 seconds / timeout 30 seconds) |
Opposing endpoint prefix / local prefix length | /8 to /32 |
*1 Upper-case and lower-case letters, digits, and underscore (_) may be used; the length is 1 to 40 characters.
Operation confirmed appliances¶
The appliances with which we have confirmed that a site-to-site VPN connection to a VPC router can be established are as follows.
- YAMAHA RTX series (*1)
  - Examples of settings for the RTX830 and RTX1210 are available on Yamaha's official website (Connection with SAKURA Cloud).
- Juniper NetScreen/SSG series
- Vyatta / VyOS
- Cisco ISR series (*2)
- Fortinet Fortigate series (*3)
*1: The models whose operation we have confirmed are the RTX 1200 and RTX 1210.
*2: The model whose operation we have confirmed is the Cisco 891F.
*3: The model whose operation we have confirmed is the Fortigate-60C (FortiOS4 series).
2. Example of settings¶
Examples of settings for a VPC router and 3 types of appliances whose operation we have confirmed are provided here.
These are general configuration examples using only the basic functions. For detailed setting methods, contact the manufacturer of each appliance (we do not provide support for equipment outside the SAKURA Cloud network). Connectivity with a VPC router is also not guaranteed in the future, for example if a vendor changes its specifications.
Network configuration example¶
The network configuration assumes the following.
Configuration diagram¶

Network information¶
Item | VPC router side | Opposing endpoint appliance side |
---|---|---|
Global IP address | 203.0.113.180 (*1) | 198.51.100.124 (/27) |
IPsec ID | 203.0.113.180 (*2) | 198.51.100.124 (*3) |
Default gateway | – | 198.51.100.97 |
Private IP address | 172.16.0.0/16 | 10.0.0.0/24 |
Pre-Shared Secret | test12345 | test12345 |
*1 For the standard plan, the IP address assigned to the global interface is used; for the premium plan, the virtual IP address set on the global interface is used.
*2 The IPsec ID is the same value as the global IP address.
*3 For the YAMAHA RTX series, specify the IP address set on the private interface (e.g. 10.0.0.1).
Setting a VPC router¶
From the settings screen of the VPC router you want to configure, select the [Site-to-Site VPN] tab. A list of the configured site-to-site VPN settings appears. Click the [Add] button to add a new one.

The site-to-site VPN settings screen will appear. Enter the information in each setting item.

Item | Description |
---|---|
Opposing endpoint IP address | Enter the IP address of the VPN-connected appliance. |
Opposing endpoint ID | Enter the ID of the VPN-connected appliance. |
Pre-Shared Secret | Enter the character string you want to use as the Pre-Shared Key. |
Opposing endpoint Prefix | Enter the address block of the VPN-connected network. |
Local Prefix | Enter the address block of the network under the VPC router. |
*All items are required.
Multiple IP address blocks can be entered in the [Opposing Endpoint Prefix] and [Local Prefix] sections (up to 4 each).
After entering one IP address block, press the enter key or the right arrow key to add it to the list. You can delete it from the list by clicking the “x” icon on the right of each IP address.

Click the [Apply] button.

When the setting is completed, it is added to the list. The created entries can be edited with the pencil icon on the right of the list and deleted with the delete icon.

Note
When you add, change, or delete any site-to-site VPN settings, you need to click the [Apply] button to push the settings to the VPC router. (The settings are updated by clicking [Apply] even while the VPC router is active; it does not have to be powered off.)
Also, clicking the [Apply] button does not affect the existing site-to-site VPN connection (does not cause disconnection, etc.).
Setting on the appliance side¶
Vyatta/VyOS¶
- Set the IP address and default gateway. (It is assumed that the global interface name is eth0 and the private interface name is eth1.)
interfaces {
    ethernet eth0 {
        address 198.51.100.124/27
    }
    ethernet eth1 {
        address 10.0.0.1/24
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 198.51.100.97 {
            }
        }
    }
}
The set commands are as follows.
set interfaces ethernet eth0 address 198.51.100.124/27
set interfaces ethernet eth1 address 10.0.0.1/24
set protocols static route 0.0.0.0/0 next-hop 198.51.100.97
- Set the site-to-site VPN.
vpn {
    ipsec {
        esp-group ESP {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE {
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 203.0.113.180 {
                authentication {
                    id 198.51.100.124
                    mode pre-shared-secret
                    pre-shared-secret test12345
                    remote-id 203.0.113.180
                }
                connection-type initiate
                default-esp-group ESP
                ike-group IKE
                local-address 198.51.100.124
                tunnel 1 {
                    local {
                        prefix 10.0.0.0/24
                    }
                    remote {
                        prefix 172.16.0.0/16
                    }
                }
            }
        }
    }
}
The set commands are as follows.
set vpn ipsec esp-group ESP compression disable
set vpn ipsec esp-group ESP lifetime 1800
set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP pfs enable
set vpn ipsec esp-group ESP proposal 1 encryption aes128
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ike-group IKE dead-peer-detection action restart
set vpn ipsec ike-group IKE dead-peer-detection interval 15
set vpn ipsec ike-group IKE dead-peer-detection timeout 30
set vpn ipsec ike-group IKE lifetime 28800
set vpn ipsec ike-group IKE proposal 1 encryption aes128
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 203.0.113.180 authentication id 198.51.100.124
set vpn ipsec site-to-site peer 203.0.113.180 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.180 authentication pre-shared-secret test12345
set vpn ipsec site-to-site peer 203.0.113.180 authentication remote-id 203.0.113.180
set vpn ipsec site-to-site peer 203.0.113.180 connection-type initiate
set vpn ipsec site-to-site peer 203.0.113.180 default-esp-group ESP
set vpn ipsec site-to-site peer 203.0.113.180 ike-group IKE
set vpn ipsec site-to-site peer 203.0.113.180 local-address 198.51.100.124
set vpn ipsec site-to-site peer 203.0.113.180 tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 203.0.113.180 tunnel 1 remote prefix 172.16.0.0/16
- Exclude traffic destined for the VPN from NAT processing (when NAT is used).
nat {
    source {
        rule 10 {
            destination {
                address 172.16.0.0/16
            }
            exclude
            outbound-interface eth0
        }
        rule 999 {
            outbound-interface eth0
            translation {
                address masquerade
            }
        }
    }
}
The set commands are as follows.
set nat source rule 10 destination address 172.16.0.0/16
set nat source rule 10 exclude
set nat source rule 10 outbound-interface eth0
set nat source rule 999 outbound-interface eth0
set nat source rule 999 translation address masquerade
- Confirm that VPN connection is possible.
vyatta@vc66:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.180                           198.51.100.124

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     126.4K/126.4K  aes128   sha1    no     1044    1800    all
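As an added example that is not part of this documentation or of the Vyatta/VyOS project, the Python check below parses the show vpn ipsec sa listing above and reports any tunnel whose negotiated parameters deviate from the VPC router specification table (state up, AES128, SHA1, 1,800-second IPsec SA lifetime). The sample listing is constructed from the output shown above; the parser assumes whitespace-separated columns in that layout and IPv4 addresses as peer and local IDs.

```python
import re

# Constructed sample: the 'show vpn ipsec sa' listing shown above, as a
# Vyatta/VyOS router peered with the VPC router prints it.
SHOW_SA = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.180                           198.51.100.124

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     126.4K/126.4K  aes128   sha1    no     1044    1800    all
"""

# What every IPsec SA towards the VPC router must have negotiated, taken from
# the specification table (AES128, SHA1, 1,800-second IPsec SA lifetime).
EXPECTED = {"State": "up", "Encrypt": "aes128", "Hash": "sha1", "L-Time": "1800"}

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_ipsec_sa(text):
    """Return one dict per tunnel row, tagged with the peer and local IDs (assumed IPv4)."""
    tunnels, peer, local, columns = [], None, None, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 2 and all(IPV4.fullmatch(f) for f in fields):
            peer, local = fields                 # "<peer IP>   <local IP>" row
        elif fields[0] == "Tunnel":              # header; "Bytes Out/In" is two tokens
            columns = fields[:2] + ["Bytes Out/In"] + fields[4:]
        elif columns and fields[0].isdigit():    # one tunnel row under that header
            row = dict(zip(columns, fields))
            row.update(peer=peer, local=local)
            tunnels.append(row)
    return tunnels

def check_against_spec(text, peer_ip):
    """Return deviations from the VPC router spec for the tunnels of peer_ip."""
    rows = [t for t in parse_ipsec_sa(text) if t["peer"] == peer_ip]
    if not rows:
        return [f"no IPsec SA with peer {peer_ip}"]
    problems = []
    for t in rows:
        for col, want in EXPECTED.items():
            if t.get(col) != want:
                problems.append(f"tunnel {t['Tunnel']}: {col} is {t.get(col)!r}, expected {want!r}")
    return problems

if __name__ == "__main__":
    for line in check_against_spec(SHOW_SA, "203.0.113.180") or ["tunnel matches the VPC router spec"]:
        print(line)
```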
YAMAHA RTX series¶
Hint
Examples of settings for the RTX830 and RTX1210 are available on Yamaha's official website. Please refer to these examples when using the RTX830 or RTX1210.
- Set the IP address and default gateway. (It is assumed that the private interface name is lan1 and the global interface name is lan2.)
ip lan1 address 10.0.0.1/24
ip lan2 address 198.51.100.124/27
ip route default gateway 198.51.100.97
- Set the site-to-site VPN.
tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike always-on 1 on
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike keepalive use 1 on dpd 15 2
ipsec ike local address 1 198.51.100.124
ipsec ike local id 1 198.51.100.124
ipsec ike pfs 1 on
ipsec ike pre-shared-key 1 text test12345
ipsec ike remote address 1 203.0.113.180
ipsec ike remote id 1 203.0.113.180
ipsec auto refresh 1 on
ip tunnel mtu 1280
ip tunnel tcp mss limit auto
tunnel enable 1
ip route 172.16.0.0/16 gateway tunnel 1
nat descriptor masquerade static 1000 1 198.51.100.124 udp 500
nat descriptor masquerade static 1000 2 198.51.100.124 esp
*Cautions
The IP address given by ipsec ike local address and ipsec ike local id must match the address used in the nat descriptor masquerade static entries that pass UDP port 500 and ESP.
When the private IP address is used in those entries, as follows:
nat descriptor masquerade static 1000 1 10.0.0.1 udp 500
nat descriptor masquerade static 1000 2 10.0.0.1 esp
change ipsec ike local address and ipsec ike local id to 10.0.0.1 as well:
ipsec ike local address 1 10.0.0.1
ipsec ike local id 1 10.0.0.1
Also change the opposing endpoint ID of the VPC router's site-to-site VPN setting to 10.0.0.1 on the cloud control panel.

- Confirm that VPN connection is possible.
# show ipsec sa gateway 1
1 U 1 10.0.0.1 203.0.113.180 i:2 s:1 r:1

sa   sgw  connection      dir   life[s]  remote-id
--------------------------------------------------------------------------
6    1    isakmp          -     28571    203.0.113.180
8    1    isakmp          -     28743    203.0.113.180
10   1    tun[001]esp     send  1744     203.0.113.180
11   1    tun[001]esp     recv  1744     203.0.113.180
Juniper SRX series/Firefly¶
- Set the IP address and default gateway. (It is assumed that the global interface name is ge-0/0/0 and the private interface name is ge-0/0/1.)
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.124/27;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 198.51.100.97;
    }
}
- Set the site-to-site VPN.
security {
    ike {
        proposal ike-proposal {
            authentication-method pre-shared-keys;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-policy {
            mode main;
            proposals ike-proposal;
            pre-shared-key ascii-text test12345;
        }
        gateway ike-gateway {
            ike-policy ike-policy;
            address 203.0.113.180;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-proposal;
        }
        vpn ipsec-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gateway;
                proxy-identity {
                    local 10.0.0.0/24;
                    remote 172.16.0.0/16;
                }
                ipsec-policy ipsec-policy;
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 172.16.0.0/16 next-hop st0.0;
    }
}
- Set the security zone and policy.
security {
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy trust-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
- Confirm that VPN connection is possible.
root@firefly> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
1323201  UP     37c7189f604XXXXX  b2319ba9f19XXXXX  Main  203.0.113.180

root@firefly> show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm             SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  131073  ESP:aes-cbc-128/sha1  ce9d6928  199/ unlim   -    root  500   203.0.113.180
  131073  ESP:aes-cbc-128/sha1  c7cd96a1  1176/ unlim  -    root  500   203.0.113.180
Cisco ISR series¶
- Set the IP address and default gateway. (It is assumed that the global interface name is GigabitEthernet8 and the private interface name is Vlan1.)
interface GigabitEthernet8
 ip address 198.51.100.124 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
 crypto map map-ipsec
 exit
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 exit
- Set the site-to-site VPN.
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
 exit
crypto isakmp key test12345 address 203.0.113.180
crypto isakmp keepalive 30 periodic
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set ipsec esp-aes esp-sha-hmac
 mode tunnel
crypto map map-ipsec 1 ipsec-isakmp
 set peer 203.0.113.180
 set transform-set ipsec
 match address 101
 exit
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
- Confirm that VPN connection is possible.
#ping 172.16.0.1 source 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Fortinet Fortigate series (FortiOS4 series)¶
- Log in to the Fortigate Web UI, click VPN, then Automatic Key (IKE), and click [Create Phase 1] at the upper right.

Enter an arbitrary name.
Enter the global IP address of the VPC router in the IP address.
Enter the same character string as the Pre Shared Secret set in the VPC router in the Pre-Shared Key.
Click OK.

- Click [Create Phase 2].

Enter an arbitrary name, select the Phase 1 you just created, and click [Special Option].

Set Encryption to AES128 and Authentication to SHA1, and delete the other proposals.
Check the Autokey Keep Alive option.
Select the LAN-side address of the Fortigate.
Select the LAN-side address of the VPC router.
Click OK.
- Next, register the policy for IPsec communication.

3. Concerning special tags¶
By assigning a special tag, it is possible to fine-tune the settings of a VPC router.
Display the information screen of the VPC router you want to work on. Click the [Edit] button at the bottom right of this screen to display the dialog box to change the VPC router information.
Fill in the following special tag in the [Tag] entry section and press the Enter key.
Click the [Update] button to save the settings.

@sitetosite-use-vti¶
Configures the site-to-site VPN function to use a Virtual Tunnel Interface (VTI). This may improve IKE interoperability when connecting to certain models with multiple prefixes. After setting this tag, click the [Apply] button of the VPC router once.
Attention
*Normally this is not needed. Use it only when the VPC router does not work correctly in its initial condition.
*This is a special tag dedicated to the VPC router. Do not use it on a server.
*This tag may be required when there are multiple private subnets.
*While this tag is set, remote access by L2TP/IPsec is unavailable.
4. Concerning closed connection function¶
The closed connection function routes all communication of the cloud environment through a router within the user's network over an IPsec-encrypted path, rather than communicating directly over the Internet.

With this function, communication of resources on the cloud can also be controlled and audited by your own router.
Setting method¶
Set 0.0.0.0/0 in the [Opposing Endpoint Prefix] section of the site-to-site VPN settings screen.

This way, all traffic coming in and out of the VPC router will go through the opposing endpoint appliance side.
Cautions¶
- When this function is used, traffic other than the site-to-site VPN can no longer be sent or received directly over the Internet, so the following functions become unavailable:
  - Forward NAT
  - Static NAT
  - Port forwarding (not applied to site-to-site VPN communication)
  - Firewall (not applied to site-to-site VPN communication)
  - Remote access (PPTP, L2TP/IPsec)
- If the site-to-site VPN session fails, communication will be completely disconnected without fallback.
- It is possible to set 0.0.0.0/0 as the opposing endpoint Prefix for only one site of the site-to-site VPN. (If you enter the same prefix on multiple sites, an error will occur.)
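As an added example that is not part of this documentation, the following Python validator applies the constraints stated on this page (pre-shared key of 1 to 40 letters, digits or underscores; prefix lengths /8 to /32; at most four address blocks per prefix field; every item required; 0.0.0.0/0 as the opposing endpoint prefix on one site only) to a list of site-to-site entries before they are entered in the control panel. The field names (peer_ip, peer_id, psk, peer_prefixes, local_prefixes) are this example's own assumptions, and the sample entry is constructed from the network information table above.

```python
import ipaddress
import re

# Constraints from the specification table, the settings screen and the
# closed-connection cautions above; field names below are this example's own.
PSK_RE = re.compile(r"[A-Za-z0-9_]{1,40}")
MIN_LEN, MAX_LEN, MAX_BLOCKS = 8, 32, 4
DEFAULT_ROUTE = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample: the network information table above, seen from the
# VPC router (opposing endpoint = the appliance side).
SITES = [
    {"peer_ip": "198.51.100.124", "peer_id": "198.51.100.124", "psk": "test12345",
     "peer_prefixes": ["10.0.0.0/24"], "local_prefixes": ["172.16.0.0/16"]},
]

def check_prefixes(name, prefixes, errors, allow_default=False):
    """Validate one prefix field, appending messages to errors; returns parsed networks."""
    nets = []
    if not prefixes:
        errors.append(f"{name}: required")
    if len(prefixes) > MAX_BLOCKS:
        errors.append(f"{name}: at most {MAX_BLOCKS} address blocks")
    for p in prefixes:
        try:
            net = ipaddress.IPv4Network(p)        # strict: host bits must be zero
        except ValueError as e:
            errors.append(f"{name}: {p!r} is not a valid IPv4 block ({e})")
            continue
        if not (allow_default and net == DEFAULT_ROUTE) and not MIN_LEN <= net.prefixlen <= MAX_LEN:
            errors.append(f"{name}: {p} must be /{MIN_LEN} to /{MAX_LEN}")
        nets.append(net)
    return nets

def validate_sites(sites):
    """Return error strings for a list of site-to-site entries (empty list means OK)."""
    errors, default_sites = [], []
    for i, s in enumerate(sites, 1):
        tag = f"site {i}"
        for field in ("peer_ip", "peer_id"):      # IDs are IPv4 addresses (ID_IPV4_ADDR)
            try:
                ipaddress.IPv4Address(s.get(field, ""))
            except ValueError:
                errors.append(f"{tag}: {field} must be an IPv4 address")
        if not PSK_RE.fullmatch(s.get("psk", "")):
            errors.append(f"{tag}: pre-shared secret must be 1-40 letters, digits or _")
        peer_nets = check_prefixes(f"{tag}: opposing endpoint prefix",
                                   s.get("peer_prefixes", []), errors, allow_default=True)
        check_prefixes(f"{tag}: local prefix", s.get("local_prefixes", []), errors)
        if DEFAULT_ROUTE in peer_nets:            # closed connection (section 4)
            default_sites.append(tag)
    if len(default_sites) > 1:
        errors.append("0.0.0.0/0 may be the opposing endpoint prefix of one site only: " + ", ".join(default_sites))
    return errors
```

The YAMAHA case from the cautions above, where the opposing endpoint ID (10.0.0.1) differs from the opposing endpoint IP address, passes because the ID only has to be an IPv4 address.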
5. View VPN log¶
Click the [Log] tab on the details screen of a VPC router and click the [VPN] tab. The log is displayed.

*The latest 100 log records are displayed.
*There is no plan to display logs older than the latest 100 records on the control panel. Please use the syslog transfer function.
6. Reference information¶
These are the points that should be noted when you construct a site-to-site VPN with a YAMAHA router.
Important points for setting site-to-site VPN with VPC routers: Example using RTX1210—Introduction to SAKURA Cloud (7)
These are tips for the settings when the network is segmented using a virtual server within VPC.
VPN settings when using a multi-stage network in VPC—Introduction to SAKURA Cloud (8)