Knowledge Base  /  CenturyLink Private Cloud on VMware Cloud Foundation  /  Security

Configuring Site-to-Site (IPsec VPN Sites) VPN

Updated by Anthony Hakim on Nov 12, 2019
Article Code: kb/1267

Description

This KB article steps through the process to stand up a Site-to-Site VPN between CenturyLink Private Cloud on VMware Cloud Foundation™ (CPC on vCF) and CenturyLink Cloud (CLC).

Prerequisites

  • CPC on vCF account
  • CLC account
  • Local Endpoint (Public IP for IPsec VPN on the CPC on vCF side)
  • Local Subnets in CIDR format (local networks to be accessible to IPsec VPN on the CPC on vCF side)
  • Peer Endpoint (Public IP for IPsec VPN on the CLC side)
  • Peer subnets in CIDR format (local networks to be accessible to IPsec VPN on the CLC side)
  • Firewall rules on both ends permitting IP protocol 50 (ESP), UDP port 500 (IKE), and UDP port 4500 (NAT-T)

Steps

Log in to your CenturyLink Private Cloud on VMware Cloud Foundation environment.

Once logged in, click Edges in the menu on the left side of the screen, select the Edge Gateway, then click Configure Services. A popup will appear.

In the Edge Gateway popup, click on the VPN tab, select IPsec VPN Sites, then click the + button to add a new configuration.

In the Edit IPsec VPN page:

  • Enabled: (Checked)
  • Enable perfect forward secrecy (PFS): (Checked)
  • Name: (Preferred name)
  • Local Id: (Preferred name)
  • Local Endpoint: (Public IP for IPsec VPN on the CPC on vCF side)
  • Local Subnets: (Local networks to be accessible to IPsec VPN on the CPC on vCF side)
  • Peer Id: (preferred name)
  • Peer Endpoint: (Public IP for IPsec VPN on the CLC side)
  • Peer Subnets: (Local networks to be accessible to IPsec VPN on the CLC side)
  • Encryption Algorithm: AES256
  • Authentication: PSK
  • Change Shared Key: (Default)
  • Pre-Shared Key: (Your Pre-Shared Key)
  • Display Shared Key: (Default)
  • Diffie-Hellman Group: DH2
  • Extension: (Default)
  • Digest Algorithm: Sha1
  • IKE Option: IKEv1
  • IKE Responder Only: (Default)
  • Session Type: Policy Based Session

Click Keep.

In the IPsec VPN Configuration page, click Save changes.

In the IPsec VPN Configuration page, click the Activation Status tab, then click the slider to enable the IPsec VPN Service Status. Click Save changes.

Log in to your CenturyLink Cloud environment.

In the left pane, click Network, then select Site-To-Site VPN.

In the Site-to-Site VPN page, click on the + site to site vpn button.

In the Create Site-to-Site VPN page, select your Control Portal Site (CLC data center), then click on the add network block button.

In the Select Destination Network or Subnet page, select your network, subnet size and starting IP address, then click add network block.

In Create Site-to-Site VPN page, in the Your Site section, enter your Site Name, Device Type and VPN Peer IPv4 Address, then click on the add network block button.

Upon clicking the add network block button above, a new field appears named Tunnel Encrypted Subnets. Enter your local network subnet block (on the CPC on vCF side). Click next: phase 1.

In the Phase 1 (IKE) page, enter as follows:

  • IKE Protocol: IKEv1
  • Protocol Mode: Main
  • Encryption Algorithm: AES-256
  • Hashing Algorithm: SHA1 (96)
  • Pre-Shared Key: Same pre-shared key you used previously
  • Diffie-Hellman Group: Group 2
  • Lifetime Value: 8 hours
  • DPD State: On
  • NAT-T State: Default

Click next: phase 2.

In the Phase 2 (IPSEC) page, enter as follows:

  • IPSEC Protocol: ESP
  • Encryption Algorithm: AES-256
  • Hashing Algorithm: SHA1 (96)
  • PFS Enabled: On, Group 2
  • Lifetime Value: 1 hour

Click finish.

Once completed, you will be presented with the summary page.

To test the Site-to-Site VPN, ping the gateway of a tunneled subnet on the other side, e.g., ping from a VM in CLC on the 10.100.67.0/24 network to the gateway on the CPC on vCF side (10.23.30.1).
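Before pinging, it is worth confirming that what was typed into the two portals actually describes the same tunnel, since a proposal or subnet mismatch is the usual reason a tunnel never comes up. The following Python script is an added example (not part of this article and not a CenturyLink or VMware tool): it normalises the two portals' different spellings of the same algorithm (AES256 vs AES-256, Sha1 vs SHA1 (96), DH2 vs Group 2) and checks that the local and peer subnets mirror each other. The dictionary values are constructed from the settings above, the pre-shared key is a placeholder, and the script assumes the single Edge encryption/digest setting applies to both IKE and ESP.

```python
import ipaddress

# Constructed sample values modelled on the two configuration pages in this
# article (the Edge "Edit IPsec VPN" form and the CLC Phase 1 / Phase 2
# pages). The PSK is a placeholder, not a real value.
CPC_SIDE = {
    "ike": "IKEv1", "encryption": "AES256", "digest": "Sha1", "dh": "DH2",
    "pfs": True, "psk": "REPLACE-ME-psk",
    "local_subnets": ["10.23.30.0/24"], "peer_subnets": ["10.100.67.0/24"],
}
CLC_SIDE = {
    "ike": "IKEv1", "p1_encryption": "AES-256", "p1_hash": "SHA1 (96)",
    "p1_dh": "Group 2", "p2_encryption": "AES-256", "p2_hash": "SHA1 (96)",
    "pfs_group": "Group 2", "psk": "REPLACE-ME-psk",
    "network_blocks": ["10.100.67.0/24"], "tunnel_encrypted_subnets": ["10.23.30.0/24"],
}

def norm(value):
    """Make the portals' spellings comparable: AES256/AES-256, Sha1/SHA1 (96), DH2/Group 2."""
    v = value.upper().replace("-", "").replace(" ", "")
    return v.replace("(96)", "").replace("GROUP", "DH")
def nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def check_vpn_pair(cpc, clc):
    """Return a list of mismatches; an empty list means both ends propose the same tunnel."""
    problems = []
    # Assumption: the single Edge encryption/digest setting is used for both IKE and ESP.
    pairs = [("IKE version", cpc["ike"], clc["ike"]),
             ("phase 1 encryption", cpc["encryption"], clc["p1_encryption"]),
             ("phase 1 hash", cpc["digest"], clc["p1_hash"]),
             ("phase 1 DH group", cpc["dh"], clc["p1_dh"]),
             ("phase 2 encryption", cpc["encryption"], clc["p2_encryption"]),
             ("phase 2 hash", cpc["digest"], clc["p2_hash"])]
    if cpc["pfs"]:
        pairs.append(("PFS group", cpc["dh"], clc["pfs_group"]))
    for name, a, b in pairs:
        if norm(a) != norm(b):
            problems.append(f"{name}: CPC on vCF={a!r} vs CLC={b!r}")
    if cpc["psk"] != clc["psk"]:
        problems.append("pre-shared key differs between the two ends")
    # Traffic selectors must mirror each other: local on one end is remote on the other.
    if nets(cpc["local_subnets"]) != nets(clc["tunnel_encrypted_subnets"]):
        problems.append("CPC local subnets do not match CLC tunnel encrypted subnets")
    if nets(cpc["peer_subnets"]) != nets(clc["network_blocks"]):
        problems.append("CPC peer subnets do not match CLC network blocks")
    return problems
if __name__ == "__main__":
    print(check_vpn_pair(CPC_SIDE, CLC_SIDE) or "both ends agree")
```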