Creating a Self-Service IPsec (Site-to-Site) VPN Tunnel

Updated by Chris Little on Nov 5, 2014

Description

IPsec is a framework of open standards for ensuring private communications over public networks. It has become the most common network-layer security control, typically used to create a VPN tunnel. The CenturyLink Cloud platform provides self-service configuration of Site-to-Site (Point-to-Point, Gateway-to-Gateway) IPsec VPN tunnels. This model protects communications between two specific networks, such as an organization's main office network and a branch office network, or two business partners' networks.

Audience

  • CenturyLink Cloud customers (system administrators) who wish to extend their network and/or infrastructure to the cloud platform

Prerequisites

  • Account Administrator permissions on the platform
  • A list of the cloud network(s) you wish to reach across the tunnel
  • The make, model, and software version of the endpoint device you will terminate the tunnel on
  • The static public IP of the peering interface on your device
  • The network blocks you wish to make reachable on your end of the tunnel; these must be private (RFC 1918) address blocks
  • A server and a network already provisioned in the account and in the cloud data center you wish to connect to

Detailed Steps

  1. Log on to the [Control Portal](https://control.ctl.io/). Using the left side navigation bar, click on **Network** > **VPN**.
  2. Select the **Create Point to Point VPN** button.

    ipsec_image_02.jpg

  3. Select the appropriate Cloud Data Center for the VPN tunnel.

    ipsec_image_03.jpg

  4. Select the network blocks under your account that you want reachable across the tunnel. You may limit tunnel access to specific servers or small subnets within your cloud networks.

    ipsec_image_04.jpg

  5. Input 'Your Site' information:

      • Site Name (ex. Montreal Office)
      • Device Type (ex. Cisco ASA5520 v8.3)
      • VPN Peer IPv4 Address: the static public IP of the peering interface on your device
      • Tunnel Encrypted Subnets: the network blocks you wish to make reachable on your end of the tunnel; these must be private (RFC 1918) address blocks

    ipsec_image_05.jpg

  6. Input the Phase 1 (IKE) information:

      • Protocol Mode (Main or Aggressive). We recommend Main mode; with a pre-shared key, Aggressive mode exposes the authentication hash to offline guessing.
      • Encryption Algorithm (AES-128; AES-192; AES-256; 3DES). We recommend AES-128 or better.
      • Hashing Algorithm (SHA1-96; SHA-256; MD5). We recommend SHA1 for most customers; avoid MD5.
      • Pre-Shared Key: a shared secret that authenticates the two peers. It must be identical on both ends of the connection, and should be long and random, since Phase 1 security rests on it.
      • Diffie-Hellman Group (Group 1; Group 2; Group 5). If using AES with a cipher strength greater than 128-bit, or SHA2 for hashing, we recommend Group 5; otherwise Group 2 is sufficient. Group 1 (768-bit) is weak and should not be used.
      • Lifetime Value (1 hour; 8 hours; 24 hours). Our IKE lifetime is set to 8 hours. This value is not required to match, as negotiation chooses the shortest value offered by either peer.
      • DPD State (Dead Peer Detection): specify whether you wish this enabled or disabled. Check your device defaults: for example, Cisco ASA defaults to on, while Netscreen/Juniper SSG and Juniper SRX default to off. Our default is off.
      • NAT-T State: allows connections to VPN endpoints behind a NAT device. Defaults to off. If you require NAT-T, you also need to provide the private IP address that your VPN endpoint will use to identify itself.
      • Remote Identity: the private IP address that your VPN endpoint will use to identify itself. Required only when NAT-T is on.

    update_nat-t.png

  7. Input the Phase 2 (IPsec) information and select Finish to complete the tunnel configuration.

      • IPsec Protocol (ESP or AH). ESP is preferred; AH provides integrity only and no encryption.
      • Encryption Algorithm (AES-128; AES-192; AES-256; 3DES). We recommend AES-128 or better.
      • Hashing Algorithm (SHA1-96; MD5). We recommend SHA1 for most customers; avoid MD5.
      • PFS Enabled: we suggest enabling it, using Group 2, though Group 5 is recommended with SHA2 hashing or AES-192 or AES-256. Without PFS, compromise of the IKE keys exposes all IPsec keys derived from them.
      • Lifetime Value (1 hour; 8 hours; 24 hours). Our IPsec lifetime is set to 1 hour (and unlimited KB). This setting is not required to match, as negotiation chooses the shortest value offered by either peer.

    ipsec_image_07.jpg
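As an added example (this is not CenturyLink Cloud's code), the Python script below turns the rules from steps 5 through 7 into a pre-flight check you can run against the values you intend to enter in the portal and the values configured on your own device before opening a ticket: mode, algorithms, DH group and pre-shared key must be identical on both peers, lifetimes may differ because the shorter one wins, Remote Identity is needed only with NAT-T on, and your tunnel-encrypted subnets must be RFC 1918. The weak-algorithm warnings and the overlap test between the two sides' subnets are the editor's additions rather than portal rules, and every peer setting, subnet and key in the sample scenario is constructed data.

```python
"""Pre-flight check for a self-service IPsec site-to-site tunnel.

Added example, not CenturyLink Cloud code. Models the Phase 1 / Phase 2
choices entered in the Control Portal and the matching settings on the
customer's device, then applies the article's rules (everything except
lifetime must match; Remote Identity only with NAT-T; RFC 1918 subnets).
All peer settings, subnets and the key below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
LIFETIME_HOURS = {"1 hour": 1, "8 hours": 8, "24 hours": 24}  # portal choices
WEAK = ("MD5", "Group 1", "3DES")  # editorial judgement, not a portal rule

@dataclass(frozen=True)
class Phase1:                 # IKE settings (step 6)
    mode: str                 # "Main" or "Aggressive"
    encryption: str           # "AES-128", "AES-192", "AES-256", "3DES"
    hashing: str              # "SHA1", "SHA-256", "MD5"
    dh_group: str             # "Group 1", "Group 2", "Group 5"
    psk: str
    lifetime: str             # a key of LIFETIME_HOURS
    nat_t: bool = False
    remote_identity: Optional[str] = None  # endpoint's private IP; only with NAT-T

@dataclass(frozen=True)
class Phase2:                 # IPsec settings (step 7)
    protocol: str             # "ESP" or "AH"
    encryption: str
    hashing: str
    pfs_group: Optional[str]  # None when PFS is disabled
    lifetime: str

def is_rfc1918(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)

def negotiated_hours(a: str, b: str) -> int:
    """Lifetimes are not required to match: negotiation picks the shorter."""
    return min(LIFETIME_HOURS[a], LIFETIME_HOURS[b])

def check_tunnel(cloud_p1, site_p1, cloud_p2, site_p2, cloud_subnets, site_subnets):
    errors, warnings = [], []
    # Phase 1: everything except lifetime must agree (the key itself is never reported).
    for f in ("mode", "encryption", "hashing", "dh_group", "psk"):
        if getattr(cloud_p1, f) != getattr(site_p1, f):
            errors.append(f"Phase 1 {f} mismatch")
    if cloud_p1.nat_t and not cloud_p1.remote_identity:
        errors.append("NAT-T is on but no Remote Identity was supplied")
    if cloud_p1.mode == "Aggressive":
        warnings.append("Aggressive mode exposes the PSK hash to offline guessing")
    # Phase 2: protocol, algorithms and PFS group must agree; lifetime may differ.
    for f in ("protocol", "encryption", "hashing", "pfs_group"):
        if getattr(cloud_p2, f) != getattr(site_p2, f):
            errors.append(f"Phase 2 {f} mismatch")
    if cloud_p2.protocol == "AH":
        warnings.append("AH gives integrity only, no confidentiality; ESP is preferred")
    if cloud_p2.pfs_group is None:
        warnings.append("PFS disabled: a compromised IKE key exposes past IPsec keys")
    # Weak algorithms the portal still offers (deduplicated).
    for value in (cloud_p1.encryption, cloud_p1.hashing, cloud_p1.dh_group,
                  cloud_p2.encryption, cloud_p2.hashing):
        if value in WEAK and f"weak choice {value}" not in warnings:
            warnings.append(f"weak choice {value}")
    # Subnets: site side must be RFC 1918; the two sides must not overlap (added check).
    for cidr in site_subnets:
        if not is_rfc1918(cidr):
            errors.append(f"site subnet {cidr} is not RFC 1918")
    for a in cloud_subnets:
        for b in site_subnets:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                errors.append(f"cloud subnet {a} overlaps site subnet {b}")
    return {
        "errors": errors,
        "warnings": warnings,
        "ike_lifetime_h": negotiated_hours(cloud_p1.lifetime, site_p1.lifetime),
        "ipsec_lifetime_h": negotiated_hours(cloud_p2.lifetime, site_p2.lifetime),
    }

def sample_check():
    """Constructed scenario: portal filled in as the article recommends; the device
    admin left PFS off, used a 24-hour IKE lifetime (harmless) and listed a public subnet."""
    cloud_p1 = Phase1("Main", "AES-128", "SHA1", "Group 2", "example-psk", "8 hours")
    cloud_p2 = Phase2("ESP", "AES-128", "SHA1", "Group 2", "1 hour")
    site_p1 = Phase1("Main", "AES-128", "SHA1", "Group 2", "example-psk", "24 hours")
    site_p2 = Phase2("ESP", "AES-128", "SHA1", None, "1 hour")
    return check_tunnel(cloud_p1, site_p1, cloud_p2, site_p2,
                        cloud_subnets=["10.100.0.0/24"],
                        site_subnets=["192.168.10.0/24", "203.0.113.0/28"])

if __name__ == "__main__":
    for key, value in sample_check().items():
        print(key, value)
```

In the sample scenario the only hard failures are the PFS mismatch and the public site subnet; the differing IKE lifetimes simply negotiate down to 8 hours, which is exactly the behaviour the Lifetime Value fields describe. Substitute the values from your own device's IKE policy and crypto map to check a real tunnel.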

Standard Troubleshooting

Our side of the tunnel is configured from the parameters you enter in the Control Portal self-service interface. If you need to open a ticket reporting trouble establishing a tunnel, first start a continuous ping from a host on one of your tunnel-encrypted subnets to a host on the cloud network, so that there is interesting traffic to bring the tunnel up; we can then validate our configuration and supply any relevant log messages indicating the source of the problem.

It remains up to you, the customer, to correct your own configuration, submit new configurations with changed settings, or seek troubleshooting assistance with your own resources (for example, using your equipment manufacturer's maintenance contract). Due to the variety of devices and technologies, we cannot be responsible for the end-to-end VPN configuration.

Non-standard configurations

Any assistance you require beyond the options available in self-service falls into the "non-standard" configuration category.

We define non-standard configurations as anything deviating from the above process, or using configuration options specifically listed as out of scope. These configurations need to be addressed as a service task engagement. Contact your account manager with any questions.

Common reasons for non-standard VPN tunnels include:

  • Requesting an engineer to perform a live turn-up with you on a conference call
  • Requesting CenturyLink Cloud complete your organization's VPN information, or provide network documentation beyond what is included in this article
  • Any requirement for an engineer to attend a live meeting or telephone call
  • A NAT requirement (generally when the cloud servers need to be presented as public IP addresses via the tunnel). Note that this applies only to NAT on the encrypted network addresses; NAT-Traversal (NAT between the gateways) is fully supported in our standard configuration.
    • Regarding the addresses used for NAT presentation: if you require fewer than 5 addresses in total, we can assign /32 mappings from our public space for the data center side. If you require a larger block of addresses, you (the customer) will need to supply the public IP address space used to present your data center resources.
  • Using the VPN as a fail-over for direct-connect customers (for example, backing up your MPLS WAN with a VPN tunnel)
  • Certificate-based authentication
  • Non-IP-address IKE identity (for example a dynamic remote peer IP address, or hostname-based identity strings)
  • You require assistance with your device (no technical expertise in-house). We can provide one-time configuration assistance for most enterprise-class VPN endpoints:
    • Cisco PIX / ASA
    • Cisco IOS-based
    • Netscreen / Juniper SSG
    • Juniper SRX
    • Sonicwall
    • ... and many others. For most firewall-type devices, configuration assistance can be provided; we can generally find an engineer with relevant experience on our staff.


Customer Support

Can’t find what you need?
Give us a call.

1.888.638.6771

M – F, 8am to 6pm