# VPNs
## Overview

A VPN provides a secure communications tunnel over a public network for remote user access and for site-to-site connections (e.g., branch offices that need to collaborate and share resources).

## IPsec

Korgrid supports IPsec compatibility to allow configuration of a VPN tunnel between your tenant and a third-party IPsec peer.

IPsec tunnels are an advanced configuration. It is recommended to use WireGuard when possible, as it provides better performance and a simpler configuration.

The sections below walk through the steps, performed as necessary: creating a VPN network, editing the IPsec configuration, and creating the Phase 1 and Phase 2 configurations.

### Create a VPN Network

1. From the top menu, click **Networks > + New VPN**.
2. Enter a **Name** for the network.
3. (Optional) Enter a **Description**.
4. Set **Layer 2 Type** to **None**.
5. Set **Interface Network**:
   - **None** (recommended): creates a separate VPN network, where connections to other tenant networks are handled via layer 3 routing.
   - **[Existing network]**: select an existing network to attach the VPN network to directly via layer 2.
6. Set **IP Address Type** to **Static**.
7. Enter an **IP Address** for the network (e.g., 10.1.1.1).
8. Enter a **Network Address** (e.g., 10.1.1.0/24).
9. (Optional) Enter a **Hostname** for the layer 3 routed interface.
10. Click **Submit**.

After creating the network, you must power it on for it to become active: from the left menu, click **Power On**.

### Edit IPsec Configuration

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **Edit IPsec Configuration**.
5. Set **Mode**:
   - **Normal** (recommended): the option typically used; includes the common IPsec fields.
   - **Advanced**: allows extensive or out-of-the-ordinary IPsec configuration through the use of configuration (.conf) files.
6. Set **Unique IDs**:
   - **Yes**: keeps participant IDs unique (equivalent to replace).
   - **Never**: ignores INITIAL_CONTACT notifies and does not replace old IKE SAs.
   - **No**: replaces IKE SAs only upon an INITIAL_CONTACT notify.
7. **Propose IPComp Compression**: uses a special protocol designed to compress the payload of IP packets; it must be supported by the remote peer.
8. **Exclude My Network**: this setting should typically be enabled.
9. **Cisco Extensions**: this setting should remain disabled unless specifically needed to support the configuration of the remote IPsec peer.
10. **Unencrypted ID and Hash Payloads**: it is generally recommended to keep this option disabled. Transmitting ID and hash payloads unencrypted during the initial exchange introduces several security vulnerabilities.
11. **MSS Clamp**: in some situations, MSS clamping can improve performance in IPsec tunnels. However, it is critical to thoroughly understand your network in order to calculate and set the MSS accurately; an incorrect setting can lead to suboptimal performance and/or packet loss.
12. **Strict CRL Policy**: a strict CRL (certificate revocation list) policy will not accept revoked certificates during authentication.
13. **Make Before Break**: new SAs are established while the old ones are still active; the old SAs are removed only when the new ones are ready.
14. Click **Submit**.

### Phase 1 Configuration

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **IPsec Tunnels**.
5. From the left menu, click **New**.
6. Enter a **Name** for the tunnel.
7. (Optional) Enter a **Description**.
8. Set **Key Exchange Version**:
   - **Auto** (recommended): uses the IKE version initiated by the remote peer.
   - **IKEv1**: uses IKEv1.
   - **IKEv2**: uses IKEv2.
9. Enter the **Remote Gateway**. ℹ️ This is the WAN address of the IPsec remote peer.
10. Configure **Phase 1 (Encryption)**:
    - **Algorithm**: AES 256 GCM is recommended.
    - **Key Length**: varies depending on the algorithm selected.
    - **Hash**: varies depending on the algorithm selected.
    - **DH Group**: varies depending on the algorithm selected.
    - **Lifetime**: auto-expiration setting for SAs.
11. Configure **Phase 1 Proposal (Authentication)**:
    - **Pre-Shared Key**: can be entered manually, or you may press ⭮ to generate a pre-shared key for you.
    - **Negotiation Mode**:
      - **Main** (recommended): slower negotiation, but more secure.
      - **Aggressive**: faster negotiation, but exposes identities.
    - **Identifier**: the identity presented to the remote peer during IKE negotiation; when left blank, the current IP is used. Typically, the tenant's WAN IP address should be entered, as it is the source address from the remote peer's perspective.
    - **Peer Identifier**: the identity to expect from the remote peer; this can typically be left blank to use the address currently specified as the VPN Remote Gateway.
12. Configure **Phase 1 Advanced Options**:
    - **Connection Behavior**: defines the behavior at IPsec startup.
      - **Responder Only**: loads the connection but does not start it.
      - **On Demand**: loads a connection and starts it if traffic is detected between the networks.
      - **Start**: loads and starts the connection immediately.
    - **Force UDP Encapsulation**: when enabled, UDP encapsulation is forced even when NAT is not detected.
    - **Rekey**: can be disabled to prevent local initiation of renegotiation for a connection about to expire; however, this does not affect renegotiation requests that come from the remote peer.
    - **Margintime**: defines the length of time allowed before a replacement negotiation is started for an expiring keying channel/connection. This setting is only relevant locally (the remote peer does not need to match it).
    - **Dead Peer Detection**: defines the default action to perform on timeout.
      - **Clear**: closes the connection.
      - **Hold**: monitors for new traffic and renegotiates the connection if traffic between the networks is detected.
      - **Restart**: tries to renegotiate the connection immediately.
      - **None**: disables sending DPD messages.
    - **DPD Delay**: defines the time interval at which R_U_THERE messages are sent to the peer; they are only sent when there is no other traffic.
    - **DPD Failures**: defines the maximum number of failures before peer connections are automatically deleted after inactivity (does not apply to IKEv2).
13. Click **Submit**.

### Phase 2 Configuration

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **IPsec Tunnels**.
5. Select the newly created Phase 1 configuration.
6. From the left menu, click **New**.
7. Set **Mode**:
   - **Tunnel**
   - **Transport**
8. Enter the **Local Network**: the subnet of IP addresses to include on this side of the VPN (e.g., 192.168.100.0/24).
9. Enter the **Remote Network**: the network of the remote peer, in CIDR format (e.g., 10.128.1.0/24).
10. Set **Protocol**:
    - **ESP** (recommended): Encapsulating Security Payload.
    - **AH**: authentication only.
11. Set **Lifetime**: the duration of the SA established during Phase 2.
12. Configure **Phase 2 (Encryption)**:
    - **Algorithm**: AES 256 GCM is recommended.
    - **Key Length**: varies depending on the algorithm selected.
    - **Hash**: varies depending on the algorithm selected.
    - **DH Group**: varies depending on the algorithm selected.
13. Click **Submit**.

### Firewall & Routing Rules

The following rules are automatically created on the new VPN network. Additional network configuration may be necessary for IPsec traffic beyond the default auto-created network rules, depending on your specific network and IPsec design.

| Direction | Action | Protocol | Port |
|-----------|--------|----------|------|
| Incoming  | Allow  | UDP      | 500  |
| Incoming  | Allow  | UDP      | 4500 |
| Incoming  | Allow  | ESP      |      |
| Incoming  | Allow  | AH       |      |

## WireGuard

WireGuard is a modern, open-source VPN software and tunnel protocol that provides fast communication using state-of-the-art cryptography. WireGuard has been integrated directly into our platform for the implementation of secure tunnels with minimal setup effort. These secure tunnels can be used for both remote user access and site-to-site connectivity.

### Interface Configuration

WireGuard is attached to one network. This should be a network that has access to all networks which the WireGuard VPN should reach.

1. From the top menu, click **Networks > List**.
2. Select the desired network.
3. From the left menu, click **View**.
4. From the left menu, click **WireGuard (VPN)**.
5. From the left menu, click **New Interface**.
6. Enter a **Name** for the VPN interface.
7. (Optional) Enter a **Description**.
8. Enter an **IP Address**: defines the IP/network address for the interface. ℹ️ This should be a unique address space that has been specifically set aside for the VPN and will not conflict with addressing on participating networks within the tenant or on VPN peers. Example: an internal network that uses an addressing scheme of 192.168.0.1/24 and a peer that uses an addressing scheme of 10.10.100.0/24 could have a WireGuard interface that uses 172.16.1.1/24.
9. (Optional) Specify a **Listen Port**; this can typically be left at the default, 51820.
10. Enter a **Private Key**; this can typically be left blank to allow the key pair to auto-generate. However, a specific private key can be entered if desired. ⚠️ WireGuard requires base64-encoded public and private keys; any manually entered private key must be a complete base64 key (https://www.convertsimple.com/random-base64-generator/). Note that a key produced by a third-party website is known to that site, so generating the key pair locally keeps the private key private.
11. (Optional) Enter an **Endpoint IP**: the external address to which a peer will connect.
12. (Optional) Toggle **Configure Firewall** (recommended): automatically configures PAT rules on the external network.
13. (Optional) Toggle **Auto Apply Firewall Rules** (recommended): automatically applies new firewall rules on the WireGuard network and the external network.
14. Click **Submit**.

### Create Peer Definition(s)

A peer definition must be created for each entity that will connect to your WireGuard instance. For example, in a site-to-site VPN implementation, each side has a WireGuard interface and configures the other side as a peer, using the public key from the other side in the peer record. For a remote access system for users, a peer record is created for each user that will connect, each with a different public key.

1. From the top menu, click **Networks > List**.
2. Select the desired network.
3. From the left menu, click **View**.
4. From the left menu, click **WireGuard (VPN)**.
5. From the left menu, click **New Peer**.
6. Enter a **Name** for the peer.
7. (Optional) Enter a **Description**.
8. Toggle **Auto Generate Peer Configuration** (recommended): creates a configuration file to be used by remote access users.
9. Enter an **Endpoint**: the external-facing IP or hostname of the peer; the address from which this system would access the peer.
10. (Optional) Specify a **Listen Port**; this can typically be left at the default, 51820.
11. Enter a **Peer IP**: the IP address that routes the traffic here; typically, this is the internal address assigned to the local interface on this peer.
12. Enter a **Public Key**: the base64 public key from the peer.
13. (Optional) Enter a **Preshared Key**: can be entered to provide an extra layer of security.
14. Select **Configure Firewall**:
    - **Site to Site**: creates firewall rules for a site peer.
    - **Remote User**: creates firewall rules for a remote user peer.
    - **Don't Create Rules**: does not auto-generate any firewall rules; rules must be configured manually.
15. Set **Keepalive**: by default this is set to 0, which means keepalives are disabled. It is not generally necessary to change this value.
16. Configure **Allowed IPs**: one or more IP address segments, in CIDR format (e.g., 10.1.2.0/24).
17. Click **Submit**.

When network rules are modified, you must apply the rules before they are live.

### Create Cluster-to-Cluster Tunnel

On cluster 1:

1. Create a WireGuard interface.
2. Copy the generated public key (for the interface) for later use.

On cluster 2:

1. Create a WireGuard interface.
2. Create a peer:
   - Set **Public Key** to the generated public key you copied from cluster 1.
   - Set **Allowed IPs** to include the address of the WireGuard interface from cluster 1.
3. Copy the generated public key for later use.

On cluster 1:

1. Create a peer:
   - Set **Public Key** to the generated public key you copied from cluster 2.
   - Set **Allowed IPs** to include the address of the WireGuard interface from cluster 2.

On cluster 1 and cluster 2: apply rules.

### Create Remote User Access Tunnel

1. Create a WireGuard interface.
2. From the left menu, click **New Peer**.
3. Enter a **Name** for the peer, such as the remote user's name.
4. (Optional) Enter a **Description**.
5. Toggle **Auto Generate Peer Configuration**.
6. Enter the **Endpoint** for the peer: the external-facing IP address, hostname, or URL this tunnel will use to communicate with the peer.
7. Set **Configure Firewall** to **Remote User**.
8. Click **Submit**.

### Configure Client

1. On the peer record, download the configuration file by clicking the ⭳ **Download** button.
2. Install the WireGuard client on the client machine (https://www.wireguard.com/install/).
3. After installation, launch the WireGuard client.
4. Click **Add Tunnel** and open the configuration file you downloaded earlier.
5. Click **Activate**.
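The following is an added example (not code from this page or the platform) for the WireGuard key requirement and the cluster-to-cluster procedure above: it checks that a manually entered key is a complete, canonical base64 encoding of 32 bytes, generates a clamped private key locally, and renders the paired interface/peer records for two clusters using the page's addressing example. The cluster endpoints and the key byte patterns are constructed placeholders.

```python
import base64
import binascii
import os

KEY_BYTES = 32  # Curve25519 keys: exactly 32 bytes, which is 44 base64 characters

def is_valid_wg_key(key: str) -> bool:
    """True only for a complete, canonical base64 encoding of 32 bytes."""
    if len(key) != 44 or not key.endswith("="):
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Re-encoding rejects non-canonical trailing bits that lenient decoders accept.
    return len(raw) == KEY_BYTES and base64.b64encode(raw).decode() == key

def generate_private_key() -> str:
    """Random X25519 private key, clamped the same way `wg genkey` clamps it."""
    raw = bytearray(os.urandom(KEY_BYTES))
    raw[0] &= 248                    # clear the low three bits
    raw[31] = (raw[31] & 127) | 64   # clear bit 255, set bit 254
    return base64.b64encode(bytes(raw)).decode()

def render_side(me: dict, peer: dict) -> str:
    """One cluster's [Interface] plus the [Peer] record describing the other cluster."""
    if not (is_valid_wg_key(me["private_key"]) and is_valid_wg_key(peer["public_key"])):
        raise ValueError("WireGuard keys must be complete 44-character base64 strings")
    peer_tunnel_addr = peer["address"].split("/")[0] + "/32"
    return (
        "[Interface]\n"
        f"Address = {me['address']}\nListenPort = {me['listen_port']}\n"
        f"PrivateKey = {me['private_key']}\n\n"
        "[Peer]\n"
        f"PublicKey = {peer['public_key']}\n"
        f"Endpoint = {peer['endpoint']}:{peer['listen_port']}\n"
        # AllowedIPs: the peer's tunnel address plus the LAN behind it, nothing wider.
        f"AllowedIPs = {peer_tunnel_addr}, {peer['lan']}\n"
    )

# Constructed sample values following the page's addressing example; the keys are
# placeholder byte patterns (0x01..0x04 repeated), not real key material.
CLUSTER1 = {"address": "172.16.1.1/24", "listen_port": 51820, "endpoint": "203.0.113.10",
            "lan": "192.168.0.0/24", "private_key": "AQEB" * 10 + "AQE=", "public_key": "AgIC" * 10 + "AgI="}
CLUSTER2 = {"address": "172.16.1.2/24", "listen_port": 51820, "endpoint": "198.51.100.20",
            "lan": "10.10.100.0/24", "private_key": "AwMD" * 10 + "AwM=", "public_key": "BAQE" * 10 + "BAQ="}
```

`render_side(CLUSTER1, CLUSTER2)` gives cluster 1's file and `render_side(CLUSTER2, CLUSTER1)` gives cluster 2's; each side's AllowedIPs covers only the other side's tunnel address and LAN, which is what limits cryptokey routing to that peer.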
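For the IPsec MSS Clamp option above, which says the value must be calculated for your network: the following added example (not part of this page or the platform) computes the largest MSS whose ESP-encapsulated segment still fits the outer path MTU, using the page's recommended AES 256 GCM and, going beyond the page, a CBC/HMAC cipher and transport mode for comparison. It assumes IPv4 for both outer and inner headers, header sizes from RFC 4303 and RFC 4106, and an outer MTU you supply.

```python
# Header sizes (bytes) from RFC 4303 (ESP) and RFC 4106 (AES-GCM in ESP); IPv4 assumed
# for both the outer and the inner header.
IPV4_HDR, UDP_HDR, TCP_HDR = 20, 8, 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Per-cipher IV and ICV lengths, and the alignment the padded plaintext must meet.
ESP_ALGOS = {
    "aes-256-gcm": {"iv": 8, "icv": 16, "align": 4},              # the page's recommended cipher
    "aes-256-cbc-hmac-sha256": {"iv": 16, "icv": 16, "align": 16},
}

def esp_wire_size(mss: int, algo: str, nat_t: bool = True, tunnel: bool = True) -> int:
    """Bytes on the wire for one full-size TCP segment carried through the SA."""
    a = ESP_ALGOS[algo]
    # Encrypted region: inner IP header (tunnel mode only) + TCP header + data + ESP
    # trailer, padded up to the cipher's alignment.
    plain = (IPV4_HDR if tunnel else 0) + TCP_HDR + mss + ESP_TRAILER
    padded = -(-plain // a["align"]) * a["align"]
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)   # UDP/4500 header only with NAT-T
    return outer + ESP_HDR + a["iv"] + padded + a["icv"]

def clamped_mss(outer_mtu: int = 1500, algo: str = "aes-256-gcm",
                nat_t: bool = True, tunnel: bool = True) -> int:
    """Largest MSS whose encapsulated segment still fits in the outer path MTU."""
    mss = outer_mtu - (IPV4_HDR + TCP_HDR)   # upper bound: the MSS of an unencrypted path
    while esp_wire_size(mss, algo, nat_t, tunnel) > outer_mtu:
        mss -= 1
    return mss

def mss_table(outer_mtu: int = 1500) -> dict:
    """Clamp value per cipher, with and without UDP encapsulation (tunnel mode)."""
    return {(algo, nat_t): clamped_mss(outer_mtu, algo, nat_t)
            for algo in ESP_ALGOS for nat_t in (True, False)}
```

MSS excludes TCP options, so segments carrying timestamps are shorter and still fit; an IPv6 outer header adds 20 bytes and is not modelled, and the outer MTU must be the real path MTU to the peer, not the local interface MTU.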