vCloud IPSec

0.

IPSec VPN

IPSec is one of the best ways to reach your vCloud network from your internal network.
If you want to reach a server from the office but do not want to open that server to the whole world, use a VPN: all traffic between your vCloud network or server and your office or home then travels inside an encrypted tunnel that nobody in between can read. IPSec is usually used together with NAT.


ipsecScheeme.PNG


1.

Open the vCloud admin console and go to the Network Edge Gateway settings (CONFIGURE SERVICES).


Edge.PNG


  • Go to the VPN tab and choose IPsec VPN Sites


2.

Create new IPSec tunnel


  • Enable IPSec
  • Enable PFS
  • Name → name of the IPSec tunnel
  • Local ID → Edge Gateway external IP
  • Local Endpoint → Edge Gateway external IP
  • Local Subnets → internal NAT network for IPSec (the vCloud side)
  • Peer Id → external IP of the remote tunnel gateway
  • Peer Endpoint → external IP of the remote tunnel gateway
  • Peer Subnets → external NAT network for IPSec (the remote side)
  • Encryption Algorithm → crypto algorithm (must be the same on both ends of the tunnel)
  • Authentication → PSK
  • Pre-Shared Key → password for the tunnel; if the field is disabled, tick the Change Shared Key checkbox first
  • Diffie-Hellman Group → DH group (must be the same on both ends of the tunnel)


VPN1.PNG VPN2.PNG


3.

Save and apply all changes.

If everything is correct, the Edge Gateway creates the required firewall rules and starts your IPSec tunnel.


4.

Example of a Mikrotik IPSec tunnel configuration

If you use the Edge Gateway together with an office Mikrotik, open the Mikrotik terminal and paste the configuration below, replacing the addresses, subnets and the #YourPassword# placeholder with your own values. The encryption algorithm, hash algorithm, DH group and PFS setting must be the same as on the Edge side, and the accept rules added to the firewall filter and srcnat chains must sit above any drop or masquerade rule, so that the tunnel traffic is neither blocked nor NATed. The last command prints the resulting IPSec configuration so you can check it.

  • /ip ipsec proposal add name=VPN_Cloud auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none
  • /ip ipsec policy add dst-address=192.168.2.0/24 proposal=VPN_Cloud sa-dst-address=8.79.116.14 sa-src-address=2.65.41.2 src-address=192.168.3.0/24 tunnel=yes protocol=255 action=encrypt level=require ipsec-protocols=esp
  • /ip ipsec peer add address=8.79.116.14/32 port=500 enc-algorithm=3des lifetime=8h nat-traversal=yes secret=#YourPassword# passive=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 dh-group=modp1024 generate-policy=no dpd-interval=120 dpd-maximum-failures=5
  • /ip firewall filter add chain=forward action=accept dst-address=192.168.3.0/24 src-address=192.168.2.0/24
  • /ip firewall filter add chain=forward action=accept dst-address=192.168.2.0/24 src-address=192.168.3.0/24
  • /ip firewall nat add chain=srcnat action=accept dst-address=192.168.3.0/24 src-address=192.168.2.0/24
  • /ip firewall nat add chain=srcnat action=accept dst-address=192.168.2.0/24 src-address=192.168.3.0/24
  • /ip ipsec export
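The usual reason a site-to-site tunnel stays down is that the two ends disagree on one parameter. As an added check (example code, not from the page, VMware or MikroTik), this Python script holds the Edge-side values from the steps above, parses the Mikrotik IPSec commands and reports mirrored-subnet, endpoint, algorithm, PSK and PFS mismatches; the Edge label spellings and the DH-group/cipher name maps are assumptions. Run against the commands as given, it flags the pfs-group=none proposal against PFS being enabled on the Edge.

```python
# Edge "Diffie-Hellman Group" number -> RouterOS dh-group / pfs-group name (assumed map).
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048"}
# Edge "Encryption Algorithm" label (assumed spelling) -> RouterOS algorithm name.
ENC_ALGS = {"3DES": "3des", "AES": "aes-128-cbc", "AES256": "aes-256-cbc"}
# Values as entered on the Edge side of the tunnel in the steps above (constructed).
EDGE_SITE = {
    "local_endpoint": "8.79.116.14", "local_subnet": "192.168.2.0/24",
    "peer_endpoint": "2.65.41.2", "peer_subnet": "192.168.3.0/24",
    "encryption": "3DES", "dh_group": 2, "pfs": True, "psk": "#YourPassword#",
}
# The three IPsec commands from the Mikrotik example, as they would be pasted.
MIKROTIK_LINES = [
    "/ip ipsec proposal add name=VPN_Cloud auth-algorithms=sha1 enc-algorithms=3des"
    " lifetime=1h pfs-group=none",
    "/ip ipsec policy add dst-address=192.168.2.0/24 proposal=VPN_Cloud sa-dst-address=8.79.116.14"
    " sa-src-address=2.65.41.2 src-address=192.168.3.0/24 tunnel=yes protocol=255"
    " action=encrypt level=require ipsec-protocols=esp",
    "/ip ipsec peer add address=8.79.116.14/32 port=500 enc-algorithm=3des lifetime=8h"
    " nat-traversal=yes secret=#YourPassword# passive=no exchange-mode=main send-initial-contact=yes"
    " proposal-check=obey hash-algorithm=sha1 dh-group=modp1024 generate-policy=no"
    " dpd-interval=120 dpd-maximum-failures=5",
]

def parse_ros(line):
    """Split '/ip ipsec X add k=v ...' into (command path, {k: v}); values are unquoted."""
    words = line.split()
    path = " ".join(w for w in words if "=" not in w)
    return path, dict(w.split("=", 1) for w in words if "=" in w)

def check_tunnel(edge, ros_lines):
    """Return the mismatches between the two ends of the tunnel; [] means they agree."""
    cfg = dict(parse_ros(line) for line in ros_lines)
    prop, pol, peer = (cfg[f"/ip ipsec {k} add"] for k in ("proposal", "policy", "peer"))
    enc, dh = ENC_ALGS[edge["encryption"]], DH_GROUPS[edge["dh_group"]]
    problems = []
    # Phase 1: the Mikrotik peer is the Edge external IP; DH group, cipher and PSK must match.
    if peer["address"].split("/")[0] != edge["local_endpoint"]:
        problems.append("peer address is not the Edge external IP")
    if peer["dh-group"] != dh or peer["enc-algorithm"] != enc:
        problems.append("phase 1 DH group or encryption differs from the Edge site")
    if peer["secret"] != edge["psk"]:
        problems.append("pre-shared key differs")
    # Phase 2: the policy subnets and SA endpoints are the mirror image of the Edge settings.
    if (pol["src-address"], pol["dst-address"]) != (edge["peer_subnet"], edge["local_subnet"]):
        problems.append("policy subnets are not the mirror of the Edge local/peer subnets")
    if (pol["sa-src-address"], pol["sa-dst-address"]) != (edge["peer_endpoint"], edge["local_endpoint"]):
        problems.append("policy SA addresses are not the mirror of the Edge endpoints")
    # PFS: enabled on the Edge means the proposal must carry the same DH group, not 'none'.
    want_pfs = dh if edge["pfs"] else "none"
    if prop["pfs-group"] != want_pfs or prop["enc-algorithms"] != enc:
        problems.append(f"phase 2 proposal mismatch: Edge expects pfs-group={want_pfs}")
    return problems
```

Calling check_tunnel(EDGE_SITE, MIKROTIK_LINES) returns a one-item list naming the PFS mismatch; with pfs-group=modp1024 in the proposal it returns an empty list.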
