Site to Site IPSec VPN
CyberEdge Site to Site IPSec VPN brings cloud and remote resources onto the corporate network. The following outlines the initial setup and configuration requirements and the recommended setup flow.
Note
Configuration of remote equipment is outside the scope of this guide.
Tunnel Creation
The following steps describe how to create a Site to Site VPN Tunnel:
Navigate to the Networks > Connections page, click “+ Add” and choose “IPSec Tunnel”. Add the following:
Name: Add a meaningful name for the IPSec Tunnel
External Identifier: Set this to the IP address or fully qualified domain name to listen on or connect out from (this will usually be the primary IP of your internet connection) e.g. 123.45.6.7 or 12345.slsecure.zone
Remote Identifier: Set this to the IP address or fully qualified domain name to connect to. Consult the documentation of the other end of the tunnel for this value
Validate Remote ID: This checks that the Local ID sent by the remote end matches the Remote Identifier configured above. In general these should be set the same unless NAT is in use.
Preshared Key: Enter the Preshared Key (Shared Secret) configured on the remote end of the tunnel
IKE Protocol: Select IKE version to negotiate (recommended IKEv2)
Dead Peer Detection: Enable Dead Peer Detection to bring this tunnel down if something happens to the remote end
Zone: Choose the network zone that the Remote Networks will be placed in. This will affect how VPN client traffic is routed to other networks managed by the CyberEdge, and how firewall policies are applied
Remote Networks: Enter IPv4 or IPv6 networks in CIDR format to connect to via the tunnel. e.g. 10.123.0.0/16
Set the IKE Phase 1 & 2 settings to match the remote end of the tunnel
Click “Save” and apply changes
Verification
Once an IPSec Tunnel has been created, it remains dormant until the remote end attempts to connect or until packets from the CyberEdge attempt to transit to one of the Remote Networks.
Logs
Logs for Site to Site IPSec tunnels are available under Status > Log Viewer under the “IPSec” source.
Connection Status Page
Information about the parameters for any active Site to Site IPSec tunnels is available under Status > Site-to-Site Tunnels.
Internet over IPSec
The following steps describe how to create a Site to Site VPN tunnel to use a remote gateway as an internet connection:
Navigate to the Networks > Connections page and create a new IPSec tunnel following the steps from Tunnel Creation
Update the following settings:
Remote Networks: Ensure that the gateway at the remote end of the tunnel is included in the Remote Networks
Zone: Place this connection in the Internet Zone or a similar custom zone
IPv4 Gateway: Enter the IP Address of the remote gateway
Local IPv4 Address: Create a new IP address (not in any other local subnet) to use as the source of this connection
Click “Save”
Ensure that the remote end of the IPSec tunnel has been updated to route traffic to the configured Local IPv4 Address via the tunnel, and also to any local networks if SNAT is to be disabled
Navigate to Routing > SNAT and ensure that the desired SNAT conditions are configured
Add a static route on all other active internet connections to the IP address(es) of the remote end of the VPN tunnel. If this step is skipped, Balance & Failover may route the tunnel's own IPSec traffic through the tunnel itself, so it can never establish
Apply changes
Attempt to ping the remote gateway, and confirm that the IPSec tunnel establishes
Navigate to the Routing > Balance & Failover page and re-order connections as desired
Navigate to the Networks > System DNS page and add a remote DNS server if desired
Click “Save” and apply changes
Note
Ensure that the other side is exposing 0.0.0.0/0 or is otherwise configured to allow forwarding traffic to the internet.
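The static-route step above guards against a recursive routing problem: once the tunnel is the preferred default route, packets to the remote IPSec endpoint itself would be sent into the tunnel. The following added example (not CyberEdge code; connection names, the peer address 203.0.113.10 and the route tables are constructed) performs a longest-prefix lookup over a route table and reports any peer whose traffic would be routed via the tunnel, before and after the /32 static route is added.

```python
import ipaddress
from typing import NamedTuple, Optional, Sequence


class Route(NamedTuple):
    prefix: str   # destination in CIDR form
    via: str      # outgoing connection name (hypothetical names used below)


def select_route(routes: Sequence[Route], dst: str) -> Optional[Route]:
    """Pick the route a router would use for dst: longest matching prefix
    within the same address family. Returns None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if net.version != dst_ip.version or dst_ip not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def peers_routed_via_tunnel(routes: Sequence[Route], peer_ips: Sequence[str],
                            tunnel: str) -> list:
    """Return the remote IPSec endpoints whose IKE/ESP packets would be sent
    into the tunnel itself (the recursive-routing failure the guide warns
    about). An empty list means every peer is reached over a real WAN link."""
    return [ip for ip in peer_ips
            if (r := select_route(routes, ip)) is not None and r.via == tunnel]


# Constructed sample: the tunnel "ipsec-internet" has become the default route
# through Balance & Failover; the remote endpoint is 203.0.113.10 (an RFC 5737
# documentation address, not a real peer).
TUNNEL = "ipsec-internet"
PEER = "203.0.113.10"
ROUTES_BEFORE = [
    Route("0.0.0.0/0", TUNNEL),          # default route now points into the tunnel
    Route("192.168.10.0/24", "lan"),
]
# After adding the static /32 route to the peer on the physical internet link:
ROUTES_AFTER = ROUTES_BEFORE + [Route(f"{PEER}/32", "wan1")]

if __name__ == "__main__":
    print("before:", peers_routed_via_tunnel(ROUTES_BEFORE, [PEER], TUNNEL))  # ['203.0.113.10']
    print("after: ", peers_routed_via_tunnel(ROUTES_AFTER, [PEER], TUNNEL))   # []
```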