How to Configure Site-to-Site IPsec VPN Tunnel - V2 Cloud


How to Configure Site-to-Site IPsec VPN Tunnel

  • September 21, 2023


IPsec (Internet Protocol Security) is a suite of protocols that authenticates and encrypts IP packets between two peers (routers, firewalls, servers, etc.) over the Internet or any other untrusted network. In a site-to-site deployment the two gateways build the tunnel between themselves, so the hosts behind them need no client software: every packet exchanged between the two LANs is authenticated and encrypted in tunnel mode, and the two networks behave as if they were joined by a single router. (Transport mode, which protects only the payload between two hosts, is not used for site-to-site tunnels.)

Careful configuration is critical: a mismatch in the pre-shared key, the encryption proposals, the traffic selectors or the firewall rules on either side will leave the tunnel down. This tutorial walks through configuring a site-to-site IPsec VPN tunnel step by step so that two endpoints can communicate securely.

Before You Start Configuring a Site-to-Site IPsec VPN Tunnel

A site-to-site IPsec tunnel only comes up when both peers agree on matching settings: the same authentication method and pre-shared key, the same Phase 1 and Phase 2 proposals (encryption, hash, DH group) and mirror-image traffic selectors (each side's local subnet is the other side's remote subnet).

We will use the example below to illustrate the process so that you can adapt it to your own scenario.

Setting       Site A              Site B
Name          Lagos Office        New York Office
WAN IP        196.52.100.3        201.0.115.2
LAN Subnet    10.3.0.0/24         10.5.0.0/24
LAN IP        10.3.0.1            10.5.0.1

To build a site-to-site tunnel between Site A and Site B, the two gateways must authenticate each other and encrypt the data they exchange.

Each phase of the tunnel's negotiation has its own parameters (hash algorithm, DH group, encryption algorithm, lifetimes, etc.), and different routers expose them under different names and menus.

Configuring Site-to-Site IPsec VPN Tunnel

The tunnel runs between Site A and Site B. To make the process easy to follow, we configure each site in turn. Because the exact screens depend on the router you use, we describe the process in general terms and name the settings that matter.

Site A

Name: Lagos Office
WAN IP: 196.52.100.3
LAN Subnet: 10.3.0.0/24
LAN IP: 10.3.0.1

Configuring Site A falls into three parts: Phase 1, Phase 2 and Firewall.

Phase 1 (IKE) authenticates the two peers, negotiates keying material and establishes the IKE SA, the protected channel used for all further negotiation.

Phase 2 uses that channel to negotiate the ESP SAs (child SAs) that actually encrypt the data packets exchanged between the two LANs.

Phase 1 Configuration

Where the Phase 1 profile lives depends on the router, but the general procedure is:

  • Navigate to the IPsec section on the router.
  • Create a Phase 1 profile.
  • Fill in the settings explained below.
  • Click on Save.

Note: We will explain each setting you need. The first group of settings identifies and authenticates the other endpoint (Site B).


  • Authentication method: Pre-shared key.
  • My Identifier: Use the default (the local WAN address). If the gateway sits behind NAT, switch to a fixed identifier (for example a distinguished name), because the peer will see a different source address than the one you configured.
  • Peer Identifier: Use the default (the peer's WAN address), or the fixed identifier Site B configures.
  • Secret/Pre-shared key: Generate a long random key (32 characters or more) and give it to the Site B administrator over a secure channel, separately from the rest of the tunnel parameters. The same key must be entered on both sides.

The next group of settings controls the Phase 1 proposal, i.e. how the IKE channel itself is protected.

  • Encryption Algorithm: Choose AES-256.
  • Hash Algorithm: Use the strongest hash both endpoints support (SHA-256 or better); avoid MD5 and SHA-1.
  • DH Group: modp2048 (group 14) is the default and the minimum you should accept. Higher groups give more margin at the cost of CPU time during negotiation.
  • Child SA Close Action: Set to Restart/Reconnect, so that Site A re-establishes the tunnel if it drops.
  • Leave the other settings at their defaults.

Phase 2 Configuration

Phase 2 follows the same general procedure:

  • Navigate to the IPsec section of the router.
  • Create a Phase 2 entry under the Phase 1 profile you just saved.
  • Fill in the settings explained below.
  • Click on Save.

Note: We will explain each setting you need.


  • Description: Describe the pair of networks this Phase 2 entry carries.
  • Mode: Select Tunnel IPv4.
  • Local Network: The Site A LAN subnet (10.3.0.0/24).
  • NAT/BINAT: Set to None.
  • Remote Network: The Site B LAN subnet (10.5.0.0/24).

The next group of settings controls the ESP proposal, i.e. how the data itself is encrypted.


  • Protocol: Set ESP.
  • Encryption Algorithm: Set AES-GCM if both endpoints support it.
  • Hash Algorithm: If you chose AES-GCM, select no hash. AES-GCM is an AEAD cipher that authenticates the packet itself, so a separate integrity algorithm is redundant and some implementations reject the combination. If you chose AES-CBC instead, select SHA-256.
  • Leave the other settings at their defaults.
  • Click on Save and Apply.

Firewall

By default, traffic arriving from the remote site over the VPN is blocked. The firewall administrator must add rules on the IPsec interface (the IPsec tab) so that Site B's traffic is allowed out of the tunnel into the Site A LAN.

Scope the rule as tightly as the use case allows: you can pass any protocol from Site B's LAN subnet to Site A's LAN subnet, or restrict it to a single destination port. Match on the remote LAN subnet (10.5.0.0/24) as the source rather than "any", so that only traffic that genuinely came through the tunnel from Site B is accepted.

Site B

Name: New York Office
WAN IP: 201.0.115.2
LAN Subnet: 10.5.0.0/24
LAN IP: 10.5.0.1

Configuring Site B mirrors Site A. Repeat the steps above with the following adjustments:

Phase 1 Configuration (Site B adjustments)

How the Phase 1 profile is created depends on the router, so again we describe the general procedure and call out every setting you need to change.

  • Navigate to the IPsec section of the router.
  • Create a profile.
  • Fill in the settings explained below.
  • Click on Save.

  • Name: Describes the tunnel and its purpose. Naming the entry after the remote site is the usual convention: on Site B this is IPsec-site-a, matching the IPsec-site-b entry on Site A.
  • Enabled/Tunneling: Make sure the entry is enabled (the box is checked); otherwise the profile is saved but never used.
  • Lifetime: At least 10% higher than Site A's, so that Site A (the initiator) always rekeys first and the two sides never race each other to rekey.
  • Internet Protocol: IPv4 or IPv6. IPv4 is the usual choice; pick IPv6 only if both sites reach each other over IPv6.
  • Remote Gateway: The WAN address of Site A (196.52.100.3).
  • Pre-shared key: Exactly the key created at Site A.
  • Proposal: The same encryption algorithm, hash and DH group chosen at Site A; a mismatch here is the most common reason Phase 1 fails.
  • Child SA Start Action: Set to None (Responder); Site B waits for Site A to initiate.
  • Child SA Close Action: Set to Close Connection and Clear SA.
  • Leave the other settings at their defaults.
  • Click on Save.

Phase 2 Configuration (Site B adjustments)

Phase 2 on Site B is configured the same way as on Site A:

  • Navigate to the IPsec section of the router.
  • Create a Phase 2 entry under the Site B Phase 1 profile.
  • Fill in the settings explained below.
  • Click on Save.

  • Description: Describe the pair of networks this Phase 2 entry carries.
  • Local Network: The Site B LAN subnet (10.5.0.0/24).
  • Remote Network: The Site A LAN subnet (10.3.0.0/24).
  • Protocol and Encryption Algorithm: The same as Site A (ESP with AES-GCM and no separate hash).
  • Lifetime: 10% higher than Site A's.
  • Click on Save and Apply.
  • Check the status.

Check Status

After configuring both sites, check the tunnel by visiting Status > IPsec. The description of the tunnel is shown alongside its status.

If the tunnel is not listed as Established, there are two possibilities. The first, and the most likely right after setup, is simply that no traffic has tried to cross the tunnel yet: Site B is a responder and does nothing on its own, and Site A only negotiates when it has a packet to send (or when you tell it to connect). Send a ping from a host on the Site A LAN to the Site B LAN IP (for example from 10.3.0.1 to 10.5.0.1) and refresh the status. If it still does not come up, the cause is a mismatch, and the IPsec log will name the failing step: a Phase 1 failure usually means the pre-shared key, an identifier or the Phase 1 proposal differs between the sites; a Phase 2 failure usually means the traffic selectors (local/remote networks) or the ESP proposal differ; a tunnel that is Established but passes no traffic usually means a firewall rule on the IPsec interface is missing.
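The two-site procedure above (Phase 1 and Phase 2 settings, the 10% lifetime rule, the start and close actions) and the firewall rule from the Site A section, as a worked example added for this tutorial and not part of V2 Cloud's page: a small Python script that renders both peers' configurations from one site table so they cannot drift apart, lints the pair for the mismatches that keep a tunnel down (differing proposals or pre-shared keys, traffic selectors that are not mirror images, overlapping LANs, a short key, weak algorithms, a responder lifetime that is not 10% above the initiator's) and emits least-privilege pf rules for the IPsec interface. strongSwan's swanctl.conf format (IKEv2) is used as a concrete stand-in for the router GUI fields; the PSK placeholder, the lifetime values and the enc0 interface name are assumptions.

```python
# Added example for this tutorial (not V2 Cloud's code): render both peers' IPsec
# configs from one site table and lint them. strongSwan's swanctl.conf (IKEv2)
# stands in for the GUI fields; the PSK placeholder, lifetimes and enc0 are assumptions.
from ipaddress import ip_network

# Addresses from the tutorial's site table.
SITE_A = {"name": "lagos", "wan": "196.52.100.3", "lan": "10.3.0.0/24"}
SITE_B = {"name": "newyork", "wan": "201.0.115.2", "lan": "10.5.0.0/24"}

# Proposals both peers must agree on, in strongSwan notation.
IKE_PROPOSAL = "aes256-sha256-modp2048"  # Phase 1: AES-256, SHA-256, DH group 14
ESP_PROPOSAL = "aes256gcm16-modp2048"    # Phase 2: AES-GCM is AEAD, so no separate hash
IKE_LIFETIME, ESP_LIFETIME = 28800, 3600  # seconds on the initiator (assumed values)
PSK = "REPLACE-WITH-A-LONG-RANDOM-SECRET-SHARED-OUT-OF-BAND"  # placeholder only
WEAK_TOKENS = {"md5", "sha1", "des", "3des", "null", "modp768", "modp1024"}


def render_swanctl(local, remote, initiator, lifetime_scale=1.0):
    """Return swanctl.conf text for `local` talking to `remote`.

    Render the responder with lifetime_scale=1.1 (the tutorial's 10% rule) so the
    initiator always rekeys first and the two sides never race each other.
    """
    start = "trap" if initiator else "none"   # trap: bring up on first packet; none: wait for peer
    close = "start" if initiator else "none"  # restart/reconnect vs. just clear the SA
    return f"""connections {{
    to-{remote['name']} {{
        version = 2
        local_addrs = {local['wan']}
        remote_addrs = {remote['wan']}
        proposals = {IKE_PROPOSAL}
        rekey_time = {round(IKE_LIFETIME * lifetime_scale)}s
        local {{
            auth = psk
            id = {local['wan']}
        }}
        remote {{
            auth = psk
            id = {remote['wan']}
        }}
        children {{
            lan {{
                local_ts = {local['lan']}
                remote_ts = {remote['lan']}
                esp_proposals = {ESP_PROPOSAL}
                rekey_time = {round(ESP_LIFETIME * lifetime_scale)}s
                start_action = {start}
                close_action = {close}
            }}
        }}
    }}
}}
secrets {{
    ike-{remote['name']} {{
        id = {remote['wan']}
        secret = "{PSK}"
    }}
}}
"""


def setting(conf, key):
    """Return the first `key = value` in a swanctl.conf text (None if absent)."""
    for line in conf.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip()
    return None


def lint(conf_a, conf_b):
    """Cross-check initiator conf_a against responder conf_b for the mismatches the tutorial warns about."""
    problems = []
    for key in ("version", "proposals", "esp_proposals", "secret"):
        if setting(conf_a, key) != setting(conf_b, key):
            problems.append(f"{key} differs between peers")
    tokens = setting(conf_a, "proposals").split("-") + setting(conf_a, "esp_proposals").split("-")
    problems += [f"weak algorithm in proposal: {t}" for t in tokens if t in WEAK_TOKENS]
    if (setting(conf_a, "local_ts"), setting(conf_a, "remote_ts")) != (setting(conf_b, "remote_ts"), setting(conf_b, "local_ts")):
        problems.append("traffic selectors are not mirror images")
    if ip_network(setting(conf_a, "local_ts")).overlaps(ip_network(setting(conf_a, "remote_ts"))):
        problems.append("LAN subnets overlap; Phase 2 selectors would be ambiguous")
    if len(setting(conf_a, "secret").strip('"')) < 32:
        problems.append("pre-shared key shorter than 32 characters")
    life_a, life_b = (int(setting(c, "rekey_time").rstrip("s")) for c in (conf_a, conf_b))
    if life_b * 10 < life_a * 11:  # integer compare: no float noise
        problems.append("responder IKE lifetime is not at least 10% above the initiator's")
    return problems


def pf_rules(local, remote, tcp_ports=None):
    """pf rules for the IPsec interface: admit only the peer's LAN, optionally only to `tcp_ports`."""
    src, dst = remote["lan"], local["lan"]
    rules = ([f"pass in quick on enc0 inet proto tcp from {src} to {dst} port {p} keep state" for p in tcp_ports]
             if tcp_ports else [f"pass in quick on enc0 inet from {src} to {dst} keep state"])
    return "\n".join(rules + ["block in log on enc0 all"])  # anything else over the tunnel is dropped and logged


if __name__ == "__main__":
    a = render_swanctl(SITE_A, SITE_B, initiator=True)
    b = render_swanctl(SITE_B, SITE_A, initiator=False, lifetime_scale=1.1)
    print(a, b, pf_rules(SITE_A, SITE_B, tcp_ports=[443]), "lint:", lint(a, b) or "ok", sep="\n")
```

Run it as-is to print Site A's and Site B's configuration, the firewall rules and the lint result; to adapt it, change only SITE_A, SITE_B and the proposal constants. Because Site B's config is rendered from the same constants as Site A's, the proposals match by construction; the lint is for the day the two sides are edited independently, which is exactly when the "matching settings" rule gets broken.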

How V2 Cloud Can Help You

An IPsec site-to-site connection is a secure choice for any business, but the setup is technical, especially for people who only need to connect and do not want to deal with the details.

An incorrect setup can leave the connection down or expose information to attackers. One way to avoid the technicalities of an IPsec site-to-site VPN is to use a virtual desktop service.

At V2 Cloud, we deliver secure cloud computing infrastructure to our customers, with data handled over a hardened network.

You can rely on our cloud computing infrastructure for easy deployment of desktops, servers and applications without complicated setup, and for straightforward access to your data and files.

Get started with a risk-free 7-day trial and experience simplicity and performance.
