VPN connections#
Using the cloud VPN service (VPN as a Service, VPNaaS), you can easily connect your K2 Cloud infrastructure with a remote infrastructure.
By default, a high-availability VPN connection is created. To ensure high availability, two tunnels are created and terminated in different availability zones. In normal operation, both tunnels are active, and traffic from VMs is forwarded to the closest tunnel. If a tunnel fails, all traffic is automatically redirected through the second tunnel to make cloud resources available.
Note
A high-availability VPN connection is billed at an hourly rate in addition to outbound traffic charges. You can view the tariff information in the Network tab of the Tariffs section.
There are two types of IPsec VPN connections in K2 Cloud:
ipsec.1: tunnel mode;
ipsec.legacy: transport mode.
Important
For simplicity, a VPN gateway is not displayed in the web interface. So, when you create VPN connections, selecting a VPC is equivalent to choosing a VPN gateway. Information about the available VPN gateways can be obtained explicitly using the API.
To connect your device with the cloud infrastructure, you should:
create a customer gateway, providing information about your device;
create a VPN connection with that gateway;
configure your device using the settings available on the page of the created VPN connection.
There can be only one VPN connection between a customer gateway and a VPC (a VPN gateway). But you can create several VPN connections between a VPC and different customer gateways or between a customer gateway and different VPCs.
Creating a customer gateway#
To create a customer gateway, go to Interconnect → VPN → Customer gateways and click Create.
When registering a customer gateway, you should specify:
Name tag — the gateway name (optional).
Type — ipsec.1 (IPsec connection in tunnel mode) or ipsec.legacy (IPsec connection in transport mode).
IP address — the address of the customer gateway in the remote infrastructure.
BGP ASN — The autonomous system number of a remote network. If there is no autonomous system, then use a number from private ranges (64512—65535 and 4200000000—4294967294). If you leave this field empty, then 65000 will be set by default.
If required, you can also specify additional tags.
VPN connections can only be created if a customer gateway is specified.
Creating a VPN connection#
You can create a VPN connection in Interconnect → VPN → VPN connections. To do that, click Create and select the VPC with which you need to establish a connection, then select an existing customer gateway or create a new one right in this form. If the default tunnel options are not suitable for you, you can change them.
A high-availability connection with two tunnels is created by default. If you do not need a high-availability VPN, uncheck the corresponding option. For an ipsec.1 type connection, you can also specify the subnets on the cloud side (Remote IP Network CIDR) and on the client side (Local IP Network CIDR) that are permitted to use the encrypted tunnel.
You can also create a VPN connection in Interconnect → VPN → Customer gateways. To do this, create a customer gateway or select one from the list and click Create VPN connection. In the dialog window, select the VPC with which you want to establish a connection, set the connection and tunnel parameters, and click Create.
If BGP is used to exchange route information, only eBGP is allowed. Thus, the BGP ASN of the customer gateway and the BGP ASN of the VPC (VPN gateway) must not be the same. If necessary, you can change the BGP ASN of the VPC. To change it, contact the K2 Cloud support. Please include the VPC ID and the desired autonomous system number in your request. It is recommended to use a number from the private BGP ranges: 64512—65535 and 4200000000—4294967294.
When you create a VPN connection, by default the cloud downloads a configuration file; this file is specific to your customer gateway and contains the data needed to set up the device.
Changing tunnel parameters#
In К2 Cloud, you can choose which tunnel options to use when creating a VPN connection. For a high-availability VPN, you can specify tunnel options separately for each tunnel.
Here are the tunnel parameters that you can configure.
General parameters:
Internal IP CIDR for tunnel — a /30 block from the subnet 169.254.252.0/22 to be used inside the IPsec tunnel of the VPN connection;
Pre-shared Key for tunnel — the key (PSK) used for primary authentication between the VPN and customer gateways;
ikeVersion — the key exchange protocol version, ikev1 or ikev2;
Replay Window Size — the number of packets in the IKE replay window.
Phase1 parameters:
Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the first IKE phase;
Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the first IKE phase;
DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the first IKE phase;
Lifetime Seconds — the lifetime for the first IKE phase, in seconds.
Phase2 parameters:
Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the second IKE phase;
Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the second IKE phase;
Turn on PFS — with Perfect Forward Secrecy (PFS) enabled, each phase 2 session key is derived from a fresh Diffie-Hellman exchange, so the compromise of one key does not compromise the others;
Attention
PFS is enabled by default. In order to prevent the session encryption key from being compromised, do not disable PFS.
DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the second IKE phase;
Note
If PFS is disabled, Diffie-Hellman groups cannot be selected.
Lifetime Seconds — the lifetime for the second IKE phase, in seconds.
To learn more about the supported tunnel options, limitations and algorithm compatibility for different IKE versions, see the documentation.
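The constraints listed above (a /30 inside CIDR from 169.254.252.0/22, ikev1 or ikev2, DH groups in phase 2 only when PFS is on) and the eBGP rule from the previous section (customer gateway ASN must differ from the VPC ASN, private ranges recommended) are easy to get wrong before the connection is created. The following Python script is an added example, not code from the K2 Cloud documentation or its API: it checks a proposed set of tunnel options and an ASN pair against exactly those rules. The dataclass field names, the sample algorithm names and all values are constructed for illustration; the requirement that PFS needs at least one phase 2 DH group is an assumption based on how PFS works in IPsec, not a statement from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules as stated on this page; values are not taken from a real K2 Cloud config.
TUNNEL_INSIDE_POOL = ipaddress.ip_network("169.254.252.0/22")
IKE_VERSIONS = ("ikev1", "ikev2")
PRIVATE_ASN_RANGES = ((64512, 65535), (4200000000, 4294967294))
DEFAULT_CUSTOMER_ASN = 65000  # applied when the BGP ASN field is left empty


@dataclass
class PhaseOptions:
    encryption: List[str]
    integrity: List[str]
    dh_groups: List[int]
    lifetime_seconds: int


@dataclass
class TunnelOptions:
    inside_cidr: str
    pre_shared_key: str
    ike_version: str
    replay_window_size: int
    phase1: PhaseOptions
    phase2: PhaseOptions
    pfs: bool = True


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_bgp_asns(customer_asn: Optional[int], vpc_asn: int) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the customer gateway / VPC ASN pair."""
    errors, warnings = [], []
    asn = DEFAULT_CUSTOMER_ASN if customer_asn is None else customer_asn
    if not 1 <= asn <= 4294967295:
        errors.append(f"customer ASN {asn} is outside the 32-bit ASN space")
    elif asn == vpc_asn:
        errors.append(f"customer ASN {asn} equals the VPC ASN; only eBGP is allowed")
    if not is_private_asn(asn):
        warnings.append(f"customer ASN {asn} is not from a private range; use one unless you own this ASN")
    return errors, warnings


def check_tunnel_options(t: TunnelOptions) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one tunnel's options."""
    errors, warnings = [], []
    try:
        # strict=True rejects a CIDR with host bits set, e.g. 169.254.252.1/30
        net = ipaddress.ip_network(t.inside_cidr, strict=True)
    except ValueError as exc:
        errors.append(f"inside CIDR {t.inside_cidr!r} is invalid: {exc}")
    else:
        if net.version != 4 or net.prefixlen != 30:
            errors.append(f"inside CIDR {net} must be an IPv4 /30")
        elif not net.subnet_of(TUNNEL_INSIDE_POOL):
            errors.append(f"inside CIDR {net} is not inside {TUNNEL_INSIDE_POOL}")
    if not t.pre_shared_key:
        errors.append("pre-shared key must not be empty")
    if t.ike_version not in IKE_VERSIONS:
        errors.append(f"ikeVersion must be one of {IKE_VERSIONS}, got {t.ike_version!r}")
    if t.replay_window_size <= 0:
        errors.append("replay window size must be positive")
    for name, phase in (("phase1", t.phase1), ("phase2", t.phase2)):
        if not phase.encryption:
            errors.append(f"{name}: select at least one encryption algorithm")
        if not phase.integrity:
            errors.append(f"{name}: select at least one integrity algorithm")
        if phase.lifetime_seconds <= 0:
            errors.append(f"{name}: lifetime must be positive")
    if not t.phase1.dh_groups:
        errors.append("phase1: select at least one DH group")
    if t.pfs and not t.phase2.dh_groups:
        errors.append("phase2: PFS is enabled, so at least one DH group is required (assumption)")
    if not t.pfs:
        warnings.append("PFS is disabled; keep it enabled unless you have a specific reason")
        if t.phase2.dh_groups:
            errors.append("phase2: DH groups cannot be selected when PFS is disabled")
    return errors, warnings


# Constructed sample values, not a configuration issued by K2 Cloud.
GOOD_TUNNEL = TunnelOptions(
    inside_cidr="169.254.252.4/30", pre_shared_key="example-psk-replace-me",
    ike_version="ikev2", replay_window_size=1024,
    phase1=PhaseOptions(["aes256"], ["sha256"], [14], 28800),
    phase2=PhaseOptions(["aes256"], ["sha256"], [14], 3600),
)
BAD_TUNNEL = TunnelOptions(
    inside_cidr="169.254.251.0/30",  # a valid /30, but outside the 169.254.252.0/22 pool
    pre_shared_key="", ike_version="ikev3", replay_window_size=1024,
    phase1=PhaseOptions(["aes256"], ["sha256"], [14], 28800),
    phase2=PhaseOptions(["aes256"], ["sha256"], [14], 3600),
    pfs=False,  # PFS off while a phase 2 DH group is still selected
)

if __name__ == "__main__":
    for label, tunnel in (("good", GOOD_TUNNEL), ("bad", BAD_TUNNEL)):
        print(label, check_tunnel_options(tunnel))
    print("asn", check_bgp_asns(None, 64512))
```

Run it before submitting the form: every entry in the errors list corresponds to a rule on this page that the web interface or API would otherwise reject, while warnings flag choices (a public ASN, PFS off) that are allowed but usually unintended.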
Configuring of the remote device#
You can configure your device located in the remote infrastructure (the customer gateway) using the settings that K2 Cloud provides for each VPN connection.
To get the customer gateway settings, go to Interconnect → VPN → VPN connections, select the VPN connection in the list or open its page, and click Get settings.
The settings can be generated in the following formats:
generic configuration with a text description of all parameters;
configuration for Cisco IOS 12.4 and higher;
Generic Linux Openswan/Libreswan with Quagga/FRR;
RedHat Linux Openswan/Libreswan with Quagga/FRR.
Click Download to save the customer gateway settings in .cfg format on the local PC.
Routing via a VPN connection#
You can set up static routing between subnets in K2 Cloud and private networks in a remote infrastructure (behind a customer gateway) using route tables.
Use BGP for dynamic routing. This saves you the hassle of manually configuring static routes over a VPN connection, improves fault tolerance, and allows for an automatic switchover when using multiple VPN connections.
Important
For high-availability VPN connections, only BGP routing is available; static routing is not supported.
For the routes learned over BGP to be installed in a VPC route table, enable Route propagation. To do this, go to the VPC page, switch to the Information tab and specify the target route table for the Route propagation parameter.
Route propagation feature#
For each VPC, you can choose one route table to which BGP routes received from a customer gateway are propagated. This feature can be enabled in the web interface on the VPC page or via the API method EnableVgwRoutePropagation.
Once Route Propagation is enabled, the standard best route selection rules will apply to the selected route table. The following routes will have higher priority:
routes with longer prefix;
routes with shorter administrative distance;
routes with smaller metrics.
If necessary, Route propagation can be disabled in the web interface in the VPC page or via the API method DisableVgwRoutePropagation. In this case, BGP continues to work for VPN connections and advertise routes. Still, BGP routes will not be propagated to the route table, so instances of the VPC will be unable to access networks behind a client gateway. If this is the case, use static routing.
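The route selection order above (longest prefix, then shorter administrative distance, then smaller metric) and the effect of turning propagation off are shown in the following Python model. It is an added example, not the cloud's actual route table implementation: the administrative distances, metrics, next-hop labels and prefixes are constructed sample values, and the model also covers the failover case from the start of the page, where a tunnel goes down and its BGP routes disappear.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str          # destination CIDR
    next_hop: str        # constructed label for where matching traffic is sent
    admin_distance: int  # trust of the route source, lower is preferred
    metric: int          # cost within a source, lower is preferred
    source: str          # "static" or "bgp"


def route_key(route: Route):
    """Sort key implementing the page's order: longest prefix first,
    then shortest administrative distance, then smallest metric."""
    prefixlen = ipaddress.ip_network(route.prefix).prefixlen
    return (-prefixlen, route.admin_distance, route.metric)


def best_route(table: List[Route], destination: str) -> Optional[Route]:
    dst = ipaddress.ip_address(destination)
    matching = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    return min(matching, key=route_key) if matching else None


def effective_table(static_routes: Iterable[Route], bgp_routes: Iterable[Route],
                    route_propagation: bool) -> List[Route]:
    """With propagation off, BGP keeps running but its routes never reach the table."""
    return list(static_routes) + (list(bgp_routes) if route_propagation else [])


# Constructed sample: one static /16 towards the remote site and BGP-learned /24s,
# advertised over the two tunnels of a high-availability connection. The
# administrative distances and metrics are assumed values, not K2 Cloud figures.
STATIC_ROUTES = [Route("10.10.0.0/16", "vgw-static", 1, 0, "static")]
BGP_ROUTES = [
    Route("10.10.5.0/24", "tunnel-1", 20, 100, "bgp"),
    Route("10.10.5.0/24", "tunnel-2", 20, 200, "bgp"),
    Route("10.10.6.0/24", "tunnel-2", 20, 100, "bgp"),
]


def lookup(destination: str, route_propagation: bool = True,
           failed_tunnels: Iterable[str] = ()) -> Optional[str]:
    """Next hop chosen for a destination; routes of failed tunnels are withdrawn."""
    failed = set(failed_tunnels)
    bgp = [r for r in BGP_ROUTES if r.next_hop not in failed]
    chosen = best_route(effective_table(STATIC_ROUTES, bgp, route_propagation), destination)
    return chosen.next_hop if chosen else None


if __name__ == "__main__":
    print(lookup("10.10.5.7"))                                  # tunnel-1
    print(lookup("10.10.5.7", failed_tunnels=["tunnel-1"]))     # tunnel-2
    print(lookup("10.10.5.7", route_propagation=False))         # vgw-static
```

Note that the more specific BGP /24 wins over the static /16 even though the static route has the better administrative distance, because prefix length is compared first; administrative distance and metric only break ties between routes of equal length.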
Important
Note that the network connectivity between the VPN and the cloud can be lost for up to 1 minute when you enable route propagation or change the route table, to which BGP routes learned from the client gateway must be propagated.
Deleting a VPN connection and customer gateway#
To delete a VPN connection, go to Interconnect → VPN → VPN connections, select the VPN connection in the list and click Delete.
You can also delete a VPN connection in Interconnect → VPN → Customer gateways. To do this, select the customer gateway from the list and click Delete VPN connection. In the dialog window, select the VPC and the connection you want to delete, and click Delete.
Important
You can delete a customer gateway only if it has no active VPN connection. So you should delete the corresponding VPN connection before deleting a customer gateway.
To delete a customer gateway, go to Interconnect → VPN → Customer gateways, select the customer gateway in the list or open its page, and click Delete.