VPN connections#

Using the cloud VPN service (VPN as a Service, VPNaaS) you can easily connect your K2 Cloud infrastructure with the remote infrastructure.

By default, a high-availability VPN connection is created in a region with multiple availability zones. To ensure high availability, two tunnels are created and terminated in different availability zones. In normal operation, both tunnels are active, and traffic from instances is forwarded to the closest tunnel. If a tunnel fails, all traffic is automatically redirected through the second tunnel to make cloud resources available.

Note

Using a VPN connection is charged at an hourly rate in addition to the outbound traffic charges. You can view the tariff information in the Network tab of the Tariffs section.

There are two types of IPsec VPN connections in K2 Cloud:

  • ipsec.1: tunnel mode;

  • ipsec.legacy: transport mode.

A VPN connection is established between the K2 Cloud VPN gateway and a customer gateway; it is also possible to establish a VPN connection with AWS.
Customer gateway — the connection point in the remote infrastructure. It is created by the user and contains information about the remote device with which the connection should be established.
VPN gateway — the connection point in K2 Cloud. One VPN gateway is automatically created for each virtual private cloud (VPC).

Important

For simplicity, a VPN gateway is not displayed in the web interface. So, when you create VPN connections, selecting a VPC is equivalent to choosing a VPN gateway. Information about the available VPN gateways can be obtained explicitly using the API.

To connect your device with the cloud infrastructure, you should:

There can be only one VPN connection between a customer gateway and a VPC (a VPN gateway). But you can create several VPN connections between a VPC and different customer gateways or between a customer gateway and different VPCs.

Creating a customer gateway#

  1. Go to Interconnect → VPN → Customer gateways.

  2. Click Create.

  3. In the window that opens, set the following parameters:

    • Name tag (Optional).

    • Type — ipsec.1 (IPsec connection in tunnel mode) or ipsec.legacy (IPsec connection in transport mode).

    • IP address — The address of the customer gateway in the remote infrastructure.

    • BGP ASN — The autonomous system number of the remote network. If there is no autonomous system, use a number from the private ranges (64512–65535 and 4200000000–4294967294). If you leave this field empty, 65000 is set by default.

  4. If you need to set tags, go to the next step by clicking Add tags. Specify the tag key and value.

  5. After setting all the required parameters, click Create.

Creating a VPN connection#

Note

VPN connections can only be created if a customer gateway is specified.

  1. Go to Interconnect → VPN → VPN connections.

  2. Click Create to open a VPN connection wizard.

  3. Enter the Name tag in the Name tag field (optional).

  4. In the VPC field, select the VPC to connect VPN to.

  5. A high-availability dual-tunnel connection is created by default. If you don’t need it, uncheck the corresponding option.

  6. In the Customer gateway field, select an existing customer gateway, or create a new one and set the following parameters:

    • Type — ipsec.1 (IPsec connection in tunnel mode) or ipsec.legacy (IPsec connection in transport mode).

    • IP address — The address of the customer gateway in the remote infrastructure.

    • BGP ASN — The autonomous system number of the remote network. If there is no autonomous system, use a number from the private ranges (64512–65535 and 4200000000–4294967294). If you leave this field empty, 65000 is set by default.

  7. For an ipsec.1 type connection, you can also specify the subnets that are permitted to use the encrypted tunnel:

    • Local IP Network CIDR — the customer's subnet;

    • Remote IP Network CIDR — a cloud subnet.

  8. If the default tunnel options are not suitable for you, you can modify them.

  9. If you need to set tags, go to the next step by clicking Add tags. Specify the tag key and value.

  10. After setting all the required parameters, click Create.

You can also create a VPN connection in Customer gateways:

  1. Go to Interconnect → VPN → Customer gateways.

  2. Create a customer gateway or select an existing one in the resource table.

  3. Click Create VPN connection to open the VPN connection wizard.

  4. Set the parameters as described in the procedure above, starting from step 3.

  5. Click Create.

If BGP is used to exchange route information, only eBGP is allowed, so the BGP ASN of the customer gateway and the BGP ASN of the VPC (VPN gateway) must not be the same. If necessary, you can change the BGP ASN of the VPC: contact K2 Cloud support and include the VPC ID and the desired autonomous system number in your request. It is recommended to use a number from the private BGP ranges: 64512–65535 and 4200000000–4294967294.

When you create a VPN connection, the cloud downloads a configuration file by default. This file is specific to your customer gateway and contains the data needed to set up the device.

Changing tunnel parameters#

In K2 Cloud, you can choose which tunnel options to use when creating a VPN connection. For a high-availability VPN, you can specify tunnel options separately for each tunnel.

Here are the tunnel parameters that you can configure.

General parameters:

  • Internal IP CIDR for tunnel — a /30 block from the subnet 169.254.252.0/22 to be used inside the IPsec tunnel of the VPN connection;

  • Pre-shared Key for tunnel — the key (PSK) used for the initial authentication between the VPN gateway and the customer gateway;

  • ikeVersion — the key exchange protocol version, ikev1 or ikev2;

  • Replay Window Size — the number of packets in the IKE replay window.

Phase1 parameters:

  • Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the first IKE phase;

  • Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the first IKE phase;

  • DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the first IKE phase;

  • Lifetime Seconds — the lifetime for the first IKE phase, in seconds.

Phase2 parameters:

  • Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the second IKE phase;

  • Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the second IKE phase;

  • Turn on PFS — with Perfect Forward Secrecy (PFS) enabled, each phase 2 session key is derived from a fresh Diffie-Hellman exchange, so the compromise of one key does not expose the keys of other sessions;

    Attention

    PFS is enabled by default. In order to prevent the session encryption key from being compromised, do not disable PFS.

  • DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the second IKE phase;

    Note

    If PFS is disabled, Diffie-Hellman groups cannot be selected.

  • Lifetime Seconds — the lifetime for the second IKE phase, in seconds.

To learn more about the supported tunnel options, limitations and algorithm compatibility for different IKE versions, see documentation.
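The following checker is an added example (not K2 Cloud code) that applies the constraints this page states to a proposed dual-tunnel configuration before it is submitted: the inside-tunnel CIDR must be a /30 from 169.254.252.0/22, the two BGP ASNs must differ (eBGP only) and should be private, PFS should stay on, and DH groups cannot be chosen while PFS is off. `TunnelOptions` and `check_connection` are hypothetical names, not part of the K2 Cloud API.

```python
import ipaddress
from dataclasses import dataclass

# Constraints taken from this page: the inside-tunnel /30 must come from
# 169.254.252.0/22, BGP ASNs should be private, and only eBGP is allowed.
TUNNEL_INSIDE_POOL = ipaddress.ip_network("169.254.252.0/22")
PRIVATE_ASN_RANGES = ((64512, 65535), (4200000000, 4294967294))
DEFAULT_CGW_ASN = 65000  # used when the customer gateway ASN field is left empty


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


@dataclass
class TunnelOptions:          # hypothetical container, not a K2 Cloud API object
    inside_cidr: str          # "Internal IP CIDR for tunnel"
    ike_version: str = "ikev2"
    pfs: bool = True          # "Turn on PFS", enabled by default
    phase2_dh_groups: tuple = ()


def check_tunnel(opts: TunnelOptions) -> list:
    """Return the problems found in one tunnel's options (empty list means OK)."""
    problems = []
    try:
        net = ipaddress.ip_network(opts.inside_cidr, strict=True)
    except ValueError:  # host bits set, or not a CIDR at all
        problems.append(f"{opts.inside_cidr}: not a valid network CIDR")
    else:
        if (not isinstance(net, ipaddress.IPv4Network) or net.prefixlen != 30
                or not net.subnet_of(TUNNEL_INSIDE_POOL)):
            problems.append(f"{opts.inside_cidr}: must be a /30 inside {TUNNEL_INSIDE_POOL}")
    if opts.ike_version not in ("ikev1", "ikev2"):
        problems.append(f"ikeVersion {opts.ike_version!r}: must be ikev1 or ikev2")
    if not opts.pfs:
        problems.append("PFS disabled: phase 2 keys no longer come from a fresh DH exchange")
        if opts.phase2_dh_groups:
            problems.append("phase 2 DH groups cannot be selected while PFS is disabled")
    return problems


def check_connection(cgw_asn, vpc_asn, tunnels) -> list:
    """Validate the BGP ASN pair and every tunnel of a (dual-tunnel) VPN connection."""
    cgw_asn = DEFAULT_CGW_ASN if cgw_asn is None else cgw_asn
    problems = []
    if cgw_asn == vpc_asn:
        problems.append(f"ASN {cgw_asn} on both sides: only eBGP is allowed, ASNs must differ")
    for side, asn in (("customer gateway", cgw_asn), ("VPC", vpc_asn)):
        if not is_private_asn(asn):
            problems.append(f"warning: {side} ASN {asn} is outside the private ranges")
    for i, t in enumerate(tunnels, 1):
        problems += [f"tunnel {i}: {p}" for p in check_tunnel(t)]
    return problems
```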

Configuring the remote device#

You can configure your device located in the remote infrastructure (the customer gateway) using the settings that K2 Cloud provides for each VPN connection.

  1. Go to Interconnect → VPN → VPN connections.

  2. Create the VPN connection if it has not been created yet.

  3. Find the newly created VPN connection in the resource table and click its ID to go to the VPN connection page.

  4. Click Get settings. The following formats for settings are supported:

    • generic configuration with a text description of all parameters;

    • configuration for Cisco IOS 12.4 and higher;

    • Generic Linux Openswan/Libreswan with Quagga/FRR;

    • RedHat Linux Openswan/Libreswan with Quagga/FRR.

  5. Click Download to save the customer gateway settings in .cfg format on the local PC.

Routing via a VPN connection#

You can set up static routing between subnets in K2 Cloud and private networks in the remote infrastructure (behind a customer gateway) using route tables.

Use BGP for dynamic routing. This saves you the hassle of manually configuring static routes over a VPN connection, improves fault tolerance, and allows for an automatic switchover when using multiple VPN connections.

Important

For high-availability VPN connections, only BGP routing is available; static routing is not supported.

For the routes learned over BGP to be installed in a VPC route table, enable Route propagation. To do this, go to the VPC page, switch to the Information tab and specify the target route table for the Route propagation parameter.

Route propagation feature#

You can choose one route table of the VPC to which BGP routes received from a customer gateway are propagated. This feature can be enabled in the web interface on the VPC page or via the API method EnableVgwRoutePropagation.

Once Route Propagation is enabled, the standard best route selection rules will apply to the selected route table. The following routes will have higher priority:

  • routes with longer prefix;

  • routes with shorter administrative distance;

  • routes with smaller metrics.

If necessary, Route propagation can be disabled in the web interface on the VPC page or via the API method DisableVgwRoutePropagation. In this case, BGP continues to work for the VPN connections and to advertise routes, but BGP routes are no longer propagated to the route table, so instances in the VPC cannot reach networks behind the customer gateway. If this is the case, use static routing.

Important

Note that network connectivity between the VPN and the cloud can be lost for up to 1 minute when you enable route propagation or change the route table to which BGP routes learned from the customer gateway are propagated.
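As an added example (not K2 Cloud code), the model below applies the best route selection order stated above (longer prefix, then shorter administrative distance, then smaller metric) to a constructed VPC route table, and shows what Route propagation and a failed tunnel change about the result. The `Route` class, the administrative distance values and the target names are assumptions for illustration; the page gives no such numbers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:                  # hypothetical model of a VPC route table entry
    prefix: str
    target: str
    origin: str               # "local", "static" or "bgp" (learned from the customer gateway)
    admin_distance: int       # assumed values; the page gives no numbers
    metric: int = 0


def effective_table(static_routes, bgp_routes, propagation_enabled, down_targets=()):
    """Routes the VPC table actually holds: BGP routes only while Route propagation
    is enabled, and never a route via a target (tunnel) that is currently down."""
    routes = list(static_routes) + (list(bgp_routes) if propagation_enabled else [])
    return [r for r in routes if r.target not in down_targets]


def best_route(table, dst):
    """Apply the page's order: longest prefix, then shortest administrative
    distance, then smallest metric."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst_ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                          r.admin_distance, r.metric))


# Constructed sample: one static route towards the remote site, plus the same /16
# and a more specific /24 learned over BGP through both tunnels of an HA connection.
STATIC = [
    Route("10.0.0.0/16", "local", "local", 0),
    Route("192.168.0.0/16", "vpn-static", "static", 1),
]
BGP = [
    Route("192.168.0.0/16", "vpn-tunnel-1", "bgp", 20),
    Route("192.168.10.0/24", "vpn-tunnel-1", "bgp", 20, metric=10),
    Route("192.168.10.0/24", "vpn-tunnel-2", "bgp", 20, metric=20),
]


def lookup(dst, propagation_enabled=True, down_targets=()):
    """Target chosen for dst, or None when the VPC has no route to it."""
    r = best_route(effective_table(STATIC, BGP, propagation_enabled, down_targets), dst)
    return None if r is None else r.target
```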

Deleting a VPN connection#

  1. Go to Interconnect → VPN → VPN connections.

  2. In the resource table, select the VPN connection and click Delete.

  3. In the window that opens, confirm the deletion.

Alternatively, you can go to the VPN connection page, open Information tab and click Delete to delete a VPN connection.

A VPN connection can be deleted in the Customer gateway section. To do this:

  1. Go to Interconnect → VPN → Customer gateways.

  2. Select the customer gateway from the list and click Delete VPN connection.

  3. In the window that opens, select the VPC whose connection you want to delete, and click Delete.

  4. In the window that opens, confirm the deletion.

Deleting a customer gateway#

Important

You can delete a customer gateway only if it has no active VPN connection. So you should delete the corresponding VPN connection before deleting a customer gateway.

  1. Go to Interconnect → VPN → Customer gateways.

  2. In the resource table, select the customer gateway and click Delete.

  3. In the window that opens, confirm the deletion.

This operation can also be performed on the page of the selected customer gateway. To do this, go to the Information tab and click Delete.