VPN connections#

You can easily connect your NGN Cloud infrastructure with the remote infrastructure using the cloud VPN service (VPN as a Service, VPNaaS).

By default, a high-availability VPN connection is created. To ensure high availability, two tunnels are created and terminated in different availability zones. In normal operation, both tunnels are active, and traffic from VMs is forwarded to the closest tunnel. If a tunnel fails, all traffic is automatically redirected through the second tunnel to make cloud resources available.

Note

A high-availability VPN connection is billed at an hourly rate in addition to the outbound traffic charges. You can view the tariff information in the Network tab of the Tariffs section.

There are two types of IPsec VPN connections in NGN Cloud:

  • ipsec.1: tunnel mode;

  • ipsec.legacy: transport mode.

A VPN connection is established between an NGN Cloud VPN gateway and a customer gateway; it is also possible to establish a VPN connection with AWS.
Customer gateway — the connection point to the remote infrastructure. It is created by the user and contains information about the remote device with which the connection is to be established.
VPN gateway — the connection point in the NGN Cloud. One VPN gateway is automatically created for each virtual private cloud (VPC).

Important

For simplicity, a VPN gateway is not displayed in the web interface. So, when you create VPN connections, selecting a VPC is equivalent to choosing a VPN gateway. Information about the available VPN gateways can be obtained explicitly using the API.

To connect your device with the cloud infrastructure, you should:

There can be only one VPN connection between a customer gateway and a VPC (a VPN gateway). But you can create several VPN connections between a VPC and different customer gateways or between a customer gateway and different VPCs.

Creating a customer gateway#

Click Create in the Customer gateways section to create a customer gateway.

When registering a customer gateway, you should specify:

  • Type — ipsec.1 (IPsec connection in tunnel mode) or ipsec.legacy (IPsec connection in transport mode).

  • IP address — The address of the customer gateway in the remote infrastructure.

  • BGP ASN is the autonomous system number of the remote network. If you do not have an autonomous system, use a number from the private ranges (64512—65534 and 4200000000—4294967294). If you leave this field empty, the default value 65000 is set.

VPN connections can only be created if a customer gateway is specified.

Creating a VPN connection#

You can create a VPN connection in the VPN connections section. To do that, click Create and select the VPC with which you need to establish a connection, then select an existing customer gateway or create a new one right in this form. If the default tunnel options are not suitable, you can change them.

If you select or create a gateway of the ipsec.1 type, a high-availability connection with two tunnels is created by default (this option is not available for a gateway of the ipsec.legacy type). If you do not need a high-availability VPN, uncheck the corresponding option. For an ipsec.1 type connection, you can also specify the subnets on the cloud side (Remote IP Network CIDR) and on the client side (Local IP Network CIDR) that are permitted to use the encrypted tunnel.

Also, you can create a VPN connection in the Customer gateways section. To do this, create a customer gateway or select one from the list and click Create VPN connection. In the dialog window, select the VPC with which you want to establish a connection, set the connection and tunnel parameters, and click Create.

When using BGP to exchange route information, only eBGP is allowed. Thus, the BGP ASN of the customer gateway and the BGP ASN of the VPC (VPN gateway) must not be the same. If necessary, you can change the BGP ASN of the VPC. To change it, contact the NGN Cloud support. Please include the VPC ID and the desired autonomous system number in your request. It is recommended to use a number from the private BGP ranges: 64512—65534 and 4200000000—4294967294.

When you create a VPN connection, the cloud by default downloads a configuration file. This file is specific to your customer gateway and contains the data needed to set up the device.

Changing tunnel parameters#

In NGN Cloud, you can choose which tunnel options to use when creating a VPN connection. For a high-availability VPN, you can specify tunnel options separately for each tunnel.

Here are the tunnel parameters that you can configure.

General parameters:

  • Internal IP CIDR for tunnel — a /30 block from the subnet 169.254.252.0/22 to be used inside the IPsec tunnel of the VPN connection;

  • Pre-shared Key for tunnel — the key (PSK) used for the initial authentication between the VPN gateway and the customer gateway;

  • ikeVersion — the key exchange protocol version, ikev1 or ikev2;

  • Replay Window Size — the number of packets in the IKE replay window.

Phase1 parameters:

  • Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the first IKE phase;

  • Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the first IKE phase;

  • DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the first IKE phase;

  • Lifetime Seconds — the lifetime for the first IKE phase, in seconds.

Phase2 parameters:

  • Encryption Algorithms — the allowed encryption algorithms for the VPN tunnel in the second IKE phase;

  • Integrity Algorithms — the allowed integrity algorithms for the VPN tunnel in the second IKE phase;

  • Turn on PFS — with Perfect Forward Secrecy (PFS) enabled, each session key is derived from a fresh Diffie-Hellman exchange, so the compromise of one key does not expose the keys of other sessions;

    Attention

    PFS is enabled by default. In order to prevent the session encryption key from being compromised, do not disable PFS.

  • DH Group Numbers — the allowed Diffie-Hellman groups for the VPN tunnel in the second IKE phase;

    Note

    If PFS is disabled, Diffie-Hellman groups cannot be selected.

  • Lifetime Seconds — the lifetime for the second IKE phase, in seconds.

To learn more about the supported tunnel options, limitations and algorithm compatibility for different IKE versions, see the documentation.
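The following Python is an added example, not NGN Cloud code: it checks a planned VPN connection against the constraints stated in the previous sections (ipsec.legacy has no high-availability option, eBGP only, the /30 inside 169.254.252.0/22, PFS and DH group selection). The class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constants taken from this page; the class and function names are my own.
TUNNEL_INSIDE_BLOCK = ipaddress.ip_network("169.254.252.0/22")
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
DEFAULT_CUSTOMER_ASN = 65000

def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)

@dataclass
class TunnelOptions:
    inside_cidr: str            # Internal IP CIDR for tunnel
    psk: str                    # Pre-shared Key for tunnel
    pfs: bool = True            # Turn on PFS
    phase2_dh_groups: List[int] = field(default_factory=list)

@dataclass
class VpnConnection:
    gateway_type: str            # "ipsec.1" or "ipsec.legacy"
    customer_asn: Optional[int]  # None means the default 65000
    vpc_asn: int
    high_availability: bool
    tunnels: List[TunnelOptions]

def validate(conn: VpnConnection) -> List[str]:
    """Return the list of problems; an empty list means the request is consistent."""
    problems = []
    if conn.high_availability and conn.gateway_type == "ipsec.legacy":
        problems.append("high availability is not available for ipsec.legacy gateways")
    expected = 2 if conn.high_availability else 1
    if len(conn.tunnels) != expected:
        problems.append(f"expected {expected} tunnel(s), got {len(conn.tunnels)}")
    asn = DEFAULT_CUSTOMER_ASN if conn.customer_asn is None else conn.customer_asn
    if asn == conn.vpc_asn:
        problems.append("only eBGP is allowed: customer ASN must differ from the VPC ASN")
    for i, t in enumerate(conn.tunnels, 1):
        net = ipaddress.ip_network(t.inside_cidr)
        if net.prefixlen != 30 or not net.subnet_of(TUNNEL_INSIDE_BLOCK):
            problems.append(f"tunnel {i}: inside CIDR must be a /30 within 169.254.252.0/22")
        if not t.psk:
            problems.append(f"tunnel {i}: pre-shared key is empty")
        if not t.pfs:
            problems.append(f"tunnel {i}: PFS is disabled, which is not recommended")
        if not t.pfs and t.phase2_dh_groups:
            problems.append(f"tunnel {i}: DH groups cannot be selected when PFS is off")
    return problems
```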

Configuring of the remote device#

You can configure your device located in the remote infrastructure (the customer gateway) using the settings provided by NGN Cloud for each VPN connection.

You can get the customer gateway settings in the VPN connections section. To do that, create a VPN connection, select it in the list or go to its page, and click Get settings.

The settings can be generated in the following formats:

  • generic configuration with a text description of all parameters;

  • configuration for Cisco IOS 12.4 and higher;

  • Generic Linux Openswan/Libreswan with Quagga/FRR;

  • RedHat Linux Openswan/Libreswan with Quagga/FRR.

Click Download to save the customer gateway settings in .cfg format on your local computer.

Routing via a VPN connection#

You can set up static routing between subnets in NGN Cloud and private networks in the remote infrastructure (behind a client gateway) using route tables.

Use BGP for dynamic routing. This saves you the hassle of manually configuring static routes over a VPN connection, improves fault tolerance, and allows for an automatic switchover when using multiple VPN connections.

Important

For high-availability VPN connections, only BGP routing is available; static routing is not supported.

For the routes learned over BGP to be installed in a VPC route table, enable Route propagation. To do this, go to the VPC page, switch to the Information tab and specify the target route table for the Route propagation parameter.

Route propagation feature#

You can choose one route table per VPC into which BGP routes received from the client gateway are propagated. This feature can be enabled in the web interface on the VPC page or via the API method EnableVgwRoutePropagation.

Once Route Propagation is enabled, the standard best route selection rules will apply to the selected route table. The following routes will have higher priority:

  • routes with longer prefix;

  • routes with shorter administrative distance;

  • routes with smaller metrics.
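As an added example (not NGN Cloud code), the following Python applies the three priority rules above to a constructed route table that mixes a static route with routes propagated over BGP; the administrative-distance values and the target labels are illustrative assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: str           # destination CIDR
    target: str           # where the route points (constructed labels below)
    admin_distance: int   # lower is preferred; values below are constructed
    metric: int = 0       # lower is preferred

def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Among routes covering dst, prefer the longest prefix, then the shortest
    administrative distance, then the smallest metric."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return min(matching, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                        r.admin_distance, r.metric))

# Constructed route table: one static route entered by hand plus routes
# propagated from the customer gateway over BGP.
TABLE = [
    Route("10.0.0.0/16", "local", 0),
    Route("192.168.0.0/16", "vpn-tunnel-a", 1),         # static
    Route("192.168.10.0/24", "vpn-tunnel-a", 20, 10),   # BGP, propagated
    Route("192.168.10.0/24", "vpn-tunnel-b", 20, 5),    # BGP, propagated
    Route("192.168.20.0/24", "vpn-tunnel-b", 20),       # BGP, propagated
    Route("192.168.20.0/24", "vpn-tunnel-a", 1),        # static, same prefix
]
```

Note that the propagated /24 wins over the static /16 for hosts inside it even though its administrative distance is worse, because prefix length is compared first.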

If necessary, Route propagation can be disabled in the web interface on the VPC page or via the API method DisableVgwRoutePropagation. In this case, BGP continues to work for the VPN connections and to advertise routes. However, the BGP routes are no longer propagated to the route table, so instances in the VPC cannot reach networks behind the client gateway. If this is the case, use static routing.

Important

Note that network connectivity between the VPN and the cloud can be lost for up to 1 minute when you enable route propagation or change the route table into which BGP routes learned from the client gateway are propagated.

Deleting a VPN connection and customer gateway#

To delete a VPN connection go to the VPN connections section, select the VPN connection in the list and click Delete.

Also, you can delete a VPN connection in the Customer gateways section. To do this, select the customer gateway from the list and click Delete VPN connection. In the dialog window, select the VPC and the connection you want to delete, and click Delete.

Important

You can delete a customer gateway only if it has no active VPN connection. So you should delete the corresponding VPN connection before deleting a customer gateway.

To delete a customer gateway, go to the Customer gateways section, select the customer gateway in the list, or go to the customer gateway page and click Delete.