IPSEC VPN Connection
The following HowTo describes how to configure an IPsec VPN connection in the OpenStack Horizon management interface. Please note the Disclaimer and that firewall security settings can vary between firewalls and may change over time.
For the IPsec VPN connection to work, it is important that the configuration matches on both sides. The following description refers to the IPsec VPN configuration in OpenStack. Follow these steps:
- Click on "Network Topology" in the left navigation bar
1.) Create IKE policy (Phase 1)
- Click on the "+Add IKE Policy" button in the upper right
- Now enter the missing information in the input mask and click "Add"
The created IKE policy is then listed.
2.) Create IPsec policy (Phase 2)
- Now switch to the "IPsec Policies" tab and click on the "+Add IPsec Policy" button in the upper right
- Now enter the information.
Important
Currently, only the Transform Protocols "esp" and "ah" are supported.
The created IPsec policy is then listed.
3.) Add VPN Service
Here you enter the network information from the OpenStack side (Router and Subnet).
Warning
By default, a maximum of one VPN Service is supported per virtual Router! However, multiple IPsec Site Connections are allowed per virtual Router, as long as they use the same VPN Service.
- Now switch to the "VPN Service" tab, click on the "+Add VPN Service" button in the upper right
- Now enter the information and click on "Add"
4.) Add Endpoint Groups
Here you enter the network information A) from OpenStack (Subnet for local systems) and B) from the "VPN Counterparty" (CIDR and External System CIDRs).
- A) Add local Endpoint Group - Now switch to the "Endpoint Groups" tab, click on the "+Add Endpoint Group" button in the upper right to create the Endpoint Group for A) OpenStack (Subnet for local systems).
- Now enter a name for the local Endpoint
- Then select "Subnet (for local systems)" as the Type
- and select the local Subnet
- then click on "Add"
- B) Add remote Endpoint Group - Now switch to the "Endpoint Groups" tab, click on the "+Add Endpoint Group" button in the upper right to create the Endpoint Group for B) VPN Counterparty.
- Now enter a name for the remote Endpoint
- Then select "CIDR (for external Systems)" as the Type
- and enter the network of the counterparty
- then click on "Add"
5.) Add IPsec Site-to-Site Connection
Here are the final settings for the IPsec Site-to-Site Connection.
- Now switch to the "IPsec Site-to-Site Connections" tab, click on the "+Add IPsec Site-to-Site Connection" button in the upper right
- Now enter the information or select the previously configured parameters from the dropdown menus.
- then click on "Add"
Subsequently, if everything was configured correctly, the created IPsec VPN connection is listed with the status "Active" (the IPsec tunnel comes up).
Important
If the settings are incorrect, the status remains Pending until the negotiation (Phase 1 and 2) matches the remote side. In this case, delete the Site Connection and create it again with the correct parameters.
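Because a Phase 1 or Phase 2 mismatch only shows up as a connection stuck in "Pending", it pays to compare the values you are about to enter in steps 1 to 5 with what the counterparty reports before creating the Site Connection. The following pre-flight check is an added example and not part of the original HowTo or of OpenStack itself: it compares the IKE and IPsec parameters of both sides, enforces the "esp"/"ah" transform protocol restriction stated above, and validates the local subnet and remote CIDR of the two Endpoint Groups. The dictionary keys and all algorithm values are constructed sample data that mirror the Horizon input masks; the counterparty's values would normally come from its administrator.

```python
"""Pre-flight consistency check for an OpenStack IPsec site-to-site connection.

Added example, not code from the original HowTo or from OpenStack. It flags
every parameter that differs between the OpenStack side and the counterparty,
so the mismatch is found before the connection sits in "Pending".
All field names and sample values below are constructed.
"""
import ipaddress

# Transform protocols the HowTo says are currently supported.
SUPPORTED_TRANSFORM_PROTOCOLS = {"esp", "ah"}

# Phase 1 (IKE policy) parameters that must be identical on both peers.
IKE_FIELDS = ("ike_version", "auth_algorithm", "encryption_algorithm", "pfs")
# Phase 2 (IPsec policy) parameters that must be identical on both peers.
IPSEC_FIELDS = ("transform_protocol", "encapsulation_mode", "auth_algorithm",
                "encryption_algorithm", "pfs")


def compare_policy(phase, fields, local, remote):
    """Return one message per field whose value differs between the peers."""
    problems = []
    for field in fields:
        if local.get(field) != remote.get(field):
            problems.append(f"{phase}: {field} local={local.get(field)!r} "
                            f"remote={remote.get(field)!r}")
    return problems


def check_endpoints(local_subnets, remote_cidrs):
    """Validate endpoint groups: well-formed network CIDRs, no local/remote overlap."""
    try:
        local_nets = [ipaddress.ip_network(c, strict=True) for c in local_subnets]
        remote_nets = [ipaddress.ip_network(c, strict=True) for c in remote_cidrs]
    except ValueError as exc:
        # strict=True rejects host addresses such as 10.10.0.1/24
        return [f"endpoint: invalid CIDR ({exc})"]
    problems = []
    for local_net in local_nets:
        for remote_net in remote_nets:
            if local_net.overlaps(remote_net):
                problems.append(f"endpoint: local {local_net} overlaps remote {remote_net}")
    return problems


def preflight(local, remote):
    """Collect every issue that would keep the site connection from going Active."""
    problems = compare_policy("IKE", IKE_FIELDS, local["ike"], remote["ike"])
    problems += compare_policy("IPsec", IPSEC_FIELDS, local["ipsec"], remote["ipsec"])
    transform = local["ipsec"].get("transform_protocol")
    if transform not in SUPPORTED_TRANSFORM_PROTOCOLS:
        problems.append(f"IPsec: transform protocol {transform!r} is not supported "
                        f"(use one of {sorted(SUPPORTED_TRANSFORM_PROTOCOLS)})")
    problems += check_endpoints(local["local_subnets"], remote["remote_cidrs"])
    return problems


# Constructed sample: what the OpenStack side will be configured with.
LOCAL = {
    "ike": {"ike_version": "v2", "auth_algorithm": "sha256",
            "encryption_algorithm": "aes-256", "pfs": "group14"},
    "ipsec": {"transform_protocol": "esp", "encapsulation_mode": "tunnel",
              "auth_algorithm": "sha256", "encryption_algorithm": "aes-256",
              "pfs": "group14"},
    "local_subnets": ["10.10.0.0/24"],
}
# Constructed sample: a counterparty whose settings match.
REMOTE_OK = {
    "ike": dict(LOCAL["ike"]),
    "ipsec": dict(LOCAL["ipsec"]),
    "remote_cidrs": ["192.168.50.0/24"],
}
# Constructed sample with two defects: a different Phase 1 PFS group and a
# remote CIDR that overlaps the local subnet.
REMOTE_BAD = {
    "ike": {**LOCAL["ike"], "pfs": "group5"},
    "ipsec": dict(LOCAL["ipsec"]),
    "remote_cidrs": ["10.10.0.0/16"],
}

if __name__ == "__main__":
    for name, remote in (("matching peer", REMOTE_OK), ("mismatching peer", REMOTE_BAD)):
        issues = preflight(LOCAL, remote)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run the check once with the counterparty's parameters filled in; an empty result means the values can be entered as-is, while each reported line names the tab (IKE policy, IPsec policy or Endpoint Group) that has to be corrected before the Site Connection is created.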