Connecting branch offices and data centers: Site-to-Site VPN
These instructions describe how to configure the Selectel firewall when creating a Site-to-Site VPN tunnel between the data center and an external site, such as your office or another data center. They cover the IPsec configuration.
You must configure the equipment on the other side of the tunnel yourself, following the manufacturer's documentation. Before you start, make sure that your equipment supports IPsec.
- Connect to the Selectel firewall.
- Configure the IKE phase 1 parameters on each device.
- Configure the IKE phase 2 parameters on each device.
- Configure firewall rules that allow IPsec traffic.
- Bring up the tunnel between the devices.
1. Connect to the Selectel firewall
- Open the page in your browser: https://<ip_address>:5443, where <ip_address> is the IP address of the firewall.
- Enter the login and password you received in the ticket after ordering the firewall. The main page of the graphical interface with the dashboard opens.
2. Set the IKE phase 1 parameters
Configure the settings on the Selectel firewall. On your equipment on the other side of the tunnel, set the same parameter values.
- In the VPN menu, go to the IPsec section.
- Open the Tunnels tab.
- Click Add P1.
- In the Key Exchange Version field, select the key exchange protocol version: IKEv2.
- In the Internet Protocol field, select IPv4.
- In the Interface field, select the network interface from which the tunnel is built.
- In the Remote Gateway field, enter the IP address of the remote device.
- In the Authentication Method field, select an authentication method:
  - Mutual PSK;
  - or Mutual Certificate, and fill in the My Certificate and Peer Certificate Authority fields.
- In the My Identifier field, select the type and enter the identifier of the device from which you are setting up the tunnel.
- In the Peer Identifier field, select the type and enter the identifier of the remote device.
- In the Pre-Shared Key field, enter the authentication key. The same key must be entered when configuring the remote device.
- In the Encryption Algorithm section, configure the encryption algorithm:
  - In the Algorithm field, select AES.
  - In the Key Length field, select 256 bits.
  - In the HASH field, select SHA512.
  - In the DH Group field, select 14.
- Click Save → Apply Changes.
3. Set the IKE phase 2 parameters
Configure the settings on the Selectel firewall. On your equipment on the other side of the tunnel, set the same parameter values.
- In the VPN menu, go to the IPsec section.
- Open the Tunnels tab.
- Under the IKE Phase 1 row, click Show Phase 2 Entries.
- Click Add P2.
- In the Mode field, select Tunnel IPv4.
- In the Local Network field, select Network as the type of local network behind the VPN gateway and enter the address of the local subnet.
- In the Remote Network field, select Network as the type of remote network behind the VPN gateway and enter the address of the remote subnet.
- In the Protocol field, select the protocol that protects the transmitted data: ESP.
- In the Encryption Algorithm section, configure the encryption algorithms:
  - Check the AES checkbox and select Key Length 128 bits.
  - Check the AES256-GCM checkbox and select Key Length 128 bits.
- In the Hash Algorithms field, select SHA512.
- In the PFS Key Group field, select the group used for additional protection of the encryption keys (Perfect Forward Secrecy): 14.
- Click Save → Apply Changes.
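The page leaves the remote side to the manufacturer's documentation. As an added example, not Selectel's configuration, this is what the matching peer-side setup looks like when the remote gateway runs strongSwan (swanctl.conf): the phase 1 and phase 2 proposals mirror the values chosen in sections 2 and 3. Addresses, subnets, identifiers and the pre-shared key are placeholders, and reading the 128-bit value on AES256-GCM as the ICV length is an assumption.

```conf
# /etc/swanctl/swanctl.conf on the remote (non-Selectel) gateway.
# Example configuration, not Selectel's. Addresses, IDs and the PSK are
# placeholders; replace them with your own values.
connections {
    to-selectel {
        version = 2                     # Key Exchange Version: IKEv2
        local_addrs  = 203.0.113.10     # placeholder: this gateway's WAN address
        remote_addrs = 198.51.100.20    # placeholder: Selectel firewall (Remote Gateway)
        # Phase 1 proposal: AES-256, SHA-512, DH group 14 (modp2048)
        proposals = aes256-sha512-modp2048
        local {
            auth = psk
            id = 203.0.113.10           # must equal Peer Identifier on the Selectel side
        }
        remote {
            auth = psk
            id = 198.51.100.20          # must equal My Identifier on the Selectel side
        }
        children {
            office-to-dc {
                local_ts  = 192.168.10.0/24   # placeholder: subnet behind this gateway
                remote_ts = 10.0.0.0/24       # placeholder: Local Network on the Selectel side
                mode = tunnel                 # Mode: Tunnel IPv4
                # Phase 2 (ESP) proposals, each with PFS on DH group 14:
                #  - AES-128-CBC with SHA-512 integrity
                #  - AES-256-GCM with a 128-bit ICV (assumed meaning of "128 bits";
                #    GCM is an AEAD cipher and needs no separate hash)
                esp_proposals = aes128-sha512-modp2048,aes256gcm128-modp2048
                start_action = start          # bring the tunnel up when the config is loaded
                dpd_action = restart          # re-establish if the peer stops answering
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-selectel {
        id-1 = 198.51.100.20            # identity of the Selectel firewall
        secret = "REPLACE_WITH_THE_PRE_SHARED_KEY"   # same value as the Pre-Shared Key above
    }
}
```

Load it with `swanctl --load-all` and confirm the negotiated algorithms with `swanctl --list-sas`; a proposal mismatch between the two sides shows up there as a tunnel that never reaches the ESTABLISHED state.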
4. Configure permissive rules on the firewall
Create rules that allow IPsec traffic on the WAN and IPsec interfaces.
- In the Firewall menu, go to the Rules section.
- Open the WAN interface tab.
- Click Add.
- In the Action field, select what to do with matching packets: Pass.
- In the Interface field, select the network interface: IPsec.
- In the Source field, select the subnet that is the source of the network traffic.
- In the Destination field, select the destination address to which network traffic is allowed.
- Click Save.
- Click Add.
- In the Action field, select what to do with matching packets: Pass.
- In the Interface field, select the network interface: WAN.
- In the Source field, select the source of the network traffic.
- In the Destination field, select the destination address to which network traffic is allowed.
- Click Save.
- Drag the created rules above the blocking rules: rules are evaluated in order from the top of the list to the bottom.
- Click Apply Changes.
5. Bring up the tunnel between the devices
- In the Status menu, go to the IPsec section.
- Open the Overview tab.
- Click Connect P1 and P2.