Connect branch offices and data centers: VPN Site-to-Site

This example configures a Selectel firewall located on the data center side. If a firewall is installed at the branch office, configure it according to its manufacturer's documentation.

To connect branch offices to the data center, configure a VPN Site-to-Site tunnel using the IPsec protocol.

  1. Connect to the Selectel firewall.
  2. Configure the IKE first phase parameters for each device.
  3. Configure the IKE second phase parameters for each device.
  4. Configure permissive rules on the firewall for IPsec protocol operation.
  5. Raise the tunnel between the devices.

1. Connect to the Selectel firewall

  1. Open the page in your browser:

    https://<ip_address>:5443

    where <ip_address> is the IP address of the firewall.

  2. Enter the login and password you received in the ticket after ordering the firewall. The main page of the GUI with the dashboard opens.

2. Set the parameters of the first phase of IKE

Parameters must be configured for all devices between which the tunnel is created. The parameter values must be the same.

  1. In the VPN menu, go to the IPsec section.

  2. Open the Tunnels tab.

  3. Press Add P1.

  4. In the Key Exchange Version field, select the protocol version for key exchange — IKEv2.

  5. In the Internet Protocol field, select the Internet Protocol — IPv4.

  6. In the Interface field, select the network interface from which to build the tunnel.

  7. In the Remote Gateway field, enter the IP address of the remote device.

  8. In the Authentication Method field, select an authentication method:

    • Mutual PSK;
    • or Mutual Certificate and fill in the My Certificate and Peer Certificate Authority fields.
  9. In the My Identifier field, select the type and enter the ID of the device from which you are setting up the tunnel.

  10. In the Peer Identifier field, select the type and enter the ID of the remote device.

  11. In the Pre-Shared Key field, enter the pre-shared key. The same key must be entered when configuring and connecting the remote device.

  12. In the Encryption Algorithm box, configure the encryption algorithm:

    12.1 In the Algorithm field, select AES.

    12.2 In the Key Length field, select 256 bits.

    12.3 In the HASH field, select SHA512.

    12.4 In the DH Group field, select 14.

  13. Click Save, then Apply Changes.

3. Configure the parameters of the second phase of IKE

Configure the parameters for each device between which the tunnel is created. The parameter values must be the same.

  1. In the VPN menu, go to the IPsec section.

  2. Open the Tunnels tab.

  3. Under the IKE Phase 1 row, click Show Phase 2 Entries.

  4. Click Add P2.

  5. In the Mode field, select Tunnel IPv4 mode.

  6. In the Local Network field, select Network as the type of local network behind the VPN gateway and enter the IP address of the local subnet.

  7. In the Remote Network field, select Network as the type of remote network behind the VPN gateway and enter the IP address of the remote subnet.

  8. In the Protocol field, select the protocol for protecting the transmitted data — ESP.

  9. In the Encryption Algorithm box, configure the encryption algorithm:

    9.1 Check the AES checkbox and select Key Length — 128 bits.

    9.2 Check the AES256-GCM checkbox and select Key Length — 128 bits.

  10. In the Hash Algorithms field, select the hash algorithm — SHA512.

  11. In the PFS Key Group field, select the parameters for additional encryption key protection — 14.

  12. Click Save, then Apply Changes.
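If the branch-office device is a strongSwan host rather than a second Selectel firewall, the Phase 1 and Phase 2 values from sections 2 and 3 map onto a swanctl.conf like the one below. This is an added example, not part of the Selectel documentation; the addresses, identifiers, subnets and the PSK placeholder are assumptions, and the reading of the GUI's AES256-GCM "128 bits" entry as the 128-bit ICV is an assumption as well.

```ini
# Added example (not Selectel's): strongSwan swanctl.conf on the branch-office
# side, mirroring the Phase 1 / Phase 2 values chosen in the GUI above.
# All addresses, identities, subnets and the secret are constructed placeholders.
connections {
    to-datacenter {
        version = 2                        # Key Exchange Version: IKEv2
        local_addrs  = 198.51.100.10       # branch-office WAN address (placeholder)
        remote_addrs = 203.0.113.20        # Remote Gateway: data center firewall (placeholder)

        # Phase 1 (IKE SA): AES 256 bits / SHA512 / DH group 14 (modp2048)
        proposals = aes256-sha512-modp2048

        local {
            auth = psk                     # Authentication Method: Mutual PSK
            id = branch.example.net        # My Identifier (placeholder)
        }
        remote {
            auth = psk
            id = dc.example.net            # Peer Identifier (placeholder)
        }

        children {
            branch-to-dc {
                mode = tunnel              # Mode: Tunnel IPv4
                local_ts  = 10.10.0.0/24   # Local Network behind this gateway (placeholder)
                remote_ts = 10.20.0.0/24   # Remote Network behind the data center (placeholder)
                # Phase 2 (ESP): AES-128 with SHA512, and AES-256-GCM with a
                # 128-bit ICV; both with PFS group 14. "aes256gcm128" is assumed
                # to be the strongSwan spelling of the GUI's AES256-GCM / 128 bits.
                esp_proposals = aes128-sha512-modp2048,aes256gcm128-modp2048
                start_action = start       # bring the tunnel up on load (section 5)
            }
        }
    }
}

secrets {
    ike-datacenter {
        id = dc.example.net
        secret = "REPLACE_WITH_THE_PRE_SHARED_KEY"   # must equal the key entered in the GUI
    }
}
```

Load it with `swanctl --load-all` and confirm with `swanctl --list-sas` that the IKE SA negotiated AES_CBC-256/HMAC_SHA2_512/MODP_2048; a proposal mismatch on either phase shows up in the strongSwan log as NO_PROPOSAL_CHOSEN.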

4. Configure permissive rules on the firewall

A rule allowing IPsec protocol traffic must be created on both the WAN and IPsec interfaces.

  1. On the Firewall menu, go to the Rules section.
  2. Open the tab labeled with the interface name.
  3. Click Add.
  4. In the Action field, select the action when receiving or sending data packets — Pass.
  5. In the Interface field, select the network interface — WAN or IPsec.
  6. In the Source field, select the source of the network traffic. Select a subnet if you selected IPsec as the interface in the previous step.
  7. In the Destination field, select the destination address to which network traffic is allowed.
  8. Click Save.
  9. Drag the permissive rule above the blocking rules. Rules are evaluated in order from top to bottom in the list.
  10. Click Apply Changes.

5. Raise the tunnel between devices

  1. On the Status menu, go to the IPsec section.
  2. Open the Overview tab.
  3. Click Connect P1 and P2.