Connect branch offices and data centers: VPN Site-to-Site

This example configures a Selectel firewall located on the data center side. If the firewall is installed at the branch office, configure it according to the manufacturer's documentation.

To connect branch offices to the data center, configure a Site-to-Site VPN tunnel using the IPsec protocol:

  1. Connect to the Selectel firewall.
  2. Set the IKE phase 1 parameters on each device.
  3. Set the IKE phase 2 parameters on each device.
  4. Configure firewall rules that permit IPsec traffic.
  5. Bring up the tunnel between the devices.

Connect to the Selectel firewall

  1. Open the page in your browser:

    https://<ip_address>:5443

    where <ip_address> is the IP address of the firewall.

  2. Enter the username and password you received in the ticket after ordering the firewall. The main GUI page with the dashboard opens.

Set the parameters of the first phase of IKE

The parameters must be configured on every device between which the tunnel is created, and the values must be identical on all of them.

  1. In the VPN menu, go to IPsec.

  2. Open the tab Tunnels.

  3. Click Add P1.

  4. In the field Key Exchange Version select the protocol version for key exchange — IKEv2.

  5. In the field Internet Protocol select Internet Protocol — IPv4.

  6. In the field Interface select the network interface from which to build the tunnel.

  7. In the field Remote Gateway enter the IP address of the remote device.

  8. In the field Authentication Method select an authentication method:

    • Mutual PSK;
    • or Mutual Certificate, and fill in the fields My Certificate and Peer Certificate Authority.

  9. In the field My Identifier select the identifier type and enter the ID of the device from which you are configuring the tunnel.

  10. In the field Peer Identifier select the identifier type and enter the ID of the remote device.

  11. In the field Pre-Shared Key enter the secret used for authentication. The same value is entered when setting up the remote device.

  12. In the block Encryption Algorithm configure the encryption algorithm:

    12.1. In the field Algorithm select AES.
    12.2. In the field Key Length select 256 bits.
    12.3. In the field Hash select SHA512.
    12.4. In the field DH Group select 14.

  13. Click Save, then click Apply Changes.

Set the parameters of the second phase of IKE

The parameters must be configured on every device between which the tunnel is created, and the values must be identical on all of them.

  1. In the VPN menu, go to IPsec.

  2. Open the tab Tunnels.

  3. Below the phase 1 entry, click Show Phase 2 Entries.

  4. Click Add P2.

  5. In the field Mode select the Tunnel IPv4 mode of operation.

  6. In the field Local Network select Network as the type of the local network behind the VPN gateway and enter the address of the local subnet.

  7. In the field Remote Network select Network as the type of the remote network behind the VPN gateway and enter the address of the remote subnet.

  8. In the field Protocol select the protocol for protection of transmitted data — ESP.

  9. In the block Encryption Algorithm configure the encryption algorithm:

    9.1. Check the AES checkbox and select Key Length 128 bits.
    9.2. Check the AES256-GCM checkbox and select Key Length 128 bits.

  10. In the field Hash Algorithms select the hash algorithm — SHA512.

  11. In the field PFS Key Group select the Diffie-Hellman group used for Perfect Forward Secrecy of the data keys: 14.

  12. Click Save, then click Apply Changes.
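
For the branch-office side, which the page says to configure from the vendor's documentation, the same phase 1 and phase 2 parameters are shown below as a strongSwan swanctl.conf. This is an added example, not Selectel's or the page's own configuration: the addresses, identifiers and the key placeholder are assumptions, and the mapping of the GUI's AES256-GCM entry to a proposal string is an assumption noted in the comments.

```conf
# swanctl.conf on the branch-office gateway (strongSwan). Constructed example:
# every address, identifier and the PSK placeholder is assumed, not taken from the page.
connections {
    branch-to-dc {
        version = 2                            # Key Exchange Version: IKEv2
        local_addrs  = 203.0.113.10            # branch WAN address (assumed)
        remote_addrs = 198.51.100.20           # Remote Gateway = DC firewall address (assumed)
        # Phase 1: AES 256 bits, SHA512, DH group 14 (modp2048)
        proposals = aes256-sha512-modp2048
        local {
            auth = psk
            id = branch.example.com            # must equal Peer Identifier on the DC firewall
        }
        remote {
            auth = psk
            id = dc.example.com                # must equal My Identifier on the DC firewall
        }
        children {
            site {
                mode = tunnel                  # Mode: Tunnel IPv4
                local_ts  = 10.10.0.0/24       # branch LAN = Remote Network on the DC firewall
                remote_ts = 10.20.0.0/24       # DC LAN = Local Network on the DC firewall
                # Phase 2: ESP with AES 128 / AES-GCM, SHA512, PFS group 14.
                # Assumption: the GUI's "AES256-GCM, Key Length 128 bits" means an AES-128
                # key with a 128-bit ICV (aes128gcm128); confirm the negotiated proposal
                # in the firewall's IPsec log before relying on it.
                esp_proposals = aes128-sha512-modp2048, aes128gcm128-modp2048
                start_action = start           # bring the tunnel up on load
            }
        }
    }
}
secrets {
    ike-dc {
        id = dc.example.com
        secret = "REPLACE_WITH_PRE_SHARED_KEY"  # the Pre-Shared Key entered in step 11 of phase 1
    }
}
```

Load it with `swanctl --load-all` and confirm the negotiated algorithms with `swanctl --list-sas`; a proposal mismatch with the DC firewall shows up there as a failed IKE_SA or CHILD_SA.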

Configure permissive rules on the firewall

A rule permitting IPsec traffic must be created on both the WAN and the IPsec interfaces.

  1. In the Firewall menu, go to Rules.
  2. Open the tab labeled with the interface name.
  3. Click Add.
  4. In the field Action select the action applied to matching packets: Pass.
  5. In the field Interface select the network interface: WAN or IPsec.
  6. In the field Source select the source of the network traffic. If you selected IPsec as the interface, select the subnet.
  7. In the field Destination select the destination address to which network traffic is allowed.
  8. Click Save.
  9. Drag the permissive rule above the blocking rules. Rules are evaluated in order from top to bottom.
  10. Click Apply Changes.

Bring up the tunnel between the devices

  1. In the Status menu, go to IPsec.
  2. Open the tab Overview.
  3. Click Connect P1 and P2.