Connect branch offices and data centers: VPN Site-to-Site

Last update: September 06 2024

Connect branch offices and data centers: VPN Site-to-Site

Example of creating a Site-to-Site VPN tunnel for the IPsec protocol.

The settings are described for the Selectel firewall on the data center side. To configure a firewall that is installed at the branch office, refer to the documentation from its manufacturer.

1. Set the parameters of the first phase of IKE for each device.
2. Configure the parameters of the second phase of the IKE for each device.
3. Configure permissive rules on the firewall for the IPsec protocol to work.
4. Raise the tunnel between devices.

Configure IKE first phase parameters⁠

You must configure the parameters for each device between which the tunnel is created. The values of the parameters must be the same.

1. В graphical interface from the main menu, go to VPN → IPsec.

2. Open the tab Tunnels.

3. Click Add P1.

4. Fill in the blanks:

   • Key Exchange Version — IKEv2;
   • Internet Protocol — IPv4;
   • Interface — WAN. You can select any network interface from which to tunnel;
   • Remote Gateway — The IP address of the interface of the opposite device;
   • Authentication Method — Mutual PSK. To authenticate using a certificate, specify Mutual Certificate and fill in the additional fields My Certificate и Peer Certificate Authority;
   • Negotiation Mode — Main;
   • My Identifier — My IP Address. You can specify any ID of the device on which you are configuring;
   • Peer Identifier — Peer IP Address. You can specify any ID of the opposite device;
   • Pre-Shared key — code for authentication. Used when setting up and connecting the opposite device;
   • Encryption Algorithm: Algorithm — AES; Key Length — 256 bits; HASH — SHA512; DH Group — 14.

5. Click Save.

6. Click Apply Changes to apply the configuration.

Configure the parameters of the second phase of IKE⁠

You must configure the parameters for each device between which the tunnel is created. The values of the parameters must be the same.

1. В graphical interface from the main menu, go to VPN → IPsec.

2. Open the tab Tunnels.

3. Click Show Phase 2 Entries under tuned first phase.

4. Click Add P2.

5. Fill in the blanks:

   • Mode — Tunnel IPv4;
   • Local Network: Type — Network; Address — The address of the local subnet that is connected by the tunnel;
   • Remote Network: Type — Network; Address — the address of the local subnet on the opposite side;
   • Protocol — ESP;
   • Encryption Algorithm: AES — AES256-GCM; Key Length — 128 bits; Hash Algorithms — SHA512; PFS Key Group — 14.

6. Click Save.

7. Click Apply Changes to apply the configuration.

Configure permissive rules on the firewall⁠

An IPSEC Protocol Enabling Rule must be created for the WAN and IPSEC interfaces.

1. В graphical interface from the main menu, go to Firewall → Rules.

2. Open the tab labeled with the interface name.

3. Click Add. The rule needs to be added above all the prohibitions.

4. Fill in the blanks:

   • Action — Pass;
   • Interface — WAN / IPSEC;
   • Source — The IP address or subnet that includes the servers behind the firewall (for IPSEC, specify the subnet);
   • Destination — destination addresses to which traffic is allowed.

5. Click Save.

6. Click Apply Changes to apply the configuration.

Raise the tunnel between devices⁠

1. В graphical interface from the main menu, go to Status → IPsec.
2. Open the tab Overview.
3. Click Soppest P1 and P2.