Connect branch offices and data centers: VPN Site-to-Site

This example shows how to create a Site-to-Site VPN tunnel using the IPsec protocol.

The settings below are described for the Selectel firewall on the data center side. To configure the firewall installed in a branch office, refer to its manufacturer's documentation.

  1. Configure IKE phase 1 parameters on each device.
  2. Configure IKE phase 2 parameters on each device.
  3. Configure permissive firewall rules for IPsec traffic.
  4. Bring up the tunnel between the devices.

Configure IKE phase 1 parameters

Configure these settings on both devices between which the tunnel is created; the parameter values must be identical on both sides.

  1. In the GUI main menu, go to VPN → IPsec.

  2. Open the Tunnels tab.

  3. Press Add P1.

  4. Fill in the fields:

    • Key Exchange Version — IKEv2;
    • Internet Protocol — IPv4;
    • Interface — WAN. You can select any network interface from which to build the tunnel;
    • Remote Gateway — IP address of the interface of the opposite device;
    • Authentication Method — Mutual PSK. To authenticate using a certificate, specify Mutual Certificate and fill in the optional fields My Certificate and Peer Certificate Authority;
    • Negotiation Mode — Main;
    • My Identifier — My IP Address. You can specify any ID of the device on which you are configuring;
    • Peer Identifier — Peer IP Address. You can specify any identifier of the opposite device;
    • Pre-Shared Key — the shared secret used for authentication; the same value must be entered when configuring the opposite device;
    • Encryption Algorithm: Algorithm — AES; Key Length — 256 bits; HASH — SHA512; DH Group — 14.
  5. Press Save.

  6. Click Apply Changes to apply the configuration.

Configure IKE phase 2 parameters

Configure these settings on both devices between which the tunnel is created; the parameter values must be identical on both sides.

  1. In the GUI main menu, go to VPN → IPsec.

  2. Open the Tunnels tab.

  3. Click Show Phase 2 Entries under the configured phase 1 entry.

  4. Press Add P2.

  5. Fill in the fields:

    • Mode — Tunnel IPv4;
    • Local Network: Type — Network; Address — the local subnet that is reached through the tunnel;
    • Remote Network: Type — Network; Address — the subnet on the opposite side of the tunnel;
    • Protocol — ESP;
    • Encryption Algorithm: AES — AES256-GCM; Key Length — 128 bits; Hash Algorithms — SHA512; PFS Key Group — 14.
  6. Press Save.

  7. Click Apply Changes to apply the configuration.
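Both phases only succeed when the two firewalls present identical proposals, and a typo on the branch side is the usual reason a tunnel stays down. The following checker is an added example, not part of the Selectel guide: it compares the phase 1 and phase 2 values entered on each side (the dictionary layout, key names and subnets are constructed for this example, not a vendor export format) and also flags settings weaker than those the guide specifies.

```python
# Added example, not from the Selectel guide: compare phase 1/phase 2 parameters
# entered on both firewalls (the tunnel will not come up if they differ) and flag
# settings weaker than the guide's. Dictionary layout and key names are constructed.
MIN_DH_GROUP = 14                      # the guide uses group 14 for DH and PFS
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_CIPHERS = {"DES", "3DES", "BLOWFISH", "CAST128"}

# Data-center side, using the values the guide specifies (subnets constructed).
DC_SIDE = {
    "p1": {"version": "IKEv2", "cipher": "AES", "key_bits": 256, "hash": "SHA512",
           "dh_group": 14, "auth": "Mutual PSK"},
    "p2": {"mode": "Tunnel IPv4", "protocol": "ESP", "cipher": "AES256-GCM",
           "hash": "SHA512", "dh_group": 14,      # dh_group here is the PFS key group
           "local_net": "10.0.0.0/24", "remote_net": "192.168.10.0/24"},
}
# Branch side, constructed with two deliberate errors: IKEv1 and DH group 2.
BRANCH_SIDE = {
    "p1": {"version": "IKEv1", "cipher": "AES", "key_bits": 256, "hash": "SHA512",
           "dh_group": 2, "auth": "Mutual PSK"},
    "p2": {"mode": "Tunnel IPv4", "protocol": "ESP", "cipher": "AES256-GCM",
           "hash": "SHA512", "dh_group": 14,
           "local_net": "192.168.10.0/24", "remote_net": "10.0.0.0/24"},
}
# Local and remote subnets are mirrored between the two ends of the tunnel.
MIRRORED = {"local_net": "remote_net", "remote_net": "local_net"}

def find_mismatches(dc, branch):
    """Return (phase, field, dc_value, branch_value) for every field that differs."""
    diffs = []
    for phase in ("p1", "p2"):
        for field, dc_value in dc[phase].items():
            branch_value = branch[phase].get(MIRRORED.get(field, field))
            if dc_value != branch_value:
                diffs.append((phase, field, dc_value, branch_value))
    return diffs

def weak_settings(side):
    """Flag settings on one side that fall below the strength the guide uses."""
    findings = []
    if side["p1"]["version"] != "IKEv2":
        findings.append("p1: IKEv1 in use; the guide specifies IKEv2")
    for phase in ("p1", "p2"):
        cfg = side[phase]
        if cfg["cipher"].upper() in WEAK_CIPHERS:
            findings.append(f"{phase}: weak cipher {cfg['cipher']}")
        if cfg["hash"].upper() in WEAK_HASHES:
            findings.append(f"{phase}: weak hash {cfg['hash']}")
        if cfg["dh_group"] < MIN_DH_GROUP:
            findings.append(f"{phase}: DH/PFS group {cfg['dh_group']} below {MIN_DH_GROUP}")
    return findings
```

Running `find_mismatches(DC_SIDE, BRANCH_SIDE)` reports the IKE version and DH group differences, and `weak_settings(BRANCH_SIDE)` flags the same two values as below the guide's strength.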

Configure permissive rules on the firewall

A rule permitting IPsec traffic must be created on both the WAN and IPsec interfaces.

  1. In the GUI main menu, go to Firewall → Rules.

  2. Open the tab labeled with the interface name.

  3. Press Add. The rule must be placed above any blocking rules.

  4. Fill in the fields:

    • Action — Pass;
    • Interface — WAN or IPsec (one rule per interface);
    • Source — the IP address or subnet of the servers behind the firewall (for the IPsec interface, specify the subnet);
    • Destination — destination addresses to which traffic is allowed.
  5. Press Save.

  6. Click Apply Changes to apply the configuration.

Bring up the tunnel between devices

  1. In the GUI main menu, go to Status → IPsec.
  2. Open the Overview tab.
  3. Press Connect P1 and P2.