Creating an IPSec VPN tunnel

This scenario describes how to configure an IPSec instance for sending traffic from Yandex Cloud VMs to an IPSec VPN tunnel using the strongSwan daemon.

In the example, we set up a tunnel between two VPN gateways. To test the tunnel, you need to configure gateways on both sides of it. You can do this using a different network in Yandex Cloud or your local network.

To set up a VPN tunnel:

1. Before you start.
2. Create and configure an IPSec instance.
3. Configure IPSec.
4. Set up static routing in the cloud network.
5. Configure IPSec on the second gateway.
6. Test the IPSec tunnel.

If you no longer need the IPSec instance, delete it.

Before you start

Before working, you need to register in Yandex Cloud and create a billing account:

1. Go to the management console. Then log in to Yandex Cloud or sign up if don't already have an account.
2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

Required paid resources

The cost of IPSec VPN infrastructure support includes:

• A fee for continuously running VMs (see pricingYandex Compute Cloud).
• A fee for using a dynamic external IP address (see pricing Yandex Virtual Private Cloud).

Create networks and subnets

To connect cloud resources to the internet, make sure you have networks and subnets.

Create an IPSec instance

Create a VM in Yandex Cloud to serve as a gateway for an IPSec tunnel.

1. Open your folder and click Create resource. Select Virtual machine.

2. Enter a name for the VM, for example, ipsec-instance.

3. Select the subnet availability zone to connect the IPSec instance to and where the test VM is already located.

4. Under Images from Cloud Marketplace, click Select and select the IPSec instance image.

5. In the Network settings section, choose the required network and subnet and assign a public IP to the VM either by selecting it from the list or automatically.

   Only use static public IP addresses from the list or make the IP address static. Dynamic IP addresses may change after the VM reboots and the tunnel will no longer work.

6. In the Access field, enter the login and SSH key to access the VM.

7. Click Create VM.

Configure IPSec

Configure a gateway with a public IP address and subnet that will establish an IPSec connection with the remote gateway.

In the example below, the public IP address of the gateway is 130.193.32.25. Beyond the gateway is subnet 10.128.0.0/24. This gateway establishes an IPSec connection with a remote gateway with the IP address 1.1.1.1, which leads to subnet 192.168.0.0/24.

1. Connect to the virtual machine over SSH:

   ssh 130.193.32.25
   

2. Open the IPSec configuration:

   sudo nano /etc/ipsec.conf
   

3. Edit config setup to look like the following:

   config setup
           charondebug="all"
           uniqueids=yes
           strictcrlpolicy=no
   

4. Fill out the following parameters for the test connection:

   • leftid: The public IP address of the IPSec instance.
   • leftsubnet: The CIDR of the subnet that the IPSec instance is connected to.
   • right: Enter the public IP address of the gateway at the other end of the VPN tunnel.
   • rightsubnet: Enter the CIDR of the subnet that the VPN gateway is connected to at the other end of the tunnel.
   • In the ike and esp parameters, enter the encryption algorithms that are supported on the remote gateway. The supported encryption algorithms are listed on the strongSwan website: IKEv1 and IKEv2.
   • For the rest of the settings, refer to the strongSwan documentation, being sure to take the remote gateway settings into account.

   Save your changes and close the file.

   The configuration should look like this:

   conn cloud-to-hq
         authby=secret
         left=%defaultroute
         leftid=130.193.32.25
         leftsubnet=10.128.0.0/24
         right=1.1.1.1
         rightsubnet=192.168.0.0/24
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0
         ikelifetime=1h
         lifetime=8h
         dpddelay=30
         dpdtimeout=120
         dpdaction=restart
         auto=start
   

   Note

   To speed up data transfer in the tunnel, use optimized encryption algorithms. To do this, add the following lines to the code above:

      keyexchange=ikev2
      ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
      esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
   

   The optimized algorithms can or cannot be used depending on whether the IPSEC stack is implemented on your platform.

5. Open the file /etc/ipsec.secrets and enter your password:

   130.193.32.25 1.1.1.1 : PSK "<password>"
   

6. Restart strongSwan:

   systemctl restart strongswan-starter
   

Set up static routing

Set up routing between the IPSec instance and previously created VM with no public IP address:

Create a route table and add static routes:

1. Open the Virtual Private Cloud section in the folder where you want to create a static route.

2. Select the network to create the route table in.

3. Click Create a routing table.

4. Enter a name for the route table.

   • The length can be from 3 to 63 characters.
   • It may contain lowercase Latin letters, numbers, and hyphens.
   • The first character must be a letter. The last character can't be a hyphen.

5. Click Add route.

6. In the window that opens, enter the prefix of the remote side destination subnet. In the example, this is 192.168.0.0/24.

7. In the Next hopfield, enter the internal IP address of the IPSec gateway. Click Add.

8. Click Create route table.

To use static routes, link the route table to a subnet. To do this:

1. In the line with the desired subnet, click .
2. In the menu that opens, select Link route table.
3. In the window that opens, select the created table from the list.
4. Click Link.

You can also use the created route for other subnets in the same network.

Configure IPSec on a different gateway

For the VPN tunnel to work, you need to set up another IPSec gateway. You can create another cloud network with a subnet in your folder and create an IPSec instance from an image, or use a machine in your local network as a gateway.

1. Configure strongSwan the same as the first IPSec gateway, but swap IP addresses and subnets in the /etc/ipsec.conf file:

   conn hq-to-cloud
         authby=secret
         left=%defaultroute
         leftid=1.1.1.1
         leftsubnet=192.168.0.0/24
         right=130.193.32.25
         rightsubnet=10.128.0.0/24
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0
         ikelifetime=1h
         lifetime=8h
         dpddelay=30
         dpdtimeout=120
         dpdaction=restart
         auto=start
   

   Note

   To speed up data transfer in the tunnel, use optimized encryption algorithms. To do this, add the following lines to the code above:

      keyexchange=ikev2
      ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
      esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
   

   The optimized algorithms can or cannot be used depending on whether the IPSEC stack is implemented on your platform.

2. Enter your password in /etc/ipsec.secrets after the swapped gateway IP addresses:

   1.1.1.1 130.193.32.25 : PSK "<password>"
   

3. Restart strongSwan:

   systemctl restart strongswan-starter
   

Test the IPSec tunnel

To make sure the tunnel between gateways is set up, run on any of the gateways the following command:

sudo ipsec status
Security Associations (1 up, 0 connecting):
 hq-to-cloud[3]: ESTABLISHED 29 minutes ago, 10.128.0.26[130.193.33.12]...192.168.0.23[1.1.1.1]
 hq-to-cloud{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7fa371d_i ce8b91ad_o
 hq-to-cloud{3}:   10.128.0.0/24 === 192.168.0.0/24

The ESTABLISHED status means that a tunnel between gateways was created.

To check the status of the strongSwan daemon, run the systemctl status strongswan-starter command:

systemctl status strongswan-starter
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 14:54:07 UTC; 3 days ago
 Main PID: 481 (starter)
    Tasks: 18 (limit: 1117)
   CGroup: /system.slice/strongswan-starter.service
           ├─481 /usr/lib/ipsec/starter --daemon charon --nofork
           └─527 /usr/lib/ipsec/charon

To view strongSwan logs, run the journalctl -u strongswan-starter command. The logs contain information about connections.

Delete the resources you created

If you no longer need the IPSec instance, delete the ipsec-instance VM.