© 2023 Yandex.Cloud LLC

Creating an IPSec VPN tunnel

Written by
Yandex Cloud
  • Prepare your cloud
    • Required paid resources
  • Create networks and subnets
  • Create an IPSec instance
  • Configure IPSec
  • Set up static routing
  • Configure IPSec on a different gateway
  • Test the IPSec tunnel
  • Delete the resources you created

This scenario describes how to configure an IPSec instance for sending traffic from Yandex Cloud VMs to an IPSec VPN tunnel using the strongSwan daemon.

In the example, we set up a tunnel between two VPN gateways. To test the tunnel, you need to configure gateways on both sides of it. You can do this using a different network in Yandex Cloud or your local network.

To set up a VPN tunnel:

  1. Before you start.
  2. Create and configure an IPSec instance.
  3. Configure IPSec.
  4. Set up static routing in the cloud network.
  5. Configure IPSec on the second gateway.
  6. Test the IPSec tunnel.

If you no longer need the IPSec instance, delete it.

Prepare your cloud

Before working, you need to register in Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you have linked a billing account and that it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

Required paid resources

The cost of IPSec VPN infrastructure support includes:

  • A fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
  • A fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).

Create networks and subnets

To connect cloud resources to the internet, make sure you have networks and subnets.

Create an IPSec instance

Create a VM in Yandex Cloud to serve as a gateway for an IPSec tunnel.

  1. Open your folder and click Create resource. Select Virtual machine.

  2. Enter a name for the VM, for example, ipsec-instance.

  3. Select the availability zone of the subnet that the IPSec instance will connect to; this is the zone where the test VM is already located.

  4. Under Image/boot disk selection, go to the Cloud Marketplace tab and select an IPSec instance image.

  5. In the Network settings section, choose the required network and subnet and assign a public IP to the VM either by selecting it from the list or automatically.

    Only use static public IP addresses from the list, or make the assigned IP address static. A dynamic IP address may change after the VM reboots, and the tunnel will then stop working.

  6. In the Access field, enter the login and SSH key to access the VM.

  7. Click Create VM.

Configure IPSec

Configure a gateway with a public IP address and subnet that will establish an IPSec connection with the remote gateway.

In the example below, the public IP address of the gateway is 130.193.32.25, and the subnet behind it is 10.128.0.0/24. This gateway establishes an IPSec connection with a remote gateway whose IP address is 1.1.1.1 and behind which lies subnet 192.168.0.0/24.

  1. Connect to the VM over SSH:

    ssh 130.193.32.25
    
  2. Open the IPSec configuration:

    sudo nano /etc/ipsec.conf
    
  3. Edit the config setup section so that it looks like this:

    config setup
            charondebug="all"
            uniqueids=yes
            strictcrlpolicy=no
    
  4. Fill out the following parameters for the test connection:

    • leftid: The public IP address of the IPSec instance.
    • leftsubnet: The CIDR of the subnet that the IPSec instance is connected to.
    • right: The public IP address of the gateway at the other end of the VPN tunnel.
    • rightsubnet: The CIDR of the subnet behind the VPN gateway at the other end of the tunnel.
    • ike and esp: The encryption algorithms that the remote gateway supports. The algorithms strongSwan supports are listed on the strongSwan website: IKEv1 and IKEv2.
    • For the rest of the settings, refer to the strongSwan documentation, taking the remote gateway settings into account.

    Save your changes and close the file.

    The configuration should look like this:

    conn cloud-to-hq
          authby=secret
          left=%defaultroute
          leftid=130.193.32.25
          leftsubnet=10.128.0.0/24
          right=1.1.1.1
          rightsubnet=192.168.0.0/24
          ike=aes256-sha2_256-modp1024!
          esp=aes256-sha2_256!
          keyingtries=0
          ikelifetime=1h
          lifetime=8h
          dpddelay=30
          dpdtimeout=120
          dpdaction=restart
          auto=start
    
    If the IPSec instance and the resources you need to link to the VPN tunnel are in the same subnet:

    Add passthrough rules that keep traffic to the default gateway and to the IPSec instance's own interface out of the tunnel:

    conn passthrough-1
       left=%defaultroute
       leftsubnet=<IP_address_of_the_default_subnet_gateway>
       rightsubnet=10.0.0.0/8
       type=passthrough
       auto=route
    conn passthrough-2
       left=%defaultroute
       leftsubnet=<internal_IP_address_of_IPSec_instance>
       rightsubnet=10.0.0.0/8
       type=passthrough
       auto=route
    

    Where:

    • <IP_address_of_the_default_subnet_gateway>: CIDR of the subnet that hosts the IPSec instance and the resources you need to link over the VPN tunnel.
    • <internal_IP_address_of_IPSec_instance>: Internal IP address of the VM running the IPSec instance.

    With these rules in place, the IPSec instance stays reachable for diagnostics and still responds to ICMP.

    Note

    To speed up data transfer in the tunnel, use optimized encryption algorithms. To do this, add the following lines to the connection configuration above:

       keyexchange=ikev2
       ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
       esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
    

    Whether the optimized algorithms can be used depends on how the IPsec stack is implemented on your platform.

  5. Open the file /etc/ipsec.secrets and enter the pre-shared key (PSK) for the two gateway addresses:

    130.193.32.25 1.1.1.1 : PSK "<password>"
    
  6. Restart strongSwan:

    sudo systemctl restart strongswan-starter
    

Set up static routing

Set up routing between the IPSec instance and the previously created VM that has no public IP address.

Create a route table and add static routes:

  1. Open the Virtual Private Cloud section in the folder where you need to create a static route.

  2. Select the network to create the route table in.

  3. Click Create a routing table.

  4. Enter a name for the route table.

    • The length can be from 3 to 63 characters.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • The first character must be a letter. The last character can't be a hyphen.
  5. Click Add route.

  6. In the window that opens, enter the prefix of the remote side destination subnet. In the example, this is 192.168.0.0/24.

  7. In the Next hop field, enter the internal IP address of the IPSec gateway. Click Add.

  8. Click Create route table.

To use static routes, link the route table to a subnet. To do this:

  1. In the line with the desired subnet, click the menu icon.
  2. In the menu that opens, select Link route table.
  3. In the window that opens, select the created table from the list.
  4. Click Link.

You can also use the created route for other subnets in the same network.

Configure IPSec on a different gateway

For the VPN tunnel to work, you need to set up another IPSec gateway. You can create another cloud network with a subnet in your folder and create an IPSec instance from an image, or use a machine in your local network as a gateway.

  1. Configure strongSwan the same as the first IPSec gateway, but swap IP addresses and subnets in the /etc/ipsec.conf file:

    conn hq-to-cloud
          authby=secret
          left=%defaultroute
          leftid=1.1.1.1
          leftsubnet=192.168.0.0/24
          right=130.193.32.25
          rightsubnet=10.128.0.0/24
          ike=aes256-sha2_256-modp1024!
          esp=aes256-sha2_256!
          keyingtries=0
          ikelifetime=1h
          lifetime=8h
          dpddelay=30
          dpdtimeout=120
          dpdaction=restart
          auto=start
    

    Note

    To speed up data transfer in the tunnel, use optimized encryption algorithms. To do this, add the following lines to the connection configuration above:

       keyexchange=ikev2
       ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
       esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
    

    Whether the optimized algorithms can be used depends on how the IPsec stack is implemented on your platform.

  2. Enter the same pre-shared key in /etc/ipsec.secrets, with the gateway IP addresses swapped:

    1.1.1.1 130.193.32.25 : PSK "<password>"
    
  3. Restart strongSwan:

    sudo systemctl restart strongswan-starter
    
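
The two conn sections have to mirror each other exactly (leftid/right and leftsubnet/rightsubnet swapped, identical ike, esp and authby values), and the PSK line on each side has to name the same pair of gateway addresses with the same secret; a single mismatch is the most common reason the tunnel never comes up. The following Python script is an added example, not part of the Yandex Cloud tutorial or of strongSwan: it embeds the tutorial's two conn sections and secrets lines as constructed sample input, reports any parameter that does not mirror, and also flags the modp1024 Diffie-Hellman group in the ike= line, since a 1024-bit MODP group is too weak for new deployments (the ecp256/ecp384 proposals from the Note pass the check). Function and constant names are the example's own; IPv4 gateway IDs are assumed.

```python
"""Offline consistency check for a pair of strongSwan site-to-site configs.

Added example for this tutorial; the constructed samples below are the
tutorial's two conn sections and ipsec.secrets lines. IPv4 gateway IDs
are assumed (the secrets parser splits on the first ':').
"""
import re

# Constructed sample input: what /etc/ipsec.conf holds on the cloud gateway.
CLOUD_CONF = """\
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn cloud-to-hq
      authby=secret
      left=%defaultroute
      leftid=130.193.32.25
      leftsubnet=10.128.0.0/24
      right=1.1.1.1
      rightsubnet=192.168.0.0/24
      ike=aes256-sha2_256-modp1024!
      esp=aes256-sha2_256!
      keyingtries=0
      auto=start
"""

# Constructed sample input: the mirrored config on the HQ gateway.
HQ_CONF = """\
conn hq-to-cloud
      authby=secret
      left=%defaultroute
      leftid=1.1.1.1
      leftsubnet=192.168.0.0/24
      right=130.193.32.25
      rightsubnet=10.128.0.0/24
      ike=aes256-sha2_256-modp1024!
      esp=aes256-sha2_256!
      keyingtries=0
      auto=start
"""

# Constructed sample input: the /etc/ipsec.secrets line on each side.
CLOUD_SECRETS = '130.193.32.25 1.1.1.1 : PSK "<password>"'
HQ_SECRETS = '1.1.1.1 130.193.32.25 : PSK "<password>"'

# MODP groups of 1536 bits or less are too weak for new deployments.
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if line.startswith("config "):               # 'config setup' is not a conn
            current = None
        elif line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_secret(line):
    """Parse 'id1 id2 : PSK "secret"' into (frozenset of IDs, secret)."""
    ids, _, rest = line.partition(":")
    match = re.match(r'\s*PSK\s+"(.*)"\s*$', rest)
    if match is None:
        raise ValueError(f"not a PSK entry: {line!r}")
    return frozenset(ids.split()), match.group(1)


def mirror_findings(local, remote):
    """List every way the two conn sections fail to mirror each other (empty = consistent)."""
    findings = []
    for here, there in (("leftid", "right"), ("right", "leftid"),
                        ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if local.get(here) != remote.get(there):
            findings.append(f"{here}={local.get(here)} does not mirror {there}={remote.get(there)}")
    for key in ("authby", "ike", "esp"):               # both peers must offer the same proposals
        if local.get(key) != remote.get(key):
            findings.append(f"{key} differs: {local.get(key)!r} vs {remote.get(key)!r}")
    return findings


def weak_dh_groups(conn):
    """Return the weak Diffie-Hellman groups named in the conn's ike= proposals."""
    proposals = conn.get("ike", "").rstrip("!").split(",")
    return [tok for prop in proposals for tok in prop.split("-") if tok in WEAK_DH_GROUPS]


def secrets_match(local_line, remote_line):
    """True when both ipsec.secrets entries name the same two gateway IDs and the same PSK."""
    return parse_secret(local_line) == parse_secret(remote_line)


if __name__ == "__main__":
    cloud = parse_conns(CLOUD_CONF)["cloud-to-hq"]
    hq = parse_conns(HQ_CONF)["hq-to-cloud"]
    for finding in mirror_findings(cloud, hq):
        print("MISMATCH:", finding)
    for group in weak_dh_groups(cloud):
        print(f"WEAK: ike= uses {group}; prefer modp2048 or an ecp group")
    print("PSK entries match:", secrets_match(CLOUD_SECRETS, HQ_SECRETS))
```

To check a real deployment, paste the conn section from each gateway's /etc/ipsec.conf and the matching line from each /etc/ipsec.secrets into the sample constants; the secret itself is compared only for equality and never printed.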

Test the IPSec tunnel

To make sure the tunnel between the gateways is up, run the following command on either gateway:

sudo ipsec status
Security Associations (1 up, 0 connecting):
 hq-to-cloud[3]: ESTABLISHED 29 minutes ago, 10.128.0.26[130.193.33.12]...192.168.0.23[1.1.1.1]
 hq-to-cloud{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7fa371d_i ce8b91ad_o
 hq-to-cloud{3}: 10.128.0.0/24 === 192.168.0.0/24

The ESTABLISHED status means that the IKE security association between the gateways is up; the INSTALLED line below it shows that the ESP tunnel for the listed subnets is in place.

To check the status of the strongSwan daemon, run the systemctl status strongswan-starter command:

systemctl status strongswan-starter
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 14:54:07 UTC; 3 days ago
 Main PID: 481 (starter)
    Tasks: 18 (limit: 1117)
   CGroup: /system.slice/strongswan-starter.service
           ├─481 /usr/lib/ipsec/starter --daemon charon --nofork
           └─527 /usr/lib/ipsec/charon

To view strongSwan logs, run the journalctl -u strongswan-starter command. The logs contain information about connections.
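
A tunnel can report ESTABLISHED while still carrying the wrong traffic selectors, so a check that only greps for that word is not enough. The following Python script is an added example, not part of the tutorial or of strongSwan: it parses ipsec status output and confirms that, for the expected connection name, the IKE SA is ESTABLISHED, the child SA is INSTALLED in TUNNEL mode, and the negotiated selectors include exactly the local and remote subnets you configured. The embedded status text is a constructed copy of the sample output shown above; function and pattern names are the example's own.

```python
"""Check 'ipsec status' output for an established site-to-site tunnel.

Added example for this tutorial, not part of strongSwan. The sample text
below is constructed from the status output shown in the tutorial.
"""
import re
import subprocess
import sys

SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
 hq-to-cloud[3]: ESTABLISHED 29 minutes ago, 10.128.0.26[130.193.33.12]...192.168.0.23[1.1.1.1]
 hq-to-cloud{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7fa371d_i ce8b91ad_o
 hq-to-cloud{3}: 10.128.0.0/24 === 192.168.0.0/24
"""

# IKE SA line:      name[N]: STATE ...
IKE_RE = re.compile(r"^\s*(?P<name>[^\s\[]+)\[\d+\]:\s+(?P<state>[A-Z]+)")
# CHILD SA line:    name{N}: STATE, TUNNEL|TRANSPORT, ...
CHILD_RE = re.compile(r"^\s*(?P<name>[^\s{]+)\{\d+\}:\s+(?P<state>[A-Z]+),\s+(?P<mode>TUNNEL|TRANSPORT)")
# selector line:    name{N}: local/prefix === remote/prefix
TS_RE = re.compile(r"^\s*(?P<name>[^\s{]+)\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)")


def parse_status(text):
    """Return {conn_name: {"ike", "child", "mode", "local_ts", "remote_ts"}} from ipsec status text."""
    conns = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conns.setdefault(m["name"], {})["ike"] = m["state"]
            continue
        m = CHILD_RE.match(line)
        if m:
            entry = conns.setdefault(m["name"], {})
            entry["child"], entry["mode"] = m["state"], m["mode"]
            continue
        m = TS_RE.match(line)
        if m:
            entry = conns.setdefault(m["name"], {})
            entry.setdefault("local_ts", []).append(m["local"])
            entry.setdefault("remote_ts", []).append(m["remote"])
    return conns


def tunnel_up(conns, name, local_subnet, remote_subnet):
    """True only if the IKE SA is ESTABLISHED, the child SA is INSTALLED in tunnel mode,
    and the negotiated traffic selectors include the expected local and remote subnets."""
    entry = conns.get(name)
    if entry is None:
        return False
    return (entry.get("ike") == "ESTABLISHED"
            and entry.get("child") == "INSTALLED"
            and entry.get("mode") == "TUNNEL"
            and local_subnet in entry.get("local_ts", [])
            and remote_subnet in entry.get("remote_ts", []))


if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: sudo python3 check_tunnel.py <conn> <local_subnet> <remote_subnet>
        text = subprocess.run(["ipsec", "status"], capture_output=True, text=True, check=True).stdout
        name, local, remote = sys.argv[1:]
    else:                    # no arguments: evaluate the constructed sample above
        text, name, local, remote = SAMPLE_STATUS, "hq-to-cloud", "10.128.0.0/24", "192.168.0.0/24"
    up = tunnel_up(parse_status(text), name, local, remote)
    print(f"{name}: {'UP' if up else 'NOT UP'}")
    sys.exit(0 if up else 1)
```

Run with no arguments to evaluate the embedded sample; on a gateway, run it with sudo and the connection name and both subnets as arguments, and its exit code can drive a cron job or monitoring probe.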

Delete the resources you created

If you no longer need the IPSec instance, delete the ipsec-instance VM.
