© 2022 Yandex.Cloud LLC

Creating an IPSec VPN tunnel

Written by
Yandex Cloud
  • Before you start
    • Required paid resources
  • Create networks and subnets
  • Create an IPSec instance
  • Configure IPSec
  • Set up static routing
  • Configure IPSec on a different gateway
  • Test the IPSec tunnel
  • Delete the resources you created

This scenario describes how to configure an IPSec instance for sending traffic from Yandex Cloud VMs to an IPSec VPN tunnel using the strongSwan daemon.

In the example, we set up a tunnel between two VPN gateways. To test the tunnel, you need to configure gateways on both sides of it. You can do this using a different network in Yandex Cloud or your local network.

To set up a VPN tunnel:

  1. Before you start.
  2. Create and configure an IPSec instance.
  3. Configure IPSec.
  4. Set up static routing in the cloud network.
  5. Configure IPSec on the second gateway.
  6. Test the IPSec tunnel.

If you no longer need the IPSec instance, delete it.

Before you start

Before working, you need to register in Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

Required paid resources

The cost of IPSec VPN infrastructure support includes:

  • A fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • A fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).

Create networks and subnets

To connect cloud resources to the internet, make sure you have networks and subnets.

Create an IPSec instance

Create a VM in Yandex Cloud to serve as a gateway for an IPSec tunnel.

  1. Open your folder and click Create resource. Select Virtual machine.

  2. Enter a name for the VM, for example, ipsec-instance.

  3. Select the availability zone of the subnet the IPSec instance will connect to; this is the zone where the test VM is already located.

  4. Under Images from Cloud Marketplace, click Select and select the IPSec instance image.

  5. In the Network settings section, choose the required network and subnet and assign a public IP to the VM either by selecting it from the list or automatically.

    Only use static public IP addresses from the list or make the IP address static. Dynamic IP addresses may change after the VM reboots and the tunnel will no longer work.

  6. In the Access field, enter the login and SSH key to access the VM.

  7. Click Create VM.

Configure IPSec

Configure a gateway with a public IP address and subnet that will establish an IPSec connection with the remote gateway.

In the example below, the public IP address of the gateway is 130.193.32.25. Beyond the gateway is subnet 10.128.0.0/24. This gateway establishes an IPSec connection with a remote gateway with the IP address 1.1.1.1, which leads to subnet 192.168.0.0/24.

  1. Connect to the virtual machine over SSH:

    ssh 130.193.32.25
    
  2. Open the IPSec configuration:

    sudo nano /etc/ipsec.conf
    
  3. Edit config setup to look like the following:

    config setup
            charondebug="all"
            uniqueids=yes
            strictcrlpolicy=no
    
  4. Fill out the following parameters for the test connection:

    • leftid: The public IP address of the IPSec instance.
    • leftsubnet: The CIDR of the subnet that the IPSec instance is connected to.
    • right: Enter the public IP address of the gateway at the other end of the VPN tunnel.
    • rightsubnet: Enter the CIDR of the subnet that the VPN gateway is connected to at the other end of the tunnel.
    • In the ike and esp parameters, enter the encryption algorithms supported by the remote gateway. The algorithms strongSwan supports are listed on the strongSwan website for IKEv1 and IKEv2.
    • For the rest of the settings, refer to the strongSwan documentation, being sure to take the remote gateway settings into account.

    Save your changes and close the file.

    The configuration should look like this:

    conn cloud-to-hq
          authby=secret
          left=%defaultroute
          leftid=130.193.32.25
          leftsubnet=10.128.0.0/24
          right=1.1.1.1
          rightsubnet=192.168.0.0/24
          ike=aes256-sha2_256-modp1024!
          esp=aes256-sha2_256!
          keyingtries=0
          ikelifetime=1h
          lifetime=8h
          dpddelay=30
          dpdtimeout=120
          dpdaction=restart
          auto=start
    

    Note

    To speed up data transfer in the tunnel, use optimized encryption algorithms. To do this, add the following lines to the code above:

       keyexchange=ikev2
       ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
       esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
    

    Whether the optimized algorithms can be used depends on the IPSec stack implemented on your platform.

  5. Open the /etc/ipsec.secrets file and enter the pre-shared key (PSK) used as the password for the connection:

    130.193.32.25 1.1.1.1 : PSK "<password>"
    
  6. Restart strongSwan:

    sudo systemctl restart strongswan-starter
    

Set up static routing

Set up routing between the IPSec instance and the previously created VM with no public IP address.

Create a route table and add static routes:

  1. Open the Virtual Private Cloud section in the folder where you want to create a static route.

  2. Select the network to create the route table in.

  3. Click Create a routing table.

  4. Enter a name for the route table.

    • The length can be from 3 to 63 characters.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • The first character must be a letter. The last character can't be a hyphen.
  5. Click Add route.

  6. In the window that opens, enter the prefix of the remote side destination subnet. In the example, this is 192.168.0.0/24.

  7. In the Next hop field, enter the internal IP address of the IPSec gateway. Click Add.

  8. Click Create route table.

To use static routes, link the route table to a subnet. To do this:

  1. In the line with the desired subnet, click .
  2. In the menu that opens, select Link route table.
  3. In the window that opens, select the created table from the list.
  4. Click Link.

You can also use the created route for other subnets in the same network.

Configure IPSec on a different gateway

For the VPN tunnel to work, you need to set up another IPSec gateway. You can create another cloud network with a subnet in your folder and create an IPSec instance from an image, or use a machine in your local network as a gateway.

  1. Configure strongSwan the same as the first IPSec gateway, but swap IP addresses and subnets in the /etc/ipsec.conf file:

    conn hq-to-cloud
          authby=secret
          left=%defaultroute
          leftid=1.1.1.1
          leftsubnet=192.168.0.0/24
          right=130.193.32.25
          rightsubnet=10.128.0.0/24
          ike=aes256-sha2_256-modp1024!
          esp=aes256-sha2_256!
          keyingtries=0
          ikelifetime=1h
          lifetime=8h
          dpddelay=30
          dpdtimeout=120
          dpdaction=restart
          auto=start
    

    Note

    To speed up data transfer in the tunnel, use optimized encryption algorithms. To do this, add the following lines to the code above:

       keyexchange=ikev2
       ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
       esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
    

    Whether the optimized algorithms can be used depends on the IPSec stack implemented on your platform.

  2. Enter the same pre-shared key in /etc/ipsec.secrets, after the swapped gateway IP addresses:

    1.1.1.1 130.193.32.25 : PSK "<password>"
    
  3. Restart strongSwan:

    sudo systemctl restart strongswan-starter
    
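Both gateways' conn blocks (the cloud side in Configure IPSec and the mirrored hq-to-cloud side above) must match each other exactly, with IDs and subnets swapped. The helper below is an added example, not part of the Yandex Cloud tutorial: it generates one side's conn block from the tutorial's values, derives the peer's block by swapping the sides, and writes the ipsec.secrets line; it uses the IKEv2 proposals from the tutorial's note, which your platform's IPSec stack must support.

```shell
#!/bin/sh
# Added example (not from the tutorial). Generating both sides from one set
# of values avoids the usual IPsec failure: IDs or traffic selectors that
# do not mirror each other on the two gateways.

# Usage: ipsec_conn NAME LEFT_ID LEFT_SUBNET RIGHT_ID RIGHT_SUBNET
ipsec_conn() {
  name=$1 left_id=$2 left_subnet=$3 right_id=$4 right_subnet=$5
  cat <<EOF
conn $name
      authby=secret
      left=%defaultroute
      leftid=$left_id
      leftsubnet=$left_subnet
      right=$right_id
      rightsubnet=$right_subnet
      keyexchange=ikev2
      ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
      esp=aes128gcm16-ecp256,aes256gcm16-ecp384!
      keyingtries=0
      ikelifetime=1h
      lifetime=8h
      dpddelay=30
      dpdtimeout=120
      dpdaction=restart
      auto=start
EOF
}

# The peer's block is the same call with the two sides swapped.
# Usage: ipsec_conn_peer NAME LEFT_ID LEFT_SUBNET RIGHT_ID RIGHT_SUBNET
ipsec_conn_peer() {
  ipsec_conn "$1" "$4" "$5" "$2" "$3"
}

# ipsec.secrets line: local ID, peer ID, then the PSK. The PSK must be the
# same string on both gateways.
# Usage: ipsec_secret LOCAL_ID PEER_ID PSK
ipsec_secret() {
  printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Generate a random 32-byte PSK once and copy it to both gateways
# (requires openssl).
new_psk() { openssl rand -base64 32; }

# Example with the tutorial's addresses (append to /etc/ipsec.conf on the cloud side):
# ipsec_conn cloud-to-hq 130.193.32.25 10.128.0.0/24 1.1.1.1 192.168.0.0/24
# ipsec_conn_peer hq-to-cloud 130.193.32.25 10.128.0.0/24 1.1.1.1 192.168.0.0/24
```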

Test the IPSec tunnel

To make sure the tunnel between the gateways is up, run the following command on either gateway:

sudo ipsec status
Security Associations (1 up, 0 connecting):
 hq-to-cloud[3]: ESTABLISHED 29 minutes ago, 10.128.0.26[130.193.33.12]...192.168.0.23[1.1.1.1]
 hq-to-cloud{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7fa371d_i ce8b91ad_o
 hq-to-cloud{3}:   10.128.0.0/24 === 192.168.0.0/24

The ESTABLISHED status means that a tunnel between gateways was created.
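Reading the status by eye does not scale to a monitoring check. The function below is an added example, not part of the tutorial: it parses ipsec status output from stdin and succeeds only when the IKE SA for the named connection is ESTABLISHED, its CHILD SA is INSTALLED, and the negotiated traffic selectors are the subnets you expect. The sample outputs are constructed from the tutorial's example.

```shell
#!/bin/sh
# Added example (not from the tutorial).
# Usage: sudo ipsec status | tunnel_ok CONN LEFT_SUBNET RIGHT_SUBNET
# Exit status 0 = tunnel up with the expected selectors; 1 = not up, with
# the reason on stderr (suitable for cron or a monitoring agent).
tunnel_ok() {
  conn=$1 left=$2 right=$3
  status=$(cat)
  # IKE SA line, e.g. " hq-to-cloud[3]: ESTABLISHED 29 minutes ago, ..."
  if ! printf '%s\n' "$status" | grep -q "^ *$conn\[[0-9]*\]: ESTABLISHED"; then
    echo "IKE SA for $conn is not ESTABLISHED" >&2; return 1
  fi
  # CHILD SA line, e.g. " hq-to-cloud{3}:  INSTALLED, TUNNEL, reqid 3, ..."
  if ! printf '%s\n' "$status" | grep -q "^ *$conn{[0-9]*}: *INSTALLED, TUNNEL"; then
    echo "CHILD SA for $conn is not INSTALLED" >&2; return 1
  fi
  # Traffic selectors line, e.g. " hq-to-cloud{3}:   10.128.0.0/24 === 192.168.0.0/24"
  if ! printf '%s\n' "$status" | grep -q "^ *$conn{[0-9]*}: *$left === $right$"; then
    echo "selectors for $conn are not $left === $right" >&2; return 1
  fi
  return 0
}

# Constructed sample: the tutorial's healthy output.
sample_up() {
  cat <<'EOF'
Security Associations (1 up, 0 connecting):
 hq-to-cloud[3]: ESTABLISHED 29 minutes ago, 10.128.0.26[130.193.33.12]...192.168.0.23[1.1.1.1]
 hq-to-cloud{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7fa371d_i ce8b91ad_o
 hq-to-cloud{3}:   10.128.0.0/24 === 192.168.0.0/24
EOF
}

# Constructed sample: IKE still negotiating (e.g. PSK mismatch or peer unreachable).
sample_connecting() {
  cat <<'EOF'
Security Associations (0 up, 1 connecting):
 hq-to-cloud[4]: CONNECTING, 10.128.0.26[%any]...1.1.1.1[%any]
EOF
}
```

Run it on a gateway as `sudo ipsec status | tunnel_ok hq-to-cloud 10.128.0.0/24 192.168.0.0/24` and alert on a non-zero exit status.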

To check the status of the strongSwan daemon, run the systemctl status strongswan-starter command:

systemctl status strongswan-starter
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 14:54:07 UTC; 3 days ago
 Main PID: 481 (starter)
    Tasks: 18 (limit: 1117)
   CGroup: /system.slice/strongswan-starter.service
           ├─481 /usr/lib/ipsec/starter --daemon charon --nofork
           └─527 /usr/lib/ipsec/charon

To view strongSwan logs, run the journalctl -u strongswan-starter command. The logs contain information about connections.

Delete the resources you created

If you no longer need the IPSec instance, delete the ipsec-instance VM.
