Add a VPN Connection to the Cloud Router
Prerequisites
All you need is a compatible VPN device, and you need to know the public IP address to connect to that device.
The following devices have been verified as compatible with our VPN service:
Cisco ASA 9.8.1+
Cisco IOS
Fortigate
Juniper Netscreen
Juniper SRX
Palo Alto Networks NGFW 8.0.0+
Pfsense
SonicWall
strongSwan
WatchGuard
Create a PacketFabric Cloud Router connection
Log in to the PacketFabric portal and select Cloud Routers on the left.
Expand the Cloud Router you are using and click Connect.
Select cloud provider
Select IPSec VPN.
Configure
- OnRamp
- Select the location that is closest to you.
- Speed
- Select a speed/bandwidth for the connection. We support up to 2 Gbps.
- Remote IKE Gateway Address
- The gateway address of your VPN device. Because VPNs traverse the public internet, this must be a public IP address owned by you.
- Once the connection is created, we will provide a local gateway IKE address, which will be available from the connection details page.
- Shared Key
- Enter a pre-shared key of your choice. There are also a number of key generators that you can use.
- Description
- Provide a meaningful name for the connection.
- IPSec Presets
- Select the on-premises device you are using. This will populate the fields below with the supported values for that device.
- If you do not see your device, you can leave this field blank and make your selections from the choices available.
NOTE: The following values are pre-populated based on your selection above. Depending on the device, some fields may or may not be editable.
For a list of all possible options, see See VPN Configuration.
- IKE Version
- Select the Internet Key Exchange (IKE) version supported by your device. In most cases, this is v2 (v1 is deprecated).
- Phase 1 Encryption Algo
- The encryption algorithm to use during phase 1.
- Phase 1 Group
- Phase 1 is when the VPN peers are authenticated and we establish security associations (SAs) to protect IKE messaging between the two endpoints (which in this case is PacketFabric and your VPN device). This is also known as the IKE phase.
-
The Phase 1 group is the Diffie-Hellman (DH) algorithm used to create a shared secret between the endpoints.
- Phase 1 Auth Algo
- The authentication algorithm to use during phase 1.
- Phase 1 Lifetime
- The time in seconds before a tunnel will need to re-authenticate. The phase 1 lifetime should be equal to or longer than phase 2.
- Phase 2 PFS Group
- Phase 2 is when SAs are further established to protect and encrypt IP traffic within the tunnel. This is also known as the IPsec phase.
- The PFS group is the Perfect Forward Secrecy group. This means that rather than using the keys from phase 1, new keys are generated per the selected Diffie-Hellman algorithm (same as those listed above).
- Phase 2 Auth Algo
- The authentication algorithm to use during phase 2.
- Phase 2 Encryption Algo
- The encryption algorithm to use during phase 2.
- Phase 2 Lifetime
- The time in seconds before phase 2 expires and needs to reauthenticate. We recommend that the phase 2 lifetime is equal to or shorter than phase 1.
Under the billing section on the right, select a term and the appropriate billing account to use. You can also optionally specify a PO number to associate with the service. The PO number will be included on your monthly invoice.
Click Place order.
Next steps
Configure BGP for the connection. For more information, see Configure BGP for VPN Connections.
You can also gather the information necessary to configure your connection, such as the public IP address for the Cloud Router. See VPN Configuration.