Add a VPN Connection to the Cloud Router

Prerequisites

All you need is a compatible VPN device and the public IP address used to connect to that device.

The following devices have been verified as compatible with our VPN service:

Cisco ASA 9.8.1+
Cisco IOS
FortiGate
Juniper Netscreen
Juniper SRX
Palo Alto Networks NGFW 8.0.0+
pfSense
SonicWall
strongSwan
WatchGuard

Create a PacketFabric Cloud Router connection

  1. Log in to the PacketFabric portal and select Cloud Routers.

  2. From the Cloud Router overflow menu, select Create Connection.

  3. Select IPsec VPN.

Configure

Complete the following fields and then click Next.

Location and Capacity
Location
Select the location that is closest to you.
Capacity
Select a bandwidth for the connection. We support up to 2 Gbps.
Remote IKE Gateway Address
The gateway address of your VPN device. Because VPNs traverse the public internet, this must be a public IP address owned by you.
Once the connection is created, we will provide a local gateway IKE address, which will be available from the connection details page.
Shared Key
Enter a pre-shared key of your choice. There are also a number of key generators that you can use.
Description
Provide a meaningful name for the connection.
IPsec Presets

Select the on-premises device you are using. This will populate the IPsec Configuration section with the supported values for that device.

If you do not see your device, you can leave this field blank and make your selections from the choices available.

IPsec Configuration

These values are pre-populated based on your selection above. Depending on the device, some fields may or may not be editable.

IKE Version
Select the Internet Key Exchange (IKE) version supported by your device. In most cases, this is v2 (v1 is deprecated).
Phase 1 Group
Phase 1 is when the VPN peers are authenticated and security associations (SAs) are established to protect IKE messaging between the two endpoints (which in this case are PacketFabric and your VPN device). This is also known as the IKE phase.

The Phase 1 group is the Diffie-Hellman (DH) group used to create a shared secret between the endpoints.

Depending on the device, your options are:

Group 5—1536 bit modulus
Group 14—2048 bit modulus

Phase 1 Auth Algo
The authentication algorithm to use during phase 1.
Depending on the device, your options are sha1 or sha-384.
Phase 1 Encryption Algo
The encryption algorithm to use during phase 1.
Depending on the device, your options are aes-128-cbc and aes-256-cbc.
Phase 1 Lifetime
The time in seconds before a tunnel will need to re-authenticate. The phase 1 lifetime should be equal to or longer than the phase 2 lifetime.
Phase 2 PFS Group
Phase 2 is when SAs are further established to protect and encrypt IP traffic within the tunnel. This is also known as the IPsec phase.
The PFS group is the Perfect Forward Secrecy group. With PFS, the phase 2 keys are not derived from the phase 1 keys. Instead, new keys are generated using the selected Diffie-Hellman group (the options are the same as those listed above).
Phase 2 Auth Algo
The authentication algorithm to use during phase 2.
Depending on the device, your options are hmac-sha1-96 or hmac-sha-256-128.
Phase 2 Encryption Algo
The encryption algorithm to use during phase 2.
Depending on the device, your options are aes-256-gcm, aes-128-gcm, aes-128-cbc, or aes-256-cbc.
Phase 2 Lifetime
The time in seconds before phase 2 expires and needs to re-authenticate. We recommend that the phase 2 lifetime be equal to or shorter than the phase 1 lifetime.
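
As an added example (not PacketFabric code), the following Python script checks a planned set of values against the options and rules described in the Configure and IPsec Configuration sections before you enter them in the portal, and generates a random shared key. The dictionary keys and function names are hypothetical, and the shared key length and alphabet are assumptions.

```python
import ipaddress
import secrets

# Option values as listed on this page; the dictionary keys are hypothetical names.
ALLOWED = {
    "ike_version": {1, 2},
    "phase1_group": {5, 14},
    "phase1_auth": {"sha1", "sha-384"},
    "phase1_encryption": {"aes-128-cbc", "aes-256-cbc"},
    "phase2_pfs_group": {5, 14},
    "phase2_auth": {"hmac-sha1-96", "hmac-sha-256-128"},
    "phase2_encryption": {"aes-256-gcm", "aes-128-gcm", "aes-128-cbc", "aes-256-cbc"},
}
# Weaker choices: IKEv1 is deprecated (this page); 1536-bit DH is SHOULD NOT in
# RFC 8247; SHA-1 is the older hash.
WEAK = {"ike_version": {1}, "phase1_group": {5}, "phase2_pfs_group": {5},
        "phase1_auth": {"sha1"}, "phase2_auth": {"hmac-sha1-96"}}

def generate_psk(nbytes=32):
    """Random pre-shared key from the OS CSPRNG (length and alphabet are assumptions)."""
    return secrets.token_urlsafe(nbytes)

def check_vpn_settings(cfg):
    """Return (errors, warnings) for a dict of planned connection settings."""
    errors, warnings = [], []
    try:
        if not ipaddress.ip_address(cfg.get("remote_gateway")).is_global:
            errors.append("remote_gateway: must be a public IP address")
    except ValueError:
        errors.append("remote_gateway: not a valid IP address")
    for field, allowed in ALLOWED.items():
        value = cfg.get(field)
        if value not in allowed:
            errors.append(f"{field}: {value!r} is not an option listed on this page")
        elif value in WEAK.get(field, ()):
            warnings.append(f"{field}: {value!r} is the weaker of the listed options")
    if cfg.get("phase1_lifetime", 0) < cfg.get("phase2_lifetime", 0):
        errors.append("phase1_lifetime: should be equal to or longer than phase 2")
    return errors, warnings

# Constructed sample: private gateway address, IKEv1, SHA-1, phase 1 shorter than phase 2.
SAMPLE = {"remote_gateway": "10.0.0.5", "ike_version": 1, "phase1_group": 14,
          "phase1_auth": "sha1", "phase1_encryption": "aes-256-cbc",
          "phase1_lifetime": 3600, "phase2_pfs_group": 14,
          "phase2_auth": "hmac-sha-256-128", "phase2_encryption": "aes-256-gcm",
          "phase2_lifetime": 28800}

if __name__ == "__main__":
    errs, warns = check_vpn_settings(SAMPLE)
    print("\n".join(["ERROR " + e for e in errs] + ["WARN  " + w for w in warns]))
```

Errors are values that conflict with what this page states; warnings are accepted values for which a stronger listed option exists, if your device supports it.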

Billing

Select a billing account and then click Place Order.

The connection should provision within a few minutes.

Next steps

Configure BGP for the connection. For more information, see Configure BGP for VPN Connections.