Add a VPN Connection to the Cloud Router
All you need is a compatible VPN device, and you need to know the public IP address to connect to that device.
The following devices have been verified as compatible with our VPN service:
Cisco ASA 9.8.1+
Palo Alto Networks NGFW 8.0.0+
Create a PacketFabric Cloud Router connection
Log in to the PacketFabric portal and select Network > Cloud Routers.
Click the Cloud Router to open its side panel.
Select Create Connection.
Select IPsec VPN.
Complete the following fields and then click Next.
Location and Capacity
- Select the location that is closest to you.
- Select a bandwidth for the connection. We support up to 2 Gbps.
- Remote IKE Gateway Address
- The gateway address of your VPN device. Because VPNs traverse the public internet, this must be a public IP address owned by you.
- Once the connection is created, we will provide a local gateway IKE address, which will be available from the connection details page.
- Shared Key
- Enter a pre-shared key of your choice. There are also a number of key generators that you can use.
- Provide a meaningful name for the connection.
Select the on-premises device you are using. This will populate the IPsec Configuration section with the supported values for that device.
If you do not see your device, you can leave this field blank and make your selections from the choices available.
These values are pre-populated based on your selection above. Depending on the device, some fields may or may not be editable.
- IKE Version
- Select the Internet Key Exchange (IKE) version supported by your device. In most cases, this is v2 (v1 is deprecated).
- Phase 1 Group
- Phase 1 is when the VPN peers are authenticated and we establish security associations (SAs) to protect IKE messaging between the two endpoints (which in this case is PacketFabric and your VPN device). This is also known as the IKE phase.
The Phase 1 group is the Diffie-Hellman (DH) algorithm used to create a shared secret between the endpoints.
Depending on the device, your options are:
Group 5—1536 bit modulus
Group 14—2048 bit modulus
- Phase 1 Auth Algo
- The authentication algorithm to use during phase 1.
- Depending on the device, your options are sha1 or sha 384.
- Phase 1 Encryption Algo
- The encryption algorithm to use during phase 1.
- Depending on the device, your options are aes-128-cbc and aes-256-cbc.
- Phase 1 Lifetime
- The time in seconds before a tunnel will need to re-authenticate. The phase 1 lifetime should be equal to or longer than phase 2.
- Phase 2 PFS Group
- Phase 2 is when SAs are further established to protect and encrypt IP traffic within the tunnel. This is also known as the IPsec phase.
- The PFS group is the Perfect Forward Secrecy group. This means that rather than using the keys from phase 1, new keys are generated per the selected Diffie-Hellman algorithm (same as those listed above).
- Phase 2 Auth Algo
- The authentication algorithm to use during phase 2.
- Depending on the device, your options are hmac-sha1-96 or hmac-sha-256-128.
- Phase 2 Encryption Algo
- The encryption algorithm to use during phase 2.
- Depending on the device, your options are aes-256-gcm, aes-128-gcm, aes-128-cbc, or aes-256-cbc.
- Phase 2 Lifetime
- The time in seconds before phase 2 expires and needs to reauthenticate. We recommend that the phase 2 lifetime is equal to or shorter than phase 1.
Select a billing account and then click Place Order.
The connection should provision within a few minutes.
Configure BGP for the connection. For more information, see Configure BGP for VPN Connections.