Add a VPN Connection to the Cloud Router


All you need is a compatible VPN device, and you need to know the public IP address to connect to that device.

The following devices have been verified as compatible with our VPN service:

Cisco ASA 9.8.1+
Cisco IOS
Juniper Netscreen
Juniper SRX
Palo Alto Networks NGFW 8.0.0+

Create a PacketFabric Cloud Router connection

Log in to the PacketFabric portal and select Cloud Routers on the left.

Expand the Cloud Router you are using and click Connect.

cloud router create connection

Select cloud provider

Select IPSec VPN.

Select the location that is closest to you.
Select a speed/bandwidth for the connection. We support up to 2 Gbps.
Remote IKE Gateway Address
The gateway address of your VPN device. Because VPNs traverse the public internet, this must be a public IP address owned by you.
Once the connection is created, we will provide a local gateway IKE address, which will be available from the connection details page.
Shared Key
Enter a pre-shared key of your choice. There are also a number of key generators that you can use.
Provide a meaningful name for the connection.
IPSec Presets
Select the on-premises device you are using. This will populate the fields below with the supported values for that device.
If you do not see your device, you can leave this field blank and make your selections from the choices available.

NOTE: The following values are pre-populated based on your selection above. Depending on the device, some fields may or may not be editable.

For a list of all possible options, see See VPN Configuration.

IKE Version
Select the Internet Key Exchange (IKE) version supported by your device. In most cases, this is v2 (v1 is deprecated).
Phase 1 Encryption Algo
The encryption algorithm to use during phase 1.
Phase 1 Group
Phase 1 is when the VPN peers are authenticated and we establish security associations (SAs) to protect IKE messaging between the two endpoints (which in this case is PacketFabric and your VPN device). This is also known as the IKE phase.

The Phase 1 group is the Diffie-Hellman (DH) algorithm used to create a shared secret between the endpoints.

Phase 1 Auth Algo
The authentication algorithm to use during phase 1.
Phase 1 Lifetime
The time in seconds before a tunnel will need to re-authenticate. The phase 1 lifetime should be equal to or longer than phase 2.
Phase 2 PFS Group
Phase 2 is when SAs are further established to protect and encrypt IP traffic within the tunnel. This is also known as the IPsec phase.
The PFS group is the Perfect Forward Secrecy group. This means that rather than using the keys from phase 1, new keys are generated per the selected Diffie-Hellman algorithm (same as those listed above).
Phase 2 Auth Algo
The authentication algorithm to use during phase 2.
Phase 2 Encryption Algo
The encryption algorithm to use during phase 2.
Phase 2 Lifetime
The time in seconds before phase 2 expires and needs to reauthenticate. We recommend that the phase 2 lifetime is equal to or shorter than phase 1.

Under the billing section on the right, select a term and the appropriate billing account to use. You can also optionally specify a PO number to associate with the service. The PO number will be included on your monthly invoice.

Click Place order.

Next steps

Configure BGP for the connection. For more information, see Configure BGP for VPN Connections.

You can also gather the information necessary to configure your connection, such as the public IP address for the Cloud Router. See VPN Configuration.