Add a VPN Connection to the Cloud Router


All you need is a compatible VPN device, and you need to know the public IP address to connect to that device.

The following devices have been verified as compatible with our VPN service:

Cisco ASA 9.8.1+
Cisco IOS
Juniper Netscreen
Juniper SRX
Palo Alto Networks NGFW 8.0.0+

Create a PacketFabric Cloud Router connection

  1. Log in to the PacketFabric portal and select Network > Cloud Routers.

  2. Click the Cloud Router to open its side panel.

  3. Select Create Connection.

    screenshot of the cloud router actions menu

  4. Select IPsec VPN.


Complete the following fields and then click Next.

Location and Capacity
Select the location that is closest to you.
Select a bandwidth for the connection. We support up to 2 Gbps.
Remote IKE Gateway Address
The gateway address of your VPN device. Because VPNs traverse the public internet, this must be a public IP address owned by you.
Once the connection is created, we will provide a local gateway IKE address, which will be available from the connection details page.
Shared Key
Enter a pre-shared key of your choice. There are also a number of key generators that you can use.
Provide a meaningful name for the connection.
IPsec Presets

Select the on-premises device you are using. This will populate the IPsec Configuration section with the supported values for that device.

If you do not see your device, you can leave this field blank and make your selections from the choices available.

IPsec Configuration

These values are pre-populated based on your selection above. Depending on the device, some fields may or may not be editable.

For a list of all possible options, see See VPN Configuration.

IKE Version
Select the Internet Key Exchange (IKE) version supported by your device. In most cases, this is v2 (v1 is deprecated).
Phase 1 Group
Phase 1 is when the VPN peers are authenticated and we establish security associations (SAs) to protect IKE messaging between the two endpoints (which in this case is PacketFabric and your VPN device). This is also known as the IKE phase.

The Phase 1 group is the Diffie-Hellman (DH) algorithm used to create a shared secret between the endpoints.

Phase 1 Auth Algo
The authentication algorithm to use during phase 1.
Phase 1 Encryption Algo
The encryption algorithm to use during phase 1.
Phase 1 Lifetime
The time in seconds before a tunnel will need to re-authenticate. The phase 1 lifetime should be equal to or longer than phase 2.
Phase 2 PFS Group
Phase 2 is when SAs are further established to protect and encrypt IP traffic within the tunnel. This is also known as the IPsec phase.
The PFS group is the Perfect Forward Secrecy group. This means that rather than using the keys from phase 1, new keys are generated per the selected Diffie-Hellman algorithm (same as those listed above).
Phase 2 Auth Algo
The authentication algorithm to use during phase 2.
Phase 2 Encryption Algo
The encryption algorithm to use during phase 2.
Phase 2 Lifetime
The time in seconds before phase 2 expires and needs to reauthenticate. We recommend that the phase 2 lifetime is equal to or shorter than phase 1.


Select a billing account and then click Place Order.

The connection should provision within a few minutes.

Next steps

Configure BGP for the connection. For more information, see Configure BGP for VPN Connections.

You can also gather the information necessary to configure your connection, such as the public IP address for the Cloud Router. See VPN Configuration.