IPSec VPN Setup

What is an IPSec VPN?

IPSec is a suite of protocols designed to authenticate and encrypt all IP traffic between two locations. This allows trusted data to pass through networks that would otherwise be considered insecure. For general background on IPSec, refer to the reference documents at the bottom of this article.

SoftLayer provides a tunnel-mode configuration that gives you an encrypted site-to-site network, allowing networks at multiple remote locations to communicate securely.

Setting Up an IPSec Connection

Negotiation Parameters

You will need to know the following information for the remote side of the IPSec VPN:
- Static IP address of the VPN endpoint
- Pre-shared key (password)
- Encryption algorithm (DES, 3DES, AES128, AES192, AES256)
- Authentication algorithm (MD5, SHA1, SHA256; for phase 1 and 2)
- Diffie-Hellman group (for phase 1 and 2)
- Whether Perfect Forward Secrecy (PFS) is used
- Key lifetime (for phase 1 and 2) - NOTE: Our system measures this value in seconds!

Once you have this information, you can configure the basic negotiation parameters of the VPN connection.

Protected Networks

In the VPN connection properties, you define the networks on the remote end of the tunnel as well as the local networks for the tunnel. In the “Protected Customer (Remote) Subnet” section, enter the private IP address space, in CIDR notation, for the remote (non-SoftLayer) end of the IPSec tunnel.

For example: if the network on the remote end of the tunnel is a single subnet 10.0.0.0 with a netmask of 255.255.255.0, you would enter IP Address 10.0.0.0 / CIDR 24 in the “Protected Customer (Remote) Subnet” section.
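The following Python is an added example, not part of the original SoftLayer article. It converts a dotted-decimal netmask to the CIDR prefix the portal asks for, rejecting malformed masks, and then checks that the remote protected subnets do not overlap the local ones, since overlapping address space on the two ends of a site-to-site tunnel leaves the concentrator unable to tell which side a destination belongs to. The remote subnet 10.0.0.0/24 is the article's own example; the local subnet 10.1.0.0/16 is a constructed value.

```python
import ipaddress
from typing import Iterable, List, Tuple


def netmask_to_prefix(netmask: str) -> int:
    """Convert a dotted-decimal netmask (e.g. 255.255.255.0) to a CIDR prefix length.

    A valid mask is a run of 1 bits followed by a run of 0 bits; anything else
    (255.0.255.0, for instance) is almost certainly a typo and is rejected
    rather than silently turned into some other prefix.
    """
    mask_int = int(ipaddress.IPv4Address(netmask))
    prefix = bin(mask_int).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if mask_int != contiguous:
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return prefix


def to_cidr(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Build the 'IP Address / CIDR' pair the portal expects, e.g. 10.0.0.0/24.

    strict=True makes a host address entered with a network mask (10.0.0.5 / 24)
    fail loudly instead of being accepted as a different network than intended.
    """
    return ipaddress.IPv4Network(f"{address}/{netmask_to_prefix(netmask)}", strict=True)


def overlapping_subnets(remote: Iterable[str],
                        local: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (remote, local) CIDR pair whose address space overlaps.

    An empty list means traffic between the two ends of the tunnel can be
    routed unambiguously; any entry is a configuration problem to fix before
    bringing the tunnel up.
    """
    remote_nets = [ipaddress.IPv4Network(r, strict=True) for r in remote]
    local_nets = [ipaddress.IPv4Network(l, strict=True) for l in local]
    return [(str(r), str(l)) for r in remote_nets for l in local_nets if r.overlaps(l)]


if __name__ == "__main__":
    # The article's example: remote subnet 10.0.0.0 with netmask 255.255.255.0.
    remote_cidr = str(to_cidr("10.0.0.0", "255.255.255.0"))
    # Constructed local (SoftLayer-side) private subnet for illustration.
    local_cidr = "10.1.0.0/16"
    print("Protected Customer (Remote) Subnet:", remote_cidr)
    print("Overlaps with local networks:", overlapping_subnets([remote_cidr], [local_cidr]))
```

Run the overlap check against every local subnet the tunnel will carry, not just the first; a single overlapping pair is enough to blackhole traffic for that range.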

Network Address Translation

With the IPSec VPN, you can also define private IP addresses on SoftLayer’s network that route traffic to remote subnets on the other end of the VPN connection. This allows traffic on the private network to be forwarded to an internal IP address of a machine behind your VPN, without exposing the remote location to full Internet access.

Network Address Translation/Assigned Static NAT Subnets

To configure a remote VPN IP with a static NAT entry, select the red arrow to drop down the subnet list in the “Assigned Static NAT Subnets” section. Each IP in the subnet will be displayed. Enter the IP on the remote end of the VPN connection under the “Customer IP” column and enter a name for the mapping under the “Name” column. Select “Add/Modify Context Address Translations” and then “Apply Configurations” to save and apply the configuration.

This sets up a static one-to-one network translation for the return traffic, which your hosts behind the SoftLayer VPN concentrator use to communicate with the hosts behind the remote VPN peer. For example, all traffic for SoftLayer IP 10.1.255.92 is translated and forwarded to the Customer IP 192.168.10.15. This eliminates the need for additional route entries on the SoftLayer server.
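To make the one-to-one behaviour concrete, here is an added Python model of a static NAT table on the concentrator. It is illustrative code, not SoftLayer's implementation, which the article does not describe beyond the text above. It uses the article's mapping of SoftLayer IP 10.1.255.92 to Customer IP 192.168.10.15; the assigned NAT subnet 10.1.255.88/29, the protected remote subnet 192.168.10.0/24 and the SoftLayer host 10.1.20.5 are constructed values. Each mapping is validated when it is added, and packets are rewritten in both directions so that return traffic reaches the SoftLayer host from the NAT address it originally sent to.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable


@dataclass(frozen=True)
class Packet:
    """Only the header fields the translation touches."""
    src: str
    dst: str


class StaticNatTable:
    """One-to-one static NAT between SoftLayer private IPs and customer IPs.

    nat_subnet        the 'Assigned Static NAT Subnet' whose IPs may be mapped
    protected_remote  the 'Protected Customer (Remote) Subnets' every customer IP must fall in
    """

    def __init__(self, nat_subnet: str, protected_remote: Iterable[str]):
        self.nat_subnet = ipaddress.IPv4Network(nat_subnet)
        self.protected_remote = [ipaddress.IPv4Network(n) for n in protected_remote]
        self._to_customer: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}
        self._to_softlayer: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}
        self.names: Dict[ipaddress.IPv4Address, str] = {}

    def add(self, softlayer_ip: str, customer_ip: str, name: str) -> None:
        """Add a mapping, refusing anything that could not actually be routed."""
        sl = ipaddress.IPv4Address(softlayer_ip)
        cu = ipaddress.IPv4Address(customer_ip)
        if sl not in self.nat_subnet:
            raise ValueError(f"{sl} is not in the assigned NAT subnet {self.nat_subnet}")
        if not any(cu in net for net in self.protected_remote):
            raise ValueError(f"{cu} is not in any protected remote subnet")
        # One-to-one: neither side may already belong to another entry.
        if sl in self._to_customer or cu in self._to_softlayer:
            raise ValueError(f"mapping {sl} -> {cu} would break the one-to-one rule")
        self._to_customer[sl] = cu
        self._to_softlayer[cu] = sl
        self.names[sl] = name

    def outbound(self, pkt: Packet) -> Packet:
        """SoftLayer host -> NAT IP: rewrite the destination to the customer IP.

        Packets for unmapped destinations are passed through untouched.
        """
        cu = self._to_customer.get(ipaddress.IPv4Address(pkt.dst))
        return replace(pkt, dst=str(cu)) if cu is not None else pkt

    def inbound(self, pkt: Packet) -> Packet:
        """Customer host -> SoftLayer host: rewrite the source back to the NAT IP,
        so the SoftLayer host sees the reply come from the address it talked to."""
        sl = self._to_softlayer.get(ipaddress.IPv4Address(pkt.src))
        return replace(pkt, src=str(sl)) if sl is not None else pkt


if __name__ == "__main__":
    table = StaticNatTable("10.1.255.88/29", ["192.168.10.0/24"])  # constructed subnets
    table.add("10.1.255.92", "192.168.10.15", "app-server")         # the article's mapping
    # A SoftLayer host talks to the NAT IP; the concentrator forwards it to the customer IP.
    print(table.outbound(Packet(src="10.1.20.5", dst="10.1.255.92")))
    # The reply from the customer host comes back looking like it came from the NAT IP.
    print(table.inbound(Packet(src="192.168.10.15", dst="10.1.20.5")))
```

Because the translation is fixed and bidirectional, a SoftLayer host only ever needs a route to the assigned NAT subnet, which is why the article notes that no extra route entries are needed on the server.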

Reference Documentation:
http://technet.microsoft.com/en-us/network/bb531150.aspx
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing