IPsec Tunnel

What is IPsec Tunnel?

An IPsec tunnel encrypts and authenticates IP packets transmitted over a virtual private network (VPN) from one site to another.

Characteristics

  • IPsec negotiation mode:

    For security reasons, we only support the Main mode. The Aggressive mode is not supported.

  • IPsec security protocol:

    We support only the Encapsulating Security Payload (ESP) protocol.

  • IPsec encapsulation mode:

    We support the Tunnel mode. The Transport mode is not supported.

  • IPsec routing model:

    We support only policy-based IPsec VPN. Route-based IPsec VPN is not supported. Therefore, the tunnel carries only unicast traffic; multicast and broadcast traffic are not supported.

Create an IPsec Tunnel

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > IPsec Tunnel. On the IPsec Tunnel page, click Create IPsec Tunnel. Then, the Create IPsec Tunnel page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the IPsec tunnel.
  • Description: Optional. Enter a description for the IPsec tunnel.
  • Local IP Address:
    • VIP: You can create a VIP or use an existing VIP to provide IPsec tunnel services.
      Create VIP: Create a VIP. If you choose to create a VIP, set the following parameters:
      • Public Network: Select a public network to create a VIP.
      • IP Range: Optional. Select an IP range. If you selected an IPv4 public network, you can select a normal IP range or an address pool.
      • Assign IP: Optional. You can assign a virtual IP address.
        Note:
        • If left blank, the system automatically assigns a VIP.
        • If you do not select a network range, you can specify an IP address only from a normal network range.
      Use Existing VIP: Use an existing VIP. If you choose to use an existing VIP, set the following parameter:
      • VIP: Select an existing VIP.
        Note: The system VIP of a VPC vRouter can be used to provide IPsec tunnel services.
  • Peer Public IP: Enter the peer public IP address that provides IPsec tunnel services.
  • Source Network CIDR: Select a VPC network attached to the VPC vRouter that is associated with the selected public network. If only one VPC network is attached to the VPC vRouter, the VPC network is selected by default.
  • Peer CIDR: Specify the peer network CIDR.
    Note: The CIDR block cannot overlap the network ranges of the management network and the public network attached to the VPC vRouter.
  • Authentication Mode: psk
  • Authentication Key: Set a relatively strong authentication key.
    Note: The local authentication key must be consistent with its peer.
  • ID Configuration Method: Configure an ID for the local and peer devices. The ID can be either an IP address or a name:
    • IP Address: Use an IP address to identify the local and peer devices.
      • Local ID: The unique ID that identifies the local device. You can use this ID for authenticating the peer device. The local ID must be 1-255 characters in length.
      • Peer ID: The unique ID that identifies the peer device. You can use this ID for authenticating the local device. The peer ID must be 1-255 characters in length.
    • Name: Use a name to identify the local and peer devices.
      • Local ID: The unique ID that identifies the local device. You can use this ID for authenticating the peer device. The local ID must be 1-255 characters in length.
      • Peer ID: The unique ID that identifies the peer device. You can use this ID for authenticating the local device. The peer ID must be 1-255 characters in length.
  • Advanced: You can configure advanced parameter settings for the IPsec tunnel, including IKE configurations and IPsec configurations. The Cloud automatically configures default settings for the parameters, as shown in the following list:
    • IKE Configuration:
      • IKE Version: IKEv2
      • IKE Authentication Algorithm: sha256
      • IKE Encryption Algorithm: aes-256
      • IKE DH Group: 2
    • IPsec Configuration:
      • Encapsulation Mode: tunnel
      • IPsec Security Protocol: esp
      • ESP Authentication Algorithm: sha256
      • ESP Encryption Algorithm: aes-256
      • PFS DH Group: dh-group14
    Note:
    • If you configure an IPsec tunnel by using a VPC vRouter of ZStack Cloud and a third-party device, you need to coordinate the advanced settings of the two devices.
    • When you create an IPsec tunnel, you need to adjust local advanced settings based on the IPsec configurations of the peer network device.
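The two notes above (the peer CIDR must not overlap the management or public network, and the advanced IKE/IPsec settings must match the peer device) can be checked before the form is submitted. The following is an added example, not part of ZStack Cloud or its documentation: it renders the default proposals in strongSwan-style notation (an assumed notation for the third-party peer; DH group 2 is 1024-bit MODP and group 14 is 2048-bit MODP) and validates the form values. The minimum pre-shared key length is an assumed local policy, not a value from the page.

```python
import ipaddress

# Defaults listed under Advanced on the Create IPsec Tunnel page.
ZSTACK_DEFAULTS = {
    "ike_version": "IKEv2", "ike_auth": "sha256", "ike_enc": "aes-256", "ike_dh": "2",
    "esp_auth": "sha256", "esp_enc": "aes-256", "pfs_dh": "14",
    "encap": "tunnel", "protocol": "esp",
}
# IKE DH group numbers -> MODP names used by strongSwan-style peers (assumed notation).
DH_GROUP_NAMES = {"2": "modp1024", "14": "modp2048"}


def proposal(enc, auth, dh):
    """Render ('aes-256', 'sha256', '14') as 'aes256-sha256-modp2048'."""
    return f"{enc.replace('-', '')}-{auth}-{DH_GROUP_NAMES[dh]}"


def peer_proposals(cfg=ZSTACK_DEFAULTS):
    """IKE and ESP proposal strings the peer device must be configured to accept."""
    return {
        "ike": proposal(cfg["ike_enc"], cfg["ike_auth"], cfg["ike_dh"]),
        "esp": proposal(cfg["esp_enc"], cfg["esp_auth"], cfg["pfs_dh"]),
    }


def validate_tunnel(peer_cidr, mgmt_cidr, public_cidr, local_id, peer_id, psk,
                    min_psk_len=16):
    """Return a list of problems with the form values; an empty list means they pass."""
    problems = []
    peer = ipaddress.ip_network(peer_cidr, strict=False)
    # Peer CIDR must not overlap the vRouter's management or public network range.
    for name, cidr in (("management network", mgmt_cidr), ("public network", public_cidr)):
        if peer.overlaps(ipaddress.ip_network(cidr, strict=False)):
            problems.append(f"peer CIDR {peer_cidr} overlaps the {name} {cidr}")
    # Local and peer IDs must be 1-255 characters long.
    for label, value in (("local ID", local_id), ("peer ID", peer_id)):
        if not 1 <= len(value) <= 255:
            problems.append(f"{label} must be 1-255 characters, got {len(value)}")
    # PSK strength: assumed local policy (the page only says "relatively strong").
    if len(psk) < min_psk_len:
        problems.append(f"authentication key shorter than {min_psk_len} characters")
    return problems


if __name__ == "__main__":
    print(peer_proposals())
    # Constructed sample values: peer subnet overlaps the public network /16.
    print(validate_tunnel("172.16.5.0/24", "192.168.1.0/24", "172.16.0.0/16",
                          "zstack-site", "branch-site", "correct-horse-battery-staple"))
```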
Figure 1. Create IPsec Tunnel


Manage an IPsec Tunnel

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > IPsec Tunnel. Then, the IPsec Tunnel page is displayed.

The following table lists the actions you can perform on an IPsec tunnel.

Action                    Description
Create IPsec Tunnel       Create a new IPsec tunnel.
Reconnect IPsec Tunnel    Reconnect an IPsec tunnel.
                          Note: This operation temporarily interrupts the IPsec channel connection. Proceed with caution.
Modify Configuration      Modify the configurations of an IPsec tunnel.
                          Note: Modifying the configurations temporarily interrupts the IPsec channel connection. Proceed with caution.
Delete IPsec Tunnel       Delete an IPsec tunnel. Deleting an IPsec tunnel also deletes the corresponding IPsec tunnel service. The associated VIP and the other services the VIP provides are not affected.