Site-to-Site




      A Site-to-Site VPN creates a secure IPsec tunnel between your internal business LAN and a Virtual Private Gateway backed by your dedicated server, so the two networks can reach each other over private addresses.

      Request form

      You can find the request form in the Control Panel, under the Servers or Gateways tab.

      Click Configure on your preferred dedicated server and choose the Site-to-Site option from the dropdown menu.

      Set up IPsec (Site-to-Site) tunnel:

      To proceed with the Site-to-Site setup, fill in the following information in the request form:

      Information:

      Choose the type of Site-to-Site setup:

      • If you choose an on-premise setup, enter the full model name of your router or firewall in the field provided.
      • If you choose a cloud setup, either select your cloud service provider from the dropdown menu or enter its name manually.

      Setting up Site-to-Site for AWS Cloud?

      If you are setting up an IPsec tunnel for AWS, submit the form twice, once for each of the two tunnels, using that tunnel's values from the AWS strongSwan configuration file.

      The two requests (AWS Tunnel1 and Tunnel2) must use different values for Mark, Local tunnel IP, Remote tunnel IP, Remote IP and Pre-shared key: AWS assigns each tunnel its own outside IP address, inside tunnel addresses and pre-shared key, and the tunnels are only redundant if both are configured.


      Base (optional):

      • Policy-based is the default. With a policy-based tunnel the Mark, Local tunnel IP and Remote tunnel IP fields are not needed and can be left blank.
      • Route-based is used mainly for AWS setups, because AWS provides two tunnels for redundancy and each tunnel needs its own mark and its own pair of inside tunnel IP addresses.

      IKE version: For the best results we suggest IKEv2 (in strongSwan configuration files this is the keyexchange setting). Use IKEv1 only for cloud providers and older firewall/router hardware that do not support IKEv2.

      Remote IP: The static public IP address of your office, home or any other location where the Site-to-Site connection terminates, i.e. the WAN address of your router/firewall (for AWS, the outside IP address of the tunnel).

      Remote Site-to-Site subnet address: The internal subnet(s) of the local network behind your router/firewall device/server that should be reachable through the tunnel.

      Note:
      • Routers and cloud networks use private (RFC 1918) address space, most often a /24 such as 192.168.0.0/24 or 10.0.0.0/24; the full private ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Enter the network address with its prefix length (for example 192.168.1.0/24, not a host address such as 192.168.1.37); an online subnet calculator can help you determine the correct mask for the range that should be reachable through the tunnel.
      • Your public IP must be static, because the gateway is configured to peer with that exact address.
      • A maximum of 5 subnets can be added.
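      As an added example (not the provider's own code), the Python snippet below vets the subnet list before you paste it into the form: it converts a host-style entry such as 192.168.1.37/24 into its network address, rejects anything outside RFC 1918 space, flags overlapping entries and enforces the 5-subnet limit. The sample entries at the bottom are constructed.

```python
"""Vet the subnet(s) entered in the 'Remote Site-to-Site subnet address' field.

Added example for this article, not part of the provider's own tooling. It
normalises host-style entries to their network address, enforces RFC 1918
private space, flags overlapping entries and applies the 5-subnet limit. The
sample entries under __main__ are constructed.
"""
import ipaddress
from itertools import combinations

MAX_SUBNETS = 5  # limit stated in the article

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalise_subnets(entries):
    """Map entries such as '192.168.1.37/24' to the network they belong to
    ('192.168.1.0/24'), dropping exact duplicates and keeping input order."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net not in nets:
            nets.append(net)
    return nets


def vet_subnets(entries):
    """Return (normalised subnets as strings, list of problems).

    Any problem means the request should be corrected before submission."""
    nets = normalise_subnets(entries)
    problems = []
    if len(nets) > MAX_SUBNETS:
        problems.append(f"{len(nets)} subnets listed, the maximum is {MAX_SUBNETS}")
    for net in nets:
        # subnet_of() only compares same-version networks, hence the guard.
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{net} is not RFC 1918 private address space")
    for a, b in combinations(nets, 2):
        if a.version == b.version and a.overlaps(b):
            problems.append(f"{a} and {b} overlap; list only the wider range")
    return [str(n) for n in nets], problems


if __name__ == "__main__":
    # Constructed sample: a host address, a nested pair and a public range.
    sample = ["192.168.1.37/24", "10.0.0.0/24", "10.0.0.0/16", "198.51.100.0/24"]
    subnets, problems = vet_subnets(sample)
    print("Subnets for the form:", subnets)
    for p in problems:
        print("Problem:", p)
```

      Overlapping entries are reported rather than silently merged, because the wider range is usually the one you meant and the narrower one is a typo or a stale entry; decide which before you submit.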

      Pre-shared key: The secret both ends use to authenticate each other. Use the key your tool pre-generated (AWS generates a separate one for each tunnel) or generate a long random one with a password manager. Never reuse a key between tunnels or sites, and treat it like any other credential.

      Mark (optional): Route-based only. Use 100 for AWS Tunnel1 and 200 for AWS Tunnel2 (the -m value in the leftupdown line of the AWS config).

      Local tunnel IP (the -ll value): The inside tunnel address on your side, found in the AWS Site-to-Site config.

      Remote tunnel IP (the -lr value): The inside tunnel address on the AWS side, found in the AWS Site-to-Site config; it is one IP address lower than the Local tunnel IP and sits in the same /30.

      • To obtain the Local tunnel IP and Remote tunnel IP values, refer to the following (commented-out) leftupdown line in your AWS config file, where -ln is the tunnel name, -ll the Local tunnel IP, -lr the Remote tunnel IP and -m the Mark:
      #leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 -ll XXX.XXX.XX.XXX/30 -lr XXX.XXX.XX.XXX/30 -m 100 -r <VPC CIDR>"

      IKE encryption type (Phase 1): The cipher suite that protects the IKE negotiation itself: an AES variant, a SHA variant and a Diffie-Hellman (DH) group. For the DH group, enter the keyword your tool uses (for example modp2048); if your tool shows only the IANA group number, look it up in a DH group reference, where the IANA number corresponds to the DH group your tool is using, to find the keyword for this form field.

      ESP encryption type (Phase 2): The cipher suite for the data traffic inside the tunnel. It usually mirrors the IKE values, but can differ depending on the router/firewall device/server you are using.

      We suggest at least IPsec/IKEv2 with AES256, SHA256 and DH group 14 (equivalent to modp2048). Avoid 3DES, MD5/SHA1 and DH groups below 14 (modp1024 and smaller) wherever your hardware supports stronger options, since both ends must agree on the same suite and the tunnel is only as strong as what you allow it to negotiate.
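      The Python script below is an added example, not the provider's or AWS's own tooling, and ties together the AWS two-tunnel requirement, the leftupdown line and the cipher-suite minimum above. It pulls each tunnel's Remote IP, Mark, Local tunnel IP, Remote tunnel IP and pre-shared key out of an ipsec.conf/ipsec.secrets pair laid out like the AWS strongSwan download, checks that the two requests differ in every field the article requires, that the inside tunnel addresses are the adjacent /30 pair described above, and that the ike/esp suites meet the AES256/SHA256/DH14 minimum. The configuration texts embedded in it are constructed (documentation and link-local addresses, placeholder keys), and the function names are this example's own.

```python
"""Extract the per-tunnel values the Site-to-Site form asks for from an AWS
strongSwan configuration and sanity-check them before submitting. Added example
for this article, not the provider's or AWS's code; the config texts below are
constructed (documentation/link-local addresses, placeholder pre-shared keys)."""
import ipaddress
import re

# IANA group numbers for strongSwan DH keywords; the form wants the keyword.
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16}
MIN_AES_BITS, MIN_SHA_BITS, MIN_DH_GROUP = 256, 256, 14  # article's minimum
UPDOWN_FLAGS = {"-ll": "local_tunnel_ip", "-lr": "remote_tunnel_ip", "-m": "updown_mark"}
SECRET_RE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]+)"')
SAMPLE_IPSEC_CONF = """\
conn Tunnel1
    right=198.51.100.1
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    mark=100
    #leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 -ll 169.254.44.86/30 -lr 169.254.44.85/30 -m 100 -r <VPC CIDR>"

conn Tunnel2
    right=198.51.100.2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    mark=200
    #leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel2 -ll 169.254.45.22/30 -lr 169.254.45.21/30 -m 200 -r <VPC CIDR>"
"""
SAMPLE_IPSEC_SECRETS = """\
203.0.113.10 198.51.100.1 : PSK "placeholder-psk-for-tunnel-1"
203.0.113.10 198.51.100.2 : PSK "placeholder-psk-for-tunnel-2"
"""

def parse_ipsec_conf(text):
    """{conn name: {setting: value}}; the commented-out leftupdown line is parsed too."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and line.startswith("#leftupdown="):
            # Form values -ll/-lr/-m live only in this commented-out script call.
            argv = line.split("=", 1)[1].strip().strip('"').split()
            for flag, key in UPDOWN_FLAGS.items():
                if flag in argv:
                    current[key] = argv[argv.index(flag) + 1]
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_ipsec_secrets(text):
    """{remote peer IP: PSK} from the 'left right : PSK "..."' lines."""
    matches = (SECRET_RE.match(ln.strip()) for ln in text.splitlines())
    return {m.group(2): m.group(3) for m in matches if m}

def form_requests(conf_text, secrets_text):
    """One dict per tunnel holding the fields the request form asks for."""
    psks = parse_ipsec_secrets(secrets_text)
    return [{"tunnel": name, "remote_ip": c.get("right"),
             "mark": c.get("mark", c.get("updown_mark")),
             "local_tunnel_ip": c.get("local_tunnel_ip"),
             "remote_tunnel_ip": c.get("remote_tunnel_ip"),
             "pre_shared_key": psks.get(c.get("right")),
             "ike": c.get("ike", "").rstrip("!"), "esp": c.get("esp", "").rstrip("!")}
            for name, c in parse_ipsec_conf(conf_text).items()]

def suite_strength(suite):
    """'aes128-sha1-modp1024' -> (AES bits, hash bits, IANA DH group); unknown parts
    become 0 so they fail the minimum check instead of passing silently."""
    aes, sha = (re.search(p, suite) for p in (r"aes(\d+)", r"sha(\d+)"))
    sha_bits = 0 if sha is None else 160 if sha.group(1) == "1" else int(sha.group(1))
    dh = next((g for kw, g in DH_GROUPS.items() if kw in suite), 0)
    return (int(aes.group(1)) if aes else 0, sha_bits, dh)

def check_requests(rows):
    """Problems to fix before the two AWS requests are submitted."""
    problems = []
    # The article requires each of these to differ between Tunnel1 and Tunnel2.
    for field in ("mark", "local_tunnel_ip", "remote_tunnel_ip", "remote_ip", "pre_shared_key"):
        values = [r[field] for r in rows]
        if len(set(values)) != len(values):
            problems.append(f"{field} is not unique across tunnels: {values}")
    for r in rows:
        t = r["tunnel"]
        if None in (r["mark"], r["pre_shared_key"], r["local_tunnel_ip"], r["remote_tunnel_ip"]):
            problems.append(f"{t}: a route-based field is missing from the config")
            continue
        local, remote = (ipaddress.ip_interface(r[k]) for k in ("local_tunnel_ip", "remote_tunnel_ip"))
        if local.network != remote.network or remote.ip != local.ip - 1:
            problems.append(f"{t}: inside tunnel IPs are not an adjacent pair in one /30")
        for phase in ("ike", "esp"):
            aes, sha, dh = suite_strength(r[phase])
            if aes < MIN_AES_BITS or sha < MIN_SHA_BITS or dh < MIN_DH_GROUP:
                problems.append(f"{t}: {phase}={r[phase]} is below the AES256/SHA256/DH14 minimum")
    return problems

if __name__ == "__main__":
    rows = form_requests(SAMPLE_IPSEC_CONF, SAMPLE_IPSEC_SECRETS)
    print(*rows, *check_requests(rows), sep="\n")
```

      Run against your own download, the script reports Tunnel1 in the constructed sample as below the recommended minimum (aes128-sha1-modp1024 is AES128, SHA1 and DH group 2) while Tunnel2 passes; in practice you would raise the AWS tunnel options to the stronger suite before submitting either request, so that both tunnels offer the same protection.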

      Once you enter all the information and click on Request Site to Site, please allow up to 24 hours for the feature to be enabled. You will get an email with the confirmation once it’s ready.

      You can also browse our published articles for in-depth instructions on setting up Site-to-Site connectivity for your particular on-premises or cloud environment; these guides are listed in the subsections of the dropdown on the left.

      Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.

