Setting up site-to-site on IBM Cloud
Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.
Configuring a VPN gateway at the IBM Cloud Console
- Open the VPC section in the IBM Cloud Console, then go to VPNs (under the Network tab)
- Open the IKE Policies tab, then select New IKE Policy
- Choose a Name, the Region in which the appropriate VPC lies, define the Resource group, then select Create IKE policy
Once the policy has been created, select the three-dotted menu (...) and select Edit
Fill in the following information:
- IKE Version: 1
- DH Group: 2
- Authentication: sha256
- Key Lifetime: 28800
- Encryption: aes256
Select Save IKE policy
Open the IPSec Policies tab, then select New IPSec Policy
Choose a Name, the Region in which the appropriate VPC lies and define the Resource group, then select Create IPSec policy
Once the policy has been created, select the three-dotted menu (...) and select Edit
Fill in the following information:
- Check: PFS
- DH Group: 2
- Authentication: sha256
- Key Lifetime: 3600
- Encryption: aes256
Select Save IPSec policy
Open the VPN gateways tab, then select New VPN gateway
Fill in the following information:
- Name: Choose the name of your choice
- Virtual private cloud: Choose the desired cloud
- Resource group: Choose the resource group
- Subnet: Choose the appropriate subnet
Check New VPN Connection for VPC
Fill in the following information:
- Connection name: Set a name
- Peer gateway address: the IP of your NordLayer dedicated server
- Preshared key: Insert a string of at least 8 characters containing upper-case letters, lower-case letters, and numbers (we will also need this value on our end)
- Local subnet: Specify one or more subnets in the VPC you want to connect
- Peer subnet: 10.6.0.0/20
- Dead peer detection action: Restart
- Interval: 10 seconds
- Timeout: 30 seconds
- IKE policy: Choose the policy that was created earlier
- IPSec policy: Choose the policy that was created earlier
Ending note:
In order to finalize the site-to-site setup on our end, please provide these values via the Site-to-site request form in the NordLayer Control Panel:
- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the dedicated server)
- Remote subnet and mask (the subnet is used in your local network)
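Before submitting these values, a short pre-flight check can catch the usual mistakes. This is an added example, not NordLayer or IBM tooling: it compares the policy values entered above with the recommended AES256/SHA256/DH group 14, flags local subnets that overlap the 10.6.0.0/20 peer subnet, and generates a pre-shared key. The sample local subnets and the key length of 32 are assumptions.

```python
import ipaddress
import secrets
import string

PEER_SUBNET = ipaddress.ip_network("10.6.0.0/20")   # "Peer subnet" from the steps
RECOMMENDED = {"dh_group": 14, "authentication": "sha256", "encryption": "aes256"}

def psk_ok(psk):
    """At least 8 characters with upper-case, lower-case and digits."""
    return (len(psk) >= 8 and any(c.isupper() for c in psk)
            and any(c.islower() for c in psk) and any(c.isdigit() for c in psk))

def generate_psk(length=32):
    """Draw a key from the OS CSPRNG; length 32 is an assumption, not a page value."""
    if length < 8:
        raise ValueError("pre-shared key needs at least 8 characters")
    alphabet = string.ascii_letters + string.digits
    while True:  # redraw until every character class is present
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if psk_ok(psk):
            return psk

def check_policy(name, policy):
    """List settings that differ from the recommended AES256/SHA256/DH group 14."""
    return [f"{name}: {key}={policy.get(key)}, recommended {want}"
            for key, want in RECOMMENDED.items() if policy.get(key) != want]

def check_local_subnets(cidrs):
    """Flag malformed CIDRs and any local subnet overlapping the peer subnet."""
    findings = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits
        except ValueError as exc:
            findings.append(f"{cidr}: not a valid network ({exc})")
            continue
        if net.overlaps(PEER_SUBNET):
            findings.append(f"{cidr}: overlaps peer subnet {PEER_SUBNET}")
    return findings

# Policy values as entered in the steps; the local subnets are constructed samples.
IKE_POLICY = {"ike_version": 1, "dh_group": 2, "authentication": "sha256",
              "key_lifetime": 28800, "encryption": "aes256"}
IPSEC_POLICY = {"pfs": True, "dh_group": 2, "authentication": "sha256",
                "key_lifetime": 3600, "encryption": "aes256"}
SAMPLE_LOCAL_SUBNETS = ["10.240.0.0/24", "10.6.8.0/24", "10.241.0.5/24"]

if __name__ == "__main__":
    for line in (check_policy("IKE", IKE_POLICY) + check_policy("IPSec", IPSEC_POLICY)
                 + check_local_subnets(SAMPLE_LOCAL_SUBNETS)):
        print("WARN", line)
    print("PSK ok:", psk_ok(generate_psk()))
```

A local subnet that overlaps the peer subnet makes routing across the tunnel ambiguous, so resolve any such finding before creating the connection.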
Note: If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.