Setting up site-to-site on IBM Cloud

Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

Configuring a VPN gateway at the IBM Cloud Console

1. Open to the VPC section in the IBM Cloud Console. Go to VPNs (under the Network tab)

2. Open the IKE Policies tab, then select New IKE Policy

3. Choose a Name, the Region in which the appropriate VPC lies, define the Resource group, then select Create IKE policy

4. Once the policy has been created, select the three-dotted menu (...) and select Edit

5. Fill in the following information:

• IKE Version: 1
• DH Group: 2
• Authentication: sha256
• Key Lifetime: 28800
• Encryption: aes256

6. Select Save IKE policy

7. Open the IPSec Policies tab, then select New IPSec Policy

8. Choose a Name, the Region in which the appropriate VPC lies and define the Resource group, then select Create IPSec policy

9. Once the policy has been created, select the three-dotted menu (...) and select Edit

10. Fill in the following information:

• Check: PFS
• DH Group: 2
• Authentication: sha256
• Key Lifetime: 3600
• Encryption: aes256

11. Select Save IPSec policy

12. Open the VPN gateways tab, then select New VPN gateway

13. Fill in the following information:

• Name: Choose the name of your choice
• Virtual private cloud: Choose the desired cloud
• Resource group: Choose the resource group
• Subnet: Choose the appropriate subnet

14. Check New VPN Connection for VPC

15. Fill in the following information:

• Connection name: Set a name
• Peer gateway address: the IP of your NordLayer dedicated server
• Preshared key: Insert an 8 character (at least) string containing upper-case letters, upper-case letters, and numbers (we will also need this value on our end)
• Local subnet: Specify one or more subnets in the VPC you want to connect
• Peer subnet: 10.6.0.0/20

• Dead peer detection action: Restart
• Interval: 10 seconds
• Timeout: 30 seconds
• IKE policy: Choose the policy that was earlier
• IPSec policy: Choose the policy that was earlier

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

• Pre-shared key - you can generate it or we can provide it
• Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
• Remote gateway/router public IP (must be reachable while connected to the dedicated server)
• Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.