Setting up site-to-site on IBM Cloud


Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. Also, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

 

Configuring a VPN gateway at the IBM Cloud Console

1. Open the VPC section in the IBM Cloud Console. Go to VPNs (under the Network tab)

2. Open the IKE Policies tab, then select New IKE Policy

3. Choose a Name, the Region in which the appropriate VPC lies, define the Resource group, then select Create IKE policy

4. Once the policy has been created, select the three-dotted menu (...) and select Edit

5. Fill in the following information:

  • IKE Version: 1
  • DH Group: 2
  • Authentication: sha256
  • Key Lifetime: 28800
  • Encryption: aes256

6. Select Save IKE policy

7. Open the IPSec Policies tab, then select New IPSec Policy

8. Choose a Name, the Region in which the appropriate VPC lies and define the Resource group, then select Create IPSec policy

9. Once the policy has been created, select the three-dotted menu (...) and select Edit

10. Fill in the following information:

  • Check: PFS
  • DH Group: 2
  • Authentication: sha256
  • Key Lifetime: 3600
  • Encryption: aes256

11. Select Save IPSec policy

12. Open the VPN gateways tab, then select New VPN gateway

13. Fill in the following information:

  • Name: Choose the name of your choice
  • Virtual private cloud: Choose the desired cloud
  • Resource group: Choose the resource group
  • Subnet: Choose the appropriate subnet

14. Check New VPN Connection for VPC

15. Fill in the following information:

  • Connection name: Set a name
  • Peer gateway address: the IP of your NordLayer dedicated server
  • Preshared key: Insert a string of at least 8 characters containing upper-case letters, lower-case letters, and numbers (we will also need this value on our end)
  • Local subnet: Specify one or more subnets in the VPC you want to connect
  • Peer subnet: 10.6.0.0/20

  • Dead peer detection action: Restart
  • Interval: 10 seconds
  • Timeout: 30 seconds
  • IKE policy: Choose the policy that was created earlier
  • IPSec policy: Choose the policy that was created earlier

 

Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (IKEv2 must also be supported)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via privnote.com
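
The values listed above can be checked locally before they are sent. The following Python script is an added example, not part of NordLayer's or IBM's tooling: it generates a pre-shared key that satisfies the step 15 rule and checks that the gateway address is public and that no local subnet overlaps the 10.6.0.0/20 peer subnet. The function names, the 32-character default length and the overlap check are assumptions made for this example.

```python
import ipaddress
import secrets
import string

# Peer subnet from step 15 of this article.
PEER_SUBNET = ipaddress.ip_network("10.6.0.0/20")
ALPHABET = string.ascii_letters + string.digits


def psk_ok(psk: str) -> bool:
    """Step 15 rule: 8+ characters with upper-case, lower-case and digits."""
    return (len(psk) >= 8
            and any(c.isupper() for c in psk)
            and any(c.islower() for c in psk)
            and any(c.isdigit() for c in psk))


def generate_psk(length: int = 32) -> str:
    """Draw from the OS CSPRNG; retry until every character class is present."""
    if length < 8:
        raise ValueError("pre-shared key must be at least 8 characters")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if psk_ok(psk):
            return psk


def preflight(psk: str, gateway_ip: str, local_subnets: list) -> list:
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    if not psk_ok(psk):
        problems.append("pre-shared key does not meet the step 15 rule")
    if not ipaddress.ip_address(gateway_ip).is_global:
        problems.append(f"gateway {gateway_ip} is not a public address")
    for cidr in local_subnets:
        try:
            net = ipaddress.ip_network(cidr)
        except ValueError as exc:
            problems.append(f"local subnet {cidr} is not a valid CIDR: {exc}")
            continue
        # Assumption added here: overlapping ranges make routing ambiguous.
        if net.version == PEER_SUBNET.version and net.overlaps(PEER_SUBNET):
            problems.append(f"local subnet {cidr} overlaps {PEER_SUBNET}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for issue in preflight("nordlayer", "192.168.1.1", ["10.6.8.0/24"]):
        print("FAIL:", issue)
    print("generated key passes:", psk_ok(generate_psk()))
```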

In case you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.
