Updated at April 15, 2024   08:50 AM

Managing VPN tunnels

The VPN service is available in both the Neutron and Sprut SDNs. In Sprut SDN, VPN tunnels can be managed only through the personal account interface.

You can view VPN tunnels, add them to or remove them from a project, and edit or restart them.

Viewing a list of VPN tunnels and information about them

  1. Go to your VK Cloud personal account.

  2. Select the project you need.

  3. Go to Virtual networks → VPN.

    A list of VPN tunnels will appear.

  4. Click the name of a VPN tunnel.

    A page with detailed information about it will open. Navigate between the page tabs to view information about IKE and IPsec settings, endpoint groups, and the tunnel. You can also edit the VPN tunnel settings on this page.

Adding a VPN Tunnel

  1. Go to your VK Cloud personal account.

  2. Select the project you need.

  3. Go to Virtual networks → VPN.

  4. Click the Add VPN or Add button. The New VPN Tunnel Wizard opens.

  5. Select the SDN (Neutron or Sprut) in which the VPN tunnel will be created.

  6. Set up IKE:

    1. IKE Policy — select an IKE policy from the dropdown list. If the desired policy does not exist, create a new one:

      1. Select New IKE Policy from the drop-down list.

      2. Set the policy settings:

        • Policy name.
        • Key lifetime (in seconds).
        • Authorization algorithm — sha256 is recommended.
        • Encryption algorithm — aes256 is recommended.
        • IKE version — v2 is recommended.
        • Diffie-Hellman group — group14 is recommended.
    2. Press the Next Step button.

  7. Configure IPsec:

    1. IPsec policy — select an IPsec policy from the drop-down list. If the desired policy does not exist, create a new one:

      1. Select New IPsec Policy from the drop-down list.

      2. Set the policy settings:

        • Policy name.
        • Key lifetime (in seconds).
        • Authorization algorithm — sha256 is recommended.
        • Encryption algorithm — aes256 is recommended.
        • Diffie-Hellman group — group14 is recommended.
    2. Press the Next Step button.

  8. Set up endpoint groups:

    1. Router — select the router whose subnets should be accessible through the VPN tunnel. The available options depend on the selected SDN and include only routers that are connected to an external network and have an assigned external IP address.

    2. Local Endpoint — select a local endpoint group from the drop-down list. If the required group does not exist, create a new one:

      1. Select New endpoint group from the drop-down list.

      2. Set the group settings:

        • Name — the name of the local endpoint group.
        • Subnets — select one or more subnets connected to the previously selected router. These subnets will be accessible through the VPN tunnel.
    3. Remote Endpoint — select a remote endpoint group from the drop-down list. If the required group does not exist, create a new one:

      1. Select New endpoint group from the drop-down list.

      2. Set the group settings:

        • Group name.

        • Subnet address — the address of the remote subnet that will be accessible through the VPN tunnel.

          If you need to add more subnets, click the Add subnet link.

    4. Press the Next Step button.

  9. Set up the VPN tunnel:

    1. Specify the basic settings:

      • Tunnel name.

      • Public IPv4 address of the peer (Peer IP).

      • Shared Key (PSK).

        If necessary, generate a key by clicking the corresponding button.

    2. (Optional) Specify the advanced settings:

      • Peer Router ID for Authentication (Peer ID) — by default matches the peer address.

      • (For VPN in Sprut SDN only) Traffic flow selector:

        • Merge — do not split traffic selectors, that is, carry all address prefixes in one data transmission tunnel.
        • Split — split traffic selectors, that is, create a separate data transmission tunnel for each pair of address prefixes.
      • Initiator State — behavior when establishing an IPsec connection:

        • bi-directional (default) — the VK Cloud platform will attempt to establish a connection with the remote peer.
        • response-only — the platform expects the VPN connection to be initiated by the remote peer and does not attempt to establish one on its own.
      • Settings for detecting the unavailability of a remote peer (Dead Peer Detection, DPD):

        • When a peer is unavailable — determines the behavior of the VK Cloud platform if the remote peer is unavailable:

          • hold (default) — when an unreachable IPsec connection is detected, the connection is terminated. The connection can only be re-established by the remote peer.
          • clear — when an unreachable IPsec connection is detected, the connection is terminated. The connection will not be re-established even if the remote peer attempts to do so.
          • restart — when an unreachable IPsec connection is detected, the connection is terminated. The VK Cloud platform will try to re-establish the connection with the remote peer.
        • Peer Downtime Detection Interval — the interval (in seconds) at which to send DPD test messages.

        • Time to detect peer unavailable — if no DPD test messages are received from the remote peer within this timeout (in seconds), the peer is considered unavailable (dead).

          The default value for this setting is four times the Peer Downtime Detection Interval.

  10. Click the Create VPN Tunnel button.
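As an added example (not VK Cloud's code and not an API the platform exposes), the following Python script models the fields of the wizard above as a plain dict and checks a planned tunnel against the recommendations on this page before the values are entered in the personal account: the IKE and IPsec algorithms, that the local and remote endpoint subnets are valid CIDRs that do not overlap each other, that the peer address is a public IPv4 address, and that the DPD timeout (defaulting to four times the detection interval, as documented above) is longer than the interval. The dict layout, the field names, the sample values and the timeout-exceeds-interval rule are assumptions made for this example.

```python
# Added example, not VK Cloud's code; the dict field names are assumptions mirroring the wizard.
import ipaddress

RECOMMENDED = {"auth_algorithm": "sha256", "encryption_algorithm": "aes256", "dh_group": "group14"}
DPD_ACTIONS = {"hold", "clear", "restart"}
# Ranges that can never be a public peer address (RFC 1918, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def check_policy(label, policy, is_ike=False):
    """Compare an IKE or IPsec policy dict with the recommendations on the page."""
    findings = []
    lifetime = policy.get("lifetime_seconds")
    if not isinstance(lifetime, int) or lifetime <= 0:
        findings.append(f"{label}: key lifetime must be a positive number of seconds")
    for field, want in RECOMMENDED.items():
        if policy.get(field) != want:
            findings.append(f"{label}: {field}={policy.get(field)!r}, recommended {want!r}")
    if is_ike and policy.get("ike_version") != "v2":
        findings.append(f"{label}: ike_version={policy.get('ike_version')!r}, recommended 'v2'")
    return findings

def parse_subnets(label, cidrs):
    """Parse CIDRs strictly: host bits set in a prefix is a typo, not a subnet."""
    nets, findings = [], []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            findings.append(f"{label}: bad subnet {cidr!r} ({exc})")
    return nets, findings

def check_endpoint_groups(spec):
    """Both endpoint groups need subnets, and local and remote ranges must not overlap."""
    local, findings = parse_subnets("local", spec.get("local_subnets", []))
    remote, more = parse_subnets("remote", spec.get("remote_subnets", []))
    findings += more
    findings += [f"{lbl}: at least one subnet is required"
                 for lbl, nets in (("local", local), ("remote", remote)) if not nets]
    findings += [f"overlap: local {l} and remote {r} overlap, routing would be ambiguous"
                 for l in local for r in remote if l.overlaps(r)]
    return findings

def normalize_tunnel(tunnel):
    """Fill in the defaults the page documents: Peer ID, DPD action and DPD timeout."""
    t = dict(tunnel)
    t.setdefault("peer_id", t.get("peer_ip"))  # Peer ID defaults to the peer address
    dpd = dict(t.get("dpd", {}))
    dpd.setdefault("action", "hold")
    if isinstance(dpd.get("interval_seconds"), int):  # timeout defaults to 4x the interval
        dpd.setdefault("timeout_seconds", 4 * dpd["interval_seconds"])
    t["dpd"] = dpd
    return t

def check_tunnel(tunnel):
    """Validate the peer address, PSK and DPD settings after defaults are applied."""
    t, findings = normalize_tunnel(tunnel), []
    if not t.get("psk"):
        findings.append("tunnel: pre-shared key is empty")
    try:
        peer = ipaddress.IPv4Address(t.get("peer_ip"))
        if any(peer in net for net in NON_PUBLIC):
            findings.append(f"tunnel: peer_ip {peer} is not a public IPv4 address")
    except ValueError:
        findings.append(f"tunnel: peer_ip {t.get('peer_ip')!r} is not a valid IPv4 address")
    dpd = t["dpd"]
    if dpd["action"] not in DPD_ACTIONS:
        findings.append(f"dpd: unknown action {dpd['action']!r}")
    interval, timeout = dpd.get("interval_seconds"), dpd.get("timeout_seconds")
    if not isinstance(interval, int) or interval <= 0:
        findings.append("dpd: interval_seconds must be a positive integer")
    elif not isinstance(timeout, int) or timeout <= interval:
        # Assumed sanity rule (not on the page): the timeout must exceed one probe interval.
        findings.append(f"dpd: timeout_seconds ({timeout}) should exceed interval_seconds ({interval})")
    return findings

def validate_spec(spec):
    """All findings for a full spec; an empty list means it matches the page's guidance."""
    return (check_policy("ike", spec["ike_policy"], is_ike=True)
            + check_policy("ipsec", spec["ipsec_policy"])
            + check_endpoint_groups(spec) + check_tunnel(spec["tunnel"]))

# Constructed sample spec using private and documentation ranges only, not a real site.
POLICY = {"lifetime_seconds": 3600, **RECOMMENDED}
SAMPLE_SPEC = {
    "ike_policy": {"name": "ike-office", "ike_version": "v2", **POLICY},
    "ipsec_policy": {"name": "ipsec-office", **POLICY},
    "local_subnets": ["10.10.0.0/24", "10.10.1.0/24"],
    "remote_subnets": ["192.168.50.0/24"],
    "tunnel": {"name": "office-tunnel", "peer_ip": "203.0.113.10", "psk": "constructed-psk-value",
               "dpd": {"action": "restart", "interval_seconds": 30}},
}

if __name__ == "__main__":
    for line in validate_spec(SAMPLE_SPEC) or ["OK: spec matches the page's recommendations"]:
        print(line)
```

Running the script on the sample prints the OK line; changing the remote subnet to 10.10.0.0/16 reports the overlap with both local subnets, and setting the DPD timeout equal to the interval reports the timeout finding, which are the two misconfigurations the wizard itself does not flag.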

Editing a VPN Tunnel

  1. Go to your VK Cloud personal account.

  2. Select the project you need.

  3. Go to Virtual networks → VPN.

  4. Expand the menu of the desired VPN tunnel and select Edit VPN.

  5. If necessary, edit the local or remote endpoint group:

    1. Local Endpoint — select a local endpoint group from the drop-down list. If the required group does not exist, create a new one:

      1. Select New endpoint group from the drop-down list.

      2. Set the group settings:

        • Name — the name of the local endpoint group.
        • Subnets — select one or more subnets connected to the previously selected router. These subnets will be accessible through the VPN tunnel.
    2. Remote Endpoint — select a remote endpoint group from the dropdown list. If the required group does not exist, create a new one:

      1. Select New endpoint group from the drop-down list.

      2. Set the group settings:

        • Group name.

        • Subnet address — address of the remote subnet that will be accessible through the VPN tunnel.

          If you need to add more subnets, click the Add subnet link.

  6. Press the Next Step button.

  7. Edit the VPN tunnel settings:

    1. Basic settings:

      • Tunnel name.

      • Public IPv4 address of the peer (Peer IP).

      • Shared Key (PSK).

        If necessary, generate a key by clicking the corresponding button.

    2. (Optional) Advanced settings:

      • Peer Router ID for Authentication (Peer ID) — by default matches the peer address.

      • (For VPN in Sprut SDN only) Traffic flow selector:

        • Merge — do not split traffic selectors, that is, carry all address prefixes in one data transmission tunnel.
        • Split — split traffic selectors, that is, create a separate data transmission tunnel for each pair of address prefixes.
      • Initiator State — behavior when establishing an IPsec connection:

        • bi-directional (default) — the VK Cloud platform will attempt to establish a connection with a remote peer.
        • response-only — the platform expects a VPN connection to be initiated by a remote peer and does not attempt to establish one on its own.
      • Settings for detecting the unavailability of a remote peer (Dead Peer Detection, DPD):

        • When a peer is unavailable — determines the behavior of the VK Cloud platform if a remote peer is unavailable:

          • hold (default) — when an unreachable IPsec connection is detected, the connection is terminated. The connection can only be re-established by a remote peer.
          • clear — when an unreachable IPsec connection is detected, the connection is terminated. The connection will not be re-established even if the remote peer attempts to do so.
          • restart — when an unreachable IPsec connection is detected, the connection is terminated. The VK Cloud platform will try to re-establish the connection with the remote peer.
        • Peer Downtime Detection Interval — the interval (in seconds) at which to send DPD test messages.

        • Time to detect peer unavailable — if during this interval (in seconds) no DPD test messages were received from a remote peer, then it is considered unavailable (dead).

          The default value for this setting is four times the Peer Downtime Detection Interval.

  8. Click the Save button.

Restarting a VPN tunnel

  1. Go to your VK Cloud personal account.
  2. Select the project you need.
  3. Go to Virtual networks → VPN.
  4. Expand the menu of the desired VPN tunnel and select Restart VPN.
  5. Read the warning.
  6. Press the Restart button.

Removing a VPN tunnel

  1. Go to your VK Cloud personal account.

  2. Select the project you need.

  3. Go to Virtual networks → VPN.

  4. Expand the menu of the desired VPN tunnel and select Remove VPN.

  5. Review the list of objects to be deleted.

    When deleting a VPN tunnel, the objects associated with it will also be deleted (if they are not used by other VPN tunnels):

    • VPN service serving the tunnel;
    • IKE policy and IPsec policy;
    • local and remote endpoint groups.
  6. Click the Confirm button.