IPsec VPN Function

The IPsec VPN gateway function allows you to connect to on-premises environments or to systems in other regions.

If you add the IPsec VPN function to a virtual router, you can connect to a peer IPsec VPN gateway.

The IPsec VPN function is composed of the VPN service and an IPsec site connection.

Figure: Network Connections Using the IPsec VPN Function

Note: Communication is possible through an IPsec VPN tunnel between a single subnet connected directly to a virtual router and a single subnet connected to the peer IPsec gateway.
Note: Only one VPN service can be created for a single virtual router. If you want to create multiple IPsec VPN tunnels, create multiple IPsec site connections on a single VPN service.
Tip:

Assign a global IP address to the virtual router port that you specify when creating the VPN service. The virtual router uses this global IP address for the traffic of the IPsec site connection.

For virtual routers in the Eastern Japan Region 2, the global IP address of the port that connects the router to the external network can also be used for IPsec site connection traffic.

Settings

Table 1. Settings Related to VPN Connections

Item                                Supported Methods
----------------------------------  --------------------------------------
Authentication Method               Pre-shared key
Action When Dead Peer Is Detected   hold, restart
DPD Interval                        1 second or more
DPD Timeout                         A value larger than the DPD interval
Initiator Mode                      bi-directional, response-only

Settings Related to Supported Encryption Methods

Table 2. IKE Policy

Item                                Supported Methods
----------------------------------  --------------------------------------
Authentication Algorithm            sha1
Encryption Algorithm                AES-128, AES-192, AES-256
IKE Version                         v1
Lifetime                            60 - 86400 (seconds)
PFS                                 group2, group5, group14
Key Exchange Mode                   main

Table 3. IPsec Policy

Item                                Supported Methods
----------------------------------  --------------------------------------
Authentication Algorithm            sha1
Encapsulation Mode                  tunnel
Encryption Algorithm                AES-128, AES-192, AES-256
Lifetime                            60 - 86400 (seconds)
PFS                                 group2, group5, group14
Transform Protocol                  esp

Points to Note

When the IPsec VPN function is enabled, the communication listed below is allowed regardless of the firewall rules set on the virtual router. However, any firewall located between the virtual router and the peer IPsec gateway must be configured to permit the same communication.

Table 4. List of Allowed Communication Rules

Protocol   Port No.   Description
--------   --------   ---------------------------------------------------------------
UDP        500        Internet Security Association and Key Management Protocol (ISAKMP)
UDP        4500       IPsec NAT Traversal
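The following is an added example, not part of this documentation and not a tool provided by the service. It checks a proposed IKE policy, IPsec policy and site connection against the supported values in Tables 1 to 3 (lifetime range, DPD timeout larger than the DPD interval, supported algorithms, modes and PFS groups), and checks that a firewall rule set sitting between the virtual router and the peer gateway permits the UDP 500 and UDP 4500 flows from Table 4. The field names (auth_algorithm, encapsulation_mode, dpd_interval and so on) follow OpenStack Neutron VPNaaS naming and are an assumption, as is the first-match, default-deny evaluation of firewall rules; the sample rule set in the usage block is constructed.

```python
from dataclasses import dataclass

# Supported values transcribed from Tables 1-3 (compared case-insensitively).
SUPPORTED_AUTH = {"sha1"}
SUPPORTED_ENCRYPTION = {"aes-128", "aes-192", "aes-256"}
SUPPORTED_PFS = {"group2", "group5", "group14"}
SUPPORTED_IKE_VERSION = {"v1"}
SUPPORTED_PHASE1_MODE = {"main"}
SUPPORTED_ENCAPSULATION = {"tunnel"}
SUPPORTED_TRANSFORM = {"esp"}
SUPPORTED_DPD_ACTION = {"hold", "restart"}
SUPPORTED_INITIATOR = {"bi-directional", "response-only"}
LIFETIME_MIN, LIFETIME_MAX = 60, 86400
# Table 4: flows that any firewall between the two gateways must permit.
REQUIRED_FLOWS = (("udp", 500), ("udp", 4500))


@dataclass
class IkePolicy:          # field names assumed (OpenStack VPNaaS style)
    auth_algorithm: str = "sha1"
    encryption_algorithm: str = "aes-256"
    ike_version: str = "v1"
    phase1_negotiation_mode: str = "main"
    pfs: str = "group14"
    lifetime: int = 3600


@dataclass
class IpsecPolicy:
    auth_algorithm: str = "sha1"
    encryption_algorithm: str = "aes-256"
    encapsulation_mode: str = "tunnel"
    transform_protocol: str = "esp"
    pfs: str = "group14"
    lifetime: int = 3600


@dataclass
class SiteConnection:
    psk: str
    dpd_action: str = "hold"
    dpd_interval: int = 30
    dpd_timeout: int = 120
    initiator: str = "bi-directional"


def _member(errors, label, value, allowed):
    if value.lower() not in allowed:
        errors.append(f"{label}: {value!r} not supported (allowed: {sorted(allowed)})")


def _lifetime(errors, label, seconds):
    if not LIFETIME_MIN <= seconds <= LIFETIME_MAX:
        errors.append(f"{label}: lifetime {seconds}s outside {LIFETIME_MIN}-{LIFETIME_MAX}")


def validate(ike, ipsec, conn):
    """Return a list of violations of Tables 1-3; an empty list means the config is supported."""
    errors = []
    _member(errors, "IKE auth", ike.auth_algorithm, SUPPORTED_AUTH)
    _member(errors, "IKE encryption", ike.encryption_algorithm, SUPPORTED_ENCRYPTION)
    _member(errors, "IKE version", ike.ike_version, SUPPORTED_IKE_VERSION)
    _member(errors, "IKE key exchange mode", ike.phase1_negotiation_mode, SUPPORTED_PHASE1_MODE)
    _member(errors, "IKE PFS", ike.pfs, SUPPORTED_PFS)
    _lifetime(errors, "IKE", ike.lifetime)
    _member(errors, "IPsec auth", ipsec.auth_algorithm, SUPPORTED_AUTH)
    _member(errors, "IPsec encryption", ipsec.encryption_algorithm, SUPPORTED_ENCRYPTION)
    _member(errors, "IPsec encapsulation", ipsec.encapsulation_mode, SUPPORTED_ENCAPSULATION)
    _member(errors, "IPsec transform", ipsec.transform_protocol, SUPPORTED_TRANSFORM)
    _member(errors, "IPsec PFS", ipsec.pfs, SUPPORTED_PFS)
    _lifetime(errors, "IPsec", ipsec.lifetime)
    if not conn.psk:
        errors.append("site connection: pre-shared key must not be empty")
    _member(errors, "DPD action", conn.dpd_action, SUPPORTED_DPD_ACTION)
    if conn.dpd_interval < 1:
        errors.append(f"DPD interval {conn.dpd_interval}s must be 1 second or more")
    if conn.dpd_timeout <= conn.dpd_interval:
        errors.append(f"DPD timeout {conn.dpd_timeout}s must be larger than interval {conn.dpd_interval}s")
    _member(errors, "initiator", conn.initiator, SUPPORTED_INITIATOR)
    return errors


@dataclass
class FirewallRule:
    action: str      # "allow" or "deny"
    protocol: str    # "udp", "tcp" or "any"
    port_min: int
    port_max: int


def permits(rules, proto, port):
    """First matching rule wins; no match is treated as deny (assumed default policy)."""
    for r in rules:
        if r.protocol in ("any", proto) and r.port_min <= port <= r.port_max:
            return r.action == "allow"
    return False


def missing_flows(rules):
    """Flows from Table 4 that the given intermediate firewall rule set does not permit."""
    return [f"{p}/{n}" for p, n in REQUIRED_FLOWS if not permits(rules, p, n)]


if __name__ == "__main__":
    print(validate(IkePolicy(), IpsecPolicy(), SiteConnection(psk="example-psk")))
    # Constructed rule set: ISAKMP allowed, everything else denied, so NAT-T is missing.
    print(missing_flows([FirewallRule("allow", "udp", 500, 500),
                         FirewallRule("deny", "any", 0, 65535)]))
```

The virtual router's own firewall rules do not need this check, because the page states that the Table 4 flows are allowed there regardless; the rule check is meant for a firewall on the path to the peer gateway or on the peer side, where the same flows must be explicitly permitted.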