Policy-Based VPN Connection
|Note: Pureport recommends using Route-Based VPN with BGP for your site connection, when supported by your device. This makes future network growth and changes easier, as Pureport manages the BGP peering. See "Connecting to a Site VPN - Route-Based with BGP" for details.|
Before establishing a VPN connection to Pureport, you must first ensure your gateway device support IPSEC VPN connectivity, and then you must gather the following information:
- Speed of your Internet connection
- Primary public IP of your VPN gateway
- Secondary public IP of your VPN gatway (only applicable if you have two Internet connections and wish to support fail-over and load sharing between them)
- IP Networks of your customer site (for traffic selectors and, if using, for Cloud Grade NAT)
- Supported IPSEC settings of your VPN gateway (IKE version, encryption, integrity, and Diffe Hellman Group for Phase 1 and Phase 2 VPN negotiation)
- The knowledge base contains recommended configuration settings for many common platforms
Building the VPN Connection
Use this procedure to create a Policy-Based VPN site connection with Pureport.
- Log into the Pureport Console.
- In the left navigation bar, select the Networks tab.
- The Networks page list the existing networks. Select your network
- On your network page, select Add Connection.
- In the New Connection window, for Type, select Site IPSec VPN from the drop down.
- Select the Pureport Location from the drop down where you would like this connection to be created. You should select the site geographically closest to your physical location.
- Select the Speed of the connection from the dropdown, then click Next. Do not exceed the maximum speed of your Internet connection.
- Enter the Primary Customer Router IP and Secondary Customer Router IP addresses of your site routers. You will only need different customer router IP addresses if your site has multiple Internet connections with separate IP addresses. If your site has a single address, enter the same IP address in both the Primary and Secondary fields.
In the Routing Type field, select Policy Based from the dropdown. Optionally you can enter in the locations physical address and click Next.
Optionally, on the Customer Networks page, enter the network IP address and name for each network behind your firewall to have access to this connection, then click Next. You are only required to enter this information if you are planning to use Cloud Grade NAT on this connection (see the next step), or in order to facilitate building the Traffic Selectors related to your policy-based VPN, If you choose not to enter this information here you will need to enter the networks manually in the Traffic Selectors section of the VPN configuration.
- Use the Add Customer Networks button to add additional networks.
- Use the Delete button to remove a customer network
- (Optional) On the NAT Configuration page, you may also enable and configure Cloud Grade NAT if desired, as detailed in the Cloud Grade NAT knowledge-base article. Then click Next.
- On the Traffic Selectors page, select a Customer Side (that you created in the Customer Networks area). In the Pureport Side field, enter the destination IP address to route traffic to, from the selected Customer Side. You must have one entry for each pair of networks that will need to communicate on your Pureport Network. Then click Next.
For example, if you had networks A and B on the customer side and networks C and D connected to the Pureport Network via Cloud connections or other Site connections, you would need four traffic selectors:
- Network A <--> Network C
- Network A <--> Network D
- Network B <--> Network C
- Network B <--> Network D
To add traffic selectors:
- Use the Add Traffic Selector button to add additional traffic selectors.
- Use the Delete button to remove a selector.
On the IKE Configuration page, select the IKE/ESP Encryption settings that meet your security requirements and are supported by your site's physical device. Then click Next.
Enter a meaningful Name and Description, then click Add Connection.
The Console generates a default name, but you can enter a name that conforms to your organization's naming standards.
Review your selections and choose Add Connection to create your Policy Based Site VPN Connection.
- After saving the Connection, the system displays the following information:
- Site IPsec VPN settings
- Traffic Selectors
- Primary Gateway
- Secondary Gateway
Be sure to record this information, you will need this information later.
The Pureport Support Knowledge Base has guidance on configuring the most common VPN appliances to connect to your Site VPN Connection.