VPN Configuration Reference

When you set up a VPN connection between your corporate network and the OUTSCALE Cloud, you need to configure the VPN tunnel according to the following specifications.

The exact procedure depends on the VPN software that you use; the settings below are the ones every implementation must match.

  • Support for the IKEv1 protocol is End of Life. We strongly recommend using IKEv2.

  • An IKEv1 VPN connection stops working as soon as more than one VPN connection is attached to the same virtual gateway.

For phase 1 proposals, the following options are supported:

  • 256-bit AES-CBC encryption, with SHA2_256_128 HMAC authentication, and DH group 2, 14, 16, 19 or 21.

  • 128-bit AES-CBC encryption, with SHA1 HMAC or SHA2_256_128 HMAC authentication, and DH group 2 or 14.

For phase 2 proposals, the following options are supported:

  • 256-bit AES-CBC encryption, with SHA2_256_128 HMAC authentication, and PFS 2, 14, 16, 19 or 21.

  • 128-bit AES-CBC encryption, with SHA1 HMAC or SHA2_256_128 HMAC authentication, and PFS 2 or 14.

You must specify the following values for the lifetime of each phase:

  • 28800 seconds (8 hours) for phase 1.

  • 3600 seconds (1 hour) for phase 2.

We recommend the following options for both phases: 256-bit AES-CBC encryption, with SHA2_256_128 HMAC authentication, and DH group (PFS group for phase 2) 16, 19 or 21.

Dead peer detection (DPD) must be enabled, with the following settings:

  • Delay or interval 30 seconds.

  • Timeout 90 seconds (3 retries).

As policy-based VPN is not supported, you must set up a route-based VPN using a virtual tunnel interface (VTI), with the following settings:

  • Traffic selectors: 0.0.0.0/0 on both ends.

  • Tunnel interface IP: the tunnel inside address defined in the XML configuration file provided by the API or Cockpit.

The local ID must be set to the IP of the client gateway, and the remote ID must be set to the public IP of the virtual gateway.
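As an added example (not OUTSCALE documentation or tooling, and not the configuration shipped in the XML file), the following POSIX shell script renders a strongSwan swanctl.conf that follows the whole reference above: IKEv2, the recommended phase 1 and phase 2 proposals, the 28800 s / 3600 s lifetimes, DPD every 30 seconds, a VTI with 0.0.0.0/0 traffic selectors, and the local/remote IDs set to the gateway public IPs. It refuses to render a proposal outside the supported matrix and shows the Linux VTI setup that goes with the configuration. The addresses, the fwmark 42, the connection name `outscale-vpn` and PSK authentication are assumptions of this example; take the real values from the XML file.

```shell
#!/bin/sh
# Added example, not OUTSCALE's own tooling: strongSwan swanctl.conf for a
# route-based (VTI) IKEv2 tunnel following the reference above. Addresses,
# the fwmark, the connection name and PSK auth are assumptions; real values
# come from the XML file provided by the API or Cockpit.

CGW_PUBLIC_IP="203.0.113.10"         # client gateway (this host), assumed
VGW_PUBLIC_IP="198.51.100.20"        # OUTSCALE virtual gateway, assumed
TUNNEL_INSIDE_IP="169.254.10.2/30"   # tunnel inside address, assumed
VTI_MARK=42                          # assumed fwmark binding policies to vti0
# Recommended options: AES-256-CBC, HMAC-SHA2-256-128, DH/PFS group 21, 19, 16.
# In strongSwan proposal syntax "sha256" is HMAC-SHA2-256-128 (RFC 4868) and
# ecp521 / ecp256 / modp4096 are DH groups 21 / 19 / 16.
PROPOSALS="aes256-sha256-ecp521,aes256-sha256-ecp256,aes256-sha256-modp4096"

# Return 0 if an enc-integ-group proposal is in the supported matrix
# (modp1024 = group 2, modp2048 = group 14), 1 otherwise.
proposal_supported() {
  case "$1" in
    aes256-sha256-modp1024|aes256-sha256-modp2048|aes256-sha256-modp4096|\
    aes256-sha256-ecp256|aes256-sha256-ecp521) return 0 ;;
    aes128-sha1-modp1024|aes128-sha1-modp2048|\
    aes128-sha256-modp1024|aes128-sha256-modp2048) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the swanctl.conf for the given endpoints, mark and proposal list.
render_swanctl_conf() {
  cgw="$1"; vgw="$2"; mark="$3"; proposals="$4"
  cat <<EOF
connections {
  outscale-vpn {
    # IKEv2 only: IKEv1 support is end of life.
    version = 2
    local_addrs  = $cgw
    remote_addrs = $vgw
    # Phase 1 proposals; rekey after 8 hours.
    proposals = $proposals
    rekey_time = 28800s
    # DPD every 30 seconds. With IKEv2, charon's retransmission settings
    # (not dpd_timeout, which is IKEv1 only) bound the 90 s detection time.
    dpd_delay = 30s
    local {
      auth = psk
      id = $cgw
    }
    remote {
      auth = psk
      id = $vgw
    }
    children {
      vti {
        # Route-based VPN: 0.0.0.0/0 selectors on both ends; traffic is
        # steered into the tunnel by routes over vti0, not by policies.
        local_ts  = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        # Phase 2 proposals (group = PFS group); rekey after 1 hour.
        esp_proposals = $proposals
        rekey_time = 3600s
        mark_in  = $mark
        mark_out = $mark
        dpd_action = restart
        start_action = start
      }
    }
  }
}
secrets {
  ike-outscale {
    id = $vgw
    # Placeholder only; use the pre-shared key from the XML file.
    secret = "REPLACE-WITH-PSK-FROM-XML"
  }
}
EOF
}

# Create vti0 bound to the same mark, assign the tunnel inside address and
# disable XFRM policy lookup on it, so decrypted packets delivered through
# vti0 are not rejected by the policy check. Requires root.
setup_vti() {
  ip tunnel add vti0 mode vti local "$CGW_PUBLIC_IP" remote "$VGW_PUBLIC_IP" key "$VTI_MARK"
  ip link set vti0 up
  ip addr add "$TUNNEL_INSIDE_IP" dev vti0
  sysctl -w net.ipv4.conf.vti0.disable_policy=1 >/dev/null
}

# Refuse to render a configuration that uses an unsupported proposal.
for p in $(printf '%s\n' "$PROPOSALS" | tr ',' ' '); do
  proposal_supported "$p" || { echo "unsupported proposal: $p" >&2; exit 1; }
done
render_swanctl_conf "$CGW_PUBLIC_IP" "$VGW_PUBLIC_IP" "$VTI_MARK" "$PROPOSALS"
if [ "${APPLY_VTI:-no}" = "yes" ]; then setup_vti; fi
```

Running the script prints the swanctl.conf; `APPLY_VTI=yes` as root additionally creates the interface. Because the traffic selectors are 0.0.0.0/0, set `charon.install_routes = no` in strongswan.conf so that charon does not install a default route of its own, and add the routes to the Cloud subnets over vti0 yourself. strongSwan's `rekey_time` is the point at which it initiates rekeying, so the peer side must be configured with the same lifetimes.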
