For connecting jtel Cloud installations to local on-premises data, an IPsec VPN is used.
The following settings are used to build the IPsec tunnel.
Note: some settings are provided by jtel, others must be provided by the customer.
Phase 1 Settings
Setting | Value | Provided by | Explanation |
---|---|---|---|
Remote Gateway (jtel Cloud Side) | DNS Entry | jtel | This will be the DNS entry provided by jtel for the firewall entry point to the cloud instance. For example: cmycust-web.jtel.de |
Remote Gateway (Customer Side) | DNS Entry or IP Address | Customer | This will be the DNS name or IP address of the gateway on the customer side. |
Key Exchange Version | V2 | | |
Internet Protocol | IPv4 | | |
Authentication Method | Mutual Pre-Shared Key | jtel | The pre-shared key will be provided by jtel. |
Peer IDs | IP Addresses | | |
Encryption Algorithm | AES 256 | | |
Hash Algorithm | SHA 512 | | |
DH key group | 31 (Elliptic Curve 25519) | | Less modern firewalls may not have this setting. Other available Diffie-Hellman key groups include: 16 (4096 bits), 18 (8192 bits), 19 (NIST EC 256 bits), 21 (NIST EC 521 bits), 24 (2048 bits with 256-bit subgroup), 30 (Brainpool EC 512 bits). |
Lifetime | 28800 seconds | | |
NAT Traversal | Disabled | | |
IKEv2 MOBIKE (RFC 4555) | Enabled | | |
Dead Peer Detection | 10 seconds, 5 retries | | The jtel side will attempt to restart the tunnel if 5 DPD packets are not acknowledged. |
Phase 2 Settings
The IP address ranges must be provided by the customer for all networks which need to be connected to the IPsec tunnel.
Setting | Value | Provided by | Explanation |
---|---|---|---|
Mode | Tunnel IPv4 | | |
Local Network | 10.168.168.0/24 | jtel | If this value causes a collision, please inform jtel before cloud provisioning and we will provide a different network at our end. |
Remote Networks | | Customer | Provide all networks on the customer side which should be able to route traffic through the IPsec tunnel. |
Protocol | ESP | | |
Encryption algorithm | AES 256 | | |
PFS key group | 31 (Elliptic Curve 25519) | | See Phase 1 settings for available alternatives. |
Lifetime | 3600 seconds | | |
Pingable host (jtel side) | 10.168.168.1 | jtel | If required, this host may be pinged to check the availability of the tunnel. |
Pingable host (customer side) | | Customer | If given, this host will be pinged by the jtel side to check the availability of the tunnel. |
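As an added example (not jtel's own configuration), the Phase 1 and Phase 2 settings above expressed as a strongSwan swanctl.conf for the customer-side gateway. The customer gateway address 203.0.113.10, the customer network 192.0.2.0/24, the jtel gateway address 198.51.100.20 and the PSK value are placeholders; the ESP integrity algorithm (SHA 512) is assumed, as the Phase 2 table does not state one.

```conf
# Example swanctl.conf for the customer-side gateway (added example, not jtel's file).
# Addresses 203.0.113.10 / 198.51.100.20 / 192.0.2.0/24 and the PSK are placeholders.
connections {
    jtel-cloud {
        version      = 2                      # Key Exchange Version: IKEv2
        local_addrs  = 203.0.113.10           # customer gateway (IPv4)
        remote_addrs = cmycust-web.jtel.de    # jtel DNS entry (Phase 1 remote gateway)
        local {
            auth = psk
            id   = 203.0.113.10               # Peer IDs: IP addresses
        }
        remote {
            auth = psk
            id   = 198.51.100.20              # placeholder: resolved address of the jtel gateway
        }
        proposals  = aes256-sha512-x25519     # AES 256, SHA 512, DH group 31 (Curve25519)
        rekey_time = 28800s                   # Phase 1 lifetime
        mobike     = yes                      # IKEv2 MOBIKE (RFC 4555) enabled
        encap      = no                       # do not force UDP encapsulation (NAT traversal disabled)
        dpd_delay  = 10s                      # Dead Peer Detection every 10 seconds
        # The "5 retries" behaviour is not a per-connection swanctl option; it follows
        # charon's retransmission settings, which must be tuned separately if required.
        children {
            onprem {
                mode          = tunnel                  # Tunnel IPv4
                local_ts      = 192.0.2.0/24            # placeholder customer network(s)
                remote_ts     = 10.168.168.0/24         # jtel-side local network
                esp_proposals = aes256-sha512-x25519    # ESP, AES 256, PFS group 31 (SHA 512 assumed)
                rekey_time    = 3600s                   # Phase 2 lifetime
                start_action  = start                   # bring the tunnel up on load
            }
        }
    }
}
secrets {
    ike-jtel {
        id-1   = 203.0.113.10
        id-2   = 198.51.100.20
        secret = "PSK-PROVIDED-BY-JTEL"        # placeholder: use the pre-shared key jtel supplies
    }
}
```

After `swanctl --load-all`, pinging 10.168.168.1 from a host in the customer network confirms that traffic is being routed through the tunnel.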