For connecting jtel Cloud installations to local on premise data an IPsec VPN is used.
In order to build the IPsec tunnel, the following settings are used.
Note: some settings will be provided by jtel, some settings must be provided by the customer.
Phase 1 Settings
Setting | Value | Provided by | Explanation |
|---|---|---|---|
| Remote Gateway (jtel Cloud Side) | DNS Entry | jtel | This will be the DNS entry provided by jtel for the firewall entry point to the cloud instance. For example: cmycust-web.jtel.de |
| Remote Gateway (Customer Side) | DNS Entry or IP Address | Customer | This will be the DNS name or IP address of the gateway on the customer side. |
| Key Exchange Version | V2 | ||
| Internet Protocol | IPv4 | ||
| Authentication Method | Mutual Pre-Shared Key | jtel | The pre-shared key will be provided by jtel. |
| Peer IDs | IP Addresses | ||
| Encryption Algorithm | AES 256 | ||
| Hash Algorithm | SHA 512 | ||
| DH key group | 31 (Elliptic Curve 25519) | Less modern firewalls may not have this setting. Some other available Diffie-Hellman key groups include: 16 (4096 bits) 18 (8192 bits) 19 (NIST EC 256 bits) 21 (NIST EC 521 bits) 24 (2048 sub 256 bits) 30 (Brainpool EC 512 bits) | |
| Lifetime | 28800 seconds | ||
| NAT Traversal | Disabled | ||
| IKEv2 MOBIKE (RFC 4555) | Enabled | ||
| Dead Peer Detection | 10 seconds, 5 retries | The jtel side will attempt to restart the tunnel if 5 DPD packets are not acknowledged. |
Phase 2 Settings
The IP address ranges must be provided by the customer for all networks which need to be connected to the IPsec tunnel.
Setting | Value | Provided by | Explanation |
|---|---|---|---|
| Mode | Tunnel IPv4 | ||
| Local Network | 10.168.168.0/24 | jtel | If this value causes a collision, please inform jtel before cloud provisioning and we will provide a different network at our end. |
| Remote Networks | Customer | Provide all networks on the customer side which should be able to route traffic through the IPsec tunnel. | |
| Protocol | ESP | ||
| Encryption algorithm | AES 256 | ||
| PFS key group | 31 (Elliptic Curve 25519) | See Phase 1 settings for available alternatives. | |
| Lifetime | 3600 seconds | ||
| Pingable host (jtel side) | 10.168.168.1 | jtel | If required, this host may be pinged to check the availability of the tunnel. |
| Pingable host (customer side) | Customer | If given, this host will be pinged by the jtel side to check the availability of the tunnel. |