To connect jtel Cloud installations to on-premises data, an IPsec VPN is used. The IPsec tunnel is built with the settings below.

Note: some settings are provided by jtel, others must be provided by the customer. The "Provided by" column states which side supplies each value.
## Phase 1 Settings

| Setting | Value | Provided by | Explanation |
|---|---|---|---|
| Remote Gateway (jtel Cloud Side) | DNS Entry | jtel | The DNS entry provided by jtel for the firewall entry point to the cloud instance, for example `cmycust-web.jtel.de`. |
| Remote Gateway (Customer Side) | DNS Entry or IP Address | Customer | The DNS name or IP address of the gateway on the customer side. |
| Key Exchange Version | V2 | | IKEv2 only; IKEv1 is not used. |
| Internet Protocol | IPv4 | | |
| Authentication Method | Mutual Pre-Shared Key | jtel | The pre-shared key is provided by jtel. |
| Peer IDs | IP Addresses | | Both sides identify themselves by their public IPv4 address. The jtel peer ID is the address the jtel DNS entry resolves to; the customer gateway must present the same address the jtel side sees on the wire, so no NAT may sit in front of either gateway. |
| Encryption Algorithm | AES 256 | | |
| Hash Algorithm | SHA 512 | | Used as the IKE integrity and PRF algorithm. |
| DH key group | 31 (Elliptic Curve 25519) | | Less modern firewalls may not offer this group. Other available Diffie-Hellman groups include 16 (4096-bit MODP), 18 (8192-bit MODP), 19 (NIST EC 256 bits), 21 (NIST EC 521 bits), 24 (2048-bit MODP with 256-bit subgroup) and 30 (Brainpool EC 512 bits). Of these, group 24 is rated SHOULD NOT in RFC 8247; if 31 is unavailable, prefer 19, 21, 16 or 18. |
| Lifetime | 28800 seconds | | 8 hours. |
| NAT Traversal | Disabled | | Both gateways must be reachable directly on their public IPv4 addresses; ESP is not UDP-encapsulated, so a NAT device between the two gateways breaks the tunnel. |
| IKEv2 MOBIKE (RFC 4555) | Enabled | | |
| Dead Peer Detection | 10 seconds, 5 retries | | The jtel side will attempt to restart the tunnel if 5 consecutive DPD packets are not acknowledged. |
## Phase 2 Settings

Note: the customer must provide the IP address ranges of all networks which need to be connected through the IPsec tunnel.

| Setting | Value | Provided by | Explanation |
|---|---|---|---|
| Mode | Tunnel IPv4 | | |
| Local Network | 10.168.168.0/24 | jtel | If this range collides with a customer network, please inform jtel before cloud provisioning and a different network will be provided at the jtel end. |
| Remote Networks | | Customer | Provide all networks on the customer side which should be able to route traffic through the IPsec tunnel. None of them may overlap 10.168.168.0/24. |
| Protocol | ESP | | |
| Encryption algorithm | AES 256 | | |
| PFS key group | 31 (Elliptic Curve 25519) | | See the Phase 1 settings for available alternatives. |
| Lifetime | 3600 seconds | | 1 hour. |
| Pingable host (jtel side) | 10.168.168.1 | jtel | If required, this host may be pinged to check the availability of the tunnel. |
| Pingable host (customer side) | | Customer | If given, this host will be pinged by the jtel side to check the availability of the tunnel. |
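The following strongSwan `swanctl.conf` fragment is an added example showing how the Phase 1 and Phase 2 values above map onto one common IPsec implementation on the customer gateway; it is not jtel's own configuration and jtel does not prescribe a particular firewall. The connection name `jtel`, the customer public address `203.0.113.10`, the customer LAN `192.168.10.0/24` and the placeholder pre-shared key are assumptions; `cmycust-web.jtel.de` is the page's own example FQDN. The page names no Phase 2 integrity algorithm, so `sha512` is assumed there to match Phase 1.

```conf
# Added example, not jtel's configuration. Customer-side strongSwan swanctl.conf
# implementing the jtel Cloud IPsec settings. Assumed (not from the page):
# connection name, 203.0.113.10, 192.168.10.0/24, the PSK placeholder.
connections {
    jtel {
        version = 2                          # Key Exchange Version: IKEv2 only
        local_addrs  = 203.0.113.10          # customer gateway, public IPv4
        remote_addrs = cmycust-web.jtel.de   # jtel Cloud side, DNS entry from jtel

        # Peer IDs are IP addresses: the local ID must be the address the
        # jtel side actually sees, which is why no NAT may sit in front of it.
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            # remote.id left at its default (%any); strongSwan then checks the
            # IDr the jtel gateway sends against the resolved remote_addrs.
        }

        # Phase 1: AES-256, SHA-512 (integrity + PRF), DH group 31 = curve25519.
        # Fallbacks for older firewalls (groups 19/21/16/18) could be listed as
        # further comma-separated proposals; group 24 is deliberately omitted.
        proposals  = aes256-sha512-curve25519
        rekey_time = 28800s                  # Phase 1 lifetime (8 h)
        dpd_delay  = 10s                     # Dead Peer Detection every 10 s
        # "5 retries": for IKEv2 strongSwan retransmits the DPD exchange
        # charon.retransmit_tries times (default 5, set in strongswan.conf)
        # before declaring the peer dead.
        mobike = yes                         # IKEv2 MOBIKE (RFC 4555)
        encap  = no                          # NAT Traversal disabled

        children {
            jtel-lan {
                mode      = tunnel               # Tunnel IPv4
                local_ts  = 192.168.10.0/24      # customer network(s), assumed value
                remote_ts = 10.168.168.0/24      # jtel Local Network
                # Phase 2: ESP, AES-256, PFS group 31. sha512 is an assumption;
                # the page lists no Phase 2 integrity algorithm.
                esp_proposals = aes256-sha512-curve25519
                rekey_time    = 3600s            # Phase 2 lifetime (1 h)
                start_action  = trap             # bring the tunnel up on first matching traffic
                dpd_action    = restart          # rebuild the tunnel when the peer is declared dead
            }
        }
    }
}

secrets {
    ike-jtel {
        id-1   = 203.0.113.10
        id-2   = cmycust-web.jtel.de
        secret = "REPLACE-WITH-PSK-PROVIDED-BY-JTEL"   # placeholder, supplied by jtel
    }
}
```

After loading the configuration (`swanctl --load-all`) and initiating or trapping the child, `ping 10.168.168.1` from inside `192.168.10.0/24` exercises the jtel-side pingable host and confirms that both the tunnel and the return route are in place; `swanctl --list-sas` should show the negotiated `AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/CURVE_25519` IKE proposal.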