
Gateway and connection options


The STACKIT VPN Gateway utilizes the industry-leading security of IPsec (Internet Protocol Security) with IKEv2 (Internet Key Exchange Version 2), ensuring robust encryption and authentication for all your data transmissions. This powerful combination provides a multi-layered approach to security, safeguarding your data from unauthorized access and ensuring its integrity throughout its transmission. To ensure optimal security and performance, we support a range of algorithms and options for both the IKE phase (phase 1 / key exchange) and the ESP phase (phase 2 / data encryption).

The gateway name is used solely as a human-readable identification of the gateway. It can be any name of 0 to 63 characters consisting of lower-case letters, upper-case letters, digits and hyphens.

The plan defines the size of the gateway. The price, the maximum bandwidth and the number of included connections that can be configured in the gateway depend on the selected plan. The gateway plan can be upgraded to a higher plan at any time. Downgrading to a lower plan is not supported.

The VPN gateway consists of two internal instances to allow for highly available active-active VPN setups. The availability zone of each internal instance can be chosen separately by the customer. The supported availability zones depend on the STACKIT region, and the zones must be available in the region the gateway is deployed to. For example, for region eu01 the supported availability zones are eu01-1, eu01-2 and eu01-3.

Note:

  • STACKIT highly recommends choosing two different availability zones.
  • Metro zones are not supported.

STACKIT VPN supports different routing types depending on your needs. It defines the architectural basis for traffic steering.

  • POLICY_BASED: Traffic is matched against specific security policies. Requires localSubnets and remoteSubnets.
  • ROUTE_BASED: Traffic is directed through the Virtual Tunnel Interface (VTI) using static routes.
  • BGP_ROUTE_BASED: Traffic is directed through the VTI using dynamic Border Gateway Protocol (BGP). Requires bgp configuration and peering addresses.

Note:

  • The routing type can’t be changed after the gateway has been created. In order to change the type a new gateway needs to be created.

The BGP settings are only required if the BGP_ROUTE_BASED routing type is selected for the gateway. The BGP settings on gateway level affect all connections within the gateway.

The ASN used by the STACKIT VPN gateway. It must be within the 16-bit or 32-bit private ranges as defined in RFC 6996.

  • 16-bit: between 64 512 and 65 534
  • 32-bit: between 4 200 000 000 and 4 294 967 294

If left empty, the SNA network range is advertised to the remote site by default. You can limit the advertised ranges by specifying a list of network ranges (IPv4 CIDRs) to be advertised.


The connection name is used solely as a human-readable identification of the connection. It can be any name of 0 to 63 characters consisting of lower-case letters, upper-case letters, digits and hyphens.

A boolean flag that enables or disables the connection.

The traffic selector on STACKIT side. Mandatory for POLICY_BASED VPN gateways. It defaults to and is recommended to be set to 0.0.0.0/0 for ROUTE_BASED and BGP_ROUTE_BASED VPN gateways.

The traffic selector for the remote side. Mandatory for POLICY_BASED VPN gateways. It defaults to and is recommended to be set to 0.0.0.0/0 for ROUTE_BASED and BGP_ROUTE_BASED VPN gateways.

A list of networks on the remote/on-prem side that should be reachable via the respective VPN connection. (IPv4 CIDRs)

These settings can be set for both tunnel1 and tunnel2 within the connection.

The public IP address of your remote/on-prem VPN gateway. Only this IP is allowed to establish the tunnel.

STACKIT VPN supports Pre-Shared Keys (PSK), a secure authentication method for establishing VPN connections.
PSK is a shared secret key. This key is used to authenticate and encrypt data during the VPN connection setup. PSK offers a simple and effective way to secure your connection, especially in environments where certificate-based authentication is not feasible.

STACKIT VPN enforces the following requirements in order to ensure a secure PSK:

  • must be at least 20 characters long
  • must contain at least 16 different characters
  • must have at least one upper case letter
  • must have at least one lower case letter
  • must have at least one number

The peering object defines the point-to-point IP configuration for the Tunnel Interface. These addresses serve as next-hop identifiers, are used for BGP peering sessions and can be used in static route-based connectivity. They can be any IP addresses, but they should lie outside the SNA and your remote network ranges to avoid conflicts later on.

The ASN used by your remote gateway. It must be within the 16-bit or 32-bit private ranges as defined in RFC 6996.

  • 16-bit: between 64 512 and 65 534
  • 32-bit: between 4 200 000 000 and 4 294 967 294
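The following validator is an added example, not STACKIT code. It checks the constraints this page states for gateway and connection names, the PSK policy, the RFC 6996 private ASN ranges and the recommendation that peering addresses lie outside the SNA and remote network ranges; the sample values at the bottom are constructed.

```python
import ipaddress
import re
import string

# Names: 0-63 characters of letters, digits and hyphens.
NAME_RE = re.compile(r"[A-Za-z0-9-]{0,63}")

# Inclusive RFC 6996 private ASN ranges as quoted on the page.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def valid_name(name):
    """True if the gateway/connection name satisfies the page's name rule."""
    return NAME_RE.fullmatch(name) is not None


def psk_violations(psk):
    """Return the PSK policy rules the key breaks (an empty list means compliant)."""
    problems = []
    if len(psk) < 20:
        problems.append("shorter than 20 characters")
    if len(set(psk)) < 16:
        problems.append("fewer than 16 different characters")
    if not any(c in string.ascii_uppercase for c in psk):
        problems.append("no upper case letter")
    if not any(c in string.ascii_lowercase for c in psk):
        problems.append("no lower case letter")
    if not any(c in string.digits for c in psk):
        problems.append("no number")
    return problems


def valid_private_asn(asn):
    """True if asn lies in one of the RFC 6996 private ranges."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def peering_conflicts(peering_ips, network_ranges):
    """Peering addresses that fall inside the SNA or remote CIDRs (should be empty)."""
    nets = [ipaddress.ip_network(r, strict=False) for r in network_ranges]
    return [ip for ip in peering_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    # Constructed sample values, not real deployment data.
    print(valid_name("onprem-gw-01"), psk_violations("a" * 20 + "A1"))
    print(valid_private_asn(65000),
          peering_conflicts(["169.254.10.1", "10.0.0.5"], ["10.0.0.0/16"]))
```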

You can select one or more algorithms for each option. If multiple algorithms are selected the STACKIT VPN Gateway will negotiate with the remote gateway the best matching algorithms supported by both gateways. Ensure that your remote gateway has at least one matching algorithm for each option configured.

  • Default values can be applied when configuring the VPN Gateway via the STACKIT Portal.

The Diffie-Hellman Group is used to agree on a shared secret key with the remote host. It is required unless AEAD algorithms are selected.

  • Options: modp1024, modp2048, ecp256, ecp384, modp2048s256
  • Default: ecp384*

The encryption algorithm ensures that authentication and key exchange are secure.

  • Options: aes256, aes128gcm16, aes256gcm16
  • Default: aes256*

The integrity algorithm is used to verify authenticity and as the pseudo-random function (PRF).

  • Options: sha1, sha2_256, sha2_384
  • Default: sha2_384*

Interval in seconds after which a Phase 1 (IKE) re-keying is scheduled.

  • Options: between 900 and 28800 seconds
  • Default: 14400*

The Diffie-Hellman Group in Phase 2 is used to improve the cryptographic security of the connection.

  • Options: modp1024, modp2048, ecp256, ecp384, modp2048s256
  • Default: ecp384*

The encryption algorithm ensures that the data is protected during transmission and cannot be read or manipulated by unauthorized third parties.

  • Options: aes256, aes128gcm16, aes256gcm16
  • Default: aes256*

The integrity algorithm in Phase 2 is used for negotiation of the child SA.

  • Options: sha1, sha2_256, sha2_384
  • Default: sha2_384*

In case of a dead peer detection (DPD) timeout, the tunnel can either close the Phase 2 SA and take no further action, or restart and immediately try to re-negotiate the Phase 2 SA under a fresh Phase 1 SA (IKE SA).

  • Options:
    • Clear: It closes the Phase 2 SA and does not take further action
    • Restart: Immediately tries to re-negotiate the Phase 2 SA under a fresh Phase 1 SA (IKE SA)
  • Default: restart*

Interval in seconds after which a Phase 2 SA (child SA) re-keying is scheduled.

  • Options: between 900 and 3600 seconds
  • Default: 3600*
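As an added example (not STACKIT code), the following simulates the per-option negotiation described above: for each of the DH group, encryption and integrity options it picks the first algorithm in the local preference order that the remote gateway also offers, reports the option that has no common algorithm, and checks re-key intervals against the Phase 1 and Phase 2 windows given on this page. It assumes the DH group list uses the standard modp2048 identifier and reads "required except if AEAD algorithms are selected" as: the DH group may be left empty only when every selected encryption algorithm is AEAD. All proposals are constructed.

```python
# Option values as listed on this page (assumption: the DH group is modp2048).
SUPPORTED = {
    "dh": ("modp1024", "modp2048", "ecp256", "ecp384", "modp2048s256"),
    "encryption": ("aes256", "aes128gcm16", "aes256gcm16"),
    "integrity": ("sha1", "sha2_256", "sha2_384"),
}
AEAD = {"aes128gcm16", "aes256gcm16"}
REKEY_LIMITS = {"ike": (900, 28800), "esp": (900, 3600)}  # seconds, inclusive


def negotiate_phase(local, remote):
    """local/remote map option -> list of algorithms; local is in preference order.

    Returns (chosen, None) on success, or (None, reason) when an option has no
    algorithm in common with the remote gateway or a local entry is unsupported.
    """
    chosen = {}
    # Assumed reading of the page: DH may be omitted only if all ciphers are AEAD.
    only_aead = all(e in AEAD for e in local.get("encryption", []))
    for option in ("dh", "encryption", "integrity"):
        ours = local.get(option, [])
        for alg in ours:
            if alg not in SUPPORTED[option]:
                return None, f"{option}: {alg} is not a supported value"
        if option == "dh" and not ours and only_aead:
            continue
        theirs = set(remote.get(option, []))
        match = next((a for a in ours if a in theirs), None)
        if match is None:
            return None, f"{option}: no algorithm shared with the remote gateway"
        chosen[option] = match
    return chosen, None


def rekey_ok(phase, seconds):
    """True if the re-key interval lies inside the window for 'ike' or 'esp'."""
    lo, hi = REKEY_LIMITS[phase]
    return lo <= seconds <= hi


if __name__ == "__main__":
    # Constructed proposals for illustration only.
    ours = {"dh": ["ecp384", "modp2048"], "encryption": ["aes256gcm16", "aes256"],
            "integrity": ["sha2_384", "sha2_256"]}
    peer = {"dh": ["modp2048", "modp1024"], "encryption": ["aes256"],
            "integrity": ["sha2_256", "sha1"]}
    print(negotiate_phase(ours, peer))
    print(rekey_ok("ike", 14400), rekey_ok("esp", 14400))
```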

The start action defines how the tunnel will be initiated.

  • Options:
    • None: The connection will be loaded but needs to be manually initiated
    • Start: Initiate the connection actively
  • Default: start*