
Create a connection


The STACKIT VPN Service allows you to establish secure tunnels between your VPN gateway and a remote peer. Because the service utilizes an active-active architecture, every connection requires the configuration of two separate tunnels to ensure maximum availability and redundancy.

This guide demonstrates how to create a VPN connection, covering policy-based, route-based, and BGP-based configurations.

Before you create a connection, ensure you have the following:

  • An existing STACKIT VPN gateway in the READY state.
  • The public IPv4 addresses of your remote VPN peer.
  • A pre-shared key (PSK) with a minimum of 20 characters.
  • Information regarding your routing architecture (local and remote subnets, or BGP settings).

The parameters you must provide depend on the routingType of your parent gateway. You cannot change the routing type once the gateway is created.

The following table outlines the requirements for each routing mode:

To establish the tunnels, send a POST request to the connections endpoint of your specific gateway.

  1. Identify your projectId, region, and gatewayId.

  2. Prepare the JSON request body. Ensure you provide configuration for both tunnel1 and tunnel2.

  3. Send the request to the following endpoint:

    POST /v1alpha1/projects/{projectId}/regions/{region}/gateways/{gatewayId}/connections

This example shows a connection request for a gateway using BGP_ROUTE_BASED routing. Note that the preSharedKey is a writeOnly field and will not be returned in subsequent GET requests.

    {
      "displayName": "office-neckarsulm-connection",
      "tunnel1": {
        "remoteAddress": "203.0.113.10",
        "preSharedKey": "a-very-secure-and-long-psk-string",
        "peering": {
          "localAddress": "169.254.0.1",
          "remoteAddress": "169.254.0.2"
        },
        "bgp": {
          "remoteAsn": 65000
        }
      },
      "tunnel2": {
        "remoteAddress": "203.0.113.11",
        "preSharedKey": "a-very-secure-and-long-psk-string",
        "peering": {
          "localAddress": "169.254.0.5",
          "remoteAddress": "169.254.0.6"
        },
        "bgp": {
          "remoteAsn": 65000
        }
      }
    }

Once the request is initiated, the system begins the IKE negotiation with your remote peer. You can monitor the status of the connection in the STACKIT Portal or via the API.

  • PENDING
    The system is configuring the virtual tunnel interfaces and initiating the handshake.
  • READY
    The connection is established. This state indicates the tunnels are ready to pass traffic, though actual traffic flow depends on your local and remote firewall rules.
  • ERROR
    The connection could not be established. This is often caused by mismatched PSKs, incorrect IKE settings on the remote peer, or firewall blocks.
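The following helper script is an added example and not part of the STACKIT documentation or SDK: it assembles the BGP_ROUTE_BASED request body described above, runs local pre-flight checks before anything is sent (the 20-character PSK minimum comes from this guide; the IPv4 and 32-bit ASN checks are our own assumptions about what the service accepts), produces a log-safe copy with the writeOnly preSharedKey masked, and polls a caller-supplied state lookup until the connection leaves PENDING.

```python
import ipaddress
import json
from typing import Callable

PSK_MIN_LEN = 20                      # minimum PSK length required by the guide
TERMINAL_STATES = {"READY", "ERROR"}  # states that end the IKE negotiation


def connection_path(project_id: str, region: str, gateway_id: str) -> str:
    """Connections endpoint of one gateway, as given in the guide."""
    return (f"/v1alpha1/projects/{project_id}/regions/{region}"
            f"/gateways/{gateway_id}/connections")


def tunnel(remote_ip: str, psk: str, local_peer: str, remote_peer: str, asn: int) -> dict:
    """One BGP_ROUTE_BASED tunnel object in the request-body shape shown above."""
    return {"remoteAddress": remote_ip, "preSharedKey": psk,
            "peering": {"localAddress": local_peer, "remoteAddress": remote_peer},
            "bgp": {"remoteAsn": asn}}


def tunnel_problems(t: dict) -> list:
    """Local pre-flight checks (assumed, not service-documented) that catch common ERROR causes early."""
    problems = []
    peering = t["peering"]
    for addr in (t["remoteAddress"], peering["localAddress"], peering["remoteAddress"]):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"not an IPv4 address: {addr}")
    if len(t["preSharedKey"]) < PSK_MIN_LEN:
        problems.append("preSharedKey shorter than 20 characters")
    if peering["localAddress"] == peering["remoteAddress"]:
        problems.append("peering localAddress equals remoteAddress")
    if not 1 <= t["bgp"]["remoteAsn"] <= 4294967295:
        problems.append("remoteAsn outside the 32-bit ASN range")
    return problems


def connection_body(display_name: str, tunnel1: dict, tunnel2: dict) -> dict:
    """Assemble the POST body; both tunnels are mandatory on the active-active gateway."""
    problems = tunnel_problems(tunnel1) + tunnel_problems(tunnel2)
    if problems:
        raise ValueError("; ".join(problems))
    return {"displayName": display_name, "tunnel1": tunnel1, "tunnel2": tunnel2}


def redacted(body: dict) -> str:
    """JSON safe for logs and tickets: preSharedKey is writeOnly and must never be echoed."""
    safe = json.loads(json.dumps(body))  # deep copy so the real body keeps its PSK
    for key in ("tunnel1", "tunnel2"):
        safe[key]["preSharedKey"] = "***"
    return json.dumps(safe, indent=2)


def wait_for_state(get_state: Callable[[], str], max_polls: int = 30) -> str:
    """Poll a callable that GETs the connection state until READY or ERROR, or give up."""
    state = "PENDING"
    for _ in range(max_polls):
        state = get_state()
        if state in TERMINAL_STATES:
            break
    return state
```

Pass the dict from connection_body() as the JSON body of the POST to connection_path(), and wrap a GET on the resulting connection in the callable handed to wait_for_state().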

After your connection reaches the READY state, verify that traffic can pass between your SNA and the remote network.

  • Check firewall rules: Ensure that your security groups and the remote firewall allow the necessary traffic.
  • Verify BGP peering: If using BGP, check that the BGP session is established and routes are being exchanged correctly.
  • Create more connections: You can add multiple connections to a single gateway to connect several remote sites.