The STACKIT VPN appliance is a Linux-based IPsec (strongSwan) appliance designed to simplify site-to-site VPN connections to a VPC tenant. The appliance is a self-managed solution that has to be operated by the customer.

The appliance is administered through a web interface (HTTPS) that is protected by a single local user login.

Functions
The appliance offers two modules, a server module and a client module.
These can be used to implement the following two scenarios:
- Road Warrior client to site connections
- Site to site connections
VPN Connection Options
IPsec connections support a number of authentication methods; the ones listed below are currently supported:
- IKEv1 & IKEv2
- Certificate-based authentication
- EAP-TLS (Certificate)
- PSK (Pre Shared Key)
- EAP (Username/Password)
IPsec Policy
The settings listed here make up the IKE / IPsec policy. The remote peer must be configured to match these settings.
Further down in the document you will find examples of how to configure connections to various remote peers.
| Parameter | Supported values |
|---|---|
| IKE encryption | AES128, AES192, AES256 |
| IKE authentication (integrity) | SHA2-256, SHA2-384, SHA2-512 |
| IKE SA lifetime | max. 14000 |
| IKE DH group | Group 14-18: MODP 2048, 3072, 4096, 6144, 8192; Group 19-21: ECP 256, 384, 521 |
| IPsec encryption | AES128-GCM, AES192-GCM, AES256-GCM |
| IPsec SA lifetime | max. 3600 |
| IPsec PFS group | Group 14-18: MODP 2048, 3072, 4096, 6144, 8192; Group 19-21: ECP 256, 384, 521 |
This table shows the encryption methods the VPN appliance supports. No algorithm selection is required on the appliance itself; the algorithms actually used are negotiated automatically with the remote peer from this set, so the remote peer must offer at least one matching proposal.
Basics IPsec VPN
For IPsec connections, exactly one of the two sides must be the active side. The active side initiates the connection; the other side is passive and only responds. In the terminology of the appliance, the active side is configured as start and the passive side as trap.
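As an added illustration (not from the original documentation), the following swanctl.conf fragment shows how a remote strongSwan peer can be configured to match the policy table above and to act as the passive (trap) side, with the appliance set to start. Addresses, certificate names, identities and traffic selectors are placeholders, and the lifetime values are assumed to be seconds.

```conf
# Remote strongSwan peer, passive side: the STACKIT appliance is set to
# "start" and initiates; this side only installs a trap policy and responds.
connections {
    to-stackit {
        version = 2                          # IKEv2 (IKEv1 is also supported by the appliance)
        local_addrs  = 203.0.113.10          # placeholder: public address of this peer
        remote_addrs = 198.51.100.20         # placeholder: public address of the appliance

        # IKE proposal taken from the policy table:
        # AES256 (CBC) encryption, SHA2-384 integrity, DH group 20 (ECP 384)
        proposals = aes256-sha384-ecp384
        rekey_time = 14000s                  # must not exceed the appliance's IKE SA lifetime (assumed seconds)

        local {
            auth  = pubkey                   # certificate-based authentication
            certs = remote-site.pem          # placeholder: this peer's certificate in /etc/swanctl/x509
            id    = "CN=remote-site.example" # placeholder identity
        }
        remote {
            auth = pubkey
            id   = "CN=vpn-appliance.example" # placeholder: identity presented by the appliance
        }

        children {
            site-to-site {
                local_ts  = 10.1.0.0/16      # placeholder: local subnet
                remote_ts = 10.2.0.0/16      # placeholder: VPC subnet behind the appliance

                # ESP proposal taken from the policy table: AES256-GCM (AEAD, so no
                # separate integrity algorithm) with PFS group 20 (ECP 384)
                esp_proposals = aes256gcm16-ecp384
                rekey_time    = 3600s        # must not exceed the appliance's IPsec SA lifetime (assumed seconds)

                # Passive side: install a trap policy, never initiate.
                # Use start_action = start instead if this peer is meant to be the active side
                # and the appliance is configured as trap.
                start_action = trap
            }
        }
    }
}
```

Only one of the two ends may use start; if both are configured as trap neither side initiates, and if both use start the two peers race to bring up duplicate SAs.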