IPsec VPN configuration
IPsec VPN is a an excellent method to create a secured point-to-point connection between two internal networks. It is an alterative to the traditionnal IP filtering. Jahia Cloud offers IPsec VPN out of the box. Some prior knowledge is required in order to perform the full setup by yourself, otherwise, your Jahia Support team is here to help!
IPsec VPN tunnels can be created to allow network traffic between the Tomcat servers of a Jahia Cloud environment and your infrastructure. Traffic cannot be routed to other backends such as Elasticsearch, Galera clusters and jCustomers.
Supported connection type
The type of connections that are supported are:
Other connection types will not be supported.
Jahia Cloud uses strongSwan as an IPsec VPN Server. Jahia Cloud users can deploy a single strongSwan configuration file named
ipsec.conf (see related documentation) as well as a pre-shared key (
PSK) used by the VPN client and server to authenticate.
The ipsec.conf file contains a "
left" and "
right" section. Here, "
right" is the Cloud client section, "
left" is Jahia Cloud. The left part needs to be defined to "
%any" and the type of the connections needs to be defined to "site-to-site".
rightsubnet property needs to be set to define which subnet will be made available to the Jahia nodes via the tunnel.
rightsubnet property must not overlap with the Jahia Cloud environment's subnets:
192.168.0.0/16, 10.200.0.0/16, 10.150.0.0/16, 10.100.0.0/16
In case of a network overlap, IPs need to be NATed with non-overlapping subnetworks on the client side.
No automated DNS resolution will be handled by the Jahia Cloud client infrastructure's DNS servers. In case some "internal" DNS resolution must happen, the domains to be resolved need to be configured as follows:
If the IPsec VPN connection doesn't succeed right away, please reach out to the Support team to get help. We will gladly help you troubleshoot the issue.
Here is a simple configuration sample of a working IPsec Connection:
conn customer-infra fragmentation = yes keyexchange = ikev2 reauth = yes forceencaps = no mobike = yes rekey = yes installpolicy = yes type = tunnel dpdaction = restart dpdtimeout = 600s auto = route right = CUSTOMER_PUBLIC_IP rightid = CUSTOMER_PUBLIC_IP rightsubnet = CUSTOMER_SUBNETS_COMMA_SEPARATED ikelifetime = 28800s lifetime = 3600s left = %any leftsourceip = %config leftdns = %config ike = aes128-sha1-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1536,aes192-sha256-modp3072! esp = aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes192gcm128-sha256-modp2048,aes192gcm96-sha256-modp2048,aes192gcm64-sha256-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha256-modp2048,blowfish256-sha256-modp2048,blowfish192-sha256-modp2048,blowfish128-sha256-modp2048,3des-sha256-modp2048! authby = psk aggressive = no
In the secret field, put the secret with the following format:
: PSK "XXXXXXX"