Written by The Jahia Team
   Estimated reading time:

Overview

IPsec VPN is a an excellent method to create a secured point-to-point connection between two internal networks. It is an alterative to the traditionnal IP filtering. Jahia Cloud offers IPsec VPN out of the box. Some prior knowledge is required in order to perform the full setup by yourself, otherwise, your Jahia Support team is here to help!

Scope

IPsec VPN tunnels can be created to allow network traffic between the Tomcat servers of a Jahia Cloud environment and your infrastructure. Traffic cannot be routed to other backends such as Elasticsearch, Galera clusters and jCustomers.

Configuration

Jahia Cloud uses strongSwan as an IPsec VPN Server. Jahia Cloud users can deploy a single strongSwan configuration file named ipsec.conf (see related documentation) as well as a pre-shared key (PSK) used by the VPN client and server to authenticate.

The ipsec.conf file contains a "left" and "right" section. Here, "right" is the Cloud client section, "left" is Jahia Cloud. The left part needs to be defined to "%any" and the type of the connections needs to be defined to "site-to-site".

The rightsubnet property needs to be set to define which subnet will be made available to the Jahia nodes via the tunnel.

Overlapping subnets

The rightsubnet property must not overlap with the Jahia Cloud environment's subnet and with 192.168.0.0/16 (global Jahia Cloud subnet)

In case of a network overlap, IPs need to be NATed with non-overlapping subnetworks on the client side.

Limitations

No automated DNS resolution will be handled by the Jahia Cloud client infrastructure's DNS servers. In case some "internal" DNS resolution must happen, the domains to be resolved need to be configured as follows:

##internal_domains=int.client.com,int2.client.com

Troubleshooting

If the IPsec VPN connection doesn't succeed right away, please reach out to the Support team to get help. We will gladly help you troubleshoot the issue.