IPsec VPN configuration

February 2, 2022

Overview

IPsec VPN is a an excellent method to create a secured point-to-point connection between two internal networks. It is an alterative to the traditionnal IP filtering. Jahia Cloud offers IPsec VPN out of the box. Some prior knowledge is required in order to perform the full setup by yourself, otherwise, your Jahia Support team is here to help!

Scope

IPsec VPN tunnels can be created to allow network traffic between the Tomcat servers of a Jahia Cloud environment and your infrastructure. Traffic cannot be routed to other backends such as Elasticsearch, Galera clusters and jCustomers.

Supported connection type

The type of connections that are supported are:

  • Mobike

Other connection types will not be supported.

Configuration

Jahia Cloud uses strongSwan as an IPsec VPN Server. Jahia Cloud users can deploy a single strongSwan configuration file named ipsec.conf (see related documentation) as well as a pre-shared key (PSK) used by the VPN client and server to authenticate.

The ipsec.conf file contains a "left" and "right" section. Here, "right" is the Cloud client section, "left" is Jahia Cloud. The left part needs to be defined to "%any" and the type of the connections needs to be defined to "site-to-site".

The rightsubnet property needs to be set to define which subnet will be made available to the Jahia nodes via the tunnel.

Overlapping subnets

The rightsubnet property must not overlap with the Jahia Cloud environment's subnets: 192.168.0.0/16, 10.200.0.0/16, 10.150.0.0/16, 10.100.0.0/16

In case of a network overlap, IPs need to be NATed with non-overlapping subnetworks on the client side.

Limitations

No automated DNS resolution will be handled by the Jahia Cloud client infrastructure's DNS servers. In case some "internal" DNS resolution must happen, the domains to be resolved need to be configured as follows:

##internal_domains=int.client.com,int2.client.com

Troubleshooting

If the IPsec VPN connection doesn't succeed right away, please reach out to the Support team to get help. We will gladly help you troubleshoot the issue.

Code example

Here is a simple configuration sample of a working IPSec Connection:

conn customer-infra
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpdtimeout = 600s
    auto = route
    right = CUSTOMER_PUBLIC_IP
    rightid = CUSTOMER_PUBLIC_IP
    rightsubnet = CUSTOMER_SUBNETS_COMMA_SEPARATED
    ikelifetime = 28800s
    lifetime = 3600s
    left = %any
    leftsourceip = %config
    leftdns = %config
    ike = aes128-sha1-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1536,aes192-sha256-modp3072!
    esp = aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes192gcm128-sha256-modp2048,aes192gcm96-sha256-modp2048,aes192gcm64-sha256-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha256-modp2048,blowfish256-sha256-modp2048,blowfish192-sha256-modp2048,blowfish128-sha256-modp2048,3des-sha256-modp2048!
    authby = psk
    aggressive = no