IPsec VPN configuration

November 14, 2023

Overview

IPsec VPN is an excellent way to create a secured site-to-site connection between two internal networks, and an alternative to traditional IP filtering. Jahia Cloud offers IPsec VPN out of the box. Some prior knowledge is required to perform the full setup yourself; otherwise, your Jahia Support team is here to help!

Scope

IPsec VPN tunnels can be created to allow network traffic between the Tomcat servers of a Jahia Cloud environment and your infrastructure. Traffic cannot be routed to other backends such as Elasticsearch, Galera clusters or jCustomer.

Prerequisites

The supported connection type is IKEv2 with MOBIKE (the IKEv2 mobility and multihoming extension; both are enabled in the sample configuration below), and only pre-shared key (PSK) authentication is accepted. Other connection types and authentication methods (certificates, EAP, IKEv1) are not compatible with our IPsec setup.

Configuration

Jahia Cloud uses strongSwan as its IPsec VPN server. Jahia Cloud users can deploy a single strongSwan configuration file named ipsec.conf (see the related documentation), together with the pre-shared key (PSK) that the VPN client and server use to authenticate each other.

The ipsec.conf file describes a connection with a "left" and a "right" side. Here, "right" is your side (the Cloud client) and "left" is Jahia Cloud. The left side must be set to "%any", and the connection must be a site-to-site tunnel (type = tunnel, as in the sample below).

The rightsubnet property must be set to the subnet, or comma-separated list of subnets, on your side that the Jahia nodes will reach through the tunnel.

Overlapping subnets

The rightsubnet property must not overlap any of the Jahia Cloud environment's subnets: 192.168.0.0/16, 10.200.0.0/16, 10.150.0.0/16 and 10.100.0.0/16.

If your network overlaps one of these ranges, translate the addresses (NAT) to a non-overlapping range on your side and declare that translated range in rightsubnet.

Limitations

Jahia Cloud does not automatically use your infrastructure's DNS servers for name resolution. If names in your "internal" domains must be resolved through the tunnel, list those domains in the internal_domains custom property, written as a comment line in ipsec.conf as follows (the two leading hash signs are part of the syntax, do not remove them):

## internal_domains=mydomain1.com,mydomain2.com

Troubleshooting

If the IPsec VPN connection doesn't succeed right away, please reach out to the Support team to get help. We will gladly help you troubleshoot the issue.

Code example

Here is a configuration sample of a working IPsec connection. The ike and esp lines list every proposal Jahia Cloud accepts (the trailing "!" makes the list strict, so nothing else will be negotiated); configure your gateway to offer the strongest one it supports, for example aes192-sha256-modp3072 for IKE and an AES-GCM proposal with modp2048 for ESP, rather than the SHA-1, modp1024, 3DES or Blowfish entries, which are weak by current standards.

conn customer-infra
    # Jahia Cloud custom property, keep the two hash signs (see Limitations)
    ## internal_domains=mydomain1.com,mydomain2.com
    fragmentation = yes
    # IKEv2 only; MOBIKE below is an IKEv2 extension
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    # dead peer detection: restart the tunnel after 600s without a reply
    dpdaction = restart
    dpdtimeout = 600s
    # install the policy at startup; the tunnel is negotiated on first matching traffic
    auto = route
    # your side: the public IP of your VPN gateway and the subnets reachable through the tunnel
    right = CUSTOMER_PUBLIC_IP
    rightid = CUSTOMER_PUBLIC_IP
    rightsubnet = CUSTOMER_SUBNETS_COMMA_SEPARATED
    # IKE SA lifetime (8h) and CHILD SA / ESP lifetime (1h)
    ikelifetime = 28800s
    lifetime = 3600s
    # Jahia Cloud side
    left = %any
    leftsourceip = %config
    leftdns = %config
    # accepted proposals; the trailing ! makes each list strict
    ike = aes128-sha1-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1536,aes192-sha256-modp3072!
    esp = aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes192gcm128-sha256-modp2048,aes192gcm96-sha256-modp2048,aes192gcm64-sha256-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha256-modp2048,blowfish256-sha256-modp2048,blowfish192-sha256-modp2048,blowfish128-sha256-modp2048,3des-sha256-modp2048!
    # pre-shared key only; IKEv1 aggressive mode is never used
    authby = psk
    aggressive = no

In the secret field, put the pre-shared key in strongSwan's ipsec.secrets format:

: PSK "XXXXXXX"

The PSK is the only thing authenticating the two gateways to each other, so use a long random value (32 or more characters generated by a cryptographic random generator, never a word or a reused password) and exchange it with your Jahia Support team over a channel other than e-mail.
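As an added example (not Jahia's tooling and not code from the original page), the following Python script checks an ipsec.conf conn block and an ipsec.secrets line against the constraints stated in the Configuration, Overlapping subnets and Limitations sections and above, before you submit them: left = %any, IKEv2, PSK authentication, a tunnel-type connection, a rightsubnet that is valid CIDR and does not overlap the four Jahia Cloud ranges, a well-formed "## internal_domains" marker, and a PSK of reasonable length. The sample conn block, the 203.0.113.10 address and the subnets in it are constructed for the example, and the 32-character PSK minimum is an assumption for this script, not a Jahia requirement.

```python
"""Pre-flight validator for a Jahia Cloud ipsec.conf submission.

Added example, not Jahia's own tooling. It checks the constraints this page
states for the conn block and the ': PSK "..."' secrets line.
"""
import ipaddress
import re
import secrets

# Jahia Cloud environment ranges that rightsubnet must not overlap (from this page).
JAHIA_CLOUD_RANGES = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "10.200.0.0/16", "10.150.0.0/16", "10.100.0.0/16")]
MIN_PSK_LEN = 32  # assumption for this example, not a Jahia requirement

INTERNAL_DOMAINS_RE = re.compile(r"^##\s*internal_domains=(\S+)$")
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
PSK_LINE_RE = re.compile(r'^:\s*PSK\s+"([^"]*)"$')


def parse_conn(text):
    """Split a conn block into (settings dict, internal_domains list)."""
    settings, domains = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = INTERNAL_DOMAINS_RE.match(line)
        if m:  # the '## internal_domains=' marker is a comment to strongSwan
            domains.extend(d for d in m.group(1).split(",") if d)
            continue
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings, domains


def overlapping(subnets, ranges=JAHIA_CLOUD_RANGES):
    """Return (subnet, range) string pairs that overlap; empty means no conflict."""
    return [(str(s), str(r)) for s in subnets for r in ranges if s.overlaps(r)]


def validate_conf(text):
    """Return a list of problems with the ipsec.conf text; empty means it passes."""
    settings, domains = parse_conn(text)
    problems = []
    for key, expected in (("left", "%any"), ("keyexchange", "ikev2"),
                          ("authby", "psk"), ("type", "tunnel")):
        if settings.get(key) != expected:
            problems.append(f"{key} must be {expected}, got {settings.get(key)!r}")
    raw = settings.get("rightsubnet", "")
    if not raw:
        problems.append("rightsubnet is missing")
    else:
        try:  # strict=True rejects host bits set, e.g. 10.20.0.1/16
            subnets = [ipaddress.ip_network(s.strip(), strict=True)
                       for s in raw.split(",")]
        except ValueError as exc:
            problems.append(f"rightsubnet is not a valid CIDR list: {exc}")
        else:
            for s, r in overlapping(subnets):
                problems.append(
                    f"rightsubnet {s} overlaps Jahia Cloud range {r}; NAT it on your side")
    problems.extend(f"internal_domains entry {d!r} is not a valid domain name"
                    for d in domains if not HOSTNAME_RE.match(d))
    return problems


def validate_secret(line):
    """Return problems with a ': PSK "..."' secrets line; empty means it passes."""
    m = PSK_LINE_RE.match(line.strip())
    if not m:
        return ['secret must have the form : PSK "..."']
    psk = m.group(1)
    if len(psk) < MIN_PSK_LEN:
        return [f"PSK is only {len(psk)} characters; use {MIN_PSK_LEN} or more"]
    return []


def new_secret_line(nbytes=32):
    """Generate a secrets line with a random PSK from the OS CSPRNG."""
    return f': PSK "{secrets.token_urlsafe(nbytes)}"'


# Constructed inputs: 203.0.113.10 is a documentation address, the subnets are made up.
GOOD_CONF = """\
conn customer-infra
    ## internal_domains=mydomain1.com,mydomain2.com
    keyexchange = ikev2
    type = tunnel
    right = 203.0.113.10
    rightid = 203.0.113.10
    rightsubnet = 10.20.0.0/16,172.16.8.0/24
    left = %any
    authby = psk
"""
BAD_CONF = GOOD_CONF.replace("10.20.0.0/16", "10.150.4.0/24")  # overlaps 10.150.0.0/16

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, validate_conf(conf) or "OK")
    print(validate_secret(': PSK "XXXXXXX"') or "OK")
    print(new_secret_line())
```

Run it against your own file before submitting; an overlap report means the subnet has to be NATed on your side first, and a CIDR error usually means a host address was written where a network was expected.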

Monitoring

You can verify the status of your custom IPsec VPN configuration at any time. Follow these steps to access the connection status:

  1. Go to Jahia Cloud
  2. Click on "Monitoring" in the top right corner.
  3. Select "Monitor" and then choose "Manage Monitor".
  4. In the filter, enter "IPsec" and press Enter.