VPN configuration parameters

This article supplements the instructions in Creating a VPN.


VPN configuration options

The following table describes the Skytap VPN parameters.

Notes

  • Most of the Skytap VPN configuration values are determined by your IT organization, based on the VPN endpoint device that Skytap is connecting to. Work closely with your IT organization to ensure that the following values match exactly on both the VPN endpoint device and the Skytap VPN configuration page: Phase 1 encryption algorithm, Phase 1 hash algorithm, Phase 1 pre-shared key, Phase 1 SA lifetime, Phase 1 DH group, Phase 2 encryption algorithm, Phase 2 authentication algorithm, Phase 2 SA lifetime, Phase 2 perfect forward secrecy and, when PFS is enabled, the Phase 2 PFS group. A mismatch in any Phase 1 value prevents the IKE security association from being established; a mismatch in a Phase 2 value lets Phase 1 complete but leaves the tunnel unable to carry traffic.
  • The one parameter generated by Skytap—the Skytap peer IP—must be supplied to your IT group so that it can be configured on the remote end of the tunnel.

For links to detailed information about configuring your Skytap VPN to connect with common VPN endpoints (like AWS VPC, Azure VPN, Cisco IOS, and more), see VPN configuration examples below.

Parameter Name

Description

Where Does the Value Come From?

Example

Name

Enter a name for the Skytap VPN.

Max. 255 characters.

Admin

CorporateVPN

Remote peer IP

Enter the public IP address for the remote VPN endpoint device. The remote VPN endpoint device is typically a network device on your corporate network that has been configured to connect to the Skytap VPN.

If your VPN endpoint is behind a NAT router, use the public IP address of the NAT router, otherwise the VPN connection will fail.

Customer IT

74.2.147.3

Region

Select an available region in your account.

This field is tied to the Skytap peer IP below: the static public IP address you select must be in the same region as the Skytap VPN.

US-West

Skytap peer IP

Select an available static public IP address in your Skytap account.

This IP address is used exclusively by the Skytap VPN. When a Skytap static public IP is used by a VPN, it is not available for use by VMs in Skytap.

Selected from the available public IP addresses listed on the VPNs page, or allocated as needed from the Admin > Public IP tab

76.32.14.101

Skytap subnet

Enter the subnet for the VMs in Skytap that will send and receive traffic through this VPN.

Notes:

  • Traffic sent to the Skytap subnet (destination) from included subnets on the external network (source) is routed through the IPsec tunnel.
  • Traffic sent to the external network (destination) from IP addresses in the Skytap subnet (source) is routed through the IPsec tunnel as defined by the included and excluded remote subnet rules (see Remote Subnets options below).
  • This subnet cannot overlap with restricted subnets or included remote subnets (defined below).

When NAT is enabled on the VPN (see below), NAT IP addresses are allocated from this subnet.

Customer IT

10.1.0.0/23

Apply NAT for connecting networks

Select whether to enable NAT for Skytap virtual networks connected to the VPN.

Options: YES or NO.

If YES, the VPN assigns unique NAT IP addresses to all VMs connected to the VPN. Traffic between the VPN and the VMs occurs over these NAT IP addresses.

NAT automatically assigns IP addresses from the Skytap subnet defined above.

The Skytap subnet should be large enough to accommodate all of the VMs that will be attached to the VPN. Allow for future growth with additional VMs. We recommend a /22 subnet or larger. It is easier to set a large subnet during the initial VPN configuration than to extend the NAT subnet after NAT IP addresses have been assigned.

For more information, see Using Network Address Translation (NAT) to avoid IP address conflicts.

Admin

YES

Topology

Select the topology that matches the remote VPN endpoint.

Options:

  • Policy-based: Access to the VPN is determined by IPsec policy; the configured traffic selectors (the Skytap subnet and the included remote subnets) decide which packets enter the tunnel. This is the most commonly used topology.
  • Route-based: The remote endpoint uses static or dynamic IP routes and ACLs to direct traffic to a tunnel interface rather than matching it against IPsec policy.

Customer IT

Policy-based

Phase 1 encryption algorithm

Select the algorithm for Phase 1 encryption.

Options: 3des, aes, or aes 256

3des is a legacy cipher with a 64-bit block size; prefer aes 256 unless the remote endpoint cannot support it.

Customer IT

aes 256

Phase 1 hash algorithm

Select the hash algorithm for Phase 1 authentication.

Options: md5, sha1, or sha256

md5 is deprecated. Use sha256 where the remote endpoint supports it; fall back to sha1 only for compatibility.

Customer IT

sha256

Phase 1 pre-shared key

Enter the Phase 1 pre-shared key: a text string of up to 128 characters that both endpoints use to authenticate each other during IKE Phase 1, before any IPsec SA is negotiated. The same key must be configured on the remote VPN endpoint.

Notes

  • The current value of the key is not displayed to any user. The key can only be updated to a new value using the Edit VPN link. The new value can be the same as or different from the current value.
  • Double-quote characters (") are not supported in pre-shared keys.
  • Use a long, randomly generated string rather than a word or phrase. The pre-shared key is the only thing authenticating the two peers, and if the remote device negotiates IKEv1 aggressive mode, a weak key can be recovered offline from captured negotiation traffic.

Customer IT

HelloWorld

Phase 1 SA lifetime

Enter a value (in seconds) for the Phase 1 Security Association (SA) lifetime.

Valid range: 1 to 2147483647.

Customer IT

28800

Phase 1 DH group

Select the Diffie-Hellman (DH) group for Phase 1.

Options: modp1024 (2), modp1536 (5), or modp2048 (14)

modp1024 (2) is deprecated. Use modp1536 (5) or, preferably, modp2048 (14), the strongest group offered.

Customer IT

modp2048 (14)

Phase 2 encryption algorithm

Select the algorithm for Phase 2 encryption.

Options: 3des, aes, aes 256, or aes_gcm

Customer IT

aes_gcm

Phase 2 authentication algorithm

Select the algorithm for Phase 2 authentication.

Options: hmac_md5, hmac_sha1, or hmac_sha256

hmac_md5 is deprecated. Use hmac_sha256 where the remote endpoint supports it; fall back to hmac_sha1 only for compatibility.

Customer IT

hmac_sha256

Phase 2 perfect forward secrecy (PFS)

Select whether to enable Perfect Forward Secrecy (PFS).

Options: ON or OFF

With PFS OFF, the Phase 2 keys are derived from the Phase 1 Diffie-Hellman secret, so an attacker who recovers that secret can decrypt every Phase 2 SA negotiated under it. With PFS ON, each Phase 2 SA performs its own Diffie-Hellman exchange. Enable PFS if the remote endpoint supports it, and set the same value on both ends.

Customer IT

OFF

Phase 2 PFS group

If Phase 2 PFS is enabled (above), select the Diffie-Hellman group to use.

Options: modp1024 (2), modp1536 (5), or modp2048 (14)

modp1024 (2) is deprecated. Use modp1536 (5) or modp2048 (14).

Customer IT

modp2048 (14)

Phase 2 SA lifetime

Enter a value (in seconds) for the Phase 2 Security Association (SA) lifetime.

Valid range: 1 to 2147483647.

Customer IT

3600

SA policy level

Select the Security Association (SA) policy level for policy-based VPNs.

Options: require or unique

require means every packet matching the policy must be protected by an IPsec SA; unique additionally gives each policy (each Skytap subnet/remote subnet pair) its own SA rather than sharing one across policies. Use the level the remote endpoint expects.

On route-based VPNs, this field is disabled.

Customer IT

require

Specify maximum segment size

Select whether to enable a non-standard maximum segment size (below).

Generally, this should be used only if it is required by the remote VPN endpoint, or to troubleshoot VPN errors. Lowering the MSS keeps TCP segments small enough that, after the IPsec headers are added, packets still fit within the path MTU instead of being fragmented or dropped.

Options: YES or NO

Customer IT

NO

Maximum segment size

If Specify maximum segment size is enabled (above), enter the non-standard maximum segment size.

Valid range: 536 to 1460.

Customer IT

1000

Dead peer detection

Select whether Dead Peer Detection (DPD) is enabled.

We recommend that you enable Dead Peer Detection if it is available on the remote VPN endpoint. DPD sends periodic liveness checks to the peer, so a tunnel whose remote end has silently gone away is torn down and renegotiated instead of black-holing traffic.

Customer IT

True
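As an added example (not Skytap code or a Skytap API; the dictionary keys, function names and the 20-character minimum key length are assumptions made here), this Python pre-flight check compares the Phase 1 and Phase 2 values from the table above against the values the IT organization reports for the remote endpoint, flags the options the table marks deprecated, and applies the pre-shared key rules:

```python
"""Pre-flight check for the Phase 1 / Phase 2 settings and pre-shared key of a
Skytap VPN, run before the tunnel is created.

Added example, not Skytap's own code or API: the dictionary keys, function
names and PSK_MIN_LEN are assumptions made here; the option values and the
deprecation notes come from the parameter table on this page.
"""

# Parameters the table says must be identical on both ends of the tunnel.
MUST_MATCH = (
    "phase1_encryption",
    "phase1_hash",
    "phase1_sa_lifetime",
    "phase1_dh_group",
    "phase2_encryption",
    "phase2_authentication",
    "phase2_sa_lifetime",
    "phase2_pfs",
)

# Values the table marks deprecated (md5, hmac_md5, modp1024) plus 3des,
# a legacy 64-bit-block cipher the table still lists.
DEPRECATED = {
    "phase1_encryption": {"3des"},
    "phase1_hash": {"md5"},
    "phase1_dh_group": {"modp1024 (2)"},
    "phase2_encryption": {"3des"},
    "phase2_authentication": {"hmac_md5"},
    "phase2_pfs_group": {"modp1024 (2)"},
}

PSK_MAX_LEN = 128  # from the table
PSK_MIN_LEN = 20   # assumption: a reasonable floor for a random key


def check_phase_params(skytap: dict, remote: dict) -> dict:
    """Compare the Skytap side against the remote endpoint's settings.

    Returns {"mismatches": [(key, skytap_value, remote_value), ...],
             "warnings": [str, ...]}.
    The PFS group is compared only when PFS is ON on the Skytap side; with
    PFS OFF the negotiation ignores it, so a differing value is harmless.
    """
    mismatches = [
        (key, skytap.get(key), remote.get(key))
        for key in MUST_MATCH
        if skytap.get(key) != remote.get(key)
    ]
    ours, theirs = skytap.get("phase2_pfs_group"), remote.get("phase2_pfs_group")
    if skytap.get("phase2_pfs") == "ON" and ours != theirs:
        mismatches.append(("phase2_pfs_group", ours, theirs))

    warnings = [
        f"{key}={skytap[key]} is deprecated"
        for key, bad in DEPRECATED.items()
        if skytap.get(key) in bad
    ]
    if skytap.get("phase2_pfs") != "ON":
        # Without PFS every Phase 2 key derives from the Phase 1 DH secret,
        # so one Phase 1 compromise exposes all Phase 2 SAs under it.
        warnings.append("phase2_pfs=OFF: enable PFS if the remote endpoint supports it")
    return {"mismatches": mismatches, "warnings": warnings}


def check_psk(psk: str) -> list:
    """Apply the table's pre-shared key rules (max length, no double quotes)
    plus this example's own minimum-length assumption."""
    problems = []
    if len(psk) > PSK_MAX_LEN:
        problems.append(f"longer than {PSK_MAX_LEN} characters")
    if '"' in psk:
        problems.append("contains a double-quote character")
    if len(psk) < PSK_MIN_LEN:
        problems.append(f"shorter than {PSK_MIN_LEN} characters; use a long random string")
    return problems


# Constructed sample: the table's example values on the Skytap side, and a
# remote endpoint whose admin left the Phase 1 hash at md5 and set a
# 3600 s Phase 1 lifetime.
SKYTAP_SIDE = {
    "phase1_encryption": "aes 256",
    "phase1_hash": "sha256",
    "phase1_sa_lifetime": 28800,
    "phase1_dh_group": "modp2048 (14)",
    "phase2_encryption": "aes_gcm",
    "phase2_authentication": "hmac_sha256",
    "phase2_sa_lifetime": 3600,
    "phase2_pfs": "OFF",
    "phase2_pfs_group": "modp2048 (14)",
}
REMOTE_SIDE = dict(SKYTAP_SIDE, phase1_hash="md5", phase1_sa_lifetime=3600)

if __name__ == "__main__":
    report = check_phase_params(SKYTAP_SIDE, REMOTE_SIDE)
    for key, ours, theirs in report["mismatches"]:
        print(f"MISMATCH {key}: Skytap={ours!r} remote={theirs!r}")
    for warning in report["warnings"]:
        print("WARN", warning)
    print("PSK problems:", check_psk("HelloWorld"))
```

Run it once with the values your IT organization sends back; an empty mismatch list is the condition the Notes at the top of this article ask you to confirm before creating the VPN.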

Remote Subnets options

After you create a VPN, you must define at least one remote subnet to include; the VPN does not pass traffic until you do. You can also choose remote subnets to exclude.

Parameter Name

Description

Where Does the Value Come From?

Example

include

(required)

IP addresses and subnets on the external network that send and receive traffic through this VPN.

  • Traffic sent to included remote subnets (destination) from the Skytap subnet (source) is routed through the IPsec tunnel.
  • These subnets can't overlap with restricted subnets or the Skytap subnet (defined above).

Customer IT

192.168.0.0/24, 172.16.0.0/24

exclude

(optional)

Subset of IP addresses and subnets on the external network that should be excluded from using the VPN tunnel. This is used only to carve exclusions out of larger included remote subnets.

  • Each excluded remote subnet must be contained by an included remote subnet. For example, if an included remote subnet is 192.0.0.0/24, you can exclude the remote subnet 192.0.0.0/28.
  • Traffic from the Skytap subnet to an excluded remote subnet bypasses the VPN tunnel and goes directly to the public Internet.

This is a "bypass" security policy: the VPN router still manages the routes for these addresses, but the traffic leaves without IPsec protection. Exclude only ranges that are meant to be reached over the public Internet rather than through the tunnel.

Customer IT

192.168.0.240/28
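An added example, not Skytap code or a Skytap API, that checks an address plan against the constraints stated in both tables (public remote peer IP, at least one included subnet, no overlap with the Skytap subnet, every exclusion inside an inclusion, the /22 NAT sizing recommendation) and expands the include/exclude lists into the exact prefixes whose traffic enters the tunnel; the function and field names are this example's own:

```python
"""Check the address plan of a Skytap VPN against the constraints stated on
this page and expand the include/exclude lists into tunnel prefixes.

Added example, not Skytap's own code or API: the function and field names are
this example's own. Inputs are CIDR strings; a subnet with host bits set
(e.g. 192.168.0.1/24) raises ValueError from ipaddress instead of being
silently corrected.
"""
import ipaddress

NAT_RECOMMENDED_PREFIX = 22  # the page recommends a /22 or larger when NAT is on


def validate_vpn_addressing(skytap_subnet, remote_peer_ip, included,
                            excluded=(), nat_enabled=False):
    """Return {"errors": [...], "warnings": [...]}.

    An empty error list means the plan satisfies the page's rules; warnings
    are recommendations (NAT sizing) that do not stop the VPN from working.
    """
    errors, warnings = [], []
    local = ipaddress.ip_network(skytap_subnet, strict=True)
    peer = ipaddress.ip_address(remote_peer_ip)
    inc = [ipaddress.ip_network(s, strict=True) for s in included]
    exc = [ipaddress.ip_network(s, strict=True) for s in excluded]

    # Remote peer IP: must be routable from the Internet. If the endpoint
    # sits behind NAT this has to be the NAT router's public address.
    if not peer.is_global:
        errors.append(f"remote peer {peer} is not a public IP address")

    # Included remote subnets: at least one, none overlapping the Skytap subnet.
    if not inc:
        errors.append("at least one included remote subnet is required")
    for n in inc:
        if n.overlaps(local):
            errors.append(f"included subnet {n} overlaps Skytap subnet {local}")

    # Excluded remote subnets: each must lie inside some included subnet.
    for e in exc:
        if not any(e.subnet_of(n) for n in inc):
            errors.append(f"excluded subnet {e} is not inside any included subnet")

    # NAT IPs are allocated from the Skytap subnet, so size it for growth now;
    # enlarging it after NAT addresses have been assigned is harder.
    if nat_enabled and local.prefixlen > NAT_RECOMMENDED_PREFIX:
        warnings.append(f"NAT is enabled but {local} has only "
                        f"{local.num_addresses} addresses; use a "
                        f"/{NAT_RECOMMENDED_PREFIX} or larger")
    return {"errors": errors, "warnings": warnings}


def effective_remote_prefixes(included, excluded=()):
    """Expand include minus exclude into the CIDR blocks whose traffic from
    the Skytap subnet actually enters the tunnel.

    Traffic to the excluded blocks bypasses the tunnel and goes to the public
    Internet, so these are the selectors a policy-based peer would carry.
    """
    result = []
    for n in (ipaddress.ip_network(s) for s in included):
        pieces = [n]
        for e in (ipaddress.ip_network(s) for s in excluded):
            if not e.subnet_of(n):
                continue  # exclusion belongs to a different included subnet
            rest = []
            for p in pieces:
                if p.subnet_of(e):
                    continue  # the whole piece is excluded
                if e.subnet_of(p):
                    rest.extend(p.address_exclude(e))  # split around the hole
                else:
                    rest.append(p)
            pieces = rest
        result.extend(pieces)
    return [str(p) for p in sorted(result)]


# Constructed sample: the example values used in the tables on this page.
if __name__ == "__main__":
    report = validate_vpn_addressing(
        "10.1.0.0/23", "74.2.147.3",
        included=["192.168.0.0/24", "172.16.0.0/24"],
        excluded=["192.168.0.240/28"], nat_enabled=True)
    print(report)
    print(effective_remote_prefixes(["192.168.0.0/24", "172.16.0.0/24"],
                                    ["192.168.0.240/28"]))
```

With the page's example values the plan passes with one warning (a /23 is smaller than the recommended /22 when NAT is on), and the single /28 exclusion splits 192.168.0.0/24 into four tunnel prefixes; that split is what a policy-based peer ends up negotiating, which is why large exclusion lists on policy-based VPNs get unwieldy.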

IKE protocol support

Skytap VPNs support the IKEv1 protocol. IKEv2 is not supported at this time, so configure the remote endpoint for IKEv1; an endpoint that offers only IKEv2 cannot negotiate with the Skytap VPN.

VPN configuration examples for common devices and endpoints

Sample VPN diagram

This simplified diagram shows Skytap VMs in the 10.1.0.0/23 IP address range communicating with external machines in the 192.168.0.0/24 and 172.16.0.0/24 IP address range. This diagram does not illustrate any excluded remote subnets.

[Diagram: Skytap VMs communicating with external machines]