- Navigate to https://app.americancloud.com
- Select "Networking"
- Select "VPN Customer Gateway" from the top menu.
- Select "+ Add VPN Customer Gateway"
- Name
  - Input a custom name for the Gateway.
- Project
  - Select the project in which the Gateway will reside.
- Gateway
  - Select the public IP address for the Gateway. This should be the public IP of the remote network, typically a firewall device.
- CIDR List
  - In the context of a gateway, a CIDR list defines the range of IP addresses that are allowed to communicate through the gateway. It can be used as a security measure to restrict access to a network, or to specify which IP address ranges are allowed to connect to a VPN. The CIDR list can be configured on the gateway device or in the cloud-based network infrastructure to enforce these restrictions.
  - Select the preferred CIDR list.
- IPsec Pre-shared Key
  - An IPsec (Internet Protocol Security) pre-shared key (PSK) is a method of authentication used to establish a secure, encrypted communication channel between two devices over a network. The PSK is a secret key shared by the two devices and used to encrypt and decrypt data passing through the channel. This method of authentication is commonly used in VPN (Virtual Private Network) connections, where the PSK is shared between the VPN client and server to establish a secure connection.
  - Several online tools generate keys, or OpenSSL can be used on the local machine to generate an IPsec PSK by running:
  - `openssl rand -base64 24`
  - Create a PSK and add it.
- IKE Encryption
  - Internet Key Exchange (IKE) is a protocol used to establish a secure, encrypted connection between two devices in a VPN (Virtual Private Network). Encryption in IKE protects the exchange of security parameters and shared secrets while the VPN connection is being established. IKE supports various encryption algorithms, such as AES, DES, and 3DES, to encrypt and protect the data exchanged between the devices, ensuring its confidentiality, integrity, and authenticity.
  - Input the chosen encryption type.
- IKE Hash
  - The Internet Key Exchange (IKE) hash is a cryptographic function used to ensure the integrity of data transmitted between two devices in a VPN (Virtual Private Network) connection. The hash function generates a fixed-size message digest from the input data, which is used to verify that the data has not been modified or tampered with in transit. IKE supports several hash algorithms, such as SHA-1, SHA-2, and MD5, which offer different levels of security and performance.
  - Input the chosen hash type.
- IKE DH
  - Internet Key Exchange (IKE) Diffie-Hellman (DH) is a key exchange protocol used to establish a shared secret key between two devices in a VPN (Virtual Private Network) connection. DH generates the shared secret without ever sending the key itself over the network, which protects it from interception. IKE supports various DH groups, such as groups 1, 2, 5, 14, 19, 20, and 24, which offer different levels of security and performance.
  - Input the chosen DH group.
- IKE Version
  - The Internet Key Exchange (IKE) version is the revision of the IKE protocol used to establish a secure, encrypted connection between two devices in a VPN (Virtual Private Network). IKE has undergone several revisions, each introducing new features and improvements. The available versions are IKEv1 and IKEv2, with IKEv2 being the most recent. IKEv2 offers improved security, efficiency, and flexibility over IKEv1, making it the preferred choice for many VPN implementations.
  - Input the chosen version.
- ESP Encryption
  - Encapsulating Security Payload (ESP) is a protocol that provides encryption and authentication of data transmitted between two devices in a VPN (Virtual Private Network) connection. ESP encrypts the payload of IP packets, ensuring the confidentiality, integrity, and authenticity of the data being transmitted. ESP supports various encryption algorithms, such as AES, DES, and 3DES, which offer different levels of security and performance. ESP also provides optional support for data compression and anti-replay protection.
  - Input the chosen encryption.
- ESP Hash
  - The Encapsulating Security Payload (ESP) hash is a mechanism used to ensure the integrity of data transmitted between two devices in a VPN (Virtual Private Network) connection. The hash function generates a fixed-size message digest from the input data, which is used to verify that the data has not been modified or tampered with in transit. ESP supports various hash algorithms, such as SHA-1, SHA-2, and MD5, which offer different levels of security and performance.
  - Input the chosen hash.
- Perfect Forward Secrecy
  - Perfect Forward Secrecy (PFS) is a property of cryptographic protocols that ensures past communications remain protected even if a user's private key is compromised. PFS achieves this by generating a fresh set of public and private keys for each session, so an attacker who later obtains the private key still cannot decrypt previously captured messages. This adds a further layer of security to the communication. PFS is commonly used in VPN (Virtual Private Network) and secure messaging protocols.
  - Input the chosen perfect forward secrecy setting.
- IKE Lifetime
  - The Internet Key Exchange (IKE) lifetime is the duration for which the security associations (SAs) established during IKE negotiation remain valid. An SA is the security mechanism that ensures the confidentiality, integrity, and authenticity of data transmitted between two devices in a VPN (Virtual Private Network) connection. The IKE lifetime is set by the VPN administrator and can range from a few minutes to several hours, depending on security requirements and network conditions. Once the IKE lifetime expires, the devices renegotiate a new SA to maintain secure communication.
  - Input the chosen lifetime.
- ESP Lifetime
  - The Encapsulating Security Payload (ESP) lifetime is the duration for which the encryption and authentication keys ESP uses to secure data between two devices in a VPN (Virtual Private Network) connection remain valid. It is defined by the VPN administrator and can range from a few minutes to several hours, depending on security requirements and network conditions. Once the ESP lifetime expires, the devices renegotiate new keys to maintain secure communication. The ESP lifetime can be tuned to balance the security and performance requirements of the VPN connection.
  - Input the chosen lifetime.
- Dead Peer Detection
  - Dead Peer Detection (DPD) is a mechanism used in VPN (Virtual Private Network) connections to detect when a peer has become unreachable or unresponsive. DPD monitors the state of the VPN connection and sends periodic requests to the remote peer to confirm its availability. If the peer fails to respond, DPD considers it dead and initiates a new negotiation to re-establish the VPN connection. DPD helps ensure the continuous availability and reliability of VPN connections.
  - Toggle disabled/enabled (disabled by default).
- Split Connections
  - Split tunneling is a VPN (Virtual Private Network) feature that sends some traffic through the VPN tunnel while other traffic goes directly to the internet. With split tunneling, only traffic destined for the corporate network traverses the VPN tunnel, while other traffic, such as general web browsing, goes straight to the internet. Split tunneling can reduce the load on the VPN connection and improve the performance of internet-based applications. However, it can also pose security risks, because it allows unencrypted traffic to bypass the VPN tunnel.
  - Toggle disabled/enabled (disabled by default).
- Force UDP Encapsulation of ESP Packets
  - Forcing UDP encapsulation of Encapsulating Security Payload (ESP) packets is a technique used in VPN (Virtual Private Network) connections to improve the reliability of ESP over networks that block or interfere with ESP traffic. By wrapping ESP packets inside User Datagram Protocol (UDP) packets, the VPN connection can pass through such network restrictions without the ESP traffic being dropped or modified. The UDP encapsulation can also provide additional security features, such as authentication and anti-replay protection.
  - Toggle disabled/enabled (disabled by default).
- Select "ADD VPN GATEWAY".
  - The new gateway will be added to the table. To copy the IPsec pre-shared key, select the copy icon on the right. Use the trashcan icon to delete the gateway if necessary.
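A pre-flight check for the form above, added here as an example and not taken from the American Cloud docs: it generates the PSK with the openssl command given earlier and warns when the IKE/ESP proposal you intend to enter uses one of the legacy options the page lists. The thresholds it applies (AES, SHA-2, DH group 14 or higher, IKEv2, PFS on) are this example's assumptions, not values the form itself enforces.

```shell
# Added example, not part of the American Cloud docs. gen_psk runs the
# openssl command the page gives; check_proposal flags the legacy IKE/ESP
# options the page lists (DES, 3DES, MD5, SHA-1, DH 1/2/5, IKEv1, PFS off).

# gen_psk: 24 random bytes, base64-encoded -> 32 printable characters.
gen_psk() {
    openssl rand -base64 24
}

# psk_ok KEY: succeeds when KEY looks like at least 32 chars of base64.
psk_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{32,}={0,2}$'
}

# lc STR: lowercase helper so "AES256" and "aes256" compare equal.
lc() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# check_proposal IKE_VER IKE_ENC IKE_HASH IKE_DH ESP_ENC ESP_HASH PFS
# Prints one WARN line per weak setting; returns 0 only if none were found.
# The "weak" thresholds below are this example's assumptions.
check_proposal() {
    bad=0
    case "$(lc "$1")" in
        ikev2) ;;
        *) echo "WARN: IKE version '$1'; prefer IKEv2"; bad=1 ;;
    esac
    for enc in "$2" "$5"; do
        case "$(lc "$enc")" in
            des|3des) echo "WARN: '$enc' is a legacy cipher; choose AES"; bad=1 ;;
        esac
    done
    for h in "$3" "$6"; do
        case "$(lc "$h")" in
            md5|sha1|sha-1) echo "WARN: '$h' is a legacy hash; choose SHA-2"; bad=1 ;;
        esac
    done
    case "$4" in
        1|2|5) echo "WARN: DH group $4 is too small; choose 14 or higher"; bad=1 ;;
    esac
    case "$(lc "$7")" in
        ""|off|disabled|none) echo "WARN: PFS off; a leaked key exposes past sessions"; bad=1 ;;
    esac
    return $bad
}

# Constructed demo: legacy proposal is rejected, hardened proposal accepted.
check_proposal IKEv1 3DES MD5 2 DES SHA-1 off || echo "legacy proposal rejected"
check_proposal IKEv2 AES256 SHA256 14 AES256 SHA256 on && echo "hardened proposal accepted"
```

Run the checker with the exact values you plan to enter on both the American Cloud form and the remote firewall; a mismatch between the two ends is the usual cause of a connection that never leaves the Connecting state.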
Create Site-To-Site
Tip: For more information on creating a VPC, see our VPC Creation Doc.
- Select "VPC" from the top menu.
- Select the desired VPC network for adding the site-to-site VPN.
- In the top menu select "Site-to-site VPN"
- Select the slider bar to activate the site-to-site VPN. Once the VPN is running select "+ Create VPN Connection".
- In the drop-down select the customer gateway to be used during the connection creation and select "Create VPN Connection"
- The connection will show in the table below. The state of the connection will change from Pending -> Connecting -> Connected. This process usually takes only a few moments. If it fails, verify that the settings match on both ends of the connection.