<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="create-vpn-customer-gateway">
<title>Creating and Updating a VPN Customer Gateway</title>
<note>
<para>A VPN customer gateway can be connected to only one VPN gateway at a time.</para>
</note>
<para>To add a VPN Customer Gateway:</para>
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
</listitem>
<listitem>
<para>In the left navigation, choose Network.</para>
</listitem>
<listitem>
<para>In the Select view, select VPN Customer Gateway.</para>
</listitem>
<listitem>
<para>Click Add VPN Customer Gateway.</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/add-vpn-customer-gateway.png"/>
</imageobject>
<textobject>
<phrase>addvpncustomergateway.png: adding a customer gateway.</phrase>
</textobject>
</mediaobject>
<para>Provide the following information:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Name</emphasis>: A unique name for the VPN customer gateway
you create.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Gateway</emphasis>: The IP address for the remote
gateway.</para>
</listitem>
<listitem>
<para><emphasis role="bold">CIDR list</emphasis>: The guest CIDR list of the remote
subnets. Enter a CIDR or a comma-separated list of CIDRs. Ensure that no guest CIDR
overlaps the VPC’s CIDR or another guest CIDR. Each CIDR must be
RFC1918-compliant.</para>
</listitem>
<listitem>
<para><emphasis role="bold">IPsec Preshared Key</emphasis>: Preshared keying is a method
where the endpoints of the VPN share a secret key. This key value is used to
authenticate the customer gateway and the VPC VPN gateway to each other. </para>
<note>
<para>The IKE peers (VPN end points) authenticate each other by computing and sending a
keyed hash of data that includes the Preshared key. If the receiving peer is able to
create the same hash independently by using its Preshared key, it knows that both
peers must share the same secret, thus authenticating the customer gateway.</para>
</note>
</listitem>
<listitem>
<para><emphasis role="bold">IKE Encryption</emphasis>: The Internet Key Exchange (IKE)
policy for phase-1. The supported encryption algorithms are AES128, AES192, AES256, and
3DES. Authentication is accomplished through the Preshared Keys.</para>
<note>
<para>Phase-1 is the first phase in the IKE process. In this initial negotiation
phase, the two VPN endpoints agree on the methods used to secure the underlying IP
traffic. Phase-1 authenticates the two VPN gateways to each other by confirming that
the remote gateway has a matching Preshared Key.</para>
</note>
</listitem>
<listitem>
<para><emphasis role="bold">IKE Hash</emphasis>: The IKE hash for phase-1. The supported
hash algorithms are SHA1 and MD5.</para>
</listitem>
<listitem>
<para><emphasis role="bold">IKE DH</emphasis>: A public-key cryptography protocol which
allows two parties to establish a shared secret over an insecure communications channel.
The 1536-bit Diffie-Hellman group is used within IKE to establish session keys. The
supported options are None, Group-5 (1536-bit) and Group-2 (1024-bit).</para>
</listitem>
<listitem>
<para><emphasis role="bold">ESP Encryption</emphasis>: Encapsulating Security Payload
(ESP) algorithm within phase-2. The supported encryption algorithms are AES128, AES192,
AES256, and 3DES.</para>
<note>
<para>Phase-2 is the second phase in the IKE process. Its purpose is to negotiate the
IPsec security associations (SAs) that set up the IPsec tunnel. In phase-2, new keying
material is derived from the phase-1 Diffie-Hellman key exchange to provide the session
keys that protect the VPN data flow.</para>
</note>
</listitem>
<listitem>
<para><emphasis role="bold">ESP Hash</emphasis>: Encapsulating Security Payload (ESP) hash
for phase-2. Supported hash algorithms are SHA1 and MD5.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Perfect Forward Secrecy</emphasis>: Perfect Forward Secrecy
(PFS) is the property that ensures that a session key derived from a set of long-term
public and private keys is not compromised even if one of those long-term keys is later
compromised. This property enforces a new Diffie-Hellman key exchange, so that the
resulting keying material is fresh and therefore more resistant to cryptographic attacks.
The available options are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security
of the key exchange increases as the DH group grows larger, as does the time the
exchange takes.</para>
<note>
<para>When PFS is turned on, the two gateways must generate a new set of phase-1 keys for
every negotiation of a new phase-2 SA. This extra layer of protection ensures that, once
the phase-2 SAs have expired, the keys used for the new phase-2 SAs are not derived from
the current phase-1 keying material.</para>
</note>
</listitem>
<listitem>
<para><emphasis role="bold">IKE Lifetime (seconds)</emphasis>: The phase-1 lifetime of the
security association in seconds. Default is 86400 seconds (1 day). Whenever the time
expires, a new phase-1 exchange is performed.</para>
</listitem>
<listitem>
<para><emphasis role="bold">ESP Lifetime (seconds)</emphasis>: The phase-2 lifetime of the
security association in seconds. Default is 3600 seconds (1 hour). Whenever the value is
exceeded, a re-key is initiated to provide new IPsec encryption and authentication
session keys.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Dead Peer Detection</emphasis>: A method to detect an
unavailable Internet Key Exchange (IKE) peer. Select this option if you want the virtual
router to query the liveness of its IKE peer at regular intervals. It is recommended to
use the same DPD configuration on both sides of the VPN connection.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Click OK.</para>
</listitem>
</orderedlist>
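<para>As an added example (not CloudStack’s own code), the following Python function applies the CIDR list rules described above before the form is submitted: each entry must parse as a CIDR, must be RFC1918-compliant, and must not overlap the VPC CIDR or another guest CIDR in the list. The function name and the sample inputs are assumptions for illustration.</para>

```python
"""Validate the CIDR list typed into the VPN Customer Gateway form.

Added example, not CloudStack's own code. It checks the three rules the
form states: every entry parses as a CIDR, is RFC1918-compliant, and does
not overlap the VPC's CIDR or any other guest CIDR in the same list.
"""
import ipaddress

# The three RFC1918 private address ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if the whole IPv4 network lies inside one RFC1918 range."""
    net = ipaddress.ip_network(net, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(r) for r in RFC1918)


def validate_cidr_list(cidr_list, vpc_cidr):
    """Return the list of problems found; an empty list means the entry is valid.

    cidr_list is the comma-separated string from the form field and vpc_cidr is
    the CIDR of the VPC the customer gateway will be connected to.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    accepted = []  # guest CIDRs already parsed, for the overlap check
    for raw in cidr_list.split(","):
        text = raw.strip()
        try:
            # strict=True rejects entries with host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            problems.append(f"{text!r} is not a valid CIDR")
            continue
        if not is_rfc1918(net):
            problems.append(f"{net} is not RFC1918-compliant")
        if net.overlaps(vpc):
            problems.append(f"{net} overlaps the VPC CIDR {vpc}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{net} overlaps another guest CIDR {other}")
        accepted.append(net)
    return problems
```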
<formalpara>
<title>Updating and Removing a VPN Customer Gateway</title>
<para>You can update a customer gateway only when it has no VPN connection, or when the
related VPN connection is in the error state.</para>
</formalpara>
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
</listitem>
<listitem>
<para>In the left navigation, choose Network.</para>
</listitem>
<listitem>
<para>In the Select view, select VPN Customer Gateway.</para>
</listitem>
<listitem>
<para>Select the VPN customer gateway you want to work with.</para>
</listitem>
<listitem>
<para>To modify the required parameters, click the Edit VPN Customer Gateway button<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/edit-icon.png"/>
</imageobject>
<textobject>
<phrase>edit.png: button to edit a VPN customer gateway</phrase>
</textobject>
</inlinemediaobject></para>
</listitem>
<listitem>
<para>To remove the VPN customer gateway, click the Delete VPN Customer Gateway button<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/delete-button.png"/>
</imageobject>
<textobject>
<phrase>delete.png: button to remove a VPN customer gateway</phrase>
</textobject>
</inlinemediaobject></para>
</listitem>
<listitem>
<para>Click OK.</para>
</listitem>
</orderedlist>
</section>