# IPSec VPN

## <mark style="color:green;">**Overview**</mark> <a href="#overview" id="overview"></a>

IPsec VPN offers site-to-site connectivity between HI GIO and remote sites that use third-party hardware routers or VPN gateways supporting IPSec.

On HI GIO, you can create VPN tunnels between:

* Organization virtual data center networks in the same organization
* Organization virtual data center networks in different organizations
* An organization virtual data center network and an external network

## <mark style="color:green;">**Procedure**</mark> <a href="#procedure" id="procedure"></a>

{% tabs %}
{% tab title="I. Prepare VPN parameters" %}
Complete the [IPSec parameters](/network/2.-vpn/ipsec-parameters.md) before creating the tunnel; the same values must be configured on the remote site.
{% endtab %}

{% tab title="II. Create IPSec VPN" %}
**Step 1:** In the top navigation bar, click **Networking** and click the **Edge Gateways** tab.

**Step 2:** Click the **edge gateway**.

<figure><img src="/files/oxcIujQGmI2qydKC3RAc" alt=""><figcaption></figcaption></figure>

**Step 3:** Under **Services**, click **IPSec VPN**.

**Step 4:** To configure an IPSec VPN tunnel, click **New**.

<figure><img src="/files/xD3kh6BUb7GqqZAJbErV" alt=""><figcaption></figcaption></figure>

**Step 5:** Enter a **Name** and, optionally, a **Description** for the IPSec VPN tunnel.

**Step 6:** To enable the tunnel upon creation, toggle on the **Status** option.

<figure><img src="/files/ErhAwRiIBrvzY9yrLM9e" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Leave the Security Profile as **Default** for now; it is customized later, once the VPN tunnel has been created.
{% endhint %}

**Step 7:** Click **NEXT** to proceed to Authentication Mode.

**Step 8:** Select a peer authentication mode and click **NEXT**.

<figure><img src="/files/PKXyxb898pgxUiiAFoIc" alt=""><figcaption></figcaption></figure>

**HI GIO supports two options for Authentication Mode:**

| **Option**         | **Description**                                                                                                 |
| ------------------ | --------------------------------------------------------------------------------------------------------------- |
| **Pre-Shared Key** | Choose a pre-shared key to enter. The pre-shared key must be the same on the other end of the IPSec VPN tunnel. |
| **Certificate**    | Select site and CA certificates to be used for authentication.                                                  |

**Step 9:** In the *Endpoint Configuration* window, enter the parameters you prepared in step I ([IPSec parameters](https://higio-support.atlassian.net/wiki/spaces/v2/pages/40206337)):

*<mark style="color:blue;">**IP address \[Local Endpoint]:**</mark> <mark style="color:blue;">Enter HI GIO's public IP address.</mark>*

*<mark style="color:blue;">**Networks \[Local Endpoint]:**</mark> <mark style="color:blue;">Enter at least one local IP subnet (HI GIO's network) to be reachable through the IPSec VPN tunnel.</mark>*

*<mark style="color:blue;">**IP address \[Remote Endpoint]:**</mark> <mark style="color:blue;">Enter the remote site's public IP address (for example, the office's public IP).</mark>*

*<mark style="color:blue;">**Networks \[Remote Endpoint]:**</mark> <mark style="color:blue;">Enter at least one remote IP subnet (for example, the office's network) to be reachable through the IPSec VPN tunnel.</mark>*

**Step 10:** Enter the **remote ID** (optional) for the peer site.

{% hint style="warning" %}
This applies when **Certificate** is used as the authentication mode.
{% endhint %}

The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware, OU=VCD, CN=Edge1.

<figure><img src="/files/zUGa06W5oZO9UUoaSkYv" alt=""><figcaption></figcaption></figure>

**Step 11:** Click **Next**.

**Step 12:** Review your settings and click **Finish**.

<figure><img src="/files/FHDu1oyP1RQhlGjrQqcA" alt=""><figcaption></figcaption></figure>

The newly created IPSec VPN tunnel is listed in the **IPSec VPN** view. The IPSec VPN tunnel is created with a default security profile.

<figure><img src="/files/GPTKP7Tyl3yHIRDXEgSs" alt=""><figcaption></figcaption></figure>

**Step 13:** To verify that the tunnel is functioning, select it and click **View Statistics**.

If the tunnel is functioning, **Tunnel Status** and **IKE Service Status** both display Up.

<figure><img src="/files/YfogMusoJV96VbhQyN6P" alt=""><figcaption></figcaption></figure>

{% endtab %}

{% tab title="III. Configure the Security Profile of the IPSec VPN Tunnel" %}
Once the IPSec VPN tunnel has been created, you can change its IPSec configuration through the **security profile**. The profile must match the configuration of the remote site.

**Step 1:** In the top navigation bar, click **Networking** and click the **Edge Gateways** tab.

**Step 2:** Click the **edge gateway**.

<figure><img src="/files/be2NThdpffBvssTreRMh" alt=""><figcaption></figcaption></figure>

**Step 3:** Under **Services**, click **IPSec VPN**.

**Step 4:** Select the IPSec VPN tunnel and click **Security Profile Customization**.

<figure><img src="/files/ZP0S4LS8a9mjS3fovPoM" alt=""><figcaption></figcaption></figure>

**Step 5:** Change the VPN tunnel settings to the values you prepared ([IPSec parameters](https://higio-support.atlassian.net/wiki/spaces/v2/pages/40206337)).

<figure><img src="/files/0Dg8Ymu92zOsaQ1Y1MgB" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Remember that the security settings must match the remote site's security settings.
{% endhint %}
{% endtab %}

{% tab title="IV. Set up firewall rules for the VPN tunnel" %}
**Step 1:** Prepare an IP set for the firewall rules (a dynamic or static group can also be used). [More detail](/network/1.-working-with-network/using-edge-gateway-firewall.md)

<figure><img src="/files/chykwZ6vsa6l0M86TAgC" alt=""><figcaption></figcaption></figure>

**IP set detail:**

<figure><img src="/files/a9LsdyYLRbfetYGODicx" alt=""><figcaption><p>IPsec-Higio</p></figcaption></figure>

<figure><img src="/files/ww1bDqJKzZRi9SwMCvot" alt=""><figcaption><p>IPsec-Local-Subnet</p></figcaption></figure>

**Step 2:** Create two firewall rules (Edge gateway firewall) for the IPsec tunnel:

* HI GIO to Local (remote site)
* Local (remote site) to HI GIO

<figure><img src="/files/ty2y2hDLttKNuDd4iWam" alt=""><figcaption></figcaption></figure>

If the **Distributed firewall** is in use, you also need to create firewall rules there to allow the VPN's traffic (remote site to HI GIO).

Please also set the firewall rules for VPN traffic on the remote routers.

**VALIDATE:** Tunnel statistics show the tunnel is UP with traffic.

<figure><img src="/files/BPsyoEMl6dqedgQTbrsM" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}
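The rules from tabs II and III (mirrored endpoint IPs and subnets, an identical pre-shared key, a remote ID matching the peer certificate's SAN or DN, and a security profile identical to the remote site's) can be checked before the tunnel is brought up. The following is an added example, not HI GIO's own code; the dict keys and the sample addresses are assumptions, not HI GIO field names.

```python
# Added example, not HI GIO's code; dict keys are assumptions, not HI GIO field names.
from ipaddress import ip_address, ip_network


def _dn_parts(dn):
    # "C=US, ST=Massachusetts, O=VMware" -> set of normalised "ATTR=VALUE" items
    return {p.strip().upper() for p in dn.split(",") if p.strip()}


def _nets(values):
    return {ip_network(n) for n in values}


def remote_id_matches(remote_id, cert):
    """Remote ID must equal a SAN of the peer certificate if it has any, else its DN."""
    if cert.get("san"):
        return remote_id in cert["san"]
    return _dn_parts(remote_id) == _dn_parts(cert.get("subject", ""))


def check_tunnel(a, b):
    """Return the mismatches between side A (HI GIO) and side B (remote site)."""
    problems = []
    # Public endpoint IPs must be mirrored: A's remote is B's local and vice versa.
    if ip_address(a["remote_ip"]) != ip_address(b["local_ip"]):
        problems.append("A.remote_ip != B.local_ip")
    if ip_address(b["remote_ip"]) != ip_address(a["local_ip"]):
        problems.append("B.remote_ip != A.local_ip")
    # The protected subnets must be mirrored as well.
    if _nets(a["remote_networks"]) != _nets(b["local_networks"]):
        problems.append("A.remote_networks != B.local_networks")
    if _nets(b["remote_networks"]) != _nets(a["local_networks"]):
        problems.append("B.remote_networks != A.local_networks")
    # Same authentication mode; a pre-shared key must be identical on both ends.
    if a["auth"] != b["auth"]:
        problems.append("authentication mode differs")
    elif a["auth"] == "psk" and a["psk"] != b["psk"]:
        problems.append("pre-shared key differs")
    elif a["auth"] == "certificate" and not remote_id_matches(a["remote_id"], b["certificate"]):
        problems.append("A.remote_id does not match B's certificate")
    # Security profile (IKE/IPsec settings) must match key by key.
    for key in sorted(set(a["security_profile"]) | set(b["security_profile"])):
        if a["security_profile"].get(key) != b["security_profile"].get(key):
            problems.append(f"security_profile.{key} differs")
    return problems


# Constructed sample: HI GIO side and an office router whose DH group was left different.
HIGIO = {"local_ip": "203.0.113.10", "local_networks": ["10.10.0.0/24"],
         "remote_ip": "198.51.100.20", "remote_networks": ["192.168.1.0/24"],
         "auth": "psk", "psk": "s3cret", "security_profile": {"ike": "IKEv2", "dh_group": 14}}
OFFICE = {"local_ip": "198.51.100.20", "local_networks": ["192.168.1.0/24"],
          "remote_ip": "203.0.113.10", "remote_networks": ["10.10.0.0/24"],
          "auth": "psk", "psk": "s3cret", "security_profile": {"ike": "IKEv2", "dh_group": 2}}
```

Running `check_tunnel(HIGIO, OFFICE)` on the sample reports only the differing DH group, which is exactly the kind of mismatch that leaves the IKE service status Down in step 13.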
