# IPSec VPN

## <mark style="color:green;">**Overview**</mark> <a href="#overview" id="overview"></a>

IPsec VPN offers site-to-site connectivity between HI GIO and remote sites that use third-party hardware routers or VPN gateways supporting IPSec.

On HI GIO, you can create VPN tunnels between:

* Organization virtual data center networks in the same organization
* Organization virtual data center networks in different organizations
* An organization virtual data center network and an external network

## <mark style="color:green;">**Procedure**</mark> <a href="#procedure" id="procedure"></a>

{% tabs %}
{% tab title="I. Prepare VPN’s parameters" %}
Fulfill [IPSec parameters](https://docs.higiocloud.vn/network/2.-vpn/ipsec-parameters).
{% endtab %}

{% tab title="II. Create IPSec VPN" %}
**Step 1:** In the top navigation bar, click **Networking** and click the **Edge Gateways** tab.

**Step 2:** Click the **edge gateway**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FYTsVcTNjS7XYJHYEcfpB%2Fimage.png?alt=media&#x26;token=706a4a49-6341-4d82-8305-4577c2213866" alt=""><figcaption></figcaption></figure>

**Step 3:** Under **Services**, click **IPSec VPN**.

**Step 4:** To configure an IPSec VPN tunnel, click **New**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FqLwjlGGvxU41kZz9tK5W%2Fimage.png?alt=media&#x26;token=552c6d4c-5df3-4911-aaac-3f5db5ca6a78" alt=""><figcaption></figcaption></figure>

**Step 5:** Enter a **Name** and a *description* (optional) for the IPSec VPN tunnel.

**Step 6:** To enable the tunnel upon creation, toggle on the **Status** option.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FSnm9GRTl8APEcBsfQpiO%2Fimage.png?alt=media&#x26;token=f4d7b2b1-f168-4f3f-a356-0b5087b493f5" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Leave the **Security Profile** as Default for now; it is configured after the VPN tunnel has been created (see tab III).
{% endhint %}

**Step 7:** Click **NEXT** to select Authentication mode.

**Step 8:** Select a peer authentication mode and click **NEXT**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2Fvr4kiOR1lWnPh3mVojBy%2Fimage.png?alt=media&#x26;token=a8a8d8f9-7f29-42cc-bac5-7ffb7458ea72" alt=""><figcaption></figcaption></figure>

**HI GIO supports two options for Authentication Mode:**

| **Option**         | **Description**                                                                                                 |
| ------------------ | --------------------------------------------------------------------------------------------------------------- |
| **Pre-Shared Key** | Choose a pre-shared key to enter. The pre-shared key must be the same on the other end of the IPSec VPN tunnel. |
| **Certificate**    | Select site and CA certificates to be used for authentication.                                                  |

**Step 9:** On the *Endpoint Configuration* window, enter the parameters you prepared (see [IPSec parameters](https://higio-support.atlassian.net/wiki/spaces/v2/pages/40206337) in the preparation step):

*<mark style="color:blue;">**IP address \[Local Endpoint]:** Enter the public IP of HI GIO.</mark>*

*<mark style="color:blue;">**Networks \[Local Endpoint]:** Enter at least one local IP subnet (a HI GIO network) that will use the IPSec VPN tunnel.</mark>*

*<mark style="color:blue;">**IP address \[Remote Endpoint]:** Enter the public IP of the remote site (e.g. the office's public IP).</mark>*

*<mark style="color:blue;">**Networks \[Remote Endpoint]:** Enter at least one remote IP subnet (e.g. the office's network) that will use the IPSec VPN tunnel.</mark>*

**Step 10:** Enter the **remote ID** (optional) for the peer site.

{% hint style="warning" %}
Applies when **Certificate** is selected as the authentication mode:
{% endhint %}

The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware, OU=VCD, CN=Edge1.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FoNSy231xWdBnHhmZF0Mr%2Fimage.png?alt=media&#x26;token=e67c1bb1-33fb-4642-b520-1ce7c0f714a5" alt=""><figcaption></figcaption></figure>

**Step 11:** Click **Next**.

**Step 12:** Review your settings and click **Finish**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FkWPwVp2y7W1fEG13ckhQ%2Fimage.png?alt=media&#x26;token=85261d17-3e45-48bf-8f80-8c820e95d138" alt=""><figcaption></figcaption></figure>

The newly created IPSec VPN tunnel is listed in the **IPSec VPN** view. The IPSec VPN tunnel is created with a default security profile.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FnSvdA8TF2U6BZB3EwGPW%2Fimage.png?alt=media&#x26;token=ba697221-56fc-4e40-93fc-5f1739fcb4fb" alt=""><figcaption></figcaption></figure>

**Step 13:** To verify that the tunnel is functioning, select it and click **View Statistics**.

If the tunnel is functioning, **Tunnel Status** and **IKE Service Status** both display **Up**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2F4F4Q2Sb4U3tYfUWM0uig%2Fimage.png?alt=media&#x26;token=c4ac164b-0478-4385-b336-4fa0398413b7" alt=""><figcaption></figcaption></figure>

{% endtab %}

{% tab title="III. Configure the Security Profile of the IPSec VPN Tunnel" %}
Once the IPSec VPN tunnel has been created, you can change its IPSec configuration through the **security profile**; the settings must match those of the remote site.

**Step 1:** In the top navigation bar, click **Networking** and click the **Edge Gateways** tab.

**Step 2:** Click the **edge gateway**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2Fw5BXBu6PrfVG0Kt2whZy%2Fimage.png?alt=media&#x26;token=ed7cd81b-c3ca-4232-bcc3-b0b12091d3c5" alt=""><figcaption></figcaption></figure>

**Step 3:** Under **Services**, click **IPSec VPN**.

**Step 4:** Select the IPSec VPN tunnel and click **Security Profile Customization**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FYykGQO2mdNvs3k0QIFKj%2Fimage.png?alt=media&#x26;token=5328538f-1038-4916-afec-e77524b7d663" alt=""><figcaption></figcaption></figure>

**Step 5:** Change the VPN tunnel settings to the values you prepared ([IPSec parameters](https://higio-support.atlassian.net/wiki/spaces/v2/pages/40206337)).

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FBThtZLs9sFuo4anKL4sT%2Fimage.png?alt=media&#x26;token=9d8167f9-1fc4-44e4-8277-6e480091d7ce" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Remember that the security settings must match the remote site's security settings.
{% endhint %}
{% endtab %}

{% tab title="IV. Set up firewall rules for the VPN tunnel" %}
**Step 1:** Prepare an IP set for the firewall rules (a dynamic or static group can also be used). [More detail](https://docs.higiocloud.vn/network/1.-working-with-network/using-edge-gateway-firewall)

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FM1WXbnRr67gY4SPAc9Pv%2Fimage.png?alt=media&#x26;token=e0e5024c-7090-4ba1-b18f-da9d6aaa86e9" alt=""><figcaption></figcaption></figure>

**IP set detail:**

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FmTBgVGr3FIPDyRbB2NxR%2Fimage.png?alt=media&#x26;token=5e7834cf-a45f-4c35-87ef-b2fb7b89837c" alt=""><figcaption><p>IPsec-Higio</p></figcaption></figure>

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FF306256q0M3HeK9teY4W%2Fimage.png?alt=media&#x26;token=0f1b8419-2b2a-4da7-9740-2182dcef009f" alt=""><figcaption><p>IPsec-Local-Subnet</p></figcaption></figure>

**Step 2:** Create two firewall rules (Edge gateway firewall) for the IPsec tunnel, one per direction:

* HI GIO to Local (remote site)
* Local (remote site) to HI GIO

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FVxHSLX87MIkoSDditGFA%2Fimage.png?alt=media&#x26;token=7dd110ac-ba6c-4a6c-a2e0-c44d80628d12" alt=""><figcaption></figcaption></figure>

If the **Distributed firewall** is in use, you must also create firewall rules there to allow the VPN traffic (remote site to HI GIO).

{% hint style="warning" %}
Also configure firewall rules for the VPN traffic on the remote site's routers.
{% endhint %}

**VALIDATE: Tunnel statistics show the tunnel is UP with traffic**

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FRyLGFxdRLm2RWBckIpSM%2Fimage.png?alt=media&#x26;token=6bf2901d-0a72-4e23-a0bf-3aea755dc3f1" alt=""><figcaption></figcaption></figure>
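A pre-flight check for the endpoint values entered in Step 9 of tab II and the two firewall rules of this tab, as an added example that is not HI GIO's or VMware's code. The function and parameter names, the list of non-public ranges and the sample addresses are assumptions made here; only the IP-set names come from the figures above.

```python
import ipaddress

# Ranges an operator might type by mistake instead of a public endpoint IP
# (RFC 1918, CGNAT, loopback, link-local); documentation ranges are not listed.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def check_endpoints(local_ip, local_networks, remote_ip, remote_networks):
    """Validate the Step 9 values (Local = HI GIO, Remote = peer site); empty list = consistent."""
    problems = []
    for side, ip in (("Local", local_ip), ("Remote", remote_ip)):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NON_PUBLIC):
            problems.append(f"{side} endpoint {ip} is not a public IP")
    if local_ip == remote_ip:
        problems.append("Local and Remote endpoints are the same address")

    def parse(nets, side):
        parsed = []
        for n in nets:
            try:  # strict=True rejects host bits, e.g. 10.3.0.5/24
                parsed.append(ipaddress.ip_network(n, strict=True))
            except ValueError:
                problems.append(f"{side} network {n} is not a valid subnet")
        if not parsed:
            problems.append(f"{side} endpoint needs at least one network")
        return parsed

    local, remote = parse(local_networks, "Local"), parse(remote_networks, "Remote")
    for l in local:
        for r in remote:  # overlapping subnets cannot be routed into the tunnel
            if l.overlaps(r):
                problems.append(f"Local network {l} overlaps Remote network {r}")
    return problems

def firewall_rules(higio_set="IPsec-Higio", site_set="IPsec-Local-Subnet"):
    """The two edge-gateway Allow rules of tab IV, one per direction, keyed on the IP-set names."""
    return [
        {"name": "HI GIO to Local", "source": higio_set, "destination": site_set, "action": "Allow"},
        {"name": "Local to HI GIO", "source": site_set, "destination": higio_set, "action": "Allow"},
    ]

if __name__ == "__main__":
    # Constructed sample: a private peer IP, an overlapping subnet and a bad prefix
    for p in check_endpoints("203.0.113.10", ["10.1.0.0/24"],
                             "192.168.1.1", ["10.1.0.128/25", "10.3.0.5/24"]):
        print("problem:", p)
    for rule in firewall_rules():
        print(rule)
```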
{% endtab %}
{% endtabs %}
