Overview
VPN as a Service (VPNaaS) provides IPsec-based site-to-site tunnel connectivity, enabling secure communication between your Xloud private cloud and remote data centers, branch offices, or other cloud environments. VPNaaS is available with XPCI deployments.
Prerequisites
- Active project with member role or higher
- At least one router with an external gateway configured
- Remote site VPN endpoint details (peer IP, subnets, pre-shared key)
- VPNaaS enabled by your administrator (enable_neutron_vpnaas: "yes")
Key Concepts
| Concept | Description |
|---|---|
| IKE Policy | Defines the Internet Key Exchange parameters used during Phase 1 negotiation — authentication algorithm, encryption algorithm, IKE version (v1 or v2), and key lifetime |
| IPsec Policy | Defines the Phase 2 parameters for the data channel — encryption algorithm, authentication algorithm, encapsulation mode (tunnel or transport), and Perfect Forward Secrecy (PFS) group |
| VPN Service | Associates a VPN with a specific router and subnet in your project |
| Endpoint Group | Defines the local or remote subnets that participate in the VPN tunnel |
| IPsec Site Connection | Combines the IKE policy, IPsec policy, VPN service, and endpoint groups into an active tunnel to a remote peer |
Supported Algorithms
IKE Policy
| Parameter | Supported Values | Default |
|---|---|---|
| IKE Version | v1, v2 | v1 |
| Authentication Algorithm | sha1, sha256, sha384, sha512 | sha1 |
| Encryption Algorithm | aes-128, aes-192, aes-256, 3des | aes-128 |
| Phase 1 Negotiation Mode | main | main |
| Lifetime | 60 to 86400 seconds | 3600 |
| PFS Group | group2, group5, group14 | group5 |
Create a VPN Connection
The steps below use the Dashboard.
Create an IKE Policy
Navigate to Project > Network > VPN > IKE Policies and click Add IKE Policy.
| Field | Value |
|---|---|
| Name | A descriptive name (e.g., ike-aes256-sha256) |
| IKE Version | v2 |
| Encryption Algorithm | aes-256 |
| Authentication Algorithm | sha256 |
| PFS Group | group14 |
| Lifetime | 3600 |
Create an IPsec Policy
Navigate to Project > Network > VPN > IPsec Policies and click Add IPsec Policy.
| Field | Value |
|---|---|
| Name | A descriptive name (e.g., ipsec-aes256-sha256) |
| Transform Protocol | esp |
| Encryption Algorithm | aes-256 |
| Authentication Algorithm | sha256 |
| Encapsulation Mode | tunnel |
| PFS Group | group14 |
Create a VPN Service
Navigate to Project > Network > VPN > VPN Services and click Add VPN Service.
| Field | Value |
|---|---|
| Name | A descriptive name (e.g., vpn-to-branch-office) |
| Router | Select the router with an external gateway |
| Subnet | Select the local subnet to expose through the tunnel |
Create Endpoint Groups
Navigate to Project > Network > VPN > Endpoint Groups and create two endpoint groups.
Local Endpoint Group:
| Field | Value |
|---|---|
| Name | local-subnets |
| Type | subnet |
| Endpoints | Select your local project subnet(s) |
Remote Endpoint Group:
| Field | Value |
|---|---|
| Name | remote-subnets |
| Type | cidr |
| Endpoints | Enter the remote subnet CIDRs (e.g., 192.168.1.0/24) |
Create the IPsec Site Connection
Navigate to Project > Network > VPN > IPsec Site Connections and click Add IPsec Site Connection.
| Field | Value |
|---|---|
| Name | connection-to-branch |
| VPN Service | Select the VPN service created above |
| IKE Policy | Select the IKE policy created above |
| IPsec Policy | Select the IPsec policy created above |
| Local Endpoint Group | local-subnets |
| Peer Endpoint Group | remote-subnets |
| Peer Gateway IP | Public IP of the remote VPN device |
| Peer ID | Remote peer identifier (typically the peer gateway IP) |
| Pre-Shared Key | Shared secret agreed upon with the remote site |
Click Create to establish the tunnel.
The connection appears in the list with status Active once both sides negotiate successfully.
Validation
Confirm the VPN tunnel is established and operational. In the Dashboard, navigate to Project > Network > VPN > IPsec Site Connections. The connection status should display Active.
| Status | Meaning |
|---|---|
| Active | Tunnel is established and passing traffic |
| Down | Tunnel negotiation failed or peer is unreachable |
| Pending Create | Connection is being provisioned |
| Error | Configuration error; review IKE/IPsec parameters |
Expected result: the connection status is Active and the tunnel is operational.
Troubleshooting
Connection stuck in DOWN status
Cause: The remote peer is unreachable or IKE/IPsec parameters do not match.
Resolution:
- Verify the peer gateway IP is reachable from the router’s external network
- Confirm that IKE version, encryption, authentication, and PFS settings match on both sides
- Check that the pre-shared key is identical on both endpoints
- Verify security group rules allow UDP ports 500 and 4500 (IKE/NAT-T) and IP protocol 50 (ESP)
Tunnel established but no traffic flows
Cause: Endpoint group CIDRs do not match between the local and remote configurations.
Resolution:
- Verify the local endpoint group subnets match what the remote side expects as “remote” subnets
- Verify the remote endpoint group CIDRs match the actual subnets behind the remote peer
- Check routing tables on both sides to ensure traffic is directed through the tunnel
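As an added example (not Xloud's or neutron-vpnaas's own code), the following Python script performs the pre-flight checks behind both troubleshooting entries above: it diffs the IKE/IPsec parameters each side intends to use, flags the weak defaults from the Supported Algorithms table, and verifies that the local and remote endpoint groups mirror each other. The policy dictionaries and CIDRs are constructed sample input, and the key names are assumed to mirror the Neutron VPNaaS attribute names.

```python
import ipaddress

# Defaults from the Supported Algorithms table that are weak by today's
# standards; the walkthrough above overrides all of them.
WEAK_DEFAULTS = {
    "ike_version": {"v1"},
    "auth_algorithm": {"sha1"},
    "encryption_algorithm": {"3des", "aes-128"},
    "pfs": {"group2", "group5"},
}

# Phase 1 / Phase 2 parameters that must be identical on both peers; a
# mismatch here is the usual reason a connection sits in DOWN.
MUST_MATCH = ("ike_version", "auth_algorithm", "encryption_algorithm", "pfs",
              "encapsulation_mode", "transform_protocol")

def parameter_mismatches(local, remote):
    """Return {param: (local_value, remote_value)} for every differing param."""
    return {k: (local.get(k), remote.get(k))
            for k in MUST_MATCH if local.get(k) != remote.get(k)}

def weak_settings(policy):
    """Return the parameters of a policy that still carry a weak default."""
    return sorted(k for k, bad in WEAK_DEFAULTS.items() if policy.get(k) in bad)

def _networks(cidrs):
    # strict=False so a host address such as 10.0.0.5/24 normalises to 10.0.0.0/24
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def endpoint_mismatches(local_cidrs, remote_cidrs, peer_local, peer_remote):
    """Endpoint-group symmetry: our local set must equal what the peer calls
    remote, and our remote set must equal what the peer calls local.  Any
    leftover CIDR explains a tunnel that is Active but carries no traffic."""
    return {
        "local_not_known_to_peer": sorted(map(str, _networks(local_cidrs) - _networks(peer_remote))),
        "remote_not_advertised_by_peer": sorted(map(str, _networks(remote_cidrs) - _networks(peer_local))),
    }

if __name__ == "__main__":
    # Constructed sample: our side follows the walkthrough, the remote site kept the PFS default.
    ours = {"ike_version": "v2", "auth_algorithm": "sha256", "encryption_algorithm": "aes-256",
            "pfs": "group14", "encapsulation_mode": "tunnel", "transform_protocol": "esp"}
    theirs = dict(ours, pfs="group5")
    print(parameter_mismatches(ours, theirs), weak_settings(theirs))
    print(endpoint_mismatches(["10.0.0.0/24", "10.0.1.0/24"], ["192.168.1.0/24"],
                              ["192.168.1.0/24"], ["10.0.0.0/24"]))
```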
Next Steps
- Security Groups: Configure firewall rules to control traffic flow through the VPN tunnel
- Routers: Manage the routers that anchor your VPN services
- Network Topology: Visualize your network layout including VPN connections
- Key Manager: Store and manage VPN pre-shared keys and certificates securely