A GIO-US VPC (Site-to-Site VPN) connection connects your office network to our cloud service. GIO-US VPC supports Internet Protocol security (IPsec) VPN connections. Data transferred between your office and our cloud routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit.
GIO-US VPC is designed to provide a simple, easy and secure user experience. It is not designed for complex network tasks or large-scale IT environments. We have other network services for those requirements. Please contact our help desk for more details.
VPC Site-to-Site VPN Parameters
VPC default values are based on NSA-recommended practices for IPsec VPNs.

| Item | Param options | VPC default value |
|---|---|---|
| PH1 Key Exchange | ike v1 and v2 | ike v2 |
| PH1 Encryption | AES128, AES192, AES256, AES128GCM, AES192GCM, AES256GCM, 3DES | AES256 |
| PH1 Hash | SHA1, SHA256, SHA384, SHA512, AES128GMAC, AES192GMAC, AES256GMAC, MD5 | SHA384 |
| PH1 Pseudo-random function (PRF) | Fixed (same as PH1 hash) | SHA384 |
| PH1 DH Group | 1, 2, 4, 5, 14-24 | 16 |
| Lifetime (Sec) | 30-86400 | 28800 |
| DPD | Enable | Enable |
| | | |
| PH2 Encryption | AES128, AES192, AES256, AES128GCM, AES192GCM, AES256GCM, 3DES | AES256 |
| PH2 Hash | SHA1, SHA256, SHA384, SHA512, AES128GMAC, AES192GMAC, AES256GMAC, MD5 | SHA384 |
| PH2 PFS Group | 1, 2, 4, 5, 14-24 | 16 |
| Lifetime (Sec) | 30-86400 | 3600 |

General Parameters

| Item | Parameter Option (default value) | Memo |
|---|---|---|
| Pre Shared Key | Length: 8-128. Allowed characters: 0-9a-zA-Z!#$%&()*+,-./:;<=>@[]^_`{\|}~ | |
| MSS (VTI tunnel) | 500-1460 (1394) | TCP maximum segment size in bytes. |
| MTU (VTI tunnel) | 68-9000 (1436) | Maximum Transmission Unit |

FAQ
Q: What gateway devices can I use to connect to GIO-US VPC?
A. You can create GIO-US Site-to-Site VPN connections (route-based VPN or policy-based VPN).
Customer devices must be able to:
- Establish IKE (v1/v2) Security Associations using Pre-Shared Keys (PSK)
- Establish IPsec Security Associations in Tunnel mode
- Support AES (128 / 192 / 256) / AES-GCM (128 / 192 / 256) / 3DES encryption
- Support SHA1 / SHA-2 (256 / 384 / 512) / AES-GMAC (128 / 192 / 256) / MD5 hashing
- Support Diffie-Hellman (DH) groups (1, 2, 4, 5, 14-24)
- Create logical interfaces (route-based VPN)
- Utilize IPsec Dead Peer Detection (DPD)

Dynamic-route VPN (BGP, OSPF, etc.) is not supported.
If you prefer a policy-based VPN, please ask us about the IIJA managed VPN service or consider our professional services.
Q: What is the approximate maximum throughput of a Site-to-Site VPN connection?
A. Approximately up to 1.5 Gbps (RTT = 1 ms) through the IPsec tunnel.
(Tested environment: aes256gcm, dh14, sha256 for both ph1 & ph2)
VPN throughput may vary depending on the customer device, internet circuits and latency.
Q: Is tunnel routing split mode or non-split mode?
A. Split tunneling mode.
Q: What is the maximum number of VPN tunnels per VPC?
A. 10 tunnels per VPC.
Q: Can I modify tunnel MTU and MSS size?
A. Yes.
Q: Which ports should be opened on the customer gateway device?
A. Protocol ESP and TCP-UDP (500, 4500) on the WAN interface.
List of devices tested
This list is provided on a best-effort basis. While these devices have been tested in the GIO-US environment, testing is limited. You might need to contact the specific vendor for additional support.

| Vendor | Type | Result | Memo |
|---|---|---|---|
| VyOS | Version 1.3 | OK | |
| Cisco | ASAv | OK | |
| Cisco | Meraki | OK | |
| Fortinet | Fortigate | OK | |
| pfSense | | OK | |

VPN parameter compatibility
This is a summary of the VPN parameters supported by each vendor.
Parameter options by vendor (as of June 2022)

| Item | Cisco | Fortigate | AWS | Azure |
|---|---|---|---|---|
| PH1 Key Exchange | ike v1/v2 | ike v1/v2 | ike v1/v2 | ike v1/v2 |
| PH1 Encryption | AES128, AES192, AES256, AES128GCM, AES192GCM, AES256GCM | AES128, AES192, AES256, 3DES, DES, AES256GCM, AES128GCM | AES128, AES256, AES128-GCM-16, AES256-GCM-16 | AES128, AES192, AES256, 3DES, DES |
| PH1 Hash | SHA1, SHA256, SHA384, SHA512 | SHA1, MD5, SHA384, SHA512 | SHA1, SHA2-256, SHA2-384, SHA2-512 | SHA1, MD5, SHA384, SHA256 |
| PH1 DH Group | 1, 14, 19-24 | 1, 2, 5, 14-21, 27-31 | 2, 14-24 | 1, 2, 14, 19, 20, 24 |
| | | | | |
| PH2 Encryption | AES128, AES192, AES256, AES128GCM, AES192GCM, AES256GCM | AES128, AES192, AES256, 3DES, DES, AES128GCM, AES256GCM | AES128, AES256, AES128-GCM-16, AES256-GCM-16 | AES128, AES192, AES256, 3DES, DES, AES128GCM, AES192GCM, AES256GCM |
| PH2 Hash | SHA1, SHA256, SHA384, SHA512 | SHA1, MD5, SHA384, SHA512 | SHA1, SHA2-256, SHA2-384, SHA2-512 | SHA1, MD5, GCMAES256, GCMAES192, GCMAES128, SHA256 |
| PH2 PFS Group | 1, 14, 19-24 | 1, 2, 5, 14-21, 27-31 | 2, 5, 14-24 | 1, 2, 14, 19, 20, 24 |
| | | | | |
| Pre Shared Key | 8 to 128 | 16 to 128 | 8 to 64 | 1 to 128 |

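
Added example (not part of the original page or of any GIO-US tooling): a Python sketch that intersects the DH group and Pre Shared Key rows of the tables above, showing which DH groups a vendor device and the VPC have in common, whether the device lists the VPC default group 16, and which PSK lengths both sides accept. The legacy-group policy and all function names are assumptions of this example.

```python
# Values transcribed from the tables on this page (vendor rows as of June 2022).
VPC_DH = "1, 2, 4, 5, 14-24"
VPC_DEFAULT_DH = 16
VPC_PSK_LEN = (8, 128)
VENDOR_DH = {          # "PH1 DH Group" row
    "Cisco": "1,14,19-24",
    "Fortigate": "1,2,5, 14-21, 27-31",
    "AWS": "2, 14-24",
    "Azure": "1,2,14,19,20,24",
}
VENDOR_PSK_LEN = {     # "Pre Shared Key" row
    "Cisco": (8, 128), "Fortigate": (16, 128), "AWS": (8, 64), "Azure": (1, 128),
}
# Example policy, an assumption of this sketch and not stated on the page:
# skip groups below 14 and groups 22-24 (RFC 8247 marks 1, 2, 5 and 22-24
# as MUST NOT or SHOULD NOT; group 4 is excluded here as well).
LEGACY_DH = {1, 2, 4, 5, 22, 23, 24}


def parse_groups(spec):
    """Expand a table cell such as '1,2,5, 14-21' into a set of ints."""
    groups = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            groups.update(range(int(lo), int(hi or lo) + 1))
    return groups


def negotiable_groups(vendor):
    """Non-legacy DH groups that both the VPC and the vendor list."""
    common = parse_groups(VPC_DH) & parse_groups(VENDOR_DH[vendor])
    return sorted(common - LEGACY_DH)


def accepts_vpc_default(vendor):
    """True if the vendor's list contains the VPC default DH group (16)."""
    return VPC_DEFAULT_DH in parse_groups(VENDOR_DH[vendor])


def psk_length_window(vendor):
    """(min, max) PSK length valid on both the VPC and the vendor side."""
    lo, hi = VENDOR_PSK_LEN[vendor]
    return max(lo, VPC_PSK_LEN[0]), min(hi, VPC_PSK_LEN[1])


if __name__ == "__main__":
    for v in VENDOR_DH:
        print(v, negotiable_groups(v), accepts_vpc_default(v), psk_length_window(v))
```

Where a vendor does not list group 16, the VPC-side DH/PFS group has to be changed from the default to one of the common groups before the tunnel can negotiate.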