Tutorial: Configure a Generic IPsec Tunnel From Your Private Network to CloudConnexa
Learn how to configure an IPsec tunnel between your private network and CloudConnexa, including authentication (PSK or certificates), advanced settings, and connectivity verification.
This tutorial walks you through setting up an IPsec tunnel between your private network and CloudConnexa using an IPsec-compatible router or VPN service.
To complete this setup, you'll configure:
A Network in CloudConnexa to represent your private network.
A Network Connector configured for IPsec.
Tunnel parameters such as:
Authentication (pre-shared key or certificate)
Encryption and IKE settings
Routing configuration
Your IPsec-compatible router or VPN service using the provided configuration details.
After setup is complete, users and networks connected to CloudConnexa can securely access resources in your private network.
Before you begin
Ensure you have a CloudConnexa account and Cloud ID.
Ensure your network device supports IPsec (IKEv1 or IKEv2).
Ensure you have access to your network router or VPN gateway configuration.
Step 1: Create a Network in CloudConnexa
Navigate to Networks → Networks.
Click Add Network.
Select at least one Network Scenario. Refer to these tutorials for details:
Click Continue.
For the Network Configuration, enter a name and description (optional).
Select IPsec as the Connector Tunneling Protocol.
For the Connector, enter a name and description (optional).
Click Next.
Step 2: Configure the Network Connector
In the Configure Network Connector step, configure the IPsec Network Connector:
Configure the platform: In Platform to Connect, select the device or platform.
Our example uses Public Cloud Providers (IAAS): Other.
Enter connection details: In Remote Site Public IPv4 Address, enter the public IP address of your router or VPN gateway.
Configure authentication:
Option 1: Shared Secret — Enter the pre-shared key (PSK), hostname, and domain for the IPsec Network Connector.
Tip
CloudConnexa doesn't generate a PSK. You need to create and configure the same key on both CloudConnexa and your network device. Use only alphanumeric characters, as some characters aren't supported.
Example (Linux/macOS):
openssl rand -hex 32
Option 2: Certificate-based — Upload the required files and provide a passphrase.
Tip
Ensure the certificates and private key:
Are in a supported format (for example, PEM).
Match each other (the private key corresponds to the uploaded certificate).
Are trusted by both peers (the correct CA certificate is provided).
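The three checks in the tip above can be run locally before uploading. This is an added example, not part of the original tutorial or of CloudConnexa tooling; the file names, function names and throwaway test CA are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not CloudConnexa tooling. File and function names are hypothetical.

# check_bundle CERT KEY CA [PASSIN]
# Returns 0 = ok, 1 = not PEM or unreadable, 2 = key does not match the certificate,
# 3 = certificate does not verify against the CA.
# PASSIN uses openssl's -passin syntax (for example file:/path/to/passphrase).
check_bundle() {
    cert=$1 key=$2 ca=$3 passin=${4:-pass:}
    # 1. Format: both certificates must be PEM-armoured and parse cleanly.
    for f in "$cert" "$ca"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
        openssl x509 -in "$f" -noout 2>/dev/null || return 1
    done
    # 2. Match: the public key in the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    # 3. Trust: the certificate must verify against the CA certificate given to both peers.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

# Constructed sample input: a throwaway CA, a gateway certificate signed by it,
# and an unrelated self-signed pair used as the "wrong key" and "wrong CA".
make_constructed_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-gateway" \
        -keyout "$d/gw.key" -out "$d/gw.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/gw.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/gw.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_constructed_bundle "$tmp"
check_bundle "$tmp/gw.pem" "$tmp/gw.key" "$tmp/ca.pem" && echo "bundle ok"
check_bundle "$tmp/gw.pem" "$tmp/other.key" "$tmp/ca.pem" || echo "rejected, code $?"
```

For a passphrase-protected key, pass the passphrase source as the fourth argument so the check stays non-interactive.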
(Optional) Configure advanced settings: Expand Advanced Configuration to customize IPsec parameters:
IKE Version: Select the version: IKEv1 or IKEv2.
Tip
If using IKEv2 and only GCM encryption algorithms (AES-128-GCM-16 and/or AES-256-GCM-16), the integrity algorithm and a DH group are optional in phase 2.
For non-GCM encryption algorithms, an integrity algorithm and a DH group are required. The default values are applied automatically.
Phase 1 settings:
| Setting | Description |
| --- | --- |
| Encryption Algorithm | Select one or more supported encryption algorithms. |
| Integrity Algorithm | Select a supported integrity algorithm. |
| Diffie-Hellman Group | Select a DH group supported by your device. |
| Lifetime (sec) | Enter a value between 901 and 86400. |
Phase 2 settings:
| Setting | Description |
| --- | --- |
| Encryption Algorithm | Select one or more supported encryption algorithms. |
| Integrity Algorithm | Select a supported integrity algorithm. |
| Diffie-Hellman Group | Select a DH group supported by your device. |
| Lifetime (sec) | Enter a value between 900 and 28800. |
IKE rekey settings:
| Setting | Description |
| --- | --- |
| Rekey Margin Time (sec) | Value between 60 and half of Phase 2 lifetime. |
| Rekey Fuzz (%) | Value between 0 and 100. |
| Replay Window Size (packets) | Value between 64 and 2048. |
Connection behavior:
| Setting | Description |
| --- | --- |
| Startup Action | Defines how the tunnel is initiated. |
| CloudConnexa Connection Restoration | Controls whether the tunnel automatically reconnects if interrupted. Defaults to Yes when Startup Action = Start. Automatically set to No when Startup Action = Attach and can't be changed. |
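A planned parameter set can be checked against the ranges and the GCM rule from the advanced settings above before it is entered on either side. This is an added example, not CloudConnexa tooling: the function names are hypothetical, and `earliest_rekey` assumes strongSwan-style margin and fuzz semantics, which the tutorial does not confirm.

```shell
#!/bin/sh
# Added example, not CloudConnexa tooling. Ranges are the ones this tutorial states;
# function names are hypothetical and all numeric arguments are assumed to be integers.
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# Succeeds when every algorithm in a comma-separated list is a GCM one.
is_gcm_only() {
    [ -n "$1" ] || return 1
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        case $alg in *GCM*) ;; *) return 1 ;; esac
    done
    return 0
}

# check_tunnel IKE P2_ENC P2_INTEGRITY P2_DH P1_LIFE P2_LIFE MARGIN FUZZ REPLAY
# Prints one line per violated rule; the return value is the number of violations.
check_tunnel() {
    ike=$1 enc=$2 integ=$3 dh=$4 p1=$5 p2=$6 margin=$7 fuzz=$8 replay=$9 bad=0
    fail() { echo "check: $1"; bad=$((bad + 1)); }
    in_range "$p1" 901 86400 || fail "phase 1 lifetime $p1 not in 901-86400"
    in_range "$p2" 900 28800 || fail "phase 2 lifetime $p2 not in 900-28800"
    in_range "$margin" 60 $((p2 / 2)) || fail "rekey margin $margin not in 60-$((p2 / 2))"
    in_range "$fuzz" 0 100 || fail "rekey fuzz $fuzz not in 0-100"
    in_range "$replay" 64 2048 || fail "replay window $replay not in 64-2048"
    # Phase 2 integrity and DH are optional only for IKEv2 with GCM-only encryption;
    # otherwise CloudConnexa applies defaults, and the peer must be set to the same values.
    if [ -z "$integ" ] || [ -z "$dh" ]; then
        { [ "$ike" = IKEv2 ] && is_gcm_only "$enc"; } ||
            fail "phase 2 integrity and DH group are required for $ike with $enc"
    fi
    return "$bad"
}

# ASSUMPTION: strongSwan-style semantics (rekey starts margin + random(0..margin*fuzz%)
# seconds before expiry). The tutorial does not say how CloudConnexa applies these values.
earliest_rekey() { echo $(( $1 - $2 - $2 * $3 / 100 )); }

# Constructed values: GCM-only IKEv2 proposal, 1 h phase 2 lifetime, 9 min margin.
check_tunnel IKEv2 AES-256-GCM-16 "" "" 28800 3600 540 100 64 && echo "parameters ok"
echo "earliest phase 2 rekey: $(earliest_rekey 3600 540 100)s after the SA is established"
```

Under the stated assumption, the largest margin the tutorial allows (half the Phase 2 lifetime) combined with 100% fuzz gives an earliest rekey of 0 seconds, so keep the margin well below that limit when fuzz is high.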
Step 3: Review remote tunnel configuration
CloudConnexa provides configuration details required for your network router.
Locate the Remote Tunnel Configuration section.
Note the values provided for:
Firewall configuration.
IPsec tunnel parameters.
Connection initiation and restoration parameters.
Static routes.
DNS settings.
Keep this information available for configuring your router.
Step 4: Configure your network router
Use the values from the Remote Tunnel Configuration section to configure your IPsec device.
Step 5: Verify connectivity
After configuring both sides of the tunnel, verify that the connection is established.
In the Verify Connectivity section, click Test Connection.
CloudConnexa attempts to establish a connection to your remote network.
Check the connection status:
Connected — The tunnel is successfully established.
Offline — The connection failed or hasn't been established yet.
Tip
If the connection status is Offline:
Click View Logs to review connection details.
Verify the following:
PSK or certificates match on both sides.
IPsec parameters (encryption, DH group, lifetimes) are aligned.
Firewall rules allow IPsec traffic.
The correct public IP address is configured.
Step 6: Complete the setup
Click Finish to complete the Network configuration.
Confirm that:
The Network is created.
The Connector shows a Connected status.