The goal of this tutorial is to set up a VPN connection between your corporate network and one of your Virtual Private Clouds (VPCs) in the OUTSCALE Cloud.

In this tutorial, you learn how to:

Create the Required Resources 

Before you begin: Create a VPC to connect to your corporate network. For more information, see Creating a VPC.


  1. Create a customer gateway. For more information, see Creating a Customer Gateway.

  2. Create a virtual private gateway. For more information, see Creating a Virtual Private Gateway.

  3. Attach the virtual private gateway to the VPC. For more information, see Attaching a Virtual Private Gateway.

  4. Create a VPN connection. For more information, see Creating a VPN Connection.

    Remember to download the XML file returned after VPN creation. This file contains example configuration information that is useful for configuring the VPN tunnel, as mentioned in the Configure the VPN Tunnel section below.


Configure the Resources to Allow Traffic 

Allow Access

  1. In the firewall of your corporate network:
    • Open ports 500 and 4500 for the UDP protocol.
    • Add a route pointing to the VPC.

  2. In the VPC, add rules to the security groups associated with the instances allowing outbound and inbound flows to and from your corporate network. For more information, see Adding Rules to a Security Group.

Configure the Routing 

  1. If you want routes to be automatically created, enable route propagation in the VPC to the route table. For more information, see Enabling Route Propagation.

  2. If you do not enable route propagation, create a route in the route table, using:
    • The CIDR of your corporate network as destination
    • The ID of the virtual private gateway as target
    For more information, see Creating a Route.

  3. (static routing only) Create a route associated with the VPN connection, using:

    • The CIDR of your corporate network as destination
    • The ID of the virtual private gateway as target

    For more information, see Creating a VPN Connection Route.

    With dynamic routing and the Border Gateway Protocol (BGP), these routes are automatically created and updated. For more information, see About Routing Configuration for VPN Connections.

Configure the VPN Tunnel

You need to configure the VPN tunnel according to the following specifications. The exact procedure depends on the VPN software that you use.

The IKEv1 and IKEv2 protocols are both supported. We recommend IKEv2.

For phase 1 proposals, the following options are supported:

  • 128-bit AES-CBC encryption, with SHA1 HMAC or SHA2_256_128 HMAC authentication, and PFS 2 or 14.
  • 256-bit AES-CBC encryption, with SHA2_256_128 HMAC authentication, and PFS 2, 14 or 16.

For phase 2 proposals, the same options are supported:

  • 128-bit AES-CBC encryption, with SHA1 HMAC or SHA2_256_128 HMAC authentication, and PFS 2 or 14.
  • 256-bit AES-CBC encryption, with SHA2_256_128 HMAC authentication, and PFS 2, 14 or 16.

Dead peer detection (DPD) must be enabled, with the following settings:

  • Delay or interval 30 seconds
  • Timeout 90 seconds / 3 retries

As policy-based VPN is not supported, a virtual tunnel interface (VTI) must be used, with the following settings:

  • Traffic selectors: 0.0.0.0/0 on both ends
  • IP: as defined in the tunnel inside addresses in the XML file provided by the API or Cockpit
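
The specifications above can be checked mechanically before a configuration is applied to your VPN device. The following Python lint is an added example, not OUTSCALE code; the `Tunnel` structure, its field names and the sample values are assumptions made for the illustration. It catches combinations that are easy to miss in the lists, such as SHA1 with 256-bit AES or PFS 16 with 128-bit AES.

```python
# Added example (not OUTSCALE code): lint a planned tunnel against this page's specs.
from dataclasses import dataclass

# AES-CBC key bits -> (allowed HMACs, allowed PFS groups); same table for phases 1 and 2.
SUPPORTED = {128: ({"sha1", "sha2_256_128"}, {2, 14}),
             256: ({"sha2_256_128"}, {2, 14, 16})}
ANY = ("0.0.0.0/0", "0.0.0.0/0")  # required traffic selectors (local, remote)

@dataclass
class Tunnel:  # hypothetical structure, not an OUTSCALE API object
    ike_version: int
    phase1: tuple  # (AES-CBC key bits, HMAC name, PFS group)
    phase2: tuple  # same layout as phase1
    dpd: tuple  # (delay in seconds, timeout in seconds), or None when DPD is off
    uses_vti: bool  # False means a policy-based VPN
    selectors: tuple  # (local, remote) traffic selectors

def check_proposal(phase, proposal):
    """Return the reasons a proposal falls outside the supported options."""
    bits, hmac, group = proposal
    if bits not in SUPPORTED:
        return [f"{phase}: {bits}-bit AES-CBC is not in the supported list"]
    hmacs, groups = SUPPORTED[bits]
    errs = []
    if hmac not in hmacs:
        errs.append(f"{phase}: {hmac} is not allowed with {bits}-bit AES-CBC")
    if group not in groups:
        errs.append(f"{phase}: PFS {group} is not allowed with {bits}-bit AES-CBC")
    return errs

def check_tunnel(t):
    """Return every deviation from the tunnel specifications; [] means compliant."""
    errs = [] if t.ike_version in (1, 2) else [f"IKEv{t.ike_version} is not supported"]
    errs += check_proposal("phase 1", t.phase1) + check_proposal("phase 2", t.phase2)
    if t.dpd is None:
        errs.append("DPD must be enabled")
    elif t.dpd != (30, 90):
        errs.append("DPD must use a 30 s delay and a 90 s timeout")
    if not t.uses_vti:
        errs.append("policy-based VPN is not supported; use a VTI")
    if t.selectors != ANY:
        errs.append("traffic selectors must be 0.0.0.0/0 on both ends")
    return errs

# Constructed sample inputs: one compliant tunnel, one with five deviations.
GOOD = Tunnel(2, (256, "sha2_256_128", 16), (256, "sha2_256_128", 14), (30, 90), True, ANY)
BAD = Tunnel(2, (256, "sha1", 14), (128, "sha1", 16), (10, 30), False, ("10.0.0.0/16", "192.168.0.0/24"))
for name, tunnel in (("GOOD", GOOD), ("BAD", BAD)):
    print(name, check_tunnel(tunnel) or "compliant")
```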