What are the security best practices for implementing an IPsec tunnel?
To deploy a VPN, we recommend that you closely follow the documentation: Tutorial: Setting up a VPN Connection.
During the configuration of the VPN tunnel, in particular, you need to correctly configure the values of dead peer detection (DPD). In some cases, a timeout is set due to low traffic on a VPN tunnel and the connection may be cut. We can recommend a lifetime of 86400 seconds for phase 1 and 3600 seconds for phase 2.
Do virtual private gateways use a specific range of IPs?
Yes, there is a specific range for virtual private gateways. When creating a virtual private gateway, our TINA OS orchestrator allocates a public IP. There is only one public IP per virtual private gateway.
How do I authorize the IP of the virtual private gateway?
We do not recommend authorizing all OUTSCALE IPs: it is preferable to explicitly authorize the source IP that performs the authentication and encryption negotiations for the VPN implementation.
If you use the OUTSCALE API actions CreateVpnConnection and ReadVpnConnections (or the FCU actions CreateVpnConnection and DescribeVpnConnections), this IP also called "tunnel outside address" of the virtual private gateway is shown in the result of the action, in the
ClientGatewayConfiguration element (or, for FCU, the
If you use Cockpit, this IP is shown in the details of the VPN connections user interface page.
Is there an SSL VPN feature or its IPsec equivalent (IPsec Mobile Client VPN), for accessing the machines inside the VPC without going through my corporate infrastructure?
Our VPN service provides only an IPsec tunnel with IKEv1/IKEv2 encryption protocol. As the service does not support policy routing (policy-based VPN), you must configure a virtual tunnel interface (VTI).
A VTI is a virtual interface linked to the VPN itself, and works practically like a normal interface. The advantage is that you can manage the routing with your usual tools (static routes, BGP). In the VTI configuration, you must set the phase 2 selectors to 0.0.0.0/0 (local network) and 0.0.0.0/0 (remote network).
For more information, see Tutorial: Setting up a VPN Connection > Configure the VPN Tunnel.
The OUTSCALE VPN service does not incur significant costs. It amounts to around 22 euros for a 720 hours/month use.
Can I deploy my own VPN service on the OUTSCALE IaaS?
Yes, you can mount your own VPN service on a virtual machine of the OUTSCALE Cloud. See an example of deployment recipe with an IPSEC/L2TP server.
When and how can I contact the support for a VPN issue?
After configuring the VPN and all associated elements, deploying, and routing, if you encounter difficulties, you can open a ticket with the OUTSCALE support. Our team will be able to analyze the logs in detail.
To do so, please follow the support request procedure. Make sure you indicate your router model as well as the IDs of all the resources that you have deployed for the VPN.