Tips for setting up a VPN Tunnel to your Acquia Cloud servers

    See more
    • Updated

    VPN Installation Instructions

    Each VPN connection has two tunnels. One tunnel is used as primary and the other is used as failover. The failover is used for high availability (HA) purposes when the primary goes down for maintenance. Both tunnels will send traffic to the customer gateway provided to Acquia. Acquia cannot remove the tunnels. If another gateway or tunnel is required, Acquia can create a second VPN connection, which will have two additional tunnels.

    Each tunnel will have its own separate settings. Both tunnels will have the same Customer Endpoint External Address because they are linked to a single customer gateway.

    Customer Endpoint

    External Address: The public IP address of the customer gateway provided to Acquia. This IP address will be same for both tunnels.

    Internal Address: Link-local IP addresses that form the internal VPC transit net, which allow the endpoints to communicate with each other without the risk of an IP address collision between the customer and Acquia networks.

    Acquia Endpoint

    External Address: The public IP address of the tunnel endpoint at Acquia’s end. The IP address will be different for each tunnel.

    Internal Address: Link-local IP addresses that form the internal VPC transit net, which allow the endpoints to communicate with each other without the risk of an IP address collision between the customer and Acquia networks.

    IKE Security Configuration

    The following are the default settings. Some of the settings are adjustable on the customer end of the connection. Acquia’s side will mirror the customer settings, which cannot be modified from the Acquia end of the connection. The following is a list of IKE configurations that Acquia supports.

    Authentication Protocol: SHA-1 (default), SHA-2 (256), SHA2 (384), SHA2 (512)

    Encryption Protocol: AES-128 (default), AES-258

    Lifetime: 900 - 28,800 (default)

    DH Group: Groups 2 (default), 14-24

    Mode: main

    Pre-Shared Key: Random. Acquia can customize or change if needed.

    IPSEC Security Configuration

    The following are the default settings. Some of the settings are adjustable on the customer end of the connection. Acquia’s side will mirror the customer settings, which cannot be modified from the Acquia end of the connection. The following is a list of IPSEC configurations that Acquia supports.

    Protocol: esp

    Authentication Protocol: SHA-1 (default), SHA-2 (256), SHA2 (384), SHA2 (512)

    Encryption Protocol: AES-128 (default), AES-258

    Lifetime: 900-3600 (default)

    DH Group: Groups 2 (default), 5, 14-24

    Mode: tunnel

    Clear DF Bit: true 

    Frag. before Enc.: true 

    TCP MSS Adjustment: 1379

    Dead Peer Retries: 3

    Dead Peer Interval (m): 10

    Issue 

    I am having trouble setting up my VPN connection and the tunnels are failing to establish. 

    Resolution

    Tips to ensure your VPN tunnel is setup correctly:

    • Acquia's gateway is not the initiator of the connection: The VPN tunnel is established when traffic is generated from your side of the VPN connection. Acquia's gateway is not the initiator of the connection, your gateway must initiate the tunnels. 
    • Do not use any proxy or other intermediary IP or firewall to establish the tunnel. The Acquia tunnel endpoints allow traffic ONLY from the Customer Gateway IP. Acquia is unable to use another connection other than the CGW IP to set up the tunnel.
    • Use a network monitoring tool to generate keepalive pings. If the VPN tunnel experiences a period of idle time (~10 seconds, depending on the configuration), the tunnel may go down. To prevent this, We recommend using a network monitoring tool to generate keepalive pings. 
    • You will find two tunnels connected to Acquia: Each VPN connection consists of two separate tunnels, with each tunnel having its own public endpoint IP address. Acquia cannot remove either of these tunnels. One is intended to be used as a primary, and the other as a backup incase the primary becomes unavailable. This is expected behavior. 
    • Set a primary tunnel on your connection. Having two tunnels up at the same time can potentially cause asymmetric routing. If you are having VPN issues with both tunnels up, specify one tunnel as the primary by setting a preferred route.
    • What IP Range will I see?: Interesting traffic that originates from Acquia’s side of the tunnel will come from the IP range that matches your Acquia Shield VPC (for example, 172.16.32.0/20). When traffic is decrypted from one side of the tunnel, the source IP will be the private IP of the original sender.
    • Enable PFS. Ensure that Perfect Forward Secrecy (PFS) is enabled.
    • Recommended networking equipment list. See the list of networking equipment given to you previously. If you don’t have this list, reach out to your Account Manager. 

     

    Please review this image if you have any questions about the topology of a VPN tunnel to your Acquia Cloud servers. 

    AWS VPN Tunnel example diagram

    Are you connected to Acquia Cloud, but it doesn't appear to be working? See our troubleshooting guide here: My VPN Tunnel is connected to Acquia Cloud, but is not working

    Acquia Products

    Topics

    Related articles