VPN Tunnels and Sites

The VPN service allows the definition of one or more VPN tunnels per device.

Each site-to-site tunnel is an IPsec tunnel with 256-bit encryption and can reach many remote sites or locations. Typically the tunnel runs over the interface facing the public internet, but any combination of interfaces can be used.

The VPN service has the following attributes:

| Attribute | Values | Data Requirements | Notes |
|---|---|---|---|
| Configure before launch | No | | |
| Configure at launch | No | | Requires at least one active connection; connections are not provisioned at startup of the device. |
| Configure during lifecycle | Yes | | On the Additional Services tab of the device details. |
| Optional or Required | Optional | | |
| Remote Site: VPN Name | Required | Minimum 3 and maximum 50 characters; most characters accepted. | The informal name given to the overall configuration and solution for a VPN tunnel; it appears in inventory. |
| Remote Site: Site Name | Required | Between 2 and 10 characters, alphanumeric only. Will appear in the configuration of the device. | |
| Remote Site: Pre-shared Key | Required | Alphanumeric only; no special characters or spaces. | |
| Remote Site: Remote Peer IP Address | Required | Must be a public IPv4 address and part of the same subnet as the remote IP address. | Users should provide a public address; if none is available, they can purchase an IP block from Equinix. |
| Equinix VNF: Local ASN | Required | Numeric; 2- or 4-byte, public or private. | Restrictions apply to some reserved or pre-reserved ASNs. |
| Equinix VNF: Tunnel IP Address | Required | Must be a private IPv4 address in the same subnet as the tunnel remote IP address. | |
| Equinix VNF: Remote Peer ASN | Required | Numeric; 2- or 4-byte, public or private. | Restrictions apply to some reserved or pre-reserved ASNs. |
| Equinix VNF: Remote Peer IP Address | Required | Must be a private IPv4 address in the same subnet as the local IP address. | |
| Equinix VNF: Authentication Key | Required | Letters and numerals only; cannot begin with a number. | |
| Device | UUID; Required | Alphanumeric | On the portal, the device UUID is taken from the device the user is currently viewing. |
| How many tunnels per device | 10 | | |
| Provisioning State | NA | One of: provisioning, provisioned or failed | Not user-defined. |
| Required same on secondary? | Yes* | | *An equivalent VPN tunnel is required on the secondary when HA is active. The VPN settings can differ, as the secondary tunnel might point back to a different site. |

Users can add up to 10 separate site-to-site VPN tunnels. A public IP address is required for each site. The user is responsible for providing these addresses, although a block can be purchased separately from the Network Edge portal. When configuring or changing an existing VPN tunnel, the system pushes the configuration in two stages, so each stage can be worked on and edited separately:

  1. Details about the remote site or location
  2. Details about the peering between the tunnel and the cloud or other provider of choice

Once you have entered the VPN details, the configuration is pushed to the device immediately. If it's a change or a delete, there could be a service impact to current traffic over those tunnels.

The BGP session on the tunnel operates in the same way as the BGP sessions on individual connections, including the states and transitions. However, the tunnel's BGP session is independent of those connection sessions, and a failure of it should not be confused with larger failures of the device or its connections.

When adding VPN tunnels to an HA pair, the system will enforce two VPNs (one on primary and one on secondary) to the same remote site.
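The field rules in the attribute table, the 10-tunnel cap and the HA pairing rule above are the kind of constraints worth checking in automation before a configuration is pushed, since changes take effect immediately and can affect live traffic. The following Python validator is an added example, not Equinix code: `TunnelSpec`, `DeviceVpnConfig`, the field names and the sample values are assumptions that mirror the table; the reserved-ASN set is a placeholder for the platform's unpublished restricted list; and the requirement that the public peer address share a subnet with "the remote IP address" is not checked, because the page does not identify which address that is.

```python
"""Validator for the site-to-site VPN tunnel rules in the attribute table above.
Added example, not Equinix code: TunnelSpec, DeviceVpnConfig and their field names
are assumptions mirroring the table; tunnel addresses are expected in CIDR form."""
import ipaddress
import re
import uuid
from dataclasses import dataclass, field
from typing import List

MAX_TUNNELS_PER_DEVICE = 10                          # "How many tunnels per device: 10"
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9]{2,10}$")    # 2-10 alphanumeric characters
PSK_RE = re.compile(r"^[A-Za-z0-9]+$")               # no spaces or special characters
AUTH_KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # letters/numerals, not starting with a digit
# Well-known reserved ASNs (RFC 7607, 6793, 7300); placeholder for the platform's own restricted list.
RESERVED_ASNS = {0, 23456, 65535, 4294967295}
# Never a usable public peer. RFC 5737 documentation ranges are left out so the sample counts as public.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

@dataclass
class TunnelSpec:
    vpn_name: str               # Remote Site: VPN Name
    site_name: str              # Remote Site: Site Name
    pre_shared_key: str         # Remote Site: Pre-shared Key
    remote_peer_public_ip: str  # Remote Site: Remote Peer IP Address
    local_asn: int              # Equinix VNF: Local ASN
    tunnel_ip: str              # Equinix VNF: Tunnel IP Address (CIDR)
    remote_peer_asn: int        # Equinix VNF: Remote Peer ASN
    remote_peer_tunnel_ip: str  # Equinix VNF: Remote Peer IP Address (CIDR)
    auth_key: str               # Equinix VNF: Authentication Key

@dataclass
class DeviceVpnConfig:
    device_uuid: str
    ha_active: bool
    primary: List[TunnelSpec]
    secondary: List[TunnelSpec] = field(default_factory=list)

def asn_ok(asn: int) -> bool:
    """2-byte or 4-byte ASN, public or private, excluding known reservations."""
    return 1 <= asn <= 0xFFFFFFFF and asn not in RESERVED_ASNS

def validate_tunnel(t: TunnelSpec) -> List[str]:
    """Return every table rule the tunnel breaks; an empty list means it passes."""
    rules = [
        (3 <= len(t.vpn_name) <= 50, "vpn_name must be 3-50 characters"),
        (SITE_NAME_RE.match(t.site_name), "site_name must be 2-10 alphanumeric characters"),
        (PSK_RE.match(t.pre_shared_key), "pre_shared_key must be alphanumeric only"),
        (AUTH_KEY_RE.match(t.auth_key), "auth_key: letters/numerals only, not starting with a number"),
        (asn_ok(t.local_asn), "local_asn must be an unreserved 2- or 4-byte ASN"),
        (asn_ok(t.remote_peer_asn), "remote_peer_asn must be an unreserved 2- or 4-byte ASN"),
    ]
    errors = [msg for ok, msg in rules if not ok]
    try:
        peer = ipaddress.ip_address(t.remote_peer_public_ip)
        if peer.version != 4 or any(peer in n for n in NON_PUBLIC_V4):
            errors.append("remote_peer_public_ip must be a public IPv4 address")
    except ValueError:
        errors.append("remote_peer_public_ip is not a valid IP address")
    try:
        local = ipaddress.ip_interface(t.tunnel_ip)
        remote = ipaddress.ip_interface(t.remote_peer_tunnel_ip)
        if local.version != 4 or remote.version != 4:
            errors.append("tunnel addresses must be IPv4")
        elif not (local.ip.is_private and remote.ip.is_private):
            errors.append("tunnel addresses must be private")
        elif local.network != remote.network:   # same-subnet rule needs the prefix length
            errors.append("tunnel_ip and remote_peer_tunnel_ip must share one subnet")
    except ValueError:
        errors.append("tunnel addresses must be IPv4 in CIDR form, e.g. 10.200.0.1/30")
    return errors

def validate_device(cfg: DeviceVpnConfig) -> List[str]:
    """Device-level rules: UUID format, the 10-tunnel cap and the HA pairing rule."""
    errors = []
    try:
        uuid.UUID(cfg.device_uuid)
    except ValueError:
        errors.append("device_uuid is not a valid UUID")
    for label, tunnels in (("primary", cfg.primary), ("secondary", cfg.secondary)):
        if len(tunnels) > MAX_TUNNELS_PER_DEVICE:
            errors.append(f"{label}: more than {MAX_TUNNELS_PER_DEVICE} tunnels on one device")
        for t in tunnels:
            errors.extend(f"{label}/{t.vpn_name}: {e}" for e in validate_tunnel(t))
    if cfg.ha_active:
        # Each remote site reached from primary needs a tunnel on secondary too; the other
        # settings may differ (it may point at a different peer), so only the site name is compared.
        missing = {t.site_name for t in cfg.primary} - {t.site_name for t in cfg.secondary}
        errors.extend(f"HA: site {s} has no tunnel on secondary" for s in sorted(missing))
    return errors

def sample_tunnel(**overrides) -> TunnelSpec:
    """A constructed valid tunnel (not from any real deployment); overrides break single rules."""
    base = dict(vpn_name="lon01-to-network-edge", site_name="LON01",
                pre_shared_key="k7Xq2mP9vTb4", remote_peer_public_ip="203.0.113.10",
                local_asn=65001, tunnel_ip="10.200.0.1/30", remote_peer_asn=4200000001,
                remote_peer_tunnel_ip="10.200.0.2/30", auth_key="bgpAuth42")
    base.update(overrides)
    return TunnelSpec(**base)

if __name__ == "__main__":
    print(validate_tunnel(sample_tunnel()))                                   # []
    print(validate_tunnel(sample_tunnel(auth_key="1abc", local_asn=23456)))   # two violations
    print(validate_device(DeviceVpnConfig(str(uuid.uuid4()), True, [sample_tunnel()])))  # one HA violation
```

Running the validator on a candidate configuration before submitting it through the portal or API turns a failed provisioning state (and a possible traffic impact on an existing tunnel) into a pre-flight error message; the HA check in `validate_device` mirrors the enforcement described above by comparing only the site name, since the page allows the secondary tunnel's other settings to differ.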