Create an IPsec tunnel and share

Frontdoor V2 feature

IPsec tunnels and shares are available on Frontdoor V2 to customers who have IPsec shares enabled. Contact your account manager to request access.

Learn how to connect a remote site over IPsec and publish a service to it. You first create an IPsec tunnel (the VPN ingress point), wait for it to deploy, hand the generated configuration to the remote site, and then create one or more IPsec shares on the tunnel. For conceptual info, see IPsec shares.

An IPsec tunnel has two ends that must use matching settings to connect. NetFoundry provisions and configures its end for you; you then download a generated configuration and give it to whoever manages the remote site's IPsec device — a firewall, router, or VPN gateway — so they can configure theirs. That configuration includes a pre-shared key, so deliver it over a secure channel and treat the key like a password.

Prerequisites

Before you start, make sure you have:

  • The remote site's public IPv4 address and the peer CIDRs behind its IPsec device.
  • An online agent connected to the environment that can reach the share's target.

Part 1: Create the IPsec tunnel

  1. From the Frontdoor console, click IPsec Tunnels in the left-hand menu.

  2. Click the + icon to create a new tunnel.

  3. Fill in the tunnel fields:

    • Name: Enter a recognizable name for the tunnel (for example, customer-a-dc1).
    • Peer Public IP: Enter the public IPv4 address of the remote site's IPsec device.
    • Peer CIDR: Enter the internal subnet behind the remote device (for example, 172.31.0.0/16).
  4. Click Save.

    The tunnel provisions asynchronously, so it isn't ready immediately: its Deployment Status shows a pending state first, then Deployed once the cloud infrastructure is up. This can take roughly 10–20 minutes, so wait for Deployed before continuing.

  5. Once the tunnel is Deployed, open the tunnel's Sample Config, download the generated VPN configuration, and deliver it to the remote site over a secure channel.

Part 2: Create an IPsec share on the tunnel

  1. From the Frontdoor console, click Shares in the left-hand menu, then select the IPsec Shares tab.

  2. Click the + icon to create a new share.

  3. Fill in the share fields:

    • Name: Enter a name for the share. Use letters, numbers, and hyphens; don't start or end with a hyphen.
    • Hosting Frontdoor agent: Select the online agent that can reach the target.
    • IPsec Tunnel: Select the tunnel you created in Part 1.
    • Target: Enter the target address and port of the service to publish (for example, 172.31.10.5:3306).
    • Ingress port: Enter the port on the tunnel that the remote site connects to for this share.
  4. Click Save.

    You're returned to the IPsec Shares tab, where the share's ingress address appears under the Access column once it's deployed. It may take a few minutes for the share to become active.
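The console validates these fields when you click Save, but a mistyped peer address or CIDR is only discovered after the 10–20 minute tunnel deploy, and a bad share target only once the remote site tries to connect. The script below is an added example, not NetFoundry code, that pre-checks the Part 1 and Part 2 field values against the rules this page states before you enter them. Everything beyond those rules is an assumption and is labelled as such in the comments: the non-public address ranges rejected for Peer Public IP, and the check that two shares on one tunnel do not reuse an ingress port. The tunnel statuses and in-use ports passed to check_share are constructed inputs mirroring what the console displays; nothing here talks to the Frontdoor API.

```python
"""Pre-flight checks for the tunnel (Part 1) and share (Part 2) fields.

Added example, not NetFoundry's code. It encodes the field rules stated on
this page plus a few labelled assumptions, so a typo is caught before the
tunnel deploy rather than after it.
"""
import ipaddress
import re

# Share name rule from the page: letters, numbers and hyphens only, and the
# name must not start or end with a hyphen.
SHARE_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Assumption: the page asks for the remote device's *public* IPv4 address,
# so RFC 1918 private, shared-address (CGNAT), loopback, link-local,
# "this network" and multicast ranges are treated as mistakes.
NON_PUBLIC_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def check_tunnel(name: str, peer_public_ip: str, peer_cidr: str) -> list[str]:
    """Return problems found in the Part 1 tunnel fields (empty list = OK)."""
    problems: list[str] = []
    if not name.strip():
        problems.append("name: must not be empty")
    try:
        ip = ipaddress.IPv4Address(peer_public_ip)
        if any(ip in net for net in NON_PUBLIC_V4):
            problems.append(f"peer_public_ip: {peer_public_ip} is not a public address")
    except ValueError:
        problems.append(f"peer_public_ip: {peer_public_ip!r} is not a valid IPv4 address")
    try:
        # strict=True rejects host bits inside the prefix (172.31.0.1/16),
        # which usually means a host address was pasted instead of a subnet.
        ipaddress.IPv4Network(peer_cidr, strict=True)
    except ValueError:
        problems.append(f"peer_cidr: {peer_cidr!r} is not a valid IPv4 CIDR (check host bits)")
    return problems


def parse_target(target: str) -> tuple[str, int]:
    """Split a 'host:port' target; raises ValueError if either part is bad."""
    host, sep, port_text = target.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"target {target!r} must be host:port")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"target port {port} is outside 1-65535")
    return host, port


def check_share(
    name: str,
    tunnel: str,
    target: str,
    ingress_port: int,
    tunnel_status: dict[str, str],
    ingress_ports_in_use: dict[str, set[int]],
) -> list[str]:
    """Return problems found in the Part 2 share fields (empty list = OK).

    tunnel_status maps tunnel name -> Deployment Status as shown in the
    console; ingress_ports_in_use maps tunnel name -> ingress ports already
    taken by existing shares. Both are built by the caller for this check.
    """
    problems: list[str] = []
    if not SHARE_NAME_RE.match(name):
        problems.append(f"name: {name!r} may use only letters, numbers and hyphens, "
                        "and must not start or end with a hyphen")
    # The page says to wait for Deployed before creating shares on the tunnel.
    if tunnel_status.get(tunnel) != "Deployed":
        problems.append(f"tunnel: {tunnel!r} is not Deployed "
                        f"(status: {tunnel_status.get(tunnel)})")
    try:
        parse_target(target)
    except ValueError as exc:
        problems.append(str(exc))
    if not 1 <= ingress_port <= 65535:
        problems.append(f"ingress_port: {ingress_port} is outside 1-65535")
    # Assumption: each share on a tunnel needs its own ingress port, since the
    # remote site tells shares apart by the port it connects to.
    elif ingress_port in ingress_ports_in_use.get(tunnel, set()):
        problems.append(f"ingress_port: {ingress_port} is already used by "
                        f"another share on {tunnel!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values mirroring the page's examples.
    print(check_tunnel("customer-a-dc1", "203.0.113.10", "172.31.0.0/16"))
    print(check_share("db-share", "customer-a-dc1", "172.31.10.5:3306", 13306,
                      {"customer-a-dc1": "Deployed"}, {"customer-a-dc1": {13305}}))
```

Run it with your intended values before clicking Save in either part; an empty list means the fields pass every check. The name regex is the page's stated rule written out, so if NetFoundry tightens or loosens the rule the console remains the authority.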