Using IPsec with MCR
The IPsec add-on for MCR lets you create secure, encrypted tunnels from branch offices, remote sites, or cloud environments without deploying a physical Port. Extend your network with built-in encryption for public or private paths, from wherever you are.
You can enable IPsec when you create the MCR, or enable it on an existing MCR by editing the configuration. To add IPsec details, edit the MCR VXC and configure the IPsec tunnel as required.
You can configure up to 10 IPsec tunnels across all the VXCs connected to one MCR.
Supported ciphers
The MCR will offer the following ciphers to IPsec peers. At this time the options are not configurable.
Encryption
- AES128-GCM-128
- AES256-GCM-128
Integrity
- HMAC SHA-1
- HMAC SHA-256
- HMAC SHA-384
- HMAC SHA-512
Key Exchange (Diffie-Hellman group)
- MODP
  - Diffie-Hellman Group 2 (1024-bit)
  - Diffie-Hellman Group 14 (2048-bit)
- ECP
  - Diffie-Hellman Group 19 (256-bit random)
  - Diffie-Hellman Group 20 (384-bit random)
  - Diffie-Hellman Group 21 (521-bit random)
IP MTU settings
IPsec packets include overhead due to encryption and encapsulation. We recommend that you configure your IP Maximum Transmission Unit (MTU) carefully to suit your network. The maximum value depends on the negotiated ciphers.
IP MTU (Maximum Transmission Unit) refers to the largest size (in bytes) of an IP packet that can be sent over a network interface (VXC). Jumbo packets are larger than the standard 1500 bytes (MTU), and are typically used in high-performance networks to reduce overhead and improve efficiency.
If you do not configure the IP MTU setting, the MCR will use the following default values:
- 96 bytes less than the parent interface IP MTU for IPv4
- 116 bytes less than the parent interface IP MTU for IPv6
These values allow for ciphers that have the largest overhead.
Enabling and configuring IPsec on an MCR
Enabling IPsec on an MCR
To enable IPsec when you are creating an MCR, click + Add IPsec on the Connection Details page. For more information, see Creating an MCR.
You configure the IPsec connection details on the MCR VXC, as described below.
Configuring IPsec on an MCR
Prerequisites
To configure IPsec for an MCR connection, you will need:
- A configured interface – For each VXC connected to an MCR, you can configure one or more interfaces. The IPsec tunnel details depend on an IP address being configured on the Interface tab. Each MCR VXC has one interface by default, but you can add more. For more information, see the A-End interface section of Creating an MCR VXC.
- Pre-shared key – This is a value that you provide. It is used as part of establishing the tunnel on both ends.
  - The length must be between 8 and 100 characters.
  - This is a required field.
- Destination IP Address – The IP address of the destination endpoint in IPv4 or IPv6 format. For example, 192.168.1.2.
To configure IPsec on the MCR VXC
- Create your connection, such as a cloud or private VXC. For more information, see Creating an MCR VXC.
- Wait for the connection to be live, then click the gear icon next to the VXC to edit the details.
- Click Next or click A-End on the header.
- Add a description to the Interface presented on the page, if required. This is the default interface.
- Click + Add IPsec Tunnel Interface.
- Add the IPsec tunnel details:
  - Description – Add a description for your reference.
  - Source IP Address – Click the box and select from the drop-down list. This is a list of interface IP addresses defined on this VXC.
  - Destination IP Address – Add the destination IP address.
  - Pre-shared key – Add a key that is common to both the IKEv2 (Internet Key Exchange version 2) initiator and responder. The length must be between 8 and 100 characters.
  - Start Action – Select either active or passive. Passive indicates that the local MCR is an IPsec responder waiting for the remote peer to perform IKEv2 initiation.
  - Phase 1 Lifetime – Enter a value between 300 and 604800 seconds. This is the lifetime of the IKEv2 session in seconds. The default value is 28800 seconds (8 hours). When it expires, rekeying will occur.
  - Phase 2 Lifetime – Enter a value between 300 and 604800 seconds. This is the lifetime in seconds of the IPsec Security Association (SA). The value must be less than the Phase 1 Lifetime (phase1Lifetime). The default value is 3600 seconds (1 hour). When it expires, rekeying will occur.
- Scroll down the page and click Save.
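The limits stated on this page (10 tunnels per MCR, an 8 to 100 character pre-shared key, lifetimes of 300 to 604800 seconds with Phase 2 shorter than Phase 1, and the default 96/116-byte IP MTU reductions) are easy to get wrong when a tunnel plan is prepared by hand. The following added example, which is not Megaport code and does not use the Megaport API, checks a tunnel plan against those limits before anything is entered in the portal, and also checks that the remote peer's proposal intersects the cipher list the MCR offers. The `TunnelPlan` field names, the `peer_*` fields describing what the remote device is configured to propose, and the policy that treats HMAC SHA-1 and Diffie-Hellman Group 2 (1024-bit MODP) as algorithms to avoid are assumptions for this example, not settings on the page:

```python
"""Pre-flight checks for an MCR IPsec tunnel plan (added example, not Megaport code).

Encodes the limits from the documentation plus an assumed local policy that
prefers the stronger end of the offered cipher list. Field names are
hypothetical and do not correspond to the Megaport API.
"""
import ipaddress
from dataclasses import dataclass

MAX_TUNNELS_PER_MCR = 10                 # across all VXCs connected to one MCR
PSK_MIN_LEN, PSK_MAX_LEN = 8, 100
LIFETIME_MIN, LIFETIME_MAX = 300, 604800
DEFAULT_PHASE1, DEFAULT_PHASE2 = 28800, 3600
MTU_OVERHEAD = {4: 96, 6: 116}           # default reduction below the parent interface IP MTU

# Ciphers the MCR offers to peers (not configurable on the MCR side).
OFFERED_ENCRYPTION = {"AES128-GCM-128", "AES256-GCM-128"}
OFFERED_INTEGRITY = {"HMAC SHA-1", "HMAC SHA-256", "HMAC SHA-384", "HMAC SHA-512"}
OFFERED_DH_GROUPS = {2, 14, 19, 20, 21}

# Assumed local policy (example only): steer the peer away from SHA-1 and 1024-bit MODP.
WEAK_INTEGRITY = {"HMAC SHA-1"}
WEAK_DH_GROUPS = {2}


def default_tunnel_mtu(parent_mtu: int, ip_version: int) -> int:
    """IP MTU the MCR applies to a tunnel when no IP MTU is configured."""
    return parent_mtu - MTU_OVERHEAD[ip_version]


@dataclass
class TunnelPlan:
    description: str
    source_ip: str                           # must be an interface IP defined on this VXC
    destination_ip: str
    psk: str
    start_action: str = "active"             # "active" (initiator) or "passive" (responder)
    phase1_lifetime: int = DEFAULT_PHASE1    # IKEv2 session lifetime, seconds
    phase2_lifetime: int = DEFAULT_PHASE2    # IPsec SA lifetime, seconds
    peer_encryption: str = "AES256-GCM-128"  # hypothetical: what the remote peer proposes
    peer_integrity: str = "HMAC SHA-256"
    peer_dh_group: int = 14


def validate_tunnel(t: TunnelPlan, interface_ips: set[str]) -> list[str]:
    """Return the list of problems found (empty when the plan satisfies the stated limits)."""
    p: list[str] = []
    d = t.description
    if t.source_ip not in interface_ips:
        p.append(f"{d}: source {t.source_ip} is not an interface IP on this VXC")
    try:
        ipaddress.ip_address(t.destination_ip)
    except ValueError:
        p.append(f"{d}: destination {t.destination_ip!r} is not a valid IPv4/IPv6 address")
    if not PSK_MIN_LEN <= len(t.psk) <= PSK_MAX_LEN:
        p.append(f"{d}: pre-shared key must be {PSK_MIN_LEN}-{PSK_MAX_LEN} characters")
    if t.start_action not in ("active", "passive"):
        p.append(f"{d}: start action must be 'active' or 'passive'")
    for name, value in (("Phase 1", t.phase1_lifetime), ("Phase 2", t.phase2_lifetime)):
        if not LIFETIME_MIN <= value <= LIFETIME_MAX:
            p.append(f"{d}: {name} lifetime {value}s is outside {LIFETIME_MIN}-{LIFETIME_MAX}s")
    if t.phase2_lifetime >= t.phase1_lifetime:
        p.append(f"{d}: Phase 2 lifetime must be less than Phase 1 lifetime")
    # The peer's proposal must intersect what the MCR offers, or IKE negotiation fails.
    if t.peer_encryption not in OFFERED_ENCRYPTION:
        p.append(f"{d}: peer encryption {t.peer_encryption} is not offered by the MCR")
    if t.peer_integrity not in OFFERED_INTEGRITY:
        p.append(f"{d}: peer integrity {t.peer_integrity} is not offered by the MCR")
    if t.peer_dh_group not in OFFERED_DH_GROUPS:
        p.append(f"{d}: peer DH group {t.peer_dh_group} is not offered by the MCR")
    # Local policy: among the offered algorithms, prefer the stronger ones.
    if t.peer_integrity in WEAK_INTEGRITY:
        p.append(f"{d}: policy: {t.peer_integrity} is weak, prefer HMAC SHA-256 or stronger")
    if t.peer_dh_group in WEAK_DH_GROUPS:
        p.append(f"{d}: policy: DH group {t.peer_dh_group} is weak, prefer group 14 or an ECP group")
    return p


def validate_mcr(tunnels: list[TunnelPlan], interface_ips: set[str]) -> list[str]:
    """Check the per-MCR tunnel limit, then every tunnel in the plan."""
    p: list[str] = []
    if len(tunnels) > MAX_TUNNELS_PER_MCR:
        p.append(f"{len(tunnels)} tunnels planned; at most {MAX_TUNNELS_PER_MCR} per MCR")
    for t in tunnels:
        p.extend(validate_tunnel(t, interface_ips))
    return p


if __name__ == "__main__":
    # Constructed sample: one interface IP on the VXC, one good and one bad tunnel.
    vxc_ips = {"10.0.0.1"}
    plan = [
        TunnelPlan("branch-a", "10.0.0.1", "192.168.1.2", "correct-horse-battery"),
        TunnelPlan("branch-b", "10.0.0.1", "192.168.1.3", "short",
                   phase2_lifetime=DEFAULT_PHASE1, peer_dh_group=2),
    ]
    for v in (4, 6):
        print(f"default IPv{v} tunnel MTU on a 1500-byte parent: {default_tunnel_mtu(1500, v)}")
    for problem in validate_mcr(plan, vxc_ips):
        print("-", problem)
```

Messages prefixed with "policy:" are the assumed local preference rather than a hard limit from the page; a peer that proposes HMAC SHA-1 or Group 2 will still negotiate successfully with the MCR, which is exactly why the check exists before the tunnel goes live.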