L2L VPN Tunnel
To fully use this screen, you must have the following permissions assigned to your account:
Read Network L2L
Write Network L2L
If you are an upgraded user, then any L2L VPN tunnel that you created in Generation 3 (my.armor.com) will not be displayed in the Armor Management Portal (AMP). If you need to modify a Generation 3 L2L VPN tunnel, please contact Armor Support via a support ticket.
Any L2L VPN tunnel that you create in AMP will be visible and configurable in AMP.
BGP Routing
Some users have asked if Armor L2L VPN supports BGP routing. Armor does not currently support BGP routing.
Create an L2L VPN tunnel with a new workload
In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
Click L2L VPN.
In the top menu, in the drop-down menu, select the data center where the virtual machine lives.
Click the plus ( + ) icon.
If you do not have any tunnels in that data center, then click Create an L2L tunnel.
In Tunnel Name, enter a descriptive name.
Use the slider to enable or disable the tunnel.
In Pre-Shared Key, enter a secure password.
You will use this key to securely connect to your local endpoint.
You can click Generate New Key to generate a password.
You can also create your own key. If you create your own key, it must meet the following requirements:
16 to 96 characters
One lower-case letter
One upper-case letter
One number
In Internet Key Exchange Version (IKE Version), select the IKE version (IKEV1 or IKEV2).
In Digest Algorithms, select an algorithm (SHA1 or SHA256).
In Encryption Mode, select an encryption mode:
Advanced Encryption Standard: AES-128, AES-256-CBC, or AES-256-GCM.
Select a Diffie-Hellman Group option:
DH-2
MODP with a 1024-bit modulus
DH-5
MODP with a 1536-bit modulus
DH-14
DH-15
DH-16
Enable or disable Perfect Forward Secrecy (PFS).
Tunnel Configuration
In Digest Algorithms, select an algorithm (SHA1 or SHA256).
In Encryption Mode, select an encryption mode (AES-128, AES-256, or AES-GCM).
Select a Diffie-Hellman Group option:
DH-2
MODP with a 1024-bit modulus
DH-5
MODP with a 1536-bit modulus
DH-14
DH-15
DH-16
In Remote Peer IP Address, enter your VPN peer IP address.
In Remote Host/Networks (CIDR), enter your LAN encryption domain, and then click the plus ( + ) sign.
In Local Host/Networks (CIDR), enter the Armor LAN encryption domain, and then click the plus ( + ) sign.
This information is the same as your secure cloud server IP address at Armor.
Click Save Changes.
| Attribute | Setting |
|---|---|
| ISAKMP Mode | Main Mode |
| Authentication | Pre-Shared Key |
| Phase 1 Lifetime (Seconds) | 28800 |
| DPD/Keep Alive | Enabled |
| DPD/Keep Alive Retries | 2 |
| DPD/Keep Alive Threshold (Seconds) | 10 |
| SA Lifetime (Seconds) | 3600 |
| SA Lifetime (Kilobytes) | 4608000 |
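As an added example that is not part of the Armor documentation: a small Python helper that checks a pre-shared key against the requirements listed above, translates the AMP menu selections (encryption mode, digest, DH group, PFS) into the proposal strings a strongSwan peer on your side of the tunnel would use, and flags selections that fall below current guidance. The strongSwan keyword mapping and all function names are assumptions, not taken from the page.

```python
import re
import secrets
import string

# PSK policy from the page: 16 to 96 characters, at least one lower-case
# letter, one upper-case letter and one digit.
PSK_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{16,96}$")

def psk_is_valid(psk: str) -> bool:
    return PSK_RE.fullmatch(psk) is not None

def generate_psk(length: int = 32) -> str:
    """Generate a random key that satisfies the policy (retry on the rare miss)."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if psk_is_valid(candidate):
            return candidate

# Assumed mapping of AMP menu choices to strongSwan proposal keywords for the
# on-premises peer; the DH group sizes follow the standard MODP group numbers.
ENC = {"AES-128": "aes128", "AES-256-CBC": "aes256", "AES-256-GCM": "aes256gcm16"}
DIGEST = {"SHA1": "sha1", "SHA256": "sha256"}
DH = {"DH-2": "modp1024", "DH-5": "modp1536", "DH-14": "modp2048",
      "DH-15": "modp3072", "DH-16": "modp4096"}

def ike_proposal(enc: str, digest: str, dh: str) -> str:
    """Phase 1 proposal. GCM is an AEAD cipher, so IKE needs an explicit PRF."""
    if enc == "AES-256-GCM":
        return f"{ENC[enc]}-prf{DIGEST[digest]}-{DH[dh]}"
    return f"{ENC[enc]}-{DIGEST[digest]}-{DH[dh]}"

def esp_proposal(enc: str, digest: str, dh: str, pfs: bool) -> str:
    """Phase 2 proposal. PFS adds a DH group to the ESP proposal."""
    base = ENC[enc] if enc == "AES-256-GCM" else f"{ENC[enc]}-{DIGEST[digest]}"
    return f"{base}-{DH[dh]}" if pfs else base

def weak_choices(digest: str, dh: str) -> list:
    """Return human-readable warnings for SHA1 and MODP groups under 2048 bits."""
    warnings = []
    if digest == "SHA1":
        warnings.append("SHA1 digest is deprecated; prefer SHA256")
    if dh in ("DH-2", "DH-5"):
        warnings.append(f"{dh} ({DH[dh]}) is under 2048 bits; prefer DH-14 or higher")
    return warnings

if __name__ == "__main__":
    print(generate_psk())
    print(ike_proposal("AES-256-GCM", "SHA256", "DH-14"))
    print(esp_proposal("AES-256-GCM", "SHA256", "DH-14", pfs=True))
```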
Edit an L2L VPN tunnel
In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
Click L2L VPN.
If you have virtual machines in various data centers, then click the corresponding data center.
Locate and hover over the desired virtual machine.
Click the vertical ellipses.
Click Edit.
Make your desired changes, and then click Save Changes.
Enable, disable, or delete an L2L VPN tunnel
In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
Click L2L VPN.
If you have virtual machines in various data centers, then click the corresponding data center.
Locate and hover over the desired virtual machine.
Click the vertical ellipses.
Click Enable, Disable, or Delete.
Make your desired changes, and then click Save Changes.