Create IPSec VPN in ACS

ACS supports VPNaaS (VPN as a Service), which allows a network in ACS to be connected to a network in another environment via an IPsec tunnel. The process of setting up the ACS side of an IPsec tunnel is as follows.

Create an IKE Policy

  1. Log into ACS and navigate to Network -> VPN.
  2. Click on the IKE Policies tab and click Add IKE Policy.
  3. Fill out the form that pops up with the IKE settings used by the environment you are connecting to. Once complete, click Add.

Create IPsec Policy

  1. Click the IPsec Policies tab.
  2. Click Add IPsec Policy.
  3. Fill out the form that pops up with the IPsec settings used by the environment you are connecting to. Once complete, click Add.

Create a VPN Service

  1. In order to create a VPN in ACS, a VPN Service must be created.
    Note: Only one VPN service can be created per router, however multiple VPN tunnels can use a single VPN service.
  2. Click the VPN Services tab and click Add VPN Service.
  3. Fill out the Name and Description (recommended but not required) and select the router from the drop-down.
    Note: Do not select a subnet.

Create Endpoint Groups

In order for the VPN to know where it can send traffic, it needs Endpoint Groups that describe the networks on both sides of the connection. Two endpoint groups will be created: one for the ACS side and one for the other side of the connection.

Subnet Endpoint Group (ACS Side of Tunnel)

  1. Click the Endpoint Groups tab and click Add Endpoint Group.
  2. Fill out the Name and Description (recommended but not required).
  3. Under Type, open the dropdown, select Subnet, and then select from the list the ACS subnets that should be part of the VPN.
  4. Click Add to create the endpoint group.

CIDR Endpoint Group (Other side of the tunnel)

  1. Click Add Endpoint Group.
  2. Fill out the Name and Description (recommended but not required).
  3. From the Type dropdown select CIDR and type in the network, in CIDR format, for the other side of the tunnel. Multiple networks can be provided if they are separated by commas.

Create IPsec Site Connection

This final step will set up the ACS side of the VPN.

  1. Click the IPsec Site Connections tab and then click Add IPsec Site Connection.
  2. Fill out the fields listed below, including the Pre-Shared Key value; record it, as you will need it to set up the other side of the VPN. If the other side is already set up, enter its Pre-Shared Key here.

  3. It is also recommended, but not required, to change the default Dead Peer Detection action to restart. This makes the VPN tunnel more tolerant of network blips, as it will restart itself if needed.

That's it! At this point, once the other side of the VPN tunnel is set up with IKE/IPsec settings that match and the same Pre-Shared Key, the tunnel should be up and running.
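As an added example (not code from the original page or from ACS), the Python pre-flight check below ties together the two requirements the procedure above depends on: the IKE and IPsec proposals must match on both sides and the pre-shared key must be the same and reasonably strong, and the endpoint groups must hold valid CIDRs (including the comma-separated list a CIDR endpoint group accepts) that do not overlap across the two sides. The field names, the sample proposals and networks, the PSK policy and the DPD check are all assumptions made up for this example; ACS's form may label the fields differently.

```python
"""Pre-flight check for an IPsec site connection (added example, not ACS code).

Both ends of the tunnel must present matching IKE and IPsec proposals and
the same pre-shared key; the endpoint groups must hold valid CIDRs that do
not overlap across the two sides.  Field names below are assumptions chosen
for this example, not ACS's form labels.
"""
import ipaddress
import secrets

# Settings that must be identical on both sides (assumed field names).
IKE_FIELDS = ("ike_version", "auth_algorithm", "encryption_algorithm",
              "dh_group", "lifetime_seconds")
IPSEC_FIELDS = ("transform_protocol", "encapsulation_mode", "auth_algorithm",
                "encryption_algorithm", "pfs", "lifetime_seconds")


def policy_mismatches(local, remote, fields):
    """Return {field: (local_value, remote_value)} for every field that differs."""
    return {f: (local.get(f), remote.get(f))
            for f in fields if local.get(f) != remote.get(f)}


def parse_cidr_list(text):
    """Parse the comma-separated list a CIDR endpoint group accepts.

    strict=True rejects entries with host bits set (e.g. 10.0.0.5/24), which
    is almost always a typo in a tunnel definition; ValueError is raised."""
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in text.split(",") if item.strip()]


def overlapping_networks(local_nets, remote_nets):
    """Pairs of local/remote prefixes that overlap; traffic for such a prefix
    cannot be routed unambiguously into the tunnel."""
    return [(loc, rem) for loc in local_nets for rem in remote_nets
            if loc.overlaps(rem)]


def generate_psk(nbytes=32):
    """Random pre-shared key: nbytes of entropy, hex-encoded (2*nbytes chars)."""
    return secrets.token_hex(nbytes)


def psk_is_strong(psk, min_len=32):
    """Minimal PSK policy for this example: long and not a well-known default."""
    weak = {"secret", "password", "vpn", "12345678", "changeme"}
    return len(psk) >= min_len and psk.lower() not in weak


def preflight(local_ike, remote_ike, local_ipsec, remote_ipsec,
              local_subnets, remote_cidrs, psk, dpd_action):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    for name, diff in (("IKE", policy_mismatches(local_ike, remote_ike, IKE_FIELDS)),
                       ("IPsec", policy_mismatches(local_ipsec, remote_ipsec, IPSEC_FIELDS))):
        for field, (loc, rem) in diff.items():
            findings.append(f"{name} {field}: local={loc!r} remote={rem!r}")
    try:
        local_nets = parse_cidr_list(local_subnets)
        remote_nets = parse_cidr_list(remote_cidrs)
    except ValueError as exc:
        findings.append(f"bad CIDR: {exc}")
    else:
        for loc, rem in overlapping_networks(local_nets, remote_nets):
            findings.append(f"overlap: {loc} <-> {rem}")
    if not psk_is_strong(psk):
        findings.append("pre-shared key is too weak")
    if dpd_action != "restart":
        findings.append(f"DPD action is {dpd_action!r}; 'restart' recovers from network blips")
    return findings


# Constructed sample input: the peer side has a longer IKE lifetime, a peer
# CIDR that swallows the local subnet, a lazy PSK and DPD left at 'hold'.
LOCAL_IKE = {"ike_version": "v2", "auth_algorithm": "sha256",
             "encryption_algorithm": "aes-256", "dh_group": 14, "lifetime_seconds": 3600}
REMOTE_IKE = dict(LOCAL_IKE, lifetime_seconds=28800)
LOCAL_IPSEC = {"transform_protocol": "esp", "encapsulation_mode": "tunnel",
               "auth_algorithm": "sha256", "encryption_algorithm": "aes-256",
               "pfs": "group14", "lifetime_seconds": 3600}
REMOTE_IPSEC = dict(LOCAL_IPSEC)


def run_example():
    """Run the check over the constructed sample; four findings are expected."""
    return preflight(LOCAL_IKE, REMOTE_IKE, LOCAL_IPSEC, REMOTE_IPSEC,
                     local_subnets="10.10.0.0/24",
                     remote_cidrs="192.168.50.0/24, 10.10.0.0/16",
                     psk="changeme", dpd_action="hold")


if __name__ == "__main__":
    for finding in run_example():
        print("-", finding)
    print("suggested PSK:", generate_psk())
```

Run it against the values you and the peer administrator have agreed on before clicking Add on the IPsec Site Connection form; an empty findings list means the proposals line up and the tunnel has a good chance of coming up on the first try, while each finding names the field to fix on one side or the other.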