Using IPsec with Megaport

If you need to encrypt traffic between endpoints in an IP network, IPsec is the most common solution. IPsec encrypted traffic can be transparently carried over any Megaport VXC.

Internet Protocol Security (IPsec) is a secure network protocol suite for Internet Protocol (IP) communications that works by authenticating and encrypting packets of data in a communication session. It provides secure encrypted communication between two computers over an IP network and is used in virtual private networks.

You can create an IPsec encrypted customer-to-customer, customer-to-cloud, or cloud-to-cloud connection. See your cloud or equipment vendor’s documentation for more information about creating IPsec connections. On Megaport Cloud Routers (MCR), you can enable IPsec in the Megaport Portal during creation, or edit the MCR to enable IPsec after it has gone live. For more information, see Using IPsec with MCR.

Supported ciphers

The MCR will offer the following ciphers to IPsec peers. At this time, the options are not configurable.

Encryption

  • AES128-GCM-128

  • AES256-GCM-128

Integrity

  • HMAC SHA-1

  • HMAC SHA-256

  • HMAC SHA-384

  • HMAC SHA-512

Key Exchange (Diffie-Hellman group)

  • MODP

    • Diffie-Hellman Group 2 (1024-bit)

    • Diffie-Hellman Group 14 (2048-bit)

  • ECP

    • Diffie-Hellman Group 19 (256-bit random)

    • Diffie-Hellman Group 20 (384-bit random)

    • Diffie-Hellman Group 21 (521-bit random)

IP MTU settings

IPsec packets include overhead due to encryption and encapsulation. We recommend that you configure your IP Maximum Transmission Unit (MTU) carefully to suit your network. The maximum value depends on the negotiated ciphers. If you do not configure the IP MTU setting, the MCR will use the following default values:

The IP MTU is the largest size (in bytes) of an IP packet that can be sent over a network interface (VXC). Jumbo packets are larger than the standard 1500 bytes and are typically used in high-performance networks to reduce overhead and improve efficiency.

  • 96 bytes less than the parent interface IP MTU for IPv4
  • 116 bytes less than the parent interface IP MTU for IPv6

These values allow for ciphers that have the largest overhead.
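To make the overhead and default-MTU rule above concrete, here is an added example (not Megaport's code) that estimates the per-packet overhead of an ESP tunnel for the AES-GCM ciphers listed above and derives the MCR default tunnel MTU from a parent interface MTU. It assumes ESP in tunnel mode (RFC 4303) with an AES-GCM AEAD transform (RFC 4106) and an outer header without options; the MCR's actual encapsulation is not described on this page, so the overhead figures are an estimate.

```python
"""Estimate ESP tunnel overhead for the ciphers listed on this page.

Added example, not Megaport's code. Assumes ESP tunnel mode (RFC 4303)
with an AES-GCM transform (RFC 4106); the MCR's real encapsulation is
not stated on the page, so treat the computed overhead as an estimate.
"""

# Wire-format constants (RFC 4303 / RFC 4106).
ESP_HEADER = 8              # SPI (4) + sequence number (4)
GCM_IV = 8                  # explicit IV carried in every ESP packet
ESP_TRAILER = 2             # pad length (1) + next header (1)
ESP_ALIGN = 4               # ESP payload must end on a 4-byte boundary
UDP_HEADER = 8              # only present with NAT traversal (UDP encapsulation)
OUTER_IP = {4: 20, 6: 40}   # outer IP header, no options / extension headers

# From the page: the MCR default tunnel MTU is the parent MTU minus these values.
MCR_DEFAULT_REDUCTION = {4: 96, 6: 116}


def icv_len(cipher: str) -> int:
    """ICV length in bytes from a page-style name such as 'AES256-GCM-128'."""
    bits = int(cipher.rsplit("-", 1)[1])
    if bits not in (64, 96, 128):
        raise ValueError(f"unsupported GCM ICV length: {bits}")
    return bits // 8


def esp_overhead(cipher: str, ip_version: int, inner_len: int, nat_t: bool = False) -> int:
    """Bytes added when an inner packet of inner_len bytes is ESP-tunnelled."""
    # GCM is a counter mode, so only ESP's 4-byte alignment padding applies.
    pad = (-(inner_len + ESP_TRAILER)) % ESP_ALIGN
    total = OUTER_IP[ip_version] + ESP_HEADER + GCM_IV + pad + ESP_TRAILER + icv_len(cipher)
    return total + UDP_HEADER if nat_t else total


def worst_case_overhead(cipher: str, ip_version: int, nat_t: bool = False) -> int:
    """Maximum overhead over all padding residues (inner length mod 4)."""
    return max(esp_overhead(cipher, ip_version, n, nat_t) for n in range(ESP_ALIGN))


def mcr_default_tunnel_mtu(parent_mtu: int, ip_version: int) -> int:
    """Tunnel MTU the MCR uses when no IP MTU is configured (page rule)."""
    return parent_mtu - MCR_DEFAULT_REDUCTION[ip_version]


def largest_inner_packet(parent_mtu: int, cipher: str, ip_version: int, nat_t: bool = False) -> int:
    """Largest inner packet that still fits the parent MTU after encapsulation (estimate)."""
    return parent_mtu - worst_case_overhead(cipher, ip_version, nat_t)
```

With a 1500-byte parent MTU the default rule gives 1404 (IPv4) and 1384 (IPv6), which leaves headroom above the estimated worst-case GCM overhead even with NAT traversal.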

You can use an IPsec connection between two of your own devices using Megaport services.

Prerequisites

Before creating a customer-to-customer IPsec encrypted link, you need:

  • An IPsec capable router at each of your locations.
  • A Megaport Port at each end of your connection, in a location where you can physically connect your IPsec capable router to it.

To create a customer-to-customer encrypted connection

  1. From each IPsec capable router, create a physical link to a Megaport Port.
  2. Use a VXC to connect your Ports.
  3. Create an IPsec connection over the interfaces connected to Megaport.

IPsec customer-to-customer connection diagram. This image shows the structure of an IPsec encrypted connection from a customer's IPsec capable router, connected to a Port, which is connected to another Port using a VXC. The second Port is connected to another of the customer's IPsec capable routers.

Prerequisites

Before creating a customer-to-cloud IPsec encrypted link, you need:

  • An IPsec capable router.
  • A Megaport Port in a location where you can connect physically from your IPsec capable router to the Port.
  • A connection to your CSP.

To create a customer-to-cloud encrypted connection

This example shows an IPsec connection from a customer to AWS Direct Connect.

  1. From your IPsec capable router, create a physical link to a Megaport Port.
  2. Use a VXC to connect the Port to the CSP, AWS Direct Connect in this case.
  3. Create an IPsec tunnel between your device and the CSP’s VPN services.

The connection will be IPsec encrypted from the IPsec capable router through to the AWS Transit Gateway.

IPsec customer router to AWS Transit Gateway diagram. This image shows the structure of an IPsec encrypted connection from the customer's IPsec capable router, through a physical connection to a Megaport Port. This is connected to an AWS Direct Connect hosted connection using a Virtual Cross Connect (VXC). The Direct Connect hosted connection is connected to a Transit Gateway via a Direct Connect Gateway.

Prerequisites

Before creating a cloud-to-cloud IPsec encrypted link, you need:

  • A Megaport Cloud Router (MCR) with IPsec enabled.
  • VXC connections to your CSPs.

To create a cloud-to-cloud encrypted connection

This example describes an IPsec connection from AWS Direct Connect to Azure ExpressRoute.

  1. Create a VXC to connect your Direct Connect connection to the MCR.
  2. Use a VXC to connect the MCR to the ExpressRoute connection.
  3. Create an IPsec tunnel between the AWS and Azure VPN services.
    For more information, see Using IPsec with MCR.

The connection will be IPsec encrypted from the AWS Transit Gateway to the Azure Virtual Network Gateway.

IPsec AWS Direct Connect to ExpressRoute Virtual Network Gateway diagram. This image shows the structure of an IPsec encrypted connection from an AWS Direct Connect connection, connected to a Megaport MCR using a VXC. The MCR is connected using a VXC to ExpressRoute and a Virtual Network Gateway.

Prerequisites

Before creating a cloud-to-cloud link with IPsec tunnels, you need:

  • A Megaport Cloud Router (MCR) with IPsec enabled.
  • Connections established through VXCs to your Cloud Service Providers.

To create a cloud-to-cloud encrypted connection

This example describes an IPsec connection from AWS Direct Connect to Azure ExpressRoute.

  1. Create a VXC to connect your Direct Connect connection to the MCR.
  2. Create a VXC to connect the MCR to the ExpressRoute connection.
  3. Create an IPsec tunnel on the VXC between the MCR and the Direct Connect connection. For more information, see Using IPsec with MCR.
  4. Create an IPsec tunnel on the VXC between the MCR and the ExpressRoute connection. For more information, see Using IPsec with MCR.

The connection will be IPsec-encrypted from the AWS Transit Gateway to the Azure Virtual Network Gateway.

IPsec AWS Direct Connect to ExpressRoute Virtual Network Gateway diagram. This image shows the structure of an IPsec encrypted connection from an AWS Direct Connect connection, connected to a Megaport MCR using a VXC. The MCR is connected using a VXC to ExpressRoute and a Virtual Network Gateway.

Helpful references