© NTT Communications Corporation ALL Rights Reserved.
3.2 IPSec VPN v 1.0.6
Disclaimer: The English version of the service description is a machine translation.
If there is any discrepancy, the Japanese version takes precedence.
Table of Contents
1 Summary
2 Delivery Function
2.1 Delivery Function
2.2 IPSec VPN Host-Side Configuration
2.3 About Applications
2.3.1 Document
2.3.2 Parameter Sheet
3 Billing
4 Standard Due Date
5 Related Menus
6 Constraints
7 Maintenance Operation
7.1 Maintenance and Operation of Equipment
7.2 Scope of Our Company's Responsibility
8 Service Level
1 Summary
The IPSec VPN menu provides the ability to securely connect between the Landing Zone of this Service and the
Customer's site using IPSec VPN encryption over the Internet.
To connect to the Internet, use the "Internet Connect" menu of this service separately.
2 Delivery Function
2.1 Delivery Function
Menu ID | Menu Name | Description
--- | --- | ---
N-CS-VPN-H -1 T | IPSec VPN Host-Side Configuration | Configure the IPSec VPN tunnel for the IPSec VPN device on the Service side based on the parameter sheet provided by the Customer. IPSec VPN tunnels are configured for each customer site.
N-CS-VPN-U1-NET | IPSec VPN - Tokyo DC | Provide VPN connectivity between the Tokyo Data Center and the Customer Site for this Service. Also, we will change the settings of the IPSec VPN device on the Service side according to the customer's request.
N-CS-VPN-U2-NET | IPSec VPN - Osaka DC | Provide VPN connectivity between the Osaka Data Center and the Customer Site for this Service. Also, we will change the settings of the IPSec VPN device on the Service side according to the customer's request.
N-CS-VPN-T-SVC | IPSec VPN Tunnel Managed Service Feed | In response to the Customer's inquiry, we will verify the status of the IPSec VPN device on the Service side (Phase 1, 2) and perform a ping/traceroute to the global IP address of the Customer Site Router.
2.2 IPSec VPN Host-Side Configuration
Create an IPSec VPN device in the Landing Zone according to your application.
The configuration of this service-side IPSec VPN device is as follows:
Parameter | Item | Value
--- | --- | ---
VPN Tunnel Endpoint | Service side | Our company issues a global IP address (*)
VPN Tunnel Endpoint | Customer Site Side | Customer Specified
VPN Tunnel Network | Network address | Please specify /30.
VPN Tunnel Network | Service side | The fourth octet + 1 of the network address
VPN Tunnel Network | Customer Site Side | The fourth octet + 2 of the network address
VPN Type | | Route based
Key management protocol | | IKEv1
NAT Traversal | | Enabled
Phase I. VPN SA Parameters | Key exchange format (key exchange mode) | Main Mode
Phase I. VPN SA Parameters | Encryption algorithm (Encryption Algorithm) | Customer-specified <AES 256, AES 128>
Phase I. VPN SA Parameters | Hash algorithm (Hash Algorithm) | Customer-specified <SHA-256, SHA-1>
Phase I. VPN SA Parameters | Authentication method (Authentication Method) | Pre-Shared Key
Phase I. VPN SA Parameters | Pre-Shared Key | Customer Specified
Phase I. VPN SA Parameters | Diffie-Hellman group | GROUP 2
Phase I. VPN SA Parameters | IKE SA lifetime | 24 hours (86,400 sec)
Phase I. VPN SA Parameters | DPD (Dead Peer Detection) | Enabled
Phase I. VPN SA Parameters | ISAKMP keepalive transmission interval/number of transmissions | 10 Seconds/2 Second retry
Phase II. IPSec SA parameters | Protocol | ESP
Phase II. IPSec SA parameters | Encryption algorithm (Encryption Algorithm) | Customer-specified <AES 256, AES 128>
Phase II. IPSec SA parameters | Authentication algorithms (Integrity Algorithm) | Customer-specified <SHA-256, SHA-1>
Phase II. IPSec SA parameters | PFS (Perfect Forward Secrecy) | Enabled. Customer-specified <GROUP 1, 2, 5, 14> (Default is GROUP2)
Phase II. IPSec SA parameters | IPSec SA lifetime | 4,500 MB/3,600 sec
Customer Site Network | | Customer-specified <network address, subnet mask>
(*) No application for Public IP Address (IPv4) is required. Global IP addresses for IPSec VPNs are included in this
IPSec VPN menu.
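As an added example (not part of the original service description), the following Python check derives the two tunnel addresses from the /30 in a parameter sheet, rejects values outside the options in the table above, and flags the weaker of the offered options. The dictionary keys, function name and sample sheet are hypothetical.

```python
import ipaddress

# Choices section 2.2 leaves to the customer (key names are hypothetical).
ALLOWED = {
    "p1_encryption": {"AES 256", "AES 128"},
    "p1_hash": {"SHA-256", "SHA-1"},
    "p2_encryption": {"AES 256", "AES 128"},
    "p2_integrity": {"SHA-256", "SHA-1"},
    "pfs_group": {1, 2, 5, 14},
}
DEFAULTS = {"pfs_group": 2}  # "Default is GROUP2"
# MODP modulus sizes of the offered groups (RFC 2409, RFC 3526).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


def check_sheet(sheet):
    """Return (tunnel_addresses, errors, warnings) for one parameter sheet."""
    addrs, errors, warnings = {}, [], []
    try:
        # strict=True rejects a host address such as 192.0.2.9/30.
        net = ipaddress.ip_network(sheet["tunnel_network"], strict=True)
        if net.version != 4 or net.prefixlen != 30:
            errors.append("tunnel_network: must be an IPv4 /30")
        else:
            # Service side is network address + 1, customer site side + 2.
            addrs = {"service": str(net.network_address + 1),
                     "customer": str(net.network_address + 2)}
    except (KeyError, ValueError) as exc:
        errors.append(f"tunnel_network: {exc}")
    for key, allowed in ALLOWED.items():
        value = sheet.get(key, DEFAULTS.get(key))
        if value not in allowed:
            errors.append(f"{key}: {value!r} is not an offered option")
        elif value == "SHA-1":
            warnings.append(f"{key}: SHA-1 selected, SHA-256 is offered")
        elif key == "pfs_group" and MODP_BITS[value] < 2048:
            warnings.append(f"{key}: GROUP {value} is {MODP_BITS[value]}-bit "
                            "MODP, GROUP 14 (2048-bit) is offered")
    return addrs, errors, warnings


# Constructed sample sheet (documentation address range, not from the page).
SAMPLE = {"tunnel_network": "192.0.2.8/30", "p1_encryption": "AES 256",
          "p1_hash": "SHA-1", "p2_encryption": "AES 128",
          "p2_integrity": "SHA-256"}

if __name__ == "__main__":
    print(check_sheet(SAMPLE))
```

The Phase I Diffie-Hellman group is fixed at GROUP 2 in the table and is not customer-selectable, so the check covers only the PFS group.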
2.3 About Applications
2.3.1 Document
Document | Description
--- | ---
Order sheet | Please fill out this form when you apply for the IPSec VPN menu.
Parameter sheet | Enter the configuration parameters. You will be asked to provide this information during the initial setup of your IPSec VPN, as well as when you request configuration changes during your use period. After the setting change is completed, our company will present a parameter sheet reflecting the setting contents.
2.3.2 Parameter Sheet
The following parameters can be specified in the parameter sheet:
Item | Parameter
--- | ---
Customer Site Network | Peering IP Address
Customer Site Network | Customer site network address
Customer Site Network | Tunnel network network address
Phase I. VPN SA Parameters | Pre-Shared Key
Phase I. VPN SA Parameters | Encryption algorithm
Phase I. VPN SA Parameters | Hash algorithm
Phase II. IPSec SA parameters | Encryption algorithm
Phase II. IPSec SA parameters | Authentication algorithm
Phase II. IPSec SA parameters | PFS (Perfect Forward Secrecy)
3 Billing
Menu ID | Menu Name | Initial cost | Monthly cost
--- | --- | --- | ---
N-CS-VPN-H -1 T | IPSec VPN Host-Side Configuration | Per VPN Tunnel | -
N-CS-VPN-U1-NET | IPSec VPN - Tokyo DC | - | Monthly fixed per IPSec VPN device
N-CS-VPN-U2-NET | IPSec VPN - Osaka DC | - | Monthly fixed per IPSec VPN device
N-CS-VPN-T-SVC | IPSec VPN Tunnel Managed Service Feed | - | Monthly fixed per IPSec VPN device
4 Standard Due Date
Menu ID | Menu Name | Delivery date
--- | --- | ---
N-CS-VPN-H -1 T | IPSec VPN Host-Side Configuration | 10 business days (If you apply at the same time as IaaS Onboarding, it will be done in the IaaS Onboarding process.)
N-CS-VPN-U1-NET | IPSec VPN - Tokyo DC | The due date of a setup change order depends on the work volume. For a standard volume (single location VPN tunnel endpoint, changing VPN tunnel network), it is 5 business days after application acceptance (*). The customer indicates the desired date of the setting change on the parameter sheet. Orders will be accepted until 14:00 on each business day, after which they will be treated as received on the following business day. The day of acceptance is counted as day 0.
N-CS-VPN-U2-NET | IPSec VPN - Osaka DC |
(*) After our company has confirmed that there are no defects in the application form.
5 Related Menus
Menu ID | Menu Name | Menu that requires application together | Related Service Category
N-CS-VPN-H -1 T | IPSec VPN Host-Side Configuration
• Internet Connect
• IaaS Onboarding
• IaaS Compute μVM
• Virtual HANA
• Physical HANA
N-CS-VPN-U1-NET | IPSec VPN - Tokyo DC
N-CS-VPN-U2-NET | IPSec VPN - Osaka DC
N-CS-VPN-T-SVC | IPSec VPN Tunnel Managed Service Feed
6 Constraints
• This menu is available in a single configuration.
• You must have IPSec VPN-enabled network equipment at your site and connect to the Internet.
• The customer will configure the IPSec VPN-enabled network equipment at the customer site.
• Depending on the type of network equipment that supports IPSec VPN at the customer site, IPSec
communication may not be established.
  Equipment with a proven track record of connection:
  • Cisco ASR 1000
  • VyOS
  • FortiGate-VM 64
  Equipment that failed to verify a good connection:
  • YAMAHA RTX 810
• The configuration of the IPSec VPN device on the service side can be changed only once a month. If the
upper limit is exceeded, a separate fee will be charged.
• The IPSec VPN device on the Service side does not provide packet filtering. If you wish to restrict
communication between VPN connection sites, either configure filtering settings on your IPSec VPN device or
create multiple Landing Zones on the Service side so that communication between VPN connection sites goes
through the firewall. IPSec VPN devices on the Service side are created for each Landing Zone.
• You cannot specify a date and time for configuration changes to the IPSec VPN device on the Service side.
• Communication may be interrupted depending on the setting change. In that case, we will contact you in
advance.
• If there are any changes to the order, the due date is reset based on our company's confirmed changes
completion date.
• Under the IPSec VPN Tunnel Managed Service Feed menu, in response to a customer query, our
company will provide the customer with ping and traceroute results, but will not provide any further
troubleshooting if the Service-side IPSec VPN device is not found to be defective. Depending on the
customer's network equipment and environment, ping and traceroute may not reach the customer's
network equipment even in normal operation, and therefore may not be an effective means of fault
isolation in the event of failure.
• In the IPSec VPN Tunnel Managed Service Feed menu, we assume that customer queries occur only twice
a month. If it exceeds that, you will be charged separately.
7 Maintenance Operation
7.1 Maintenance and Operation of Equipment
• IPSec VPN devices are monitored based on our company's monitoring rules. Monitoring is 24 hours a day,
365 days a year.
• Ping is used for alive (up/down) monitoring.
• We notify the customer of any failures that affect customer service.
7.2 Scope of Our Company's Responsibility
The chart below shows the scope of our company's responsibilities.
The maintenance of this menu does not apply to failures of the Internet or customer sites.
8 Service Level
This menu does not cover SLAs.