
© NTT Communications Corporation ALL Rights Reserved.


3.2 IPSec VPN v 1.0.6

Disclaimer: The English version of the service description was produced by machine translation. If there is any discrepancy, the Japanese version takes precedence.


Table of Contents

1 Summary
2 Delivery Function
  2.1 Delivery Function
  2.2 IPSec VPN Host-Side Configuration
  2.3 About Applications
    2.3.1 Document
    2.3.2 Parameter Sheet
3 Billing
4 Standard Due Date
5 Related Menus
6 Constraints
7 Maintenance Operation
  7.1 Maintenance and Operation of Equipment
  7.2 Our Company's Scope of Responsibility
8 Service Level


1 Summary

The IPSec VPN menu provides a secure connection between the Landing Zone of this Service and the Customer's site, using IPSec VPN encryption over the Internet.

To connect to the Internet, use the separate "Internet Connect" menu of this Service.


2 Delivery Function

2.1 Delivery Function

Menu ID: N-CS-VPN-H -1 T
Menu Name: IPSec VPN Host-Side Configuration
Description: Configure the IPSec VPN tunnel for the IPSec VPN device on the Service side based on the parameter sheet provided by the Customer. IPSec VPN tunnels are configured for each customer site.

Menu ID: N-CS-VPN-U1-NET
Menu Name: IPSec VPN - Tokyo DC
Description: Provide VPN connectivity between the Tokyo Data Center and the Customer Site for this Service. Also, we will change the settings of the IPSec VPN device on the Service side according to the customer's request.

Menu ID: N-CS-VPN-U2-NET
Menu Name: IPSec VPN - Osaka DC
Description: Provide VPN connectivity between the Osaka Data Center and the Customer Site for this Service. Also, we will change the settings of the IPSec VPN device on the Service side according to the customer's request.

Menu ID: N-CS-VPN-T-SVC
Menu Name: IPSec VPN Tunnel Managed Service Feed
Description: In response to the Customer's inquiry, we will verify the status of the IPSec VPN device on the Service side (Phase 1, 2) and perform a ping/traceroute to the global IP address of the Customer Site Router.

2.2 IPSec VPN Host-Side Configuration

Create an IPSec VPN device in the Landing Zone according to your application.

The configuration of this service-side IPSec VPN device is as follows:

VPN Tunnel Endpoint
  Service side: Our company issues a global IP address (*)
  Customer Site Side: Customer Specified

VPN Tunnel Network
  Network address: Please specify a /30.
  Service side: The fourth octet + 1 of the network address
  Customer Site Side: The fourth octet + 2 of the network address

VPN Type: Route based
Key management protocol: IKEv1
NAT Traversal: Enabled

Phase I. VPN SA Parameters
  Key exchange format (key exchange mode): Main Mode
  Encryption algorithm (Encryption Algorithm): Customer-specified <AES 256, AES 128>
  Hash algorithm (Hash Algorithm): Customer-specified <SHA-256, SHA-1>
  Authentication method (Authentication Method): Pre-Shared Key
  Pre-Shared Key: Customer Specified
  Diffie-Hellman group: GROUP 2
  IKE SA lifetime: 24 hours (86,400 sec)
  DPD (Dead Peer Detection): Enabled
  ISAKMP keepalive transmission interval/number of transmissions: 10 Seconds/2 Second retry

Phase II. IPSec SA parameters
  Protocol: ESP
  Encryption algorithm (Encryption Algorithm): Customer-specified <AES 256, AES 128>
  Authentication algorithms (Integrity Algorithm): Customer-specified <SHA-256, SHA-1>
  PFS (Perfect Forward Secrecy): Enabled; Customer-specified <GROUP 1, 2, 5, 14> (Default is GROUP 2)
  IPSec SA lifetime: 4,500 MB/3,600 sec

Customer Site Network: Customer-specified <network address, subnet mask>

(*) No application for Public IP Address (IPv4) is required. Global IP addresses for IPSec VPNs are included in this IPSec VPN menu.

2.3 About Applications

2.3.1 Document

Document: Order sheet
Description: Please fill out this form when you apply for the IPSec VPN menu.

Document: Parameter sheet
Description: Enter the configuration parameters. You will be asked to provide this information during the initial setup of your IPSec VPN, as well as when you request configuration changes during your use period. After the setting change is completed, our company will present a parameter sheet reflecting the setting contents.

2.3.2 Parameter Sheet

The following parameters can be specified in the parameter sheet:

Customer Site Network
  • Peering IP Address
  • Customer site network address

Tunnel network
  • Network address

Phase I. VPN SA Parameters
  • Pre-Shared Key
  • Encryption algorithm
  • Hash algorithm

Phase II. IPSec SA parameters
  • Encryption algorithm
  • Authentication algorithm
  • PFS (Perfect Forward Secrecy)
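
A parameter sheet can be checked against the values listed in sections 2.2 and 2.3.2 before it is submitted. The following Python is an added example, not part of the service description or of NTT Communications' tooling; the field names, the sample values and the "legacy" advisory are assumptions of the example.

```python
import ipaddress

# Customer-selectable values from the section 2.2 table; field names are hypothetical.
ALLOWED = {
    "p1_encryption": {"AES 256", "AES 128"},
    "p1_hash": {"SHA-256", "SHA-1"},
    "p2_encryption": {"AES 256", "AES 128"},
    "p2_integrity": {"SHA-256", "SHA-1"},
    "p2_pfs_group": {1, 2, 5, 14},
}
DEFAULTS = {"p2_pfs_group": 2}  # the table gives GROUP 2 as the PFS default
# Older options the table still permits; flagging them is this example's advisory only.
LEGACY = {"p1_hash": {"SHA-1"}, "p2_integrity": {"SHA-1"}, "p2_pfs_group": {1, 2, 5}}

def tunnel_endpoints(tunnel_network):
    """Return (service side = network + 1, customer site side = network + 2)."""
    net = ipaddress.IPv4Network(tunnel_network, strict=True)  # rejects host bits
    if net.prefixlen != 30:
        raise ValueError("tunnel network must be a /30")
    return str(net.network_address + 1), str(net.network_address + 2)

def check_sheet(sheet):
    """Validate a parameter sheet dict; return (errors, advisories, endpoints)."""
    errors, advisories, endpoints = [], [], None
    try:
        endpoints = tunnel_endpoints(sheet["tunnel_network"])
    except (KeyError, ValueError) as exc:
        errors.append(f"tunnel_network: {exc}")
    for field, parser in (("peering_ip", ipaddress.IPv4Address),
                          ("customer_network", ipaddress.IPv4Network)):
        try:
            parser(sheet[field])
        except (KeyError, ValueError) as exc:
            errors.append(f"{field}: {exc}")
    if not sheet.get("pre_shared_key"):
        errors.append("pre_shared_key: required")
    for field, allowed in ALLOWED.items():
        value = sheet.get(field, DEFAULTS.get(field))
        if value not in allowed:
            errors.append(f"{field}: {value!r} is not one of {sorted(allowed, key=str)}")
        elif value in LEGACY.get(field, ()):
            advisories.append(f"{field}: {value!r} is a legacy option")
    return errors, advisories, endpoints

# Constructed sample sheet (documentation address range, placeholder key).
SAMPLE = {"peering_ip": "203.0.113.10", "customer_network": "192.168.10.0/24",
          "tunnel_network": "10.255.0.4/30", "pre_shared_key": "<placeholder>",
          "p1_encryption": "AES 256", "p1_hash": "SHA-256",
          "p2_encryption": "AES 256", "p2_integrity": "SHA-1"}
```

The Phase I Diffie-Hellman group is fixed at GROUP 2 by the service and is not a sheet field, so the checker does not cover it.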


3 Billing

Menu ID: N-CS-VPN-H -1 T
Menu Name: IPSec VPN Host-Side Configuration
Initial cost: Per VPN Tunnel
Monthly cost: -

Menu ID: N-CS-VPN-U1-NET
Menu Name: IPSec VPN - Tokyo DC
Initial cost: -
Monthly cost: Monthly fixed per IPSec VPN device

Menu ID: N-CS-VPN-U2-NET
Menu Name: IPSec VPN - Osaka DC
Initial cost: -
Monthly cost: Monthly fixed per IPSec VPN device

Menu ID: N-CS-VPN-T-SVC
Menu Name: IPSec VPN Tunnel Managed Service Feed
Initial cost: -
Monthly cost: Monthly fixed per IPSec VPN device


4 Standard Due Date

Menu ID: N-CS-VPN-H -1 T
Menu Name: IPSec VPN Host-Side Configuration
Delivery date: 10 business days (If you apply at the same time as IaaS Onboarding, it will be done in the IaaS Onboarding process.)

Menu ID: N-CS-VPN-U1-NET (IPSec VPN - Tokyo DC) and N-CS-VPN-U2-NET (IPSec VPN - Osaka DC)
Delivery date: The due date of a setup change order depends on the work volume. For a standard volume (single location VPN tunnel endpoint, changing VPN tunnel network), it is 5 business days after application acceptance (*). The customer enters the desired date for the setting change on the parameter sheet. Orders are accepted until 14:00 on each business day; orders arriving after that are treated as received on the following business day. The day of acceptance is counted as day 0.

(*) After our company has confirmed that there are no defects in the application form.


5 Related Menus

Columns: Menu ID, Menu Name, Menu that requires application together, Related Service Category

N-CS-VPN-H -1 T: IPSec VPN Host-Side Configuration

• Internet Connect
• IaaS Onboarding
• IaaS Compute μVM
• Virtual HANA
• Physical HANA

N-CS-VPN-U1-NET: IPSec VPN - Tokyo DC

N-CS-VPN-U2-NET: IPSec VPN - Osaka DC

N-CS-VPN-T-SVC: IPSec VPN Tunnel Managed Service Feed


6 Constraints

• This menu is available in a single configuration.

• You must have IPSec VPN-enabled network equipment at your site and connect it to the Internet.

• The customer will configure the IPSec VPN-enabled network equipment at the customer site.

• Depending on the type of network equipment that supports IPSec VPN at the customer site, IPSec communication may not be established.

  Equipment with a proven track record of connection:
    • Cisco ASR 1000
    • VyOS
    • FortiGate-VM 64

  Equipment for which a good connection could not be verified:
    • YAMAHA RTX 810

• The configuration of the IPSec VPN device on the service side can be changed only once a month. If the upper limit is exceeded, a separate fee will be charged.

• The IPSec VPN device on the service side does not provide packet filtering. If you wish to restrict communication between VPN connection sites, either configure filtering settings on your IPSec VPN device or create multiple Landing Zones on the Service side so that communication between VPN connection sites goes through the firewall. IPSec VPN devices on the service side are created for each Landing Zone.

• You cannot specify a date and time for configuration changes to the IPSec VPN device on the service side.

• Communication may be interrupted depending on the setting change. In that case, we will contact you in advance.

• If there are any changes to the order, the due date is reset based on our company's confirmed change completion date.

• Under the IPSec VPN Tunnel Managed Service Feed menu, in response to a customer query, our company will provide the customer with ping and traceroute results, but will not provide any further troubleshooting if the service-side IPSec VPN device is not found to be defective. Depending on the customer's network equipment and environment, ping and traceroute may not reach the customer's network equipment even under normal conditions, and therefore may not be an effective means of fault isolation in the event of failure.

• In the IPSec VPN Tunnel Managed Service Feed menu, we assume that customer queries occur only twice a month. If that number is exceeded, you will be charged separately.


7 Maintenance Operation

7.1 Maintenance and Operation of Equipment

• IPSec VPN devices are monitored based on our company's monitoring rules. Monitoring is 24 hours a day, 365 days a year.

• Ping is used for up/down (liveness) monitoring.

• We notify the customer of any failures that affect customer service.

7.2 Our Company's Scope of Responsibility

The chart below shows the scope of our company's responsibilities.

The maintenance of this menu does not apply to failures of the Internet or customer sites.


8 Service Level

This menu does not cover SLAs.