Contact Support

Enable IPsec Site-to-Site VPN

Learn how to configure an IPsec site-to-site VPN on a Verkada Gateway

Verkada gateways can act as site-to-site IPSec IKEv2 VPN clients. This allows the gateway to connect to an IPsec VPN server and route encrypted traffic. The gateway can only route traffic from devices connected to it through the VPN. Appropriate egress and NAT rules must be set up on the VPN server to allow connected device traffic to be routed through the internet and within the VPN tunnel.

You need to set up Dynamic DNS before you can enable IPsec Site-to-Site VPN.

Configure IPsec VPN on a gateway

1

In Verkada Command, go to All Products > Gateways .

2

Select the gateway you want to configure.

3

In the top right, click Settings .

4

Under Network > IPsec VPN toggle on Enable IPSec VPN.

5

In the Server field, enter the VPN server IP or domain name.

6

The gateway supports two authentication types:

a. (See step 7) Certificate: Requires Certificate Authority cert, client cert, and key. b. (See step 8) Pre-Shared Key: Requires a shared key.

7

On the Authentication drop-down, select Certificate.

a. On Remote ID, enter the remote certificate subjectAltName or subject DN. b. On Local ID, enter local certificate subjectAltName or subject DN.

c. Upload the Client Key, Client Certificate, and Certificate Authority certificate in the .pem format.**Note: **Instructions to generate a client key and certificate and to set up a certificate authority are found here. d. Skip to step 9.

8

On the Authentication drop-down, select Pre-Shared Key.

a. On Remote ID, enter the remote ID of the pre-shared key. b. On Local ID, enter the local ID of the pre-shared key. c. On Password, enter the password of the pre-shared key.

9

Hit Apply, then Confirm to save. Your gateway should now have a VPN badge next to the name, indicating that the connection was successful.

Configure your VPN server

When configuring your VPN server, you must set specific details to establish the VPN tunnel and enable data transfer between the server and the client.

Supported VPN routing type

  • Policy Based routing

Supported Key Exchange Version

  • IKEv2

Perfect Forward Secrecy (PFS) is not supported on gateways as a VPN client.

Supported cipher suites for IKE Phase 1 and Phase 2

  • Encryption

    • AES 128

    • AES 256

  • Hash

    • SHA 256

    • SHA 384

    • SHA 512

  • DH Group

    • Group 14

Set up DDNS using a supported free DDNS provider to ensure your VPN is always connected to the client using its Dynamic Public IP address. This way, the provided ‘hostname’ always resolves to the active public IP address on the VPN client.

Need more help? Contact Verkada Support.

Last updated

Was this helpful?