Create a connection

The STACKIT VPN Service allows you to establish secure tunnels between your VPN gateway and a remote peer. Because the service utilizes an active-active architecture, every connection requires the configuration of two separate tunnels to ensure maximum availability and redundancy.

This guide demonstrates how to create a VPN connection, covering policy-based, route-based, and BGP-based configurations.

If you proceed with the action described here, charges may apply or the amount charged may change.

Please check carefully the amount of resulting one-off and/or ongoing costs and do not proceed unless you agree and you are authorized to do so.

Prerequisites

Before you create a connection, ensure you have the following:

• An existing STACKIT VPN gateway in the READY state.
• The public IPv4 addresses of your remote VPN peer.
• A pre-shared key (PSK) with a minimum of 20 characters.
• Information regarding your routing architecture (local and remote subnets, or BGP settings).

Configure routing for your connection

The parameters you must provide depend on the routingType of your parent gateway. You cannot change the routing type once the gateway is created.

The following table outlines the requirements for each routing mode:

Routing type	Subnet requirements	Route requirements
POLICY_BASED	localSubnets and remoteSubnets are mandatory.	staticRoutes are forbidden.
ROUTE_BASED	Defaults to 0.0.0.0/0 if not specified.	staticRoutes are mandatory.
BGP_ROUTE_BASED	Defaults to 0.0.0.0/0 if not specified.	Routes are managed dynamically via BGP.

API

Create a connection

To establish the tunnels, send a POST request to the connections endpoint of your specific gateway.

1. Identify your projectId, region, and gatewayId.

2. Prepare the JSON request body. Ensure you provide configuration for both tunnel1 and tunnel2.

3. Send the request to the following endpoint:

   POST /v1alpha1/projects/{projectId}/regions/{region}/gateways/{gatewayId}/connections

Example request (BGP-based)

This example shows a connection request for a gateway using BGP_ROUTE_BASED routing. Note that the preSharedKey is a writeOnly field and will not be returned in subsequent GET requests.

{
  "displayName": "office-neckarsulm-connection",
  "tunnel1": {
    "remoteAddress": "203.0.113.10",
    "preSharedKey": "a-very-secure-and-long-psk-string",
    "peering": {
      "localAddress": "169.254.0.1",
      "remoteAddress": "169.254.0.2"
    },
    "bgp": {
      "remoteAsn": 65000
    }
  },
  "tunnel2": {
    "remoteAddress": "203.0.113.11",
    "preSharedKey": "a-very-secure-and-long-psk-string",
    "peering": {
      "localAddress": "169.254.0.5",
      "remoteAddress": "169.254.0.6"
    },
    "bgp": {
      "remoteAsn": 65000
    }
  }
}

Portal

Portal integration not yet available.

CLI

CLI functions not yet available.

Terraform

Terraform functions not yet available.

Verify connection status

Once the request is initiated, the system begins the IKE negotiation with your remote peer. You can monitor the status of the connection via the API.

• PENDING
  The system is configuring the virtual tunnel interfaces and initiating the handshake.
• READY
  The connection is established. This state indicates the tunnels are ready to pass traffic, though actual traffic flow depends on your local and remote firewall rules.
• ERROR
  The connection could not be established. This is often caused by mismatched PSKs, incorrect IKE settings on the remote peer, or firewall blocks.

Next steps

After your connection reaches the READY state, verify that traffic can pass between your SNA and the remote Network.

• Check firewall rules: Ensure that your Security groups and the remote firewall allow the necessary traffic.
• Verify BGP peering: If using BGP, check that the BGP session is established and routes are being exchanged correctly.
• Create more connections: You can add multiple connections to a single gateway to connect several remote sites.