To create an IPSec endpoint, you need to use the API for the initial setup.
โ NB: This feature is currently in beta.
Before you Start
You will need an API key to use the API. Once you have saved the API key, you are ready to get started.
Since you are using the API directly, you have two main options:
Follow the curl commands directly in this article through a CLI replacing the <api-key> with the API key have saved.
The basic API calls can be found in a small Postman Collection "IPSec API Commands" where the API Key is added at the collection level under the variables tab.
More helpful information
We only support IKEv2.
It is not possible to make passthrough rules for this connector type.
It is not possible to use the OpenVPN setup when using the IPSec "connector" - or it is, but it might not behave as expected: you can send data to your device using OpenVPN, but any response will be routed through the IPSec tunnel.
The Onomondo SIM IP range for local endpoints is:
100.64.0.0/10
.You will need to provide remote endpoints on your side and include all of your SIMs.
Setting up IPSec Connection on your SIMs.
Here are the four steps required to set up your SIMs so that they can use an IPSec connection.
1. Get local configured for your organization
You will need to make a GET call to obtain the local endpoints from Onomondo:
curl -XGET 'https://api.onomondo.com/ipsec' \
-H 'authorization: <api-key>' \
-H 'content-type: application/json'
You should receive a response that looks like:
{
"local_endpoints": [
{
"id": "bf7fa8a9-48b3-4535-92f7-367167d0b73b",
"region": "aws-eu-central-1",
"ip": "3.66.70.29",
"fqdn": "endpoint01.eu-central-1.aws.ipsec.onomondo.com"
},
{
"id": "4e319a05-4ad7-4fa4-b720-1b8c8b33e004",
"region": "aws-eu-central-1",
"ip": "35.158.204.65",
"fqdn": "endpoint02.eu-central-1.aws.ipsec.onomondo.com"
}
],
"remote_endpoints": []
}
2. Create remote endpoints
Each remote endpoint you set will create a tunnel between Onomondo (local_endpoint) and your IPSec endpoint.
There are two local endpoints on Onomondo's side for redundancy. You will need to create two remote endpoints on your side to utilize both. One for each of the local endpoints.
If only one endpoint is used and that endpoint goes offline (fx. for maintenance), the data will not reach your point.
You can either point each endpoint to a single endpoint at your end or two separate endpoints.
Currently each local endpoint can only be used in one remote connection.
Each API call will create a remote connection. You will need to send 2 API calls, each with the different local endpoint ID:
curl -XPOST 'https://api.onomondo.com/ipsec' \
-H 'authorization: <api-key>' \
-H 'content-type: application/json' \
-d '{
"local_endpoint_id": "<local endpoint id>",
"psk": "<Pre-Shared-Key>",
"endpoint": "<customer IPSec endpoint, IP or FQDN>",
"proposals": "<proposal>",
"use_ip": <true if you ID by IP, false if you ID by FQDN>
}'
What can you use in the proposals field?
For valid proposal values, see IKEv2 Cipher Suites > Encryption Algorithms.
Proposals will need to be in the following format: <Encryption Algorithm>-<Integrity Algorithm>-<Diffie Hellman Group> (e.g. aes256-sha256-modp2048
).
What are valid values in the endpoint field?
This is your IPSec endpoint and can be either of the following:
An IP
A Fully Qualified Domain Name (FQDN)
If you are using FQDN you will need to set the use_ip field to false otherwise set it to true.
For each remote endpoint you create you will get a response with the unique ID of that remote_endpoint as well as the information you used to create the connection.
It will look something like this:
{
"id": "<id of remote endpoint>",
"ipsec_local_endpoint_id": "<local endpoint id>",
"psk": "<Pre-Shared-Key>",
"organization_id": 21441,
"endpoint": "<customer IPSec endpoint, IP or FQDN>",
"proposals": "<proposal>",
"use_ip": <use_ip_boolean>
}
You will use these one/two IDs in the next step when you create a IPSec Connector.
3. Create the IPSec Connector
Use the following API request to create the IPSec using the 1 or 2 remote endpoints you have already created:
curl -XPOST 'https://api.onomondo.com/connectors' \
-H 'authorization: <api-key>' \
-H 'content-type: application/json' \
-d '{
"name": "<connector name>",
"tags": [],
"passthrough": [],
"type": "ipsec",
"options": {
"remote_endpoints": [
"<remote_endpoint_id1>",
"<remote_endpoint_id2>"
]
}}'
You will get a response that includes all fields submitted in the POST request and would look like:
{
"name": "<connector name>",
"tags": [],
"passthrough": [],
"type": "ipsec",
"options": {
"remote_endpoints": [
"<remote_endpoint_id1>",
"<remote_endpoint_id2>"
]
}
}
4. Add the Connector to SIMs
Once this Connector is created you can start adding the Connector to SIMs that you want to utilize this IPSec connection. This can be done on the Platform by editing individual SIMs.
You can also use the API to create a loop for individual SIM or bulk SIM updates through the API.
Once the Connector is attached to the SIM, any new data sessions will be redirected to your IPSec endpoint.