
IPsec Site-to-Site VPN Setup Guide

TestMu AI supports connectivity via IPsec Site-to-Site VPN (S2S VPN) for clients who need to test web applications hosted on internal/private networks that are not publicly accessible. This allows TestMu AI cloud infrastructure to reach your privately hosted test environments directly over an encrypted, authenticated tunnel — just as if both networks are on the same LAN.

Executive Summary

An IPsec Site-to-Site VPN creates a permanent, encrypted tunnel between your network gateway and TestMu AI cloud, enabling secure access to internal staging environments, development servers, and private applications without exposing them to the public internet.

What is IPsec Site-to-Site VPN?

An IPsec Site-to-Site (S2S) VPN creates a permanent, encrypted tunnel between two network gateways, allowing devices on both networks to communicate securely as if they were on the same Local Area Network (LAN).

Key Concepts

  • Gateway-to-Gateway: Unlike remote access VPNs (user-to-device), S2S VPN connects entire networks. It does not require software installation on individual test machines.
  • Persistence: The tunnel is "always on," automatically re-establishing connection if interrupted.
  • Technology: It uses the IPsec suite: IKEv2 to authenticate the two gateways and negotiate keys, and ESP in Tunnel Mode to encapsulate, encrypt and integrity-protect the traffic.
  • Use Case: It enables TestMu AI cloud nodes to access private URLs (e.g., http://192.168.10.5/myapp or http://internal.company.com) that are not accessible via the public internet.

Network Architecture

The diagram below illustrates the secure connection between your internal network and TestMu AI's cloud infrastructure.

S2S VPN Network Architecture

Traffic Flow Steps

  1. TestMu AI test node initiates HTTP request to internal URL (e.g., http://10.10.1.50).
  2. Traffic is routed to TestMu AI VPN Gateway based on routing table.
  3. VPN Gateway wraps the packet in a new outer IP header and an ESP header (Tunnel Mode); the original packet, including its internal source and destination addresses, is encrypted and integrity-protected.
  4. Encrypted packet traverses the public internet to the Client's public IP (UDP-encapsulated on port 4500 if a NAT is on the path).
  5. Client's VPN Gateway verifies the ESP integrity check, decrypts the packet and strips the outer header (ESP decapsulation).
  6. Request is forwarded to the internal web server.
  7. Response follows the reverse path back to the test node.

IPsec Protocol Suite

IPsec Overview

IPsec (RFC 4301) secures IP communications. For S2S VPNs, we use Tunnel Mode, which encapsulates the entire original IP packet within a new IP packet, protecting both the payload and the original header.

IKEv2 (RFC 7296)

Internet Key Exchange Version 2 negotiates the cryptographic parameters, authenticates the two gateways and derives the keys that ESP uses. A tunnel comes up in two exchanges; many vendor interfaces still label them "Phase 1" and "Phase 2", which is IKEv1 terminology:

  • IKE_SA_INIT ("Phase 1"): Negotiates the IKE SA proposal (encryption, PRF, integrity, DH group), exchanges Diffie-Hellman values and nonces, and detects NAT on the path. Nothing in this exchange is encrypted.
  • IKE_AUTH ("Phase 2"): Authenticates the peers (pre-shared key or certificates) and establishes the first Child SA, i.e. the ESP SA and its traffic selectors. This exchange is encrypted under the IKE SA.
  • CREATE_CHILD_SA and INFORMATIONAL: Later exchanges that add Child SAs or rekey existing ones, and that carry Dead Peer Detection and delete notifications.
  • Ports: UDP 500 (initial exchange), UDP 4500 (NAT Traversal; once NAT is detected, all further IKE and ESP traffic moves to 4500).

ESP (RFC 4303)

Encapsulating Security Payload provides confidentiality (encryption), integrity, data-origin authentication and anti-replay protection. It is IP protocol 50 and has no port numbers, which is what makes NAT traversal necessary.

NAT Traversal (NAT-T)

Because ESP has no port numbers, a NAT device that rewrites ports (port address translation, the usual case for an office or cloud edge) cannot track or multiplex ESP flows, so plain ESP does not survive NAT. RFC 3948 solves this by encapsulating ESP packets inside UDP on port 4500. During IKE_SA_INIT each side sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications (hashes of the addresses and ports it sees); if the hashes do not match what arrived, a NAT is on the path and UDP encapsulation is switched on automatically. While the tunnel is idle, a one-byte NAT keepalive is sent periodically so the NAT mapping does not expire.
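The three kinds of datagram that share UDP port 4500 are told apart by their first bytes, and the unencrypted IKE_SA_INIT exchange is the only part of the negotiation you can read from a capture on the outside interface. The following is an added example for this guide, not TestMu AI code: it classifies a UDP/4500 payload as IKE, UDP-encapsulated ESP or NAT keepalive and decodes the IKEv2 header and the unencrypted payload chain, stopping at the SK (encrypted) payload. The sample packets are constructed by hand; SPIs, nonces and the NAT-detection hashes are placeholders.

```python
"""Classify UDP/4500 payloads (RFC 3948) and decode IKEv2 headers (RFC 7296).

Added example for this guide, not TestMu AI code. Sample packets are constructed;
SPIs, nonces and NAT-detection hashes are placeholders, not real values.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 §2.2: IKE on port 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 §2.3: one-byte keepalive that holds the NAT mapping

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
                 40: "NONCE", 41: "NOTIFY", 42: "DELETE", 43: "VENDOR", 44: "TSi", 45: "TSr",
                 46: "SK", 47: "CP", 48: "EAP"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
                38: "TS_UNACCEPTABLE", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # RFC 7296 §3.1 flag bits


def parse_ike_header(msg):
    """Decode the fixed 28-byte IKEv2 header (RFC 7296 §3.1)."""
    if len(msg) < 28:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, first, version, xchg, flags, msg_id, length = struct.unpack("!QQBBBBII", msg[:28])
    if version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if length != len(msg):
        raise ValueError("IKE length field %d != %d bytes on the wire" % (length, len(msg)))
    return {"spi_i": spi_i, "spi_r": spi_r, "first_payload": first,
            "exchange": EXCHANGE_TYPES.get(xchg, "UNKNOWN(%d)" % xchg),
            "response": bool(flags & FLAG_RESPONSE),
            "from_initiator": bool(flags & FLAG_INITIATOR), "msg_id": msg_id}


def walk_payloads(msg, first):
    """Follow the next-payload chain; stops at SK because everything after it is ciphertext."""
    names, notifies, off, cur = [], [], 28, first
    while cur != 0:
        if off + 4 > len(msg):
            raise ValueError("payload header runs past end of message")
        nxt, _critical, plen = struct.unpack("!BBH", msg[off:off + 4])   # generic header, §3.2
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = msg[off + 4:off + plen]
        names.append(PAYLOAD_TYPES.get(cur, "UNKNOWN(%d)" % cur))
        if cur == 41 and len(body) >= 4:   # Notify: protocol ID, SPI size, notify type (§3.10)
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            notifies.append(NOTIFY_TYPES.get(ntype, "NOTIFY(%d)" % ntype))
        if cur == 46:
            break
        cur, off = nxt, off + plen
    return names, notifies


def classify_udp4500(payload):
    """Tell IKE, UDP-encapsulated ESP and NAT keepalives apart on port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        msg = payload[4:]
        info = parse_ike_header(msg)
        info["payloads"], info["notifies"] = walk_payloads(msg, info["first_payload"])
        info["kind"] = "ike"
        return info
    if len(payload) < 8:
        raise ValueError("too short for ESP")
    spi, seq = struct.unpack("!II", payload[:8])   # ESP header (RFC 4303 §2); SPI 0 is reserved
    return {"kind": "esp", "spi": spi, "seq": seq}


def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_sample_ike_sa_init():
    """Constructed IKE_SA_INIT request: Nonce plus the two NAT-detection notifies (SA/KE omitted)."""
    nonce = b"\x11" * 32
    nat_src = struct.pack("!BBH", 0, 0, 16388) + b"\x00" * 20   # placeholder for the SHA-1 hash
    nat_dst = struct.pack("!BBH", 0, 0, 16389) + b"\x00" * 20
    body = _payload(41, nonce) + _payload(41, nat_src) + _payload(0, nat_dst)
    hdr = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 40, 0x20, 34, FLAG_INITIATOR, 0, 28 + len(body))
    return NON_ESP_MARKER + hdr + body


SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\xAB" * 40   # constructed: SPI, sequence, ciphertext

if __name__ == "__main__":
    for pkt in (NAT_KEEPALIVE, build_sample_ike_sa_init(), SAMPLE_ESP):
        print(classify_udp4500(pkt))
```

Feed it the UDP payloads from a capture of the outside interface (for example, the bytes after the UDP header from tcpdump -X on port 4500). A request with msg_id 0 that is retransmitted with no response is a reachability problem; an IKE_SA_INIT response that carries NO_PROPOSAL_CHOSEN is a crypto mismatch; anything after the SK payload, including AUTHENTICATION_FAILED and TS_UNACCEPTABLE, is only visible in the gateway's own logs.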

Recommended Cryptographic Parameters

Parameter                         Recommended Value                      Notes
IKE Version                       IKEv2                                  IKEv1 is deprecated
Encryption (IKE SA, Phase 1)      AES-256-GCM or AES-256-CBC             NIST SP 800-77r1 approved
Encryption (Child SA, Phase 2)    AES-256-GCM                            Preferred AEAD cipher
Integrity (IKE SA, Phase 1)       HMAC-SHA-384                           Required with AES-CBC; SHA-1 is deprecated
Diffie-Hellman Group              Group 14 (Min) / Group 20 (Preferred)  Groups < 14 are insecure
PFS                               Enabled                                Perfect Forward Secrecy
SA Lifetime (IKE SA, Phase 1)     28800 seconds (8 hours)                Standard enterprise setting
SA Lifetime (Child SA, Phase 2)   3600 seconds (1 hour)                  Renegotiate frequently
DPD                               Enabled                                Dead Peer Detection

Three details that commonly cause a proposal mismatch: with AES-GCM no separate integrity algorithm is negotiated (the AEAD tag provides integrity), but the IKE SA still needs a pseudo-random function, so configure PRF-HMAC-SHA-384 next to it. PFS means a fresh Diffie-Hellman exchange on every Child SA rekey, so the DH group must be set in the Child SA (Phase 2) proposal as well, not only in the IKE SA proposal. And IKEv2 does not negotiate SA lifetimes; each gateway rekeys on its own timer, so the values above must be configured on both sides, but a small difference will not stop the tunnel from coming up.
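Before the change window, it is worth checking the parameters each side intends to configure against the table rather than discovering a mismatch from a NO_PROPOSAL_CHOSEN notify. The following is an added example for this guide, not TestMu AI or any vendor's code: it parses proposals written in strongSwan's compact notation (chosen only because it is easy to parse; map your vendor's settings into it) and reports every deviation from the table, including the AEAD-without-PRF and missing-PFS cases. The weak and strong configurations at the bottom are constructed.

```python
"""Pre-flight check of IKE and ESP proposals against the recommended parameters.

Added example for this guide, not TestMu AI or any vendor's code. Proposal strings
use strongSwan's notation ("aes256gcm16-prfsha384-ecp384") purely for compactness.
"""
import re

DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}
ENC_RE = re.compile(r"^(aes\d{3}|3des|des|null|camellia\d{3}|chacha20poly1305)(gcm\d*|ccm\d*)?$")
INTEG_RE = re.compile(r"^(md5|sha1|sha256|sha384|sha512)(_\d+)?$")
MIN_DH, PREFERRED_DH = 14, 20                        # table: Group 14 minimum, Group 20 preferred
MAX_IKE_LIFETIME, MAX_CHILD_LIFETIME = 28800, 3600   # table: 8 h for the IKE SA, 1 h for Child SAs


def parse_proposal(proposal):
    """Split 'enc-integ-prf-dh' tokens into roles; unknown tokens are kept for reporting."""
    p = {"enc": None, "integ": None, "prf": None, "dh": None, "unknown": []}
    for tok in proposal.lower().split("-"):
        if tok in DH_GROUPS:
            p["dh"] = tok
        elif tok.startswith("prf"):
            p["prf"] = tok[3:]
        elif ENC_RE.match(tok):
            p["enc"] = tok
        elif INTEG_RE.match(tok):
            p["integ"] = tok
        else:
            p["unknown"].append(tok)
    return p


def check_proposal(kind, proposal):
    """kind is 'ike' or 'esp'. Returns a list of (severity, message); empty means compliant."""
    p = parse_proposal(proposal)
    enc, integ, dh = p["enc"], p["integ"], p["dh"]
    aead = enc is not None and (enc == "chacha20poly1305" or "gcm" in enc or "ccm" in enc)
    out = [("WARN", "unrecognised token %r in %r" % (t, proposal)) for t in p["unknown"]]
    if enc is None:
        out.append(("ERROR", "no encryption algorithm in %r" % proposal))
    elif enc == "aes256gcm16" or (kind == "ike" and enc == "aes256"):
        pass                                         # AES-256-GCM, or AES-256-CBC for the IKE SA
    elif enc == "aes256":
        out.append(("INFO", "ESP uses AES-256-CBC; AES-256-GCM is the preferred AEAD cipher"))
    else:
        out.append(("ERROR", "encryption %r is not AES-256-GCM or AES-256-CBC" % enc))
    if integ and integ.split("_")[0] in ("md5", "sha1"):
        out.append(("ERROR", "integrity %r is deprecated; use HMAC-SHA-384" % integ))
    if aead and integ:
        out.append(("WARN", "integrity %r is redundant with AEAD cipher %r; some peers reject it" % (integ, enc)))
    if enc and not aead and integ is None:
        out.append(("ERROR", "non-AEAD cipher %r needs an integrity algorithm (HMAC-SHA-384)" % enc))
    if kind == "ike" and aead and p["prf"] is None:
        out.append(("ERROR", "IKE SA with an AEAD cipher still needs a PRF (e.g. prfsha384)"))
    if dh is None:
        out.append(("ERROR", "IKE SA has no DH group" if kind == "ike"
                    else "Child SA has no DH group: PFS is disabled"))
    elif DH_GROUPS[dh] < MIN_DH:
        out.append(("ERROR", "DH group %r (group %d) is below the group 14 minimum" % (dh, DH_GROUPS[dh])))
    elif DH_GROUPS[dh] != PREFERRED_DH:
        out.append(("INFO", "DH group %r accepted; group 20 (ecp384) is preferred" % dh))
    return out


def check_config(cfg):
    """cfg keys: ike_version, ike_proposals, esp_proposals, ike_lifetime, child_lifetime, dpd."""
    out = []
    if cfg.get("ike_version") != 2:
        out.append(("ERROR", "IKE version %r: IKEv1 is deprecated, use IKEv2" % cfg.get("ike_version")))
    if cfg.get("ike_lifetime", 0) > MAX_IKE_LIFETIME:
        out.append(("WARN", "IKE SA lifetime %ds exceeds 28800s" % cfg["ike_lifetime"]))
    if cfg.get("child_lifetime", 0) > MAX_CHILD_LIFETIME:
        out.append(("WARN", "Child SA lifetime %ds exceeds 3600s" % cfg["child_lifetime"]))
    if not cfg.get("dpd"):
        out.append(("WARN", "Dead Peer Detection is disabled"))
    for kind in ("ike", "esp"):
        for prop in cfg.get(kind + "_proposals", []):
            out += [(sev, "%s %r: %s" % (kind, prop, msg)) for sev, msg in check_proposal(kind, prop)]
    return out


# Constructed configurations: WEAK is what a legacy IKEv1 tunnel often looks like.
WEAK = {"ike_version": 1, "ike_proposals": ["3des-sha1-modp1024"], "esp_proposals": ["aes128-sha1"],
        "ike_lifetime": 86400, "child_lifetime": 28800, "dpd": False}
STRONG = {"ike_version": 2, "ike_proposals": ["aes256gcm16-prfsha384-ecp384", "aes256-sha384-ecp384"],
          "esp_proposals": ["aes256gcm16-ecp384"], "ike_lifetime": 28800, "child_lifetime": 3600, "dpd": True}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, "->", check_config(cfg) or "compliant")
```

The second IKE proposal in STRONG (AES-256-CBC with HMAC-SHA-384) is the fallback for a peer that cannot do GCM for the IKE SA; list it after the GCM proposal so the stronger one is chosen when both sides support it.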

Firewall / Port Requirements

The first three rows must be permitted on your external firewall between your gateway's public IP and the TestMu AI gateway IP. The last row is the traffic carried inside the tunnel: it applies to any internal firewall or ACL between the tunnel endpoint and your application servers, and flows from the TestMu AI test nodes toward your internal servers, as in the traffic flow above.

Protocol      Port      Direction              Purpose
UDP           500       Bidirectional          IKEv2 negotiation (IKE_SA_INIT)
UDP           4500      Bidirectional          NAT-Traversal: IKE and UDP-encapsulated ESP
IP Proto 50   N/A       Bidirectional          ESP (only when neither gateway is behind NAT)
TCP           80, 443   TestMu AI → Client     Test traffic (HTTP/HTTPS) inside the tunnel, from the TestMu AI subnet to your internal web servers

If your edge device performs NAT for the gateway itself, the IP protocol 50 rule is unnecessary and UDP 4500 must be open in both directions; a stateful firewall that only allows outbound-initiated UDP will break tunnel setup initiated from the TestMu AI side.

S2S VPN vs. SSH Tunnel Comparison

Feature            S2S IPsec VPN                        TestMu AI SSH Tunnel
Connectivity       Gateway-to-Gateway (Permanent)       Client-Initiated (Session-based)
Client Software    None (Router Config)                 Requires LT Binary/App
Scope              Entire Network/Subnets               Local Machine only
Best For           Enterprise / Permanent Staging       Ad-hoc / Dev Testing

Client Coordination

Network Team Involvement Mandatory

Setting up an IPsec Site-to-Site VPN is NOT a self-service process. It requires configuration on your organization's edge firewalls/routers.

Required Actions by Client Team

  1. Gateway Configuration: Configure your on-premise device (Cisco, Fortinet, Palo Alto, etc.) with the provided parameters: peer IP, pre-shared key, IKE identities, proposals, lifetimes and traffic selectors.
  2. Firewall Rules: Permit UDP 500 and 4500 (and IP protocol 50 if no NAT is involved) in both directions between your gateway's public IP and the TestMu AI gateway IP.
  3. Routing: Add static routes (or bind the tunnel interface, on a route-based VPN) so that traffic for the TestMu AI subnets enters the tunnel; on a policy-based VPN, make sure the traffic selectors cover exactly the subnets agreed with TestMu AI, or the Child SA will be rejected with TS_UNACCEPTABLE.
  4. Security Approval: Obtain internal change management approval.

Timeline: Typical setup takes 3–10 business days depending on internal client approvals.

S2S VPN Requirement Gathering

Please provide the following details to your Network Team and share with TestMu AI support to initiate the setup process.

S2S VPN Requirement Form

Contact TestMu AI support at [email protected] with the above details to initiate the VPN setup process. Our Network Engineering team will review and contact you within 2 business days.

Implementation Checklist

S2S VPN Implementation Checklist

Troubleshooting

Issue                      Possible Cause                    Resolution
Tunnel not establishing    Firewall blocking UDP 500/4500    Ensure UDP 500 and 4500 are open bidirectionally; confirm with a packet capture on the outside interface
IKE Auth Failed            PSK mismatch                      Verify the Pre-Shared Key matches exactly, and that each side's IKE identity (local/remote ID) is what the peer expects
TS_UNACCEPTABLE            Subnet mismatch                   Verify Traffic Selectors (subnets) match on both sides
Tunnel Up, No Traffic      Missing Route                     Add route for TestMu AI subnet via tunnel interface; check that no internal firewall drops the decapsulated traffic
Drops Frequently           NAT Timeout                       Enable NAT-T keepalives; check DPD

Start with the gateway's IKE log rather than a packet capture: after IKE_SA_INIT everything is encrypted, so an authentication failure or traffic selector mismatch is only visible in the log of the gateway that rejected the exchange.
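The rows above are the patterns a gateway's IKE log shows for each failure, and most of them can be matched mechanically. The following is an added example for this guide, not TestMu AI code: it reads constructed log lines written to resemble strongSwan's charon output, maps them to the issues in the table, and applies two stateful checks that a single-line match cannot express: an IKE_SA_INIT request (message ID 0) retransmitted three times with no reply is treated as a reachability problem, and a Child SA that is re-established three times within fifteen minutes is treated as a flapping tunnel. The timestamps, connection names and SPIs in the sample are made up; the message wording, thresholds and window are assumptions to adapt to your own gateway.

```python
"""Map IKE daemon log lines to the troubleshooting table above.

Added example for this guide, not TestMu AI code. SAMPLE_LOG is constructed to
resemble strongSwan charon output; other gateways word these events differently.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# syslog-style: "Mon DD HH:MM:SS host charon: NN[IKE] <conn|N> message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] "
                     r"<(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$")

# Stateless rules: (regex on the message, issue from the table, resolution).
RULES = [
    (r"received TS_UNACCEPTABLE notify", "TS_UNACCEPTABLE",
     "Verify Traffic Selectors (subnets) match on both sides"),
    (r"received AUTHENTICATION_FAILED notify|no shared key found", "IKE Auth Failed",
     "Verify the Pre-Shared Key and IKE identities match exactly"),
]
INIT_RETRANSMITS = 3                                   # assumed threshold for "no reply to IKE_SA_INIT"
FLAP_WINDOW, FLAP_COUNT = timedelta(minutes=15), 3     # assumed definition of "drops frequently"


def parse_line(line):
    """Return (timestamp, connection, message) or None for lines that are not IKE events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # year-less syslog timestamp
    return ts, m.group("conn"), m.group("msg")


def triage(lines):
    """Return {connection: [(issue, resolution), ...]}, each issue reported once per connection."""
    findings = defaultdict(list)
    init_retries = defaultdict(int)      # IKE_SA_INIT retransmits seen per connection
    established = defaultdict(list)      # Child SA establishment times per connection

    def add(conn, issue, fix):
        if (issue, fix) not in findings[conn]:
            findings[conn].append((issue, fix))

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, msg = parsed
        for pattern, issue, fix in RULES:
            if re.search(pattern, msg):
                add(conn, issue, fix)
        if re.search(r"retransmit \d+ of request with message ID 0", msg):
            init_retries[conn] += 1
            if init_retries[conn] >= INIT_RETRANSMITS:
                add(conn, "Tunnel not establishing",
                    "No reply to IKE_SA_INIT: ensure UDP 500 and 4500 are open bidirectionally")
        if re.search(r"CHILD_SA .* established", msg):
            established[conn].append(ts)
            if len([t for t in established[conn] if ts - t <= FLAP_WINDOW]) >= FLAP_COUNT:
                add(conn, "Drops Frequently", "Enable NAT-T keepalives; check DPD and the NAT idle timeout")
    return findings


# Constructed sample log: one connection that never gets a reply, then hits a selector
# mismatch, then flaps; and a second connection with a PSK problem.
SAMPLE_LOG = """\
Jan 12 09:00:01 gw charon: 05[IKE] <testmu|1> initiating IKE_SA testmu[1] to 198.51.100.20
Jan 12 09:00:05 gw charon: 06[IKE] <testmu|1> retransmit 1 of request with message ID 0
Jan 12 09:00:12 gw charon: 07[IKE] <testmu|1> retransmit 2 of request with message ID 0
Jan 12 09:00:25 gw charon: 08[IKE] <testmu|1> retransmit 3 of request with message ID 0
Jan 12 09:30:00 gw charon: 09[IKE] <testmu|2> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jan 12 10:00:00 gw charon: 10[IKE] <testmu|3> CHILD_SA testmu-net{1} established with SPIs c0ffee01_i 0badf00d_o
Jan 12 10:04:00 gw charon: 11[IKE] <testmu|4> CHILD_SA testmu-net{2} established with SPIs c0ffee02_i 0badf00e_o
Jan 12 10:09:00 gw charon: 12[IKE] <testmu|5> CHILD_SA testmu-net{3} established with SPIs c0ffee03_i 0badf00f_o
Jan 12 11:00:00 gw charon: 13[IKE] <lab|6> received AUTHENTICATION_FAILED notify error
""".splitlines()

if __name__ == "__main__":
    for conn, issues in triage(SAMPLE_LOG).items():
        for issue, fix in issues:
            print("%-8s %-25s %s" % (conn, issue, fix))
```

Note the case the log cannot show: "Tunnel Up, No Traffic" produces no IKE event at all, so if triage returns nothing for a connection that is reported as established, go straight to the routing table and the internal firewall counters.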

References & Standards

  • RFC 4301: Security Architecture for the Internet Protocol (IPsec)
  • RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)
  • NIST SP 800-77 Rev. 1: Guide to IPsec VPNs
  • FIPS 140-3: Security Requirements for Cryptographic Modules

For VPN setup assistance, contact: [email protected]
