This article discusses creating, accessing, and viewing networks for cloud virtualization in the new Recovery Launchpad.
The Datto Partner Portal lets you create a virtual private network (VPN) for use in a disaster recovery. You do not need to have a cloud virtualization mounted to set up a VPN. The two steps can be done separately, and networks can be set up ahead of time if you prefer. For instructions on creating a cloud virtualization to access via your VPN, see Partner Portal: New Recovery Launchpad: Performing a cloud virtualization.
To create a VPN, first access the new Recovery Launchpad environment for your device.
Accessing the new Recovery Launchpad
1. In the Datto Partner Portal, click the Status tab, then select BCDR Status from the drop-down menu.
2. In the section for the device you are virtualizing, click the ellipsis icon on the far right-hand side of the screen, then click Recovery Launchpad from the drop-down menu.
Creating a VPN
1. In the Virtualizations card on the Recovery page, click MANAGE NETWORKS.
2. On the Active Networks card, click ADD NEW NETWORK.
3. In the Add New Network dialog window, enter the Network Name, Network Address (IP scheme), and the Subnet Mask you want to use.
4. Under Network Options, Internet Connection is checked by default. Uncheck this box if you do not need an internet connection; otherwise, enter the Gateway IP that the restored systems will use to reach the internet.
5. Click the Enable DHCP button if you require DHCP assignment of IP addresses to be provided by your cloud network.
- Enter DHCP Pool Start and DHCP End IP addresses if you enabled DHCP.
Site-to-Site Configuration (Early release feature - optional)
The Site-to-Site Configuration allows you to establish a secure connection over the Internet between your locations and the Datto Cloud via IPsec, so that your users can connect to cloud resources from remote offices.
About VPN Tunnels
IPsec VPN negotiations happen in two distinct phases between the devices at each end of the tunnel. These negotiations are required to build the VPN tunnel and consist of a series of messages about encryption and authentication in which the devices try to agree on the required VPN parameters. In Phase 1, the devices set up a secure encrypted channel so that they can negotiate Phase 2, where they agree on an additional set of parameters that define what traffic can go through the VPN and how that traffic should be secured. The Phase 1 and Phase 2 configurations must match on the devices at either end of the tunnel; if they do not, the negotiation fails and the tunnel does not come up.
To use the site to site option, check the box labeled Enable Site-to-site VPN Connection. You'll need to specify the following parameters:
- IPsec Mode (drop-down menu): Select the IKE Mode the client will use to connect (IKEv1 or IKEv2).
- Pre-shared Key: Create a pre-shared key that will be used to communicate securely with the client. Any client you connect will need to communicate by using this key.
- On-Premises ID: Based on your local router, enter the ID for the on-premises device.
- On-Premises IP: The IPv4 address for your router.
- On-Premises Subnets: A comma-separated set of CIDR subnets that will access the connection.
The remaining fields are pre-selected with the recommended default settings. If needed, you have the option to change these IPsec policies and parameters for both Phase 1 and Phase 2. See the Phase 1 and Phase 2 parameters section below for an explanation of the settings. Otherwise, proceed to step 6.
6. After you have reviewed your new network settings, click the CREATE NETWORK button at the bottom right of the dialog window.
You'll now see your network listed under Active Networks on the Manage Networks page. You can only configure one site-to-site VPN tunnel per network, however, you can create multiple site-to-site VPNs using separate networks.
If you want to add Site-to-Site VPN to an existing network, this can be done from the new Recovery Launchpad. Select Manage Networks and choose a network from the list.
In the Site to Site VPN Configuration section, select Add Configuration. This will take you to the configuration screen referenced above.
Phase 1 and Phase 2 parameters (optional)
When creating a site to site VPN, these settings are set to their most common configuration by default. You may need to change these settings based on your particular router/firewall manufacturers' recommendations. If you need to change the settings, the following options are available:
- Encryption Algorithm: Allows you to specify what encryption algorithm is used. The Triple Data Encryption Standard (3DES), AES-128, AES-192, and AES-256 are available.
- Hash Algorithm: Allows you to specify what hash algorithm is used. MD5, SHA1, SHA256, SHA384, and SHA512 are available. AES-XCBC is available exclusively for phase 2.
- DH Group: Allows you to specify what Diffie-Hellman exchange (DH group) is used. The following groups and moduli are available:
  - Regular Groups
    - Group 1: 768 bit
    - Group 2: 1024 bit
    - Group 5: 1536 bit
    - Group 14: 2048 bit
    - Group 15: 3072 bit
    - Group 16: 4096 bit
    - Group 17: 6144 bit
    - Group 18: 8192 bit
  - Prime Order with Prime Subgroups
    - Group 22: 160 bit
    - Group 23: 224 bit
    - Group 24: 256 bit
  - NIST Elliptic Curve Groups
    - Group 25: 192 bit
    - Group 26: 224 bit
    - Group 19: 256 bit
    - Group 20: 384 bit
    - Group 21: 521 bit
  - Brainpool Elliptic Curve Groups
    - Group 27: 224 bit
    - Group 28: 256 bit
    - Group 29: 384 bit
    - Group 30: 512 bit
- Lifetime (seconds): Allows you to specify, in seconds, how often the IPsec tunnel is renegotiated (rekeyed). The default is 86,400 seconds (24 hours).
- Dead Peer Detection: Dead Peer Detection (DPD) is the method to detect the status of a peer in an IPsec connection. You can enter the time in seconds before the connection will be dropped due to an unresponsive peer.
Check your specific router/firewall documentation before changing the default settings.
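Because the Phase 1 and Phase 2 settings above must match what the on-premises router proposes, and the On-Premises Subnets field must be valid CIDR that does not collide with the cloud network, it helps to check both before clicking CREATE NETWORK. The following is an added example of such a pre-flight check, not Datto's code; the sample values, the dictionary layout and the "legacy algorithm" policy (3DES, MD5, SHA1, DH groups below 2048-bit MODP) are this example's own assumptions.

```python
import ipaddress

# Review policy for this example only (assumption, not Datto's): the article offers
# 3DES, MD5, SHA1 and sub-2048-bit DH groups, but they are legacy choices to flag.
WEAK_ENCRYPTION = {"3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5, 22, 23, 24}
PHASE_KEYS = ("encryption", "hash", "dh_group", "lifetime")

def check_phases(cloud, onprem):
    """Compare Phase 1 and Phase 2 proposals from both ends of the tunnel: any
    differing parameter means the tunnel will not come up; legacy picks are noted."""
    findings = []
    for phase in ("phase1", "phase2"):
        for key in PHASE_KEYS:
            a, b = cloud[phase][key], onprem[phase][key]
            if a != b:
                findings.append(f"{phase} {key} mismatch: cloud={a} onprem={b}")
        for side, p in (("cloud", cloud[phase]), ("onprem", onprem[phase])):
            if p["encryption"] in WEAK_ENCRYPTION or p["hash"] in WEAK_HASH:
                findings.append(f"{phase} {side} proposes a legacy algorithm")
            if p["dh_group"] in WEAK_DH_GROUPS:
                findings.append(f"{phase} {side} uses legacy DH group {p['dh_group']}")
    return findings

def check_subnets(network_address, subnet_mask, onprem_subnets):
    """Validate the comma-separated On-Premises Subnets field as CIDR and flag any
    entry overlapping the cloud network, which leaves routing ambiguous."""
    cloud_net = ipaddress.ip_network(f"{network_address}/{subnet_mask}")
    findings = []
    for item in onprem_subnets.split(","):
        item = item.strip()
        try:
            net = ipaddress.ip_network(item)  # strict: host bits must be zero
        except ValueError:
            findings.append(f"invalid CIDR: {item!r}")
            continue
        if net.overlaps(cloud_net):
            findings.append(f"{net} overlaps cloud network {cloud_net}")
    return findings

# Constructed sample: cloud side as entered in Add New Network, and what the
# on-premises router was given (its Phase 2 hash was set to SHA1 by mistake).
CLOUD = {p: {"encryption": "AES-256", "hash": "SHA256", "dh_group": 14, "lifetime": 86400}
         for p in ("phase1", "phase2")}
ONPREM = {"phase1": dict(CLOUD["phase1"]), "phase2": {**CLOUD["phase2"], "hash": "SHA1"}}

if __name__ == "__main__":
    for finding in check_phases(CLOUD, ONPREM) + check_subnets(
            "10.50.0.0", "255.255.255.0", "192.168.10.0/24, 10.50.0.0/16, 172.16.1.5/24"):
        print(finding)
```

Run as a script it prints one line per finding; an empty result for both checks means the two ends agree and the subnets are usable.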
- Site-to-Site configurations are not persisted for reuse outside of a network.
- You can only remove a site-to-site IPsec connection from a network when the network is removed completely.
- The Site to Site VPN feature is not available on SIRIS Private service plans.