IPsec shares
IPsec tunnels and shares are available on Frontdoor V2 to customers who have IPsec shares enabled. Contact your account manager to request access.
IPsec shares let a remote site reach your private services over a standard site-to-site IPsec tunnel — without installing any NetFoundry software at that site. The remote site's existing firewall, router, or VPN appliance peers with a NetFoundry-managed VPN endpoint, and traffic is routed through the tunnel to a private target service that a hosting agent can reach.
This is ideal when data flows from a remote customer site into your environment and the site can't run an agent but already terminates IPsec.
IPsec tunnels and IPsec shares
IPsec connectivity uses two objects. You create the tunnel first, then create one or more shares on it.
- IPsec tunnel: The VPN ingress point. NetFoundry provisions a managed VPN endpoint that peers with the remote site's IPsec device. A tunnel is defined by the site's public IP and the CIDR behind it.
- IPsec share: A service published on a tunnel. Each share maps an ingress port on the tunnel's load balancer to a private target that a hosting agent can reach, much like a TCP share but reached over the IPsec tunnel instead of a public port.
How it works
The remote site connects to the VPN endpoint over IPsec. Traffic for a share's ingress port is routed through the tunnel to Frontdoor, which proxies it to the share's target through the hosting agent. No inbound ports are opened on your network, and the remote site needs no NetFoundry software.
Key concepts
- Peer public IP: The internet-facing IPv4 address of the remote site's IPsec device, used to establish the tunnel.
- Peer CIDR: The private network range behind the remote device that should be reachable through the tunnel (for example, 172.31.0.0/16). Traffic destined for this range is routed through the IPsec connection.
- Ingress port: The port on the tunnel's load balancer that the share listens on. Each share on a tunnel uses a distinct port.
- Target: The private host:port the hosting agent connects to for this share.
- Sample config: Once a tunnel is deployed, you can download a generated VPN configuration that includes the NetFoundry endpoint address, pre-shared key, and supported encryption settings to configure the remote IPsec device. Because the file contains the pre-shared key, handle it as a secret.
Provisioning
Creating a tunnel provisions cloud infrastructure asynchronously, so it isn't ready immediately. It moves through a pending state and reaches Deployed once the infrastructure is up, which can take roughly 10–20 minutes. Wait for Deployed before downloading the sample config or creating shares on the tunnel.
A tunnel can't be deleted while any IPsec share still references it. Delete the shares first, then the tunnel.
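The following is an added example, not NetFoundry code or its API: a local model of the tunnel and share objects described in "Key concepts", with the validation an operator would want before creating them (public IPv4 peer, private peer CIDR with no host bits set, distinct ingress ports, well-formed host:port target) and the lifecycle rules from "Provisioning" (wait for Deployed before adding shares, delete shares before the tunnel). The class, function and helper names, the 1.2.3.4 placeholder peer address, and the simulated controller states are all hypothetical.

```python
"""
Added example (not NetFoundry's code or API): a model of the IPsec
tunnel / share objects and their lifecycle. All names and values are
hypothetical; the controller is simulated by injected callables.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpsecTunnel:
    name: str
    peer_public_ip: str          # internet-facing IPv4 of the remote IPsec device
    peer_cidr: str               # private range behind that device
    state: str = "pending"       # provisioning is asynchronous
    shares: dict = field(default_factory=dict)  # ingress_port -> (host, port)

    def __post_init__(self):
        ip = ipaddress.ip_address(self.peer_public_ip)
        if ip.version != 4 or not ip.is_global:
            # RFC 1918, loopback, link-local and documentation ranges
            # cannot be the public side of a site-to-site peer
            raise ValueError(f"{self.peer_public_ip} is not a public IPv4 address")
        # strict=True rejects host bits set, e.g. 172.31.0.5/16
        net = ipaddress.ip_network(self.peer_cidr, strict=True)
        if net.version != 4 or not net.is_private:
            raise ValueError(f"{self.peer_cidr} is not a private IPv4 range")

    def add_share(self, ingress_port: int, target: str) -> None:
        """Publish target (host:port reachable by the hosting agent) on ingress_port."""
        if self.state != "Deployed":
            raise RuntimeError(f"tunnel {self.name} is {self.state}; wait for Deployed")
        if not 1 <= ingress_port <= 65535:
            raise ValueError(f"ingress port {ingress_port} out of range")
        if ingress_port in self.shares:
            # each share needs a distinct port on the tunnel's load balancer
            raise ValueError(f"ingress port {ingress_port} already used on {self.name}")
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"target must be host:port, got {target!r}")
        self.shares[ingress_port] = (host, int(port))

    def remove_share(self, ingress_port: int) -> None:
        del self.shares[ingress_port]

    def delete(self) -> None:
        if self.shares:
            raise RuntimeError(f"tunnel {self.name} still has shares on ports "
                               f"{sorted(self.shares)}; delete them first")
        self.state = "deleted"


def tunnel_error(peer_public_ip: str, peer_cidr: str):
    """Return the validation error for a tunnel definition, or None if it is valid."""
    try:
        IpsecTunnel("check", peer_public_ip, peer_cidr)
    except ValueError as e:
        return str(e)
    return None


def wait_for_deployed(get_state, sleep, timeout_s=25 * 60, interval_s=30) -> bool:
    """Poll get_state() until it reports Deployed or timeout_s elapses.

    get_state and sleep are injected so this runs without a real controller.
    Provisioning normally takes roughly 10-20 minutes, hence the 25-minute default.
    """
    waited = 0
    while True:
        if get_state() == "Deployed":
            return True
        if waited >= timeout_s:
            return False
        sleep(interval_s)
        waited += interval_s


def demo() -> IpsecTunnel:
    """Walk the lifecycle against a simulated controller (constructed states)."""
    t = IpsecTunnel("site-a", "1.2.3.4", "172.31.0.0/16")  # placeholder public peer

    states = iter(["pending", "pending", "Deployed"])   # simulated poll results
    assert wait_for_deployed(lambda: next(states), sleep=lambda _s: None)
    t.state = "Deployed"

    t.add_share(8443, "app.internal:443")
    t.add_share(15432, "10.0.20.5:5432")
    try:
        t.add_share(8443, "other.internal:80")   # duplicate ingress port is rejected
    except ValueError:
        pass
    try:
        t.delete()                               # refused while shares reference it
    except RuntimeError:
        pass
    return t


if __name__ == "__main__":
    tunnel = demo()
    print(tunnel.state, tunnel.shares)
```

Removing both shares and then calling delete() succeeds; the order matters because the controller enforces the same dependency.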