Compliant Kubernetes Service documentation has moved

Please note: You are not reading Kubernetes documentation. If you're looking for Compliant Kubernetes Service documentation, it has moved. Read more here.

Legacy Notice

Please note: Datica is replacing legacy Strongswan IPSEC VPNs with OpenVPN TLS VPNs. All new client VPNs use OpenVPN. Older VPNs are being converted as necessary. Please contact Datica with any questions. If you are not using an OpenVPN client, you are still on a legacy VPN.

Recommended Clients

OSX 10.9+ * Native VPN Client

Ubuntu Linux * StrongSwan VPN Client 5.1+

Windows 7 and Windows 8 VPN Client+

VPN Security

Communications between your client computer and the Platform environment over the VPN are encrypted and secure. However, your VPN credentials provide access into this protected environment and should be safeguarded very securely. Please make sure that you are following all applicable information security policies, including what we provide at and

OS X 10.10 and below IKEv1 Native Client Setup

On OS X, the VPN can be created via the Native OS X client. In System Preferences, open Network Connections.

Click the “+” to create a new connection. You will see the screen below pop-up:


Ensure that Interface is set to “VPN” and that VPN Type is “Cisco IPsec”. You can name the VPN whatever you wish.

Click ok after setting those values. You will see the following screen:


Fill in the Server Address, Account Name, and Password fields with the VPN Gateway IP, VPN Account Name, and VPN Account Password credentials provided by Datica.

Finally, click on Authentication Settings. You will see the following window:


Choose the Shared Secret radio button. In that field, place the VPN Pre-Shared Key supplied to you by Datica. Click “Ok”.

Now, click the “Apply” button for the connection and connect by clicking the “Connect” button.


OS X 10.11+ IKEv2 Native Client Setup

Datica will provide a CA cert alongside VPN credentials. Save that file to your Desktop:


Before you create the VPN connection, the CA certificate needs to be imported into the OSX keychain. Use “command + space” key combination to open search and type in “Keychain” to open the OSX keychain. You will see the below screen.


Make sure that you are on the “System” and “Certs” tabs in the window. Unlock the Keychain by clicking the lock icon in the upper left corner.

Once unlocked, drag the CA certificate file into the window. You will be asked for your password again. When done, the certificate will be imported and look like this:


Double click on the certificate and expand the “Trust” tab. Change the top setting to “Always Trust” as show below:


That should remove the red “X” from the certificate.

Now move on to making the VPN. In System Preferences, open Network.

Click the “+” to create a new connection. You will see the screen below pop-up:


After creating the VPN, you need to set the server address and username/password authentication. Add in the Server Address and Remote ID as shown below. Also click the checkbox to “Show VPN status in menu bar”.


Now that you have the server IP entered, click “Authentication Settings”. Enter in the username and password you were provided for the VPN appliance.


Now, test the VPN by clicking “Connect”! Once connected, the VPN should display a timer in the top menu bar in OSX while connected.

Ubuntu strongSwan Client Setup

On Linux, Datica recommends using strongSwan directly as opposed to using the plugins for NetworkManager or other VPN clients. Those clients often do not properly configure the connection properly. This connection setup was tested on Ubuntu 14.04.

strongSwan Installation

Most Linux distributions provide strongSwan in their package repositories. Execute the following commands to install strongSwan plus other dependencies.

sudo apt-get install strongswan strongswan-plugin-unity strongswan-plugin-xauth-generic

strongSwan Client Connection

There are two pieces of configuration necessary for strongSwan on Ubuntu to function - the connection configuration and the connection secrets.

To create a connection, execute the following command in a terminal window:

sudo charon-cmd --ike-proposal aes256-sha1-modp1536 --esp-proposal aes256-sha1 --profile ikev1-xauth-psk --host ${VPN_GATEWAY_IP} --identity ${YOUR_VPN_IDENTITY}

You will then be prompted for your Pre-Shared Key and User Password.

Datica will provide each VPN user with the VPN Gateway IP, VPN Account Name, VPN Account Password, and VPN Pre-Shared Key.

Example Connection Command

sudo charon-cmd --ike-proposal aes256-sha1-modp1536 --esp-proposal aes256-sha1 --profile ikev1-xauth-psk --host --identity

Windows 7 strongSwan Client Setup

On Windows, the process for VPN connection is slightly different than for OSX or Linux. The connection is secured by X.509 certificate signatures and a username/password combination.

Install the Datica CA Certificate as a Windows Trusted Root Certificate

Save the Datica provided CA certificate to your computer.

From the Start Menu, type “mmc” into the search bar to launch the Microsoft Managment Console.


From the launched window, go to File -> Add/Remove Snap-in.


From the pop-up window, choose “Certificates” and click “Add”. Then click “Ok”


Choose “Computer Account” when asked for the type of account.


Click “Next” and then “Finish”.

Finally, click “Ok” and you will be back to the main MMC window.


Expand the “Certificates” tab and then expand the “Trusted Root Certification Authorities” tab.


Right click on the “Certificate” tab under “Trusted Root Certification Authorities” and go to “Actions” and left-click on “Import”


You will now see the Wizard screen.


Click “Next”. In the next window, click “Browse” and select the CA file you saved initially. Click “Next” and then “Finish”. The CA certificate is now imported.

Install the Datica CA Certificate as a Windows Trusted Root Certificate with Powershell

Copy the certificate file to directory on your workstation that is readable by your user account

Open Windows Powershell

The format for the power shell command to import the SSL certificate is

Command Format:

$file = ( Get-ChildItem -Path <path to certificate file> )
$file | Import-Certificate -CertStoreLocation cert:\LocalMachine\Root


$file = ( Get-ChildItem -Path C:\Users\Bob\Desktop\cert.pem )
$file | Import-Certificate -CertStoreLocation cert:\LocalMachine\Root

Configure the new VPN Connection

Configure a new VPN Connection:

Control Panel -> Network and Sharing Center -> Set up a new connection or network Select “Connect to a workplace”

Click Next

Select “Use my Internet connection (VPN)”


Enter the IP address of the VPN server into the Internet address field. Example:

Enter a name for the VPN in the Destination Name field. Example: Datica VPN

Select “Don’t connect just now; just set it up so I can connect later”

Click Next


Enter your VPN username. Example “”

Enter your VPN password

Leave the Domain field empty

Click Create


Click Close

Open the Network and Sharing Center

Select Change adapter settings

Highlight the new Datica VPN connection, right click and select Properties


Click the Security tab

Set Type of VPN to IKEv2

Set Authentication to “Use Extensible Authentication Protocol (EAP)

Select Microsoft: Secured password (EAP-MSCHAP v2)

Click the Networking tab

Highlight Internet Protocol Version 4 (TCP/IPv4)

Click Advanced


Uncheck “Use default gateway on remote network”


Click Ok

Click the Network Icon in the lower right hand of the Windows desktop



Select the Datica VPN

Click Connect

Using the VPN Connection

The VPN connection allows you to connect directly to many of the resources in your environment. Datica will provide you with a service map to use for your environment. If you are attempting to connect a database server, you will need to retrieve the connection credentials from your environment variables.

Example Service Map

  • Postgresql on database-1:
  • Postgresql on database-2:
  • Redis on cache-1:
  • Application on code-1:
  • Application on code-2:

Example Postgres Service Connection

In this example we will use psql to connect to our environment’ database-2 server running Postgresql. This example assumes we have a VPN connection up and running.

Example Service Map: Postgresql on database-2:

First, we use the CLI to retrieve our database credentials:

datica -E my_stage_env_name vars list <service_name>

Next, we look for the database service that we want the credentials for:


The above environment variable provides the user(catalyze), the password(abcdefghijklmnopqrstuvwxyz), and the db name(catalyzeDB). Note that the port is not the same - use the port mapping provided by Datica.

psql -h -p 5433 -U catalyze catalyzeDB

You will be prompted for the catalyze user password.

This drops me onto the database-2 Postgresql shell on the catalyzeDB database. Other database types can be accessed through similar procedures with their respective clients. Other programs such as database visualizers could also be connected.

Example Redis Service Connection

Example Service Map: Redis on cache-1:

Redis does not have authentication credentials within the encrypted environment. You can use the redis-cli to connect to your Redis instances.

redis-cli -h -p 6379

Example Code Service Connection

Example Service Map: Application on code-1 :

This exposes your application container without going through the environment’s service proxy.

Below is a simple example that will curl the port that the web server is on.