Skill Level: Intermediate

This recipe describes a setup and configuration for accessing IBM's private Service Endpoints over an IPSec VPN tunnel established between a VRA (Vyatta) and a strongSwan client. The configuration is applicable to similar setups as well.


Major Building Blocks

  • Configuring particular source NAT rule for traffic forwarded to the private Service Endpoint




The customer's IBM Cloud account needs to be VRF (Virtual Routing and Forwarding) enabled in order to access private Service Endpoints. For accounts being created after January 2019, this option should be enabled by default. To check and optionally enable VRF, follow the instructions described at Enabling your account for using Service Endpoints.

If the account is enabled, a Vyatta gateway appliance provisioned in that account, should be able to access the private Service Endpoint network range - After the site-to-site VPN-Tunnel between the customer and the Vyatta gateway appliance has been established, the customer's peer needs to have the Vyatta set as default route to that network ( This can be fulfilled by different options, e.g. using static routes or BGP. For more information regarding Vyattas and their configuration, please see IBM Cloud VRA Docs.

As soon as the infrastructure is set up, a source NAT rule has to be applied on the Vyatta, due to the following issue: The private Service Endpoints do only have routes to VRF-enabled / included subnets. Since the customer's network is not included in those routes, any requests coming from such a subnet, does not receive an according response. After creating this source NAT rule, the incoming traffic is masqueraded with an IP, where the private Service Endpoints do have a deftault route to. Therefore, the private Service Endpoints are accessible from the customer's network.



  • IBM Cloud Account has been VRF and private Service Enpoint enabled
  • Administrative access to Vyatta gateway
  • A VPN tunnel to a Vyatta gateway appliance in that account has been established
  • Private Endpoint addresses can be resolved by customer
  • The Vyatta is configured as default route to the private Service Enpoints subnet on the peer and all tenants behind it
  • Recommended but not required: Source IP of connections to the private Service Endpoint is known


Team members

René Meyer (Rene.Meyer@de.ibm.com) supported me by creating this setup and recipe.



  1. Check VPN Tunnel status

    After logging into the Vyatta, check if the VPN tunnel is up.



  2. Check if default route to private Service Endpoints is set on Vyatta

    If the IBM Cloud account is VRF enabled, a default route to the private Service Endpoint network ( should be set on the Vyatta, where the next hop is the gateway IP of the Vyatta’s private network interface (dp0bond0).




  3. Optionally: Check source IP of incoming customer traffic to private Service Endpoint

    For creating the NAT rule on the Vyatta, the source IP of traffic flowing to the private Service Endpoint needs to be known. If the source IP / Subnet is not known, a simple check on the Vyatta displays the IP. Therefore, a steady incoming traffic needs to be set up by the customer (e.g. a steady ping to a private Service Endpoint – in this example, private Service Endpoint for Postgres). By monitoring the private interface (dp0bond0), the IP is revealed.


    In the example above, 10.85.XX.27 is the sought source IP.

  4. Create source NAT rule to make private Service Endpoints reachable from customer network

    Since the private Service Endpoints do not have a route to non-VRF enabled / included subnets, requests coming from those networks do not receive an according answer. Therefore, the source IPs need to be masqueraded with the interface IP of the private network interface (dp0bond0). This can be achieved by the following source NAT rule:


    set service nat source rule 10 destination address ‘’
    set service nat source rule 10 outbound-interface ‘dp0bond0’
    set service nat source rule 10 source address ‘10.85.XX.17’
    set service nat source rule 10 translation address ‘masquerade’



    • destination address contains the private Service Endpoint subnet
    • outbound-interface is the private network interface
    • source address is the specific address or subnet from which the incoming connections are being sent (see step 3)
    • translation address is set to masquerade, so that the interface IP of dp0bond0 is used as source (optionally, this address can also be set statically)


    After this rule has been applied, the private Service Endpoints are reachable from the customers network.

Join The Discussion