Purpose
This document provides comprehensive setup instructions for securely connecting to DvSum SaaS services using Site-to-Site VPN (IPSec IKEv2), enabling fully private network access to:
- REST APIs (apis.dvsum.ai)
- WebSocket Services (socket-api.dvsum.ai)
- S3 Storage Service (s3-storage.dvsum.ai)
All traffic travels through an encrypted IPSec tunnel from the customer environment to the DvSum SaaS platform over private networking; none of it traverses the public internet unencrypted or reaches a publicly routable DvSum address.
Architecture Diagram
Key components:
- Customer environment — your network with VPN device/firewall and the DvSum gateway agent
- IPSec tunnel — encrypted site-to-site VPN over the public internet (IKEv2 / AES encryption)
- DvSum SaaS — production platform serving APIs, WebSocket, and S3 storage
Service Architecture Details
DvSum exposes three services over the private connectivity path. All three are accessed over HTTPS port 443 and are routed through the same IPSec tunnel.
| Service | Domain | Purpose | Protocol | Port |
| REST APIs | apis.dvsum.ai | Standard API communication | HTTPS | 443 |
| WebSocket | socket-api.dvsum.ai | Real-time WebSocket communication | WSS | 443 |
| S3 Storage | s3-storage.dvsum.ai | S3 pre-signed URL handling | HTTPS | 443 |
Important
All three domains resolve to private IP addresses inside the DvSum network when accessed over the VPN tunnel.
These private IPs are only reachable through the tunnel — they are not accessible from the public internet.
DvSum will provide the specific private IPs for each domain after the VPN connection is established.
Information DvSum Requires from You
To configure the VPN connection on the DvSum side, please provide the following information to your DvSum representative before any setup begins.
1. VPN Configuration
| Parameter | Description | Example / Default |
| VPN routing mode | Static routing (simpler) or BGP dynamic routing | Static |
| BGP ASN | Your network's BGP Autonomous System Number | 65000 |
| Customer network CIDR | The IP range of your internal network (VPC) from which the gateway agent will make requests | 192.168.0.0/16 |
| VPN device vendor | Manufacturer of your firewall or VPN device | Cisco / Fortigate / Alto / Azure / Other |
| VPN device platform | Product line or model family of your device | ASA / FTD / FortiGate-VM / etc. |
| VPN device software version | Firmware or software version on the device | 9.x / 7.x / etc. |
2. Network Details
| Parameter | Description |
| Static public IP of VPN device | The fixed public IP address of your customer gateway device — the tunnel endpoint on your side. Must be a static IP address. |
| Machine IP running DvSum gateway agent | The IP of the machine running the DvSum gateway agent inside your network. |
Why a static IP is required
Your device's public IP is registered as the Customer Gateway address on the DvSum side of the tunnel. If that address changes, the registered Customer Gateway no longer matches your device and the tunnel cannot be re-established until DvSum updates the registration.
Information DvSum Provides to You
Once DvSum has registered your Customer Gateway and created the VPN connection on its side, the following will be provided to you.
1. VPN Configuration File
DvSum will provide a VPN configuration file generated by AWS for your specific connection. This file contains all the parameters required to configure your VPN device. Below is the structure — actual values will be specific to your connection.
VPN Connection ID : vpn-XXXXXXXXXXXXXXXXX
IPSec Tunnel #1
─────────────────────────────────────────────────────────────────
IKE version : IKEv2
Authentication method : Pre-Shared Key (PSK)
Pre-Shared Key : <provided securely — not in this file>
Authentication algorithm : sha1
Encryption algorithm : aes-128-cbc
IKE lifetime : 28800 seconds (8 hours)
Diffie-Hellman group : Group 14 (modp2048)
ESP (IPSec Phase 2)
Authentication algorithm : hmac-sha1-96
Encryption algorithm : aes-128-cbc
ESP lifetime : 3600 seconds (1 hour)
Perfect Forward Secrecy : DH Group 14
Outside IP addresses
Customer Gateway (your side) : <your static public IP>
Virtual Private Gateway : <DvSum AWS VPN endpoint IP>
Inside IP addresses (for BGP or tunnel interface)
Customer Gateway : 169.254.x.x/30
Virtual Private Gateway : 169.254.x.x/30
MTU : 1436 bytes
TCP MSS adjustment : 1379 bytes
DPD interval : 10 seconds | DPD retries: 3
IPSec Tunnel #2
─────────────────────────────────────────────────────────────────
(Same structure as Tunnel 1 with different IPs and PSK)
2. IKE Version Requirement
| Parameter | DvSum requirement |
| IKE version | IKEv2 |
| NAT traversal (NAT-T) | Enabled — UDP port 4500 must be open inbound and outbound on your firewall |
| DPD (Dead Peer Detection) | Enabled on DvSum side — recommend enabling on your device with interval 10s, retries 3 |
3. Private IPs of DvSum Service Endpoints
After the VPN connection is established, DvSum will provide the private IP addresses for the three service endpoints. These must be configured in your DNS or hosts file so the gateway agent resolves the DvSum domains to private IPs.
| Service | Domain | Private IP |
| REST APIs | apis.dvsum.ai | <provided by DvSum> |
| WebSocket | socket-api.dvsum.ai | <provided by DvSum> |
| S3 Storage | s3-storage.dvsum.ai | <provided by DvSum> |
4. DNS Resolver Configuration
DvSum will provide the following DNS resolver details. These are required if you are using Approach B (internal DNS forwarding) to resolve DvSum domains to private IPs across your entire network automatically.
| Parameter | Description | Value |
| Resolver Inbound IP 1 | Primary DNS resolver IP inside DvSum SaaS — forward *.dvsum.ai queries to this IP | <provided by DvSum> |
| Resolver Inbound IP 2 | Secondary DNS resolver IP (second availability zone — for redundancy) | <provided by DvSum> |
| Resolver port | Port to forward DNS queries to | 53 (UDP and TCP) |
| Forwarding domain | The domain scope to configure forwarding for — covers all three service domains | dvsum.ai |
Firewall and Network Requirements
The following ports and protocols must be permitted on your perimeter firewall for the VPN tunnel to establish and carry traffic.
Outbound rules (Customer machine → DvSum)
| Protocol | Port | Destination | Purpose |
| UDP | 500 | DvSum VGW IPs (from config file) | IKE Phase 1 — key negotiation |
| UDP | 4500 | DvSum VGW IPs (from config file) | IPSec NAT traversal — tunnel data |
| DNS (TCP) | 53 | DvSum VGW IPs | DNS resolution — forwards *.dvsum.ai queries to resolver |
| DNS (UDP) | 53 | DvSum VGW IPs | DNS resolution — forwards *.dvsum.ai queries to resolver |
Note on data source access: The outbound rules above are specific to VPN tunnel establishment and DNS resolution toward DvSum. The machine running the DvSum gateway agent also needs outbound access to your internal data sources within your own network. If your firewall policy allows all outbound traffic by default (All traffic → 0.0.0.0/0), no additional rules are needed — the gateway agent will reach both DvSum and your internal data sources without restriction.
If you have a restrictive outbound policy, ensure the gateway agent machine is permitted to reach your data sources on the relevant ports.
Inbound rules (DvSum → Customer Machine)
| Protocol | Port | Source | Purpose |
| UDP | 500 | DvSum VGW IPs (from config file) | IKE responses |
| UDP | 4500 | DvSum VGW IPs (from config file) | IPSec NAT traversal return |
| ESP (IP protocol 50) | N/A | DvSum VGW IPs | IPSec return traffic |
DvSum VGW public IPs
The two VGW public IPs (one per tunnel) are provided in the VPN configuration file.
DvSum always provisions two tunnels — allow both IPs on your firewall for redundancy.
In NAT-T mode (most common) all tunnel data uses UDP 4500 — ESP protocol 50 is only needed if NAT-T is disabled.
Step-by-Step Setup Instructions
The following steps guide you through the complete setup. Steps 1 and 2 are completed by DvSum. Steps 3 onwards are completed by your network team.
Step 1: DvSum creates VPN infrastructure (DvSum action — no customer action required)
- DvSum registers your Customer Gateway on its side using your static public IP and BGP ASN.
- DvSum creates the Site-to-Site VPN connection and provisions two tunnels.
- DvSum prepares the VPN configuration file and shares it with you via a secure channel.
- DvSum configures the private endpoint routing on its side.
Step 2: Receive VPN configuration file from DvSum
- Receive the configuration file from your DvSum solutions engineer via secure channel.
- Open the file and note the following — you will need these for your device configuration:
  • Tunnel 1 VGW outside IP (DvSum tunnel endpoint)
  • Tunnel 1 Pre-shared key (PSK) — shared separately
  • Tunnel 2 VGW outside IP
  • Tunnel 2 Pre-shared key — shared separately
  • Inside IP addresses (169.254.x.x — for BGP mode)
Step 3: Configure your VPN device
- Using the values from the configuration file, configure your VPN device.
- DvSum recommends configuring both tunnels — designate one as primary and one as standby.
- Use the IKE parameters exactly as specified in the configuration file.
- Set MTU to 1436 bytes and TCP MSS to 1379 bytes on the tunnel interface.
- Enable Dead Peer Detection (DPD) with interval 10 seconds and 3 retries.
Key parameters to configure on your device:
| Parameter | Value | Notes |
| IKE version | IKEv2 | Mandatory — do not use IKEv1 |
| Authentication | Pre-Shared Key (PSK) | PSK provided separately by DvSum |
| IKE encryption | AES-128-CBC | Phase 1 |
| IKE integrity | SHA-1 | Phase 1 |
| IKE DH group | Group 14 (modp2048) | AWS enforces minimum — do not use Group 2 |
| IPSec encryption | AES-128-CBC | Phase 2 / ESP |
| IPSec integrity | HMAC-SHA1-96 | Phase 2 / ESP |
| IPSec PFS | DH Group 14 | Perfect Forward Secrecy |
| Tunnel MTU | 1436 bytes | Set on tunnel interface |
| TCP MSS | 1379 bytes | Set on customer gateway |
| DPD interval | 10 seconds | Dead Peer Detection |
| DPD retries | 3 | Before declaring tunnel dead |
| Static route | 10.0.0.0/16 → tunnel interface | DvSum Landing Zone CIDR — route traffic into tunnel |
Step 4: Configure DNS — resolve DvSum domains to private IPs
- Once DvSum provides the private IPs of the three service endpoints, configure DNS.
- The gateway agent machine must resolve DvSum domains to private IPs — not public addresses.
- Choose the approach that fits your environment:
Approach A — Linux /etc/hosts (single machine, simplest)
If the DvSum gateway agent runs on a single Linux machine, add the following to /etc/hosts on that machine. Replace the IPs with the actual values provided by DvSum.
# DvSum Service Endpoint Private IPs
# Replace with actual IPs provided by DvSum
<ip-provided-by-dvsum> apis.dvsum.ai
<ip-provided-by-dvsum> s3-storage.dvsum.ai
<ip-provided-by-dvsum> socket-api.dvsum.ai
Example format (actual IPs will differ):
# DvSum Service Endpoint Private IPs
10.0.151.182 apis.dvsum.ai
10.0.150.69 s3-storage.dvsum.ai
10.0.157.107 socket-api.dvsum.ai
Approach B — Internal DNS forwarding (multiple machines, recommended for production)
For environments with multiple machines, configure your internal DNS server to forward queries for *.dvsum.ai to the DvSum DNS Resolver IPs provided during setup. This automatically resolves the domains to private IPs for every machine in your network.
- Configure a forwarding rule: DNS queries for *.dvsum.ai → forward to DvSum Resolver IPs
- The resolver returns the private IP of the corresponding service endpoint
- All machines in your network benefit automatically — no per-machine configuration needed
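The forwarding rule described above, written out for a BIND 9 internal resolver as an added example (this is not DvSum-supplied configuration; the two forwarder addresses are constructed placeholders standing in for the Resolver Inbound IP 1 and IP 2 values DvSum provides):

```bind
// named.conf fragment on your internal DNS server (added example, not DvSum-supplied)
// Every query under dvsum.ai is forwarded to the DvSum resolver inbound IPs, which are
// reachable only through the tunnel. "forward only" is the security-relevant choice:
// without it, BIND falls back to public recursion when the forwarders do not answer
// and the gateway agent would silently receive the public IPs.
zone "dvsum.ai" {
    type forward;
    forward only;
    forwarders {
        10.0.10.10;   // constructed placeholder: Resolver Inbound IP 1
        10.0.11.10;   // constructed placeholder: Resolver Inbound IP 2
    };
};
```

Because the forwarder addresses sit inside the DvSum Landing Zone CIDR, the internal DNS server itself needs the 10.0.0.0/16 route into the tunnel and must be permitted UDP and TCP 53 to those addresses. On a Windows DNS Server the equivalent is a conditional forwarder for dvsum.ai, for example with PowerShell: Add-DnsServerConditionalForwarderZone -Name "dvsum.ai" -MasterServers 10.0.10.10,10.0.11.10 (same placeholder addresses). After the change, confirm with getent hosts apis.dvsum.ai from the gateway agent machine that the answer is a private 10.0.x.x address.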
Step 5: Verify tunnel is established
- After configuring your device, verify the VPN tunnel has established successfully.
- On your VPN device, confirm IKE Phase 1 and Phase 2 complete in the logs or dashboard.
- Notify your DvSum solutions engineer — DvSum will confirm the tunnel status on its side.
- Both tunnels should show as established for full redundancy.
Step 6: Test connectivity — see Testing section
- Run the connectivity tests in the Connectivity Testing section (Section 8) of this document.
- Share the test results with your DvSum solutions engineer to confirm setup is complete.
Routing Configuration
The following routes must be configured on your VPN device or network routing infrastructure.
Static routing mode
| Route to add on your device | Next hop | Purpose |
| 10.0.0.0/16 | VPN tunnel interface | DvSum VPC CIDR — all traffic for DvSum goes through tunnel |
DvSum configures a corresponding static route on its side pointing back to your network CIDR (the CIDR you provided in the information-gathering step).
BGP routing mode
If using BGP, configure a BGP session with the VGW inside IP addresses from the config file. Advertise your internal network CIDR over BGP. DvSum will advertise the Landing Zone CIDR (10.0.0.0/16) back to you dynamically.
| BGP parameter | Value |
| DvSum VGW ASN | 64512 (Amazon default) |
| Your ASN | As provided to DvSum (default 65000) |
| BGP peer IP — tunnel 1 | VGW inside IP from config file (169.254.x.x) |
| BGP peer IP — tunnel 2 | VGW inside IP from config file (169.254.x.x) |
| Advertise from your side | Your internal network CIDR |
| Receive from DvSum side | 10.0.0.0/16 (Landing Zone CIDR) |
Connectivity Testing
Run the following tests from the machine running the DvSum gateway agent. All tests must pass before the setup is considered complete.
Pre-conditions before testing
The VPN tunnel must be established before running any of these tests.
DNS must be configured (/etc/hosts, internal DNS forwarding or Resolver IP) before running HTTPS tests.
All tests must be run from the machine running the DvSum gateway agent.
1. DNS verification
Confirm DvSum domains resolve to private IPs — not public addresses.
On Linux:
getent hosts apis.dvsum.ai
# Expected: 10.0.x.x apis.dvsum.ai (private IP — not a public address)
getent hosts s3-storage.dvsum.ai
# Expected: 10.0.x.x s3-storage.dvsum.ai
getent hosts socket-api.dvsum.ai
# Expected: 10.0.x.x socket-api.dvsum.ai
On Windows (PowerShell):
Resolve-DnsName apis.dvsum.ai
# Expected: IPAddress should be 10.0.x.x (private)
Resolve-DnsName s3-storage.dvsum.ai
Resolve-DnsName socket-api.dvsum.ai
2. TCP connectivity
Confirm TCP port 443 is reachable on all three endpoint private IPs provided by DvSum.
On Linux:
nc -zv <apis-private-ip> 443
# Expected: Connection to <ip> 443 port [tcp/https] succeeded!
nc -zv <s3-private-ip> 443
# Expected: succeeded!
nc -zv <socket-private-ip> 443
# Expected: succeeded!
On Windows (PowerShell):
Test-NetConnection -ComputerName <apis-private-ip> -Port 443
# Expected: TcpTestSucceeded : True
Test-NetConnection -ComputerName <s3-private-ip> -Port 443
Test-NetConnection -ComputerName <socket-private-ip> -Port 443
3. TLS certificate validation
Confirm TLS certificates validate correctly with no errors.
openssl s_client -connect apis.dvsum.ai:443 -servername apis.dvsum.ai </dev/null 2>&1 | grep -E "subject|Verify return"
# Expected:
# subject=CN=apis.dvsum.ai
# Verify return code: 0 (ok)
openssl s_client -connect s3-storage.dvsum.ai:443 -servername s3-storage.dvsum.ai </dev/null 2>&1 | grep 'Verify return'
# Expected: Verify return code: 0 (ok)
openssl s_client -connect socket-api.dvsum.ai:443 -servername socket-api.dvsum.ai </dev/null 2>&1 | grep 'Verify return'
# Expected: Verify return code: 0 (ok)
4. HTTPS health checks
Confirm all three services return HTTP 200 — this validates full end-to-end connectivity.
On Linux:
curl -s https://apis.dvsum.ai/health-check
# Expected: {"status":"OK","mode":"privatelink"}
curl -s https://s3-storage.dvsum.ai/health-check
# Expected: {"status":"OK"}
curl -s https://socket-api.dvsum.ai/health-check
# Expected: {"status":"OK"}
On Windows (PowerShell):
Invoke-WebRequest -Uri https://apis.dvsum.ai/health-check | Select StatusCode, Content
# Expected: StatusCode 200
Invoke-WebRequest -Uri https://s3-storage.dvsum.ai/health-check | Select StatusCode
Invoke-WebRequest -Uri https://socket-api.dvsum.ai/health-check | Select StatusCode
5. WebSocket connectivity
Confirm the WebSocket endpoint is reachable. A 403 response confirms the connection reached the server — a valid session token is required for full authentication.
On Linux (install wscat: sudo npm install -g wscat):
wscat -c wss://socket-api.dvsum.ai/socket
# Expected: error: Unexpected server response: 403
# 403 = reached the server successfully (authentication required — this is correct)
# timeout or connection refused = network issue — check tunnel and DNS first
Alternative using curl:
curl -v --http1.1 \
-H "Upgrade: websocket" \
-H "Connection: Upgrade" \
-H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
-H "Sec-WebSocket-Version: 13" \
https://socket-api.dvsum.ai/socket
# Expected: HTTP response 400 or 403 (server received the request)
6. Full verification — run all checks at once (Linux)
echo "=== DNS ===" && \
getent hosts apis.dvsum.ai && \
getent hosts s3-storage.dvsum.ai && \
getent hosts socket-api.dvsum.ai && \
echo "=== TCP ===" && \
nc -zv <apis-private-ip> 443 && \
nc -zv <s3-private-ip> 443 && \
nc -zv <socket-private-ip> 443 && \
echo "=== HEALTH CHECKS ===" && \
curl -s https://apis.dvsum.ai/health-check && echo && \
curl -s https://s3-storage.dvsum.ai/health-check && echo && \
curl -s https://socket-api.dvsum.ai/health-check && echo && \
echo "=== ALL PASSED ==="
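The one-liner above stops at the first failing command but does not check what the DNS answers actually are; a resolver that still returns public addresses would pass the DNS step and send traffic outside the tunnel. The following script is an added example (it is not DvSum tooling) that runs the same DNS, TCP, TLS, health-check and WebSocket tests and additionally requires every resolved address to fall inside the Landing Zone CIDR 10.0.0.0/16. It assumes getent, nc, openssl and curl are installed; the three private IPs are passed as arguments because they are only known once DvSum provides them.

```shell
#!/bin/sh
# dvsum-verify.sh (added example, not DvSum tooling).
# Usage: sh dvsum-verify.sh <apis-private-ip> <s3-private-ip> <socket-private-ip>

DVSUM_CIDR="10.0.0.0/16"   # Landing Zone CIDR from the routing section
DOMAINS="apis.dvsum.ai s3-storage.dvsum.ai socket-api.dvsum.ai"

# Convert a dotted-quad IPv4 address to a 32-bit integer; fail on anything else.
ip_to_int() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    printf '%d' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when IPv4 address $1 lies inside CIDR $2 (e.g. 10.0.0.0/16).
ip_in_cidr() {
    case "$2" in */*) ;; *) return 1 ;; esac
    bits=${2#*/}
    case "$bits" in *[!0-9]*|"") return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Resolve $1 the way the gateway agent does (getent hosts) and require every
# answer to be inside DVSUM_CIDR: a public answer means traffic bypasses the tunnel.
check_dns() {
    addrs=$(getent hosts "$1" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "FAIL DNS  $1: no answer"; return 1; }
    for a in $addrs; do
        ip_in_cidr "$a" "$DVSUM_CIDR" || {
            echo "FAIL DNS  $1 -> $a is outside $DVSUM_CIDR (fix /etc/hosts or forwarding)"
            return 1
        }
    done
    echo "ok   DNS  $1 ->" $addrs
}

# TCP 443 must be reachable on the private IP DvSum provided.
check_tcp() {
    if nc -z -w 5 "$1" 443 >/dev/null 2>&1; then echo "ok   TCP  $1:443"
    else echo "FAIL TCP  $1:443 (tunnel up? route $DVSUM_CIDR -> tunnel?)"; return 1; fi
}

# The certificate must verify for the name, proving the tunnel reached the real service.
check_tls() {
    if openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'; then echo "ok   TLS  $1"
    else echo "FAIL TLS  $1 (verify error; confirm DNS returns a private IP)"; return 1; fi
}

# Print the HTTP status code of an HTTPS request (000 when no response).
http_code() { curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@"; }

check_health() {
    code=$(http_code "https://$1/health-check")
    [ "$code" = "200" ] && { echo "ok   HTTP $1/health-check -> 200"; return 0; }
    echo "FAIL HTTP $1/health-check -> $code (run the TCP test first)"; return 1
}

# WebSocket: 400/403 means the request reached the server; anything else is a path issue.
check_ws() {
    code=$(http_code --http1.1 -H "Upgrade: websocket" -H "Connection: Upgrade" \
        -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" -H "Sec-WebSocket-Version: 13" \
        "https://$1/socket")
    case "$code" in
        400|403) echo "ok   WS   $1/socket -> $code (server reached, auth required)" ;;
        *) echo "FAIL WS   $1/socket -> $code (fix tunnel/DNS first)"; return 1 ;;
    esac
}

# Run every check; non-zero exit if any failed.
run_all() {
    rc=0
    for d in $DOMAINS; do check_dns "$d" || rc=1; done
    for ip in "$@"; do check_tcp "$ip" || rc=1; done
    for d in $DOMAINS; do check_tls "$d" || rc=1; done
    for d in $DOMAINS; do check_health "$d" || rc=1; done
    check_ws socket-api.dvsum.ai || rc=1
    if [ "$rc" -eq 0 ]; then echo "=== ALL PASSED ==="; else echo "=== FAILURES ABOVE ==="; fi
    return "$rc"
}

# The network checks run only when the three private IPs are supplied as arguments.
if [ $# -eq 3 ]; then
    run_all "$@"
fi
```

The script keeps going after a failure so that one run reports every broken layer, and its exit status can be used by a cron job or monitoring agent to alert if DNS ever starts returning public addresses again (for example after a resolver change). The CIDR test is deliberately strict: an answer that is private but outside 10.0.0.0/16 is still reported as a failure, because it would not be routed into the tunnel.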
7. Expected results summary
| Test | Expected result | If failing |
| DNS — apis.dvsum.ai | Returns private 10.0.x.x IP | Check /etc/hosts or DNS forwarding config |
| DNS — s3-storage.dvsum.ai | Returns private 10.0.x.x IP | Check /etc/hosts or DNS forwarding config |
| DNS — socket-api.dvsum.ai | Returns private 10.0.x.x IP | Check /etc/hosts or DNS forwarding config |
| TCP — APIs endpoint | Connection succeeded | Check tunnel is up and route 10.0.0.0/16 → tunnel |
| TCP — S3 endpoint | Connection succeeded | Check tunnel is up and route 10.0.0.0/16 → tunnel |
| TCP — Socket endpoint | Connection succeeded | Check tunnel is up and route 10.0.0.0/16 → tunnel |
| TLS — all domains | Verify return code: 0 (ok) | DNS returning public IP — fix DNS first |
| HTTPS — REST APIs | HTTP 200 | Tunnel or DNS issue — run TCP test first |
| HTTPS — S3 Storage | HTTP 200 | Tunnel or DNS issue — run TCP test first |
| HTTPS — WebSocket | HTTP 200 | Tunnel or DNS issue — run TCP test first |
| WebSocket | 403 (reached server) | Timeout = network issue, not auth issue |
Troubleshooting
| Symptom | Likely cause | Fix |
| IKE phase 1 fails — no response | UDP 500/4500 blocked on firewall | Allow UDP 500 and 4500 outbound to DvSum VGW IPs |
| AUTHENTICATION_FAILED | Wrong PSK or wrong IKE identity | Verify PSK and confirm local identity is set to your static public IP |
| Tunnel established but traffic not flowing | Missing route to 10.0.0.0/16 | Add static route: 10.0.0.0/16 → tunnel interface |
| DNS returns public IP | /etc/hosts not set or DNS forwarding not configured | Add /etc/hosts entries or configure DNS forwarding for *.dvsum.ai |
| nc -zv times out | Tunnel down, wrong private IP, or routing issue | Verify tunnel is up; confirm private IP with DvSum |
| curl returns TLS certificate error | DNS returning public IP — traffic going to wrong server | Fix DNS — verify getent hosts returns private 10.0.x.x IP |
| curl times out (DNS correct) | Tunnel is down or route is missing | Check tunnel status and route table |
| WebSocket returns timeout (not 403) | Network path not working | Run TCP test first — fix tunnel/DNS before WebSocket |
DvSum, Inc. |DvSum.ai | 440 N Wolfe Road, Sunnyvale, CA 94085 | +1.844.855.3282.
CONFIDENTIAL