What is a VPN Connection in SurveyAnalytica?
A VPN (Virtual Private Network) connection allows SurveyAnalytica to securely communicate with resources hosted in your on-premise or private cloud environment. When configured, a site-to-site IPsec VPN tunnel is established between SurveyAnalytica’s cloud infrastructure and your network, enabling encrypted data transfer for integrations, data imports, and webhook delivery to internal endpoints.
This is ideal for organizations that need SurveyAnalytica to reach databases, APIs, or services that are not exposed to the public internet.
Prerequisites
Before configuring a VPN connection, ensure you have the following:
- An on-premise or cloud-based VPN gateway capable of establishing IPsec tunnels (e.g., Cisco ASA, Palo Alto, AWS VPN Gateway, Azure VPN Gateway, pfSense).
- A static public IP address assigned to your VPN gateway that SurveyAnalytica can reach.
- IKE v2 support enabled on your gateway. IKE v1 is supported but IKE v2 is strongly recommended for improved security and performance.
- Network administrator access to configure routes, firewall rules, and VPN settings on your side.
- Knowledge of your on-premise CIDR ranges that SurveyAnalytica needs to reach (e.g., 10.0.1.0/24).
Step-by-Step Configuration
Step 1: Navigate to Network Connections
In SurveyAnalytica, go to Settings → Network Connections and click Add Connection. Select VPN as the connection type.
Step 2: Enter Your VPN Gateway IP
Enter the public IP address of your on-premise VPN gateway. This is the IP that SurveyAnalytica will initiate the tunnel towards.
Example: 203.0.113.50
Step 3: Specify On-Premise CIDR Ranges
Add one or more CIDR ranges that represent the internal networks SurveyAnalytica needs to access. These are used to configure routing on the VPN tunnel.
Examples:
- 10.0.1.0/24 — A single subnet containing your database servers
- 172.16.0.0/16 — A broader internal network range
Important: Only specify the ranges that SurveyAnalytica actually needs to reach. Avoid overly broad ranges for security.
Step 4: Select the IKE Version
Choose the IKE (Internet Key Exchange) version your gateway supports:
- IKE v2 (Recommended) — Better security, faster re-keying, and NAT traversal support.
- IKE v1 — Legacy support for older gateways.
Step 5: Generate and Enter a Pre-Shared Key
A strong pre-shared key (PSK) is required for mutual authentication between the two VPN endpoints. Generate a cryptographically secure key using the following command:
openssl rand -base64 32
This produces a 256-bit random key encoded in base64. Example output:
k7G3xP9mQ2vLwR5nT8yB1dF4hJ6cA0eI3uO7sW9zX1Y=
Enter this key in SurveyAnalytica and save it securely — you will need the same key when configuring your on-premise gateway.
Step 6: Save and Provision
Click Save & Provision to initiate tunnel creation.
What Happens After Provisioning
Once you save the configuration, SurveyAnalytica provisions a GCP Cloud VPN tunnel on our side. This process typically takes 1–3 minutes. When complete, you will receive:
- Our VPN Gateway IP(s) — The public IP address(es) of the SurveyAnalytica VPN endpoint that your gateway should peer with.
- Tunnel status — Initially shown as Waiting for peer until your side is configured.
- SurveyAnalytica CIDR range — The internal range used by our services (needed for your routing configuration).
Customer-Side Configuration
After receiving the SurveyAnalytica gateway IPs, configure your VPN gateway with the following:
- Remote peer IP: Use the SurveyAnalytica gateway IP provided after provisioning.
- Pre-shared key: Enter the same PSK you generated in Step 5.
- Remote network (Phase 2 / Traffic selector): Add the SurveyAnalytica CIDR range provided.
- IKE version: Must match what you selected in SurveyAnalytica.
- Firewall rules: Allow UDP ports 500 and 4500 (IKE/NAT-T) inbound from the SurveyAnalytica gateway IP.
- Routing: Add a route for the SurveyAnalytica CIDR range pointing through the VPN tunnel interface.
Once both sides are configured, the tunnel should establish automatically. The status in SurveyAnalytica will update to Established.
Troubleshooting Common Issues
Tunnel Not Establishing
- Verify the pre-shared key matches exactly on both sides (watch for trailing whitespace or newline characters).
- Check firewall rules — Ensure UDP 500 and 4500 are open bidirectionally between the two gateway IPs.
- Confirm IKE version alignment — Both sides must use the same IKE version.
- Verify the peer IP — Ensure SurveyAnalytica has your correct public IP and vice versa.
- Check NAT — If your gateway is behind NAT, ensure NAT traversal (NAT-T) is enabled.
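The PSK handling from Step 5 and the whitespace check from the first troubleshooting item above, as an added shell example (not SurveyAnalytica tooling). The function names are hypothetical, and it assumes openssl plus the coreutils base64 and sha256sum commands.

```bash
#!/bin/sh
# Added example: PSK hygiene helpers. Function names are hypothetical.

# Generate a 256-bit PSK into a file only the owner can read.
# tr removes the newline openssl appends, so the file holds exactly the key.
generate_psk() {
    local out="$1"
    ( umask 077 && openssl rand -base64 32 | tr -d '\n' > "$out" )
}

# Validate a stored PSK file. Prints a reason and returns non-zero on failure.
check_psk_file() {
    local file="$1" total clean decoded
    # Any byte that disappears when whitespace is stripped is a stray
    # space, tab, CR or newline that a gateway may treat as part of the key.
    total=$(( $(wc -c < "$file") ))
    clean=$(( $(tr -d '[:space:]' < "$file" | wc -c) ))
    if [ "$total" -ne "$clean" ]; then
        echo "whitespace-or-newline-in-key"
        return 1
    fi
    # The base64 text must decode to at least 32 bytes (256 bits).
    decoded=$(( $(base64 -d < "$file" 2>/dev/null | wc -c) ))
    if [ "$decoded" -lt 32 ]; then
        echo "key-shorter-than-256-bits"
        return 1
    fi
    echo "ok"
}

# Short SHA-256 fingerprint of the exact file bytes, for comparing two
# stored copies of the key without printing the key itself.
psk_fingerprint() {
    sha256sum < "$1" | cut -c1-16
}
```

Two copies of the same key text that differ only by a trailing newline produce different fingerprints, which is the mismatch the troubleshooting item describes.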
CIDR Overlap Errors
- If you receive a CIDR overlap error during configuration, it means your specified on-premise range conflicts with SurveyAnalytica’s internal range or another existing connection.
- Resolution: Use a more specific (smaller) CIDR range, or contact support to discuss network planning.
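A pre-check for the ranges entered in Step 3 and for the overlap error described above, as an added shell example (not SurveyAnalytica tooling). The function names, the 10.8.0.0/20 vendor range in the usage comment and the /20 breadth limit are constructed placeholders; use the SurveyAnalytica CIDR shown after provisioning and your own policy.

```bash
#!/bin/sh
# Added example: review on-premise CIDR ranges before submitting them.
# Function names and sample values are constructed, not SurveyAnalytica's.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print the first and last address of a CIDR block as integers.
cidr_bounds() {
    local addr="${1%/*}" len="${1#*/}" ip size first
    ip=$(ip_to_int "$addr")
    size=$(( 1 << (32 - $len) ))
    first=$(( $ip / $size * $size ))
    echo "$first $(( $first + $size - 1 ))"
}

# Return 0 if the two CIDR blocks share at least one address.
cidr_overlaps() {
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# review_ranges VENDOR_CIDR MIN_PREFIX_LEN RANGE...
# Flags ranges broader than the local policy limit or overlapping the
# vendor range. Returns non-zero if any range is flagged.
review_ranges() {
    local vendor="$1" min_len="$2" status=0 r
    shift 2
    for r in "$@"; do
        if [ "${r#*/}" -lt "$min_len" ]; then
            echo "BROAD   $r"; status=1
        elif cidr_overlaps "$r" "$vendor"; then
            echo "OVERLAP $r"; status=1
        else
            echo "OK      $r"
        fi
    done
    return "$status"
}

# Usage with constructed values:
#   review_ranges 10.8.0.0/20 20 10.0.1.0/24 172.16.0.0/16 10.8.4.0/24
```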
Tunnel Established but No Connectivity
- Verify that routing is configured on your side to direct traffic for SurveyAnalytica’s CIDR through the tunnel.
- Check that internal firewall rules on your network allow traffic from the SurveyAnalytica CIDR to the target resources.
- Confirm the target service is listening on the expected port.
Security Notes
- CIDR isolation: Each VPN connection is isolated to the specific CIDR ranges you configure. SurveyAnalytica cannot access any part of your network outside these ranges.
- Encryption: All traffic through the tunnel is encrypted using IPsec with AES-256-GCM.
- Key rotation: We recommend rotating the pre-shared key every 90 days. Update it in both SurveyAnalytica and your gateway simultaneously.
- Least privilege: Only expose the minimum CIDR ranges and ports necessary for your integration.