Using VPN authentication with Redox

Last updated: Jun 3, 2026

VPN is the supported authentication method for MLLP sources or destinations to exchange HL7v2 traffic. A Redoxer sets up a VPN configuration for you.

To authenticate with VPN, you must:

  1. Review our technical specifications and requirements for using VPN.
  2. Submit the VPN request form that your Implementation Manager sends you.
  3. Redox provides a summary sheet containing all the information you need (i.e., peer IPs, host IPs) to build the VPN tunnel on your end.
  4. Talk to your Implementation Manager for any further questions or assistance.

What VPN types Redox supports

Minimum supported VPN requirements

At a minimum, your VPN configuration must meet these requirements:

IKE/ISAKMP phase 1

| VPN information      | Minimum required setting                  |
|----------------------|-------------------------------------------|
| IKE version          | IKEv2                                     |
| Mode                 | Redox only allows Main Mode.              |
| Encryption           | AES-256                                   |
| Authentication       | SHA-256                                   |
| Key exchange         | DH 14                                     |
| Lifetime             | 86400 seconds                             |
| Pre-shared key (PSK) | N/A. Redox shares the PSK via SendSafely. |

IPsec phase 2

| VPN information               | Minimum required setting |
|-------------------------------|--------------------------|
| Encryption                    | AES-256                  |
| Authentication                | SHA-256                  |
| Perfect forward secrecy (PFS) | DH 14                    |
| Lifetime                      | 3600 seconds             |

What VPN details you provide

In your VPN request form, you'll be asked to provide the following details:

Network information

  • VPN device make and model
  • VPN peer address

Encryption domain

Provide the specific IPs to be included in the encryption domain. Please submit host IPs using /32 CIDR only.

Unsupported subnets

Your IP values may not be in the following system-reserved subnets:

  • 10.1.100.0/24
  • 10.20.0.0/16
  • 10.153.0.0/16
  • 10.154.0.0/16
  • 10.155.0.0/16
  • 10.156.0.0/16
  • 10.157.0.0/16
  • 10.253.0.0/16
  • 10.254.0.0/16
  • 172.20.0.0/16
  • 172.28.0.0/16

Please NAT any host IPs you have that fall into these subnets.
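
A pre-submission check for the encryption-domain rules above, as an added example that is not Redox's own tooling: it flags entries that are not written as /32 hosts and hosts that fall inside the reserved subnets and therefore need NAT. It assumes IPv4 only (every listed range is IPv4); the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# System-reserved subnets copied from the list above.
RESERVED = [ipaddress.IPv4Network(n) for n in (
    "10.1.100.0/24", "10.20.0.0/16", "10.153.0.0/16", "10.154.0.0/16",
    "10.155.0.0/16", "10.156.0.0/16", "10.157.0.0/16", "10.253.0.0/16",
    "10.254.0.0/16", "172.20.0.0/16", "172.28.0.0/16",
)]


def check_entry(entry):
    """Return (status, detail) for one proposed encryption-domain entry."""
    entry = entry.strip()
    try:
        # strict=False so 10.0.0.5/24 is reported as "not /32", not a parse error.
        net = ipaddress.IPv4Network(entry, strict=False)
    except ValueError as exc:  # malformed or non-IPv4 input
        return "invalid", str(exc)
    if not entry.endswith("/32"):
        return "not_slash32", "submit each host as a.b.c.d/32"
    for reserved in RESERVED:
        if net.subnet_of(reserved):
            return "needs_nat", f"inside reserved {reserved}"
    return "ok", ""


def preflight(entries):
    """Group entries by status so only the 'ok' ones go on the request form."""
    report = {"ok": [], "needs_nat": [], "not_slash32": [], "invalid": []}
    for entry in entries:
        status, detail = check_entry(entry)
        report[status].append((entry.strip(), detail))
    return report


if __name__ == "__main__":
    # Constructed sample hosts, not real customer addresses.
    sample = ["192.168.10.15/32", "10.20.4.9/32", "172.28.0.1/32",
              "10.1.101.7/32", "192.168.10.0/24", "10.0.0.5", "not-an-ip/32"]
    for status, items in preflight(sample).items():
        for entry, detail in items:
            print(f"{status:12} {entry:20} {detail}")
```

Hosts reported as `needs_nat` should be translated to an address outside the reserved ranges before they are entered in the form.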

Provide the noted IP addresses in the VPN request form. You can use the same IP address for either sending or receiving data. However, you can also use multiple IP addresses if you prefer.

| Source IP | Destination IP | Port/service | Purpose |
|-----------|----------------|--------------|---------|
| 52.204.171.241/32 | Provide the destination IP address you'll use for receiving from Redox. | ICMP | Redox ping to your connection |
| 52.204.171.241/32 | Provide the destination IP address you'll use for receiving from Redox. | N/A | Production HL7v2 traffic + ping |
| 52.204.171.241/32 | Provide the destination IP address you'll use for receiving from Redox. | N/A | Development or staging HL7v2 traffic + ping |
| Provide the source IP address you'll use for sending to Redox. | 52.204.171.241/32 | ICMP | Connection ping to Redox |
| Provide the source IP address you'll use for sending to Redox. | 52.204.171.241/32 | Redox assigns and provides port information. | Production HL7v2 traffic + ping |
| Provide the source IP address you'll use for sending to Redox. | 52.204.171.241/32 | Redox assigns and provides port information. | Development or staging HL7v2 traffic + ping |

Learn more about pings and VPN statuses.

Contact information

Provide the name, phone, and email address of each of the following contacts from your organization:

  • Application contact
  • Network contact
  • Production Technical Support contact

FHIR® is a registered trademark of Health Level Seven International (HL7) and is used with the permission of HL7. Use of this trademark does not constitute an endorsement of products/services by HL7®.