Create an IPSec Site-to-Site VPN Tunnel
Background: Whether an infrastructure migration or extension is taking place, or a data transfer is needed, a CloudConnect partner has the ability to establish a Site-to-Site VPN IPsec tunnel between a CloudConnect Org VDC Network and an external on-premise network.
This procedure may be used to create a Highly Available Site-to-Site VPN/IPsec Tunnel between an on premise network and a CloudConnect Org VDC (Client) Network using the vCloud Director HTML portal. This procedure requires an on premise VPN capable firewall. In this example we use a SonicWALL NSA running SonicOS. A working knowledge of TCP/IP and VPN/IPSec is necessary for the individual performing this procedure.
Note: Any setting written in Bold Italics is a variable and will vary depending on your environment. All other settings are standard fixed settings.
In this example we will connect to an on premise subnet of 192.168.10.0/24 with a Public Address of 22.214.171.124. Replace these values with your on premise values and follow this procedure to setup a connection from your CloudConnect Virtual Datacenter.
Workflow 1: Configure the Edge Gateway (vCloud Director Tasks)
Obtain your Edge Gateway properties. Locate your Edge Gateway.
1.) Login to vCloud Director. URL: https://vcloud-bos.cloudconnect.net/tenant/YOURDOMAIN
2.) Select the VDC and navigate to "Networks"
3.) Take note of the Gateway CIDR. This is your internal subnet for upcoming steps. In this example, the Gateway CIDR is 10.6.0.0/24.
Locate the Edge Gateway’s Internet Access IP Address
1.) Navigate to "Edges" and highlight the Edge Gateway you're going to use to establish a VPN connection.
2.) The Internet Access IP Address is displayed in the right column. Ignore the CloudConnect IP Address. Take note of the Internet Access IP Address as you will need this in multiple later steps. In this example, the Edge Gateway Internet Access IP Address is 172.29.254.214. This address is pre-assigned to you by CloudConnect.
3.) Once you've taken note of both the Internet IP and Subnet, click "Configure Services" to move on.
Access the Edge Gateway Firewall Service and create an exception to allow tunneled traffic to traverse the edge gateway.
1.) In the Firewall tab, click the "+" button to add a new rule.
2.) Provide a Name for the Firewall rule. This rule should clearly identify the Source of the Traffic (i.e. the On-Premise Network). For example, "Allow Acme Chicago Office"
3.) Enter the Network address in the Source Window, 192.168.10.0/24
4.) Enter the Org VDC Network subnet into the Destination Window, 10.6.0.0/24
5.) In the Service window, choose "Any." If you want to limit only certain ports to traverse the tunnel, that is also acceptable and you can customize that on this screen.
6.) Verify the "Action" radio window is set to "Accept."
7.) Optionally, you can enable logging of the traffic.
8.) Finally, click "Save changes."
Note: this rule applies to the traffic carried inside the tunnel (source 192.168.10.0/24 to destination 10.6.0.0/24), not to the IPsec negotiation itself. There is no need to create standard IPsec port exceptions (e.g. IKE, ESP, UDP 500, UDP 4500) on the Edge Gateway Firewall, as the Edge Gateway automatically determines and configures these exceptions from the VPN configuration settings. On-premise networks whose subnets overlap should not be configured on the same Edge Gateway.
Add a New Site-to-Site VPN configuration:
1.) Navigate to the VPN tab
2.) Verify the IPsec VPN Service Status is enabled
3.) Save changes, and navigate to the IPsecVPN Sites sub-tab
Configure the Site-to-Site VPN Configuration:
1.) Enter a name for the tunnel. Because you may have multiple tunnels, it is best to use a naming convention that clearly describes both the On-Premise Network you are connecting to and the Org VDC Network. For example, "From Client Acme Org VDC Net To Acme Chicago." Note: at a minimum, you will want to clearly describe the On-Premise Network, as the Configuration is Org VDC Network aware.
2.) The Local ID is the Edge Gateway IKE Identifier (Internet Access IP Address from above). In this example, it is 172.29.254.214. Add this to the "Local ID" and "Local Endpoint" window. Note: depending on the router that is being used on-premise, as well as your FQDN, the "Local ID" might be your FQDN. Only attempt to use your FQDN in this window if you have exhausted all other troubleshooting steps.
3.) The Local Subnets are the subnets associated with this Org VDC Network, noted previously. In this example, it is 10.6.0.0/24
4.) The Peer ID is generally the statically assigned Internet IP Address of the On-Premise firewall. In this example, it is 126.96.36.199.
5.) The Peer Endpoint is always the statically assigned Internet IP Address of the On-Premise firewall. In this example, it is also the Peer ID: 188.8.131.52.
6.) The Peer Subnets are the subnets associated with the on-prem network. In this example, it is 192.168.10.0/24
7.) Choose AES-256 as the encryption protocol. If your on premise firewall does not support AES encryption, consider upgrading the device.
8.) Choose "PSK" (Pre-shared Key) as the authentication method.
9.) Choose a Pre-shared Key that is between 32 and 128 alphanumeric characters. This key must have at least one lowercase letter, one uppercase letter, and one number. Make note of this key.
10.) Choose the Diffie-Hellman Group. DH2 and DH14 are supported.
11.) Make note of other settings: the VPN established from the on-premise network must have the same settings.
12.) Click "keep" and save changes.
Workflow 2: Configure the SonicWALL (On Premise Tasks)
Create a Network Object defining the CloudConnect Org VDC Network:
1.) From the On-Premise Network, access the SonicWALL device and verify you are running the latest firmware. At a minimum, the device should be running SonicOS 5.1.
2.) Create a Network Object, which identifies the Org VDC Network ("Client Acme Network" CloudConnect subnet) that you are connecting to.
3.) Provide a Name, which clearly identifies the CloudConnect Org VDC as such.
4.) Choose type "Network"
5.) In the "Zone Assignment" window, choose "LAN." For sophisticated deployments, you may have a dedicated zone for this traffic, or you may use the VPN zone. Generally, the Zone will define what On-Premise resources traffic coming from the VPN tunnel have access to.
6.) Enter the Network address of the Org VDC Network, 10.6.0.0/24
7.) Enter the Netmask 255.255.255.0
Create a New VPN Policy:
1.) From the main menu, choose VPN → Settings.
2.) In the results pane, under "VPN Policies" click "Add"
Before configuring the VPN policy, we must first derive the Primary Gateway Address and the Secondary Gateway Address.
CloudConnect assigns two Public IP Addresses to each Internet Access IP Address of your Edge Gateway. The Primary Public IP Address is used during normal operation and is the Primary Gateway Address for any on premise SonicWALL or other VPN firewall appliance. The Standby Public IP Address is used if a serious disaster event occurs, which requires CloudConnect to invoke a Geographic Site failover. Additional use of this Standby Public IP Address may occur during a planned migration or planned CloudConnect infrastructure maintenance. The Standby Public IP Address should be used as your Secondary Gateway Address in any On-Premise SonicWALL or other VPN firewall appliance. More information about this configuration is available in this KB Article: https://support.cloudconnect.net/support/solutions/articles/1000199548-cct-20150817-configuring-a-cloudconnect-statically-assigned-internet-ip-address-to-be-highly-availa
As mentioned in the above referenced KB Article, the following table provides a mapping between your Edge Gateway's Internet Access IP Address(es) and the Primary and Standby Public IP Addresses.
In this example, the Edge Gateway Internet Access IP Address (from Workflow 1, above) is 172.29.254.214. The corresponding Primary Public IP Address is 184.108.40.206 and the corresponding Standby Public IP Address is 220.127.116.11.
1.) Policy type: Site to Site
2.) Authentication method: IKE using Preshared Secret
3.) Name: Choose a name that clearly describes the Tunnel's destination network. For example, "To CloudConnect Acme Network"
4.) IPSec Primary Gateway Address: Enter the Primary Public IP Address of your Edge Gateway. In this example, 18.104.22.168
5.) IPSec Secondary Gateway Address: Enter the Standby Public IP Address of your Edge Gateway. In this example, 22.214.171.124
6.) Shared Secret: Enter the Shared Secret from your Edge Gateway Site-to-Site Configuration.
7.) Local IKE ID: IP Address - This is generally the Public IP Address of the SonicWALL. In this example, 126.96.36.199
8.) Peer IKE ID: IP Address - This is the Edge Gateway's Internet Access IP Address (NOT THE PUBLIC IP ADDRESS). In this example, it is 172.29.254.214
1.) In the Network tab, choose the On-Premise Network which will have access to the VPN tunnel. In this example, we are using "LAN Subnets"
2.) For Remote Networks, choose the Network Object we created as our first SonicWALL configuration task. In this example, we are using Org VDC Network Subnet ("Client Acme Network").
IKE (Phase 1) Proposal
1.) Exchange: Main Mode
2.) DH Group: Group 14
3.) Encryption: AES-256
4.) Authentication: SHA1
5.) Life Time (seconds): 28800
IPSec (Phase 2) Proposal
1.) Protocol: ESP
2.) Encryption: AES-256
3.) Authentication: SHA1
4.) Enable Perfect Forward Secrecy: Enabled (DH Group 14)
5.) Life Time (seconds): 3600
Advanced Settings
1.) Preempt Secondary Gateway: Enabled (Primary Gateway Detection Interval: 28800)
2.) Management via this SA: optional
Note: it is recommended to keep all other Advanced Settings disabled. Enabling these features can cause the tunnel to stop functioning.
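Before bringing the tunnel up, it helps to cross-check both ends against each other. The script below is an added example, not part of the original article or of any VMware or SonicWALL tooling: it encodes the article's rules that the Edge Gateway site and the SonicWALL policy must carry mirrored IKE identities and subnets, identical encryption and DH group, a Pre-shared Key that meets the stated key policy, and no overlapping subnets on one Edge Gateway. The two dictionaries are constructed from this article's example values, and the key is a placeholder that only satisfies the policy.

```python
import ipaddress
import re

# Constructed sample values, copied from the article's worked example; the PSK is
# a placeholder that merely satisfies the stated policy and must not be reused.
PSK = "Acme2024CloudConnectTunnelKeyExample0001"
EDGE_SITE = {"local_id": "172.29.254.214", "local_subnets": ["10.6.0.0/24"],
             "peer_id": "126.96.36.199", "peer_subnets": ["192.168.10.0/24"],
             "encryption": "AES-256", "dh_group": 14, "psk": PSK}
SONICWALL_POLICY = {"local_ike_id": "126.96.36.199", "peer_ike_id": "172.29.254.214",
                    "local_networks": ["192.168.10.0/24"], "remote_networks": ["10.6.0.0/24"],
                    "p1_encryption": "AES-256", "p2_encryption": "AES-256",
                    "p1_dh_group": 14, "pfs_dh_group": 14, "shared_secret": PSK}

def psk_meets_policy(psk):
    """Article's rule: 32-128 alphanumerics with a lowercase, an uppercase and a digit."""
    return (re.fullmatch(r"[A-Za-z0-9]{32,128}", psk) is not None
            and any(c.islower() for c in psk) and any(c.isupper() for c in psk)
            and any(c.isdigit() for c in psk))

def overlapping_subnets(cidrs):
    """Pairs of CIDRs that overlap; sites with such subnets must not share an Edge Gateway."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

def check_tunnel(edge, sw):
    """Return the mismatches that would stop the two ends from negotiating the tunnel."""
    problems = []
    # IKE identities and traffic selectors are mirrored: local on one side is peer on the other.
    if edge["local_id"] != sw["peer_ike_id"]:
        problems.append("Edge Local ID must equal SonicWALL Peer IKE ID")
    if edge["peer_id"] != sw["local_ike_id"]:
        problems.append("Edge Peer ID must equal SonicWALL Local IKE ID")
    if sorted(edge["local_subnets"]) != sorted(sw["remote_networks"]):
        problems.append("Edge Local Subnets must equal SonicWALL Remote Networks")
    if sorted(edge["peer_subnets"]) != sorted(sw["local_networks"]):
        problems.append("Edge Peer Subnets must equal SonicWALL Local Networks")
    # Crypto must be identical on both ends; the Edge Gateway only offers DH2 and DH14.
    if not edge["encryption"] == sw["p1_encryption"] == sw["p2_encryption"]:
        problems.append("Encryption differs between Edge and SonicWALL phases")
    if edge["dh_group"] not in (2, 14) or not edge["dh_group"] == sw["p1_dh_group"] == sw["pfs_dh_group"]:
        problems.append("DH group unsupported or differs between Edge and SonicWALL")
    if edge["psk"] != sw["shared_secret"]:
        problems.append("Pre-shared key differs")
    if not psk_meets_policy(edge["psk"]):
        problems.append("Pre-shared key violates the Edge Gateway key policy")
    for a, b in overlapping_subnets(edge["local_subnets"] + edge["peer_subnets"]):
        problems.append(f"Subnets {a} and {b} overlap")
    return problems
```

Run overlapping_subnets over the Peer Subnets of every site configured on one Edge Gateway to catch the overlapping-customer case from the Workflow 1 note; an empty list from check_tunnel means the two configurations agree.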
The tunnel should show as up.
In the Edge Gateway Configuration Window, navigate to the Statistics tab then the IPSec VPN tab. Ensure the Channel and Tunnel status show a checkmark.
Test the tunnel by pinging across to verify connectivity:
Note: if the tunnel shows as Up, but you are unable to ping across, check your firewall configurations on both sides as these may be dropping traffic in either or both directions.
If you can ping through, congratulations! You have successfully linked your on-prem network to the customer's Org VDC Network on CloudConnect!
Applies to: VMware vCloud Director
CloudConnect Infrastructure as a Service.