Working with Networks 1.9

Secure Access Using Virtual Private Networks

You can configure the VPN capabilities that are provided by the Networking software for your Networking Data Center for VMware vSphere edge gateways. You can configure VPN connections to your organization virtual data center using an SSL VPN-Plus tunnel, an IPsec VPN tunnel, or an L2 VPN tunnel.

As described in the Networking Administration Guide, the Networking edge gateway supports these VPN services:

SSL VPN-Plus, which allows remote users to access private corporate applications.

IPsec VPN, which offers site-to-site connectivity between a Networking edge gateway and remote sites that also run Networking or that use third-party hardware routers or VPN gateways.

L2 VPN, which extends your organization virtual data center by letting virtual machines keep their network connectivity and the same IP address across geographical boundaries.

In a Cyfuture Cloud Console environment, you can create VPN tunnels between:

Organization virtual data center networks in the same organization

Organization virtual data center networks in different organizations

An organization virtual data center network and an external network

Note- Cyfuture Cloud Console does not support multiple VPN tunnels between the same two edge gateways. If there is an existing tunnel between two edge gateways and you want to add another subnet to the tunnel, delete the existing VPN tunnel and create a new one that includes the new subnet.

After you configure VPN tunnels for an edge gateway, you can use a VPN client from a remote location to connect to the organization virtual data center that is backed by that edge gateway.

Configure SSL VPN-Plus

The SSL VPN-Plus services for a Networking Data Center for VMware vSphere edge gateway in a Cyfuture Cloud Console environment enable remote users to connect securely to the private networks and applications in the organization virtual data centers backed by that edge gateway. You can configure various SSL VPN-Plus services on the edge gateway.

In your Cyfuture Cloud Console environment, the edge gateway SSL VPN-Plus capability supports network access mode. Remote users must install an SSL client to make secure connections and access the networks and applications behind the edge gateway. As part of the edge gateway SSL VPN-Plus configuration, you add the installation packages for the operating system and configure certain parameters. See Add an SSL VPN-Plus Client Installation Package for details.

Configuring SSL VPN-Plus on an edge gateway is a multi-step process.

Prerequisites

Verify that all SSL certificates needed for the SSL VPN-Plus have been added to the Certificates screen. See SSL Certificate Management.

Note- On an edge gateway, port 443 is the default port for HTTPS. For the SSL VPN functionality, the edge gateway HTTPS port must be accessible from external networks. The SSL VPN client requires the edge gateway IP address and port that are configured in the Server Settings screen on the SSL VPN-Plus tab to be reachable from the client system. See Configure SSL VPN Server Settings.

Procedure

1      Navigate to the SSL-VPN Plus Screen

You can navigate to the SSL-VPN Plus screen to begin configuring the SSL-VPN Plus service for a Networking Data Center for VMware vSphere edge gateway.

2      Configure SSL VPN Server Settings

These server settings configure the SSL VPN server, such as the IP address and port the service listens on, the cipher list of the service, and its service certificate. When connecting to the Networking Data Center for VMware vSphere edge gateway, remote users specify the same IP address and port you set in these server settings.

3      Create an IP Pool for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway

The remote users are assigned virtual IP addresses from the static IP pools that you configure using the IP Pools screen on the SSL VPN-Plus tab.

4      Add a Private Network for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway

Use the Private Networks screen on the SSL VPN-Plus tab to configure the private networks. The private networks are the ones you want the VPN clients to have access to, when the remote users connect using their VPN clients and the SSL VPN tunnel. The enabled private networks will be installed in the routing table of the VPN client.

5      Configure an Authentication Service for SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway

Use the Authentication screen on the SSL VPN-Plus tab to set up a local authentication server for the edge gateway SSL VPN service and optionally enable client certificate authentication. This authentication server is used to authenticate the connecting users. All users configured in the local authentication server will be authenticated.

6      Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server

Use the Users screen on the SSL VPN-Plus tab to add accounts for your remote users to the local authentication server for the Networking Data Center for VMware vSphere edge gateway SSL VPN service.

7      Add an SSL VPN-Plus Client Installation Package

Use the Installation Packages screen on the SSL VPN-Plus tab to create named installation packages of the SSL VPN-Plus client for the remote users.

8      Edit SSL VPN-Plus Client Configuration

Use the Client Configuration screen on the SSL VPN-Plus tab to customize the way the SSL VPN client tunnel responds when the remote user logs in to SSL VPN.

9      Customize the General SSL VPN-Plus Settings for a Networking Data Center for VMware vSphere Edge Gateway

By default, the system sets some SSL VPN-Plus settings on an edge gateway in your Cyfuture Cloud Console environment. You can use the General Settings screen on the SSL VPN-Plus tab in the Cyfuture Cloud Console tenant portal to customize these settings.

 

Navigate to the SSL-VPN Plus Screen

You can navigate to the SSL-VPN Plus screen to begin configuring the SSL-VPN Plus service for a Networking Data Center for VMware vSphere edge gateway.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the SSL VPN-Plus tab.

What to do next

On the General screen, configure the default SSL VPN-Plus settings. See Customize the General SSL VPN-Plus Settings for a Networking Data Center for VMware vSphere Edge Gateway.

 

Configure SSL VPN Server Settings

These server settings configure the SSL VPN server, such as the IP address and port the service listens on, the cipher list of the service, and its service certificate. When connecting to the Networking Data Center for VMware vSphere edge gateway, remote users specify the same IP address and port you set in these server settings.

If your edge gateway is configured with multiple overlay IP address networks on its external interface, the IP address you select for the SSL VPN server can be different from the default external interface address of the edge gateway.

While configuring the SSL VPN server settings, you must choose which encryption algorithms to use for the SSL VPN tunnel. You can choose one or more ciphers. Carefully choose the ciphers according to the strengths and weaknesses of your selections.

By default, the system uses the default, self-signed certificate that the system generates for each edge gateway as the default server identity certificate for the SSL VPN tunnel. Instead of this default, you can choose to use a digital certificate that you have added to the system on the Certificates screen.

Prerequisites

Verify that you have met the prerequisites described in Configure SSL VPN-Plus.

If you choose to use a service certificate different from the default one, import the required certificate into the system. See Add a Service Certificate to the Edge Gateway.

Navigate to the SSL-VPN Plus Screen.

 

Procedure

1      On the SSL VPN-Plus screen, click Server Settings.

2      Click Enabled.

3      Select an IP address from the drop-down menu.

4      (Optional) Enter a TCP port number.

 

The TCP port number is used by the SSL client installation package. By default, the system uses port 443, which is the default port for HTTPS/SSL traffic. Even though a port number is required, you can set any TCP port for communications.

Note- The SSL VPN client requires the IP address and port configured here to be reachable from the client systems of your remote users. If you change the port number from the default, ensure that the IP address and port combination is reachable from the systems of your intended users.

5      Select an encryption method from the cipher list.

 

6      Configure the service Syslog logging policy.

Logging is enabled by default. You can change the level of messages to log or disable logging.

7      (Optional) If you want to use a service certificate instead of the default system-generated self-signed certificate, click Change server certificate, select a certificate, and click OK.

8      Click Save changes.

 

What to do next

Note- The edge gateway IP address and the TCP port number you set must be reachable by your remote users. Add an edge gateway firewall rule that allows access to the SSL VPN-Plus IP address and port configured in this procedure. See Add a Networking Data Center for VMware vSphere Edge Gateway Firewall Rule.

Add an IP pool so that remote users are assigned IP addresses when they connect using SSL VPN-Plus. See Create an IP Pool for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway.

Create an IP Pool for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway

The remote users are assigned virtual IP addresses from the static IP pools that you configure using the IP Pools screen on the SSL VPN-Plus tab.

Each IP pool added in this screen results in an IP address subnet configured on the edge gateway. The IP address ranges used in these IP pools must be different from all other networks configured on the edge gateway.

Note- SSL VPN assigns IP addresses to the remote users from the IP pools based on the order the IP pools appear in the on-screen table. After you add the IP pools to the on-screen table, you can adjust their positions in the table using the up and down arrows.

Prerequisites

Navigate to the SSL-VPN Plus Screen.

Configure SSL VPN Server Settings.

Procedure

1      On the SSL VPN-Plus tab, click IP Pools.

2      Click the Create button.

3      Configure the IP pool settings.

 

Option

Action

IP Range

Enter an IP address range for this IP pool, such as 127.0.0.1-127.0.0.9. These IP addresses will be assigned to VPN clients when they authenticate and connect to the SSL VPN tunnel.

Netmask

Enter the netmask of the IP pool, such as 255.255.255.0.

Gateway

Enter the IP address that you want the edge gateway to create and assign as the gateway address for this IP pool.

When the IP pool is created, a virtual adapter is created on the edge gateway virtual machine and this IP address is configured on that virtual interface. This IP address can be any IP within the subnet that is not also in the range in the IP Range field.

Description

(Optional) Enter a description for this IP pool.

Status

Select whether to enable or disable this IP pool.

Primary DNS

(Optional) Enter the name of the primary DNS server that will be used for name resolution for these virtual IP addresses.

Secondary DNS

(Optional) Enter the name of the secondary DNS server to use.

DNS Suffix

(Optional) Enter the DNS suffix for the domain the client systems are hosted on, for domain-based host name resolution.

WINS Server

(Optional) Enter the WINS server address for the needs of your organization.

 

4      Click Keep.

 

Results

The IP pool configuration is added to the on-screen table.

What to do next

Add private networks that you want accessible to your remote users connecting with SSL VPN-Plus. See Add a Private Network for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway.

Add a Private Network for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway

Use the Private Networks screen on the SSL VPN-Plus tab to configure the private networks. The private networks are the ones you want the VPN clients to have access to, when the remote users connect using their VPN clients and the SSL VPN tunnel. The enabled private networks will be installed in the routing table of the VPN client.

The private networks list contains the reachable IP networks behind the edge gateway for which you want VPN client traffic to be encrypted, or which you want to exclude from encryption. Each private network that requires access through an SSL VPN tunnel must be added as a separate entry. You can use route summarization techniques to limit the number of entries.

SSL VPN-Plus allows remote users to access private networks based on the top-down order the IP pools appear in the on-screen table. After you add the private networks to the on-screen table, you can adjust their positions in the table using the up and down arrows.

If you select to enable TCP optimization for a private network, some applications such as FTP in active mode might not work within that subnet. To add an FTP server configured in active mode, you must add another private network for that FTP server and disable TCP optimization for that private network. Also, the private network for that FTP server must be enabled and appear in the on-screen table above the TCP-optimized private network.

Prerequisites

Navigate to the SSL-VPN Plus Screen.

Create an IP Pool for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway.

 

Procedure

1      On the SSL VPN-Plus tab, click Private Networks.

2      Click the Add button.

3      Configure the private network settings.

 

Option

Action

Network

Type the private network IP address in CIDR format, such as 192.169.1.0/24.

Description

(Optional) Type a description for the network.

Send Traffic

Specify how you want the VPN client to send the private network and Internet traffic.

Over Tunnel: The VPN client sends the private network and Internet traffic over the SSL VPN-Plus enabled edge gateway.

Bypass Tunnel: The VPN client bypasses the edge gateway and sends the traffic directly to the private server.

Enable TCP Optimization

(Optional) To best optimize Internet speed when you select Over Tunnel for sending the traffic, you must also select Enable TCP Optimization.

Selecting this option enhances the performance of TCP packets within the VPN tunnel but does not improve the performance of UDP traffic.

Conventional full-access SSL VPN tunnels send TCP/IP data through a second TCP/IP stack for encryption over the Internet, so application-layer data is encapsulated in two separate TCP streams. When packet loss occurs, which can happen even under optimal Internet conditions, a performance degradation effect called TCP-over-TCP meltdown occurs: both TCP instances try to recover the same lost IP packet, undermining network throughput and causing connection timeouts. Selecting Enable TCP Optimization eliminates the risk of this TCP-over-TCP problem.

 

Note- When you enable TCP optimization:

You must enter the port numbers for which to optimize the Internet traffic.

The SSL VPN server opens the TCP connection on behalf of the VPN client. When the SSL VPN server opens the TCP connection, the first automatically generated edge firewall rule is applied, which allows all connections opened from the edge gateway to pass. Traffic that is not optimized is evaluated by the regular edge firewall rules. The default generated TCP rule is to allow any connections.

 

 

Ports

When you select Over Tunnel, type a range of port numbers that you want opened for the remote user to access the internal servers, such as 20-21 for FTP traffic and 80-81 for HTTP traffic.

To give unrestricted access to users, leave the field blank.

Status

Enable or disable the private network.

 

4      Click Keep.

5      Click Save changes to save the configuration to the system. 
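The IP pool rules above (the pool subnet must not overlap any other network on the edge, and the gateway address must lie in the subnet but outside the assigned range) and the private network rules (valid CIDR, a port range or blank, and the top-down ordering trap for an active-mode FTP server placed below a TCP-optimized entry) are easy to get wrong in a form. The following Python script, an added example for this guide and not code from the Cyfuture Cloud Console product, checks a candidate configuration before you commit it. The pool, network and port values in it are constructed for illustration.

```python
"""Validate SSL VPN-Plus IP pools and private networks before they are committed
on the edge gateway.  Added example for this guide, not product code; all pool,
network and port values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IPPool:
    ip_range: str   # "start-end", as typed into the IP Range field
    netmask: str    # dotted netmask, e.g. 255.255.255.0
    gateway: str    # address the edge gateway creates on the pool's virtual adapter


@dataclass
class PrivateNetwork:
    cidr: str                       # e.g. 10.10.20.0/24
    tcp_optimization: bool = False  # Enable TCP Optimization toggle
    ports: str = ""                 # "low-high" for Over Tunnel; blank means unrestricted
    enabled: bool = True


def pool_subnet(pool: IPPool) -> ipaddress.IPv4Network:
    """Subnet the edge gateway will configure for this pool (start address + netmask)."""
    start, _ = pool.ip_range.split("-")
    return ipaddress.IPv4Network(f"{start.strip()}/{pool.netmask}", strict=False)


def check_pool(pool: IPPool, edge_networks: List[str]) -> List[str]:
    """Problems with one IP pool; an empty list means it is acceptable."""
    problems = []
    start, end = (ipaddress.IPv4Address(p.strip()) for p in pool.ip_range.split("-"))
    subnet = pool_subnet(pool)
    gw = ipaddress.IPv4Address(pool.gateway)
    if end < start:
        problems.append("IP Range end precedes its start")
    if end not in subnet:
        problems.append("IP Range does not fit inside the netmask")
    if gw not in subnet:
        problems.append("Gateway is outside the pool subnet")
    elif start <= gw <= end:
        problems.append("Gateway must not fall inside the IP Range")
    # The pool subnet must differ from every other network configured on the edge.
    for net in edge_networks:
        if subnet.overlaps(ipaddress.IPv4Network(net)):
            problems.append(f"pool subnet {subnet} overlaps existing edge network {net}")
    return problems


def valid_ports(spec: str) -> bool:
    """Ports field: blank (unrestricted) or a 'low-high' range within 1-65535."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    return lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535


def check_private_networks(nets: List[PrivateNetwork]) -> List[str]:
    """Problems with the ordered private network table."""
    problems = []
    parsed: List[Optional[ipaddress.IPv4Network]] = []
    for n in nets:
        try:
            parsed.append(ipaddress.IPv4Network(n.cidr))  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{n.cidr!r} is not a valid CIDR network: {exc}")
            parsed.append(None)
        if not valid_ports(n.ports):
            problems.append(f"{n.cidr}: ports {n.ports!r} is not a valid range")
    # Entries match top-down.  A non-optimized entry (for example an active-mode FTP
    # server) placed below an overlapping TCP-optimized entry is never reached.
    for i, (upper, upper_net) in enumerate(zip(nets, parsed)):
        if upper_net is None or not (upper.enabled and upper.tcp_optimization):
            continue
        for lower, lower_net in zip(nets[i + 1:], parsed[i + 1:]):
            if lower_net is None or lower.tcp_optimization or not lower.enabled:
                continue
            if upper_net.overlaps(lower_net):
                problems.append(f"{lower.cidr} (TCP optimization off) sits below "
                                f"TCP-optimized {upper.cidr} and will never match; move it up")
    return problems


# Constructed sample data.
EDGE_NETWORKS = ["10.10.0.0/16", "192.168.50.0/24"]   # networks already on the edge
GOOD_POOL = IPPool("172.16.100.10-172.16.100.100", "255.255.255.0", "172.16.100.1")
BAD_POOL = IPPool("10.10.5.10-10.10.5.50", "255.255.255.0", "10.10.5.20")
NETS = [
    PrivateNetwork("10.10.20.0/24", tcp_optimization=True, ports="80-81"),
    PrivateNetwork("10.10.20.25/32", ports="20-21"),   # active-mode FTP server, shadowed
    PrivateNetwork("10.10.30.1/24"),                   # host bits set: rejected
]

if __name__ == "__main__":
    for label, result in (("good pool", check_pool(GOOD_POOL, EDGE_NETWORKS)),
                          ("bad pool", check_pool(BAD_POOL, EDGE_NETWORKS)),
                          ("networks", check_private_networks(NETS))):
        print(label, result or "OK")
```

Run it as a script to see which entries it rejects; swapping the two 10.10.20.x private networks so the FTP entry sits above the TCP-optimized one makes the ordering complaint disappear, which is exactly the reordering the note above asks for.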

What to do next

Add an authentication server. See Configure an Authentication Service for SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway.

Important- Add the corresponding firewall rules to allow network traffic to the private networks you have added in this screen. See Add a Networking Data Center for VMware vSphere Edge Gateway Firewall Rule.

Configure an Authentication Service for SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway

 

Use the Authentication screen on the SSL VPN-Plus tab to set up a local authentication server for the edge gateway SSL VPN service and optionally enable client certificate authentication. This authentication server is used to authenticate the connecting users. All users configured in the local authentication server will be authenticated.

You can have only one local SSL VPN-Plus authentication server configured on the edge gateway. If you click + LOCAL and specify additional authentication servers, an error message is displayed when you try to save the configuration.

The maximum time to authenticate over SSL VPN is three (3) minutes. This maximum is determined by the non-authentication timeout, which is 3 minutes by default and is not configurable. As a result, if you have multiple authentication servers in chain authorization and user authentication takes more than 3 minutes, the user will not be authenticated.

Prerequisites

Navigate to the SSL-VPN Plus Screen.

Add a Private Network for Use with SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway.

If you intend to enable client certificate authentication, verify that a CA certificate has been added to the edge gateway. See Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification.

Procedure

1      Click the SSL VPN-Plus tab and Authentication.

2      Click Local.

3      Configure the authentication server settings.

a         (Optional) Enable and configure the password policy.

 

Option

Description

Enable password policy

Turn on enforcement of the password policy settings you configure here.

Password Length

Enter the minimum and maximum allowed number of characters for password length.

Minimum no. of alphabets

(Optional) Type the minimum number of alphabetic characters that are required in the password.

Minimum no. of digits

(Optional) Type the minimum number of numeric characters that are required in the password.

Minimum no. of special characters

(Optional) Type the minimum number of special characters, such as ampersand (&), hash (#), percent sign (%) and so on, that are required in the password.

Password should not contain user ID

(Optional) Enable to enforce that the password must not contain the user ID.

Password expires in

(Optional) Type the maximum number of days that a password can exist before the user must change it.

Expiry notification in

(Optional) Type the number of days prior to the Password expires in value at which the user is notified the password is about to expire.

 

b         (Optional) Enable and configure the account lockout policy.

 

Option

Description

Enable account lockout policy

Turn on enforcement of the account lockout policy settings you configure here.

Retry Count

Enter the number of unsuccessful login attempts a user is allowed before the account is locked.

Retry Duration

Enter the time period, in minutes, within which the unsuccessful login attempts are counted toward locking the account.

For example, if you specify the Retry Count as 5 and Retry Duration as 1 minute, the account of the user is locked after 5 unsuccessful login attempts within 1 minute.

Lockout Duration

Enter the time period for which the user account remains locked. After this time has elapsed, the account is automatically unlocked.

 

c         In the Status section, enable this authentication server.

 

d         (Optional) Configure secondary authentication.

 

Option

Description

Use this server for secondary authentication

(Optional) Specify whether to use the server as the second level of authentication.

Terminate session if authentication fails

(Optional) Specify whether to end the VPN session when authentication fails.

 

e         Click Keep.

 

4      (Optional) To enable client certificate authentication, click Change certificate, then turn on the enablement toggle, select the CA certificate to use, and click OK.
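The password policy table in step 3a and the account lockout table in step 3b describe rules, but not how they interact with real logins. The following Python module, an added example for this guide and not code from the Cyfuture Cloud Console product, implements both policies as the screens describe them so you can see what a given setting accepts or rejects: the password checker returns every rule a candidate violates, and the lockout tracker counts failures inside the Retry Duration window, locks after Retry Count of them, and unlocks automatically once Lockout Duration has elapsed. Policy values, user names and timestamps are constructed; time is passed in as epoch seconds so the behaviour is deterministic.

```python
"""Local SSL VPN-Plus authentication server policies (password policy and account
lockout policy) as described in this section.  Added example, not product code;
policy values, users and login timestamps are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_alphabets: int = 1
    min_digits: int = 1
    min_special: int = 1
    forbid_user_id: bool = True   # "Password should not contain user ID"


def check_password(policy: PasswordPolicy, user_id: str, password: str) -> List[str]:
    """Return the policy rules the password violates; an empty list means accepted."""
    violations = []
    if not policy.min_length <= len(password) <= policy.max_length:
        violations.append(f"length must be {policy.min_length}-{policy.max_length}")
    if sum(c.isalpha() for c in password) < policy.min_alphabets:
        violations.append(f"needs at least {policy.min_alphabets} alphabetic character(s)")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        violations.append(f"needs at least {policy.min_digits} digit(s)")
    # "special" here means any printable character that is neither a letter nor a digit
    if sum((not c.isalnum()) and c.isprintable() for c in password) < policy.min_special:
        violations.append(f"needs at least {policy.min_special} special character(s)")
    if policy.forbid_user_id and user_id.lower() in password.lower():
        violations.append("must not contain the user ID")
    return violations


@dataclass
class LockoutPolicy:
    retry_count: int = 5        # unsuccessful attempts allowed ...
    retry_duration: int = 1     # ... within this many minutes
    lockout_duration: int = 30  # minutes the account then stays locked


class LockoutTracker:
    """Tracks failed logins per user against a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures: Dict[str, List[float]] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                    # lockout elapsed: unlock automatically
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        window = self.policy.retry_duration * 60
        # Only failures inside the Retry Duration window count toward Retry Count.
        recent = [t for t in self.failures.get(user, []) if now - t < window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.retry_count:
            self.locked_until[user] = now + self.policy.lockout_duration * 60
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    pol = PasswordPolicy()
    print(check_password(pol, "alice", "Alice#2024") or "accepted")
    tracker = LockoutTracker(LockoutPolicy(retry_count=5, retry_duration=1, lockout_duration=30))
    for second in range(5):              # five failures inside one minute
        locked = tracker.record_failure("alice", 1000.0 + second)
    print("locked after 5 attempts in 1 minute:", locked)
```

In a real service you would pass `time.time()` as `now`; the example keeps it explicit so the window arithmetic can be checked. Note that failures spread more than Retry Duration apart never accumulate to Retry Count, which matches the worked example in the Retry Duration row.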

 

What to do next

Add local users to the local authentication server so that they can connect with SSL VPN-Plus. See Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server.

Create an installation package containing the SSL Client so remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package.

Add SSL VPN-Plus Users to the Local SSL VPN-Plus Authentication Server

Use the Users screen on the SSL VPN-Plus tab to add accounts for your remote users to the local authentication server for the Networking Data Center for VMware vSphere edge gateway SSL VPN service.

Note- If a local authentication server is not already configured, adding a user on the Users screen automatically adds a local authentication server with default values. You can then use the edit button on the Authentication screen to view and edit the default values. For information about using the Authentication screen, see Configure an Authentication Service for SSL VPN-Plus on a Networking Data Center for VMware vSphere Edge Gateway.


Prerequisites

Navigate to the SSL-VPN Plus Screen.

Procedure

1      On the SSL VPN-Plus tab, click Users.

2      Click the Create button.

3      Configure the following options for the user.

 

Option

Description

User ID

Enter the user ID.

Password

Enter a password for the user.

Retype Password

Reenter the password.

First name

(Optional) Enter the first name of the user.

Last name

(Optional) Enter the last name of the user.

Description

(Optional) Enter a description for the user.

Enabled

Specify whether the user is enabled or disabled.

Password never expires

(Optional) Specify whether to keep the same password for this user forever.

Allow change password

(Optional) Specify whether to let the user change the password.

Change password on next login

(Optional) Specify whether you want this user to change the password the next time the user logs in.

 

4      Click Keep.

5      Repeat the steps to add additional users.

What to do next

Create an installation package containing the SSL Client so the remote users can install it on their local systems. See Add an SSL VPN-Plus Client Installation Package.

Add an SSL VPN-Plus Client Installation Package

Use the Installation Packages screen on the SSL VPN-Plus tab to create named installation packages of the SSL VPN-Plus client for the remote users.

You can add an SSL VPN-Plus client installation package to the Networking Data Center for VMware vSphere edge gateway. New users are prompted to download and install this package when they log in to use the VPN connection for the first time. When added, these client installation packages are then downloadable from the FQDN of the edge gateway's public interface.

You can create installation packages that run on Windows, Linux, and Mac operating systems. If you require different installation parameters per SSL VPN client, create an installation package for each configuration.

Prerequisites

Navigate to the SSL-VPN Plus Screen.

Procedure

1      On the SSL VPN-Plus tab in the tenant portal, click Installation Packages.

2      Click the Add button.

3      Configure the installation package settings.

 

Option

Description

Profile Name

Enter a profile name for this installation package.

This name is displayed to the remote user to identify this SSL VPN connection to the edge gateway.

Gateway

Enter the IP address or FQDN of the edge gateway public interface.

The IP address or FQDN that you enter is bound to the SSL VPN client. When the client is installed on the local system of the remote user, this IP address or FQDN is displayed on that SSL VPN client.

To bind additional edge gateway uplink interfaces to this SSL VPN client, click the Add button to add rows and type in their interface IP addresses or FQDNs, and ports.

Port

(Optional) To modify the port value from the displayed default, double-click the value and enter a new value.

Windows, Linux, Mac

Select the operating systems for which you want to create the installation packages.

Description

(Optional) Type a description for this installation package.

Enabled

Specify whether this package is enabled or disabled.

 

4      Select the installation parameters for Windows.

 

Option

Description

Start client on logon

Starts the SSL VPN client when the remote user logs in to their local system.

Allow remember password

Enables the client to remember the user password.

Enable silent mode installation

Hides installation commands from remote users.

Hide SSL client network adapter

Hides the Cyfuture Cloud SSL VPN-Plus Adapter which is installed on the computer of the remote user, together with the SSL VPN client installation package.

Hide client system tray icon

Hides the SSL VPN tray icon which indicates whether the VPN connection is active or not.

Create desktop icon

Creates an icon on the user desktop to invoke the SSL client.

Enable silent mode operation

Hides the window that indicates that installation is complete.

Server security certificate validation

The SSL VPN client validates the SSL VPN server certificate before establishing the secure connection.

 

5      Click Keep.

 

What to do next

Edit the client configuration. See Edit SSL VPN-Plus Client Configuration.

Edit SSL VPN-Plus Client Configuration

Use the Client Configuration screen on the SSL VPN-Plus tab to customize the way the SSL VPN client tunnel responds when the remote user logs in to SSL VPN.

Prerequisites

Navigate to the SSL-VPN Plus Screen.

Procedure

1      On the SSL VPN-Plus tab, click Client Configuration.

2      Select the Tunneling mode.

In split tunnel mode, only the VPN traffic flows through the edge gateway.

In full tunnel mode, the edge gateway becomes the default gateway for the remote user, and all traffic (VPN, local, and Internet) flows through the edge gateway.

3      If you select full tunnel mode, enter the IP address for the default gateway used by the clients of the remote users and, optionally, select whether to exclude local subnet traffic from flowing through the VPN tunnel.

4      (Optional) Disable auto reconnect.

 

Auto reconnect is enabled by default. If auto reconnect is enabled, the SSL VPN client automatically reconnects users when they get disconnected.

5      (Optional) Enable the ability for the client to notify remote users when a client upgrade is available.

This option is disabled by default. If you enable this option, remote users can choose to install the upgrade.

6      Click Save changes.

 

Customize the General SSL VPN-Plus Settings for a Networking Data Center for VMware vSphere Edge Gateway

By default, the system sets some SSL VPN-Plus settings on an edge gateway in your Cyfuture Cloud Console environment. You can use the General Settings screen on the SSL VPN-Plus tab in the Cyfuture Cloud Console tenant portal to customize these settings.

Prerequisites

Navigate to the SSL-VPN Plus Screen.

Procedure

1      On the SSL VPN-Plus tab, click General Settings.

2      Edit the general settings as required for the needs of your organization.

 

Option

Description

Prevent multiple logon using same username

Turn on to restrict a remote user to having only one active login session under the same user name.

Compression

Turn on to enable TCP-based intelligent data compression and improve data transfer speed.

Enable Logging

Turn on to maintain a log of the traffic that passes through the SSL VPN gateway.

Logging is enabled by default.

Force virtual keyboard

Turn on to require remote users to use a virtual (on-screen) keyboard only to enter login information.

Randomize keys of virtual keyboard

Turn on to have the virtual keyboard use a randomized key layout.

Session idle timeout

Enter the session idle timeout in minutes.

If there is no activity in a user session for the specified time period, the system disconnects the user session. The system default is 10 minutes.

User notification

Type the message to be displayed to remote users after they log in.

Enable public URL access

Turn on to allow remote users to access sites that are not explicitly configured by you for remote user access.

Enable forced timeout

Turn on to have the system disconnect remote users after the time period that you specify in the Forced timeout field is over.

Forced timeout

Type the timeout period in minutes.

This field is displayed when Enable forced timeout toggle is turned on.

 

3      Click Save changes.

 

Configure IPsec VPN

The Networking Data Center for VMware vSphere edge gateways in a Cyfuture Cloud Console environment support site-to-site Internet Protocol Security (IPsec) to secure VPN tunnels between organization virtual data center networks or between an organization virtual data center network and an external IP address. You can configure the IPsec VPN service on an edge gateway.

Setting up an IPsec VPN connection from a remote network to your organization virtual data center is the most common scenario. The Networking software provides edge gateway IPsec VPN capabilities, including support for certificate authentication, preshared key mode, and IP unicast traffic between itself and remote VPN routers. You can also configure multiple subnets to connect through IPsec tunnels to the internal network behind an edge gateway. When you configure multiple subnets to connect through IPsec tunnels to the internal network, those subnets and the internal network behind the edge gateway must not have address ranges that overlap.

Note- If the local and remote peer across an IPsec tunnel have overlapping IP addresses, traffic forwarding across the tunnel might not be consistent depending on whether local connected routes and auto-plumbed routes exist.

The following IPsec VPN algorithms are supported:

AES (AES128-CBC)

AES256 (AES256-CBC)

Triple DES (3DES192-CBC)

AES-GCM (AES128-GCM)

DH-2 (Diffie-Hellman group 2)

DH-5 (Diffie-Hellman group 5)

DH-14 (Diffie-Hellman group 14)

Note- Dynamic routing protocols are not supported with IPsec VPN. When you configure an IPsec VPN tunnel between an edge gateway of the organization virtual data center and a physical gateway VPN at a remote site, you cannot configure dynamic routing for that connection. The IP address of that remote site cannot be learned by dynamic routing on the edge gateway uplink.

 

As described in the IPSec VPN Overview topic in the Networking Administration Guide, the maximum number of tunnels supported on an edge gateway is determined by its configured size: compact, large, x-large, quad large.

To view the size of your edge gateway configuration, navigate to the edge gateway and click the edge gateway name.

Configuring IPsec VPN on an edge gateway is a multi-step process.

Note- If a firewall is between the tunnel endpoints, after you configure the IPsec VPN service, update the firewall rules to allow the following IP protocols and UDP ports:

- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port 4500 (IKE/ESP NAT traversal)
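The following script audits a firewall rule list for the four entries named in the note above, in both directions between the two tunnel endpoints. It is an added example and not code from the Cyfuture Cloud Console or Networking product; the rule records are a constructed, simplified representation (one dict per rule), the two addresses are constructed documentation-range values, and a real firewall export would need its own parser in front of these functions.

```python
"""Check a firewall rule set for the entries an IPsec tunnel needs.

Added example; not code from the Cyfuture Cloud Console or Networking
product. The rule records below are a constructed, simplified representation
(one dict per rule) and the addresses are constructed sample values.
"""
from typing import Dict, List

# The protocols and ports named in the note above: ESP (IP protocol 50),
# AH (IP protocol 51), IKE on UDP 500 and IKE/ESP NAT traversal on UDP 4500.
REQUIRED = [
    ("ip", 50, "ESP"),
    ("ip", 51, "AH"),
    ("udp", 500, "IKE"),
    ("udp", 4500, "NAT-T"),
]

LOCAL = "203.0.113.10"   # constructed: public IP of the edge gateway
PEER = "198.51.100.20"   # constructed: public IP of the remote VPN gateway

# Constructed sample rule set: IKE and NAT-T are open both ways, ESP is
# allowed only from the peer towards the edge gateway, AH is not allowed.
SAMPLE_RULES: List[Dict] = [
    {"action": "allow", "src": "any", "dst": "any", "proto": "udp", "dport": [500, 4500]},
    {"action": "allow", "src": PEER, "dst": LOCAL, "proto": "ip", "proto_id": 50},
    {"action": "deny", "src": "any", "dst": "any", "proto": "any"},
]


def rule_allows(rule: Dict, src: str, dst: str, proto: str, number: int) -> bool:
    """True if one rule permits proto/number from src to dst."""
    if rule["action"] != "allow":
        return False
    if rule["src"] not in ("any", src) or rule["dst"] not in ("any", dst):
        return False
    if proto == "ip":
        # IP-protocol rules are keyed on the protocol number (50 = ESP, 51 = AH).
        return rule["proto"] == "ip" and rule.get("proto_id") == number
    if rule["proto"] != "udp":
        return False
    ports = rule.get("dport", "any")
    if ports == "any":
        return True
    return number in (ports if isinstance(ports, list) else [ports])


def missing_ipsec_rules(rules: List[Dict], local: str, peer: str) -> List[str]:
    """List the required entries that no rule allows, checked in both directions.

    An empty list means the firewall between the tunnel endpoints lets IKE,
    NAT-T, ESP and AH through for this peer pair.
    """
    missing = []
    for proto, number, label in REQUIRED:
        for src, dst in ((local, peer), (peer, local)):
            if not any(rule_allows(r, src, dst, proto, number) for r in rules):
                missing.append(f"{label} {src} -> {dst}")
    return missing


if __name__ == "__main__":
    for gap in missing_ipsec_rules(SAMPLE_RULES, LOCAL, PEER):
        print("missing:", gap)
```

Run against the constructed sample, the audit reports the ESP entry that is missing in the edge-to-peer direction and both AH entries; adding "any to any" allow rules for IP protocols 50 and 51 clears the report.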

 

Procedure

1      Navigate to the IPsec VPN Screen

In the IPsec VPN screen, you can begin configuring the IPsec VPN service for a Networking Data Center for VMware vSphere edge gateway.

2      Configure the IPsec VPN Site Connections for the Networking Data Center for VMware vSphere Edge Gateway

Use the IPsec VPN Sites screen in the Cyfuture Cloud Console tenant portal to configure the settings needed to create an IPsec VPN connection between your organization virtual data center and another site using the edge gateway IPsec VPN capabilities.

3      Enable the IPsec VPN Service on a Networking Data Center for VMware vSphere Edge Gateway

When at least one IPsec VPN connection is configured, you can enable the IPsec VPN service on the edge gateway.

4      Specify Global IPsec VPN Settings

Use the Global Configuration screen to configure IPsec VPN authentication settings at the edge gateway level. On this screen, you can set a global pre-shared key and enable certificate authentication.

Navigate to the IPsec VPN Screen

In the IPsec VPN screen, you can begin configuring the IPsec VPN service for a Networking Data Center for VMware vSphere edge gateway.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b      Select the edge gateway that you want to edit and click Services.

2      Navigate to VPN > IPsec VPN.

What to do next

Use the IPsec VPN Sites screen to configure an IPsec VPN connection. At least one connection must be configured before you can enable the IPsec VPN service on the edge gateway. See Configure the IPsec VPN Site Connections for the Networking Data Center for VMware vSphere Edge Gateway.

Configure the IPsec VPN Site Connections for the Networking Data Center for VMware vSphere Edge Gateway

Use the IPsec VPN Sites screen in the Cyfuture Cloud Console tenant portal to configure settings needed to create an IPsec VPN connection between your organization virtual data center and another site using the edge gateway IPsec VPN capabilities.

When you configure an IPsec VPN connection between sites, you configure the connection from the point of view of your current location. Setting up the connection requires that you understand the following concepts in the context of the Cyfuture Cloud Console environment so that you configure the VPN connection correctly.

- The local and peer subnets specify the networks to which the VPN connects. When you specify these subnets in the configuration for IPsec VPN sites, enter a network range and not a specific IP address. Use CIDR format, such as 192.168.99.0/24.

- The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address. For peers using certificate authentication, this ID must be the distinguished name set in the peer certificate. For PSK peers, this ID can be any string. A Networking best practice is to use the public IP address or FQDN of the remote device as the peer ID. If the peer IP address is from another organization virtual data center network, enter the native IP address of the peer. If NAT is configured for the peer, enter the peer's private IP address.

- The peer endpoint specifies the public IP address of the remote device to which you are connecting. The peer endpoint might be a different address from the peer ID if the peer's gateway is not directly accessible from the Internet but connects through another device. If NAT is configured for the peer, enter the public IP address that the device uses for NAT.

- The local ID specifies the public IP address of the edge gateway of the organization virtual data center. You can enter an IP address or a hostname, consistent with the edge gateway firewall configuration.

- The local endpoint specifies the network in your organization virtual data center on which the edge gateway transmits. Typically, the external network of the edge gateway is the local endpoint.
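The two address rules that matter most when filling in a site entry are that each subnet field holds network ranges in CIDR form (not host addresses) and that the peer subnets must not overlap the networks behind the edge gateway, as the overview of this section states. The following validator, an added example that is not part of the product or its documentation, checks a Local Subnets and Peer Subnets field the way a practitioner would before saving the entry; the function names, the `internal` parameter for the network behind the edge gateway, and the sample addresses are constructed for illustration.

```python
"""Validate the Local Subnets / Peer Subnets fields of an IPsec VPN site entry.

Added example, not code from the Cyfuture Cloud Console documentation.
Function names, the `internal` parameter and the sample addresses are
constructed for illustration.
"""
import ipaddress
from typing import List


def parse_subnets(field: str) -> list:
    """Parse a comma-separated subnet field into ipaddress network objects.

    Every entry must be a network range in CIDR form. A bare address such as
    192.168.99.7 or an address with host bits set such as 192.168.99.7/24 is
    rejected, because the screen expects a range, not a specific IP address.
    """
    nets = []
    for entry in field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError(f"{entry!r}: enter a network range in CIDR form, not a single IP address")
        try:
            # strict=True makes ip_network() refuse entries with host bits set.
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"{entry!r}: not a valid CIDR network range ({exc})") from exc
    return nets


def check_no_overlap(local: str, peer: str, internal: str) -> List[str]:
    """Return a list of problems; an empty list means the entry is consistent.

    local and peer are the comma-separated field values; internal is the
    organization network behind the edge gateway (constructed parameter).
    """
    local_nets = parse_subnets(local)
    peer_nets = parse_subnets(peer)
    internal_net = ipaddress.ip_network(internal, strict=True)
    problems = []
    # Subnets reached through the tunnel must not overlap each other ...
    for i, a in enumerate(peer_nets):
        for b in peer_nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"peer subnets {a} and {b} overlap")
    # ... nor the internal network or the local subnets behind the edge gateway.
    for p in peer_nets:
        if p.overlaps(internal_net):
            problems.append(f"peer subnet {p} overlaps internal network {internal_net}")
        for loc in local_nets:
            if p.overlaps(loc):
                problems.append(f"peer subnet {p} overlaps local subnet {loc}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a clean entry, then one whose peer subnet
    # collides with the network behind the edge gateway.
    print(check_no_overlap("192.168.99.0/24", "10.10.0.0/16, 10.20.0.0/16", "192.168.99.0/24"))
    print(check_no_overlap("192.168.99.0/24", "192.168.99.0/25, 10.10.0.0/16", "192.168.99.0/24"))
```

The second sample reports two problems (the peer range 192.168.99.0/25 overlaps both the internal network and the local subnet), which is exactly the situation the overview warns will make traffic forwarding across the tunnel inconsistent.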

Prerequisites

- Navigate to the IPsec VPN Screen.

- Configure IPsec VPN.

- If you intend to use a global certificate as the authentication method, verify that certificate authentication is enabled on the Global Configuration screen. See Specify Global IPsec VPN Settings.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b      Select the edge gateway that you want to edit and click Services.

2      On the IPsec VPN tab, click IPsec VPN Sites.

3      Click the Add button.

4      Configure the IPsec VPN connection settings.

Option / Action

Enabled
    Enable this connection between the two VPN endpoints.

Enable perfect forward secrecy (PFS)
    Enable this option to have the system generate unique public keys for all IPsec VPN sessions your users initiate. Enabling PFS ensures that the system does not create a link between the edge gateway private key and each session key. The compromise of a session key does not affect data other than the data exchanged in the specific session protected by that key, and compromise of the server's private key cannot be used to decrypt archived or future sessions. When PFS is enabled, IPsec VPN connections to this edge gateway experience a slight processing overhead.
    Important: The unique session keys must not be used to derive any additional keys. Also, both sides of the IPsec VPN tunnel must support PFS for it to work.

Name
    (Optional) Enter a name for the connection.

Local ID
    Enter the external IP address of the edge gateway instance, which is the public IP address of the edge gateway. This IP address is the one used as the peer ID in the IPsec VPN configuration on the remote site.

Local Endpoint
    Enter the network that is the local endpoint for this connection. The local endpoint specifies the network in your organization virtual data center on which the edge gateway transmits. Typically, the external network is the local endpoint. If you add an IP-to-IP tunnel using a pre-shared key, the local ID and the local endpoint IP can be the same.

Local Subnets
    Enter the networks to share between the sites, using a comma as a separator to enter multiple subnets. Enter a network range (not a specific IP address) in CIDR format, for example 192.168.99.0/24.

Peer ID
    Enter a peer ID to uniquely identify the peer site. The peer ID is an identifier that uniquely identifies the remote device that terminates the VPN connection, typically its public IP address. For peers using certificate authentication, the ID must be the distinguished name in the peer's certificate. For PSK peers, this ID can be any string. A Networking best practice is to use the remote device's public IP address or FQDN as the peer ID. If the peer IP address is from another organization virtual data center network, enter the native IP address of the peer. If NAT is configured for the peer, enter the peer's private IP address.

Peer Endpoint
    Enter the IP address or FQDN of the peer site, which is the public-facing address of the remote device to which you are connecting.
    Note: When NAT is configured for the peer, enter the public IP address that the device uses for NAT.

Peer Subnets
    Enter the remote networks to which the VPN connects, using a comma as a separator to enter multiple subnets. Enter a network range (not a specific IP address) in CIDR format, for example 192.168.99.0/24.

Encryption Algorithm
    Select the encryption algorithm type from the drop-down menu.
    Note: The encryption type you select must match the encryption type configured on the remote site VPN device.

Authentication
    Select an authentication method. The options are:
    - PSK: Pre-Shared Key (PSK) specifies that the secret key shared between the edge gateway and the peer site is to be used for authentication.
    - Certificate: Certificate authentication specifies that the certificate defined at the global level is to be used for authentication. This option is not available unless you have configured the global certificate on the IPsec VPN tab's Global Configuration screen.

Change Shared Key
    (Optional) When you are updating the settings of an existing connection, you can turn on this option to make the Pre-Shared Key field available so that you can update the shared key.

Pre-Shared Key
    If you selected PSK as the authentication type, type an alphanumeric secret string with a maximum length of 128 bytes.
    Note: The shared key must match the key that is configured on the remote site VPN device. A best practice is to configure a shared key when anonymous sites will connect to the VPN service.

Display Shared Key
    (Optional) Enable this option to make the shared key visible on the screen.

Diffie-Hellman Group
    Select the cryptography scheme that allows the peer site and this edge gateway to establish a shared secret over an insecure communications channel.
    Note: The Diffie-Hellman group must match what is configured on the remote site VPN device.

Extension
    (Optional) Type one of the following options:
    - securelocaltrafficbyip=IPAddress to redirect the edge gateway local traffic over the IPsec VPN tunnel. This is the default value.
    - passthroughSubnets=PeerSubnetIPAddress to support overlapping subnets.

5      Click Keep.

6      Click Save changes.

What to do next

Configure the connection for the remote site. You must configure the IPsec VPN connection on both sides of the connection: your organization virtual data center and the peer site.

Enable the IPsec VPN service on this edge gateway. When at least one IPsec VPN connection is configured, you can enable the service. See Enable the IPsec VPN Service on a Networking Data Center for VMware vSphere Edge Gateway.

Enable the IPsec VPN Service on a Networking Data Center for VMware vSphere Edge Gateway

When at least one IPsec VPN connection is configured, you can enable the IPsec VPN service on the edge gateway.

Prerequisites

- Navigate to the IPsec VPN Screen.

- Verify that at least one IPsec VPN connection is configured for this edge gateway. See the steps described in Configure the IPsec VPN Site Connections for the Networking Data Center for VMware vSphere Edge Gateway.

Procedure

1      On the IPsec VPN tab, click Activation Status.

2      Click IPsec VPN Service Status to enable the IPsec VPN service.

3      Click Save changes.

Results

The edge gateway IPsec VPN service is active.

Specify Global IPsec VPN Settings

Use the Global Configuration screen to configure IPsec VPN authentication settings at the edge gateway level. On this screen, you can set a global pre-shared key and enable certificate authentication.

A global pre-shared key is used for those sites whose peer endpoint is set to any.

Prerequisites

- If you intend to enable certificate authentication, verify that you have at least one service certificate and the corresponding CA-signed certificates in the Certificates screen. Self-signed certificates cannot be used for IPsec VPNs. See Add a Service Certificate to the Edge Gateway.

- Navigate to the IPsec VPN Screen.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      On the IPsec VPN tab, click Global Configuration.

3      (Optional) Set a global pre-shared key:

a      Enable the Change Shared Key option.

b      Enter a pre-shared key.

The global pre-shared key (PSK) is shared by all the sites whose peer endpoint is set to any. If a global PSK is already set, changing the PSK to an empty value and saving it has no effect on the existing setting.

c      (Optional) Enable Display Shared Key to make the pre-shared key visible.

d      Click Save changes.

4      Configure certificate authentication:

a      Turn on Enable Certificate Authentication.

b      Select the appropriate service certificates, CA certificates, and CRLs.

c      Click Save changes.

What to do next

You can optionally enable logging for the IPsec VPN service of the edge gateway. See Statistics and Logs for an Edge Gateway.

 

Configure L2 VPN

The Networking Data Center for VMware vSphere edge gateways in a Cyfuture Cloud Console environment support L2 VPN. With L2 VPN, you can extend your organization virtual data center by enabling virtual machines to maintain network connectivity while retaining the same IP address across geographical boundaries. You can configure the L2 VPN service on an edge gateway.

Networking Data Center for VMware vSphere provides the L2 VPN capabilities of an edge gateway. With L2 VPN, you can configure a tunnel between two sites. Virtual machines remain on the same subnet despite being moved between these sites, which enables you to extend your organization virtual data center by stretching its network using L2 VPN. An edge gateway at one site can provide all services to virtual machines on the other site.

To create the L2 VPN tunnel, you configure an L2 VPN server and L2 VPN client. As described in the Networking Administration Guide, the L2 VPN server is the destination edge gateway and the L2 VPN client is the source edge gateway. After configuring the L2 VPN settings on each edge gateway, you must then enable the L2 VPN service on both the server and the client.

Note- A routed organization virtual data center network created as a subinterface must exist on the edge gateways.

Navigate to the L2 VPN Screen

To begin configuring the L2 VPN service for a Networking Data Center for VMware vSphere edge gateway, you must navigate to the L2 VPN screen.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b      Select the edge gateway that you want to edit and click Services.

2      Navigate to VPN > L2 VPN.

What to do next

Configure the L2 VPN server. See Configure the Networking Data Center for VMware vSphere Edge Gateway as an L2 VPN Server.

Configure the Networking Data Center for VMware vSphere Edge Gateway as an L2 VPN Server

The L2 VPN server is the destination Networking edge to which the L2 VPN client is going to connect.

 

As described in the Networking Administration Guide, you can connect multiple peer sites to this L2 VPN server.

Note- Changing site configuration settings causes the edge gateway to disconnect and reconnect all existing connections.

Prerequisites

- Verify that the edge gateway has a routed organization virtual data center network that is configured as a subinterface on the edge gateway.

- Navigate to the L2 VPN Screen.

- If you want to bind a service certificate to the L2 VPN connection, verify that the server certificate has already been uploaded to the edge gateway. See Add a Service Certificate to the Edge Gateway.

- You must have the listener IP of the server, the listener port, the encryption algorithm, and at least one peer site configured before you can enable the L2 VPN service.

Procedure

1      On the L2 VPN tab, select Server for the L2 VPN mode.

2      On the Server Global tab, configure the L2 VPN server's global configuration details.

Option / Action

Listener IP
    Select the primary or secondary IP address of an external interface of the edge gateway.

Listener Port
    Edit the displayed value as appropriate for the needs of your organization. The default port for the L2 VPN service is 443.

Encryption Algorithm
    Select the encryption algorithm for the communication between the server and the client.

Service Certificate Details
    Click Change server certificate to select the certificate to be bound to the L2 VPN server. In the Change Server Certificate window, turn on Validate Server Certificate, select a server certificate from the list, and click OK.

3      To configure the peer sites, click the Server Sites tab.

4      Click the Add button.

5      Configure the settings for an L2 VPN peer site.

Option / Action

Enabled
    Enable this peer site.

Name
    Enter a unique name for the peer site.

Description
    (Optional) Type a description.

User ID, Password, Confirm Password
    Enter the user name and password with which the peer site is to be authenticated. User credentials on the peer site must be the same as the credentials on the client side.

Stretched Interfaces
    Select at least one subinterface to be stretched with the client. The subinterfaces available for selection are those organization virtual data center networks configured as subinterfaces on the edge gateway.

Egress Optimization Gateway Address
    (Optional) If the default gateway for virtual machines is the same across the two sites, enter the gateway IP addresses of the subinterfaces for which you want the traffic locally routed or blocked over the L2 VPN tunnel.

6      Click Keep.

7      Click Save changes.

What to do next

Enable the L2 VPN service on this edge gateway. See Enable the L2 VPN Service on a Networking Data Center for VMware vSphere Edge Gateway.

Configure the Networking Data Center for VMware vSphere Edge Gateway as an L2 VPN Client

The L2 VPN client is the source Networking edge that initiates communication with the destination Networking edge, the L2 VPN server.

Prerequisites

- Navigate to the L2 VPN Screen.

- If this L2 VPN client is connecting to an L2 VPN server that uses a server certificate, verify that the corresponding CA certificate is uploaded to the edge gateway to enable server certificate validation for this L2 VPN client. See Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification.

Procedure

1      On the L2 VPN tab, select Client for the L2 VPN mode.

2      On the Client Global tab, configure the global configuration details of the L2 VPN client.

Option / Description

Server Address
    Enter the IP address of the L2 VPN server to which this client is to be connected.

Server Port
    Enter the L2 VPN server port to which the client should connect. The default port is 443.

Encryption Algorithm
    Select the encryption algorithm for communicating with the server.

Stretched Interfaces
    Select the subinterfaces to be stretched to the server. The subinterfaces available to select are the organization virtual data center networks configured as subinterfaces on the edge gateway.

Egress Optimization Gateway Address
    (Optional) If the default gateway for virtual machines is the same across the two sites, type the gateway IP addresses of the subinterfaces or the IP addresses to which traffic should not flow over the tunnel.

User Details
    Enter the user ID and password for authentication with the server.

3      Click Save changes.

4      (Optional) To configure advanced options, click the Client Advanced tab.

5      If this L2 VPN client edge does not have direct access to the Internet and must reach the L2 VPN server edge by using a proxy server, specify the proxy settings.

Option / Description

Enable Secure Proxy
    Select to enable the secure proxy.

Address
    Enter the proxy server IP address.

Port
    Enter the proxy server port.

User Name, Password
    Enter the proxy server authentication credentials.

6      To enable server certificate validation, click Change CA certificate and select the appropriate CA certificate.

7      Click Save changes.

What to do next

Enable the L2 VPN service on this edge gateway. See Enable the L2 VPN Service on a Networking Data Center for VMware vSphere Edge Gateway.

Enable the L2 VPN Service on a Networking Data Center for VMware vSphere Edge Gateway

When the required L2 VPN settings are configured, you can enable the L2 VPN service on the edge gateway.

Note- If HA is already configured on this edge gateway, ensure that the edge gateway has more than one internal interface configured on it. If only a single internal interface exists and it has already been used by the HA capability, the L2 VPN configuration on the same internal interface fails.

Prerequisites

- If this edge gateway is an L2 VPN server, the destination Networking edge, verify that the required L2 VPN server settings and at least one L2 VPN peer site are configured. See the steps described in Configure the Networking Data Center for VMware vSphere Edge Gateway as an L2 VPN Server.

- If this edge gateway is an L2 VPN client, the source Networking edge, verify that the L2 VPN client settings are configured. See the steps described in Configure the Networking Data Center for VMware vSphere Edge Gateway as an L2 VPN Client.

- Navigate to the L2 VPN Screen.

Procedure

1      On the L2 VPN tab, click the Enable toggle.

2      Click Save changes.

Results

The L2 VPN service of the edge gateway becomes active.

What to do next

Create NAT or firewall rules on the Internet-facing firewall side to enable the L2 VPN server to connect to the L2 VPN client.

Remove the L2 VPN Service Configuration from a Networking Data Center for VMware vSphere Edge Gateway

You can remove the existing L2 VPN service configuration of the edge gateway. This action also disables the L2 VPN service on the edge gateway.

Prerequisites

Navigate to the L2 VPN Screen.

Procedure

1      Scroll down to the bottom of the L2 VPN screen, and click Delete configuration.

2      To confirm the deletion, click OK.

Results

The L2 VPN service is disabled and the configuration details are removed from the edge gateway.
