VPN-Cubed 2.x vpcplus Enterprise Edition


1 VPN-Cubed 2.x vpcplus Enterprise Edition v

2 Requirements

- You have an Amazon AWS account that CohesiveFT can use for enabling your access to the VPN-Cubed Manager AMIs.
- Ability to use the Amazon EC2 Command Line tools.
- Ability to create and configure a VPC deployment.
- You have a compliant IPsec firewall/router networking device:
  - Preferred: Cisco ASA
  - Validated: Cisco 1800, Cisco PIX, Juniper JunOS Models, Fortigate (3 years old or less), Watchguard Firebox (3 years old or less)
  - Best Effort: Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES and SHA1 or MD5

3 Getting Help with VPN-Cubed

Using VPC with VPN-Cubed adds a layer of complexity. This guide covers a very generic VPN-Cubed vpcplus setup. If you are interested in more custom use cases and would like CohesiveFT to advise and help set up the topology, contact sales@cohesiveft.com for services pricing. Please direct all support inquiries to our support address to ensure the fastest response: support@cohesiveft.com

4 Remote Support

Note that TCP 22 (ssh) is not required for normal operations. Each VPN-Cubed Manager runs a restricted SSH daemon whose access is limited to CohesiveFT for debugging purposes and is controlled by the user via the Remote Support toggle and key exchange generation. In the event CohesiveFT needs to observe the runtime state of a VPN-Cubed Manager in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and enable Remote Support via the Web UI. CohesiveFT will send you an encrypted passphrase to generate a private key used by CohesiveFT Support staff to access your Manager. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access.

5 Sizing Considerations

VPN-Cubed Enterprise Edition Managers packed for EC2 currently use the Amazon Small Instance type. 64-bit versions are available on request for Enterprise Edition subscribers. Contact us at for AMI information.

VPN-Cubed Managers currently generate 1024-bit keys for connecting the clients to the overlay network via the clientpacks. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit).

6 Firewall Considerations

VPC deployment access is controlled by three layers: VPC ACLs, VPC Security Groups, and Routing Tables. This document will show you how to open the correct ports in order to access the Manager, peer Managers, connect clients, and negotiate an IPsec tunnel.

The VPN-Cubed Manager instance uses the following TCP and UDP ports.

- UDP port 1194 For client VPN connections; must be accessible from all servers that will join the VPN-Cubed topology as clients.
- UDP For tunnels between manager peers; must be accessible from all peers in a given topology.
- TCP port 8000 HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the managers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
- UDP port 500, ESP Protocol and possibly UDP port 4500 IPsec connections to VPC deployments do not require NAT-Traversal like connections to generic EC2. To make native IPsec connections (without NAT-Traversal) to a VPC deployment you will need to allow access via UDP port 500 and ESP Protocol.

If you would like the EC2 IPsec Gateway to be able to initiate a connection (for example in the event of a broken connection) then you need to allow the public IP address of the gateway to connect to your IPsec device over these ports. If you want your IPsec device to initiate the connection, then these ports need to be opened to the public address of your IPsec device in the EC2 Security Group your gateway AMI was launched in.

7 Addressing Consideration

VPC
VPC deployments are launched in a VPC CIDR. That VPC CIDR can be split up into multiple subnets, private or public. All servers launched in a VPC are launched in one of the subnets created.

VPN-Cubed
VPN-Cubed provides an encrypted subnet in addition to the VPC subnets. Servers that are configured to join the VPN-Cubed encrypted Overlay Network do so via OpenVPN connections using the VPN-Cubed generated Client Packs. Each Client Pack is tied to a specific Overlay Network Address.

Restrictions
The VPC CIDR and VPC Subnets cannot overlap with the VPN-Cubed Overlay Network Subnet.

VPC Subnets (eth0)
- Not Encrypted
- OpenVPN is not required on Client Servers
- Client Packs are not required on Client Servers
- Cannot join generic EC2 directly (public Internet connection required)
- No Additional Overhead

VPN-Cubed Overlay Network Subnet (tun0)
- Encrypted
- OpenVPN is required on Client Servers
- Client Packs are required on Client Servers
- Can join generic EC2 services directly (OpenVPN or Peer Manager required)
- Additional Overhead (minimal)

When peering VPN-Cubed Managers between two VPCs or one VPC and generic EC2, all Client Servers must connect to the Overlay Network via clientpacks and OpenVPN. Contact support@cohesiveft.com for more information.

8 Your Configuration Begins Here!

9 Create a VPC From the VPC Wizard

Create a VPC from the VPC tab at the top of the AWS Console. Click VPC Dashboard in the left column menu. Click Get started creating a VPC.

Choose either VPC with a Single Public Subnet Only or VPC with Public and Private Subnets. The other two choices will not work with VPN-Cubed. For this example we choose VPC with a Single Public Subnet Only.

You can leave the default values in for the VPC CIDR and VPC Subnet or edit them to fit your addressing requirements. For this example we use /24 for the VPC CIDR and /25 for the Public Subnet. Remember the VPC CIDR and VPC Subnets must not overlap with the VPN-Cubed Overlay Network Subnet.

Click Create VPC. The VPC Wizard creates the VPC, the Subnet, Network ACL, Internet Gateway, 2 Routing Tables, and a Security Group.

10 Inbound and Outbound VPC ACL Setup

Configure Network ACLs from the VPC tab at the top of the AWS Console. Click Network ACLs in the left column menu under the SECURITY section. Select the ACL created by the VPC Wizard.

The default settings allow all ports on all protocols from all destinations for both inbound and outbound connections. This is due to our selection of a Public Subnet when setting up the VPC.

It is recommended you leave the ACLs open during initial configuration of your deployment. Once all connections are established and tested you can lock down the ACL based on the Firewall Considerations outlined on page 7 by deleting the default Rule #100 and adding specific ALLOW rules.

11 Inbound and Outbound VPC Security Group Setup

Configure Security Groups from the VPC tab at the top of the AWS Console. Click Security Groups in the left column menu under the SECURITY section. Select the Security Group created by the VPC Wizard.

The default settings allow inbound connections on all ports from servers launched in the VPC security group and allow outbound connections on all ports to all routes ( /0). Again, this is due to our selection of a Public Subnet when setting up the VPC. It is your choice to leave the default Outgoing rules or modify them based on your use case.

Add the following Inbound exceptions:

- TCP port 8000 from your public IP (you can find your IP address by navigating to
- UDP port 500 from the IP of your Datacenter-based IPsec Device
- Custom Protocol Rule for ESP from the IP of your Datacenter-based IPsec Device
- UDP port 4500 from the IP of your Datacenter-based IPsec Device*
- UDP ports from the Elastic IP of the Manager in the other VPC deployment (required for peering)
- TCP port 8000 from the Elastic IP of the Manager in the other VPC deployment (required for keyset fetch)

Click Apply Rule Changes.

12 Launch a VPN-Cubed Manager

Switch to the EC2 tab at the top of the AWS Console. Click AMIs in the left column menu under the IMAGES section. Launch a VPN-Cubed vpcplus Lite Edition instance using the AMI ID supplied by CohesiveFT. Be sure to launch the Instance in the VPC and the VPC security group that was created using the VPC Wizard.

NOTE: On the Instance Details step in the Request Instances Wizard you can specify a particular IP Address for the Manager Instance on the VPC Subnet that was created using the VPC Wizard. AWS will automatically assign an IP inside the VPC Subnet if this field is left blank (as we did for this example).

13 Disable Source/Destination Check on the Manager Instance

Once the Manager Instance is launched, you need to disable the Source/Destination check on the instance. This step is required so the Manager instance is allowed to forward packets to the client servers. If this is not disabled the Manager will not be able to route traffic appropriately.

To disable it, select the Manager Instance, then click Instance Actions. Click Change Source/Dest. Check. Click Yes, Disable.

14 Create a VPC Specific Elastic IP and Assign to the Manager Instance

Switch back to the VPC tab at the top of the AWS Console. Click Elastic IPs in the left column menu under the VIRTUAL PRIVATE CLOUD section. Click Allocate New Address and select that the Elastic IP is to be used in VPC. Click Yes, Allocate.

Associate the Elastic IP Address with your VPN-Cubed Manager Instance by clicking Associate Address. Select your VPN-Cubed Manager Instance and click Yes, Associate. Associating an Elastic IP with your VPN-Cubed Manager Instance will make the instance publicly available so you can log into the Manager Web UI to configure your Overlay Network and set up IPsec connections.

Repeat the steps outlined on pages 9-14 to create a second VPC deployment. CFT recommends using a different VPC CIDR for each VPC deployment.
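The addressing rules stated so far (VPC subnets sit inside their VPC CIDR, neither may overlap the Overlay Network subnet, and each VPC deployment should use a different VPC CIDR) can be checked before anything is launched. The Python check below is an added example, not part of the original guide or of VPN-Cubed; the function name, rule labels and all addresses are constructed for illustration.

```python
from ipaddress import ip_network
from itertools import combinations


def check_address_plan(deployments, overlay):
    """Return a list of (rule, detail) problems; an empty list means the plan is consistent.

    deployments maps a deployment name to {"vpc_cidr": str, "subnets": [str, ...]};
    overlay is the VPN-Cubed Overlay Network subnet shared by the peered Managers.
    """
    try:
        overlay_net = ip_network(overlay)
    except ValueError as exc:
        return [("invalid", f"overlay: {exc}")]
    problems, vpcs = [], {}
    for name, plan in deployments.items():
        try:
            vpc = ip_network(plan["vpc_cidr"])
            subnets = [ip_network(s) for s in plan["subnets"]]
        except ValueError as exc:  # e.g. host bits set, as in 10.0.0.1/24
            problems.append(("invalid", f"{name}: {exc}"))
            continue
        vpcs[name] = vpc
        # Restriction from the guide: no overlap with the Overlay Network subnet.
        if vpc.overlaps(overlay_net):
            problems.append(("overlay-overlap", f"{name}: {vpc} overlaps overlay {overlay_net}"))
        for subnet in subnets:
            if subnet.version != vpc.version or not subnet.subnet_of(vpc):
                problems.append(("outside-vpc", f"{name}: {subnet} is not inside {vpc}"))
                if subnet.overlaps(overlay_net):
                    problems.append(("overlay-overlap", f"{name}: {subnet} overlaps overlay"))
        for a, b in combinations(subnets, 2):
            if a.overlaps(b):
                problems.append(("subnet-overlap", f"{name}: {a} overlaps {b}"))
    # Recommendation from the guide: a different VPC CIDR per deployment.
    for (n1, c1), (n2, c2) in combinations(vpcs.items(), 2):
        if c1.overlaps(c2):
            problems.append(("shared-vpc-cidr", f"{n1} {c1} overlaps {n2} {c2}"))
    return problems


# Constructed sample plans (addresses are illustrative, not taken from the guide).
GOOD_PLAN = {
    "vpc-1": {"vpc_cidr": "10.0.0.0/24", "subnets": ["10.0.0.0/25"]},
    "vpc-2": {"vpc_cidr": "10.0.1.0/24", "subnets": ["10.0.1.0/25"]},
}
BAD_PLAN = {
    "vpc-1": {"vpc_cidr": "10.0.0.0/24", "subnets": ["10.0.0.0/25", "10.0.0.64/26"]},
    "vpc-2": {"vpc_cidr": "10.0.0.0/24", "subnets": ["10.0.2.0/25"]},
}

if __name__ == "__main__":
    print(check_address_plan(GOOD_PLAN, "172.31.1.0/24"))
    for rule, detail in check_address_plan(BAD_PLAN, "10.0.0.128/25"):
        print(rule, detail)
```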

15 Log into Manager 1

Login to the VPN-Cubed Web UI - Elastic IP>:8000

In order to have an encrypted connection to the VPN-Cubed Manager, the web UI uses HTTPS with a self-signed certificate generated on each manager individually on boot. You may need to add a security exception in your browser.

Log in with a username of vpncubed; the password is the instance id of this EC2 instance (i-xxxxxxx). You can obtain the instance id with the ec2-describe-instances command line, ElasticFox or AWS Console.

16 Configuring Manager 1: Upload License

Paste the encrypted VPN-Cubed license received from CohesiveFT in the first field. Enter a security token in the second field. This can be anything but must be the same for all Managers in the same topology. Click Submit and Reboot.

The Manager will be unavailable for a few moments while the instance reboots and configures itself per the configuration parameters included in the license.

17 Configuring Manager 1: License Parameters

Click License Parameters. The resulting screen allows you to choose between the subnet range that comes preconfigured with the license or a custom subnet defined by your specific topology needs. Click the Custom radio button to specify a custom subnet range. In addition to selecting a custom subnet range you can specify linear addressing for your Overlay Connected Devices (OLNDs).

In this example we use /24 for our custom subnet range. The Manager IPs is and the Overlay Connected Device IPs are

Once you complete this step, the manager instance will reboot itself and will come up with your specified topology enabled and running. Click Submit and reboot.

18 Generate Keys on VPN-Cubed Manager 1

The Manager is now configured to the License specs (how many managers it can peer with, how many clientpacks are available, and how many IPsec links are available).

Click Generate New under SSL Certs and Keys in the left column. During key generation you can specify a Topology name to be displayed in the Manager UI. This can be changed at any time by clicking on the Topology Name left column menu item.

Click the Generate keys link. The key generator will be started in the background, and you can refresh the screen to observe progress. This process will generate the client credentials that will be loaded onto the devices you wish to connect to the VPN-Cubed overlay network.

NOTE: This step is required regardless of whether you plan on using the encrypted Overlay Network subnet for your clients or the unencrypted VPC subnet.

19 Peering the Managers: Peering Manager 1

Click Setup Manager Peering. Managers connect to each other in a process called Peering. Peered Managers create a redundant, highly available and secure overlay network and share traffic load from the overlay network connected servers.

The Peering Setup Page will display the number of Managers allowed to peer together in your topology as defined by the license file used to configure the Manager.

For Manager #1 select "this instance" from the drop-down, instead of specifying its IP. To be valid, your form must have the "this instance" value in one and only one drop-down. If your topology has unused Managers, leave the extra fields set to "not set". Enter the Elastic IP Public DNS address of the second Manager for Manager #2. Repeat this for each additional Manager in your topology.

When done select Save Changes. You should then get a status page showing that this manager was able to reach the other launched manager instance.

20 Peering the Managers: Peering Manager 2, fetch the keyset from Manager 1 (do NOT regenerate)

Log in to the VPN-Cubed Manager UI on the second manager. Upload the same license used for Manager 1 on page 16. Specify the same license parameters used for Manager 1 on page 17.

DO NOT generate a new keyset on Manager 2. Click Fetch Keyset. (Remember that keys must be generated only once per topology!) Type in the private IP address of Manager1 (where keys were generated) and keys will be copied from Manager1 and set up locally.

21 Peering the Managers: Peering Manager 2

For Manager #1 enter the IP address of MGR1. For Manager #2 select "this instance" from the drop-down, instead of specifying its IP. To be valid, your form must have the "this instance" value in one and only one drop-down.

When done select Save Changes. You should then get a status page showing that this manager was able to reach the other launched manager instances. Verify that the topology checksum on Manager1 corresponds to that of Manager2.

22 VPN-Cubed Manager Status

The VPN-Cubed Manager is ready to set up an IPsec Tunnel. You should see all your peered Managers listed under the Links to Other Managers section on each Manager Runtime Status Page.

Click IPsec under the Peering left menu heading.

NOTE: The NAT-Traversal toggle on the IPsec page allows you to configure tunnels to VPN-Cubed using either NAT-Traversal or not. This is currently a global setting for VPN-Cubed. If you leave NAT-Traversal enabled, make sure UDP port 4500 exceptions exist on your VPC ACLs and VPC Security Groups. For the purposes of this document we have disabled NAT-Traversal.

On the resulting IPsec page note the Configuration Settings needed for configuration. Click Define new remote endpoint.

NOTE: When toggling between configuration of NAT-Traversal on and off, you will have to reboot the Manager by clicking the Reboot link under the Admin section in the left column of the UI.

23 VPN-Cubed Manager IPsec Setup: Define a New Remote Endpoint

Enter a descriptive name for the Endpoint configuration; this can be anything.

Occasionally there is another router between the IPsec firewall and the Internet. Enter the public facing IP address of either the IPsec device or the router between EC2 and the IPsec device (see picture below).

Enter a Pre-shared Key and keep a record of that key to be entered into the IPsec device. In this example we use VPNCubedRocks for obvious reasons.

If your IPsec device is behind a router, enter the external IP interface of the IPsec device (see picture below).

Enter the VPC CIDR used to set up your VPC deployment in the Cloud WAN field. This entry will ensure network extent to the VPC Subnets via the IPsec connection.

Click Create. On the resulting page click New subnet. For information on what to enter in the Extra configuration parameters field see the next page.

24 IPsec Configuration: Extra Parameters

VPN-Cubed's IPsec subsystem is good at autodiscovery on IKE and ESP choices with a wide range of boxes. We recommend being as specific as possible when entering tunnel parameters. Match the algorithm, hash and Diffie-Hellman group for your gateway settings by specifying them in the "Extra Params" text field. We support combinations of algorithms 3DES, AES128, or AES256; hashes SHA1 or MD5; and DH groups 2 or 5 (which are represented by the software we use as "modp1024" and "modp1536" respectively).

Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box:

    ike=aes128-sha1
    ike=aes256-sha1
    ike=3des-md5-modp1024
    ike=aes256-sha1-modp1536
    phase2alg=aes256-sha1
    phase2alg=3des-sha1;modp1536

(The "modpxxxx" value can only be added to phase2alg={value of esp} with a semi-colon as shown above.)

PFS Group
An extra params entry for the PFS Group is technically required only when it must be different from the PFS group in phase 1. If that is the case, then use phase2alg={value of esp};modpxxxx

IKE and ESP Lifetimes

    ikelifetime=3600s (default setting on VPN-Cubed)
    salifetime=28800s (default setting on VPN-Cubed)

Dead Peer Detection
Disabled by default. To enable DPD to attempt to re-connect during periods of no response use the following:

    dpdaction=restart
    dpddelay=30
    dpdtimeout=90
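The entries above can be checked before they are pasted into the Extra Params box. The Python linter below is an added example, not CohesiveFT code: it accepts only the keys, algorithms and syntax listed in this section, and its rejection of repeated keys and bare-number lifetimes, as well as the `LEGACY` warning set, are assumptions of the example.

```python
import re

ENCRYPTION = {"3des", "aes128", "aes256"}
HASHES = {"sha1", "md5"}
DH_GROUPS = {"modp1024": 2, "modp1536": 5}  # name typed in the box -> DH group
# Assumption: reviewer policy for this example, not a rule stated in the guide.
LEGACY = {"3des", "md5", "modp1024"}
DPD_KEYS = ("dpdaction", "dpddelay", "dpdtimeout")


def parse_proposal(key, value):
    """Split an ike= or phase2alg= value into (cipher, hash, group or None)."""
    group = None
    if key == "phase2alg":
        # Per the guide, a modp group may follow phase2alg only after a semicolon.
        value, _, group = value.partition(";")
        group = group or None
    parts = value.split("-")
    if key == "ike" and len(parts) == 3:
        group = parts.pop()
    elif key == "phase2alg" and len(parts) == 3 and parts[2].startswith("modp"):
        raise ValueError(f"phase2alg: write the group as ';{parts[2]}', not '-{parts[2]}'")
    if len(parts) != 2:
        raise ValueError(f"{key}: expected cipher-hash, got {value!r}")
    cipher, digest = parts
    if cipher not in ENCRYPTION:
        raise ValueError(f"{key}: unsupported cipher {cipher!r}")
    if digest not in HASHES:
        raise ValueError(f"{key}: unsupported hash {digest!r}")
    if group is not None and group not in DH_GROUPS:
        raise ValueError(f"{key}: unsupported DH group {group!r}")
    return cipher, digest, group


def lint_extra_params(text):
    """Return (settings, errors, warnings) for the lines typed into the box."""
    settings, errors, warnings, seen = {}, [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line:
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        try:
            if not sep or not value:
                raise ValueError(f"not a key=value entry: {line!r}")
            if key in seen:
                # Assumption: one value per key; the guide's list shows alternatives.
                raise ValueError(f"{key} is set more than once")
            seen.add(key)
            if key in ("ike", "phase2alg"):
                settings[key] = parse_proposal(key, value)
            elif key in ("ikelifetime", "salifetime"):
                # Assumption: only the "<seconds>s" form shown in the guide is accepted.
                if not re.fullmatch(r"[1-9]\d*s", value):
                    raise ValueError(f"{key}: expected seconds such as 3600s")
                settings[key] = int(value[:-1])
            elif key in ("dpddelay", "dpdtimeout"):
                if not re.fullmatch(r"[1-9]\d*", value):
                    raise ValueError(f"{key}: expected a positive integer")
                settings[key] = int(value)
            elif key == "dpdaction":
                settings[key] = value
            else:
                raise ValueError(f"unknown key {key!r}")
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    for key in ("ike", "phase2alg"):
        if key not in seen:
            warnings.append(f"{key} not set: the proposal is left to autodiscovery")
        for item in settings.get(key, ()):
            if item in LEGACY:
                warnings.append(f"{key} uses legacy {item}")
    dpd = [k for k in DPD_KEYS if k in settings]
    if dpd and len(dpd) < len(DPD_KEYS):
        warnings.append("DPD partly configured: set dpdaction, dpddelay and dpdtimeout")
    return settings, errors, warnings


# Constructed sample input: GOOD follows the guide's examples, BAD contains mistakes.
GOOD = """ike=aes256-sha1-modp1536
phase2alg=aes256-sha1;modp1536
ikelifetime=3600s
salifetime=28800s
dpdaction=restart
dpddelay=30
dpdtimeout=90"""
BAD = """ike=3des-md5-modp1024
phase2alg=3des-sha1-modp1536
ikelifetime=3600
dpdaction=restart"""

if __name__ == "__main__":
    for name, box in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, *lint_extra_params(box), sep="\n  ")
```

Run the same check against the proposal configured on the datacenter IPsec device, since the guide requires both ends to match.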

25 VPN-Cubed Manager Setup: Setup a Subnet

Enter the subnet that is or will be configured behind the datacenter IPsec Extranet Device. In this example we used /24. Provide a name for the Subnet to allow for easy identification in more complex topologies.

External Ping is a new optional feature for the 2.x line. It provides a pinging functionality over the IPsec tunnel that can be used in addition to IPsec DPD and Keep Alive settings to ensure the tunnel remains up during low traffic periods. Enter an IP address of a pingable server located on the Subnet specified. Set the time interval (in seconds) for the ping. Click Create.

Your VPN-Cubed Manager IPsec setup is complete. The next steps will detail setting up the IPsec connection from your extranet device. Once the IPsec connection is live, this guide will detail how to add clients to the created overlay network.

Note the Configuration Settings values; you will need these to correctly configure your extranet device.

26 Configuring the IPsec Extranet Device: Adding Network Objects

Note: As mentioned earlier these screenshots are from a Cisco ASA extranet device. Your setup user experience may differ slightly.

The first step in configuring any IPsec extranet device is to add the appropriate Network Objects. The screenshot to the right shows all the objects that need to be added. Their details are below:

- vpc_inside: inside NAT of your VPC subnet
- overlay_inside: inside NAT of your Overlay Network subnet
- inside-network: inside interface network of extranet device
- inside_network_test_client: initial inside test IP for IPsec connectivity
- outside_network: outside interface network of extranet device
- outsideinterface: address of outside interface of extranet device
- vpncubed_mgr: public IP address of the VPN-Cubed Manager
- vpncubed_mgr_inside: inside tunnel test for use before connecting clients (VPN-Cubed IPsec to EC2 Test Gateway)

Note: Because there is both a VPC Subnet and an Overlay Network Subnet you will need to set up IPsec rules for both subnets.

27 Configuring the IPsec Extranet Device: VPN Wizard

Create a new VPN Tunnel. The Cisco ASA used in this guide does this through a VPN Wizard. If you are using another facility to create your IPsec Tunnel, make sure to enter the same information we enter in the following slides.

Choose a Site-to-Site Tunnel Type. Click Next.

Tunnel Configuration Considerations

If you want the tunnel to be perpetual and as close to "always on" as IPsec can do, then:

- Your gateway should be using its "keepalive" feature; VPN-Cubed has this enabled by default
- Your gateway should be using Dead Peer Detection (DPD) with a "restart" parameter in the event it believes the tunnel is dropped
- Your VPN-Cubed manager has DPD disabled by default; enable it by adding "dpdaction=restart" dpddelay=30 and dpdtimeout=90 in the extra parameters box (no quotes needed).
- Your gateway should allow the VPN-Cubed manager to make a connection "inbound to it"; by default the VPN-Cubed manager allows inbound connections and attempts outbound

28 Configuring the IPsec Extranet Device: VPN Wizard

Enter the VPN-Cubed Managerʼs IP address in the Peer IP Address field. Enter the same Pre-Shared Key entered from page 23 (our example used VPNCubedRocks). Click Next.

29 Configuring the IPsec Extranet Device: VPN Wizard

Choose your Key Exchange Policy (IKE). Make sure it is the same as the one used in the VPN-Cubed Manager setup. On page 23 we used AES-256. Click Next.

30 Configuring the IPsec Extranet Device: VPN Wizard

Select the encryption and authentication algorithms for the Encapsulating Security Payload (ESP). Make sure they are the same as the ones used in the VPN-Cubed Manager setup. Again our recommended setup uses AES-256 from page 23. Click Next.

31 Configuring the IPsec Extranet Device: VPN Wizard

Setting up Hosts and Networks. The following information will set up a test tunnel to your VPN-Cubed Manager. After the tunnel is up and running you can return to this step and change the Source and Destination information to open up more traffic between your IPsec extranet device and the cloud.

Set up the tunnel to identify the datacenter subnet, inside_network, as the Source and select the Overlay Network subnet, ec2_inside, in the Destination section. Click Next.

Note: Because there is both a VPC Subnet and an Overlay Network Subnet you will need to set up IPsec rules for both subnets. This can be done after the initial tunnel configuration is complete. Add an IPsec Rule for traffic from the inside-network to vpc_inside.

32 Configuring the IPsec Extranet Device: VPN Wizard

Double check that all the information is entered correctly. Click Finish.

33 IPsec Extranet Device: Session Details

Make sure the IPsec VPN session is up and running. Go to Monitoring > VPN Statistics > Sessions. You should be able to see the session under LAN-to-LAN. Click Details.

34 IPsec Extranet Device: Session Details

The Session Details will give you expanded information about your Key Exchange and IPsec status.

35 Add Remote Subnet to the VPC Routing Table

Configure the Routing Tables from the VPC tab at the top of the AWS Console. Click Routing Tables in the left column menu under the VIRTUAL PRIVATE CLOUD section. Select the Routing Table associated with the VPC Subnet created by the VPC Wizard. You can see what subnets are associated with a Routing Table by clicking on the Routing Table then on the Associations tab in the lower window pane.

Enter the Remote Subnet behind your IPsec device in the Destination field. In our example we enter /24. Select the VPN-Cubed Manager Instance ID as the Target and click Add. Click Yes, Create on the Create Route popup window.

This change to the Routing Table will allow traffic to be routed through the Manager and down the IPsec tunnel to the datacenter-based remote subnet.

36 VPN-Cubed Manager: Check the IPsec Status

To check the status of your IPsec connection from the VPN-Cubed Manager click on Runtime Status. Each Subnet will be displayed as a connected tunnel. Click the Remote Subnet for tunnel parameters and to access the IPsec log for that specific connection.

If you do not see your IPsec Tunnel listed, it is not correctly configured. Double check that you have entered all the information correctly in both the VPN-Cubed Manager and your IPsec device. If you are having difficulties please contact support@cohesiveft.com.

Now that the IPsec Tunnel is up and running, clients in EC2 can be added to the secure Overlay Network extension of your Datacenter OR the unencrypted VPC subnet (but not both).

37 IPsec Connection Troubleshooting: Verbose Logging

VPN-Cubed allows users to enable Verbose Logging to help with IPsec connection troubleshooting. To enable Verbose Logging click IPsec in the left column menu. Click Logging on the IPsec Page. Click the radio button next to verbose logging. Click Submit.

NOTE: Verbose Logging is disabled by default and should remain disabled during normal operations. Leaving Verbose Logging enabled over an extended period of time can fill the Manager instance's virtual disk drive. This causes the Manager to become inaccessible via the UI and requires our intervention to free up disk space.

38 Connecting Client Servers Option 1: Unencrypted VPC Subnet

NOTE: If launching Client Servers in the encrypted VPN-Cubed Overlay Subnet skip this step and continue on the next page.

In order to allow client servers launched in the VPC subnet to connect to the Manager and the datacenter-based subnet via the IPsec tunnel you must add the appropriate route on the VPN-Cubed Manager.

Click Other Routes on the VPN-Cubed Manager left column menu under the Peering section. Enter the VPC Subnet in the Enter CIDR for new route field. Click Add route.

Once the Route is added, Client Servers launched in the unencrypted VPC Subnet will be able to communicate with one another and with the datacenter-based Remote Subnet via the IPsec tunnel.

39 Connecting Client Servers Option 2: Encrypted VPN-Cubed Overlay Subnet

In the context of VPN-Cubed, client means devices which will be configured as members of the overlay network. These network members will usually be servers running in EC2. In more advanced editions of VPN-Cubed this includes desktop based client machines.

Note the Client Download username and password on the Status screen on every manager (username is clientpack).

On any Manager go to Client Packs and pick a client pack. A client pack can run on a single client at a time. If you shut down or disconnect a client from the topology, you can reuse its client pack. The number of client packs provided in your license depends on your purchased parameters.

40 Connecting Client Servers on the encrypted VPN-Cubed Overlay Subnet: ACL and Security Group Exceptions Depending on what OS your cloud-based clients are running you will need to add ACL and Security Group access to the client servers via RDP Port 3389 (Windows) or SSH Port 22 (Linux) in order to add the clientpacks. For Linux Clients Configuration follow the steps on pages For Windows Clients Configuration follow the steps on page

41 Connecting Linux Client Servers on the encrypted VPN-Cubed Overlay Subnet: Add SSH Client Access

In order to SSH into your cloud-based Linux client servers you must temporarily assign an Elastic IP to the server and grant SSH access (TCP port 22) via the ACLs and Security Groups from your IP.

Assign an Elastic IP the same way you assigned one to the VPN-Cubed Manager (steps shown on page 15). Then temporarily enable TCP port 22 access from your public IP on both the ACLs (if you modified the default settings) and Security Groups (steps shown on page 12).

Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization.

42 Connecting Linux Client Servers on the encrypted VPN-Cubed Overlay Subnet: Install Client Credentials

TWO PHILOSOPHIES FOR INSTALLATION

a) Download Locally then Upload to the Client Server - Download credentials to your trusted admin machine via the VPN-Cubed Manager Client Packs link. SCP them into the client machines, and then SSH into the client machines to complete the configuration.

b) WGET Direct to Client Server - SSH into the client machine and download the credentials from its command line using the following URL: wget --no-check-certificate Something like: wget --no-check-certificate 172_31_1_53.tar.gz

NOTE: The clientpack:password combination is on the status screen of each of the VPN-Cubed Managers.

43 Connecting Linux Client Servers on the encrypted VPN-Cubed Overlay Subnet: Install OpenVPN

You can install OpenVPN 2.1 on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network.

For a quick test you might want to use the Elastic Server factory at You can quickly assemble a representative application stack for testing in the overlay network and easily deploy it to your Amazon account. Use the OpenVPN for VPN-Cubed 2.1 bundle in your servers for a ready-made VPN-Cubed client. You will still have to install a client pack on that device once launched locally or in the EC2 cloud, and configure the file /etc/openvpn/vpncubed.conf.

Extract the clientpack contents to the /etc/openvpn directory (consult the OpenVPN documentation for your OS if not found).

Edit vpncubed.conf and add the managers you want this client to connect to, in priority order, at the bottom of the file:

    remote MANAGER_DNS_ADDRESS 1194

Use the public DNS URL of the Manager for the remote entry. In multiple Manager topologies the order of remote commands matters: the client will try to connect to the first remote endpoint, if not successful to the second, and so on. You may want to evenly distribute clients among managers by varying the order of "remote" commands on each client.

44 Connecting Linux Client Servers on the encrypted VPN-Cubed Overlay Subnet: Launch OpenVPN Start openvpn. On Linux OSs this is done using the /etc/init.d/openvpn start command. Your client will get a virtual IP address that corresponds to the clientpack it received. WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time. Adjust local firewall on the client if necessary (on Linux, your tunnel device name will be tun0). Verify connectivity by pinging the Managerʼs Overlay Network IP address of

45 Connecting Windows Client Servers on the encrypted VPN-Cubed Overlay Subnet: Add RDP Client Access

In order to RDP into your cloud-based Windows client servers you must temporarily assign an Elastic IP to the server and grant RDP access (TCP port 3389) via the ACLs and Security Groups from your IP.

Assign an Elastic IP the same way you assigned one to the VPN-Cubed Manager (steps shown on page 15). Then temporarily enable TCP port 3389 access from your public IP on both the ACLs (if you modified the default settings) and Security Groups (steps shown on page 12).

Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization.

46 Connecting Windows Client Servers on the encrypted VPN-Cubed Overlay Subnet: Install Client Credentials

RDP into the Windows Machine using the Administrator credentials specified when launching the server. Navigate to Manager IP>:8000 in IE. Login using the default vpncubed for the password and username or the password you changed on your first login. Click Client Packs on the left menu. Download the appropriate client pack zip file to the Windows machine.

47 Connecting Windows Client Servers on the encrypted VPN-Cubed Overlay Subnet: Install OpenVPN

Install OpenVPN 2.1 on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network. On Vista you will need to have admin privileges to install the software.

You will have to install a client pack on the Windows desktop machine and put the client pack files in \Program Files\OpenVpn\config\

RENAME vpncubed.conf to vpncubed.ovpn!!!!

Edit vpncubed.ovpn and add the managers you want this client to connect to, in priority order, at the bottom of the file:

    remote MANAGER_DNS_ADDRESS 1194

Use the public DNS URL of the Manager for the remote entry. In multiple Manager topologies the order of remote commands matters: the client will try to connect to the first remote endpoint, if not successful to the second, and so on. You may want to evenly distribute clients among managers by varying the order of "remote" commands on each client.

48 Connecting Windows Client Servers on the encrypted VPN-Cubed Overlay Subnet: Launch OpenVPN Start openvpn. On Windows XP and Vista this can be done through the Services tool or via the command line openvpn vpncubed.ovpn. On Vista if you run it from the command line you will need to know how to start a command line with administrative privileges. Details here: Alternatively, start the OpenVPN service from the Services tool. On Vista and Win2k servers OpenVPN also has a graphical tool - OpenVPN GUI. Your client will get a virtual IP address that corresponds to the clientpack it received. WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time. Adjust local firewall on the client if necessary. Verify connectivity by pinging the Managerʼs Overlay Network IP address of

49 Connecting Windows Client Servers on the encrypted VPN-Cubed Overlay Subnet: Launch OpenVPN 49

50 Connecting Windows Client Servers on the encrypted VPN-Cubed Overlay Subnet: Windows 2008 RegEdit Consideration When setting up OpenVPN as a Service on Windows 2008 there can be an issue with the machine resolving IPv6 instead of IPv4. Follow the steps below to fix the problem. 1. Go to "regedit". 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip\parameters. 3. Double-click the ArpRetryCount value, type 0, and then click OK. If it does not exist create a new REG_DWORD, rename to ArpRetryCount, and set the value to 0. 4. Reboot the machine. 50

51 Connecting Client Servers on the encrypted VPN-Cubed Overlay Subnet: Clients in the overlay network You should see the clients listed in the client table and the IPsec Remote Subnet in the IPsec tunnel table. If this is not the case please check the items listed on the Troubleshooting page of this document. 51

52 VPN-Cubed Firewall Tool 52

53 VPN-Cubed Firewall VPN-Cubed Firewall is controlled using IPTables syntax. For more information - Look for PARAMETERS section and below. In general, you write a specification of a packet to match and what to do with this packet. Customer rules are applied in the middle of overall rules on the manager. If customer rules don't reject a packet, it will be allowed. Order of rules matters - rules are applied from top to bottom up to the first match. If no match is found, the packet is allowed. "-j ACCEPT" allows a packet. "-j DROP" drops a packet. "-j REJECT" sends an appropriate notification to the sender saying such and such packet was rejected (depends on protocol). Basic examples: * Drop all packets from to s d j DROP * Drop all traffic from /24 (entire subnet) except : -s j ACCEPT -s /24 -j DROP 53
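The first-match, default-allow behaviour described above can be checked offline before rules are pasted into the Manager. The following is an added example, not CohesiveFT's code: it models only the customer rule list (not the Manager's surrounding rules), supports only the `-s`, `-d`, `-p`, `--dport` and `-j` options, and uses constructed documentation addresses.

```python
import ipaddress
import shlex

TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed rule sets (192.0.2.0/24 is a documentation range, not from the guide).
EXCEPTION_FIRST = ["-s 192.0.2.10 -j ACCEPT", "-s 192.0.2.0/24 -j DROP"]
EXCEPTION_LAST = ["-s 192.0.2.0/24 -j DROP", "-s 192.0.2.10 -j ACCEPT"]


def parse_rule(line):
    """Parse one customer rule written with -s, -d, -p, --dport and -j."""
    rule = {"src": None, "dst": None, "proto": None, "dport": None,
            "target": None, "text": line.strip()}
    tokens = shlex.split(line)
    if len(tokens) % 2:
        raise ValueError(f"option without a value in: {line!r}")
    for flag, value in zip(tokens[0::2], tokens[1::2]):
        if flag == "-s":
            rule["src"] = ipaddress.ip_network(value, strict=False)
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(value, strict=False)
        elif flag == "-p":
            rule["proto"] = value.lower()
        elif flag == "--dport":
            rule["dport"] = int(value)
        elif flag == "-j":
            rule["target"] = value
        else:
            raise ValueError(f"unsupported option {flag!r} in: {line!r}")
    if rule["target"] not in TARGETS:
        raise ValueError(f"missing or unknown -j target in: {line!r}")
    return rule


def parse_rules(lines):
    return [parse_rule(line) for line in lines]


def matches(rule, packet):
    """True when every field the rule specifies agrees with the packet."""
    for field in ("src", "dst"):
        net = rule[field]
        if net is not None and ipaddress.ip_address(packet[field]) not in net:
            return False
    for field in ("proto", "dport"):
        if rule[field] is not None and packet.get(field) != rule[field]:
            return False
    return True


def evaluate(rules, packet):
    """Apply rules top to bottom; the first match decides.

    Returns (target, rule_index). With no match the packet is allowed,
    reported as ("ACCEPT", None).
    """
    for index, rule in enumerate(rules):
        if matches(rule, packet):
            return rule["target"], index
    return "ACCEPT", None


def _covers(earlier, later):
    """True when every packet matching `later` also matches `earlier`."""
    for field in ("src", "dst"):
        e, l = earlier[field], later[field]
        if e is None:
            continue
        if l is None or l.version != e.version or not l.subnet_of(e):
            return False
    for field in ("proto", "dport"):
        if earlier[field] is not None and earlier[field] != later[field]:
            return False
    return True


def find_shadowed(rules):
    """List (later_index, earlier_index) pairs where the later rule can never fire."""
    shadowed = []
    for later_index, later in enumerate(rules):
        for earlier_index in range(later_index):
            if _covers(rules[earlier_index], later):
                shadowed.append((later_index, earlier_index))
                break
    return shadowed


if __name__ == "__main__":
    packet = {"src": "192.0.2.10", "dst": "172.31.1.5"}  # constructed packet
    for name, lines in (("exception first", EXCEPTION_FIRST),
                        ("exception last", EXCEPTION_LAST)):
        rules = parse_rules(lines)
        print(name, evaluate(rules, packet), "shadowed:", find_shadowed(rules))
```

A non-empty `find_shadowed` result means a rule sits below a broader rule that always matches first, which is the usual cause of an "except this host" rule silently not taking effect.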

54 Change Username and Password 54

55 Change Username and Password Username and Password can be changed via the Left Column Menu Items. 55

56 Save Manager Configuration with Runtime Snapshots 56

57 Runtime Snapshots save the Manager Configuration Once your VPN-Cubed Managers and Clients are configured and running, save the configuration with Runtime Snapshots. Snapshots can be used to reconfigure a new Manager with the same SSL Certificates and Keyset with just one file upload. Click the Runtime Snapshots link to take a new snapshot or view/download available snapshots. Download the snapshot to your local network. In the event of a Manager failure or re-provisioning event, you can upload the snapshot file to a new VPN-Cubed Manager. The new Manager will retain all the configuration settings as your saved snapshot. If you are utilizing Elastic IPs, once the Elastic IP is transferred to the new Manager, your overlay network devices will automatically connect back with the Managers. Save time on both Manager and client configuration. 57

58 Save and Download a Snapshot Click the Take New Snapshot Now button to generate a new Snapshot. The resulting screen will have the snapshot download link. Download the Snapshot and save locally. 58

59 Upload a Snapshot To use a Snapshot to configure a Manager click the Import Runtime Snapshot link. Browse for your saved Snapshot and upload. The Manager will reboot with the updated configuration. The same client packs will be used, so redistribution of the credentials to each Overlay Network Device (OLND) is not necessary. A slight configuration change on each OLND is necessary if you have not assigned Elastic IPs to your Manager. The OpenVPN configuration file (vpncubed.ovpn) on each OLND needs the new IP of the new Manager referenced in the remote commands section. To automate this step, you can assign an Elastic IP (see AWS billing for rates) to the Manager and reference the Elastic IP in each OLNDʼs OpenVPN configuration file. 59

60 Troubleshooting 60

61 Troubleshooting and FAQ for the EC2 Managers Client appears to be hopping on and off the network. This is usually the result of the same client keys being installed on two client machines in the network. Only one client machine can use a set of credentials at a given time. Fetch Keyset appears to hang or not work. Check to see if the Amazon security group is correct for port 8000 between the manager you are getting the keyset from and the manager you are doing the fetch from. If they are separated across Amazon USA and Amazon EU you will need to have their security groups reference the public IP addresses. When you do the Fetch Keyset command use the manager's public IP address. Manager IDs seem correct, EC2 security groups seem correct, but managers, especially ones launched via separate launch commands, will not peer. Review your worksheet and your launch commands. Ensure that the managers were all launched with the same security token. 61

62 End 62


Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Objective A Virtual Private Network (VPN) is a private network that is used to virtually

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Pulse Connect Secure Virtual Appliance on Amazon Web Services

Pulse Connect Secure Virtual Appliance on Amazon Web Services ` Pulse Connect Secure Virtual Appliance on Amazon Web Services Deployment Guide Release 9.0R1 Release 9.0R1 Document Revision 1.2 Published Date June 2018 Pulse Secure, LLC 2700 Zanker Road, Suite 200

More information

F5 BIG-IQ Centralized Management and Amazon Web Services: Setup. Version 5.4

F5 BIG-IQ Centralized Management and Amazon Web Services: Setup. Version 5.4 F5 BIG-IQ Centralized Management and Amazon Web Services: Setup Version 5.4 Table of Contents Table of Contents Getting Started with BIG-IQ Virtual Edition...5 What is BIG-IQ Virtual Edition?...5 About

More information

vcloud Director Tenant Portal Guide vcloud Director 8.20

vcloud Director Tenant Portal Guide vcloud Director 8.20 vcloud Director Tenant Portal Guide vcloud Director 8.20 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.6 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

VNS3 3.5 Container System Add-Ons

VNS3 3.5 Container System Add-Ons VNS3 3.5 Container System Add-Ons Instructions for VNS3 2015 copyright 2015 1 Table of Contents Introduction 3 Docker Container Network 7 Uploading a Image or Dockerfile 9 Allocating a Container 13 Saving

More information

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows Objective A Virtual Private Network (VPN) is a method for remote users to virtually connect to a private network

More information

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide 28 May 2009 3Com VCX Connect Solution SIP Trunking Table of Contents 1 3COM VCX CONNECT AND INGATE... 1 1.1 SIP TRUNKING SUPPORT...

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

WatchGuard Dimension v2.0 Update 2 Release Notes. Introducing New Dimension Command. Build Number Revision Date 13 August 2015

WatchGuard Dimension v2.0 Update 2 Release Notes. Introducing New Dimension Command. Build Number Revision Date 13 August 2015 WatchGuard Dimension v2.0 Update 2 Release Notes Build Number 483146 Revision Date 13 August 2015 On 13 August 2015, WatchGuard released Dimension v2.0 Update 2. This update resolves an issue that caused

More information

FusionHub. SpeedFusion Virtual Appliance. Installation Guide Version Peplink

FusionHub. SpeedFusion Virtual Appliance. Installation Guide Version Peplink FusionHub SpeedFusion Virtual Appliance Installation Guide Version 1.1.0-5 2015 Peplink FusionHub Installation Guide Table of Contents 1. Purpose... 2 2. FusionHub License Generation... 2 3. FusionHub

More information

Top 30 AWS VPC Interview Questions and Answers Pdf

Top 30 AWS VPC Interview Questions and Answers Pdf Top 30 AWS VPC Interview Questions and Answers Pdf Top 30 AWS VPC Interview Questions and Answers Pdf AWS Certified Solutions Architect Begins the 30 Top Funding IT Certifications. Surely, AWS Architect

More information

Service Managed Gateway TM. Configuring IPSec VPN

Service Managed Gateway TM. Configuring IPSec VPN Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling

More information

Firebox Cloud. Deployment Guide. Firebox Cloud for AWS and Microsoft Azure

Firebox Cloud. Deployment Guide. Firebox Cloud for AWS and Microsoft Azure Firebox Cloud Deployment Guide Firebox Cloud for AWS and Microsoft Azure About This Guide The Firebox Cloud Deployment Guide is a guide for deployment of a WatchGuard Firebox Cloud virtual security appliance.

More information

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client Overview This guide is used as a supplement to the SuperStack 3 Firewall manual, and details how to configure the native Windows VPN client to work with the Firewall, via the Microsoft recommended Layer

More information