VPN-Cubed Datacenter Connect IBM Trial Edition v201102

Transcription

1 VPN-Cubed Datacenter Connect IBM Trial Edition v

2 Requirements You have an IBM Smart Business Dev and Test on IBM Cloud account. You have agreed to the terms of service provided for the VPN-Cubed Manager Images available in the RAM Contents -VPN-Cubed Datacenter Connect Trial Edition Terms.pdf. Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software. We will provide pointers and support for the major distributions. You have a compliant IPsec firewall/router networking device (NAT-Traversal Support Required) which you can configure. CohesiveFT has successfully connected most popular IPsec firewalls to VPN-Cubed. 2

3 Getting Help with VPN-Cubed This guide uses Cisco s Adaptive Security Device Manager UI. Setting up your IPsec Extranet device may have a different user experience than what is shown here. All the information entered in this guide will be same regardless of your UI or cmd line setup. For support requests use our community forums at: For production support contact: sales@cohesiveft.com 3

4 Your Configuration Begins Here! 4

5 VPN-Cubed Datacenter Connect provides a virtual network connected to your datacenter via IPsec. A VPN-Cubed Datacenter Connect Trial Edition topology is built from a VPN-Cubed Manager/ IPsec Gateway appliance in the IBM Cloud that provides a secure and controllable virtual network for your cloud-based servers. Your data center extranet solution (Cisco ASA, Cisco Pix, Juniper Netscreen) will connect to the VPN-Cubed Manager in the cloud creating a secure and encrypted end-to-end connection to your cloud deployment. The cloud-based client servers behave like they are a subnet extension of your datacenter. IBM Cloud If a more complex overlay network is needed, multiple topologies can be connected to provide a redundant, geographically distributed network. Interested in learning more about more complex VPN-Cubed configurations? Contact us at sales@cohesiveft.com. 5

6 Firewall Considerations VPN-Cubed Manager instance uses the following TCP and UDP ports. - UDP 1194 For client VPN connections; must be accessible from all servers that will join VPN-Cubed topology as clients. - TCP 8000 HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the managers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients. - UDP 500 and 4500 These ports are used for IPsec NAT-TRAVERSAL and need to be configured in your IPsec device. If you would like the IPsec Gateway to be able to initiate a connection (for example in the event of a broken connection) then you need to allow the public IP address of the gateway to connect to your IPsec device over these ports. 6

7 Access Considerations Note that TCP 22 (ssh) is not required for normal operations. Each VPN-Cubed Manager is running a restricted SSH daemon, with access limited only to CohesiveFT for debugging purposes - if remote support from CohesiveFT is desired. In the event CohesiveFT needs to observe runtime state of a VPN-Cubed Manager in response to a tech support request, we will ask you to enable remote support from the Manager UI (Left column menu item). In this scenario CohesiveFT has credentials to log in, while you control whether network access to the VPN-Cubed manager is available to CohesiveFT via individual server controls. 7

8 Launching VPN-Cubed Managers Sign in to the IBM Smart Business Development and Test on IBM Cloud Control Panel. Select Instances. Click Add an Instance. Select the CohesiveFT VPN-Cubed Datacenter Connect Trial Edition V PAYG Image. Click Next. Enter a Name, select a Key, and click Next. 8

9 Launching VPN-Cubed Managers Verify all the information is correct. Click Next. Review the IBM Cloud Service Agreement. Select I agree. Click Next. 9

10 Logging in and Configuring the Manager Return to the IBM Cloud Instance Control Panel. When the instance is booted and available and IP address will be listed. Login to the VPN-Cubed Admin - public_ip]:8000/ In order to have an encrypted connection to the VPN-Cubed Manager the manager uses HTTPS with a self-signed certificate generated on each manager individually on boot. You may need to add a security exception in your browser. Log in with the username and password of vpncubed. Be sure to change the default password once logged in. The VPN-Cubed Datacenter Connect Trial Edition comes pre-loaded with a license. This license restricts the Manager to only allow 5 cloud machines to join the overlay network and restricts the cloud subnet to x. If you are interested in additional client packs (adding more cloud devices to the overlay network) or a different subnet, please contact us at sales@cohesiveft.com. 10

11 Generate Keys on VPN-Cubed Manager Again, the Datacenter Connect Trial Edition Manager comes preconfigured to the purchased specs (how many managers it can peer with, how many clientpacks are available, how many ipsec links are available, and the default subnet in IBM Cloud of X). Click Generate New under SSL Certs and Keys in the left column. Enter a security token in the second field. This can be anything and is used for client pack generation and manager peering. Click the Generate keys link. Key generator will be started in the background, and you can refresh screen to observe progress. This process will generate the client credentials that you will load onto the devices you wish to connect to the VPN-Cubed overlay network. 11

12 Peering the Manager - Important Step! While a single Manager topology doesnʼt peer with any other Managers, the single Manager must be identified as Manager #1 in order for client routing to work correctly. In more complex VPN-Cubed deployments users can peer two VPN- Cubed Managers together to create a redundant, highly available and secure cloud connectivity solution. For more information on custom enterprise configurations contact us at sales@cohesiveft.com. Select this instance Click Save changes You should then get a status page showing that the managers routing is configured and started. 12

13 VPN-Cubed Manager Status The VPN-Cubed Manager is ready to setup an IPsec Tunnel. The VPN-Cubed Manager will show no other links to other managers, no connected clients, no subnets available, and no detected tunnel data. Click IPsec under Peering left menu heading. On the resulting IPsec page note the Configuration Settings needed for configuration. Click Define new remote endpoint 13

14 VPN-Cubed Manager Setup: Define a New Remote Enpoint Enter descriptive name for the Endpoint configuration, this can be anything. Occasionally there is another router between the IPsec firewall and the Internet. Enter the public facing IP address of either the IPsec device or router between the IBM Cloud and the IPsec device (see picture below). Enter a Pre-shared Key and keep a record of that key, it will need to be entered into the IPsec device. In this example we use VPNCubedRocks for obvious reasons. If your IPsec device is behind a router, enter the external IP interface of the IPsec device (see picture below). Exta Config Parameters: We recommend connecting to the Manager with tunnels using AES256 encryption and SHA authentication for both IKE and ESP. Add the lines shown to the right - ike=aes256-sha1 and esp=aes256- sha1. For other tunnel configurations contact support@cohesiveft.com for assistance. Click Create. One the resulting page click New subnet. 14 IBM Cloud IBM Cloud

15 IPsec Configuration: Extra Parameters VPN-Cubed's IPSec subsystem is good at autodiscovery on IKE and ESP choices with a wide range of boxes. We recommend being as specific as possible when entering tunnel parameters. Match the algorithm, hash and DiffieH group for your gateway settings by specifying them in the "Extra Params" text field. We support combinations algorithms 3DES, AES128, or AES256; hashes SHA1 or MD5; and DH groups 2 or 5 (which are represented by the software we use as "modp1024" and "modp1536" respectively). Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box: ike=aes128-sha1 ike=aes256-sha1 ike=3des-md5-modp1024 ike=aes256-sha1-modp1536 esp=aes256-sha1 esp=3des-sha1 (can't use a "modpxxxx" in the esp parameter..the second DH group in a IPSec gateway setup is really for PFS settings) PFS Group pfsgroup=modp1024 or pfsgroup=modp1536 (for use when PFS is enabled and you still are getting connection complaints that are pfs related, SOMETIMES you have to be explicit about the DH group, vast majority of times you don't.) IKE and ESP Lifetimes ikelifetime=3600s (default setting on VPN-Cubed) salifetime=28800s (default setting on VPN-Cubed) Dead Peer Detection - Disabled by default, to enable DPD to attempt to re-connect during periods of no response use the following: dpdaction=restart dpddelay=30 dpdtimeout=90 15

16 VPN-Cubed Manager Setup: Setup a Subnet Enter the subnet this is or will be configured behind the datacenter IPsec Extranet Device. In this example we used /24. Provide a name for the Subnet to allow for easy identification in more complex topologies. External Ping is a new optional feature for 2.0. It provides a pinging functionality over the IPsec tunnel that can be used in addition to IPsec DPD and Keep Alive settings to ensure the tunnel remains up during low traffic periods Enter an IP address of a pingable server located on the Subnet specified. Set the time interval (in seconds) for the ping. Click Create. Your VPN-Cubed Manager IPsec setup is complete. The next steps will detail setting the IPsec connection from your extranet device. Once the IPsec connection is live, this guide will detail how to add clients to the created overlay network. Note the Configuration Settings values, you will need these to correctly configure your extranet device. 16

17 Configuring the IPsec Extranet Device: Adding Network Objects Note: As mentioned earlier these screenshots are from a Cisco ASA extranet device. Your setup user experience may differ slightly. The first step in configuring any IPsec extranet device is to add the appropriate Network Objects. The screenshot to the right shows all the objects that need to be added. Their details are below: - cloud_inside: /24, inside NAT of your IBM Cloud subnet - inside-network: inside interface network of extranet device - outside_network: outside interface network of extranet device - outsideinterface: address of outside interface of extranet device - vpncubed_mgr: public IP address of the VPN-Cubed Manager - vpncubed_mgr_inside: , inside tunnel test for use before connecting clients (VPN-Cubed Test Gateway) cloud_inside 17

18 Configuring the IPsec Extranet Device: VPN Wizard Create a new VPN Tunnel. The Cisco ASA used in this guide does this through a VPN Wizard. If you are using another facility to create your IPsec Tunnel, make sure to enter the same information we enter in the following slides. Choose a Site-to-Site Tunnel Type. Click Next Tunnel Configuration Considerations If you want the tunnel to be perpetual and as close to "always on" as IPSec can do, then: - Your gateway should be using its "keepalive" feature, VPN-Cubed has this enabled by default - Your gateway should be using Dead Peer Detection (DPD) with a "restart" parameter in the event it believes tunnel is dropped - Your VPN-Cubed manager has DPD disabled by default, enable it by adding "dpdaction=restart" in the extra parameters box (no quotes needed). - Your gateway should allow the VPN-Cubed manager to make a connection "inbound to it", by default the VPN-Cubed manager allows inbound connections and attempts outbound 18

19 Configuring the IPsec Extranet Device: VPN Wizard Enter the VPN-Cubed Managerʼs IP address in the Peer IP Address field. Enter the same Pre-Shared Key entered from page 14 (our example used VPNCubedRocks ). Click Next 19

20 Configuring the IPsec Extranet Device: VPN Wizard Choose your Key Exchange Policy (IKE). Make sure it is the same as the one used in the VPN-Cubed Manager setup. On page 14 we used AES-256. Click Next 20

21 Configuring the IPsec Extranet Device: VPN Wizard Select the encryption and authentication algos for the Encapsulating Security Payload (ESP). Make sure it is the same as the one used in the VPN-Cubed Manager setup. Again our recommended setup uses AES-256 from page 14. Click Next 21

22 Configuring the IPsec Extranet Device: VPN Wizard Setting up Hosts and Networks. The screenshot to the right shows how to open up your network to the overlay network at the IBM Cloud, select the inside-network in the Source section and select cloud_inside in the Destination section. Setup a connection using inside_network as the Source and cloud_inside as the Destination. Click Next 22

23 Configuring the IPsec Extranet Device: VPN Wizard Double check that all the information is entered correctly. Click Finish 23

24 IPsec Extranet Device: Session Details Make sure the IPsec VPN session is up and running. Goto Monitoring > VPN Statistics > Sessions You should be able to see the session under LAN-to-LAN Click Details NOTE: Some tunnels require network traffic to complete the connection. Try pinging the Managerʼs Overlay Subnet Address, , from a server on the DC subnet behind the extranet device. 24

25 IPsec Extranet Device: Session Details The Session Details will give you expanded information about your Key Exchange and IPsec status. 25

26 VPN-Cubed Manager: Check the IPsec Status To check the status of your IPsec connection from the VPN-Cubed Manager click on Runtime Status. Each Subnet will be displayed as a connected tunnel. Click the Remote Subnet for tunnel parameters and to access the IPsec log for that specific connection. If you do not see your IPsec Tunnel listed, it is not correctly configured. Double check that you have entered all the information correctly in both the VPN-Cubed Manager and your IPsec device. If you are having difficulties please support@cohesiveft.com. Now that the IPsec Tunnel is up and running, clients in IBM can be added to the secure Overlay Network extension of your Datacenter. 26

27 IPsec Connection Trouble Shooting: Verbose Logging VPN-Cubed allows users to enable Verbose Logging to help with IPsec connection troubleshooting. To enable Verbose Logging click IPsec in the left column menu. Click Logging on the IPsec Page. Click the radio button next to verbose logging. Click Submit. NOTE: Verbose Logging is disabled by default and should remain disabled during normal operations. Leaving Verbose Logging enabled over a extended period of time can fill the Manager instances virtual disk drive. This causes the Manager to become inaccessible via the UI and requires our intervention to free up disk space. 27

28 Client Configuration: Install Client Credentials In the context of VPN-Cubed, client means devices which will be configured as members of the overlay network. These network members are usually servers running in the IBM Cloud. More advanced editions of VPN-Cubed include desktop-based client machines. Note the Client Download username and password on Status screen on every manager (username is clientpack ). On any Manager go to Client Packs and pick a client pack. A client pack can run on a single client at a time. If you shut down or disconnect client from the topology, you can reuse its client pack. You have access to 5 client packs. 28

29 Client Configuration For Linux Clients Configuration follow the steps on pages For Windows Clients Configuration follow the steps on page

30 Linux Client Configuration: Install Client Credentials TWO PHILOSOPHIES FOR INSTALLATION a) SCP - Have ssh access into a client server (if only for the duration of installation). Download credentials to your trusted admin machine via the VPN-Cubed Manager Client Packs link. SCP them into the client machines, and then SSH into the client machines to complete the configuration. b) WGET - SSH into the client machine and download the credentials from its command line using the following URL: wget --no-check-certificate Something like: wget --no-check-certificate 172_31_1_53.tar.gz NOTE: The clientpack:password combination is on the status screen of the VPN-Cubed Manager. 30

31 Linux Client Configuration: Install OpenVPN You can either install OpenVPN 2.1 or later on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network. Extract clientpack contents to /etc/openvpn directory (consult OpenVPN documentation for your OS if not found). Edit the vpncubed.conf add the managers you want this client to connect to in priority at the bottom of the file: remote MANAGER_IP_ADDRESS 1194 In multiple Manager topologies the order of remote commands matters - client will try to connect to the first remote endpoint, if not successful - to the second, and so on. You may want to evenly distributed clients among managers by varying the order of "remote" commands on each client. 31

32 Linux Client Configuration: Launch OpenVPN Start openvpn. On Linux OSs this is done using the /etc/init.d/openvpn start command. Your client will get a virtual IP address that corresponds to the clientpack it received. WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time. Adjust local firewall on the client if necessary (on Linux, your tunnel device name will be tun0). Verify connectivity by pinging the Managerʼs Overlay Network IP address,

33 Windows Client Configuration: Install Client Credentials RDP into the Windows Machine using the Administrator credentials specified when launching the server. Navigate to Manager IP>:8000 in IE. Login using the default username and password (vpncubed and <instance ID> respectively) or the password you changed on your first login. Click Client Packs on the left menu. Download the appropriate client pack zip file to the Windows machine. 33

34 Windows Client Configuration: Install OpenVPN Install OpenVPN 2.1 or later on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network. On Vista you will need to have admin privileges to install the software. You will have to install a client pack on the Windows desktop machine and put the client pack files in \Program Files\OpenVpn\config\ RENAME vpncubed.conf to vpncubed.ovpn!!!! Edit the vpncubed.ovpn and add the managers you want this client to connect to in priority at the bottom of the file: remote MANAGER_IP_ADDRESS 1194 In multiple Manager topologies the order of remote commands matters - client will try to connect to the first remote endpoint, if not successful - to the second, and so on. You may want to evenly distributed clients among managers by varying the order of "remote" commands on each client. 34

35 Windows Client Configuration: Launch OpenVPN Start openvpn. On Windows XP and Vista this can be done through the Services tool or via the command line openvpn vpncubed.ovpn. On Vista if you run it from the command line you will need to know how to start a command line with administrative privileges. Details here: Alternatively, start the OpenVPN service from the Services tool. On Vista and Win2k servers OpenVPN also has a graphical tool - OpenVPN GUI. Your client will get a virtual IP address that corresponds to the clientpack it received. WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time. Adjust local firewall on the client if necessary. Verify connectivity by pinging the Managerʼs Overlay Network IP address,

36 Windows Client Configuration: Launch OpenVPN 36

37 Windows Client Configuration: Windows 2008 RegEdit Consideration When setting up OpenVPN as a Service on Windows2008 there can be an issue with the machine resolving IPv6 instead of IPv4. Follow the steps below to fix the problem. 1. Go to "regedit" 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters 3. Double-click the ArpRetryCount value, type 0, and then click OK. If it does not exist create of type REG_DWORD, rename to ArpRetryCount, and set the value to Reboot the machine 37

38 Client Configuration: Client in the overlay network The key elements of the display to look for are the connections to that managerʼs peer, both showing the local processes are running and the link as up. You should see the clients listed in the client table at the bottom, connected to the appropriate manager. If this is not the case please check the items listed on the Troubleshooting page of this document. 38

39 VPN-Cubed Firewall Tool 39

40 VPN-Cubed Firewall VPN-Cubed Firewall is controlled using IPTables syntax. For more information - Look for PARAMETERS section and below. In general, you write a specification of a packet to match and what to do with this packet. Customer rules are applied in the middle of overall rules on the manager. If customer rules don't reject a packet, it will be allowed. Order of rules matters - rules are applied from top to bottom up to the first match. If not match is found, packet is allowed. "-j ACCEPT" allows a packet. "-j DROP" drops a packet. "-j REJECT" sends an appropriate notification to sender saying such and such packet was rejected (depends on protocol). Basic examples: * Drop all packets from to s d j DROP * Drop all traffic from /24 (entire subnet) except : -s j ACCEPT -s /24 -j DROP 40

41 Change Username and Password 41

42 Change Username and Password Username and Password can be changed via the Left Column Menu Items. 42

43 Save Manager Configuration with Runtime Snapshots 43

44 44

45 Runtime Snapshots save the Manager Configuration Once your VPN-Cubed Managers and Clients are configured and running, save the configuration with Runtime Snapshots. Snapshots can be used to reconfigure a new Manager with the same SSL Certificates and Keyset with just one file upload. Click the Runtime Snapshots link to take a new snapshot or view/ download available snapshots. Download the snapshot to your local network. In the event of a Manager failure or re-provisioning event, you can upload the snapshot file to a new VPN-Cubed Manager. The new Manager will retain all the configuration settings as your saved snapshot. 45

46 Save and Download a Snapshot Click the Take New Snapshot Now button to generate a new Snapshot. The resulting screen will have the snapshot download link. Download the Snapshot and save locally. 46

47 Upload a Snapshot To use a Snapshot to configure a Manager click the Import Runtime Snapshot link. Browse for your saved Snapshot and upload. The Manager will reboot with the updated configuration. The same client packs will be used to redistribution of the credentials to each Overlay Network Device (OLNDs) is not necessary. A slight configuration change on each OLND is necessary if you have not assigned a public static IP to your Manager as the Managers Public IP address has most likely changed. The OpenVPN configuration file (vpncubed.ovpn) on each OLND needs the new IP of the new Manager referenced in the remote commands section. To automate this step, you can assign a static IP (see IBM billing for rates) to the Manager and reference the static IP in each OLNDʼs OpenVPN configuration file. When launching a replacement Manager, assign the static IP to that instance, upload the snapshot, reboot, and the clients will reconnect automatically. 47

48 End 48