VNS3 to Windows RRAS Instructions
Windows 2012 R2 RRAS Configuration Guide
2018
Site-to-Site IPsec Tunnel (page 2)

The IPsec protocol allows you to securely connect two sites together over the public internet using cryptographically secured services. IPsec ensures private and secure communication between two devices. This type of VPN has many use cases. We will focus on the Site-to-Site (LAN-to-LAN) setup most often used with VNS3 to build hybrid clouds.

Many network hardware devices support IPsec tunneling functionality. Check your device's data sheet to see if it is compatible with VNS3. The requirements are:
- IKEv1 or IKEv2
- AES256, AES128 or 3DES
- SHA1 or MD5
- NAT-Traversal capability (some clouds require NAT-Traversal encapsulation: AWS generic EC2, Microsoft Azure, etc.)

A diagram of the typical secure hybrid cloud setup using VNS3 is provided on the right. The IPsec tunnel provides secure and encrypted connectivity between the office subnet (10.0.2.0/26) and the VNS3 Overlay Network (172.16.1.0/24).

[Diagram labels: Public Cloud, Overlay Network Subnet: 172.16.1.0/24; Windows RRAS; Cloud Server, Overlay IP: 172.16.1.1; VNS3, public IP: 54.54.54.131, overlay IP: 172.16.1.253; Active IPsec tunnel 10.0.2.0/26 to 172.16.1.0/24; Server A, LAN IP: 10.0.2.1; Server B, LAN IP: 10.0.2.2; Customer Remote Office, Remote subnet: 10.0.2.0/26]

This guide provides the steps to set up the Windows 2012 R2 RRAS side of the IPsec configuration. The most important thing in any IPsec configuration is to make sure all settings match on both devices that are going to connect to each other. Mismatches are the primary cause of tunnel failure or instability.
Update Windows Network Adapter Settings (page 3)

This step may be required depending on the Windows server deployment environment. We recommend you take this step if the Windows server is deployed to a public cloud environment like AWS EC2. To update your adapter settings:
1. Open the Control Panel.
2. Click View network status and tasks under the Network and Internet setting category.
3. Click the Ethernet connection listed under the active networks.
4. Click Properties on the resulting Ethernet Status window.
5. Click Configure on the resulting Ethernet Properties window.
6. Disable the IPv4 Checksum Offload, TCP Checksum Offload (IPv4), and UDP Checksum Offload (IPv4) properties, and then click OK.
Install RRAS (page 4)
Installing RRAS (page 5)

Before configuring an IPsec tunnel, RRAS needs to be installed and configured on the Windows 2012 R2 server.
1. Open Server Manager from the Start menu.
2. Click Manage.
3. Click Add Roles and Features.
4. Click Role-based or feature-based installation.
5. Click Next.
6. Click on your Windows 2012 R2 server, and then click Next.
Installing RRAS (page 6)
7. Click Network Policy and Access Services in the list, and in the popup window click Add Features.
8. Click Remote Access.
9. Click Next.
10. On the Select features page, click Next.
Installing RRAS (page 7)
11. On the Network Policy and Access Services page, click Next.
12. Leave Network Policy Server selected, and click Next.
Installing RRAS (page 8)
13. On the Remote Access page, click Next.
14. On the next page, select DirectAccess and VPN (RAS), and in the popup window click Add Features.
15. Click Routing.
16. Click Next.
Installing RRAS (page 9)
17. On the Web Server Role (IIS) page, click Next.
18. Leave the default selection, and click Next.
19. Click Install.
Configure RRAS (page 10)
Configuring RRAS (page 11)
1. From the Server Manager Dashboard, click Remote Access Manager from the Tools menu.
2. In the resulting Remote Access Management Console window, click DirectAccess and VPN under the Configuration item in the left column menu.
3. Then click Run the Getting Started Wizard.
4. Choose Deploy VPN only.
Configuring RRAS (page 12)
5. In the Routing and Remote Access dialog box, select the server name, click Action, and click Configure and Enable Routing and Remote Access.
6. In the Routing and Remote Access Server Setup Wizard, click Next.
7. On the Configuration page, select Custom Configuration and click Next.
8. Select LAN routing.
9. Click Next.
10. Click Finish.
11. When prompted by the Routing and Remote Access dialog box, click Start service.
Create Policy-based IPsec VPN Tunnel (page 13)
Create tunnel: create tunnel rule (page 14)
1. Open Server Manager, click Tools, and select Windows Firewall with Advanced Security.
2. Select Connection Security Rules, click the Action menu, and click New Rule.
3. On the New Connection Security Rule wizard's Rule Type page, select Tunnel, and then click Next.
Create tunnel: type and requirements (page 15)
4. On the Tunnel Type page, under What type of tunnel would you like to create, select Custom configuration.
5. Under Would you like to exempt IPsec-protected connections from this tunnel, leave the default value of No checked, and click Next.
6. On the Requirements page, select Require authentication for inbound connections and click Next.
Create tunnel: endpoint and tunnel definition (page 16)
7. On the Tunnel Endpoints page, enter the local subnet CIDR (10.0.2.0/26 in our example) and the Windows IP address in the Endpoint 1 sections shown in the screenshot.
8. Enter the remote subnet CIDR (172.16.1.0/24 in our example) and the remote endpoint IP in the Endpoint 2 sections shown in the screenshot.
9. Click Next.
Create tunnel: PSK authentication (page 17)
10. On the Authentication Method page, select Advanced, and then click Customize.
11. Click Add under the first authentication section.
12. Select Preshared key, enter the pre-shared key value, and click OK.
13. Click Next.
Create tunnel: open Windows firewall (page 18)
14. On the Profile page, select all three checkboxes, one for each Windows Firewall profile (Domain, Private, and Public), and click Next.
15. On the Name page, enter a name for your connection rule and click Finish.
Enable perfect forward secrecy (PFS) (page 19)
Enable PFS: command line only (page 20)

We recommend using PFS when creating IPsec tunnels, but this step is optional.

NOTE: any settings included in the following command will be used for the phase 2 (IPsec) security association regardless of settings specified later in the configuration; in particular, the 60-minute key lifetime given here is the one that applies to this rule. These settings are also not editable or viewable via the UI, so take extra care to record the choices when running this command. The data lifetime value is required, so we set it to a large number that Windows accepts.

Run the following command via the command prompt, replacing "rule_name" with the name given to the connection rule on the Name page (step 15):

netsh advfirewall consec set rule name="rule_name" new QMPFS=dhgroup14 QMSecMethods=ESP:SHA1-AES256+60min+10000000kb
Phase1 and Phase2 settings (page 21)
Phase1 settings (page 22)

To edit the tunnel's phase 1 and phase 2 settings, open the Windows Firewall window via Server Manager: click the Tools menu > Windows Firewall with Advanced Security, and then click Actions > Properties in the resulting window.
1. From the IPsec Settings tab, under IPsec exemptions, verify that Exempt ICMP from IPsec is No (the default). Verify that IPsec tunnel authorization is None.
2. Click Customize next to the IPsec defaults section.
3. Under Key exchange (Main Mode), select Advanced and then click Customize.
4. Remove any default settings in the Security methods section, then click Add and select the following:
   Integrity algorithm: SHA-1
   Encryption algorithm: AES-CBC-256
   Key exchange algorithm: Diffie-Hellman Group 14
5. Click OK.
6. Under Key lifetimes, verify that Minutes is 60 and Sessions is 0.
7. Under Key exchange options, select Use Diffie-Hellman for enhanced security, and then click OK.
Phase2 settings (page 23)
8. From the Customize IPsec Defaults window, under Data protection (Quick Mode), select Advanced, and then click Customize.
9. Select Require encryption for all connection security rules that use these settings.
10. Remove any default settings in the Data integrity and encryption section, then click Add and select the following:
    ESP encryption algorithm: AES-CBC-256
    Integrity algorithm: SHA-1
    Key lifetime: 480 minutes
11. Click OK to return to the Customize IPsec Settings dialog box, and click OK to save the configuration.
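The wizard steps on pages 14 through 18, the netsh command on page 20 and the dialogs on pages 22 and 23 together define one connection security rule plus its main-mode and quick-mode settings. As an added example that is not part of this guide, the following PowerShell builds the same configuration with the NetSecurity module cmdlets that ship with Windows Server 2012 R2, so every value that has to match the VNS3 endpoint is visible in one place. The algorithm, lifetime, subnet and VNS3 endpoint values are the ones the guide specifies; the rule and crypto set display names, the local tunnel endpoint (10.0.2.1, the Server A address from the page 2 diagram, taken here to be the RRAS server's LAN address), prompting for the PSK instead of storing it in the script, and binding the main-mode set through a main-mode rule for this peer rather than editing the global IPsec defaults are this example's own assumptions.

```powershell
# Added example, not part of the Cohesive Networks guide. Builds the tunnel rule of
# pages 14-18 and the crypto settings of pages 20-23 with the NetSecurity cmdlets.
# Run from an elevated PowerShell session on the Windows 2012 R2 RRAS server.

$RuleName       = 'VNS3-Tunnel'      # any name; it is also the name= value for the netsh command on page 20
$LocalSubnet    = '10.0.2.0/26'      # office subnet behind RRAS (page 2)
$RemoteSubnet   = '172.16.1.0/24'    # VNS3 overlay network (page 2)
$RemoteEndpoint = '54.54.54.131'     # VNS3 public IP (page 2)
$LocalEndpoint  = '10.0.2.1'         # assumption: the RRAS server's own address on the office LAN
$PreSharedKey   = Read-Host -Prompt 'Pre-shared key (identical to the VNS3 endpoint PSK)'

# Phase 1 authentication: pre-shared key (page 17).
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$phase1Auth  = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName phase1 auth" -Proposal $pskProposal

# Phase 1 (main mode) crypto: AES-CBC-256, SHA-1, DH group 14, 60 minutes / 0 sessions,
# with "Use Diffie-Hellman for enhanced security" (page 22).
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA1 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "$RuleName main mode" -Proposal $mmProposal `
    -MaxMinutes 60 -MaxSessions 0 -ForceDiffieHellman $true

# Phase 2 (quick mode) crypto with PFS: the same ESP:SHA1-AES256+60min+10000000kb and
# QMPFS=dhgroup14 that the netsh command on page 20 applies to the rule.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption AES256 `
    -MaxMinutes 60 -MaxKilobytes 10000000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "$RuleName quick mode" -Proposal $qmProposal `
    -PerfectForwardSecrecyGroup DH14

# Tunnel rule (pages 14-18): subnet-to-subnet tunnel between the two endpoints, authentication
# required for inbound and requested for outbound, applied to all three firewall profiles.
New-NetIPsecRule -DisplayName $RuleName -Mode Tunnel `
    -LocalAddress $LocalSubnet -RemoteAddress $RemoteSubnet `
    -LocalTunnelEndpoint $LocalEndpoint -RemoteTunnelEndpoint $RemoteEndpoint `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1Auth.Name -QuickModeCryptoSet $qmSet.Name `
    -Profile Any | Out-Null

# Bind the main-mode set to this peer (assumption: a per-peer main-mode rule instead of
# the global IPsec defaults that page 22 edits).
New-NetIPsecMainModeRule -DisplayName "$RuleName main mode rule" `
    -LocalAddress $LocalEndpoint -RemoteAddress $RemoteEndpoint `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $phase1Auth.Name | Out-Null

# Read the result back; these are the values to compare against the VNS3 endpoint.
netsh advfirewall consec show rule name="$RuleName" verbose
```

Run it once per server. Running it again creates a second rule and second crypto sets with the same display names, so remove the old ones first (Remove-NetIPsecRule -DisplayName 'VNS3-Tunnel', and likewise the main-mode rule and the crypto and auth sets) before changing a value.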
Enable Dead Peer Detection (DPD) (page 24)
Enable DPD (page 25)

We recommend using DPD when creating IPsec tunnels, but this step is optional.
1. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Parameters.
2. Click the Edit menu, then click New and select DWORD (32-bit) Value.
3. Enter the name EnableDeadGWDetect.
4. Select EnableDeadGWDetect, and click Modify from the Edit menu.
5. In Value data, enter 1, and then click OK.
6. Close the Registry Editor and reboot the server.
Configure VNS3 (page 26)
VNS3 settings based on RRAS options (page 27)

Given the tunnel definition options available in RRAS, the recommended configuration is the one shown in this document. To match those settings, use the following IPsec endpoint setup in VNS3:
1. Name: enter any name.
2. IP: the public IP of the Windows 2012 R2 server (this can be a NATed IP if necessary).
3. PSK: the same PSK entered on page 17.
4. NAT IP: the private IP of the Windows 2012 server, if it is not directly accessible via the Internet.
5. PFS: enabled (optional; it must match whether or not you ran the PFS command on page 20).
6. Extra configuration parameters: phase1=aes256-sha1-dh14 phase2=aes256-sha1 pfsgroup=dh14
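The page 2 requirement that every setting match on both sides is easy to get wrong because RRAS and VNS3 spell the same parameters differently: AES-CBC-256 versus aes256, SHA-1 versus sha1, Diffie-Hellman Group 14 versus dhgroup14 in netsh versus dh14 in the VNS3 extra parameters. As an added example that is not part of this guide, the following PowerShell normalises both spellings and reports any mismatch before the tunnel is brought up. It touches no configuration and runs wherever PowerShell runs; the function names and canonical spellings are this example's own, and it goes slightly beyond the guide by also accepting the modp1024/modp1536/modp2048 group names some other IPsec implementations use.

```powershell
# Added example, not part of the Cohesive Networks guide. Compares the RRAS values of
# pages 20-23 with the VNS3 extra configuration parameters of page 27 after normalising
# the two naming schemes, and lists every parameter that differs.

function ConvertTo-CanonicalAlgorithm {
    param([Parameter(Mandatory)][string]$Name)
    # Drop spaces, hyphens and underscores so "AES-CBC-256", "aes256" and
    # "Diffie-Hellman Group 14" can all be matched by one set of patterns.
    $n = $Name.ToLowerInvariant() -replace '[\s_\-]', ''
    switch -Regex ($n) {
        '^aes(cbc)?(128|192|256)$'               { return "aes$($Matches[2])" }
        '^(3des|des3|tripledes)$'                { return '3des' }
        '^(sha1|sha256|sha384|md5)$'             { return $Matches[1] }
        '^(diffiehellmangroup|dhgroup|dh)(\d+)$' { return "dh$($Matches[2])" }
        '^modp(1024|1536|2048)$'                 { return (@{ '1024' = 'dh2'; '1536' = 'dh5'; '2048' = 'dh14' })[$Matches[1]] }
        default                                  { throw "Unrecognised algorithm name: '$Name'" }
    }
}

function ConvertFrom-NetshQmSecMethod {
    # Parses the QMSecMethods value of the page 20 command, e.g. "ESP:SHA1-AES256+60min+10000000kb".
    param([Parameter(Mandatory)][string]$Spec)
    $m = [regex]::Match($Spec, '^ESP:([A-Za-z0-9]+)-([A-Za-z0-9]+)\+(\d+)min\+(\d+)kb$')
    if (-not $m.Success) { throw "Unexpected QMSecMethods format: '$Spec'" }
    [pscustomobject]@{
        Integrity       = ConvertTo-CanonicalAlgorithm $m.Groups[1].Value
        Encryption      = ConvertTo-CanonicalAlgorithm $m.Groups[2].Value
        LifetimeMinutes = [int]$m.Groups[3].Value
        LifetimeKb      = [long]$m.Groups[4].Value
    }
}

function ConvertFrom-Vns3ExtraParameters {
    # Parses the page 27 line, e.g. "phase1=aes256-sha1-dh14 phase2=aes256-sha1 pfsgroup=dh14".
    param([Parameter(Mandatory)][string]$Text)
    $kv = @{}
    foreach ($token in ($Text -split '\s+')) {
        if ($token -like '*=*') { $k, $v = $token -split '=', 2; $kv[$k] = $v }
    }
    if (-not $kv['phase1'] -or -not $kv['phase2']) { throw 'phase1= and phase2= are both required' }
    $p1 = $kv['phase1'] -split '-'   # encryption-integrity-dhgroup
    $p2 = $kv['phase2'] -split '-'   # encryption-integrity
    [pscustomobject]@{
        Phase1Encryption = ConvertTo-CanonicalAlgorithm $p1[0]
        Phase1Integrity  = ConvertTo-CanonicalAlgorithm $p1[1]
        Phase1DhGroup    = ConvertTo-CanonicalAlgorithm $p1[2]
        Phase2Encryption = ConvertTo-CanonicalAlgorithm $p2[0]
        Phase2Integrity  = ConvertTo-CanonicalAlgorithm $p2[1]
        PfsGroup         = $(if ($kv['pfsgroup']) { ConvertTo-CanonicalAlgorithm $kv['pfsgroup'] } else { 'none' })
    }
}

function Compare-IpsecSides {
    # Returns one line per parameter that differs; an empty array means the sides agree.
    param([Parameter(Mandatory)]$Rras, [Parameter(Mandatory)]$Vns3)
    $names = 'Phase1Encryption', 'Phase1Integrity', 'Phase1DhGroup',
             'Phase2Encryption', 'Phase2Integrity', 'PfsGroup'
    $mismatches = @()
    foreach ($name in $names) {
        if ($Rras.$name -ne $Vns3.$name) {
            $mismatches += '{0}: RRAS={1} VNS3={2}' -f $name, $Rras.$name, $Vns3.$name
        }
    }
    return ,$mismatches
}

# RRAS side: phase 1 as entered in the page 22 dialog, phase 2 and PFS from the page 20 command.
$qm   = ConvertFrom-NetshQmSecMethod 'ESP:SHA1-AES256+60min+10000000kb'
$rras = @{
    Phase1Encryption = ConvertTo-CanonicalAlgorithm 'AES-CBC-256'
    Phase1Integrity  = ConvertTo-CanonicalAlgorithm 'SHA-1'
    Phase1DhGroup    = ConvertTo-CanonicalAlgorithm 'Diffie-Hellman Group 14'
    Phase2Encryption = $qm.Encryption
    Phase2Integrity  = $qm.Integrity
    PfsGroup         = ConvertTo-CanonicalAlgorithm 'dhgroup14'    # the QMPFS= value
}
# VNS3 side: the extra configuration parameters from page 27.
$vns3 = ConvertFrom-Vns3ExtraParameters 'phase1=aes256-sha1-dh14 phase2=aes256-sha1 pfsgroup=dh14'

$problems = Compare-IpsecSides -Rras $rras -Vns3 $vns3
if ($problems.Count -eq 0) { 'RRAS and VNS3 agree on phase 1, phase 2 and PFS.' } else { $problems }
```

With the guide's values both sides agree and nothing is listed. Changing the VNS3 line to, say, pfsgroup=dh5 or leaving pfsgroup out after running the page 20 command produces a PfsGroup mismatch line, which is the kind of difference that otherwise only shows up as a phase 2 negotiation failure in the tunnel logs.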
VNS3 Document Links (page 28)

VNS3 Product Resources - Documentation and Add-ons

VNS3 Configuration Guide: instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Guide

VNS3 Troubleshooting: troubleshooting document that explains the issues more commonly experienced with VNS3.