VNS3 Configuration. IaaS Private Cloud Deployments

Similar documents
CenturyLink Cloud Configuration. CenturyLink Setup for VNS3

VNS3 Configuration. Google Compute Engine

VNS3 Configuration. Quick Launch for first time VNS3 users in Azure

VNS3 Configuration. ElasticHosts

AWS VPC Cloud Environment Setup

Microsoft Azure Configuration. Azure Setup for VNS3

VNS3 version 4. Free and Lite Edition Reset Overlay Subnet

Overlay Engine. VNS3 Plugins Guide 2018

VNS3 IPsec Configuration. Connecting VNS3 Side by Side via IPsec

VNS Administration Guide

Logging Container. VNS3 Plugins Guide 2018

VNS3 4.0 Configuration Guide

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Cloud Security Best Practices

DataDog Container. VNS3 Plugins Guide 2018

VNS3 to Windows RRAS Instructions. Windows 2012 R2 RRAS Configuration Guide

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

Container System Overview

VMware Cloud on AWS Getting Started. 18 DEC 2017 VMware Cloud on AWS

NSX-T Data Center Migration Coordinator Guide. 5 APR 2019 VMware NSX-T Data Center 2.4

VPN-Cubed 2.x vpcplus Free Edition

VPN-Cubed 2.x Datacenter Connect ElasticHosts

VPN-Cubed 2.x Cloud Only Lite Edition

VNS3 3.5 Container System Add-Ons

VNS3 3.5 Upgrade Instructions

ARCSERVE UDP CLOUD DIRECT DISASTER RECOVERY APPLIANCE VMWARE

VNS3 Plugin Guide. VSN3:turret NIDS Container

VNS3 3.x Trial Edition Configuration Instructions

VMware Cloud on AWS Networking and Security. 5 September 2018 VMware Cloud on AWS

VPN-Cubed Datacenter Connect IBM Trial Edition v201102

VPN-Cubed 2.x vpcplus Enterprise Edition

CA Agile Central Administrator Guide. CA Agile Central On-Premises

VNS3 Plugins. VSN3:turret WAF Container Guide

VPN Solutions for Zerto Virtual Replication to Azure. IPSec Configuration Guide

VPN-Cubed 2.x Datacenter Connect SME Edition

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Securing VMware NSX-T J U N E 2018

CloudN Startup Guide. Version Copyright Aviatrix Systems, Inc. All rights reserved. Aviatrix Systems Page 0

Securing VMware NSX MAY 2014

CA Agile Central Installation Guide On-Premises release

VPN-Cubed 2.1 UL for Terremark Datacenter Connect or Cloud Only

Installation. Power on and initial setup. Before You Begin. Procedure

Transit Network VPC. AWS Reference Deployment Guide. Last updated: May 10, Aviatrix Systems, Inc. 411 High Street Palo Alto, CA USA

Deploy Webex Video Mesh

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017

VPN-Cubed 2.x Datacenter Connect Lite Edition

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Amazon Virtual Private Cloud. Network Administrator Guide

vcloud Director User's Guide 04 OCT 2018 vcloud Director 9.5

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud

VPN-Cubed 2.x Datacenter Connect SME Edition

WatchGuard Dimension v2.0 Update 2 Release Notes. Introducing New Dimension Command. Build Number Revision Date 13 August 2015

WatchGuard Dimension v1.1 Update 1 Release Notes

Installing Cisco CMX in a VMware Virtual Machine

Deploying the Cisco ASA 1000V

Installing the Cisco Virtual Network Management Center

VPN Definition SonicWall:

vcloud Director User's Guide

Running the vsan Witness Appliance in vcloud Air First Published On: Last Updated On:

vcloud Director User's Guide

ITCorporation HOW DO I INSTALL A FRESH INSTANCE OF ANALYZER? DESCRIPTION RESOLUTION. Knowledge Database KNOWLEDGE DATABASE

Installing vrealize Network Insight

Integration Guide. Oracle Bare Metal BOVPN

Installing vrealize Network Insight. VMware vrealize Network Insight 3.3

vrealize Network Insight Installation Guide

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

Redhat OpenStack 5.0 and PLUMgrid OpenStack Networking Suite 2.0 Installation Hands-on lab guide

Checkpoint Vpn Domain Manually Defined

ElasterStack 3.2 User Administration Guide - Advanced Zone

NetConnect to GlobalProtect Migration Tech Note PAN-OS 4.1

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Quick Start Guide for Vmware. Version 2.5 Vmware vsphere Instance

Securing Containers Using a PNSC and a Cisco VSG

vcloud Director User's Guide

Virtual Private Cloud. User Guide. Issue 03 Date

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud

Installing vrealize Network Insight. VMware vrealize Network Insight 3.5

vrealize Network Insight Installation Guide

Wave 5.0. Wave OpenVPN Server Guide for Wave 5.0

FusionHub. SpeedFusion Virtual Appliance. Installation Guide Version Peplink

VIRTUAL CENTRAL LOCK

Pexip Infinity and Google Cloud Platform Deployment Guide

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

VMware Tunnel Guide Deploying the VMware Tunnel for your AirWatch environment

Installing Cisco MSE in a VMware Virtual Machine

Table of Contents DevOps Administrators

Deploying and Provisioning the Barracuda CloudGen WAF in the Classic Microsoft Azure Management Portal

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

VMware Cloud on AWS Operations Guide. 18 July 2018 VMware Cloud on AWS

vcloud Director User's Guide

SRA Virtual Appliance Getting Started Guide

Pexip Infinity and Amazon Web Services Deployment Guide

Installing Cisco Virtual Switch Update Manager

BIG-IP Virtual Edition and VMware ESXi: Setup. Version 12.1

Baremetal with Apache CloudStack

Monitoring Hybrid Cloud Applications in VMware vcloud Air

firewall { all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

Cisco Modeling Labs OVA Installation

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Transcription:

VNS3 Configuration IaaS Private Cloud Deployments

Table of Contents Requirements 3 Remote Support Operations 12 IaaS Deployment Setup 13 VNS3 Configuration Document Links 19 2

Requirements 3

Requirements You have an IaaS account or local IaaS infrastructure (Citrix, RedHat, VMware, OpenStack, Eucalyptus, etc) where you can run a Virtual Machine instance via an image template provided by Cohesive Networks. You have the ability to deploy image templates to the IaaS infrastructure and create instances of them. Instance Requirements include: 10gig+ ephemeral or block storage-backed image capacity per image template needed 2gig memory and 2 virtual cores are practical production minimum When using L4-L7 plugins, more cores and memory may be needed AES-NI available via hardware - to hypervisor - to VM guests is ideal "Jumbo" ethernet frames in the underlying network (9000 MTU) vs. standard 1500 MTU is ideal Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software. 4

Additional Elements VNS3:ms - When running multiple (more than a handful) virtual VNS3 Controllers it is recommended that VNS3:ms (management system is used). It makes managing virtual networks at scale much easier. VNS3 Routing Agent - When running more than the simplest topologies, especially ones where different network paths (routes) may come and go, it is recommended that you use the VNS3 routing agent on each of the virtual hosts connecting to VNS3 as their network overlay controller. VNS3 overlay uses TLS tunneling technology, for which there is not a standard routing protocol. The VNS3 routing agent allows hosts on an overlay to receive dynamic route updates, eliminating a need for tunneling agent restarts. 5

IPsec Requirements In order to be interoperable with other data centers via IPsec, VNS3 supports a wide range of systems and standards. Preferred Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfsense, and Vyatta. Best Effort Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5. *Known Exclusions Checkpoint R65+ requires native IPSec connections as Checkpoint does not conform to NAT-Traversal Standards and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained. 6

Getting Help with VNS3 Custom IaaS deployments will require interaction with the Cohesive team around basics of your deployment. This is required to ensure the product shipped is compatible with your environment. If you are interested in more custom use cases and would like Cohesive to advise and help setup the topology contact sales@cohesive.com for services pricing. This guide covers a very generic VNS3 setup. If you need specific help with project planning, POCs, or audits, contact our professional services team via sales@cohesive.net for details. Please review the VNS3 Support Plans and Contacts before sending support inquiries. 7

Firewall Considerations VNS3 Controller instances use the following TCP and UDP ports. UDP port 1194 For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients. UDP 1195-1203* For tunnels between Controller peers; must be accessible from all peers in a given topology. TCP port 8000 HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients. UDP port 500 UDP port 500 is used the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection. ESP Protocol 50 and possibly UDP port 4500 Protocol 50 is used for phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500** is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation. *VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering. ** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500 8

Sizing Considerations Image Size and Architecture VNS3 Controller Images are available as 64bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the performance will depend on the use-case. Clientpack Key Size VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the clientpacks. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration. 9

Network Considerations Docker for Layer 4-7 Network Function Services VNS3 3.5 provides the ability for users to import and launch Docker and/or LXC application containers inside VNS3 Managers. This allows customization of the VNS3 NFV appliance and adds options for how an application can be deployed to the clouds. In order to provide this functionality, the Docker system needs a subnet to run and communicate to/from the running application containers. Users can edit this subnet but the default is 198.51.100.0/28. If you plan on using the default make sure there is no network overlap with the environments you plan to connect using VNS3. 10

Address Considerations Restrictions Your VLAN CIDR and Subnets cannot not overlap with the VNS3 Overlay Network Subnet. VLANs Virtual machine deployments are launched in VLAN CIDRs. VNS3 VNS3 provides an encrypted subnet in addition to the VLAN subnets. Servers that are configured to join the VNS3 encrypted Overlay Network do so via OpenVPN connections using the VNS3 generated Client Packs. Each Client Pack is tied to a specific Overlay Network Address VLAN Subnets (eth0) Not Encrypted OpenVPN is not required on Client Servers Clients Packs are not required on Client Servers Cannot join generic EC2 directly (public Internet connection required) No Additional Overhead VNS3 Overlay Network Subnet (tun0) Encrypted OpenVPN is required on Client Servers Client Packs are required on Client Servers Can join generic EC2 services directly (OpenVPN or Peer Controller required) Additional Overhead (minimal) 11

Remote Support Note that TCP 22 (ssh) is not required for normal operations. Each VNS3 Controller is running a restricted SSH daemon, with access limited only to Cohesive for debugging purposes controlled by the user via the Remote Support toggle and key exchange generation. In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI. Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key. 12

IaaS Deployment Setup 13

Get Access to the current release Cohesive Networks will make an OVF / OVA file applicable for your virtual infrastructure available to you. This should be used to create your standard VNS3 image template in your virtual infrastructure library. Before providing you with the image, Cohesive will need to know if your VNS3 Controllers will have a public Internet edge; regardless of whether directly of via NAT-ing and port/ protocol forwarding. If the VNS3 Controllers will be connectable via the Internet there is a slight, but significant distinction in their boot up sequence. If your controllers will be wholly on-prem wrapping a local application and not providing public edge services you will need a different image. We call this the running local private configuration. 14

Initial Network Configuration Many private virtual infrastructures do not have the dynamic association of static IP addresses (like Amazon does). They also do not have a way to assign an IP address to a virtual adapter (vsphere for example). As a result the Virtual Infrastructure edition ships with a VERY simple configuration script for setting the initial ETH0 address via the virtual infrastructure console. When using VNS3 on prem assume the ETH0 is the outer address of the VNS3 Controller and ETH1 is the inner address of the controller. 15

Running the set_net.sh script Once you create a VNS3 instance, you then need to access it via the virtual infrastructure console. From the console you log in as a simple user which is locked to a single script; the set-net.sh script. The username is console-user The password is console-user Run sudo./set_net.sh. It will prompt you to Add or Create. Use the create option and enter the address you will use to do initial administration of the instance via its Web UI or API via ETH0. Enter the address, CIDR, and gateway. Then Add DNS entry - you can only add one DNS entry. If your controller will have a public edge, this DNS needs to be able to resolve public names. DO NOT ATTEMPT TO SET ETH1 with this script. That is done via WEB UI/API. SEE FOLLOWING PAGES FOR SCREEN SHOTS. 16

VMware Console to access "set_net.sh" Click on "Preview" 17

Login via console as "console-user" 18

Run "sudo./set_net.sh" 19

Use the "C" option to enter static IP info Use the "C" option and enter network information for the outer network adapter (usually eth0). Do not enter information for any other adapters or you may break your VNS3 installation. 20

Use the "E" option to save static IP info Use the "Ex" option to save the information. The network interface will be restarted with the network information provided. IGNORE the resolveconf warning message. 21

Create port access for your instance VNS3 uses the ports listed on the previous page discussing ports. Use the IaaS firewall and/or hypervisor firewall utilities to ensure that access to those ports are set. You should then be able to reach the Web UI for configuration via: https://<vns3 instance ETH0 ip>:8000 22

VNS3 Configuration Document Links 23

VNS3 Configuration Document Links VNS3 Product Resources - Documentation Add-ons VNS3 Configuration Instructions (Free & Lite Editions BYOL) Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include, initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network. VNS3 Administration Document Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps. VNS3 Troubleshooting Troubleshooting document that provides explanation issues that are more commonly experienced with VNS3. 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback