Creating a VPN between the virtual data center edge gateway and the on-premises VPN gateway
This tutorial might incur costs. Use the Cost estimator to generate a cost estimate based on your projected usage.
Objectives
The objective of this tutorial is to demonstrate the basic steps of connecting an IBM Cloud® for VMware Cloud Foundation as a Service single-tenant or multitenant instance with Juniper® vSRX. The connection happens through a Virtual Private Network (VPN). vSRX can either be deployed in the IBM Cloud Classic Infrastructure or in a client data center. The following steps create a basic working environment, providing a VPN, a basic firewall implementation, and end-to-end network connectivity.
In this tutorial, you will learn:
- How to create VPNs between a virtual data center (VDC) edge gateway and vSRX.
- How to create and configure matching IKE and IPsec tunnel proposals and profiles.
- How to configure firewall rules on your VDC edge gateway and vSRX to allow VPN traffic.
The following diagram presents an overview of the solution to be deployed.
Before you begin
This tutorial requires:
- An IBM Cloud billable account.
- Required user permissions. Ensure that your user account has sufficient permissions to create and manage VMware Cloud Foundation (VCF) as a Service resources.
- A preprovisioned VCF as a Service instance.
- A preprovisioned VDC on VCF as a Service.
- IBM Cloud CLI.
- An IBM Cloud API key.
Gather information and requirements
To establish a policy-based tunnel, you need to collect various information from your deployment and design, such as gateway endpoints and local and remote networks. In addition, you need to define the tunnel security policies for IKE and IPsec.
Carefully collect and document the information that is listed and mentioned here. The values must match exactly on tunnel configurations on both sides.
Use the IBM Cloud portal and the vSRX firewall configuration to collect the following information, and then define the IPsec and IKE policy parameters for the tunnel based on your security requirements:
- Collect local and remote network information for the policy-based tunnel.
  The private interface of the vSRX is typically configured as follows:
  set interfaces reth2 unit <vlan-id> description "Your private network routed through Gateway Appliance"
  set interfaces reth2 unit <vlan-id> vlan-id <vlan-id>
  set interfaces reth2 unit <vlan-id> family inet address <private-IP address-of-the-vsrx>/26
  You might have multiple secondary IP addresses on the vSRX interface, so collect all the required network information for the tunnel.
  Collect all required VDC network information for the tunnel. Use the VMware Cloud Director console, or take the information from your network design documentation (which networks are deployed on the VDC).
  Example values are provided as follows:
  List of site prefixes or subnets to review before configuring the VPN.
  Prefix | Value
  Subnets behind vSRX | 10.95.1.0/26
  Subnets on the VDC | 192.168.100.0/24
  As your solution might differ, use the subnets from your network design and deployment.
- Collect local and remote gateway IP address information for the IPsec tunnel.
  The public interface IP address of vSRX is typically configured as follows in IBM Cloud:
  set interfaces reth1 unit 0 description "SL PUBLIC VLAN INTERFACE"
  set interfaces reth1 unit 0 family inet address <public-IP address-of-the-vsrx>/29
  Collect the public IP address of the VDC edge gateway from your VDC. The public IP addresses are available in the IBM Cloud portal, under your VDC instance.
  The following table shows the values that are used in this example:
  List of gateway IP addresses to review before configuring the VPN.
  Gateway IP address | Value
  Public IP address of edge gateway | <public-IP address-of-the-vdc-edge-gateway>
  Public IP address of vSRX | <public-IP address-of-the-vsrx>
  As your solution might differ, use the endpoint IP addresses that match your deployment.
- Create a pre-shared key. Generate a pre-shared key (your-psk in this tutorial) for the IPsec tunnel. The key is used in both the vSRX firewall configuration and the VDC IPsec configuration. Use a long, randomly generated key: the pre-shared key is the only credential that authenticates the two IKE peers to each other.
- Define your IKE policy for the tunnel. The following table shows the values that are used in this example:
  List of IKE policy parameters to review before configuring the VPN.
  IKE policy | Value
  Version | IKE v2
  Encryption | AES 256
  Digest | SHA 2 - 256
  Diffie-Hellman Group | Group 14
  Association Life Time (seconds) | 28800
  As your requirements might differ, use the values from your deployment.
- Define your IPsec (or tunnel) policy for the tunnel. The following table shows the values that are used in this example:
  List of IPsec (or tunnel) policy parameters to review before configuring the VPN.
  IPsec (or tunnel) policy | Value
  Perfect Forward Secrecy | Enabled
  Defragmentation Policy | Copy
  Encryption | AES 256
  Digest | SHA 2 - 256
  Diffie-Hellman Group | Group 14
  Association Life Time (seconds) | 3600
  As your requirements might differ, use the values from your deployment.
- Define your dead peer detection (DPD) policy for the tunnel. The following table shows the values that are used in this example:
  List of dead peer detection (DPD) policy parameters to review before configuring the VPN.
  DPD | Value
  Probe Interval (seconds) | 60
  As your requirements might differ, use the values from your deployment.
Configure vSRX
The following configurations use the example policy values that were presented earlier. Your environment and policies might differ, so adjust the configuration commands.
- Configure the IKE proposal, IKE policy, and pre-shared key:
  set security ike proposal ike-phase1-vmwaas authentication-method pre-shared-keys
  set security ike proposal ike-phase1-vmwaas dh-group group14
  set security ike proposal ike-phase1-vmwaas authentication-algorithm sha-256
  set security ike proposal ike-phase1-vmwaas encryption-algorithm aes-256-cbc
  set security ike proposal ike-phase1-vmwaas lifetime-seconds 28800
  set security ike policy ike-phase1-policy mode main
  set security ike policy ike-phase1-policy proposals ike-phase1-vmwaas
  set security ike policy ike-phase1-policy pre-shared-key ascii-text <your-psk>
- Configure the IKE gateway:
  set security ike gateway vmwaas ike-policy ike-phase1-policy
  set security ike gateway vmwaas address <public-IP address-of-the-vdc-edge-gateway>
  set security ike gateway vmwaas external-interface reth1.0
  set security ike gateway vmwaas version v2-only
- Configure the IPsec policy and proposal:
  set security ipsec proposal ipsec-phase2-vmwaas protocol esp
  set security ipsec proposal ipsec-phase2-vmwaas authentication-algorithm hmac-sha-256-128
  set security ipsec proposal ipsec-phase2-vmwaas encryption-algorithm aes-256-cbc
  set security ipsec proposal ipsec-phase2-vmwaas lifetime-seconds 3600
  set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group14
  set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-vmwaas
- Configure the IPsec VPN:
  set interfaces st0 unit 0 family inet
  set security ipsec vpn vmwaas-vpn-1 bind-interface st0.0
  set security ipsec vpn vmwaas-vpn-1 ike gateway vmwaas
  set security ipsec vpn vmwaas-vpn-1 ike ipsec-policy ipsec-phase2-policy
  set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 local-ip 10.95.1.0/26
  set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 remote-ip 192.168.100.0/24
  set security ipsec vpn vmwaas-vpn-1 establish-tunnels immediately
  set security ipsec vpn vmwaas-vpn-1 df-bit copy
- Configure the control plane firewall:
  set firewall filter PROTECT-IN term PING from destination-address 10.95.1.1/32
  set firewall filter PROTECT-IN term PING from protocol icmp
  set firewall filter PROTECT-IN term IPSec-IKE from destination-address <public-IP address-of-the-vsrx>/32
  # Alternative: match on the source address instead
  # set firewall filter PROTECT-IN term IPSec-IKE from source-address <public-IP address-of-the-vdc-edge-gateway>/32
  set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
  set firewall filter PROTECT-IN term IPSec-IKE from port 500
  set firewall filter PROTECT-IN term IPSec-IKE then accept
  set firewall filter PROTECT-IN term IPSec-ESP from destination-address <public-IP address-of-the-vsrx>/32
  # Alternative: match on the source address instead
  # set firewall filter PROTECT-IN term IPSec-ESP from source-address <public-IP address-of-the-vdc-edge-gateway>/32
  set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
  set firewall filter PROTECT-IN term IPSec-ESP then accept
  set firewall filter PROTECT-IN term IPSec-4500 from destination-address <public-IP address-of-the-vsrx>/32
  # Alternative: match on the source address instead
  # set firewall filter PROTECT-IN term IPSec-4500 from source-address <public-IP address-of-the-vdc-edge-gateway>/32
  set firewall filter PROTECT-IN term IPSec-4500 from protocol udp
  set firewall filter PROTECT-IN term IPSec-4500 from port 4500
  set firewall filter PROTECT-IN term IPSec-4500 then accept
  The PING term has no then clause; in Junos a term without an action accepts the packets that it matches. These terms only take effect where PROTECT-IN is applied as an input filter (typically on the loopback interface lo0, which protects the vSRX control plane). Matching on the source address of the VDC edge gateway, as in the commented alternatives, limits IKE and ESP acceptance to that one peer.
- Configure the security zones and zone policies:
  set security zones security-zone vpn-vmwaas-tunnel interfaces st0.0
  set security zones security-zone vsrx-vlan interfaces reth2.2498
  set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas match source-address any
  set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas match destination-address any
  set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas match application any
  set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas then permit
  set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan match source-address any
  set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan match destination-address any
  set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan match application any
  set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan then permit
  In this example, reth2.2498 is the private VLAN unit from the interface configuration collected earlier; replace 2498 with your VLAN ID. The two zone policies permit all traffic in both directions so that connectivity can be verified; once it works, narrow source-address, destination-address, and application to what the VDC workloads require. The zone that contains the external interface reth1.0 must also allow IKE as host-inbound traffic (host-inbound-traffic system-services ike), or the vSRX silently drops the IKE negotiation.
- Configure TCP maximum segment size (MSS):
  set security flow tcp-mss ipsec-vpn mss 1360
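The IKE, IPsec, and network values from the "Gather information and requirements" tables and the vSRX commands above have to agree exactly, and the MSS has to leave room for the ESP tunnel-mode overhead. The following Python script is an added example, not part of this tutorial and not IBM or Juniper tooling: it parses Junos set commands, maps the Junos keywords to the names used in the Cloud Director wizard, reports any mismatch against the VDC-side values, checks that the traffic selector mirrors the VDC networks, and computes the largest MSS that fits an ESP tunnel-mode packet for AES-256-CBC with HMAC-SHA-256-128. The embedded configuration text, the VDC_POLICY dictionary, and the keyword mapping are constructed from this tutorial's values; the 1500-byte outer MTU and the NAT-T (UDP 4500) encapsulation in max_esp_mss are assumptions.

```python
import re

# Constructed copy of the tutorial's vSRX commands (the tunnel-relevant subset).
VSRX_CONFIG = """
set security ike proposal ike-phase1-vmwaas authentication-method pre-shared-keys
set security ike proposal ike-phase1-vmwaas dh-group group14
set security ike proposal ike-phase1-vmwaas authentication-algorithm sha-256
set security ike proposal ike-phase1-vmwaas encryption-algorithm aes-256-cbc
set security ike proposal ike-phase1-vmwaas lifetime-seconds 28800
set security ike gateway vmwaas version v2-only
set security ipsec proposal ipsec-phase2-vmwaas protocol esp
set security ipsec proposal ipsec-phase2-vmwaas authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-phase2-vmwaas encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-phase2-vmwaas lifetime-seconds 3600
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group14
set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 local-ip 10.95.1.0/26
set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 remote-ip 192.168.100.0/24
set security flow tcp-mss ipsec-vpn mss 1360
"""

# VDC-side values as entered in the Cloud Director wizard (constructed from the tables).
VDC_POLICY = {
    "ike_version": "IKE v2", "ike_encryption": "AES 256", "ike_digest": "SHA 2 - 256",
    "ike_dh_group": "Group 14", "ike_lifetime": 28800,
    "pfs": "Enabled", "ipsec_encryption": "AES 256", "ipsec_digest": "SHA 2 - 256",
    "ipsec_dh_group": "Group 14", "ipsec_lifetime": 3600,
    "local_network": "192.168.100.0/24",   # network on the VDC side
    "remote_network": "10.95.1.0/26",      # network behind the vSRX
}

# Junos keyword -> name shown in the Cloud Director wizard (assumed mapping).
JUNOS_TO_VDC = {"v2-only": "IKE v2", "aes-256-cbc": "AES 256", "sha-256": "SHA 2 - 256",
                "hmac-sha-256-128": "SHA 2 - 256", "group14": "Group 14"}

PATTERNS = {
    "ike_version": r"set security ike gateway \S+ version (\S+)",
    "ike_encryption": r"set security ike proposal \S+ encryption-algorithm (\S+)",
    "ike_digest": r"set security ike proposal \S+ authentication-algorithm (\S+)",
    "ike_dh_group": r"set security ike proposal \S+ dh-group (\S+)",
    "ike_lifetime": r"set security ike proposal \S+ lifetime-seconds (\d+)",
    "ipsec_encryption": r"set security ipsec proposal \S+ encryption-algorithm (\S+)",
    "ipsec_digest": r"set security ipsec proposal \S+ authentication-algorithm (\S+)",
    "ipsec_dh_group": r"set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)",
    "ipsec_lifetime": r"set security ipsec proposal \S+ lifetime-seconds (\d+)",
    "local_ip": r"traffic-selector \S+ local-ip (\S+)",
    "remote_ip": r"traffic-selector \S+ remote-ip (\S+)",
    "mss": r"set security flow tcp-mss ipsec-vpn mss (\d+)",
}


def parse_vsrx(config: str) -> dict:
    """Extract the tunnel parameters from Junos set commands, in VDC wizard terms."""
    found = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, config)
        if match:
            value = match.group(1)
            found[key] = int(value) if value.isdigit() else JUNOS_TO_VDC.get(value, value)
    # PFS is enabled on the vSRX exactly when the IPsec policy carries a PFS group.
    found["pfs"] = "Enabled" if "ipsec_dh_group" in found else "Disabled"
    return found


def max_esp_mss(mtu: int = 1500, nat_t: bool = True, iv_len: int = 16,
                icv_len: int = 16, block: int = 16) -> int:
    """Largest TCP MSS whose ESP tunnel-mode packet still fits the outer MTU.
    Fixed overhead: outer IP 20, UDP 8 when NAT-T is in use, ESP SPI+sequence 8,
    the CBC IV and the ICV. The encrypted part (inner IP 20 + TCP 20 + MSS bytes
    + padding + 2 trailer bytes) must be a multiple of the cipher block size."""
    room = mtu - 20 - (8 if nat_t else 0) - 8 - iv_len - icv_len
    room -= room % block          # round down to a whole number of cipher blocks
    return room - 20 - 20 - 2


def check(config: str, policy: dict) -> list:
    """Return a list of mismatches; an empty list means both sides agree."""
    got = parse_vsrx(config)
    problems = []
    for key in ("ike_version", "ike_encryption", "ike_digest", "ike_dh_group", "ike_lifetime",
                "pfs", "ipsec_encryption", "ipsec_digest", "ipsec_dh_group", "ipsec_lifetime"):
        if got.get(key) != policy[key]:
            problems.append(f"{key}: vSRX={got.get(key)!r} VDC={policy[key]!r}")
    # The vSRX traffic selector must be the mirror image of the VDC networks.
    if got.get("local_ip") != policy["remote_network"]:
        problems.append(f"local-ip: vSRX={got.get('local_ip')!r} VDC remote={policy['remote_network']!r}")
    if got.get("remote_ip") != policy["local_network"]:
        problems.append(f"remote-ip: vSRX={got.get('remote_ip')!r} VDC local={policy['local_network']!r}")
    bound = max_esp_mss()
    if got.get("mss", 0) > bound:
        problems.append(f"mss: {got['mss']} exceeds ESP tunnel-mode bound {bound}")
    return problems


if __name__ == "__main__":
    for line in check(VSRX_CONFIG, VDC_POLICY) or ["vSRX and VDC tunnel parameters agree"]:
        print(line)
```

Run it against a copy of your own vSRX commands before clicking Finish in the Cloud Director wizard; every line it prints is a value that would make IKE or IPsec negotiation fail or, for the MSS line, cause fragmented or black-holed TCP sessions. The computed bound of 1382 bytes with NAT-T shows why the tutorial's 1360 is a safe, conservative choice.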
Configure VCF as a Service instance edge gateway
Log in to your VCF as a Service instance and configure the network IP sets, the firewall rules, and the IPsec tunnel.
Log in to the VCF as a Service console
- Log in to the VCF as a Service instance with a user that has the Organization Administrator role.
- In the left navigation, click Networking.
- Under Edge Gateways, select the name of your Edge Gateway.
  Figure: VCF as a Service VDC Edge Gateway Selection
- On the side menu, click IP Sets and click New to create an IP set.
- Create two IP sets.
  IP sets details
  IP set | Name | IP address
  IPSET 1 | Firewall-Network | 10.95.1.0/26
  IPSET 2 | VMWaaS-VDC-Network | 192.168.100.0/24
  Figure: VCF as a Service VDC IP sets
- Click Save.
Create the VDC gateway firewall rule
The VCF as a Service tenant instance is provisioned with a default firewall rule that drops all traffic to ensure security.
You must add two extra rules to allow traffic to and from the VPN connection.
- With the Edge Gateway selected, click Firewall in the left navigation.
- Click Edit Rules and click New on Top.
- Repeat for each rule, then click Save.
  VCF as a Service VDC firewall rules
  Firewall Rule | Name | Source Address | Destination Address
  Firewall Rule 1 | VMWaaS-to-FW | VMWaaS-VDC-Network | Firewall-Network
  Firewall Rule 2 | FW-to-VMWaaS | Firewall-Network | VMWaaS-VDC-Network
  Figure: VCF as a Service VDC firewall rules
Create the VDC IPSec VPN Tunnel
The next step is to create the IPSec VPN tunnel between the local and remote endpoints.
- With the Edge Gateway selected, click IPSec VPN in the left navigation.
- Click New to start the wizard.
- Under General Settings, populate the Name field, for example, VMWaaS-to-FW-VPN, and click Next.
- Under Peer Authentication mode, populate the pre-shared key. This key must match the one configured on the firewall. Click Next.
- Under Endpoint Configuration, set the following values:
  Endpoint configuration
  Endpoint | IP address | Network | Remote ID
  Local Endpoint | <public-IP address-of-the-vdc-edge-gateway> | 192.168.100.0/24 | n/a
  Remote Endpoint | <public-IP address-of-the-vsrx> | 10.95.1.1/26 | <public-IP address-of-the-vsrx>
- Click Finish to complete.
  Figure: VCF as a Service VDC IPSEC VPN configuration
Validate your IPsec tunnel and connectivity
If all steps are completed successfully, your VPN tunnel is established and traffic flows between the two networks.
You can test the connection in the user interface (UI) or, the classic way, from the CLI with ping.
Validate your IPsec tunnel and connectivity on the UI
- With the Edge Gateway selected, click IPSec VPN in the left navigation.
- In the list, select the VPN that you configured.
- In the State column, find the state of the tunnel.
- Check it in detail by clicking View Statistics.
- If the status is not green, there might be problems with the tunnel.
  Figure: VCF as a Service VDC IPSEC VPN first validation
If the tunnel is not working, check its settings as follows:
- With the Edge Gateway selected, click IPSec VPN in the left navigation.
- In the list, select the VPN that you configured.
- Check it in detail by clicking Security Profile Customization.
- Change the specific details in IKE Profile, Tunnel Configuration, or DPD Configuration so that they match the vSRX side.
  Figure: VCF as a Service VDC IPSEC VPN second validation
If your settings are correct and you click Save, the tunnel comes up. Verify it with the same steps as before; the only difference is that the State column is now green, and View Statistics also shows green.
- With the Edge Gateway selected, click IPSec VPN in the left navigation.
- In the list, select the VPN that you configured.
- In the State column, if it says Enabled and is green, the tunnel is working.
- Check it in detail by clicking View Statistics.
  Figure: VCF as a Service VDC IPSEC VPN third validation
Validate your IPsec tunnel and connectivity on the CLI
You can test the connection by logging in to one of your VMs running on the VDC by using the VMware VM Console and testing connectivity to the virtual machines in your on-premises network.
For example, you can ping the IP address of the vSRX, if your vSRX allows ICMP:
ping 10.95.1.1
Or try TCP port 443 on a remote IP address 10.95.1.10 (assuming the server hosts a web server on TCP port 443) with netcat:
nc -vz 10.95.1.10 443
Connection to 10.95.1.10 port 443 [tcp/https] succeeded!