Creating a VPN between the virtual data center edge gateway and the on-premises VPN gateway

This tutorial might incur costs. Use the Cost estimator to generate a cost estimate based on your projected usage.

Objectives

The objective of this tutorial is to demonstrate the basic steps of connecting an IBM Cloud® for VMware Cloud Foundation as a Service single-tenant or multitenant instance with Juniper® vSRX through a Virtual Private Network (VPN). vSRX can be deployed either in IBM Cloud Classic Infrastructure or in a client data center. The following steps create a basic working environment that provides a VPN, a basic firewall implementation, and end-to-end network connectivity.

In this tutorial, you will learn:

  • How to create VPNs between a virtual data center (VDC) edge gateway and vSRX.
  • How to create and configure matching IKE and IPsec tunnel proposals and profiles.
  • How to configure firewall rules on your VDC edge gateway and vSRX to allow VPN traffic.

The following diagram presents an overview of the solution to be deployed.

Figure 1. Architecture diagram of the tutorial

Before you begin

This tutorial requires:

Some documentation, including, but not limited to, tutorials, solutions architectures, solution guides, videos, and diagrams might still be using the old offering names. This information will be gradually updated to the new offering names in future releases.

Gather information and requirements

To establish a policy-based tunnel, you need to collect information about your deployment and design, such as the gateway endpoints and the local and remote networks. In addition, you need to define the tunnel security policies for IKE and IPsec.

Carefully collect and document the information listed here. The values must match exactly in the tunnel configurations on both sides.

Use the IBM Cloud portal and the vSRX firewall configuration to collect the following information, then define the IPsec and IKE policy parameters for the tunnel based on your security requirements:

  1. Collect local and remote network information for the policy-based tunnel.

    The private interface of the vSRX is typically configured as follows:

    set interfaces reth2 unit <vlan-id> description "Your private network routed through Gateway Appliance"
    set interfaces reth2 unit <vlan-id> vlan-id <vlan-id>
    set interfaces reth2 unit <vlan-id> family inet address <private-IP address-of-the-vsrx>/26
    

    You might have multiple secondary IP addresses on the vSRX interface, so collect all the required network information for the tunnel.

    Collect all required VDC network information for the tunnel. Use the VMware Cloud Director console or collect the information from your network design documentation (which networks are deployed on the VDC).

    Example values are provided as follows:

    Table 1. List of site prefixes or subnets to review before configuring the VPN.
    Prefix                Value
    Subnets behind vSRX   10.95.1.0/26
    Subnets on the VDC    192.168.100.0/24

    As your solution might differ, use the subnets from your network design and deployment.

  2. Collect local and remote gateway IP address information for the IPsec tunnel.

    The public interface IP address of vSRX is typically configured as follows in IBM Cloud:

    set interfaces reth1 unit 0 description "SL PUBLIC VLAN INTERFACE"
    set interfaces reth1 unit 0 family inet address <public-IP address-of-the-vsrx>/29
    

    Collect the Public IP address of the VDC Edge Gateway from your VDC. The public IP addresses are available in the IBM Cloud portal, under your VDC instance.

    The following table shows the values that are used in this example:

    Table 2. List of gateway IP addresses to review before configuring the VPN.
    Gateway IP address                  Value
    Public IP address of edge gateway   <public-IP address-of-the-vdc-edge-gateway>
    Public IP address of vSRX           <public-IP address-of-the-vsrx>

    As your solution might differ, use the endpoint IP addresses matching your deployment.

  3. Create a pre-shared key. Generate a pre-shared key (your-psk in the examples that follow) for the IPsec tunnel. The same key is used in both the vSRX firewall and the VDC IPsec configuration.

  4. Define your IKE policy for the tunnel. The following table shows the values that are used in this example:

    Table 3. List of IKE policy parameters to review before configuring the VPN.
    IKE policy                        Value
    Version                           IKE v2
    Encryption                        AES 256
    Digest                            SHA 2 - 256
    Diffie-Hellman Group              Group 14
    Association Life Time (seconds)   28800

    As your requirements might differ, use the values from your deployment.

  5. Define your IPsec (or tunnel) policy for the tunnel. The following table shows the values that are used in this example:

    Table 4. List of IPsec (or tunnel) policy parameters to review before configuring the VPN.
    IPsec (or tunnel) policy          Value
    Perfect Forward Secrecy           Enabled
    Defragmentation Policy            Copy
    Encryption                        AES 256
    Digest                            SHA 2 - 256
    Diffie-Hellman Group              Group 14
    Association Life Time (seconds)   3600

    As your requirements might differ, use the values from your deployment.

  6. Define your dead peer detection (DPD) policy for the tunnel. The following table shows the values that are used in this example:

    Table 5. List of dead peer detection (DPD) policy parameters to review before configuring the VPN.
    DPD                        Value
    Probe Interval (seconds)   60

    As your requirements might differ, use the values from your deployment.

Configure vSRX

The following configurations use the example policy values that were presented earlier. Your environment and policies might differ, so adjust the configuration commands.

  1. Configure the IKE proposal, IKE policy, and pre-shared key:

    set security ike proposal ike-phase1-vmwaas authentication-method pre-shared-keys
    set security ike proposal ike-phase1-vmwaas dh-group group14
    set security ike proposal ike-phase1-vmwaas authentication-algorithm sha-256
    set security ike proposal ike-phase1-vmwaas encryption-algorithm aes-256-cbc
    set security ike proposal ike-phase1-vmwaas lifetime-seconds 28800
    
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-vmwaas
    set security ike policy ike-phase1-policy pre-shared-key ascii-text <your-psk>
    
  2. Configure the IKE gateway:

    set security ike gateway vmwaas ike-policy ike-phase1-policy
    set security ike gateway vmwaas address <public-IP address-of-the-vdc-edge-gateway>
    
    set security ike gateway vmwaas external-interface reth1.0
    set security ike gateway vmwaas version v2-only
    
  3. Configure the IPsec policy and proposal:

    set security ipsec proposal ipsec-phase2-vmwaas protocol esp
    set security ipsec proposal ipsec-phase2-vmwaas authentication-algorithm hmac-sha-256-128
    set security ipsec proposal ipsec-phase2-vmwaas encryption-algorithm aes-256-cbc
    set security ipsec proposal ipsec-phase2-vmwaas lifetime-seconds 3600
    
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group14
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-vmwaas
    
  4. Configure the IPsec VPN:

    set interfaces st0 unit 0 family inet
    set security ipsec vpn vmwaas-vpn-1 bind-interface st0.0
    set security ipsec vpn vmwaas-vpn-1 ike gateway vmwaas
    set security ipsec vpn vmwaas-vpn-1 ike ipsec-policy ipsec-phase2-policy
    set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 local-ip 10.95.1.0/26
    set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 remote-ip 192.168.100.0/24
    set security ipsec vpn vmwaas-vpn-1 establish-tunnels immediately
    set security ipsec vpn vmwaas-vpn-1 df-bit copy
    
  5. Configure the control plane firewall:

    set firewall filter PROTECT-IN term PING from destination-address 10.95.1.1/32
    set firewall filter PROTECT-IN term PING from protocol icmp
    
    set firewall filter PROTECT-IN term IPSec-IKE from destination-address <public-IP address-of-the-vsrx>/32
    # Alternative way to use source-address
    # set firewall filter PROTECT-IN term IPSec-IKE from source-address <public-IP address-of-the-vdc-edge-gateway>/32
    set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
    set firewall filter PROTECT-IN term IPSec-IKE from port 500
    set firewall filter PROTECT-IN term IPSec-IKE then accept
    
    set firewall filter PROTECT-IN term IPSec-ESP from destination-address <public-IP address-of-the-vsrx>/32
    # Alternative way to use source-address
    # set firewall filter PROTECT-IN term IPSec-ESP from source-address <public-IP address-of-the-vdc-edge-gateway>/32
    set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
    set firewall filter PROTECT-IN term IPSec-ESP then accept
    
    set firewall filter PROTECT-IN term IPSec-4500 from destination-address <public-IP address-of-the-vsrx>/32
    # Alternative way to use source-address
    # set firewall filter PROTECT-IN term IPSec-4500 from source-address <public-IP address-of-the-vdc-edge-gateway>/32
    set firewall filter PROTECT-IN term IPSec-4500 from protocol udp
    set firewall filter PROTECT-IN term IPSec-4500 from port 4500
    set firewall filter PROTECT-IN term IPSec-4500 then accept
    
  6. Configure the security zones and zone policies:

    set security zones security-zone vpn-vmwaas-tunnel interfaces st0.0
    set security zones security-zone vsrx-vlan interfaces reth2.2498
    
    set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas match source-address any
    set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas match destination-address any
    set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas match application any
    set security policies from-zone vsrx-vlan to-zone vpn-vmwaas-tunnel policy vlan_to_vmwaas then permit
    
    set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan match source-address any
    set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan match destination-address any
    set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan match application any
    set security policies from-zone vpn-vmwaas-tunnel to-zone vsrx-vlan policy vmwaas_to_vlan then permit
    
  7. Configure TCP maximum segment size (MSS):

    set security flow tcp-mss ipsec-vpn mss 1360
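The tutorial stresses that the tunnel parameters must match exactly on both sides, and a mismatch in a proposal, a traffic selector or the control plane filter is the usual reason a tunnel stays down. The following script is an added example, not part of this tutorial or of Juniper or VMware tooling. It parses Junos set statements of the kind shown in this section, follows the gateway-to-policy-to-proposal references by name, and compares the result with the values planned for the VDC side in Tables 3, 4, 6 and 8: IKE version and algorithms, PFS group, lifetimes, the traffic selectors (the vSRX local-ip is the VDC remote network and vice versa), and whether the PROTECT-IN filter accepts IKE (UDP 500), NAT-T (UDP 4500) and ESP. The embedded statements are the tutorial's example values; the ALG mapping from Junos algorithm names to the labels the VDC UI uses is the script's own assumption.

```python
"""Cross-check vSRX tunnel settings against the values planned for the VDC side.
Added example for this tutorial, not IBM, Juniper or VMware tooling. It parses Junos
'set ...' statements like those above and compares them with Tables 3, 4, 6 and 8;
the embedded statements are the tutorial's example values, so it runs offline."""

VSRX_CONFIG = """
set security ike proposal ike-phase1-vmwaas dh-group group14
set security ike proposal ike-phase1-vmwaas authentication-algorithm sha-256
set security ike proposal ike-phase1-vmwaas encryption-algorithm aes-256-cbc
set security ike proposal ike-phase1-vmwaas lifetime-seconds 28800
set security ike policy ike-phase1-policy proposals ike-phase1-vmwaas
set security ike gateway vmwaas ike-policy ike-phase1-policy
set security ike gateway vmwaas version v2-only
set security ipsec proposal ipsec-phase2-vmwaas authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-phase2-vmwaas encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-phase2-vmwaas lifetime-seconds 3600
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group14
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-vmwaas
set security ipsec vpn vmwaas-vpn-1 ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 local-ip 10.95.1.0/26
set security ipsec vpn vmwaas-vpn-1 traffic-selector pair1 remote-ip 192.168.100.0/24
set firewall filter PROTECT-IN term IPSec-IKE from protocol udp
set firewall filter PROTECT-IN term IPSec-IKE from port 500
set firewall filter PROTECT-IN term IPSec-IKE then accept
set firewall filter PROTECT-IN term IPSec-ESP from protocol esp
set firewall filter PROTECT-IN term IPSec-ESP then accept
set firewall filter PROTECT-IN term IPSec-4500 from protocol udp
set firewall filter PROTECT-IN term IPSec-4500 from port 4500
set firewall filter PROTECT-IN term IPSec-4500 then accept
"""

# Values entered on the VDC edge gateway (Tables 3, 4 and 8 of the tutorial).
VDC_PLAN = {
    "ike": {"version": "IKEv2", "encryption": "AES 256", "digest": "SHA2 256",
            "dh_group": 14, "lifetime": 28800},
    "ipsec": {"pfs_group": 14, "encryption": "AES 256", "digest": "SHA2 256", "lifetime": 3600},
    "local_network": "192.168.100.0/24", "remote_network": "10.95.1.0/26",
}
# Junos algorithm names mapped to the labels the VDC UI uses (assumed mapping).
ALG = {"aes-256-cbc": "AES 256", "sha-256": "SHA2 256", "hmac-sha-256-128": "SHA2 256"}

def parse_set_statements(text):
    """Turn 'set a b ... leaf value' lines into {path_tuple: {leaf: value}}."""
    cfg = {}
    for tokens in (line.split() for line in text.splitlines()):
        if len(tokens) >= 4 and tokens[0] == "set":  # skips blanks and '#' comments
            *path, leaf, value = tokens[1:]
            cfg.setdefault(tuple(path), {})[leaf] = value
    return cfg

def children(cfg, *prefix):
    """{name: leaves} for every object configured directly under prefix."""
    n = len(prefix)
    return {p[n]: v for p, v in cfg.items() if len(p) == n + 1 and p[:n] == prefix}

def check_tunnel(vsrx_text, plan):
    """Return the list of mismatches; an empty list means both sides agree."""
    cfg, problems = parse_set_statements(vsrx_text), []

    def expect(label, got, want):
        if got != want:
            problems.append(f"{label}: vSRX has {got!r}, VDC side has {want!r}")

    # IKE: gateway -> policy -> proposal, following the references by name.
    gw = next(iter(children(cfg, "security", "ike", "gateway").values()))
    ike_pol = children(cfg, "security", "ike", "policy")[gw["ike-policy"]]
    ike = children(cfg, "security", "ike", "proposal")[ike_pol["proposals"]]
    expect("IKE version", "IKEv2" if gw.get("version") == "v2-only" else "IKEv1", plan["ike"]["version"])
    expect("IKE encryption", ALG.get(ike["encryption-algorithm"]), plan["ike"]["encryption"])
    expect("IKE digest", ALG.get(ike["authentication-algorithm"]), plan["ike"]["digest"])
    expect("IKE DH group", int(ike["dh-group"][5:]), plan["ike"]["dh_group"])  # 'group14' -> 14
    expect("IKE lifetime", int(ike["lifetime-seconds"]), plan["ike"]["lifetime"])

    # IPsec: vpn -> policy -> proposal, plus PFS and the traffic selectors.
    vpn_name = next(p[3] for p in cfg if p[:3] == ("security", "ipsec", "vpn"))
    pol_name = cfg[("security", "ipsec", "vpn", vpn_name, "ike")]["ipsec-policy"]
    pfs = cfg.get(("security", "ipsec", "policy", pol_name, "perfect-forward-secrecy"), {})
    ipsec_pol = children(cfg, "security", "ipsec", "policy")[pol_name]
    ipsec = children(cfg, "security", "ipsec", "proposal")[ipsec_pol["proposals"]]
    expect("PFS group", int(pfs.get("keys", "group0")[5:]), plan["ipsec"]["pfs_group"])
    expect("IPsec encryption", ALG.get(ipsec["encryption-algorithm"]), plan["ipsec"]["encryption"])
    expect("IPsec digest", ALG.get(ipsec["authentication-algorithm"]), plan["ipsec"]["digest"])
    expect("IPsec lifetime", int(ipsec["lifetime-seconds"]), plan["ipsec"]["lifetime"])
    # The vSRX 'local' selector is the VDC 'remote' network, and vice versa.
    for pair in children(cfg, "security", "ipsec", "vpn", vpn_name, "traffic-selector").values():
        expect("vSRX local-ip (VDC remote network)", pair["local-ip"], plan["remote_network"])
        expect("vSRX remote-ip (VDC local network)", pair["remote-ip"], plan["local_network"])

    # Control plane: IKE (udp/500), NAT-T (udp/4500) and ESP must be accepted by PROTECT-IN.
    accepted = set()
    for name, term in children(cfg, "firewall", "filter", "PROTECT-IN", "term").items():
        if term.get("then") == "accept":
            frm = cfg.get(("firewall", "filter", "PROTECT-IN", "term", name, "from"), {})
            accepted.add((frm.get("protocol"), frm.get("port")))
    for proto, port in [("udp", "500"), ("udp", "4500"), ("esp", None)]:
        if (proto, port) not in accepted:
            problems.append(f"PROTECT-IN does not accept {proto}{'/' + port if port else ''}")
    return problems
```

Calling check_tunnel(VSRX_CONFIG, VDC_PLAN) returns an empty list for the tutorial's values; to check your own deployment, paste the output of show configuration | display set into VSRX_CONFIG and the values you intend to enter in the VDC wizard into VDC_PLAN, and fix every line the script reports before you click Finish.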
    

Configure VMware-as-a-Service Instance Edge Gateway

Log in to your VCF as a Service instance and configure the network IP sets, the firewall rules, and the IPsec tunnel.

Log in to the VCF as a Service console

  1. Log in to the VCF as a Service instance with a user that has the Organization Administrator role.

  2. In the left navigation, click Networking.

  3. Under Edge Gateways, select the name of your Edge Gateway.

    Figure 2. VCF as a Service VDC Edge Gateway Selection

  4. On the side menu, click IP Sets and click New to create a new IP Set.

  5. Create two IP sets.

    Table 6. IP sets details
    IP set    Name                 IP address
    IPSET 1   Firewall-Network     10.95.1.0/26
    IPSET 2   VMWaaS-VDC-Network   192.168.100.0/24

    Figure 3. VCF as a Service VDC IP sets

  6. Click Save.

Create VDC Gateway firewall rule

The VCF as a Service tenant instance is provisioned with a default firewall rule that drops all traffic to ensure security.

You must add two extra rules to allow traffic to and from the VPN connection.

  1. With the Edge Gateway selected, click Firewall in the left navigation.

  2. Click Edit Rules and click New on Top.

  3. Repeat for each rule in the following table, then click Save.

    Table 7. VCF as a Service VDC firewall rules
    Firewall Rule     Name           Source Address       Destination Address
    Firewall Rule 1   VMWaaS-to-FW   VMWaaS-VDC-Network   Firewall-Network
    Firewall Rule 2   FW-to-VMWaaS   Firewall-Network     VMWaaS-VDC-Network

    Figure 4. VCF as a Service VDC firewall rules

Create VDC IPSec VPN Tunnel

The next step is to create the IPsec VPN tunnel between the local and remote endpoints.

  1. With the Edge Gateway selected, click IPSec VPN in the left navigation.

  2. Click New to start the wizard.

  3. Under General Settings, populate the Name field, for example, VMWaaS-to-FW-VPN and click Next.

  4. Under Peer Authentication Mode, enter the pre-shared key. It must match the key configured on the vSRX firewall. Click Next.

  5. Under Endpoint Configuration, set the following values:

    Table 8. VCF as a Service VDC IPsec VPN endpoint configuration
    Endpoint configuration   IP address                                    Network            Remote ID
    Local Endpoint           <public-IP address-of-the-vdc-edge-gateway>   192.168.100.0/24   n/a
    Remote Endpoint          <public-IP address-of-the-vsrx>               10.95.1.0/26       <public-IP address-of-the-vsrx>

  6. Click Finish to complete.

    Figure 5. VCF as a Service VDC IPsec VPN configuration

Validate your IPsec tunnel and connectivity

If all steps are completed successfully, your VPN tunnel is established and traffic flows between the two networks.

You can test the connection in the user interface (UI) or from the CLI with ping.

Validate your IPsec tunnel and connectivity on the UI

  1. With the Edge Gateway selected, click IPSec VPN in the left navigation.

  2. In the list, select the VPN that you configured.

  3. In the State column, check the state of the tunnel.

  4. Check it in detail by clicking View Statistics.

  5. If the status is not green, there might be problems with the tunnel.

    Figure 6. VCF as a Service VDC IPsec VPN first validation

If the tunnel is not working, review its settings:

  1. With the Edge Gateway selected, click IPSec VPN in the left navigation.

  2. In the list, select the VPN that you configured.

  3. Click Security Profile Customization to review the details.

  4. Correct any details in the IKE Profile, Tunnel Configuration, or DPD Configuration that do not match the vSRX configuration.

    Figure 7. VCF as a Service VDC IPsec VPN second validation

After you correct the settings and click Save, the tunnel comes up. Verify it with the same steps as before; this time the State column should be green, and View Statistics should also show green.

  1. With the Edge Gateway selected, click IPSec VPN in the left navigation.

  2. In the list, select the VPN that you configured.

  3. In the State column, if the state is Enabled and green, the tunnel is working.

  4. Check it in detail by clicking View Statistics.

    Figure 8. VCF as a Service VDC IPsec VPN third validation

Validate your IPsec tunnel and connectivity on the CLI

You can test the connection by logging in to one of your VMs running on the VDC through the VMware VM Console and testing connectivity to the virtual machines in your on-premises network.

For example, ping the private IP address of the vSRX, if your vSRX allows ICMP:

ping 10.95.1.1

Or use netcat to test TCP port 443 on a remote IP address such as 10.95.1.10 (assuming that server hosts a web server on TCP port 443):

nc -vz 10.95.1.10 443
Connection to 10.95.1.10 port 443 [tcp/https] succeeded!
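The nc check above tells you whether the port answered. When it does not, the distinction a practitioner wants is between a connection that was refused (the packet crossed the tunnel and the target host answered with a reset, so the tunnel, zone policies and VDC firewall rules work and only the service is missing) and one that timed out (nothing came back, which points at the tunnel state, the traffic selectors or the firewall rules). The following script is an added example, not part of the tutorial: it makes the same TCP connect test and classifies the outcome. The host and port are the tutorial's example values; the advice strings are the script's own reading of each outcome.

```python
"""Probe a host through the tunnel and say what the outcome means.
Added example, not part of the IBM Cloud tutorial: a TCP connect test like the
'nc -vz' check above, but it separates 'port closed, host reachable' from 'no
answer at all', which is what tells you whether the tunnel passes traffic.
Host and port are the tutorial's example values; run it from a VM on the VDC."""
import errno
import socket

# What each outcome says about the path (the script's own reading, not the tutorial's).
ADVICE = {
    "open": "tunnel up and the service answers",
    "refused": "tunnel up (a reset came back); check the service on the target host",
    "filtered": "no reply; check tunnel state, traffic selectors and both firewalls",
    "unreachable": "no route from this VM toward the remote prefix",
    "error": "unexpected socket error",
}

def classify_error(exc):
    """Map a socket error to what it says about the path, not just the port."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"

def tcp_probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered', 'unreachable' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)

def diagnose(host, port, timeout=3.0):
    """Probe once and return (outcome, advice)."""
    outcome = tcp_probe(host, port, timeout)
    return outcome, ADVICE[outcome]

if __name__ == "__main__":
    outcome, advice = diagnose("10.95.1.10", 443)  # the tutorial's example target
    print(f"10.95.1.10:443 -> {outcome}: {advice}")
```

A refused result through a policy-based tunnel is good news for the network path: both the vSRX zone policies and the VDC firewall rules let the traffic through. A filtered result with a green tunnel state usually means the destination is outside the configured traffic selectors or is blocked by one of the firewalls.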