Zettagrid Dynamic VPN Customer Guide

Summary

As Zettagrid has been upgrading its core VMware networking backend from NSX-V to NSX-T, we have found a few customer requirements that are supported in NSX-V but not in NSX-T. This is our solution for customers who still need to connect a VPN from a dynamic IP address, using a Peer ID rather than an IP address as the remote CPE identifier. This is mostly needed when the remote side connects from a source that does not have a static IP, e.g. mobile services using 4G/5G networks.

To resolve this we have introduced a VPN appliance based on OPNsense into the environment to handle advanced VPN requirements. A typical VPN topology looks like this:


After the appliance is installed, the VPN topology changes to route via the VPN appliance; all non-VPN traffic still flows directly through the Zettagrid firewall to its destination.


The appliance is deployed within the customer vDC and is connected to two new networks called VPN_EXTERNAL and VPN_INTERNAL; refer to the network diagram above.


Scope and Responsibilities

As this is a change that we need to make, Zettagrid will do the following:

  • Install VPN Appliance

  • Pre-configure it based on the existing VPN rules defined within the existing firewall.

    • Add a customer account to the VPN appliance

  • Schedule a time with the customer to cut over the existing VPN to the VPN appliance. At cut-over time this consists of Zettagrid doing the following:

    • Disable IPSEC on NSX Edge

    • Redirect VPN traffic from NSX to the appliance by installing the required NAT/FW rules

    • Install a static route on NSX to re-route outbound VPN traffic via the VPN appliance

    • Troubleshoot remote VPNs connecting to the VPN appliance

    • Confirm with the customer that VPN traffic is flowing as expected.

    • Assist the customer in connecting to the VPN appliance to monitor VPN status.

  • The end customer is then responsible for:

    • Level 1 troubleshooting of VPN issues.

      • Confirm whether it is up

      • Reset the VPN tunnels from both ends

      • If it is still down, log a ticket for Zettagrid engineers to assist.

    • Configure any new IPSEC VPN requirements after cut over.

    • Apply any required security updates to the appliance


Once the VPN is fully moved, Zettagrid will schedule a time to migrate the customer's vDC from NSX-V to NSX-T.

VPN Appliance User Manual.

Remote access

If not already configured, configure remote access to the appliance so customers can log onto it.

NSX-V Edge

Create a new DNAT rule in the Edge Gateway. Set the Original port to something other than 443 if you already have HTTPS web servers. The Original IP will be the external IP of your vDC; you can get this by pressing Select.

Create a new firewall rule with the Source IP being the admin/management IP you want to administer the firewall from, the Destination IP being the Original IP from above, and the Service also being the Original IP from above.

NSX-T

Create an IP Set for your admin IP and for the VPN appliance.


Create DNAT Rule

And the Firewall Rule.

If using a non-standard port, e.g. 8443 instead of 443 for HTTPS, you need to create a Custom Application first.

And then the Firewall Rule

Logging in

You should now be able to log into the appliance from your administrative IP via the external port and IP. For example, if the external IP is 119.252.85.10 and you are mapping 8443 to 443, the URL would be https://119.252.85.10:8443

Using the username/password supplied by Zettagrid you should be able to log in and see the base dashboard.


Troubleshoot VPN

The following process should also be carried out on the remote side of the VPN.

Confirm VPN Status

Go to VPN → IPSEC → Status Overview

If the VPN is up, the Status column will show a green arrow. If it is down, it will show a red X.

Down

Up

Confirm VPN Settings

Go to VPN → IPSEC → Tunnel Settings

Phase 1 Details (IKE)

Select Edit

Then compare the following settings with the remote end:

  • IKE Key Exchange Version

  • My Identifier should be the Peer IP configured on the remote VPN

  • Peer Identifier should be the Peer ID configured on the remote VPN

  • Pre-Shared Key should match the configuration on the remote VPN

  • Phase 1 proposal (Algorithms) should match what is configured on the remote VPN

    • Encryption algorithm

    • Hash algorithm

    • DH key group

  • Dead Peer Detection should match the DPD configuration on the remote VPN

  • Lifetime should match the configuration on the remote VPN


Phase 2 (IPSEC)

Select Edit under Phase 2

Then compare the following settings with the remote end:

  • Local Network will be the remote network configured on the remote VPN

  • Remote Network will be the local network configured on the remote VPN

  • Phase 2 proposal (SA/Key Exchange) should match what is configured on the remote VPN

    • Should be ESP for both sides

    • Encryption algorithms

    • Hash algorithms

    • PFS key group

    • Lifetime
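As an added example (not part of this guide and not OPNsense's own code), the following Python script applies the Phase 1 and Phase 2 checklists above to both ends' settings and lists every mismatch, including the mirrored fields (My/Peer Identifier, Local/Remote Network) that are easy to get backwards; all identifiers, networks and the pre-shared key are constructed sample values.

```python
# Added example, not Zettagrid's or OPNsense's own code: compare the IPsec
# settings of the appliance end and the remote end and list every mismatch
# the checklist above would catch. All values are constructed samples.
import copy
# Keys that must be identical on both ends.
PHASE1_SAME = ["ike_version", "psk", "encryption", "hash", "dh_group", "dpd", "lifetime"]
PHASE2_SAME = ["protocol", "encryption", "hash", "pfs_group", "lifetime"]
# Key pairs that must be mirrored: appliance A == remote B and appliance B == remote A.
PHASE1_MIRRORED = [("my_identifier", "peer_identifier")]
PHASE2_MIRRORED = [("local_network", "remote_network")]

def compare_phase(appliance, remote, same_keys, mirrored_pairs):
    """Return a list of mismatch descriptions for one phase (empty means OK)."""
    problems = []
    for key in same_keys:
        if appliance.get(key) != remote.get(key):
            problems.append(f"{key}: appliance={appliance.get(key)!r} remote={remote.get(key)!r}")
    for a_key, b_key in mirrored_pairs:
        for left, right in ((a_key, b_key), (b_key, a_key)):
            if appliance.get(left) != remote.get(right):
                problems.append(f"appliance {left}={appliance.get(left)!r} should equal "
                                f"remote {right}={remote.get(right)!r}")
    return problems

def compare_tunnel(appliance, remote):
    """Check both phases; return {'phase1': [...], 'phase2': [...]}."""
    p2 = compare_phase(appliance["phase2"], remote["phase2"], PHASE2_SAME, PHASE2_MIRRORED)
    for side, cfg in (("appliance", appliance["phase2"]), ("remote", remote["phase2"])):
        if cfg.get("protocol") != "esp":  # ESP is required on both sides, not merely equal
            p2.append(f"{side} protocol={cfg.get('protocol')!r}, expected 'esp'")
    p1 = compare_phase(appliance["phase1"], remote["phase1"], PHASE1_SAME, PHASE1_MIRRORED)
    return {"phase1": p1, "phase2": p2}

# Constructed sample: the appliance is identified by its public IP, the remote by a Peer ID.
APPLIANCE = {
    "phase1": {"ike_version": 2, "my_identifier": "203.0.113.10", "peer_identifier": "branch1@example.invalid",
               "psk": "constructed-psk", "encryption": "aes256", "hash": "sha256", "dh_group": 14, "dpd": True,
               "lifetime": 28800},
    "phase2": {"protocol": "esp", "local_network": "10.10.0.0/24", "remote_network": "192.168.50.0/24",
               "encryption": "aes256", "hash": "sha256", "pfs_group": 14, "lifetime": 3600},
}
# Remote end with two constructed errors: Phase 1 hash differs, Phase 2 networks copied rather than mirrored.
REMOTE = copy.deepcopy(APPLIANCE)
REMOTE["phase1"]["my_identifier"], REMOTE["phase1"]["peer_identifier"] = (
    APPLIANCE["phase1"]["peer_identifier"], APPLIANCE["phase1"]["my_identifier"])
REMOTE["phase1"]["hash"] = "sha1"

if __name__ == "__main__":
    print(compare_tunnel(APPLIANCE, REMOTE))
```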


Restart VPN

First try resetting IKE by selecting the Disconnect button on the Status Overview page.

Do this on the remote end as well.

You can also restart IPSEC from the same page, but this will reset all VPN tunnels, not just one of them.


Configure New VPN

For any new VPNs you can clone one of the existing tunnels and make the appropriate changes, or build one from scratch following the OPNsense documentation:

https://docs.opnsense.org/manual/vpnet.html#ipsec

Things to be aware of to make a new VPN work on this appliance:

  • Ensure that ‘My Identifier’ in the Phase 1 proposal is set to the public IP address of the appliance.

  • If you have a new internal subnet you will need to add a route back to it via the NSX Edge.

  • Update any NSX firewall rules allowing traffic from the vDC to the new remote VPN to go out of and in via the VPN_INTERNAL interface of the NSX Edge.

Security Updates

To check for and apply any security updates for the appliance, go to System → Firmware → Updates.