Zettagrid Dynamic VPN Customer Guide
- 1 Summary
- 2 Scope and Responsibilities
- 3 VPN Appliance User Manual.
- 3.1 Remote access
- 3.1.1 NSX-V Edge
- 3.1.2 NSX-T
- 3.1.3 Logging in
- 3.2 Troubleshoot VPN
- 3.2.1 Confirm VPN Status
- 3.2.2 Confirm VPN Settings
- 3.2.2.1 Phase 1 Details (IKE)
- 3.2.2.2 Phase 2 (IPSEC)
- 3.2.3 Restart VPN
- 3.3 Configure New VPN
- 3.4 Security Updates
Summary
As Zettagrid has been upgrading its core VMware networking backend from NSX-V to NSX-T, we have found a few customer requirements that NSX-T does not support in the way NSX-V did. This document describes our solution for customers who still need to connect a VPN from a dynamic IP address, using a Peer ID as the remote CPE identifier instead of its IP address. This is mostly needed when the remote side connects from a source that does not have a static IP, e.g. mobile services on 4G/5G networks.
To resolve this we have introduced a VPN appliance based on OPNsense into the environment to handle advanced VPN requirements. A typical VPN before the change looks like this:
After the appliance is installed, the VPN topology changes so that VPN traffic is routed via the VPN appliance; all non-VPN traffic still flows directly through the Zettagrid firewall to its destination.
The appliance is deployed within the customer vDC, connected to two new networks called VPN_EXTERNAL and VPN_INTERNAL (refer to the network diagram above).
Scope and Responsibilities
As this is a change that needs to be made on the Zettagrid side, Zettagrid will do the following:
- Install the VPN appliance.
- Pre-configure it based on the existing VPN rules defined within the existing firewall.
- Add a customer account to the VPN appliance.
- Schedule a time with the customer to cut over the existing VPN to the VPN appliance. At cut-over time Zettagrid will:
  - Disable IPsec on the NSX Edge.
  - Redirect VPN traffic from NSX to the appliance by installing the required NAT/firewall rules.
  - Install a static route on NSX to re-route outbound VPN traffic via the VPN appliance.
  - Troubleshoot remote VPNs connecting to the VPN appliance.
  - Confirm with the customer that VPN traffic is flowing as expected.
  - Assist the customer in connecting to the VPN appliance to monitor VPN status.
The end customer is then responsible for:
- Level 1 troubleshooting of VPN issues:
  - Confirm whether the tunnel is up.
  - Reset the VPN tunnels from both ends.
  - If the tunnel is still down, log a ticket for Zettagrid engineers to assist.
- Configuring any new IPsec VPN requirements after cut-over.
- Applying any required security updates to the appliance.
Once all VPNs have been moved, Zettagrid will schedule a time to migrate the customer's vDC from NSX-V to NSX-T.
VPN Appliance User Manual.
Remote access
If not already configured, configure remote access to the appliance so that customers can log on to it. Remote access is a DNAT from the vDC's external IP to the appliance's HTTPS interface plus a firewall rule that allows that port only from your administrative IP; never publish the appliance's web interface without the source restriction.
NSX-V Edge
Create a new DNAT rule in the Edge Gateway. Set the Original Port to something other than 443 if you already have HTTPS web servers on this external IP (e.g. 8443); the rule translates it to port 443 on the appliance. The Original IP will be the external IP of your vDC, which you can get by pressing Select.
Create a new firewall rule with the Source IP set to the admin/management IP you want to administer the appliance from, the Destination IP set to the Original IP from above, and the Service set to the Original Port from above. Keep the source limited to your admin IP(s): the DNAT rule on its own would expose the appliance's login page to the whole internet.
NSX-T
Create an IP Set for your admin IP, and another for the VPN appliance.
Create the DNAT rule.
And the firewall rule.
If you are using a non-standard port, e.g. 8443 instead of 443 for HTTPS, you need to create a Custom Application first.
And then the firewall rule, with the admin IP Set as the source so that the appliance's web interface is only reachable from your administrative IP.
Logging in
You should now be able to log in to the appliance from your administrative IP via the external IP and port. For example, if the external IP is 119.252.85.10 and you are mapping 8443 to 443, the URL would be https://119.252.85.10:8443
Using the username/password supplied by Zettagrid, you should be able to log in and see the base dashboard. Change the supplied password after your first login (System → Access → Users).
Troubleshoot VPN
The following process should also be done on the remote side of the VPN
Confirm VPN Status
Go to VPN → IPSEC → Status Overview.
If the VPN is up, the Status column shows a green arrow; if it is down, a red X (screenshots: Down, Up).
Confirm VPN Settings
Go to VPN → IPSEC → Tunnel Settings
Phase 1 Details (IKE)
Select Edit
Then compare the following settings with the remote end:
- IKE Key Exchange Version: should match the remote VPN.
- My Identifier: should match the Peer IP/identifier configured on the remote VPN (this is the appliance's own public IP).
- Peer Identifier: should match the Peer ID (the remote's own identifier) configured on the remote VPN.
- Pre-Shared Key: should match the configuration on the remote VPN.
- Phase 1 proposal (algorithms): should match what is configured on the remote VPN:
  - Encryption algorithm
  - Hash algorithm
  - DH key group
- Dead Peer Detection: should match the DPD configuration on the remote VPN.
- Lifetime: should match the configuration on the remote VPN.
Phase 2 (IPSEC)
Select Edit under Phase 2
Then compare the following settings with the remote end:
- Local Network: will be the remote network configured on the remote VPN.
- Remote Network: will be the local network configured on the remote VPN.
- Phase 2 proposal (SA/Key Exchange): should match what is configured on the remote VPN:
  - Protocol: should be ESP on both sides
  - Encryption algorithms
  - Hash algorithms
  - PFS key group
  - Lifetime
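As an added example (not part of this guide, OPNsense, or Zettagrid tooling), the Phase 1 and Phase 2 checklists above can be run as a script: you type each end's settings in from its GUI and the script reports the fields that differ, taking into account that identifiers and networks are mirrored between the two ends. It also flags deprecated algorithms and DH groups that both ends may happily agree on but that should not be used. The field names, the two sample configurations, and the addresses and hostnames in them are constructed for illustration.

```python
"""Phase 1 / Phase 2 consistency check for one IPsec tunnel.

Added example for this guide, not OPNsense or Zettagrid tooling. Settings are
typed in by hand from each end's GUI. The two dictionaries below are
constructed sample data, not a real customer configuration.
"""

# Phase 1 fields that must be identical on both ends.
P1_SAME = ("ike_version", "psk", "encryption", "hash", "dh_group", "dpd", "lifetime")
# Phase 1 fields that are mirrored: the appliance's "My Identifier" is the
# remote CPE's "Peer Identifier" and vice versa.
P1_MIRROR = (("my_identifier", "peer_identifier"), ("peer_identifier", "my_identifier"))
# Phase 2: proposal fields match, networks are mirrored (our local is their remote).
P2_SAME = ("protocol", "encryption", "hash", "pfs_group", "lifetime")
P2_MIRROR = (("local_network", "remote_network"), ("remote_network", "local_network"))

# Settings a tunnel can be built with on both ends but that should still be
# flagged: deprecated ciphers/hashes, and 768/1024/1536-bit MODP (groups 1/2/5).
WEAK_ALGS = {"des", "3des", "md5", "sha1"}
WEAK_DH = {1, 2, 5}


def _norm(value):
    """Case/whitespace-insensitive compare; algorithm lists compare as sets."""
    if isinstance(value, (list, tuple, set, frozenset)):
        return frozenset(_norm(v) for v in value)
    if isinstance(value, str):
        return value.strip().lower()
    return value


def compare_phase(local, remote, same, mirror):
    """Return [(field, local_value, remote_value)] for every mismatch.

    The PSK is compared but never echoed into the report.
    """
    mismatches = []
    for field in same:
        if _norm(local.get(field)) != _norm(remote.get(field)):
            if field == "psk":
                mismatches.append((field, "<redacted>", "<redacted>"))
            else:
                mismatches.append((field, local.get(field), remote.get(field)))
    for ours, theirs in mirror:
        if _norm(local.get(ours)) != _norm(remote.get(theirs)):
            mismatches.append((f"{ours}<->{theirs}", local.get(ours), remote.get(theirs)))
    return mismatches


def weak_algorithms(phase):
    """Return [(field, value)] for deprecated algorithms or DH/PFS groups."""
    findings = []
    for field in ("encryption", "hash"):
        values = phase.get(field, [])
        for v in ([values] if isinstance(values, str) else values):
            if _norm(v) in WEAK_ALGS:
                findings.append((field, v))
    for field in ("dh_group", "pfs_group"):
        if phase.get(field) in WEAK_DH:
            findings.append((field, phase[field]))
    return findings


def compare_tunnel(local, remote):
    """Run the Phase 1 and Phase 2 checklist for one tunnel."""
    return {
        "phase1": compare_phase(local["phase1"], remote["phase1"], P1_SAME, P1_MIRROR),
        "phase2": compare_phase(local["phase2"], remote["phase2"], P2_SAME, P2_MIRROR),
        "weak": weak_algorithms(local["phase1"]) + weak_algorithms(local["phase2"])
        + weak_algorithms(remote["phase1"]) + weak_algorithms(remote["phase2"]),
    }


# Constructed sample: appliance side (as seen under VPN -> IPSEC -> Tunnel Settings).
APPLIANCE = {
    "phase1": {"ike_version": "IKEv2", "my_identifier": "203.0.113.10",
               "peer_identifier": "branch-4g.example", "psk": "constructed-sample-psk",
               "encryption": "AES256", "hash": "SHA256", "dh_group": 14,
               "dpd": True, "lifetime": 28800},
    "phase2": {"protocol": "ESP", "local_network": "10.10.0.0/24",
               "remote_network": "192.168.50.0/24", "encryption": ["AES256"],
               "hash": ["SHA256"], "pfs_group": 14, "lifetime": 3600},
}
# Constructed sample: remote CPE on a dynamic 4G address, with two Phase 2 mistakes.
REMOTE_CPE = {
    "phase1": {"ike_version": "IKEv2", "my_identifier": "branch-4g.example",
               "peer_identifier": "203.0.113.10", "psk": "constructed-sample-psk",
               "encryption": "AES256", "hash": "SHA256", "dh_group": 14,
               "dpd": True, "lifetime": 28800},
    "phase2": {"protocol": "ESP", "local_network": "192.168.50.0/24",
               "remote_network": "10.10.0.0/24", "encryption": ["AES256"],
               "hash": ["SHA1"], "pfs_group": 5, "lifetime": 3600},
}

if __name__ == "__main__":
    report = compare_tunnel(APPLIANCE, REMOTE_CPE)
    for phase in ("phase1", "phase2"):
        for field, ours, theirs in report[phase]:
            print(f"{phase} mismatch: {field}: appliance={ours!r} remote={theirs!r}")
    for field, value in report["weak"]:
        print(f"weak setting in use: {field}={value!r}")
```

Run with python3 and fill the two dictionaries from the two GUIs. For the sample data it reports that Phase 1 is consistent, that Phase 2 differs in hash and PFS group, and that the remote end is using SHA1 and DH group 5; a PSK mismatch is reported without printing either key.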
Restart VPN
First try resetting IKE by selecting the Disconnect button on the Status Overview page.
Also do this on the remote end.
You can also restart IPsec from the same page, but this will reset all VPN tunnels, not just the one you are troubleshooting.
Configure New VPN
For any new VPNs you can clone one of the existing tunnels and make the appropriate changes, or build one from scratch following the OPNsense documentation:
https://docs.opnsense.org/manual/vpnet.html#ipsec
Things to be aware of to make a new VPN work on this appliance:
- Ensure 'My Identifier' in the Phase 1 settings is set to the public IP address of the appliance.
- If the new VPN introduces a new internal subnet, you will need to add a route back to it via the NSX Edge.
- Update any NSX firewall rules so that traffic between the vDC and the new remote VPN network is allowed out of and in to the VPN_INTERNAL interface of the NSX Edge.
Security Updates
To check for and apply any security updates for the appliance, go to System → Firmware → Updates. Applying an update may restart services or reboot the appliance, which drops the tunnels while it runs, so schedule it for a maintenance window and re-check the Status Overview afterwards.