© 2016
VNS3 IPsec Side by Side
Connecting two or more VNS3 Controller Instances via IPsec
2016
Requirements and Restrictions
You have access to two or more VNS3 controller instances.
The VNS3 controller instances are running in non-overlapping VLANs (e.g. VPC Subnets, Google Networks, etc.) and have non-overlapping VNS3 Overlay Subnets.
Side-by-side IPsec connections can connect two VNS3 topologies using the Overlay Network in all clouds.
Connecting the underlying unencrypted VLANs is restricted to cloud environments that provide both packet forwarding features and route table controls, so that the VNS3 controller instances can act as the router/switch for packets sent to a connected environment.
Using NAT-Traversal Encapsulation
Topology Setup
For the purpose of this example the IPsec tunnel connection will be made between VNS3 Controller Instance A (VNS3-A) and VNS3 Controller Instance B (VNS3-B). Note the topology name in the screenshots.
Both VNS3 controller instances are configured with a different/non-overlapping Overlay Subnet and are running in a different/non-overlapping VLAN. Our example setup is:
VNS3-A
  Overlay Subnet: 172.31.10.0/24
  VLAN: 192.168.200.0/24
VNS3-B
  Overlay Subnet: 172.31.11.0/24
  VLAN: 192.168.201.0/24
NOTE: NAT-Traversal IPsec requires UDP 500 and 4500 access between the two VNS3 Controller instances.
Change VNS3 Local Private IP
When connecting two VNS3 topologies using NAT-Traversal IPsec, the local private IP address is required in the Endpoint definitions. The default value of 192.0.2.254 must be changed on one of the VNS3 controller instances, because the overlap will prevent the tunnel from fully negotiating.
NOTE: the Local private IP address should be unique among all VNS3 Controllers in that Controller's topology and must not be inside the topology's data subnet.
Change the Local private IP address on VNS3-B to 192.0.2.253.
Click IPsec and eBGP under the Connections left menu.
Click Change next to the Local private IP address.
On the resulting page enter 192.0.2.253 in the New local IP address field.
Click Save changes.
VNS3-A: Create a New Endpoint
On VNS3-A click Define new remote endpoint.
Enter a name for the connection to VNS3-B.
Enter the VNS3-B controller instance's Public IP address in the Enter Internet IP address for this endpoint field.
Enter a PSK in the Preshared Key fields.
Enter the VNS3-B controller instance's Local private IP (see previous page) in the NAT IP field.
Click the Enable PFS checkbox (optional but recommended).
Enter any IPsec parameters needed in the Extra configuration parameters field. This can be left blank to allow VNS3 to auto negotiate. These parameters need to match on both sides to allow the tunnel to negotiate.
Click Save.
VNS3-A: Create a New Tunnel
On VNS3-A, click New tunnel next to the newly created endpoint definition.
Enter the VNS3-A Overlay Subnet in the Local subnet field.
Enter the VNS3-B Overlay Subnet in the Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.
VNS3-B: Create a New Endpoint
On VNS3-B click Define new remote endpoint.
Enter a name for the connection to VNS3-A.
Enter the VNS3-A controller instance's Public IP address in the Enter Internet IP address for this endpoint field.
Enter a PSK in the Preshared Key fields.
Enter the VNS3-A controller instance's Local private IP in the NAT IP field.
Click the Enable PFS checkbox (optional but recommended).
Enter any IPsec parameters needed in the Extra configuration parameters field. This can be left blank to allow VNS3 to auto negotiate. These parameters need to match on both sides to allow the tunnel to negotiate.
Click Save.
VNS3-B: Create a New Tunnel
On VNS3-B, click New tunnel next to the newly created endpoint definition.
Enter the VNS3-B Overlay Subnet in the Local subnet field.
Enter the VNS3-A Overlay Subnet in the Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.
Connected
Using Native IPsec
Topology Setup
For the purpose of this example the IPsec tunnel connection will be made between VNS3 Controller Instance A (VNS3-A) and VNS3 Controller Instance B (VNS3-B). Note the topology name in the screenshots.
Both VNS3 controller instances are configured with a different/non-overlapping Overlay Subnet and are running in a different/non-overlapping VLAN. Our example setup is:
VNS3-A
  Overlay Subnet: 172.31.10.0/24
  VLAN: 192.168.200.0/24
VNS3-B
  Overlay Subnet: 172.31.11.0/24
  VLAN: 192.168.201.0/24
NOTE: Native IPsec requires UDP 500 and Protocol 50 (ESP) access between the two VNS3 Controller instances.
Change VNS3 Local Private IP
Disable NAT-Traversal on both VNS3-A and VNS3-B.
Click IPsec and eBGP under the Connections left menu.
Click Toggle next to NAT-Traversal to disable it.
VNS3-A: Create a New Endpoint
On VNS3-A click Define new remote endpoint.
Enter a name for the connection to VNS3-B.
Enter the VNS3-B controller instance's Public IP address in the Enter Internet IP address for this endpoint field.
Enter a PSK in the Preshared Key fields.
Leave the NAT IP field blank.
Click the Enable PFS checkbox (optional but recommended).
Enter any IPsec parameters needed in the Extra configuration parameters field. This can be left blank to allow VNS3 to auto negotiate. These parameters need to match on both sides to allow the tunnel to negotiate.
Click Save.
VNS3-A: Create a New Tunnel
On VNS3-A, click New tunnel next to the newly created endpoint definition.
Enter the VNS3-A Overlay Subnet in the Local subnet field.
Enter the VNS3-B Overlay Subnet in the Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.
VNS3-B: Create a New Endpoint
On VNS3-B click Define new remote endpoint.
Enter a name for the connection to VNS3-A.
Enter the VNS3-A controller instance's Public IP address in the Enter Internet IP address for this endpoint field.
Enter a PSK in the Preshared Key fields.
Leave the NAT IP field blank.
Click the Enable PFS checkbox (optional but recommended).
Enter any IPsec parameters needed in the Extra configuration parameters field. This can be left blank to allow VNS3 to auto negotiate. These parameters need to match on both sides to allow the tunnel to negotiate.
Click Save.
VNS3-B: Create a New Tunnel
On VNS3-B, click New tunnel next to the newly created endpoint definition.
Enter the VNS3-B Overlay Subnet in the Local subnet field.
Enter the VNS3-A Overlay Subnet in the Remote subnet field.
Enter a descriptive name in the Name field.
Click Create.
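A pre-flight check for both procedures in this guide (the NAT-Traversal one and the native IPsec one): it verifies the non-overlap and Local private IP rules, lists the flows each mode needs between the controllers, and derives the mirrored endpoint and tunnel fields each side enters for its peer. This is an added Python example, not code from Cohesive Networks or the VNS3 product; it assumes the topology's data subnet is its Overlay Subnet and uses placeholder public IPs from 203.0.113.0/24.

```python
import ipaddress

# Constructed sample topology from the guide; public IPs are documentation
# placeholders (203.0.113.0/24), not real controller addresses.
CONTROLLERS = {
    "VNS3-A": {"overlay": "172.31.10.0/24", "vlan": "192.168.200.0/24",
               "local_private_ip": "192.0.2.254", "public_ip": "203.0.113.10"},
    "VNS3-B": {"overlay": "172.31.11.0/24", "vlan": "192.168.201.0/24",
               "local_private_ip": "192.0.2.253", "public_ip": "203.0.113.20"},
}

def required_flows(nat_traversal):
    """Flows to allow between the controllers: NAT-T needs UDP 500/4500,
    native IPsec needs UDP 500 plus IP protocol 50 (ESP)."""
    return [("udp", 500), ("udp", 4500)] if nat_traversal else [("udp", 500), ("esp", 50)]

def check_prerequisites(ctrls, nat_traversal):
    """Return problems that would stop the side-by-side tunnel; [] means OK."""
    problems = []
    names = list(ctrls)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Overlay subnets and VLANs must not overlap between topologies.
            for key in ("overlay", "vlan"):
                na, nb = (ipaddress.ip_network(ctrls[x][key]) for x in (a, b))
                if na.overlaps(nb):
                    problems.append(f"{key} overlap: {a} {na} vs {b} {nb}")
            # With NAT-T the local private IP goes into the peer's NAT IP field,
            # so both sides still using the default 192.0.2.254 blocks negotiation.
            if nat_traversal and ctrls[a]["local_private_ip"] == ctrls[b]["local_private_ip"]:
                problems.append(f"local private IP shared by {a} and {b}")
    for name, c in ctrls.items():
        # Assumption: the topology's data subnet is its Overlay Subnet.
        if ipaddress.ip_address(c["local_private_ip"]) in ipaddress.ip_network(c["overlay"]):
            problems.append(f"{name}: local private IP inside its overlay subnet")
    return problems

def tunnel_definitions(ctrls, local, remote, nat_traversal):
    """Fields entered on `local` for its endpoint and tunnel towards `remote`."""
    return {
        "endpoint": {"internet_ip": ctrls[remote]["public_ip"],
                     # NAT IP is the peer's local private IP, or blank for native IPsec.
                     "nat_ip": ctrls[remote]["local_private_ip"] if nat_traversal else "",
                     "pfs": True},
        "tunnel": {"local_subnet": ctrls[local]["overlay"],
                   "remote_subnet": ctrls[remote]["overlay"]},
    }
```

Run the check before clicking through either procedure; a non-empty problem list explains why a tunnel would stall at negotiation rather than leaving you to find out from the Connected page.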
Connected
VNS3 Document Links
VNS3 Product Resources - Documentation | Add-ons
VNS3 Configuration Document
  Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.
VNS3 Docker Instructions
  Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.
VNS3 Troubleshooting
  Troubleshooting document that provides explanations of the issues more commonly experienced with VNS3.