HP Helion Configuration




HP Helion Configuration
HP Setup for VNS3 2015
copyright 2015

Table of Contents

- Introduction
- Step 1: HP Helion Deployment Setup
- Step 2: Launching a VNS3 Controller Server
- VNS3 Configuration Document Links


Requirements

- You have an HP Helion Public Cloud account.
- You agree to the following VNS3 Terms and Conditions (Terms License).
- Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.
- You have a compliant IPsec firewall/router networking device:
  - Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.
  - Best Effort: Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5.

*Known Exclusions: Checkpoint R65+ requires native IPsec connections as Checkpoint does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.

Getting Help with VNS3

This guide covers a very generic VNS3 GCE setup. If you are interested in more custom use cases and would like Cohesive to advise and help set up the topology, contact sales@cohesive.net for services pricing.

This guide uses Cisco's Adaptive Security Device Manager UI. Setting up your IPsec Extranet device may have a different user experience than what is shown here. All the information entered in this guide will be the same regardless of your UI or command-line setup.

Please review the VNS3 Support Plans and Contacts before sending support inquiries.

Firewall Considerations

HP Helion deployment access is controlled by the HP Cloud network. This document will show you how to open the correct ports in order to access, peer, connect, and negotiate an IPsec tunnel with VNS3 Controllers.

The VNS3 Controller instance uses the following TCP and UDP ports. This guide uses two Security Groups: one for Controllers and one for Client Servers.

- UDP port 1194: For client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.
- UDP 1195-1203*: For tunnels between Controller peers; must be accessible from all peers in a given topology.
- TCP port 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
- UDP port 500: Used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.
- UDP port 4500 or Protocol 50 (ESP): Protocol 50 is used for the phase 2 or ESP (Encapsulating Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500 is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.

*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500.

Remote Support

Note that TCP 22 (ssh) is not required for normal operations.

Each VNS3 Controller is running a restricted SSH daemon, with access limited only to Cohesive for debugging purposes, controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.

Sizing Considerations

Image Size and Architecture

VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the performance will depend on the use-case.

Clientpack Key Size

VNS3 Controllers currently generate 1024-bit keys for connecting the clients to the overlay network via the clientpacks. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.

Step 1: HP Helion Deployment Setup

HP Configuration: Create a Network

A default configuration comes with HP Public Cloud compute activation and includes a network, subnet, router connecting the subnets to the Internet and a security group with basic server options, both SSH and Ping rules.

You can use the default network to deploy VNS3 Controllers and Client Servers in a single security group, or follow these instructions to create a new custom network, subnet, router and security groups.

- On the HP Public Cloud console interface, click Project on the left-side bar, then Networks under Manage Networks.
- Click Create Network in the right-hand navigation.
- Enter a "Network Name" in the Create Network pop-up screen and leave the Admin State box checked.
- Click the Subnet tab.

Note: If you click the Create button on the Create Network pop-up before setting up a "Subnet," an error message prompts you to specify a network address or turn off the option to create a subnet.

HP Configuration: Create a Subnet

- On the Subnet tab in the Create Network pop-up screen, enter the subnet name.
- Enter a Subnet using CIDR (Classless Inter-Domain Routing) notation in the Network Address field. In this example we used 172.31.2.0/24.
- Keep the IPv4 default in the IP Version field.
- Leave the Gateway IP box blank to use the default value of the network address; e.g., 172.31.2.1 for 172.31.2.0/24.
- Leave the Disable Gateway box unchecked to use the default and click Create.

The Networks screen displays your network name and associated subnets.

HP Configuration: Create a Router

- Click Routers in the left column menu.
- Click Create Router in the top right-hand navigation and enter a name for the router.
- Click Set Gateway under Actions to connect your router to the Internet.
- On the resulting popup window, set the External Network drop-down menu to "Ext-Net," and click Set Gateway.

Note: The external network is the router's default route, with the router acting as a gateway for external connectivity. While you can configure a subnet that is internal-only, you must connect it to another subnet with external connectivity.

HP Configuration: Connect your Network

- Click the router name on the Routers page.
- On the Router Detail page click Add Interface.
- On the Add Interface popup, set the Select Subnet drop-down menu to the subnet you just configured.
- Leave the IP Address field blank.
- Click Add Interface.

HP Configuration: Create Security Groups

Security groups and security group rules allow you to specify the type of traffic and direction (inbound/outbound) that is allowed to pass through a network port. A security group is a container for security group rules.

Click Access & Security in the left column menu, then click Create Security Group to create a VNS3-MGR group and a VNS3-Clients group. The default setting allows all outgoing traffic on all protocols and ports.

Add the following Inbound exceptions to the VNS3-MGR Security Group:

- TCP port 8000 from your public IP (you can find your IP address by navigating to http://whatismyip.com)
- TCP port 8000 from the VNS3-MGR security group
- UDP port 1194 from the VNS3-Clients security group
- UDP port 500 from the IP of your Datacenter-based IPsec Device
- Protocol 50 from the IP of your Datacenter-based IPsec Device (only required if you will not use NAT-Traversal encapsulation)
- UDP port 4500 from the IP of your Datacenter-based IPsec Device (only required if you will use NAT-Traversal encapsulation)
- UDP ports 1195-1197 from the VNS3-MGR security group (only required for multiple Controller topologies - SME or Enterprise Editions)

NOTE: No VNS3 specific inbound rules need to be added to the VNS3-Clients group other than what is needed for normal ssh or RDP access from your IP.
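The inbound rule list above, together with the port list under Firewall Considerations, can be checked mechanically once the group exists. The following is an added example, not part of the Cohesive guide: it compares a security group's rules against the guide's VNS3-MGR list and reports missing, unexpected and open-to-anyone entries. It assumes the rules are available as OpenStack Neutron-style dicts; the group IDs, addresses and function names are constructed for illustration.

```python
import ipaddress

ANY = {"any", "0.0.0.0/0", "::/0"}  # sources that mean "anywhere"
KEYS = ("direction", "protocol", "port_range_min", "port_range_max", "remote_ip_prefix", "remote_group_id")

def cidr(addr):
    return str(ipaddress.ip_network(addr, strict=False))  # 198.51.100.7 -> 198.51.100.7/32

def expected_rules(admin_ip, peer_ip, mgr_sg, clients_sg, nat_t=True, peering=False):
    """Inbound rules this guide lists for the VNS3-MGR security group."""
    rules = {
        ("tcp", 8000, 8000, cidr(admin_ip)),  # admin UI from your public IP
        ("tcp", 8000, 8000, mgr_sg),          # Controller to Controller (peering process)
        ("udp", 1194, 1194, clients_sg),      # client VPN connections
        ("udp", 500, 500, cidr(peer_ip)),     # IKE, phase 1
    }
    # Phase 2: UDP 4500 with NAT-Traversal, otherwise native ESP (protocol 50).
    rules.add(("udp", 4500, 4500, cidr(peer_ip)) if nat_t else ("esp", None, None, cidr(peer_ip)))
    if peering:  # multiple-Controller topologies only
        rules.add(("udp", 1195, 1197, mgr_sg))
    return rules

def normalize(rule):
    """Reduce a rule dict to (protocol, low port, high port, source)."""
    proto = str(rule.get("protocol") or "any").lower()
    proto = "esp" if proto == "50" else proto
    prefix = rule.get("remote_ip_prefix")
    source = rule.get("remote_group_id") or (cidr(prefix) if prefix else "any")
    return (proto, rule.get("port_range_min"), rule.get("port_range_max"), source)

def fmt(r):
    proto, lo, hi, src = r
    ports = "all" if lo is None else str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{proto}/{ports} from {src}"

def audit(rules, **policy):
    """Required rules that are absent, then inbound rules the guide does not list."""
    expected = expected_rules(**policy)
    seen = {normalize(r) for r in rules if r.get("direction") == "ingress"}
    findings = [f"MISSING {fmt(r)}" for r in sorted(expected - seen, key=str)]
    for r in sorted(seen - expected, key=str):
        findings.append(f"{'OPEN-TO-ANY' if r[3] in ANY else 'UNEXPECTED'} {fmt(r)}")
    return findings

SAMPLE = [dict(zip(KEYS, row)) for row in [  # constructed; IDs and addresses are placeholders
    ("ingress", "tcp", 8000, 8000, "0.0.0.0/0", None),      # admin UI open to anyone
    ("ingress", "tcp", 8000, 8000, None, "sg-mgr"),
    ("ingress", "udp", 1194, 1194, None, "sg-clients"),
    ("ingress", "udp", 500, 500, "198.51.100.7/32", None),
    ("ingress", "tcp", 22, 22, "203.0.113.10/32", None),    # SSH, not needed normally
    ("egress", None, None, None, None, None),               # default allow-all outbound
]]
POLICY = dict(admin_ip="203.0.113.10", peer_ip="198.51.100.7", mgr_sg="sg-mgr", clients_sg="sg-clients")
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, **POLICY)))
```

An empty result means the group matches the guide's list exactly; pass `nat_t=False` for native IPsec and `peering=True` for multiple-Controller topologies.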

Step 2: Launching a VNS3 Controller Server

VNS3 Server Launch: Create an Instance

- Click Instances in the left column menu.
- On the Instances page click Launch Instance.
- You can leave the default choice of the "Any Availability Zone" (AZ) box, which arbitrarily assigns an AZ for an instance, or click the drop box to specify where to locate an instance.
- Enter a name in the Instance Name field.
- Set the Flavor drop-down menu to select the hardware configuration you want to emulate, i.e., how much disk space and RAM you need. We recommend using standard.small or larger.
- Enter the number of instances you want to create in the Instance Count field.
- Select Boot from Image in the Instance Boot Source drop-down menu.
- Select the appropriate Cohesive VNS3 3.0.4 Image from the Image Name drop-down menu.
  - PAYG has the Free Edition license included in the image and requires no interaction with Cohesive.
  - BYOL is an unlicensed version of the image that can be configured as a Lite, SME or Enterprise Edition (see VNS3 product page for more information). Contact our sales team to set up a subscription in order to receive a license.
- Click the Access & Security tab.

VNS3 Server Launch: Create an Instance (continued)

- On the Access & Security tab, leave the Keypair, Admin Pass and Confirm Admin Pass fields as default.
- Select the VNS3-MGR Security Group.
- Click the Networking tab.
- Drag and drop the network you previously created from the Available Networks box to the Selected Networks box.
- Click Launch.

VNS3 Server Launch: Associate a Floating IP

- Once your Controller instance has launched, click Associate Floating IP.
- On the Associate Floating IP popup, set the Pool drop-down menu to Ext-Net (external network or public Internet).
- Click Allocated IP.
- On the resulting popup window, Manage Floating IP Associations, specify a Floating IP in the IP Address drop-down menu and click Associate.

NOTE: If there are no IPs available, click the + button next to the IP Address field and allocate a new Floating IP.


VNS3 Configuration Document Links

VNS3 Product Resources - Documentation Add-ons

- VNS3 Configuration Instructions: Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.
- VNS3 Administration Document: Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.
- VNS3 Docker Instructions: Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.
- VNS3 Troubleshooting: Troubleshooting document that explains the issues more commonly experienced with VNS3.