By: Chris Colotti
This is a repost from Chris Colotti's blog, chriscolotti.us.
In the process of building my experimental "MonsterCloud" vCloud Director Hybrid setup I obviously needed to do some site-to-site VPN between the following locations:
- VMware Eval Cloud
- Stratogen Cloud
- My House
The trick here is that this is now turning into a true Hybrid cloud as two sites are running vCloud Director, and my house is not. It's a standard datacenter with a Cisco Firewall for IPsec VPN. The idea is to connect the two vCloud Director clouds first, then connect the home datacenter to each of the two vCloud providers. Let's look at the vCloud to vCloud VPN setup first, as that is the easiest thing to configure in the world when both ends are vCloud Director.
Configure vCloud 2 vCloud VPN
Select your Edge Gateway in your vCloud organization and select the VPN tab. Once there select "Add" and you will see the following screen.
Select "A Network in another Organization", and then select "Log Into Remote vCD".
Fill in the required fields for just the vCloud URL and the org with your credentials. Once you log in you will be presented with the other vCloud Organization's networks so you can multi-select the mappings for the networks in each Organization. The rest of the options you can pretty much leave at the defaults as they are populated.
Once this is done the two sites should come up with VPN between them. However, you will need to configure the firewall rules in the Edge Gateway before you can connect the networks. I will cover that last after the IPsec VPN setup.
Configure IPsec VPN From Cisco RV042
Now I am sure everyone has a different router or IPsec firewall, but I have located and found the correct IPsec settings to use that seem to work best for this which are listed below. I have included the RV042 specific settings as well.
vCloud Edge Gateway IPSEC Setup:
For this end it's pretty simple but there are a few things I noticed and this is what I configured that worked for me. When you add the new VPN simply Select "A Remote Network" and use settings similar to these:
Peer Networks: List the remote networks for mapping
Local ID: I have found using the external IP of the Edge works
Peer ID: Also use the External Address of the Peer Firewall
Peer IP: Same as the Peer ID
Encryption: 3DES seems to work best
Shared Key: <Various>
RV042 IPsec Setup:
Phase 1 Mode: IKE with pre-shared Key
Phase 1 DH Group: Group 2
Phase 1 Encryption: 3DES
Phase 1 Authentication: SHA1
Phase 1 SA Life: 28800
Perfect Forward Secrecy: On
Phase 2 DH Group: Group 2
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 SA Life: 3600
Pre-Shared Key: <Various>
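The single most common reason a tunnel like this negotiates Phase 1 but never passes traffic is a Phase 2 mismatch (PFS on one side and off on the other, or a different DH group). The following is an added example, not code from the original post: it takes the RV042 settings listed above, a constructed Edge Gateway side that is assumed to mirror them except for PFS, reports where the two ends disagree, and also flags which of these values are legacy by current IPsec guidance (3DES, SHA1 and DH group 2 all still negotiate, but a practitioner should know they are on the weak end).

```python
"""Check two IPsec proposals for agreement and flag legacy algorithms.
Added example; not the post's own code. The Edge side below is constructed."""

# RV042 settings exactly as listed in the post.
RV042 = {
    "phase1_mode": "IKE with pre-shared key",
    "phase1_dh_group": 2,
    "phase1_encryption": "3DES",
    "phase1_auth": "SHA1",
    "phase1_sa_life": 28800,
    "pfs": True,
    "phase2_dh_group": 2,
    "phase2_encryption": "3DES",
    "phase2_auth": "SHA1",
    "phase2_sa_life": 3600,
}

# Constructed (assumed) Edge Gateway side: same as the RV042 except that PFS
# was left off, so no Phase 2 DH group is offered. This is the kind of
# mismatch that leaves Phase 1 up while the tunnel never carries traffic.
EDGE_MISCONFIGURED = dict(RV042, pfs=False, phase2_dh_group=None)

# Values that still negotiate fine but are legacy by current guidance.
LEGACY = {
    "3DES": "64-bit block cipher; prefer AES",
    "SHA1": "deprecated hash; prefer SHA-256",
    2: "1024-bit MODP DH group; prefer group 14 (2048-bit) or stronger",
}


def proposal_mismatches(local, peer):
    """Return {setting: (local_value, peer_value)} for every disagreement."""
    keys = sorted(set(local) | set(peer))
    return {k: (local.get(k), peer.get(k))
            for k in keys if local.get(k) != peer.get(k)}


def legacy_settings(proposal):
    """Return {setting: reason} for each value found on the LEGACY list."""
    return {k: LEGACY[v] for k, v in proposal.items() if v in LEGACY}


if __name__ == "__main__":
    for setting, (mine, theirs) in proposal_mismatches(EDGE_MISCONFIGURED, RV042).items():
        print(f"MISMATCH {setting}: edge={mine!r} rv042={theirs!r}")
    for setting, reason in legacy_settings(RV042).items():
        print(f"LEGACY   {setting}: {reason}")
```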
Configure the vCloud Edge Gateway Firewall Rules
This is probably the SINGLE most missed area by people setting this up. Even with the connections made, nothing will pass for traffic through the vCloud Director Edge Gateway to the peer networks without firewall rules. Last month I wrote about the Changing Role of the VMware Admin, and this section alone is why I think many people will struggle. I was an ex-admin for Checkpoint in my day so I personally like writing firewall rules. It's sad but true. Below are the rules I have in both the Stratogen and VMware Eval Cloud Edge Gateways for traffic to pass between the two clouds as well as to the 'Server' network back at my house.
This is a screenshot from the VMware Eval Cloud, and you can see I have allowed traffic in both directions from the Stratogen Cloud to and from the Desktop and Private networks as well as from the Home Server network to the Private network. You MUST create rules in the vCloud Edge Gateway or you will not have connectivity just with the VPN connections. I cannot stress this enough, and you can control which networks are accessible from the other sites through the VPN this way.
In my case I also use vShield App rules in the home lab to prevent traffic from the Hybrid Active Directory server to my "Corporate" network while allowing it to access the Server Network and the router. This is an added step I took to isolate the Active Directory server on the Server segment from the rest of my network.
The bottom line here from this step? You really must brush up on your firewall rule skills for both the Edge Gateway and App Firewall for that matter. These are both tools that the new vSphere Administrator really must understand how to use. Personally, I like creating and figuring out firewall rules for some reason, and I was a Checkpoint Admin for years. Get these things under your belt and the next and last post will be the final Hybrid Cloud Configuration with the final Visio Diagram for what I have built. I really do hope to maybe turn this into a couple of VMworld 2013 submissions, so if you think these topics are useful, be on the lookout!
Chris is a Consulting Architect with the VMware vCloud Delivery Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science Degree in Information Systems from the Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of a Consultant and now Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud solutions and architectures for enterprise-wide private cloud deployments.