VMware NSX for the little ones. Part 6: VPN Setup


Part one. Introductory
Part two. Configuring Firewall and NAT Rules
Part three. Configuring DHCP
Part four. Routing setup
Part five. Setting up a load balancer

Today we're going to take a look at the VPN configuration options that NSX Edge offers us.

In general, we can divide VPN technologies into two key types:

  • Site-to-site VPN. The most common use of IPsec: creating a secure tunnel, for example, between the main office network and a network at a remote site or in the cloud.
  • Remote Access VPN. Used to connect individual users to corporate private networks using the VPN client software.

NSX Edge allows us to use both options.
We will configure it on a test bench with two NSX Edges, a Linux server running the racoon IKE daemon, and a Windows laptop for testing the Remote Access VPN.

IPsec

  1. In the vCloud Director interface, go to the Administration section and select the vDC. On the Edge Gateways tab, select the Edge we need, right-click and select Edge Gateway Services.
  2. In the NSX Edge interface, go to the VPN-IPsec VPN tab, then to the IPsec VPN Sites section and click + to add a new site.

  3. Fill in the required fields:
    • Enabled – activates the remote site.
    • PFS – ensures that each new cryptographic key is not derived from any previous key.
    • Local ID and Local Endpoint – the external address of the NSX Edge.
    • Local subnets – local networks that will use the IPsec VPN.
    • Peer ID and Peer Endpoint – the address of the remote site.
    • Peer subnets – networks on the remote side that will use the IPsec VPN.
    • Encryption Algorithm – the tunnel encryption algorithm.
    • Authentication – how we will authenticate the peer. You can use a Pre-Shared Key or a certificate.
    • Pre Shared Key – the key that will be used for authentication; it must match on both sides.
    • Diffie Hellman Group – the key exchange algorithm.

    After filling in the required fields, click Keep.

  4. Done.

  5. After adding the site, go to the Activation Status tab and activate the IPsec Service.

  6. After the settings are applied, go to the Statistics -> IPsec VPN tab and check the status of the tunnel. We see that the tunnel is up.

  7. Check the tunnel status from the Edge gateway console:
    • show service ipsec - check the status of the service.

    • show service ipsec site - Information about the state of the site and negotiated parameters.

    • show service ipsec sa - check the status of the Security Association (SA).

  8. Checking connectivity with a remote site:
    root@racoon:~# ifconfig eth0:1 | grep inet
            inet 10.255.255.1  netmask 255.255.255.0  broadcast 0.0.0.0
    
    root@racoon:~# ping -c1 -I 10.255.255.1 192.168.0.10 
    PING 192.168.0.10 (192.168.0.10) from 10.255.255.1 : 56(84) bytes of data.
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=63 time=59.9 ms
    
    --- 192.168.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 59.941/59.941/59.941/0.000 ms
    

    Configuration files and additional commands for diagnostics from a remote Linux server:

    root@racoon:~# cat /etc/racoon/racoon.conf 
    
    log debug;
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    
    listen {
      isakmp 80.211.43.73 [500];
       strict_address;
    }
    
    remote 185.148.83.16 {
            exchange_mode main,aggressive;
            proposal {
                     encryption_algorithm aes256;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group modp1536;
             }
             generate_policy on;
    }
     
    sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
             encryption_algorithm aes256;
             authentication_algorithm hmac_sha1;
             compression_algorithm deflate;
    }
    
    ===
    
    root@racoon:~# cat /etc/racoon/psk.txt
    185.148.83.16 testkey
    
    ===
    
    root@racoon:~# cat /etc/ipsec-tools.conf 
    #!/usr/sbin/setkey -f
    
    flush;
    spdflush;
    
    spdadd 192.168.0.0/24 10.255.255.0/24 any -P in ipsec
          esp/tunnel/185.148.83.16-80.211.43.73/require;
    
    spdadd 10.255.255.0/24 192.168.0.0/24 any -P out ipsec
          esp/tunnel/80.211.43.73-185.148.83.16/require;
    
    ===
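    A mismatch between what was typed into the NSX site dialog (encryption algorithm, Diffie-Hellman group, authentication method, local and peer subnets) and what racoon.conf proposes is the usual reason a site stays down, so it is worth checking the two against each other before reading SA state. The following Python script is an added example and is not part of the original article, of racoon or of NSX: it parses the racoon.conf shown above (re-embedded here as a constructed sample) and compares the remote proposal and the sainfo block with a hand-typed dict of the NSX site settings. The NSX_SITE values (AES-256, DH group 5, pre-shared key) are assumptions for the example, since the article shows the dialog but not every value chosen; the DH_GROUPS table is the standard IKE MODP group numbering.

```python
# Added example: check that racoon.conf agrees with the NSX Edge IPsec site settings.

# Constructed sample: a copy of the racoon.conf shown above.
SAMPLE_RACOON_CONF = """\
log debug;
path pre_shared_key "/etc/racoon/psk.txt";

listen {
  isakmp 80.211.43.73 [500];
  strict_address;
}

remote 185.148.83.16 {
        exchange_mode main,aggressive;
        proposal {
                 encryption_algorithm aes256;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group modp1536;
         }
         generate_policy on;
}

sainfo address 10.255.255.0/24 any address 192.168.0.0/24 any {
         encryption_algorithm aes256;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}
"""

# Assumed values for this example: what the NSX site dialog was filled in with.
NSX_SITE = {"encryption": "aes256", "dh_group": 5, "auth": "pre_shared_key"}

# racoon's MODP group names mapped to the IKE group numbers the NSX dialog uses.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5,
             "modp2048": 14, "modp3072": 15, "modp4096": 16}


def parse_racoon_conf(text):
    """Parse racoon.conf into nested dicts: 'name { ... }' blocks become dicts
    keyed by the full header line, 'key value;' statements become strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in racoon.conf")
    return root


def audit_peer(conf, peer_ip, site):
    """Phase 1: does the 'remote <peer>' proposal match the NSX site settings?"""
    remote = conf.get(f"remote {peer_ip}")
    if remote is None:
        return [f"no 'remote {peer_ip}' block: racoon will not negotiate with this peer"]
    proposal = remote.get("proposal", {})
    findings = []
    enc = proposal.get("encryption_algorithm")
    if enc != site["encryption"]:
        findings.append(f"phase 1 encryption_algorithm {enc!r} != NSX {site['encryption']!r}")
    dh = proposal.get("dh_group")
    if DH_GROUPS.get(dh) != site["dh_group"]:
        findings.append(f"dh_group {dh!r} is not DH group {site['dh_group']} selected on NSX")
    auth = proposal.get("authentication_method")
    if auth != site["auth"]:
        findings.append(f"authentication_method {auth!r} != NSX {site['auth']!r}")
    modes = [m.strip() for m in remote.get("exchange_mode", "").split(",")]
    if "aggressive" in modes and auth == "pre_shared_key":
        findings.append("exchange_mode also accepts aggressive mode with a pre-shared key; "
                        "unless the peer requires it, list only 'main'")
    return findings


def audit_phase2(conf, local_net, peer_net, site):
    """Phase 2: is there a sainfo block for the Local/Peer subnet pair with the site's cipher?"""
    sainfo = conf.get(f"sainfo address {local_net} any address {peer_net} any")
    if sainfo is None:
        return [f"no sainfo block for {local_net} <-> {peer_net}: no IPsec policy for that pair"]
    enc = sainfo.get("encryption_algorithm")
    if enc != site["encryption"]:
        return [f"phase 2 encryption_algorithm {enc!r} != NSX {site['encryption']!r}"]
    return []


if __name__ == "__main__":
    conf = parse_racoon_conf(SAMPLE_RACOON_CONF)
    findings = (audit_peer(conf, "185.148.83.16", NSX_SITE)
                + audit_phase2(conf, "10.255.255.0/24", "192.168.0.0/24", NSX_SITE))
    for f in findings or ["racoon.conf agrees with the NSX site settings"]:
        print(f)
```

    To use it on the racoon host, replace SAMPLE_RACOON_CONF with the contents of /etc/racoon/racoon.conf and NSX_SITE with the values from the site dialog; the subnet pair passed to audit_phase2 must be the Local subnets / Peer subnets pair from that same dialog.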
    
    
    root@racoon:~# racoonctl show-sa isakmp
    Destination            Cookies                           Created
    185.148.83.16.500      2088977aceb1b512:a4c470cb8f9d57e9 2019-05-22 13:46:13 
    
    ===
    
    root@racoon:~# racoonctl show-sa esp
    80.211.43.73 185.148.83.16 
            esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
            E: aes-cbc  00064df4 454d14bc 9444b428 00e2296e c7bb1e03 06937597 1e522ce0 641e704d
            A: hmac-sha1  aa9e7cd7 51653621 67b3b2e9 64818de5 df848792
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=1 pid=7739 refcnt=0
    185.148.83.16 80.211.43.73 
            esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
            E: aes-cbc  c812505a 9c30515e 9edc8c4a b3393125 ade4c320 9bde04f0 94e7ba9d 28e61044
            A: hmac-sha1  cd9d6f6e 06dbcd6d da4d14f8 6d1a6239 38589878
            seq=0x00000000 replay=4 flags=0x00000000 state=mature 
            created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
            diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
            last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
            current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
            allocated: 860  hard: 0 soft: 0
            sadb_seq=0 pid=7739 refcnt=0
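    Reading `racoonctl show-sa esp` by eye works once; a monitoring agent needs the same check as code. The following Python script is an added example, not part of the article, racoon or NSX: it parses that listing into one record per SA, reports whether a mature SA exists in each direction between the two endpoints (an IPsec tunnel needs both), and flags a non-mature state, an unexpected cipher or integrity algorithm, or an SA that has passed its soft lifetime without being replaced. The embedded listing is a constructed sample shaped like the output above with the key bytes zeroed; the expected algorithms default to the aes-cbc/hmac-sha1 pair negotiated in this tutorial.

```python
import re

# Constructed sample shaped like the `racoonctl show-sa esp` listing above.
# The E:/A: key bytes are zeroed: the real command prints live SA keys, so
# its raw output should never be pasted into tickets or chat.
SAMPLE_SHOW_SA_ESP = """\
80.211.43.73 185.148.83.16
        esp mode=tunnel spi=1646662778(0x6226147a) reqid=0(0x00000000)
        E: aes-cbc  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
        diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
        last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
        current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 860  hard: 0 soft: 0
        sadb_seq=1 pid=7739 refcnt=0
185.148.83.16 80.211.43.73
        esp mode=tunnel spi=88535449(0x0546f199) reqid=0(0x00000000)
        E: aes-cbc  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 22 13:46:13 2019   current: May 22 14:07:43 2019
        diff: 1290(s)   hard: 3600(s)   soft: 2880(s)
        last: May 22 13:46:13 2019      hard: 0(s)      soft: 0(s)
        current: 72240(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 860  hard: 0 soft: 0
        sadb_seq=0 pid=7739 refcnt=0
"""

# An SA block starts with an unindented "src dst" line.
HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
LIFETIME = re.compile(r"(diff|hard|soft):\s*(\d+)\(s\)")


def parse_show_sa_esp(text):
    """Return one dict per SA: src, dst, mode, spi, enc, auth, state, diff/soft/hard (seconds)."""
    sas, cur = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("esp "):
            cur["mode"] = re.search(r"mode=(\w+)", line).group(1)
            cur["spi"] = int(re.search(r"spi=(\d+)", line).group(1))
        elif line.startswith("E: "):                 # encryption algorithm, then key bytes
            cur["enc"] = line.split()[1]
        elif line.startswith("A: "):                 # integrity algorithm, then key bytes
            cur["auth"] = line.split()[1]
        elif "state=" in line:
            cur["state"] = re.search(r"state=(\w+)", line).group(1)
        elif line.startswith("diff:"):               # age and the soft/hard time lifetimes
            for name, secs in LIFETIME.findall(line):
                cur[name] = int(secs)
    return sas


def sa_findings(sa, expected_enc="aes-cbc", expected_auth="hmac-sha1"):
    """Things an operator would want flagged for one SA (empty list = healthy)."""
    tag = f"spi {sa.get('spi')}"
    out = []
    if sa.get("state") != "mature":
        out.append(f"{tag}: state={sa.get('state')}, expected mature")
    if sa.get("mode") != "tunnel":
        out.append(f"{tag}: mode={sa.get('mode')}, expected tunnel")
    if sa.get("enc") != expected_enc:
        out.append(f"{tag}: encryption {sa.get('enc')}, expected {expected_enc}")
    if sa.get("auth") != expected_auth:
        out.append(f"{tag}: integrity {sa.get('auth')}, expected {expected_auth}")
    age, soft, hard = sa.get("diff"), sa.get("soft"), sa.get("hard")
    if age is not None and soft and age >= soft:
        out.append(f"{tag}: age {age}s past soft lifetime {soft}s, rekey overdue (hard {hard}s)")
    return out


def tunnel_state(sas, local, peer):
    """The tunnel is up only when a mature SA exists in each direction between local and peer."""
    def mature(src, dst):
        return [s for s in sas if s["src"] == src and s["dst"] == dst and s.get("state") == "mature"]
    outbound, inbound = mature(local, peer), mature(peer, local)
    return {"outbound": len(outbound), "inbound": len(inbound), "up": bool(outbound and inbound)}


if __name__ == "__main__":
    sas = parse_show_sa_esp(SAMPLE_SHOW_SA_ESP)
    print(tunnel_state(sas, "80.211.43.73", "185.148.83.16"))
    for sa in sas:
        for line in sa_findings(sa) or [f"spi {sa['spi']}: ok"]:
            print(line)
```

    To run it against a live host, replace SAMPLE_SHOW_SA_ESP with the captured output of `racoonctl show-sa esp`; the local/peer addresses passed to tunnel_state are the racoon listen address and the NSX Edge external address from the configuration above.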

  9. Everything is ready, site-to-site IPsec VPN is up and running.

    In this example, we used PSK for peer authentication, but certificate authentication is also possible. To do this, go to the Global Configuration tab, enable certificate authentication and select the certificate itself.

    In addition, in the site settings, you will need to change the authentication method.

    Note that the maximum number of IPsec tunnels depends on the size of the deployed Edge Gateway (see our first article).

SSL VPN

SSL VPN-Plus is one of the Remote Access VPN options. It allows individual remote users to connect securely to private networks behind the NSX Edge Gateway. With SSL VPN-Plus, the encrypted tunnel is established between the client (Windows, Linux, Mac) and the NSX Edge.

  1. Let's start setting up. In the Edge Gateway service control panel, go to the SSL VPN-Plus tab, then to Server Settings. We select the address and port on which the server will listen for incoming connections, enable logging and select the necessary encryption algorithms.

    Here you can also change the certificate that the server will use.

  2. After everything is ready, turn on the server and do not forget to save the settings.

  3. Next, we need to set up a pool of addresses that we will issue to clients upon connection. This network is separate from any existing subnet in your NSX environment and does not need to be configured on other devices on the physical networks, except for the routes that point to it.

    Go to the IP Pools tab and click +.

  4. Select addresses, subnet mask and gateway. Here you can also change the settings for DNS and WINS servers.

  5. The resulting pool.

  6. Now let's add the networks that users connecting to the VPN will have access to. Go to the Private Networks tab and click +.

  7. We fill in:
    • Network - a local network to which remote users will have access.
    • Send traffic – has two options:
      - over tunnel – send traffic to the network through the tunnel,
      - bypass tunnel – send traffic to the network directly, bypassing the tunnel.
    • Enable TCP Optimization - check if you chose the over tunnel option. When optimization is enabled, you can specify the port numbers for which you want to optimize traffic. Traffic for the remaining ports on that particular network will not be optimized. If no port numbers are specified, traffic for all ports is optimized. Read more about this feature here.

  8. Next, go to the Authentication tab and click +. For authentication, we will use a local server on the NSX Edge itself.

  9. Here we can select policies for generating new passwords and configure options for blocking user accounts (for example, the number of retries if the password is entered incorrectly).

  10. Since we are using local authentication, we need to create users.

  11. In addition to basic things like a name and password, here you can, for example, prohibit the user from changing the password or, conversely, force him to change the password the next time he logs in.

  12. After all the necessary users have been added, go to the Installation Packages tab, click + and create the installer itself, which will be downloaded by a remote employee for installation.

  13. Press +. Select the address and port of the server to which the client will connect, and the platforms for which you want to generate the installation package.

    Below in this window, you can specify the client settings for Windows. Choose:

    • start client on logon – the VPN client will be added to startup on the remote machine;
    • create desktop icon – a VPN client icon will be created on the desktop;
    • server security certificate validation – the server certificate will be validated upon connection.

    Server setup is complete.

  14. Now let's download the installation package we created in the last step to a remote PC. When setting up the server, we specified its external address (185.148.83.16) and port (445). This is the address we need to open in a web browser; in my case it is 185.148.83.16:445.

    In the authorization window, you must enter the credentials of the user we created earlier.

  15. After authorization, we see a list of created installation packages available for download. We have created only one - we will download it.

  16. We click on the link, the download of the client begins.

  17. Unpack the downloaded archive and run the installer.

  18. After installation, launch the client, in the authorization window, click Login.

  19. In the certificate verification window, select Yes.

  20. We enter the credentials for the previously created user and see that the connection was completed successfully.

  21. We check the statistics of the VPN client on the local computer.

  22. In the Windows command line (ipconfig /all), we see that an additional virtual adapter has appeared and that there is connectivity to the remote network. Everything works:

  23. And finally, check from the Edge Gateway console.

L2 VPN

L2VPN is needed when you want to combine several geographically distributed networks into one broadcast domain.

This can be useful, for example, when migrating a virtual machine: when a VM moves to another geographical area, the machine will retain its IP addressing settings and will not lose connectivity with other machines located in the same L2 domain with it.

In our test environment, we will connect two sites, which we will call A and B. We have two NSX Edges and two identically created routed networks attached to different Edges. Machine A has the address 10.10.10.250/24 and Machine B has the address 10.10.10.2/24.

  1. In vCloud Director, go to the Administration tab, go to the VDC we need, go to the Org VDC Networks tab and add two new networks.

  2. Select the routed network type and bind this network to our NSX. We put the checkbox Create as subinterface.

  3. As a result, we should get two networks. In our example, they are called network-a and network-b with the same gateway settings and the same mask.

  4. Now let's go to the settings of the first NSX. This will be the NSX that Network A is attached to. It will act as a server.

    Return to the NSX Edge interface and go to VPN -> L2VPN. Enable L2VPN, select the Server operating mode and, in Server Global settings, specify the external NSX IP address on which the tunnel port will listen. By default, the socket opens on port 443, but this can be changed. Do not forget to select the encryption settings for the future tunnel.

  5. Go to the Server Sites tab and add a peer.

  6. We turn on the peer, set the name, description, if necessary, set the username and password. We will need this data later when setting up the client site.

    In Egress Optimization Gateway Address we set the gateway address. This is necessary so that there is no conflict of IP addresses, because the gateway of our networks has the same address. Then click on the SELECT SUB-INTERFACES button.

  7. Here we select the desired subinterface. We save the settings.

  8. We see that the newly created client site has appeared in the settings.

  9. Now let's move on to configuring NSX from the client side.

    We go to NSX side B, go to VPN -> L2VPN, enable L2VPN and set the L2VPN mode to Client. On the Client Global tab, set the address and port of NSX A, which we specified earlier as the Listening IP and Port on the server side. The same encryption settings must also be set so that both sides agree when the tunnel is brought up.

    Scroll down and select the subinterface through which the L2VPN tunnel will be built.
    In Egress Optimization Gateway Address set the gateway address, then set the user ID and password and do not forget to save the settings.

  10. Actually, that's all. The settings of the client and server side are almost identical, with the exception of a few nuances.
  11. Now we can see that our tunnel is up by going to Statistics -> L2VPN on either NSX.

  12. If we now open the console of either Edge Gateway, we will see the addresses of both VMs in the ARP table on each of them.

That's all about VPN on NSX Edge. Ask if something is unclear. This is also the last part of our series of articles on working with NSX Edge. We hope they were helpful 🙂

Source: habr.com
