Table of Contents
This guide covers a very generic VNS3 setup in Softlayer cloud. If you need specific help with project planning, POCs, or audits, contact our professional services team via firstname.lastname@example.org for details.
- You have a Softlayer CCI.
- Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.
- You have a compliant IPsec firewall/router networking device:
Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.
Best Effort: Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5, and most importantly NAT-Traversal standards.
Known Exclusions: Checkpoint R65-R80 require native IPSec connections as Checkpoint does not conform to NAT-Traversal Standards in these versions. In Checkpoint R80+, GuiDBedit must be used to force either native IPsec or NAT-T in order to maintain a reliable connection. (See https://support.cohesive.net/support/solutions/articles/31000156433-nat-t-compatibility-with-check-point-devices)
Cisco ASA 8.4(2)-8.4(any) bugs prevent a stable connection from being maintained.
VNS3 Controller instances use the following TCP and UDP ports:
UDP port 1194 - For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients.
UDP 1195-1203* - For tunnels between Controller peers; must be accessible from all peers in a given topology. VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
TCP port 8000 - HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
UDP port 500 - UDP port 500 is used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.
Protocol 50 - This is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec.
UDP port 4500** - This is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation.
*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
_** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500._
Image Size and Architecture
VNS3 Controller Images are available as 64bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the performance will depend on the use-case.
Clientpack Key Size
VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.
Step 1: Softlayer Deployment Setup
Softlayer Configuration: Select VNS3 Template
From the Public Image listing, (Devices Menu, Manage, Images) select the “Order Hourly” option on the Actions menu for the Cohesive VNS3 template.
You will find free/trial/pay-as-you-go editions in the Softlayer public image listing. Bring-yourown-license editions may have been shared with you by Cohesive and then be visible in your private images listing.
Softlayer Configuration: Public IP Access
There are two ways of accessing the VNS3 UI in Softlayer; in both instances the public facing IP must be configured on the “outer” adapter of the Controller, which at Softlayer is eth1, and the “inner” adapter (eth0) must be configured with an IP from your internal private VLAN.
- Option 1 (RECOMMENDED) - Use a Softlayer VLAN which is comprised of a “front end” network (Softlayer describes it as the FCR) choice and a corresponding “back end” network choice (Softlayer describes it as the BCR). Softlayer will allocate one of the public IPs in your front end network to your VNS3 Controller.
- Option 2 - If you do not launch VNS3 in a specific “front end” network and “back end” network, then VNS3 will receive a public IP on its outer ethernet adapter, which at Softlayer is eth1. Softlayer will assign a public IP to your instance with no choice on your part.
Launch a VNS3 Controller
After selecting “Order Hourly” or “Order Monthly” from the Images page a configuration screen will pop up.
You will be able to specify how many instances to launch (usually 1) and select the Softlayer datacenter within which to launch the instance.
You can then configure the amount of memory to and CPU to use for your VNS3 Controller. A minimum of 2 GB of memory is recommended and at least two virtual cores.
However, the amount of memory and number of cores to use is a function of how much load you will be putting on the VNS3 Controller in terms of total throughput, number of network connections, etc..
Even though you clicked on a specific image, you will still need to click on the “Select Operating System” tab in order to expose the operating system that is insideyour VNS3 Image template.
Pick Ubuntu Linux 10.04 LTS as shown.
There are a number of additional options on the Softlayer configuration page for additional disks, adapters, etc. Do not choose any of these.
At the bottom of the configuration page there is a choice to “Continue Your Order”.
Choose it after confirming your choices for Softlayer data center location, Operating System, Memory and CPU.
The next page to pop up is an “Order Summary and Billing” page which reviews your previous choices.
Further down the page you then make your VLAN selection with the Backend VLAN selected first.
A Hostname and Domain name entry is required.
Softlayer allows you to use the domain softlayer.com as part of your fully qualified domain name. This name must be unique across all Softlayer hosts.
You then select the “Place an order” radio button.
At the bottom of the page acknowledge the Softlayer Master Services Agreement and select “Finalize Your Order”.
Optional - Configuring VNS3 as the Network Device Gateway
Softlayer Configuration: Public IP Access
In Softlayer an instance can have a public IP on eth1 and a private VLAN IP on eth0. As a result VNS3 can be used as an Internet Gateway, sitting at a private VLAN edge, providing NAT-ing and port forwarding for the other devices in the private VLAN.
Configure Hosts to use VNS3 as Internet Gateway
Here we show the first steps to make the VNS3 appliance an the internet or network device gateway,. In this case the addresses used are based upon the private VLAN addresses used for the VNS3 Controller in Softlayer.
After bringing up the “eth1” interface and configuring the network interface information, the networking can be restarted. In this instance, using Ubuntu. The setup will be comparable but a bit different on RedHat based hosts.
After the networking is restarted, an “ifconfig” command shows the instance has an “eth1” with the address of 192.168.10.2 as specified.
Configure VNS3 as Internet Gateway
In order to configure VNS3 as the Internet Gateway the following Firewall rules need to be entered. (The example continues assuming the VLAN is
# Allow traffic to/from the VLAN to this VNS3:net Controller INPUT_CUST -s 192.168.10.0/24 -j ACCEPT OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT # NAT traffic from the VLAN that is using this VNS3 Controller as Internet Gateway MACRO_CUST -o eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE # Port forward traffic to my 192.168.10.2 host PREROUTING_CUST -i eth1 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22
Assuming your VLAN host is like the example, at 192.168.10.2, and is accessible via SSH, then the firewall is now configured to NAT traffic for any VLAN host configured to use it as the Internet Gateway, and shows how to port forward traffic into the VLAN through the VNS3 Controller
Configure Hosts Route to VNS3 Controller
The last step after all the previous are complete is to enter a route on the Softlayer VLAN host, pointing to the VNS3 Controller’s private ip as the gateway to the Internet.
On the Softlayer host enter:
ip route add 0.0.0.0/0 via 192.168.10.1
192.168.10.1 is used because in this example that is the VNS3 Controller private IP.)
You should now be able to reach Internet resources even without a public IP attached to the Softlayer host.
Depending on the operating system used in the cloud hosts, the route will need to be made persistent. This varies by operating system.