VNS3 setup

This guide describes VNS3 firewall requirements and the IPsec devices that VNS3 supports

Launch in environment of choice

Set up a cloud account at a public cloud provider. VNS3 is available in most public and private cloud formats including:

  • Public Clouds: Amazon Web Services EC2, Amazon Web Services VPC, Microsoft Azure, CenturyLink Cloud, Google Compute Engine (GCE), Rackspace, IBM SoftLayer, ElasticHosts, Verizon Terremark vCloud Express, InterRoute, Abiquo

  • Private Clouds: Openstack, Flexiant, Eucalyptus, Abiquo, HPE Helion, and more

  • Virtual Infrastructure: VMware (all formats), Citrix, Xen, KVM, and more


Familiarize yourself with OpenVPN TLS client if you plan on using the encrypted VNS3 Overlay Network.

Familiarize yourself with your IPsec firewall/router network device if you plan on creating a site-to-site IPsec connection to your cloud application deployment via VNS3. VNS3 supports most IPsec data center solutions including:

  • Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

  • Best Effort: Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5, and most importantly NAT-Traversal standards.

  • Known Exclusions: Checkpoint R65-R80 require native IPSec connections as Checkpoint does not conform to NAT-Traversal Standards in these versions. In Checkpoint R80+, GuiDBedit must be used to force either native IPsec or NAT-T in order to maintain a reliable connection. (See https://support.cohesive.net/support/solutions/articles/31000156433-nat-t-compatibility-with-check-point-devices)

    Cisco ASA 8.4(2)-8.4(any) bugs prevent a stable connection from being maintained.

Firewall Setup

The VNS3 network appliance uses the following portsVNS3 Controller instances use the following TCP and UDP ports.

VNS3 Web UI/API - TCP port 8000 - HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

VNS3 encrypted Overlay Network - UDP port 1194 For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients.

VNS3 Controller Mesh Peering - UDP 1195-1203 * For tunnels between Controller peers; must be accessible from all peers in a given topology.

IPsec Phase1/ISAKMP - UDP port 500 UDP port 500 is used the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

IPsec Phase2/ESP or NAT-Traversal - UDP port 4500 or Protocol 50 (ESP) ** Protocol 50 is used for phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500 is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation.

*Note: VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering. **Note Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500