Azure VPN to VNS3 via IPSec

This tutorial demonstrates how to connect any Azure VPN SKU to a VNS3 controller via IPSec. For more information about IPSec in general, please review the following article: https://docs.cohesive.net/glossary/ipsec/

To create a successful site-to-site IPsec connection from your Azure VNET to a VNS3 controller, you will have to create the following objects in Azure: a virtual network gateway, a local network gateway, and a connection. These three objects must be created for any Azure VPN SKU. Once those objects are created, you will update your Azure routing table accordingly to cause traffic to traverse the IPSec connection.

For a policy-based IPSec connection in VNS3, you will create an endpoint and then define tunnels (local and remote CIDR pairs) that will be able to traverse the connection.

For a route-based IPSec connection in VNS3, you will create an endpoint and define VTI (virtual tunnel interface) routes for the Azure subnet(s) to cause the relevant traffic to traverse the IPSec connection.

Virtual Network Gateway

An Azure Virtual Network Gateway is the first object you will create. It acts as the entry point for packets leaving the Azure vNet and is used in the Azure route table to direct traffic over an IPSec connection.

Local Network Gateway

An Azure Local Network Gateway contains the VNS3 public IP and subnet CIDR(s) local to VNS3 (any subnet/address in CIDR notation).

Connection

Once the virtual network gateway is created, you will create the connection, instantiating an IPSec connection between the Azure virtual network gateway and the VNS3 controller.

Azure Basic VPN: Policy-based IKEv1

Create an Azure Virtual Network Gateway

Navigate to your Azure portal and search for ‘Virtual Network Gateway’ in the search bar. Select Add. Fill out the following information:

  • Select the VNET
  • Check the box for Policy-based
  • Specify the virtual network
  • Create new IP address and name it accordingly
  • Review + create.

Creating a Virtual Network Gateway for policy-based IPSec

Create the Connection

Once the Virtual Network Gateway is created, navigate to it and select Connections under Settings on the left side panel. Select ‘Add +’.

Name this VPN connection something unique and set the Connection type to Site-to-site (IPSec). Select ‘Local Network Gateway’ and ‘Create New’. The local network gateway will contain the public IP of the VNS3 device as well as the subnet(s) that are behind the VNS3 device. For this example we will be creating a connection to the default VNS3 encrypted overlay network (100.127.255.192/26).

Creating an Azure Local Network Gateway

Define a Pre-shared Key (PSK). Select IKEv1, then Create.

Once the connection is created, navigate to the connection homepage and go to Overview. Select “Download Configuration” at the top menu and specify a Cohesive VNS3 device. This Configuration document will give you the proper VNS3 configuration parameters for setting up the VNS3 side of the connection.

Once both sides are configured and connected, you will need to update your Cloud Route Table(s) accordingly. For this example we will add a route to the VNS3 encrypted overlay network (100.127.255.192/26). The “Next Hop” will be the Virtual Network Gateway we created earlier.

Updating your Azure routing table

VNS3 IKEv1 Setup

Navigate to the IPsec page in your VNS3 console and select “Create New Endpoint”. Here you will fill out the information that is provided in the Configuration Document that was downloaded locally in the last step. Fill out the information and paste the configuration parameters into the “extra configuration parameters” box, then select Create.

VNS3 IKEv1 endpoint configuration

Define a policy which will permit certain traffic across the tunnel. Under Actions on the right side, select “New Tunnel”.

Select new tunnel

Specify the local (VNS3’s network) and remote (Azure subnet) CIDRs and select Create.

Creating a policy based tunnel in VNS3

You have now created a policy based IPSec connection from Azure to VNS3.

If you have any questions please contact Cohesive support at support.cohesive.net or by email at support@cohesive.net.

Azure VpnGw1+: Route-based IPSec, IKEv2

Create an Azure Virtual Network Gateway

We will use VpnGw1 for this example, although VpnGw2-VpnGw5 can be used. The VpnGw2-VpnGw5 SKUs allow for greater aggregate throughput from a larger number of IPsec connections than VpnGw1, but a single connection will not be aided by a higher SKU. The configuration will not differ on Azure or VNS3 when using one of these scaled VPN objects (VpnGw2-VpnGw5).

Navigate to your Azure portal and search for ‘Virtual Network Gateway’ in the search bar. Select Add. Fill out the following information:

  • Select the VNET
  • Check the box for Route-based
  • Specify the virtual network
  • Create new IP address and name it
  • Review + create.

Creating a Virtual Network Gateway for route-based IPSec

Create the Connection

Once the Virtual Network Gateway is created, navigate to it and select Connections under Settings on the left side panel. Select ‘Add +’.

Name this VPN connection something unique and set the Connection type to Site-to-site (IPSec). Select ‘Local Network Gateway’ and ‘Create New’. The local network gateway will contain the public IP of the VNS3 device as well as the subnet(s) that are behind the VNS3 device. For this example we will be creating a connection to the default VNS3 encrypted overlay network (100.127.255.192/26).

Creating an Azure Local Network Gateway

Define a Pre-shared Key (PSK). Select IKEv2, then Create.

Creating a VpnGw1 connection

Once the connection is created, navigate to the connection homepage and go to Overview. Select “Download Configuration” at the top menu and specify a Cohesive VNS3 device. This Configuration document will give you the proper VNS3 configuration parameters for setting up the VNS3 side of the connection.

Once both sides are configured and connected, you will need to update your Cloud Route Table accordingly. For this example we will add a route to the VNS3 encrypted overlay network (100.127.255.192/26). The “Next Hop” will be the Virtual Network Gateway we created earlier.
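The Azure-side objects described in both the policy-based IKEv1 (Basic SKU) walkthrough and the route-based IKEv2 (VpnGw1) walkthrough above, built with the Azure CLI instead of the portal. This is an added example, not Cohesive’s or Azure’s own code. The resource names, resource group, region and workload subnet name are assumptions, the VNS3 public IP and PSK are placeholders, and the script assumes the VNET already contains a GatewaySubnet. With DRY_RUN=1 (the default) it only prints the commands it would run; set DRY_RUN=0 to execute them with `az`. MODE=policy reproduces the Basic/IKEv1 section, MODE=route the VpnGw1/IKEv2 section.

```shell
#!/bin/sh
# Added example (not Cohesive's or Azure's code): Azure CLI equivalents of the portal
# steps above. Names below are assumptions; the VNS3 public IP and PSK are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only, 0 = run them with az
MODE="${MODE:-policy}"                  # policy -> Basic SKU / IKEv1, route -> VpnGw1 / IKEv2
RG="${RG:-rg-vns3-demo}"                # assumption
LOCATION="${LOCATION:-eastus}"          # assumption
VNET="${VNET:-vnet-demo}"               # assumption; must already contain a GatewaySubnet
SUBNET="${SUBNET:-subnet-workloads}"    # assumption; the subnet whose traffic should reach VNS3
VNS3_PUBLIC_IP="${VNS3_PUBLIC_IP:-203.0.113.10}"   # placeholder (TEST-NET-3)
VNS3_OVERLAY="${VNS3_OVERLAY:-100.127.255.192/26}"  # default VNS3 encrypted overlay, as in the text
PSK="${PSK:-REPLACE-WITH-PSK}"          # pass via the environment; never commit a real PSK
VNG=vng-to-vns3; LNG=lng-vns3; CONN=conn-vns3; RT=rt-to-vns3; PIP=pip-vng

case "$MODE" in
  policy) VPN_TYPE=PolicyBased; SKU=Basic;  IKE=IKEv1; PIP_SKU=Basic;    PIP_ALLOC=Dynamic ;;
  route)  VPN_TYPE=RouteBased;  SKU=VpnGw1; IKE=IKEv2; PIP_SKU=Standard; PIP_ALLOC=Static ;;
  *) echo "MODE must be 'policy' or 'route'" >&2; exit 2 ;;
esac

# Print the command in dry-run mode, otherwise execute it verbatim.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1) Public IP the Virtual Network Gateway terminates IPsec on.
create_public_ip() {
  run az network public-ip create --resource-group "$RG" --name "$PIP" --location "$LOCATION" \
    --sku "$PIP_SKU" --allocation-method "$PIP_ALLOC"
}

# 2) Virtual Network Gateway: the Azure-side IPsec endpoint (policy- or route-based).
create_vnet_gateway() {
  run az network vnet-gateway create --resource-group "$RG" --name "$VNG" --location "$LOCATION" \
    --vnet "$VNET" --gateway-type Vpn --vpn-type "$VPN_TYPE" --sku "$SKU" --public-ip-addresses "$PIP"
}

# 3) Local Network Gateway: VNS3 public IP plus the CIDR(s) behind VNS3.
create_local_gateway() {
  run az network local-gateway create --resource-group "$RG" --name "$LNG" --location "$LOCATION" \
    --gateway-ip-address "$VNS3_PUBLIC_IP" --local-address-prefixes "$VNS3_OVERLAY"
}

# 4) Site-to-site connection; refuse to build a real connection with the placeholder PSK.
create_connection() {
  if [ "$DRY_RUN" != "1" ] && [ "$PSK" = "REPLACE-WITH-PSK" ]; then
    echo "set PSK in the environment before running for real" >&2; return 1
  fi
  run az network vpn-connection create --resource-group "$RG" --name "$CONN" --location "$LOCATION" \
    --vnet-gateway1 "$VNG" --local-gateway2 "$LNG" --shared-key "$PSK" --connection-protocol "$IKE"
}

# 5) Route table: send overlay-bound traffic to the gateway, then attach it to the workload subnet
#    (not to the GatewaySubnet).
create_route() {
  run az network route-table create --resource-group "$RG" --name "$RT" --location "$LOCATION"
  run az network route-table route create --resource-group "$RG" --route-table-name "$RT" \
    --name to-vns3-overlay --address-prefix "$VNS3_OVERLAY" --next-hop-type VirtualNetworkGateway
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --route-table "$RT"
}

# Order matters: the gateway needs its IP, the connection needs both gateways.
create_public_ip; create_vnet_gateway; create_local_gateway; create_connection; create_route
```

After the connection exists, the equivalent of the portal’s “Download Configuration” step still has to be done on the Azure side to get the VNS3 parameters, and the VNS3 endpoint and tunnel or VTI route are created in the VNS3 console as described above.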

Updating your Azure routing table

VNS3 IKEv2 Setup

Navigate to the IPsec page in your VNS3 console and select “Create New Endpoint”. Tick the IKEv2 radio button and tick the “Enable Route-based VPN” box. Set the local and remote CIDRs to 0.0.0.0/0. You will define what traffic is able to traverse the tunnel via the VNS3 Routes page, and what traffic is allowed via the VNS3 Firewall page.

Fill out the information that is provided in the Configuration Document that was downloaded locally in the last step. Fill out the information and paste the configuration parameters into the “extra configuration parameters” box, then select Create.

For a route-based IPSec connection in VNS3, a Virtual Tunnel Interface (VTI) is brought up and used to route traffic over the IPSec connection.

VNS3 IKEv2 endpoint configuration

Once the tunnel shows connected, navigate to the VNS3 Routes page.

VNS3 IKEv2 tunnel connected

Specify the Azure VNET or subnet in CIDR notation, enter a route description, set the “route type” to Route-based VPN tunnel, and check the box for “Advertise to Overlay”. If this is your first connection, you will only have one option for the interface; otherwise select the IPsec Endpoint that you just created. Click Add Route.

Adding a VNS3 VTI route

You have now created a route-based IPSec connection between Azure and VNS3.

For more information about route-based VPNs please click HERE. If you have any questions please contact Cohesive support at support.cohesive.net or by email at support@cohesive.net.

Azure VpnGw1+: Route-based with BGP

Azure VPN with BGP supports active-active mode, where there is a primary and a secondary (failover) VPN connection. In the case that the primary endpoint goes down, the traffic will automatically be routed through the secondary VPN connection, providing automatic failover. The configuration will not differ on Azure or VNS3 when using one of the scaled VPN objects (VpnGw2-VpnGw5).

BGP is a routing protocol that allows BGP “peers” (connected devices) to exchange routing and reachability information autonomously. Each peer manages a routing table with all the routing information it knows about, then advertises this information to its BGP peers. This way, if a system goes down, the BGP peers’ routing tables will get updated automatically, allowing traffic to get to its desired destination in the case of a system down or failover event.

Click HERE for more information about BGP in Azure.

Create an Azure Virtual Network Gateway

Navigate to your Azure portal and search for ‘Virtual Network Gateway’ in the search bar. Select ‘Add +’ and fill out the following information:

  • Select the VNET
  • Check the box for Route-based
  • SKU: Select VpnGw1 (if enhanced throughput is required, select a VPN SKU higher than VpnGw1 as appropriate)
  • Specify the virtual network
  • Create a new IP address and name it accordingly
  • Enable Active-active mode
  • Create a new IP address (this will be associated to the ‘Secondary’ VPN)
  • Enable Configure BGP ASN
  • Review + create.

Creating a Virtual Network Gateway for BGP VPN in Azure

Creating the Connection

Once the Virtual Network Gateway is created, type ‘local network gateway’ in the search bar and select ‘Add +’. The local network gateway will contain configuration information about the VNS3 controller. Fill in the following information:

  • Create a name for the local network gateway
  • Enter the Public IP address of your VNS3 controller
  • For the address space, enter your VNS3 controller’s Overlay IP, available on the status page, as a /32 CIDR.
  • Check the box for ‘Configure BGP settings’
  • Enter VNS3’s autonomous system number (ASN). (Configured during licensing and can be found at the bottom of the VNS3 IPSec page. The default ASN is 65001.)
  • For the BGP peer IP address, enter your VNS3 controller’s Overlay IP, available on the Status page.
  • Create

Creating an Azure Local Network Gateway for BGP

Navigate to your Azure Virtual Network Gateway and select Connections under Settings on the left side menu. Select ‘Add +’.

Name this VPN connection something unique and set the Connection type to Site-to-site (IPSec). Select the local network gateway that you created in the previous step.

Define a Pre-shared Key (PSK). Select IKEv2, then Create.

Creating an Azure BGP connection

Once the connection is created, navigate to the connection homepage and select ‘Configuration’ in the left hand column. Toggle Enable BGP and ‘Save’.

Then go to the Overview tab under the connection and select “Download Configuration” at the top menu and specify a Cohesive VNS3 device. This Configuration document will give you the proper settings for configuring the VNS3 side of the connection.
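The active-active, BGP-enabled Azure objects from the steps above, built with the Azure CLI. This is an added example, not Cohesive’s or Azure’s own code. The resource names, resource group and region are assumptions; the VNS3 public IP, VNS3 overlay IP and PSK are placeholders. 65001 is the VNS3 default ASN named in the text and 65515 is Azure’s default gateway ASN. Passing two public IPs to the gateway is what enables active-active mode, and `--enable-bgp` on the connection corresponds to the Enable BGP toggle above. DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 runs them with `az`.

```shell
#!/bin/sh
# Added example (not Cohesive's or Azure's code): Azure CLI equivalents of the BGP portal
# steps above. Names are assumptions; IPs and the PSK are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-vns3-bgp}"; LOCATION="${LOCATION:-eastus}"; VNET="${VNET:-vnet-demo}"  # assumptions
VNG=vng-bgp; LNG=lng-vns3; CONN=conn-vns3-bgp
PIP1=pip-vng-1; PIP2=pip-vng-2                        # two IPs => active-active (primary/secondary)
AZURE_ASN="${AZURE_ASN:-65515}"                       # Azure's default gateway ASN
VNS3_ASN="${VNS3_ASN:-65001}"                         # VNS3 default ASN, per the text
VNS3_PUBLIC_IP="${VNS3_PUBLIC_IP:-203.0.113.10}"      # placeholder (TEST-NET-3)
VNS3_OVERLAY_IP="${VNS3_OVERLAY_IP:-100.127.255.193}" # placeholder: VNS3 overlay IP from the Status page
PSK="${PSK:-REPLACE-WITH-PSK}"                        # pass via the environment

# Print the command in dry-run mode, otherwise execute it verbatim.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One Standard/static public IP per gateway instance (primary and secondary).
create_public_ips() {
  for pip in "$PIP1" "$PIP2"; do
    run az network public-ip create --resource-group "$RG" --name "$pip" --location "$LOCATION" \
      --sku Standard --allocation-method Static
  done
}

# Virtual Network Gateway: route-based VpnGw1, two public IPs (active-active), BGP ASN configured.
create_vnet_gateway() {
  run az network vnet-gateway create --resource-group "$RG" --name "$VNG" --location "$LOCATION" \
    --vnet "$VNET" --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 \
    --public-ip-addresses "$PIP1" "$PIP2" --asn "$AZURE_ASN"
}

# Local Network Gateway: VNS3 public IP, its overlay IP as a /32 address space, and the VNS3 ASN
# plus overlay IP as the BGP peer, matching the portal fields above.
create_local_gateway() {
  run az network local-gateway create --resource-group "$RG" --name "$LNG" --location "$LOCATION" \
    --gateway-ip-address "$VNS3_PUBLIC_IP" --local-address-prefixes "${VNS3_OVERLAY_IP}/32" \
    --asn "$VNS3_ASN" --bgp-peering-address "$VNS3_OVERLAY_IP"
}

# Connection: IKEv2 site-to-site with BGP enabled at creation time.
create_connection() {
  if [ "$DRY_RUN" != "1" ] && [ "$PSK" = "REPLACE-WITH-PSK" ]; then
    echo "set PSK in the environment before running for real" >&2; return 1
  fi
  run az network vpn-connection create --resource-group "$RG" --name "$CONN" --location "$LOCATION" \
    --vnet-gateway1 "$VNG" --local-gateway2 "$LNG" --shared-key "$PSK" \
    --connection-protocol IKEv2 --enable-bgp
}

# Read back the gateway's BGP peering addresses (BGP peer IP1 / IP2 in the configuration document);
# the JMESPath below follows the gateway resource's bgpSettings layout.
show_bgp_peers() {
  run az network vnet-gateway show --resource-group "$RG" --name "$VNG" \
    --query "bgpSettings.bgpPeeringAddresses[].defaultBgpIpAddresses" --output tsv
}

create_public_ips; create_vnet_gateway; create_local_gateway; create_connection; show_bgp_peers
```

The two addresses returned by show_bgp_peers are the ones used later as the eBGP peer IPs and as the /32 VTI routes on the VNS3 side; the Azure ASN set here is the one entered in the VNS3 eBGP peer configuration.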

VNS3 BGP Setup

Navigate to the IPsec page in your VNS3 console and select “Create New Endpoint”. Tick the IKEv2 radio button and tick the “Enable Route-based VPN” box. Set the local and remote CIDRs to 0.0.0.0/0. You will define what traffic is able to traverse the tunnel via the VNS3 Routes page, and what traffic is allowed via the VNS3 Firewall page.

Use the information provided in the Configuration Document to fill out the endpoint configuration. Paste the encryption parameters/lifetimes into the ‘extra configuration parameters’ box, then select Create.

For route-based IPSec connections in VNS3, a Virtual Tunnel Interface (VTI) is brought up and used to route traffic over the IPSec connection. The VTI interface address can be any non-overlapping address, defined as a /30 CIDR. Addresses from the 169.254.x.y space are commonly used.

VNS3 IKEv2 endpoint configuration

Repeat the previous steps for the secondary IP that is listed in the Configuration Document. This second endpoint will be for the Secondary BGP connection; name it accordingly.

From the Actions menu on the primary endpoint, select ‘New eBGP peer’.

VNS3 new eBGP peer

The Peer’s IP address will be under ‘BGP peer IP1’ in the Configuration Document along with the Azure BGP ASN. The “peer’s access list” will be where you define the local and remote CIDRs. Use the terms ‘in permit’ and ‘out permit’ to define what traffic will traverse this BGP connection. The “out permit” addresses will be advertised to the BGP peer(s), and “in permit” addresses will accept specific advertisements from the Azure peer. Do not configure network distance for the primary endpoint.

VNS3 new eBGP peer config

Repeat the same steps for the secondary endpoint and be sure to add inbound network distance of 10. This network distance will be advertised to the BGP peers and traffic will only traverse the secondary tunnel if the primary tunnel is not available.

VNS3 new secondary eBGP peer config

Once the eBGP peers are created, navigate to the VNS3 Routes page. Specify the Azure BGP Peer IP in CIDR notation (10.6.1.4/32) as the route CIDR, enter a route description, set the “route type” to Route-based VPN tunnel, select the primary IPsec endpoint, and click Create.

Creating a VNS3 route to primary BGP peer

Create another route with the same settings, but for the secondary Azure BGP IP and to the secondary IPsec endpoint. Click Create.

Creating a VNS3 route to secondary BGP peer

Now you can test passing traffic across the tunnels (ping, telnet, etc.). One way to make sure these connections are configured correctly is with the VNS3 Network Sniffer. Go to the Network Sniffer and set the network interface to the primary VTI interface, then click Start. You should see traffic requests and replies in the network sniffer output. If you are only seeing traffic in one direction, you may need to change the network distance metric in the eBGP configuration.

You have now created two route-based BGP IPSec connections between Azure and your VNS3 controller.

If you have any questions please contact Cohesive support at support.cohesive.net or by email at support@cohesive.net.