© 2016 IBM Softlayer Configuration: Softlayer Setup for VNS3 2016

IBM Softlayer Configuration · Softlayer allows you to use the domain softlayer.com as part of your fully qualified domain name. This name must be unique across all Softlayer hosts



Table of Contents


Requirements 3

Step 1: Softlayer Deployment Setup 9

VNS3 Configuration Document Links 21


Requirements


• You have a Softlayer CCI.

• Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

• You have a compliant IPsec firewall/router networking device:

  Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

  Best Effort: Any IPsec device that supports IKEv1 or IKEv2, AES256 or AES128 or 3DES, and SHA1 or MD5.

  *Known Exclusions: Checkpoint R65+ requires native IPsec connections, as Checkpoint does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.


Getting Help with VNS3


This guide covers a very generic VNS3 setup in Softlayer cloud. If you need specific help with project planning, POCs, or audits, contact our professional services team via [email protected] for details.

This guide uses Cisco’s Adaptive Security Device Controller UI. Setting up your IPsec Extranet device may give a different user experience from what is shown here, but all the information entered in this guide will be the same regardless of whether you use a UI or a command line setup.

Please review the VNS3 Support Plans and Contacts before sending support inquiries.


Firewall Considerations


VNS3 Controller instances use the following TCP and UDP ports.

• UDP port 1194: for client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.

• UDP ports 1195-1203*: for tunnels between Controller peers; must be accessible from all peers in a given topology.

• TCP port 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

• UDP port 500: used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

• ESP (IP protocol 50) and possibly UDP port 4500: protocol 50 is used for the phase 2 or ESP (Encapsulating Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500** is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.

* VNS3:vpn and VNS3:net Lite Edition do not require UDP ports 1195-1197 access, as they are not licensed for Controller Peering.

** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500.
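To make the port list above actionable, here is an added Python audit (not VNS3 or Cohesive code) that computes the minimal inbound set for a Controller's enabled features and compares it with an exported firewall rule list; the "proto port cidr" rule format and the sample ingress list are constructed for this example.

```python
"""Audit a VNS3 Controller's inbound firewall rules against the port list above.

Added example, not VNS3 or Cohesive code. The 'proto port cidr' rule format is a
constructed stand-in for whatever your cloud firewall or security group exports.
"""
import ipaddress

# Ports the page lists, keyed by the feature that needs them.
CLIENT_VPN = {("udp", 1194)}
PEERING = {("udp", p) for p in range(1195, 1204)}
ADMIN_UI = {("tcp", 8000)}
IKE = {("udp", 500)}
ESP_NATIVE = {("esp", 0)}   # IP protocol 50 has no port; 0 is a placeholder
ESP_NATT = {("udp", 4500)}
SSH = {("tcp", 22)}         # only needed while Remote Support is enabled

def required_ports(peering, ipsec, nat_traversal, remote_support):
    """Minimal inbound set for a Controller with the given features enabled."""
    need = CLIENT_VPN | ADMIN_UI
    if peering:
        need |= PEERING
    if ipsec:
        need |= IKE | (ESP_NATT if nat_traversal else ESP_NATIVE)
    if remote_support:
        need |= SSH
    return need

def parse_ingress(text):
    """Parse constructed 'proto port cidr' lines into (proto, port, network)."""
    rules = []
    for line in text.strip().splitlines():
        proto, port, cidr = line.split()
        rules.append((proto.lower(), int(port), ipaddress.ip_network(cidr)))
    return rules

def audit(text, **features):
    """Report ports missing, ports open but not needed, and admin UI exposure."""
    need = required_ports(**features)
    rules = parse_ingress(text)
    opened = {(proto, port) for proto, port, _ in rules}
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    return {
        "missing": sorted(need - opened),
        "unneeded": sorted(opened - need),
        # TCP 8000 only needs to reach admin hosts and peer Controllers.
        "admin_ui_world_open": any(proto == "tcp" and port == 8000 and net == anywhere
                                   for proto, port, net in rules),
    }

# Constructed sample: a Lite-edition Controller with client VPN and one NAT-T
# IPsec peer, with TCP 22 left open although Remote Support is off.
SAMPLE_INGRESS = """
udp 1194 0.0.0.0/0
tcp 8000 0.0.0.0/0
udp 500 203.0.113.7/32
tcp 22 0.0.0.0/0
"""
```

Running audit(SAMPLE_INGRESS, peering=False, ipsec=True, nat_traversal=True, remote_support=False) reports UDP 4500 missing, TCP 22 open without need, and the admin UI exposed to 0.0.0.0/0.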


Sizing Considerations


Image Size and Architecture

VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use case. We recommend that Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported, but performance will depend on the use case.

Clientpack Key Size

VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.


Remote Support


Note that TCP 22 (ssh) is not required for normal operations.

Each VNS3 Controller runs a restricted SSH daemon; access is limited to Cohesive for debugging purposes and is controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.


Step 1: Softlayer Deployment Setup



Softlayer Configuration: Select VNS3:net Template


From the Public Image listing, (Devices Menu, Manage, Images) select the “Order Hourly” option on the Actions menu for the Cohesive VNS3 template.

You will find free/trial/pay-as-you-go editions in the Softlayer public image listing. Bring-your-own-license editions may have been shared with you by Cohesive and then be visible in your private images listing.


Softlayer Configuration: Public IP Access


There are two ways of accessing the VNS3 UI in Softlayer; in both instances the public facing IP must be configured on the “outer” adapter of the Controller, which at Softlayer is eth1, and the “inner” adapter (eth0) must be configured with an IP from your internal private VLAN.

• Option 1 - If you do not launch VNS3 in a specific “front end” network and “back end” network, then VNS3 will receive a public IP on its outer ethernet adapter, which at Softlayer is eth1. Softlayer will assign a public IP to your instance with no choice on your part.

• Option 2 (RECOMMENDED) - Use a Softlayer VLAN which is comprised of a “front end” network (Softlayer describes it as the FCR) choice and a corresponding “back end” network choice (Softlayer describes it as the BCR). Softlayer will allocate one of the public IPs in your front end network to your VNS3 Controller.

• NOTE: VLANs are created by contacting your Softlayer account representative.


Launch a VNS3 Controller


After selecting “Order Hourly” or “Order Monthly” from the Images page a configuration screen will pop up.

You will be able to specify how many instances to launch (usually 1) and select the Softlayer datacenter within which to launch the instance.


You can then configure the amount of memory and CPU to use for your VNS3 Controller. A minimum of 2 GB of memory and at least two virtual cores are recommended.

However, the amount of memory and number of cores to use is a function of how much load you will be putting on the VNS3 Controller in terms of total throughput, number of network connections, etc.

Even though you clicked on a specific image, you will still need to click on the “Select Operating System” tab in order to expose the operating system that is inside your VNS3 Image template.

Pick Ubuntu Linux 10.04 LTS as shown.



There are quite a number of additional options on the Softlayer configuration page for additional disks, adapters, etc. Do not choose any of these.

At the bottom of the configuration page there is a choice to “Continue Your Order”.

Choose it after confirming your choices for Softlayer data center location, Operating System, Memory and CPU.


The next page to pop up is an “Order Summary and Billing” page which reviews your previous choices.


Further down the page you then make your VLAN selection with the Backend VLAN selected first.


A Hostname and Domain name entry is required.

Softlayer allows you to use the domain softlayer.com as part of your fully qualified domain name. This name must be unique across all Softlayer hosts.

You then select the “Place an order” radio button.


At the bottom of the page acknowledge the Softlayer Master Services Agreement and select “Finalize Your Order”.


Optional - Configuring VNS3 as the network device gateway



Softlayer Configuration: Public IP Access


In Softlayer an instance can have a public IP on eth1 and a private VLAN IP on eth0.

As a result VNS3 can be used as an Internet Gateway, sitting at a private VLAN edge, providing NAT-ing and port forwarding for the other devices in the private VLAN.


Configure Hosts to use VNS3 as Internet Gateway


WARNING

Do not configure private VLAN hosts to use VNS3 as an Internet Gateway until the VNS3 instance is fully configured with Private VLAN settings and Firewall rules for NAT-ing installed. If you have public IPs temporarily assigned to your private VLAN hosts, and create a route to the VNS3 as the gateway to 0.0.0.0/0, you will most likely lose connectivity until the VNS3 configuration is complete, including port forwarding information to SSH or RDP into the VLAN host through the VNS3 Controller.

Here we show the first steps to make the VNS3 appliance the Internet or network device gateway. In this case the addresses used are based upon the private VLAN addresses used for the VNS3 Controller in Softlayer.



After bringing up the “eth1” interface and configuring the network interface information, the networking can be restarted. This example uses Ubuntu; the setup will be comparable but slightly different on RedHat based hosts.

After the networking is restarted, an “ifconfig” command shows the instance has an “eth1” with the address of 192.168.10.2 as specified.



Configure VNS3 as Internet Gateway


In order to configure VNS3 as the Internet Gateway the following Firewall rules need to be entered. (The example continues assuming the VLAN is 192.168.10.0/24)

# Allow traffic to/from the VLAN to this VNS3:net Controller
INPUT_CUST -s 192.168.10.0/24 -j ACCEPT
OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT

# NAT traffic from the VLAN that is using this VNS3 Controller as Internet Gateway
MACRO_CUST -o eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE

# Port forward traffic to my 192.168.10.2 host
PREROUTING_CUST -i eth1 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22

Assuming your VLAN host is like the example, at 192.168.10.2, and is accessible via SSH, then the firewall is now configured to NAT traffic for any VLAN host configured to use it as the Internet Gateway, and shows how to port forward traffic into the VLAN through the VNS3 Controller.
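The following added Python check (not VNS3 or Cohesive code) parses rules in the chain-plus-iptables-argument form shown above and flags a MASQUERADE or DNAT rule whose scope is wider than the VLAN; the over-broad last rule in the sample is constructed to show what it catches, and the INPUT_CUST note only records that the page's ACCEPT rule is not limited to a port (so TCP 8000 is included).

```python
"""Scope check for VNS3 *_CUST firewall rules used in the gateway setup.

Added example, not VNS3 or Cohesive code. Assumes the rule grammar seen on
this page: a chain name followed by iptables-style arguments.
"""
import ipaddress
import shlex

# Constructed sample: the rules from this page plus a deliberately over-broad
# MASQUERADE rule (last line) to show what the check catches.
SAMPLE_RULES = """
INPUT_CUST -s 192.168.10.0/24 -j ACCEPT
OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT
MACRO_CUST -o eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE
PREROUTING_CUST -i eth1 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22
MACRO_CUST -o eth1 -s 0.0.0.0/0 -j MASQUERADE
"""

FLAGS_WITH_VALUE = {"-s", "-d", "-i", "-o", "-p", "-j", "--dport", "--to"}

def parse_rule(line):
    """Turn 'CHAIN -s x -j y ...' into a dict; flags without a value map to True."""
    tokens = shlex.split(line)
    rule = {"chain": tokens[0]}
    i = 1
    while i < len(tokens):
        if tokens[i] in FLAGS_WITH_VALUE and i + 1 < len(tokens):
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            rule[tokens[i]] = True
            i += 1
    return rule

def check_rules(text, vlan_cidr):
    """Return (line, severity, message) findings; 'warn' means wider than the VLAN."""
    vlan = ipaddress.ip_network(vlan_cidr)
    findings = []
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        target = rule.get("-j")
        if target == "MASQUERADE":
            # Without a VLAN-scoped source, anything routed out eth1 gets NATed.
            src = ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"))
            if not src.subnet_of(vlan):
                findings.append((line, "warn", "MASQUERADE source not limited to the VLAN"))
        elif target == "DNAT":
            host = ipaddress.ip_address(rule["--to"].split(":")[0])
            if host not in vlan:
                findings.append((line, "warn", "DNAT target lies outside the VLAN"))
            if rule.get("-p") is None or "--dport" not in rule:
                findings.append((line, "warn", "DNAT rule not limited to one protocol/port"))
        elif target == "ACCEPT" and rule["chain"] == "INPUT_CUST" and "--dport" not in rule:
            # The page's rule accepts every port from the VLAN, TCP 8000 included.
            findings.append((line, "info", "INPUT_CUST ACCEPT is not port-limited"))
    return findings

if __name__ == "__main__":
    for line, sev, msg in check_rules(SAMPLE_RULES, "192.168.10.0/24"):
        print(f"[{sev}] {msg}: {line}")
```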


The last step, after all the previous ones are complete, is to enter a route on the Softlayer VLAN host pointing to the VNS3 Controller’s private IP as the gateway to the Internet.

On the Softlayer host enter:

ip route add 0.0.0.0/0 via 192.168.10.1

(The address 192.168.10.1 is used because in this example that is the VNS3 Controller’s private IP.)

You should now be able to reach Internet resources even without a public IP attached to the Softlayer host.

Depending on the operating system used in the cloud hosts, the route will need to be made persistent. This varies by operating system.


VNS3 Configuration Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions: Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document: Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker Instructions: Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting: Troubleshooting document that explains the issues more commonly experienced with VNS3.