IBM Softlayer Configuration

Softlayer Setup for VNS3, 2016

Table of Contents

  Requirements
  Step 1: Softlayer Deployment Setup
  VNS3 Configuration Document Links

Requirements

Requirements

- You have a Softlayer CCI.
- Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.
- You have a compliant IPsec firewall/router networking device:

  Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

  Best Effort: Any IPsec device that supports IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5.

  *Known Exclusions: Checkpoint R65 requires native IPsec connections as Checkpoint does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.

Getting Help with VNS3

This guide covers a very generic VNS3 setup in the Softlayer cloud. If you need specific help with project planning, POCs, or audits, contact our professional services team via sales@cohesive.net for details.

This guide uses Cisco’s Adaptive Security Device Controller UI. Setting up your IPsec extranet device may have a different user experience than what is shown here. All the information entered in this guide will be the same regardless of your UI or command line setup.

Please review the VNS3 Support Plans and Contacts before sending support inquiries.

Firewall Considerations

VNS3 Controller instances use the following TCP and UDP ports.

UDP port 1194
  For client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.

UDP 1195-1203*
  For tunnels between Controller peers; must be accessible from all peers in a given topology.

TCP port 8000
  HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

UDP port 500
  UDP port 500 is used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

ESP Protocol 50 and possibly UDP port 4500
  Protocol 50 is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500** is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.

* VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500.

Sizing Considerations

Image Size and Architecture
VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the performance will depend on the use-case.

Clientpack Key Size
VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.

Remote Support

Note that TCP 22 (ssh) is not required for normal operations. Each VNS3 Controller is running a restricted SSH daemon, with access limited only to Cohesive for debugging purposes, controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.

Step 1: Softlayer Deployment Setup

Softlayer Configuration: Select VNS3:net Template

From the Public Image listing (Devices Menu, Manage, Images) select the “Order Hourly” option on the Actions menu for the Cohesive VNS3 template.

You will find free/trial/pay-as-you-go editions in the Softlayer public image listing. Bring-your-own-license editions may have been shared with you by Cohesive and then be visible in your private images listing.

Softlayer Configuration: Public IP Access

There are two ways of accessing the VNS3 UI in Softlayer; in both instances the public facing IP must be configured on the “outer” adapter of the Controller, which at Softlayer is eth1, and the “inner” adapter (eth0) must be configured with an IP from your internal private VLAN.

Option 1 - If you do not launch VNS3 in a specific “front end” network and “back end” network, then VNS3 will receive a public IP on its outer ethernet adapter, which at Softlayer is eth1. Softlayer will assign a public IP to your instance with no choice on your part.

Option 2 (RECOMMENDED) - Use a Softlayer VLAN which is comprised of a “front end” network choice (Softlayer describes it as the FCR) and a corresponding “back end” network choice (Softlayer describes it as the BCR). Softlayer will allocate one of the public IPs in your front end network to your VNS3 Controller.

NOTE: VLANs are created by contacting your Softlayer account representative.

Launch a VNS3 Controller

After selecting “Order Hourly” or “Order Monthly” from the Images page a configuration screen will pop up. You will be able to specify how many instances to launch (usually 1) and select the Softlayer datacenter within which to launch the instance.

Launch a VNS3 Controller

You can then configure the amount of memory and CPU to use for your VNS3 Controller. A minimum of 2 GB of memory is recommended and at least two virtual cores. However, the amount of memory and number of cores to use is a function of how much load you will be putting on the VNS3 Controller in terms of total throughput, number of network connections, etc.

Even though you clicked on a specific image, you will still need to click on the “Select Operating System” tab in order to expose the operating system that is inside your VNS3 Image template. Pick Ubuntu Linux 10.04 LTS as shown.


Launch a VNS3 Controller

There are quite a number of additional options on the Softlayer configuration page for additional disks, adapters, etc. Do not choose any of these.

At the bottom of the configuration page there is a choice to “Continue Your Order”. Choose it after confirming your choices for Softlayer data center location, Operating System, Memory and CPU.

Launch a VNS3 Controller

The next page to pop up is an “Order Summary and Billing” page which reviews your previous choices.

Launch a VNS3 Controller

Further down the page you then make your VLAN selection, with the Backend VLAN selected first.

Launch a VNS3 Controller

A Hostname and Domain name entry is required. Softlayer allows you to use the domain softlayer.com as part of your fully qualified domain name. This name must be unique across all Softlayer hosts.

You then select the “Place an order” radio button. At the bottom of the page acknowledge the Softlayer Master Services Agreement and select “Finalize Your Order”.

Optional - Configuring VNS3 as the network device gateway

Softlayer Configuration: Public IP Access

In Softlayer an instance can have a public IP on eth1 and a private VLAN IP on eth0. As a result VNS3 can be used as an Internet Gateway, sitting at a private VLAN edge, providing NAT-ing and port forwarding for the other devices in the private VLAN.

Configure Hosts to use VNS3 as Internet Gateway

WARNING: Do not configure private VLAN hosts to use VNS3 as an Internet Gateway until the VNS3 instance is fully configured with Private VLAN settings and Firewall rules for NAT-ing installed. If you have public IPs temporarily assigned to your private VLAN hosts, and create a route to the VNS3 as the gateway to 0.0.0.0/0, you will most likely lose connectivity until the VNS3 configuration is complete, including port forwarding information to SSH or RDP into the VLAN host through the VNS3 Controller.

Here we show the first steps to make the VNS3 appliance the Internet or network device gateway. In this case the addresses used are based upon the private VLAN addresses used for the VNS3 Controller in Softlayer.

Configure Softlayer Hosts to use VNS3 as Internet Gateway

After bringing up the “eth1” interface and configuring the network interface information, the networking can be restarted. This instance uses Ubuntu; the setup will be comparable but a bit different on RedHat based hosts.

After the networking is restarted, an “ifconfig” command shows the instance has an “eth1” with the address of 192.168.10.2 as specified.

Configure VNS3 as Internet Gateway

In order to configure VNS3 as the Internet Gateway the following Firewall rules need to be entered. (The example continues assuming the VLAN is 192.168.10.0/24.)

  # Allow traffic to/from the VLAN to this VNS3:net Controller
  INPUT_CUST -s 192.168.10.0/24 -j ACCEPT
  OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT
  # NAT traffic from the VLAN that is using this VNS3 Controller as Internet Gateway
  MACRO_CUST -o eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE
  # Port forward traffic to my 192.168.10.2 host
  PREROUTING_CUST -i eth1 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22

Assuming your VLAN host is like the example, at 192.168.10.2, and is accessible via SSH, then the firewall is now configured to NAT traffic for any VLAN host configured to use it as the Internet Gateway, and the last rule shows how to port forward traffic into the VLAN through the VNS3 Controller (TCP port 33 arriving on eth1 is forwarded to port 22 on the host).

Configure Hosts Route to VNS3 Controller

The last step, after all the previous steps are complete, is to enter a route on the Softlayer VLAN host, pointing to the VNS3 Controller’s private IP as the gateway to the Internet. The warning earlier in this section applies here: if the VNS3 firewall rules for NAT-ing and port forwarding are not yet in place, the host will most likely lose connectivity once this route is added.

On the Softlayer host enter:

  ip route add 0.0.0.0/0 via 192.168.10.1

(The address 192.168.10.1 is used because in this example that is the VNS3 Controller private IP.)

You should now be able to reach Internet resources even without a public IP attached to the Softlayer host.

Depending on the operating system used in the cloud hosts, the route will need to be made persistent. This varies by operating system.
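The three steps above (bring up the host's VLAN interface, enter the VNS3 firewall rules, then add the host's default route) only work in that order, which is what the warning is about. As an added example, not part of this guide or of VNS3 itself, here is a Python preflight check that parses rules written in the VNS3 firewall syntax shown above and only hands back the `ip route add` command once the ACCEPT, MASQUERADE and DNAT rules for the VLAN are all present. The rule text is copied from this guide; the parsing approach, the function names and the `ssh_forward` parameter are this example's own assumptions.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Rule set from the guide (VNS3 firewall syntax), embedded here as the sample input.
VNS3_RULES = """
# Allow traffic to/from the VLAN to this VNS3:net Controller
INPUT_CUST -s 192.168.10.0/24 -j ACCEPT
OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT
# NAT traffic from the VLAN that is using this VNS3 Controller as Internet Gateway
MACRO_CUST -o eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE
# Port forward traffic to my 192.168.10.2 host
PREROUTING_CUST -i eth1 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22
"""


@dataclass
class Rule:
    chain: str                                # e.g. MACRO_CUST
    args: dict = field(default_factory=dict)  # option -> value, e.g. "-j" -> "MASQUERADE"


def parse_rules(text):
    """Parse rule lines: '#' starts a comment, the first token is the chain, the rest
    are iptables-style option/value pairs (an option with no value is stored as True)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        args, i = {}, 1
        while i < len(tokens):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            args[tokens[i]] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        rules.append(Rule(tokens[0], args))
    return rules


def _covers(rule, opt, net):
    """True if the CIDR given for option `opt` (-s or -d) contains the whole VLAN."""
    value = rule.args.get(opt)
    if not isinstance(value, str):
        return False
    try:
        return net.subnet_of(ipaddress.ip_network(value, strict=False))
    except (ValueError, TypeError):
        return False


def gateway_preflight(rules, vlan_cidr, outer_if="eth1", ssh_forward=None):
    """Return the list of missing prerequisites; an empty list means the VNS3 side is
    complete and the host's default route can be changed. `ssh_forward` is an optional
    (host_ip, external_port) pair that must be DNATed to host:22 so the VLAN host stays
    reachable once it no longer has a public IP of its own."""
    vlan = ipaddress.ip_network(vlan_cidr, strict=False)
    missing = []
    if not any(r.chain == "INPUT_CUST" and r.args.get("-j") == "ACCEPT"
               and _covers(r, "-s", vlan) for r in rules):
        missing.append(f"INPUT_CUST ACCEPT from {vlan}")
    if not any(r.chain == "OUTPUT_CUST" and r.args.get("-j") == "ACCEPT"
               and _covers(r, "-d", vlan) for r in rules):
        missing.append(f"OUTPUT_CUST ACCEPT to {vlan}")
    if not any(r.chain == "MACRO_CUST" and r.args.get("-j") == "MASQUERADE"
               and r.args.get("-o") == outer_if and _covers(r, "-s", vlan) for r in rules):
        missing.append(f"MACRO_CUST MASQUERADE for {vlan} out {outer_if}")
    if ssh_forward:
        host, port = ssh_forward
        if not any(r.chain == "PREROUTING_CUST" and r.args.get("-j") == "DNAT"
                   and r.args.get("-i") == outer_if and r.args.get("-p") == "tcp"
                   and r.args.get("--dport") == str(port)
                   and r.args.get("--to") == f"{host}:22" for r in rules):
            missing.append(f"PREROUTING_CUST DNAT {outer_if}:{port} -> {host}:22")
    return missing


def host_route_command(rules, vlan_cidr, gateway_ip, **kw):
    """The command to run on the VLAN host, returned only when the preflight passes and
    the gateway address (the Controller's private IP) lies inside the VLAN."""
    if ipaddress.ip_address(gateway_ip) not in ipaddress.ip_network(vlan_cidr, strict=False):
        raise ValueError(f"{gateway_ip} is not inside {vlan_cidr}")
    missing = gateway_preflight(rules, vlan_cidr, **kw)
    if missing:
        raise RuntimeError("VNS3 not ready, missing: " + "; ".join(missing))
    return f"ip route add 0.0.0.0/0 via {gateway_ip}"


if __name__ == "__main__":
    rules = parse_rules(VNS3_RULES)
    print(host_route_command(rules, "192.168.10.0/24", "192.168.10.1",
                             ssh_forward=("192.168.10.2", 33)))
```

With the guide's full rule set the check returns the `ip route add 0.0.0.0/0 via 192.168.10.1` line; drop the MASQUERADE rule and it raises instead, naming the missing piece, which is exactly the situation in which adding the route would cut the host off.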

VNS3 Configuration Document Links

VNS3 Configuration Document Links

VNS3 Product Resources - Documentation Add-ons

VNS3 Configuration Instructions
  Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document
  Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker Instructions
  Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting
  Troubleshooting document that provides explanations of issues that are more commonly experienced with VNS3.
