Creating an IPSec Site-to-Site VPN Tunnel between an Organization vDC vShield Edge and a Remote Network
This document describes how to configure the networks on both ends, create the firewall rules and test the connection.
Version 1.0
1. Create a VPN Tunnel from an Organization vDC Network Backed by an Edge Gateway to a Remote Network
Procedure: Create a VPN Rule from the vCloud Networking & Security Edge
Procedure: Create a VPN Rule from the Microsoft ISA Server
2. Create Firewall Rules for the IPSec VPN Tunnel communication between an Organization vDC Network Backed by an Edge Gateway and a Remote Network
Procedure: vCloud Networking & Security Edge Firewall Rules
1. Create a VPN Tunnel from an Organization vDC Network Backed by an Edge Gateway to a Remote Network
You can create VPN tunnels between an organization vDC network and your internal enterprise network (the remote network). Organization administrators create these tunnels on the vShield Edge Gateway. vShield Edge supports site-to-site IPSec VPN between a vShield Edge instance and remote sites, with certificate or pre-shared key authentication, IP unicast traffic only, and no dynamic routing protocol between the vShield Edge instance and the remote VPN routers.
Behind each remote VPN router you can configure multiple subnets that connect to the internal network behind the vShield Edge through IPSec tunnels. These subnets and the internal network behind the vShield Edge must have address ranges that do not overlap. A vShield Edge supports a maximum of 64 tunnels across a maximum of 10 sites.
IPSec is a framework of open standards. The logs of the vShield Edge and of other VPN appliances use the following terms, which you will need when troubleshooting the IPSec VPN:
ISAKMP (Internet Security Association and Key Management Protocol) is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key exchange independent.
Oakley is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection using the Diffie-Hellman key exchange algorithm.
IKE (Internet Key Exchange) is a combination of the ISAKMP framework and Oakley. vShield Edge provides IKEv2. Note that the Phase 1 parameters listed below (main mode, aggressive mode disabled) are IKEv1 exchange types, so check on the Edge version you run which IKE version the tunnel actually negotiates, and configure the remote peer to match it.
Diffie-Hellman (DH) key exchange is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. VSE supports DH group 2 (1024 bits) on the Denit vCloud environment. A 1024-bit MODP group is below current recommendations (group 14, 2048 bits, or larger); treat it as a constraint of this environment rather than a design choice, and pick the largest group both peers support wherever the Edge version offers more than group 2.
IKE Phase 1 and Phase 2
IKE is a standard method used to arrange secure, authenticated communications.
Phase 1 Parameters
Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by the vShield Edge are:
Main mode
TripleDES / AES [configurable]
SHA-1
MODP group 2 (1024 bits)
Pre-shared secret [configurable]
SA lifetime of 28800 seconds (eight hours) with no Kbytes rekeying
ISAKMP aggressive mode disabled
Phase 2 Parameters
IKE Phase 2 negotiates an IPSec tunnel by creating keying material for the IPSec tunnel to use (either by using the IKE Phase 1 keys as a base or by performing a new key exchange). The IKE Phase 2 parameters supported by vShield Edge are:
TripleDES / AES [will match the Phase 1 setting]
SHA-1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no Kbytes rekeying
Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets
Apart from the cipher and the pre-shared secret these values are fixed on the Edge, so the remote VPN device must be configured with exactly the same proposal (mode, cipher, SHA-1, DH group 2, lifetimes, PFS on). A mismatch in any of them shows up as a Phase 1 or Phase 2 negotiation failure in the logs (for example a "no proposal chosen" notification), not as a configuration error in either user interface. Of the two ciphers, choose AES; TripleDES is only there for legacy peers.
If a firewall is between the tunnel endpoints, you must configure it to allow the following IP protocols and UDP ports in both directions between the two endpoint addresses:
IP Protocol ID 50 (ESP)
IP Protocol ID 51 (AH)
UDP Port 500 (IKE)
UDP Port 4500 (IKE NAT traversal; when either endpoint sits behind NAT, ESP is carried inside UDP 4500 instead of as protocol 50)
Prerequisites Verify that you have a routed remote network that
uses IPSec and an organization vDC network backed by an edge
gateway.
Example: VPN Tunnel Example (topology diagram in the original; the values it shows are listed here)
vCloud external network Ext-Network-Vlan210: 62.148.163.0/24, connected to the Internet
vCloud Networking & Security Edge device BetaEdge_Internet: external IP 62.148.163.30, sub-allocated IP pool 62.148.163.31 - 62.148.163.38, internal IP 192.168.11.1
vCloud organization network Beta_OrgvDC_Internet: 192.168.11.0/24, hosting BetaSrv01 and BetaSrv02
Remote network device: Microsoft ISA Server, external IP 213.208.238.186 (in 213.208.238.184/29), internal IP 10.208.238.10
Enterprise internal network: 10.208.238.0/24
IPsec VPN tunnel: across the Internet between 62.148.163.30 and 213.208.238.186, carrying traffic between 192.168.11.0/24 and 10.208.238.0/24
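The Phase 1 / Phase 2 parameter list and the topology above together define everything that has to agree between the two gateways. The following Python script is an added example (it is not part of this guide, nor of the vShield or ISA/TMG products): it encodes the fixed Edge proposal and the example addresses as two peer definitions, one per side, and checks that they mirror each other before anyone enables the tunnel. The pre-shared key string, the `Side` / `Proposal` structures and the deliberately broken ISA variant are constructed for illustration.

```python
"""Cross-check both halves of a site-to-site IPsec tunnel definition."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Proposal:
    """IKE / IPsec parameters one gateway offers; both sides must agree on all of them."""
    ike_mode: str        # "main" (the Edge keeps aggressive mode disabled)
    encryption: str      # "3des" or "aes"; the Edge reuses the Phase 1 choice for Phase 2
    integrity: str       # "sha1"
    dh_group: int        # MODP group; 2 = 1024 bits
    p1_lifetime: int     # Phase 1 SA lifetime in seconds, no kbyte-based rekey
    p2_lifetime: int     # Phase 2 SA lifetime in seconds, no kbyte-based rekey
    pfs: bool            # perfect forward secrecy on Phase 2 rekey


@dataclass(frozen=True)
class Side:
    """One gateway's view of the tunnel, as typed into its VPN dialog."""
    name: str
    local_endpoint: str
    peer_endpoint: str
    local_networks: tuple
    peer_networks: tuple
    psk: str
    proposal: Proposal


# Fixed Edge parameters from the guide, with AES selected as the configurable cipher.
EDGE_PROPOSAL = Proposal("main", "aes", "sha1", 2, 28800, 3600, True)


def _nets(cidrs):
    return frozenset(ipaddress.ip_network(c, strict=True) for c in cidrs)


def check_tunnel(a, b):
    """Return a list of problems; an empty list means the two definitions are consistent."""
    problems = []
    if a.peer_endpoint != b.local_endpoint:
        problems.append(f"{a.name} peer IP {a.peer_endpoint} is not {b.name}'s endpoint {b.local_endpoint}")
    if b.peer_endpoint != a.local_endpoint:
        problems.append(f"{b.name} peer IP {b.peer_endpoint} is not {a.name}'s endpoint {a.local_endpoint}")
    if _nets(a.local_networks) != _nets(b.peer_networks):
        problems.append(f"{a.name} local networks are not {b.name}'s peer networks")
    if _nets(b.local_networks) != _nets(a.peer_networks):
        problems.append(f"{b.name} local networks are not {a.name}'s peer networks")
    # The subnets on the two ends of the tunnel must not overlap (Edge requirement).
    for side in (a, b):
        for local in _nets(side.local_networks):
            for peer in _nets(side.peer_networks):
                if local.overlaps(peer):
                    problems.append(f"{side.name}: local {local} overlaps peer {peer}")
    if a.psk != b.psk:  # compared, never printed
        problems.append("pre-shared keys differ")
    if a.proposal != b.proposal:
        problems.append(f"proposal mismatch: {a.proposal} vs {b.proposal}")
    for side in (a, b):
        if side.proposal.ike_mode != "main":
            problems.append(f"{side.name}: the Edge only negotiates main mode")
    return problems


def transit_firewall_entries(a, b):
    """(src, dst, protocol, port) tuples a firewall between the endpoints must pass."""
    entries = []
    for src, dst in ((a.local_endpoint, b.local_endpoint), (b.local_endpoint, a.local_endpoint)):
        entries += [(src, dst, "udp", 500), (src, dst, "udp", 4500),
                    (src, dst, "esp", None), (src, dst, "ah", None)]
    return entries


# The example topology: Edge on 62.148.163.30 in front of 192.168.11.0/24,
# ISA Server on 213.208.238.186 in front of 10.208.238.0/24. The PSK is a placeholder.
EDGE = Side("BetaEdge_Internet", "62.148.163.30", "213.208.238.186",
            ("192.168.11.0/24",), ("10.208.238.0/24",), "replace-with-long-random-psk", EDGE_PROPOSAL)
ISA = Side("ISA Server", "213.208.238.186", "62.148.163.30",
           ("10.208.238.0/24",), ("192.168.11.0/24",), "replace-with-long-random-psk", EDGE_PROPOSAL)

# A constructed misconfiguration: the ISA side was given the vCloud subnet as its own
# local network and a DH group the Edge does not offer.
BROKEN_ISA = replace(ISA, local_networks=("192.168.11.0/24",),
                     proposal=replace(EDGE_PROPOSAL, dh_group=14))

if __name__ == "__main__":
    print("consistent:", check_tunnel(EDGE, ISA) == [])
    for p in check_tunnel(EDGE, BROKEN_ISA):
        print("problem:", p)
    for e in transit_firewall_entries(EDGE, ISA):
        print("allow:", e)
```

Running it reports the good pair as consistent, lists three problems for the broken pair (ISA local networks no longer mirror the Edge peer networks, the overlapping 192.168.11.0/24 on the ISA side, and the DH group mismatch), and prints the eight firewall entries an intermediate firewall needs. Extend the `SAMPLE` sides with the values you actually typed into each dialog before clicking OK.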
Procedure: Create a VPN Rule from the vCloud Networking & Security Edge
A. Click the Administration tab and click the vDC BetaOrgvDC in the left pane.
B. Double-click the organization vDC name to open the organization vDC.
C. Click the Edge Gateways tab, right-click the edge gateway name and select Edge Gateway Services.
D. Click the VPN tab, select the option Enable VPN and click Add.
E. Type a name and an optional description.
F. Select a remote network from the drop-down menu. In the example topology this is the enterprise internal network 10.208.238.0/24 behind the Microsoft ISA Server.
G. Select the local organization vDC network (Beta_OrgvDC_Internet, 192.168.11.0/24).
H. Type the peer settings: the peer IP is the external address of the remote VPN device (213.208.238.186 in the example), the local endpoint is the external IP of the Edge (62.148.163.30), and the shared key must be exactly the same string you will enter on the ISA Server in the next procedure. Use a long, random shared key; with pre-shared key mode it is the only thing authenticating the peer.
I. Review the tunnel settings and click OK.
Steps E to I are shown in the screenshot on the next page.
Procedure: Create a VPN Rule from the Microsoft ISA Server
A. In the Forefront TMG management console, click Remote Access Policy (VPN), open the Remote Sites tab and, in the Tasks pane on the right, click Create VPN Site-to-Site Connection.
B. Give the site-to-site network a name and click Next.
C. Select the option IP Security Protocol (IPsec) tunnel mode and click Next.
D. Specify the tunnel endpoints: the local VPN server is the external address of the ISA Server (213.208.238.186 in the example) and the remote VPN server is the external address of the Edge (62.148.163.30). Click Next.
E. Enter the pre-shared key for IPsec authentication. It must match the shared key configured on the Edge character for character.
F. Specify the IP address range of the vCloud remote site internal network: 192.168.11.0 to 192.168.11.255 (192.168.11.0/24).
G. Create a site-to-site network rule between the internal network 10.208.238.0/24 and the vCloud organization network 192.168.11.0/24.
H. Create a site-to-site network access rule between the internal network 10.208.238.0/24 and the vCloud organization network 192.168.11.0/24. Limit the access rule to the protocols the servers actually need rather than allowing all traffic.
I. Click Finish to complete the site-to-site network configuration.
After the wizard finishes, open the properties of the new remote site network and verify that its IPsec Phase I and Phase II settings match the Edge parameters listed in section 1 (main mode, 3DES or AES as chosen on the Edge, SHA-1, DH group 2, lifetimes of 28800 and 3600 seconds, PFS enabled). A mismatch in any of these only becomes visible as a failed negotiation in the logs, not as an error in the wizard.
2. Create Firewall Rules for the IPSec VPN Tunnel communication between an Organization vDC Network Backed by an Edge Gateway and a Remote Network
Procedure: vCloud Networking & Security Edge Firewall Rules
A. Click the Administration tab and click the vDC BetaOrgvDC in the left pane.
B. Double-click the organization vDC name to open the organization vDC.
C. Click the Edge Gateways tab, right-click the edge gateway name and select Edge Gateway Services.
D. Click the Firewall tab, select the option Enable Firewall and click Add.
E. Select the Enabled option.
F. Type a name for the rule.
G. Type the traffic source: the remote network (10.208.238.0/24 in the example).
H. Select the source port ANY from the drop-down menu.
I. Type the traffic destination: the Beta_OrgvDC_Internet vCloud organization network (192.168.11.0/24).
J. Select the destination port ANY from the drop-down menu.
K. Select the protocol ANY from the drop-down menu.
L. Select the action Allow.
M. Click OK and click OK again.
Repeat steps D through M to add a second firewall rule from the Beta_OrgvDC_Internet vCloud organization network (192.168.11.0/24) to the remote network (10.208.238.0/24).
These two rules allow any protocol on any port between the two networks, which is the quickest way to confirm that the tunnel passes traffic. Once the connection is verified, narrow the protocol and destination port of each rule to the services that actually need to cross the tunnel (for example remote administration of BetaSrv01 and BetaSrv02) so that the VPN does not turn into a flat bridge between the enterprise network and the organization network.
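To see what the two firewall rules from this procedure permit, and what a narrowed pair would permit instead, here is an added Python example (not part of this guide or of the vShield product). It models the fields of the Edge firewall dialog as rule tuples, evaluates them first-match-wins against a few constructed flows, and flags allow rules with no protocol or port restriction. It assumes that unmatched traffic is denied, which is the default policy this checker applies; the RDP and HTTPS services in the narrowed rule set are illustrative assumptions.

```python
"""Evaluate Edge firewall rules against sample flows and flag overly broad allows."""
import ipaddress

ANY = "any"


def _addr_matches(rule_field, address):
    """Rule source/destination is 'any' or a CIDR; address is a single IP."""
    if rule_field == ANY:
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule_field, strict=False)


def _port_matches(rule_field, port):
    return rule_field == ANY or rule_field == port


def evaluate(rules, src, sport, dst, dport, proto):
    """Action of the first matching rule; anything unmatched is treated as denied."""
    for name, r_src, r_sport, r_dst, r_dport, r_proto, action in rules:
        if (_addr_matches(r_src, src) and _port_matches(r_sport, sport)
                and _addr_matches(r_dst, dst) and _port_matches(r_dport, dport)
                and r_proto in (ANY, proto)):
            return action
    return "deny"


def broad_allow_rules(rules):
    """Names of allow rules with neither a protocol nor a destination-port restriction."""
    return [r[0] for r in rules if r[6] == "allow" and r[5] == ANY and r[4] == ANY]


REMOTE_NET = "10.208.238.0/24"
ORG_NET = "192.168.11.0/24"

# Rule fields: (name, source, source port, destination, destination port, protocol, action)
# The two rules exactly as the procedure above creates them.
GUIDE_RULES = [
    ("Remote-to-Beta", REMOTE_NET, ANY, ORG_NET, ANY, ANY, "allow"),
    ("Beta-to-Remote", ORG_NET, ANY, REMOTE_NET, ANY, ANY, "allow"),
]

# A narrowed pair (assumed services, for illustration): RDP from the enterprise network
# to the organization network, HTTPS from the organization network back.
TIGHT_RULES = [
    ("Remote-RDP-to-Beta", REMOTE_NET, ANY, ORG_NET, 3389, "tcp", "allow"),
    ("Beta-HTTPS-to-Remote", ORG_NET, ANY, REMOTE_NET, 443, "tcp", "allow"),
]

# Constructed sample flows: (src, sport, dst, dport, proto)
SAMPLE_FLOWS = [
    ("10.208.238.10", 51000, "192.168.11.5", 3389, "tcp"),  # admin RDP through the tunnel
    ("10.208.238.10", 51001, "192.168.11.5", 445, "tcp"),   # SMB through the tunnel
    ("8.8.8.8", 51002, "192.168.11.5", 3389, "tcp"),        # RDP from the Internet, not the tunnel
]


def decisions(rules):
    """Map each sample flow to the action the rule set yields for it."""
    return {flow: evaluate(rules, *flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, rules in (("guide rules", GUIDE_RULES), ("narrowed rules", TIGHT_RULES)):
        print(label, "- broad allow rules:", broad_allow_rules(rules))
        for flow, action in decisions(rules).items():
            print("  ", action, flow)
```

With the guide's rules both tunnel flows are allowed and both rules are flagged as broad; with the narrowed pair the RDP flow still passes, the SMB flow is denied, and nothing is flagged. Traffic from the Internet address is denied by both sets because it matches neither source network, which is the check that the tunnel rules are not accidentally opening the organization network to the Edge's external side.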