SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Guide

2020 VMware SD-WAN by VeloCloud 3.3


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

1 VMware SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Guide

  SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Overview

  Required Software Requirements and Components

  Procedures

  Troubleshooting


1 VMware SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Guide

The VMware SD-WAN™ by VeloCloud® and VMware Cloud on AWS deployment guide provides step-by-step instructions on how to optimize connectivity between VMware Cloud on AWS and VMware SD-WAN enabled branches.

This chapter includes the following topics:

- SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Overview

- Required Software Requirements and Components

- Procedures

- Troubleshooting

SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Overview

This section provides an overview of the SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Guide.

VMware Cloud on AWS delivers a seamlessly integrated hybrid cloud solution that extends on-premises vSphere environments to a VMware Software-Defined Data Center (SDDC) running on Amazon Elastic Compute Cloud (Amazon EC2) elastic, bare-metal infrastructure that is fully integrated as part of AWS. It serves a broad range of customer use cases including cloud migration, data center extension, DR and next-generation application modernization. With VMware SD-WAN support for VMware Cloud on AWS, users at branches or remote locations get better network connectivity to workloads deployed on VMware Cloud on AWS by leveraging the distributed, hosted VMware SD-WAN Cloud Gateways. This deployment guide provides details on how to achieve this connectivity between an SD-WAN Gateway and a VMC Gateway.

The figure below illustrates the integration of VMware SD-WAN™ by VeloCloud and VMware Cloud™ on AWS, which uses IPsec connectivity between the SD-WAN Gateway and the VMC T0 router.


Required Software Requirements and Components

This section describes the required software requirements and components to optimize connectivity between VMware Cloud on AWS and VMware SD-WAN enabled branches.

- VMware SD-WAN by VeloCloud

  - Software version 3.3.2 or higher

  - "Non-VeloCloud-Site" (NVS) Policy-Based IPsec IKEv1

  - "Edge Profile" configured for Edges

  - VeloCloud Edge appliance with clients connected on LAN or WLAN

  - Gateway address, which can be procured at the time of configuring the NVS. Note: the private IP of the Gateway is also needed (in this release, this IP is hidden from the UI and the network administrator must contact VeloCloud support for this IP)

  - Traffic selection for subnets to be encrypted over the tunnel

  - Client connected to a LAN-side subnet of the Edge

- VMware Cloud on AWS

  - Software version SDDC M10v2 or higher

  - Logical network in the form of a segment with a subnet

  - VMC Public IP

  - Policy-based IPsec IKEv1 VPN

  - Traffic selection for subnets to be encrypted over the tunnel

  - Client VMs connected to a segment within VMware Cloud on AWS that is designated as traffic for IPsec encryption


Procedures

This section provides step-by-step procedures on how to achieve connectivity between an SD-WAN Gateway and a VMware Cloud Gateway.

1 Log into the VMware Cloud Console based on the URL for your SDDC organization (The VMware Cloud Services Login Page).

On the Cloud Services Platform, select VMware Cloud on AWS.

2 Find Public IP used for VPN connectivity by clicking the Networking and Security tab. The VPN Public IP displays below the Overview pane.

3 Determine the networks/subnets selected for traffic encryption (interesting traffic) and note them down. These should originate from Segments under Networking/Security in the VMware Cloud Console (locate them by clicking Segments, under Network).

4 Log into the VMware SD-WAN Orchestrator and verify that the Edges are present, with a green status icon displayed next to them.


5 Go to the Configure tab and click Network Services, and then under non-VeloCloud Sites, click the New button.

6 Provide a name for the NVS, select the type (in this case, Generic Firewall (Policy Based VPN)), enter the Public IP from VMC obtained in Step 2, and click Next.


7 Click the Advanced button, and under the Primary VPN Gateway:

a Change to the desired PSK.

b Ensure encryption is set to AES 256.

c Change DH group to 5.

d Enable PFS and set it to 5.

e Enter the site-subnets captured in Step 3.

f Click the checkbox to Enable Tunnels.

g Click Save Changes.


8 Click View IKE/IPSec Template and copy the information into a text file, and then close the window.

9 Along the left pane, click Configure > Profiles.


10 Go to the profile for the associated Edge and click the appropriate profile.

11 Under the correct Profile:

a Go to the Device tab, under Cloud VPN and Branch to Non-VeloCloud Site, click the checkbox next to Enable.

b In the drop-down menu, select the NVS Network Service that was created (beginning in Step 5).

c Click the Save Changes button at the top of the screen.

12 The tunnel should be ready on the SD-WAN Orchestrator.

13 Log into the VMware Cloud Console.

14 Go to Networking and Security and click the VPN tab. In the VPN area, select Policy Based VPN, and click Add VPN.


15 Provide a name for the Policy Based VPN and configure the following:

a Choose a name. (Choose a name that starts with “To_SDWAN_Gateway,” so the VPN can be easily identified during troubleshooting and future support).

b Select the Public IP.

c Enter the remote Public IP.

d Enter the remote Private IP. NOTE: This requires a call to GSS Support; refer to the following KB article and mention the KB ID when contacting Support: https://ikb.vmware.com/s/article/78196.

e Specify the remote networks located on the VMware SD-WAN Orchestrator.

f Select the Local Networks.

g Under Tunnel Encryption, select AES 256.

h Under Tunnel Digest Algorithm, select SHA1.

i Make sure Perfect Forward Secrecy is set to Enabled.

j Enter the PSK, to match Step 7A.

k Under IKE Encryption, select AES 256.

l Under IKE Digest Algorithm, select SHA 1.

m Under IKE Type, select IKEv2.

n Under Diffie Hellman, select Group 5.

o Click Save.


16 Once the configuration is complete, the tunnel is automatically enabled and will proceed to negotiate the IKE Phase 1 and Phase 2 parameters with the peer, which is the SD-WAN Gateway.

17 Once the tunnel displays green in the VMware Cloud Console, verify that it also displays green in the SD-WAN Orchestrator (go to Monitor > Network Services).

18 Start a ping from a client connected at each end towards the opposite client, and verify ping reachability.


The tunnel configuration is now complete and verified.

Troubleshooting

This section describes troubleshooting information for connecting an SD-WAN Gateway and a VMware Cloud Gateway.

While from a user perspective there is limited CLI and log access, there are errors you can capture and share with Support. One of the first areas to troubleshoot is to ensure that IKE Phase 1 and 2 parameters are equivalent on both ends. It’s possible that the Pre-Shared-Key might be incorrectly entered, causing IKE to fail in authentication.
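As an added example (not from the VMware guide), the following Python pre-flight check compares the settings entered on the SD-WAN Orchestrator NVS (Step 7) with those on the VMC Policy Based VPN (Step 15) and reports every mismatch, including a mis-typed PSK and non-mirrored traffic selectors. The field names and both sample configurations are assumptions constructed for this example; the IKE/IPSec template text copied in Step 8 is not parsed here.

```python
import hashlib
import ipaddress

# Phase 1 (IKE) and Phase 2 (IPsec) settings that must be identical on both peers
# (Steps 7b-7d on the Orchestrator, Steps 15g-15n on VMC). Field names are assumed.
PHASE1 = ("ike_encryption", "ike_digest", "dh_group")
PHASE2 = ("tunnel_encryption", "tunnel_digest", "pfs_group")

def _nets(cidrs):
    """Normalise CIDRs so '10.70.0.0/24' and '10.70.0.9/24' compare equal."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def _psk_fingerprint(psk):
    # Compare a digest rather than the secret, so the report is safe to share with Support.
    return hashlib.sha256(psk.encode()).hexdigest()[:12]

def check_tunnel(sdwan, vmc):
    """Return a list of mismatches between the NVS and the VMC VPN; [] means they agree."""
    problems = []
    for field in PHASE1 + PHASE2:
        if sdwan.get(field) != vmc.get(field):
            problems.append(f"{field}: SD-WAN={sdwan.get(field)!r} VMC={vmc.get(field)!r}")
    if _psk_fingerprint(sdwan["psk"]) != _psk_fingerprint(vmc["psk"]):
        problems.append("psk: fingerprints differ (IKE authentication will fail)")
    # Traffic selectors are mirrored: VMC's local networks (Step 15f) are the
    # site-subnets the NVS lists as remote (Step 7e), and VMC's remote networks
    # (Step 15e) are the branch subnets behind the Edge.
    if _nets(sdwan["remote_networks"]) != _nets(vmc["local_networks"]):
        problems.append("traffic selectors: NVS site-subnets != VMC local networks")
    if _nets(sdwan["local_networks"]) != _nets(vmc["remote_networks"]):
        problems.append("traffic selectors: branch subnets != VMC remote networks")
    return problems

# Constructed sample settings (not from the guide). SDWAN_NVS is what Step 7 produced.
SDWAN_NVS = {
    "ike_encryption": "AES256", "ike_digest": "SHA1", "dh_group": 5,
    "tunnel_encryption": "AES256", "tunnel_digest": "SHA1", "pfs_group": 5,
    "psk": "example-psk-CHANGE-ME",
    "local_networks": ["192.168.10.0/24"],   # branch LAN behind the Edge
    "remote_networks": ["10.70.0.0/24"],     # VMC segment noted in Step 3
}
# A correctly mirrored VMC VPN, and one with a trailing space in the PSK and the wrong DH group.
VMC_VPN_OK = dict(SDWAN_NVS, local_networks=["10.70.0.0/24"], remote_networks=["192.168.10.0/24"])
VMC_VPN_BAD = dict(VMC_VPN_OK, psk="example-psk-CHANGE-ME ", dh_group=14)

if __name__ == "__main__":
    for label, vmc in (("ok", VMC_VPN_OK), ("bad", VMC_VPN_BAD)):
        print(label, check_tunnel(SDWAN_NVS, vmc) or "parameters match")
```

Running the block reports nothing for the mirrored configuration and two findings for the bad one; a trailing space in the PSK is invisible in both UIs but still fails IKE authentication.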

Some Tips to Consider:

- The private IP of the SD-WAN Gateway is needed and can only be obtained from a diagnostic bundle of the SD-WAN Gateway or by using SSH to access the Gateway. This activity can only be done by VMware SD-WAN Support.

- End-users can check events/alerts in the SD-WAN Orchestrator and set it up to receive emails.

- End-users can view the tunnel status under the VMC Networking/Security Policy VPN section.

- End-users can also click the info icon next to the tunnel status to view some additional messages.

- vRealize Log Insight Cloud is another tool that provides log information for VMC.

- If the issue is not resolved by the end-user, engage VMware Global Support Services (GSS) and mention that both VMC and VMware SD-WAN are in use.
