Cohesive Networks VNS3 Guide for Flexiant


copyright 2015

Flexiant Cloud Orchestrator Configuration: Flexiant Deployment Setup for VNS3:vpn, VNS3:net and VNS3:turret (2015)

Table of Contents

Introduction 3
Flexiant Cloud Orchestrator Deployment Setup 9
VNS3 Configuration Document Links 14


Introduction



Requirements


• You have a Flexiant Cloud Orchestrator account.

• You agree to the following VNS3 Terms and Conditions (Free Edition | BYOL)

• Ability to configure a client (whether desktop-based or cloud-based) to use OpenVPN client software.

• You have a compliant IPsec firewall/router networking device:

Preferred - Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

Best Effort - Any IPsec device that supports IKEv1 or IKEv2; AES256, AES128 or 3DES; and SHA1 or MD5.

*Known Exclusions - Check Point R65+ requires native IPsec connections, as Check Point does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.


Getting Help with VNS3


This guide covers a very generic VNS3 setup in a Flexiant Cloud Orchestrator computing facility. If you are interested in more custom use cases and would like Cohesive to advise on and help set up the topology, contact [email protected] for services pricing. Please review the VNS3 Support Plans and Contacts before sending support inquiries.


Firewall Considerations


VNS3 Controller instances use the following TCP and UDP ports.

• UDP port 1194 - For client VPN connections; the network ACL or hypervisor access rule for the VNS3 Controller must allow UDP port 1194 from all servers that will join the VNS3 topology as clients.

• UDP ports 1195-1197 - For peering between VNS3 Controller peers; must be accessible from all peers in a given topology. Free Edition and Lite Edition do not require UDP ports 1195-1197 access, as they are not licensed for Controller Peering (Single Controller Topologies).

• TCP port 8000 - HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure your VNS3 topology. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

• UDP port 500, ESP protocol and possibly UDP port 4500 - IPsec connections to CenturyLink Cloud support both native IPsec (UDP 500 and ESP protocol 50) and NAT-Traversal encapsulation (UDP 500 and UDP 4500).

• Free Edition: TCP port 8081 - For access to the Cohesive License Controller service to register the Free Edition instance and receive a Free Edition License.


Remote Support


Note that TCP 22 (ssh) is not required for normal operations.

Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.


Sizing Considerations


Image Size and Architecture

VNS3 Edition Controller Images (Free Edition and BYOL-UL) are available as 64-bit images to allow the greatest flexibility for your use case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported, but performance will depend on the use case.


Clientpack Key Size

VNS3 Controllers currently generate 1024-bit keys for connecting clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64-bit to 2048-bit). Future releases of VNS3 will give the user control over key size and cipher during initialization and configuration.



Flexiant Cloud Orchestrator Deployment Setup



Flexiant Cloud Orchestrator: Select VNS3 Image and Build


Log in to your Flexiant Cloud Orchestrator (FCO) account and go to the Images tab to ensure you have a VNS3 image in your account. If not, contact Flexiant Support.

On the dashboard page click on Create Server.

On the Create Server page give your targeted VNS3 instance a name. Select your desired memory and CPU.

Select VNS3 as your image and select your Disk Size (note that 8 GB is the required minimum). Finally, select your network; ensure that this network has access to a public IP address, either via NAT to NIC 1/eth0 or directly assigned on NIC 1/eth0.

Select Save.


FCO Configuration: Public IP Access


Once your VNS3 instance has been created, scroll down the Manage Server window to the NICs section.

Then enter a new name for your private VLAN NIC and select the private VLAN you wish to use.

Note down the Public IP which has been assigned to NIC 1, as this is needed to access the VNS3 UI.

Once complete click Start Server.


FCO Configuration: Private VLAN


If you are using DHCP for your private VLAN, proceed to the next page.

In an FCO cloud, an instance can have a public IP on eth0 and a private VLAN IP on eth1. When you create a private VLAN in FCO, do not define a specific subnet mask. Clients launched with “eth1” connected to a private VLAN must have addresses in the same subnet in their local configurations.

As a result, VNS3 can be used as an Internet Gateway sitting at the private VLAN edge, providing NAT and port forwarding for the other devices in the private VLAN.


VNS3 Controller Log in


Log in to the VNS3 Web UI at https://<Controller IP>:8000

Default username: vnscubed. Default password: vnscubed

Reset your passwords:

• Reset the Web UI Password - Even though the instance id is unlikely to be “guessed”, please change it for security purposes.

• NOTE: Your VNS3 Controller answers API calls on the same port 8000 that the web interface runs on. Ideally, make a separate password for API usage against the Controller.

• Reset the API Password - Even though the instance id is unlikely to be “guessed”, please change it for security purposes; again, making it different from the web interface password is best.

• NOTE: Cohesive does not have any key access or remote access to your VNS3 Controllers unless provided by you. If you forget these passwords, we cannot recover them for you.


Configure VNS3 for the Private VLAN


Before any other configuration steps on your VNS3 Manager, you can configure it to use your Private VLAN.

Select the “Private VLAN” menu item under the “Admin” section. (Remember: the VLAN is defined “collectively” by the addresses assigned to the instances in the VLAN.) Please note that the instances in the VLAN should be configured with the same subnet mask.

In this case we are de facto making the VLAN a 192.168.10.0/24 subnet. This is done by setting an address for the VNS3 Manager’s private IP (192.168.10.1) and then setting a network mask for the entirety of the subnet (255.255.255.0, which translates to a /24).

Hit “Save and Reboot” and the VNS3 Manager will set up its internal “eth1” and reboot to properly initialize the interface and associated internal ACLs.



Configure VNS3 as Internet Gateway

In order to configure VNS3 as the Internet Gateway, the following firewall rules need to be entered. (The example continues assuming the VLAN is 192.168.10.0/24.)

# Allow traffic to/from the VLAN to this VNS3 Manager
INPUT_CUST -s 192.168.10.0/24 -j ACCEPT
OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT

# NAT traffic from the VLAN that is using this VNS3 Manager as Internet Gateway
MACRO_CUST -o eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE

# Port forward traffic to my 192.168.10.2 host
PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22

Assuming your VLAN host is like the example, at 192.168.10.2, and is accessible via SSH, the firewall is now configured to NAT traffic for any VLAN host that uses the Manager as its Internet Gateway, and the last rule shows how to port forward traffic into the VLAN through the VNS3 Manager.
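The Private VLAN step derives the subnet from the Manager's private IP and netmask, and the rules above are then written against that subnet. The following added example (not part of the guide or of VNS3 itself) does the same derivation and generates the INPUT_CUST, OUTPUT_CUST, MACRO_CUST and PREROUTING_CUST rules for any VLAN and list of port forwards, refusing a forward whose target host lies outside the VLAN; the function names and the (33, 192.168.10.2, 22) sample forward are constructed for illustration.

```python
import ipaddress

# Constructed example values follow the guide: the VNS3 Manager's private
# IP is 192.168.10.1 with netmask 255.255.255.0 (a /24), and one VLAN host
# at 192.168.10.2 is reachable over SSH through public TCP port 33.


def vlan_subnet(manager_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Derive the VLAN subnet from the Manager's private IP and dotted netmask.

    Mirrors the 'Private VLAN' step: 192.168.10.1 with 255.255.255.0 yields
    192.168.10.0/24, the subnet every VLAN instance must share.
    """
    return ipaddress.IPv4Interface(f"{manager_ip}/{netmask}").network


def gateway_rules(manager_ip: str, netmask: str, forwards) -> list:
    """Build the VNS3 firewall rules that make the Manager an Internet Gateway.

    forwards: iterable of (public_port, vlan_host, host_port) tuples.
    Each forwarded host is checked to lie inside the VLAN subnet, so a typo
    such as 192.168.11.2 is rejected instead of producing a dead DNAT rule.
    """
    net = vlan_subnet(manager_ip, netmask)
    rules = [
        # Allow traffic to/from the VLAN to this VNS3 Manager
        f"INPUT_CUST -s {net} -j ACCEPT",
        f"OUTPUT_CUST -d {net} -j ACCEPT",
        # Masquerade VLAN traffic leaving via the public interface eth0
        f"MACRO_CUST -o eth0 -s {net} -d 0.0.0.0/0 -j MASQUERADE",
    ]
    for public_port, host, host_port in forwards:
        if ipaddress.IPv4Address(host) not in net:
            raise ValueError(f"{host} is not inside VLAN {net}")
        if not (1 <= public_port <= 65535 and 1 <= host_port <= 65535):
            raise ValueError(f"port out of range: {public_port}->{host_port}")
        # Port forward inbound traffic on eth0 to the VLAN host
        rules.append(
            f"PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport {public_port} "
            f"-j DNAT --to {host}:{host_port}"
        )
    return rules


if __name__ == "__main__":
    for rule in gateway_rules("192.168.10.1", "255.255.255.0",
                              [(33, "192.168.10.2", 22)]):
        print(rule)
```

Running the block prints exactly the four rules shown above for the guide's example VLAN.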


VNS3 Configuration Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions - Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document - Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker Instructions - Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting - A troubleshooting document that explains the issues most commonly experienced with VNS3.