Creating IPSec Site-to-Site VPN Tunnel between an Organization vDC vShield Edge and Remote Network · 2015. 5....


  • Creating IPSec Site-to-Site VPN Tunnel between an Organization vDC vShield Edge and Remote Network

    This document is the manual for configuring the network, creating the firewall rules and testing the connection.

    Version 1.0

    1. Create a VPN Tunnel from an Organization vDC Network Backed by an Edge Gateway to a Remote Network

    Procedure: Create a VPN Rule from the vCloud Networking & Security Edge

    Procedure: Create a VPN Rule from the Microsoft ISA Server

    2. Create Firewall Rules for the IPSec VPN Tunnel communication between an Organization vDC Network Backed by an Edge Gateway to a Remote Network

    Procedure: vCloud Networking & Security Edge Firewall Rules

  • 1. Create a VPN Tunnel from an Organization vDC Network Backed by an Edge Gateway to a Remote Network

    You can create VPN tunnels between an organization vDC network and your internal Enterprise Network (Remote Network). Organization administrators can create VPN tunnels with the vShield Edge Gateway.

    vShield Edge modules support site-to-site IPSec VPN between a vShield Edge instance and remote sites. vShield Edge supports certificate authentication, preshared key mode, IP unicast traffic, and no dynamic routing protocol between the vShield Edge instance and remote VPN routers. Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind a vShield Edge through IPSec tunnels. These subnets and the internal network behind a vShield Edge must have address ranges that do not overlap. You can have a maximum of 64 tunnels across a maximum of 10 sites.

    IPSec is a framework of open standards. The logs of the vShield Edge and other VPN appliances contain many technical terms that you can use to troubleshoot the IPSec VPN. These are some of the standards you may encounter:

    ISAKMP (Internet Security Association and Key Management Protocol) is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key exchange independent.

    Oakley is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection using the Diffie-Hellman key exchange algorithm.

    IKE (Internet Key Exchange) is a combination of the ISAKMP framework and Oakley. vShield Edge provides IKEv2.

    Diffie-Hellman (DH) key exchange is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. VSE supports DH group 2 (1024 bits) on the Denit vCloud environment.

    IKE Phase 1 and Phase 2

    IKE is a standard method used to arrange secure, authenticated communications.

    Phase 1 Parameters

    Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by the vShield Edge are:

    Main mode

    TripleDES / AES [Configurable]

    SHA-1

    MODP group 2 (1024 bits)

    Pre-shared secret [Configurable]

    SA lifetime of 28800 seconds (eight hours) with no Kbytes rekeying

    ISAKMP aggressive mode disabled

    Phase 2 Parameters

    IKE Phase 2 negotiates an IPSec tunnel by creating keying material for the IPSec tunnel to use (either by using the IKE Phase 1 keys as a base or by performing a new key exchange). The IKE Phase 2 parameters supported by vShield Edge are:

    TripleDES / AES [Will match the Phase 1 setting]

    SHA-1

    ESP tunnel mode

    MODP group 2 (1024 bits)

    Perfect forward secrecy for rekeying

    SA lifetime of 3600 seconds (one hour) with no Kbytes rekeying

    Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets
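    A mismatch between what the remote peer proposes and the Phase 1 / Phase 2 parameters above is the usual reason a tunnel never comes up. The following check is an added example, not code from this guide or from VMware or Microsoft: it encodes the Edge parameters listed above and reports which of a peer's settings differ. The field names (p1_exchange, p2_pfs_group, and so on) and the sample proposals are this example's own constructed conventions, not vShield Edge or ISA/TMG setting names.

```python
# Phase 1 / Phase 2 parameters of the vShield Edge as listed above, written as
# (field, accepted values, description). The field names are this example's own
# convention (constructed); they are not vShield Edge or ISA/TMG setting names.
EDGE_PARAMETERS = [
    ("p1_exchange",    {"main"},        "Phase 1 main mode (aggressive mode is disabled)"),
    ("p1_encryption",  {"3des", "aes"}, "Phase 1 encryption TripleDES or AES"),
    ("p1_hash",        {"sha1"},        "Phase 1 hash SHA-1"),
    ("p1_dh_group",    {2},             "Phase 1 MODP group 2 (1024 bits)"),
    ("p1_auth",        {"psk"},         "Phase 1 pre-shared secret as used in this guide"),
    ("p1_lifetime_s",  {28800},         "Phase 1 SA lifetime 28800 s"),
    ("p1_lifetime_kb", {0},             "Phase 1 no Kbytes rekeying"),
    ("p2_mode",        {"esp-tunnel"},  "Phase 2 ESP tunnel mode"),
    ("p2_hash",        {"sha1"},        "Phase 2 hash SHA-1"),
    ("p2_pfs_group",   {2},             "Phase 2 perfect forward secrecy with MODP group 2"),
    ("p2_lifetime_s",  {3600},          "Phase 2 SA lifetime 3600 s"),
    ("p2_lifetime_kb", {0},             "Phase 2 no Kbytes rekeying"),
]

def check_proposal(peer: dict) -> list[str]:
    """Compare the remote peer's proposal (a dict keyed by the field names above)
    with the Edge parameters. Returns the mismatches; an empty list means the
    peer offers exactly what the Edge negotiates."""
    issues = []
    for field, accepted, what in EDGE_PARAMETERS:
        value = peer.get(field)
        if value not in accepted:
            issues.append(f"{field}={value!r} does not match {what}")
    # Phase 2 encryption is not chosen separately: it must equal the Phase 1 setting.
    if peer.get("p2_encryption") != peer.get("p1_encryption"):
        issues.append(f"p2_encryption={peer.get('p2_encryption')!r} must match "
                      f"p1_encryption={peer.get('p1_encryption')!r}")
    return issues

# Constructed sample: a peer-side proposal that matches the Edge parameters.
GOOD_PEER = {"p1_exchange": "main", "p1_encryption": "aes", "p1_hash": "sha1",
             "p1_dh_group": 2, "p1_auth": "psk", "p1_lifetime_s": 28800,
             "p1_lifetime_kb": 0, "p2_mode": "esp-tunnel", "p2_encryption": "aes",
             "p2_hash": "sha1", "p2_pfs_group": 2, "p2_lifetime_s": 3600,
             "p2_lifetime_kb": 0}
# Constructed sample: aggressive mode, DH group 14 and PFS disabled, three
# settings the Edge does not accept, so the negotiation would fail.
BAD_PEER = dict(GOOD_PEER, p1_exchange="aggressive", p1_dh_group=14, p2_pfs_group=0)

if __name__ == "__main__":
    for name, peer in (("good", GOOD_PEER), ("bad", BAD_PEER)):
        print(name, check_proposal(peer) or "OK")
```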

  • If a firewall is between the tunnel endpoints, you must configure it to allow the following IP protocols and UDP ports:

    IP Protocol ID 50 (ESP)

    IP Protocol ID 51 (AH)

    UDP Port 500 (IKE)

    UDP Port 4500

    Prerequisites

    Verify that you have a routed remote network that uses IPSec and an organization vDC network backed by an edge gateway.

    Example: VPN Tunnel Example (network diagram; the values below are the labels recoverable from it)

    vCloud External Network: Ext-Network-Vlan210, 62.148.163.0/24

    vCloud Network & Security Edge device: BetaEdge_Internet, Sub-Allocate IP Pools 62.148.163.31 - 62.148.163.38, Ext: 62.148.163.30, Int: 192.168.11.1

    vCloud Organization Network: Beta_OrgvDC_Internet, 192.168.11.0/24 (BetaSrv01, BetaSrv02)

    Remote Network: Microsoft ISA Server device, 213.208.238.184/29, Ext: 213.208.238.186, Int: 10.208.238.10

    Enterprise Internal Network: 10.208.238.0/24

    IPsec VPN Tunnel over the Internet between the two Ext addresses
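    The constraints in this section (non-overlapping address ranges, at most 64 tunnels across 10 sites, and the ESP/AH/UDP 500/UDP 4500 openings on any firewall between the endpoints) are easy to get wrong when a tunnel is planned by hand. The following validator is an added example, not code from this guide or from VMware: it checks a planned tunnel list against those limits and lists the firewall rules each tunnel needs, using the addresses from the example diagram as constructed sample input. The dict keys (local_endpoint, remote_subnet, and so on) are this example's own convention.

```python
import ipaddress

# Openings a firewall between the tunnel endpoints must allow, from the list above.
# For "ip" entries the number is the IP protocol ID, for "udp" entries the port.
TUNNEL_PROTOCOLS = [("ip", 50, "ESP"), ("ip", 51, "AH"),
                    ("udp", 500, "IKE"), ("udp", 4500, "NAT-T")]
MAX_TUNNELS, MAX_SITES = 64, 10   # limits stated in this section

def validate_tunnels(tunnels: list[dict]) -> list[str]:
    """Check a planned set of tunnels against the constraints in this guide:
    local and remote subnets must not overlap, and there are at most 64 tunnels
    across 10 remote sites (a site is identified by its remote endpoint here).
    Each tunnel is a dict with local_endpoint, remote_endpoint, local_subnet and
    remote_subnet (this example's own keys, constructed)."""
    errors = []
    if len(tunnels) > MAX_TUNNELS:
        errors.append(f"{len(tunnels)} tunnels exceeds the maximum of {MAX_TUNNELS}")
    sites = {t["remote_endpoint"] for t in tunnels}
    if len(sites) > MAX_SITES:
        errors.append(f"{len(sites)} remote sites exceeds the maximum of {MAX_SITES}")
    for t in tunnels:
        local = ipaddress.ip_network(t["local_subnet"])
        remote = ipaddress.ip_network(t["remote_subnet"])
        if local.overlaps(remote):
            errors.append(f"{local} overlaps {remote}; the address ranges must not overlap")
    return errors

def required_rules(tunnel: dict) -> list[tuple]:
    """Rules as (source, destination, protocol, number, name): the perimeter
    openings between the endpoints in both directions, plus the two Edge
    firewall rules (any protocol, any port) between the two networks."""
    a, b = tunnel["local_endpoint"], tunnel["remote_endpoint"]
    rules = []
    for proto, number, name in TUNNEL_PROTOCOLS:
        rules.append((a, b, proto, number, name))
        rules.append((b, a, proto, number, name))
    rules.append((tunnel["remote_subnet"], tunnel["local_subnet"], "any", "any", "Edge rule 1"))
    rules.append((tunnel["local_subnet"], tunnel["remote_subnet"], "any", "any", "Edge rule 2"))
    return rules

# Constructed from the example diagram above.
BETA_TUNNEL = {"local_endpoint": "62.148.163.30", "remote_endpoint": "213.208.238.186",
               "local_subnet": "192.168.11.0/24", "remote_subnet": "10.208.238.0/24"}

if __name__ == "__main__":
    print(validate_tunnels([BETA_TUNNEL]) or "plan OK")
    for rule in required_rules(BETA_TUNNEL):
        print(rule)
```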

  • Procedure: Create a VPN Rule from the vCloud Networking & Security Edge

    A. Click the Administration tab and click the vDC BetaOrgvDC in the left pane.

    B. Double-click the organization vDC name to open the organization vDC.

    C. Click the Edge Gateways tab, right-click the edge gateway name and select Edge Gateway Services.

    D. Click the VPN tab, select the option Enable VPN and click Add.

    E. Type a name and optional description. (See screenshot on the next page)

    F. Select a remote network from the drop-down menu. (See screenshot on the next page)

    G. Select the local organization vDC network. (See screenshot on the next page)

    H. Type the peer settings. (See screenshot on the next page)

    I. Review the tunnel settings and click OK. (See screenshot on the next page)

  • Procedure: Create a VPN Rule from the Microsoft ISA Server

    A. From the Forefront TMG console, click the Remote Access Policy (VPN) tab and, in the right pane, click Create VPN Site-to-Site Connection.

    B. Give the Site-to-Site network a name and click Next.

  • C. Select the option IP Security Protocol (IPSec) tunnel mode and click Next.

    D. Specify the tunnel endpoints on the remote and local VPN servers and click Next.

  • E. Enter a pre-shared key for IPSec authentication.

  • F. Specify the IP address ranges of the vCloud remote site internal network.

  • G. Create a Site-to-Site Network rule between the internal network 10.208.238.0/24 and the vCloud Organization Network 192.168.11.0/24.

  • H. Create a Site-to-Site Network Access rule between the internal network 10.208.238.0/24 and the vCloud Organization Network 192.168.11.0/24.

  • I. Click Finish to complete the Site-to-Site Network configuration.

  • 2. Create Firewall Rules for the IPSec VPN Tunnel communication between an Organization vDC Network Backed by an Edge Gateway to a Remote Network

    Procedure: vCloud Networking & Security Edge Firewall Rules

    A. Click the Administration tab and click the vDC BetaOrgvDC in the left pane.

    B. Double-click the organization vDC name to open the organization vDC.

    C. Click the Edge Gateways tab, right-click the edge gateway name and select Edge Gateway Services.

    D. Click the Firewall tab, select the option Enable Firewall and click Add.

  • E. Select the Enabled option.

    F. Type a name for the rule.

    G. Type the traffic Source: the Remote Network.

    H. Select the Source port ANY to apply this rule on from the drop-down menu.

    I. Type the traffic Destination: the Beta_OrgvDC_Internet vCloud Organization Network.

    J. Select the Destination port ANY to apply this rule on from the drop-down menu.

    K. Select the Protocol ANY to apply this rule on from the drop-down menu.

    L. Select the action Allow.

    M. Click OK and click OK again.

  • Repeat Steps D through M to add a second Firewall Rule from the Beta_OrgvDC_Internet vCloud Organization Network to the Remote Network.