VNS3 GRE Over IPsec Companion - Cohesive Networks

VNS3 GRE over IPsec Connecting to a remote device using a GRE tunnel over IPsec


© 2018

Requirements and Restrictions


• You have access to a VNS3 controller instance

• The VNS3 controller instance is running in a non-overlapping VLAN (e.g. VPC Subnet, Google Network, etc.) and a non-overlapping VNS3 Overlay Subnet

• Connecting underlying unencrypted VLANs is restricted to Cloud environments that provide both packet forwarding features and route table controls, so that VNS3 controller instances can act as the router/switch for packets being sent to a connected environment


Using NAT-Traversal Encapsulation


Change VNS3 Local Private IP


When connecting a GRE tunnel, the local private IP address is required in the remote Endpoint definition.

Change the default value of 192.0.2.254 to either:

1. the public IP of the VNS3 controller (in the example to the right it would be 52.14.33.41), -OR-

2. the VPC private IP (in the example to the right it would be 192.168.201.8) if the VNS3 controller is on a Direct Connect or VPC Peering edge

Click IPsec under the Connections left menu.

Click Change next to the Local private IP address.

On the resulting page enter the public IP address of your VNS3 controller in the New local IP address field.

Click Save changes.


IPsec Configuration: Define a New Remote Endpoint

To create an IPsec endpoint, click Define new remote endpoint.

Enter a name for the Endpoint configuration.

Occasionally there is another router between the IPsec firewall and the Internet. Enter the public facing IP address of either the IPsec device or router between the cloud and the IPsec device (see picture below).

If your IPsec device is behind a router, enter the external IP interface of the IPsec device (see picture below).

Click the Enable NAT-Traversal checkbox.

Enter a PSK in the Preshared Key fields.

Click the Enable PFS checkbox (optional but recommended).

Click the Enable GRE over IPSec checkbox.

Enter any IPsec parameters needed in the Extra configuration parameters field. These parameters must match on both sides for the tunnel to negotiate.

Click Create.


[Diagram: Your Data Center (LAN, IPsec Device, optional Router) connected over IPsec to VNS3 in the Public Cloud (Overlay Network, Overlay Clients). If a router is present, enter its public IP as the Endpoint. Use the local IP as the NAT IP with a router; use the public IP as the Endpoint IP without a router.]


VNS3-A: Create a New Tunnel

Unlike a traditional IPsec connection, VNS3 will automatically create the tunnel definitions.

Provided the endpoint configuration is correct, the tunnel will establish and connect.


Connected


VNS3 Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Document: Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Docker Instructions: Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting: Troubleshooting document that explains issues that are more commonly experienced with VNS3.