VNS3 to Windows RRAS Instructions · 2019-04-02 · VNS3 to Windows RRAS Instructions Windows 2012...

© 2018 VNS3 to Windows RRAS Instructions Windows 2012 R2 RRAS Configuration Guide 2018

Page 1

VNS3 to Windows RRAS Instructions

Windows 2012 R2 RRAS Configuration Guide 2018

Page 2

Site-to-Site IPsec Tunnel

The IPsec protocol allows you to securely connect two sites together over the public internet using cryptographically secured services. IPsec ensures private and secure communication between two devices. This type of VPN has many use cases. We will focus on the Site-to-Site or LAN-to-LAN setup most often used with VNS3 to build Hybrid Clouds.

Many network hardware devices support IPsec tunneling functionality. Check your device's data sheet to see if it is compatible with VNS3. The requirements are:

• IKEv1 or IKEv2

• AES256, AES128 or 3DES

• SHA1 or MD5

• NAT-Traversal capability (some clouds require NAT-Traversal encapsulation: AWS Generic EC2, Microsoft Azure, etc.)

A diagram of the typical secure hybrid cloud setup using VNS3 is provided on the right. The IPsec tunnel provides secure and encrypted connectivity between the office subnet (10.0.2.0/26) and the VNS3 Overlay Network (172.16.1.0/24).

This guide will provide steps to setup the Windows 2012 R2 RRAS side of the IPsec configuration.

The most important thing in any IPsec configuration is to make sure all settings match on both devices that are going to connect to each other. Mismatches are the primary cause for tunnel failure or instability.

[Diagram: typical secure hybrid cloud setup using VNS3]

Public Cloud

• Overlay Network Subnet: 172.16.1.0/24

• Cloud Server Overlay IP: 172.16.1.1

• VNS3 public IP: 54.54.54.131, overlay IP: 172.16.1.253

Customer Remote Office

• Remote subnet: 10.0.2.0/26

• Server A LAN IP: 10.0.2.1

• Server B LAN IP: 10.0.2.2

• Windows RRAS

Active IPsec tunnel: 10.0.2.0/26 - 172.16.1.0/24

Page 3

Update Windows Network Adapter Settings

This step may be required depending on the Windows server deployment environment. We recommend you take this step if the Windows server is deployed to a public cloud environment like AWS EC2.

To update your adapter settings:

1. Open the Control Panel

2. Click View network status and tasks under the Network and Internet setting category

3. Click the Ethernet connection listed under the active networks

4. Click Properties on the resulting Ethernet Status window

5. Click Configure on the resulting Ethernet Properties window

6. Disable the IPv4 Checksum Offload, TCP Checksum Offload (IPv4), and UDP Checksum Offload (IPv4) properties, and then click OK
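The same adapter change can be made and verified from an elevated PowerShell prompt, which is convenient on cloud instances where the GUI is reached over RDP. This is an added example, not part of the original guide; it assumes the adapter is named "Ethernet" (adjust $AdapterName otherwise) and uses the standard NetAdapter module cmdlets.

```powershell
# Added example (not from the guide): disable the three IPv4 checksum offloads
# from step 6 using the NetAdapter cmdlets, with a before/after check.
# Assumption: the adapter is called "Ethernet"; change $AdapterName to match.
$AdapterName = "Ethernet"

# Record the current state first so the change can be reverted if needed.
Get-NetAdapterChecksumOffload -Name $AdapterName |
    Format-Table Name, IpIPv4Enabled, TcpIPv4Enabled, UdpIPv4Enabled -AutoSize

# Disable exactly the properties the guide names:
# IPv4 Checksum Offload, TCP Checksum Offload (IPv4), UDP Checksum Offload (IPv4).
Disable-NetAdapterChecksumOffload -Name $AdapterName -IpIPv4 -TcpIPv4 -UdpIPv4

# Verify: all three must now report Disabled, otherwise stop here.
$state = Get-NetAdapterChecksumOffload -Name $AdapterName
if ($state.IpIPv4Enabled  -ne 'Disabled' -or
    $state.TcpIPv4Enabled -ne 'Disabled' -or
    $state.UdpIPv4Enabled -ne 'Disabled') {
    throw "IPv4 checksum offload is still enabled on adapter '$AdapterName'"
}
```

The IPv6 offloads are left untouched on purpose, matching the GUI steps above; add -TcpIPv6 and -UdpIPv6 only if your deployment needs them.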

Page 4

Install RRAS

Page 5

Installing RRAS

Before configuring an IPsec tunnel, RRAS needs to be installed and configured on the Windows 2012 R2 server.

1. Open Server Manager from the start menu

2. Click Manage

3. Click Add Roles and Features

4. Click Role-based or feature-based installation

5. Click Next

6. Click on your Windows 2012 R2 server, and then click Next


Page 6

Installing RRAS

7. Click Network Policy and Access Services in the list and in the popup window, click Add Features

8. Click Remote Access

9. Click Next

10. On the Select features page, click Next


Page 7

Installing RRAS

11. On the Network Policy and Access Services page, click Next

12. Leave Network Policy Server selected, and click Next

Page 8

Installing RRAS

13. On the Remote Access page, click Next

14. On the next page, select DirectAccess and VPN (RAS) and in the popup window, click Add Features

15. Click Routing

16. Click Next

Page 9

Installing RRAS

17. On the Web Server Role (IIS) page, click Next

18. Leave the default selection, and click Next

19. Click Install

Page 10

Configure RRAS

Page 11

Configuring RRAS

1. From the Server Manager Dashboard, click Remote Access Manager from the Tools menu.

2. On the resulting Remote Access Management Console window click DirectAccess and VPN under the Configuration left column menu item.

3. Then click Run the Getting Started Wizard

4. Choose Deploy VPN only

Page 12

Configuring RRAS

5. In the Routing and Remote Access dialog box, select the server name, click Action, and click Configure and Enable Routing and Remote Access

6. In the Routing and Remote Access Server Setup Wizard, click Next

7. On the Configuration page, select Custom Configuration and click Next

8. Select LAN routing

9. Click Next

10. Click Finish

11. When prompted by the Routing and Remote Access dialog box, click Start service
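The role installation on pages 5 to 9 and the LAN-routing configuration on pages 11 and 12 can be scripted on the server itself, which makes the result repeatable and easy to audit. This is an added example and not the guide's or Cohesive Networks' own procedure; it assumes an elevated PowerShell prompt on the Windows 2012 R2 server and uses the standard Windows feature names for Network Policy and Access Services, Remote Access, DirectAccess/VPN and Routing.

```powershell
# Added example (not from the guide): install the roles the wizard selects and
# configure RRAS for LAN routing only, then start the service.
# Assumption: run elevated on the Windows 2012 R2 server; feature names are the
# standard Windows Server names for the components the wizard pages select.
$features = @('NPAS', 'RemoteAccess', 'DirectAccess-VPN', 'Routing')

# Equivalent of Add Roles and Features (pages 5-9). -IncludeManagementTools adds
# the Remote Access Management Console used on page 11.
$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Role installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning "A reboot is required before RRAS can be configured"
}

# Equivalent of Custom Configuration > LAN routing (page 12, steps 7-8).
Install-RemoteAccess -VpnType RoutingOnly

# Equivalent of the Start service prompt (page 12, step 11); make it start at boot.
Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service -Name RemoteAccess

# Check: the service should report Running before moving on to the tunnel rule.
Get-Service -Name RemoteAccess | Select-Object Name, Status
```

Installing only the routing role keeps the server's exposed surface small: no remote-access VPN listener is configured, which is all the site-to-site tunnel in this guide needs.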

Page 13

Create Policy-based IPsec VPN Tunnel

Page 14

Create tunnel: create tunnel rule

1. Open Server Manager, click Tools, and select Windows Firewall with Advanced Security

2. Select Connection Security Rules, click the Action menu, and click New Rule

3. From the New Connection Security Rule wizard Rule Type page, select Tunnel, and then click Next

Page 15

Create tunnel: type and requirements

4. On the Tunnel Type page, under What type of tunnel would you like to create, select Custom configuration

5. Under Would you like to exempt IPsec-protected connections from this tunnel, leave the default value of No selected, and click Next

6. On the Requirements page, select Require authentication for inbound connections and click Next

Page 16

Create tunnel: endpoint and tunnel definition

7. On the Tunnel Endpoints page, enter the local subnet CIDR (10.0.2.0/26 in our example) and the Windows server's IP address in the Endpoint 1 sections shown in the screenshot

8. Enter the remote subnet CIDR (172.16.1.0/24 in our example) and the remote endpoint IP in the Endpoint 2 sections shown in the screenshot

9. Click Next

Page 17

Create tunnel: PSK authentication

10. On the Authentication Method page, select Advanced, and then click Customize

11. Click Add under the first authentication section

12. Select Preshared key, enter the pre-shared key value, and click OK

13. Click Next

Page 18

Create tunnel: open Windows firewall

14. On the Profile page, select all three checkboxes for each Windows Firewall profile (Domain, Private, and Public), and click Next

15. On the Name page, enter a name for your connection rule and click Finish

Page 19

Enable perfect forward secrecy (PFS)

Page 20

Enable PFS: command line only

We recommend using PFS when creating IPsec tunnels, but this step is optional.

NOTE: any settings included in the following command are used for the phase2/IPsec security association regardless of the settings specified later in this configuration. These settings are not editable or viewable via the UI, so take extra care to record the choices you make when running the command. The data lifetime value is required, so we set it to a large number that Windows accepts.

Run the following command via the command prompt and replace "rule_name" with the name given to the connection rule on page 17.

netsh advfirewall consec set rule name="rule_name" new QMPFS=dhgroup14 QMSecMethods=ESP:SHA1-AES256+60min+10000000kb

Page 21

Phase1 and Phase2 settings

Page 22

Phase1 settings

To edit the tunnel's phase1 and phase2 settings, open the Windows Firewall window via the Server Manager. Click on the Tools menu > Windows Firewall with Advanced Security and then click Actions > Properties on the resulting window.

1. From the IPsec Settings tab, under IPsec exemptions, verify that Exempt ICMP from IPsec is No (default). Verify that IPsec tunnel authorization is None.

2. Click Customize next to the IPsec defaults section

3. Under Key exchange (Main Mode), select Advanced and then click Customize

4. Remove any default settings in the Security methods section, then click Add and select the following:

• Integrity algorithm: SHA-1

• Encryption algorithm: AES-CBC-256

• Key exchange algorithm: Diffie-Hellman Group 14

5. Click OK

6. Under Key lifetimes, verify that Minutes is 60 and Sessions is 0

7. Under Key exchange options, select Use Diffie-Hellman for enhanced security, and then click OK

Page 23

Phase2 settings

8. From the Customize IPsec Defaults window, under Data protection (Quick Mode), select Advanced, and then click Customize

9. Select Require encryption for all connection security rules that use these settings

10. Remove any default settings in the Data integrity and encryption section, then click Add and select the following:

• ESP

• Encryption algorithm: AES-CBC-256

• Integrity algorithm: SHA-1

• Key lifetime: 480 minutes

11. Choose OK to return to the Customize IPsec Settings dialog box and click OK to save the configuration
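Because mismatched settings are the main cause of tunnel failure (page 2), it helps to have every phase1 and phase2 value in one place where it can be read side by side with the VNS3 endpoint. The following added example, which is not part of the guide, builds the tunnel rule from pages 14 to 18, the rule-specific quick-mode/PFS settings from the netsh command on page 20, and the phase1 settings from page 22 with the Windows NetSecurity cmdlets, then checks the resulting security associations. It assumes the guide's example addresses, a placeholder for the Windows server's own public IP, and a placeholder PSK; because the quick-mode set is bound to the rule, it takes the 60-minute/10000000 KB lifetime of the page 20 command rather than the 480-minute default from page 23, exactly as the note on page 20 describes.

```powershell
# Added example (not from the guide): tunnel rule + phase1/phase2 crypto + PFS,
# built with the NetSecurity cmdlets so all values are visible in one script.
# Assumptions: addresses are the guide's example values except the Windows
# server's public IP (placeholder); the PSK must be replaced with the real one.
$LocalSubnet    = '10.0.2.0/26'     # office subnet behind Windows RRAS
$RemoteSubnet   = '172.16.1.0/24'   # VNS3 Overlay Network
$LocalEndpoint  = '203.0.113.10'    # PLACEHOLDER: Windows server public IP
$RemoteEndpoint = '54.54.54.131'    # VNS3 public IP from the page 2 diagram
$PreSharedKey   = 'REPLACE-WITH-THE-PSK-ENTERED-IN-VNS3'   # placeholder
$RuleName       = 'VNS3-Tunnel'

# Page 17: phase1 authentication with a machine pre-shared key.
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName-P1Auth" `
                    -Proposal $authProposal

# Page 22: Main Mode = AES-CBC-256 / SHA-1 / DH group 14, 60 minutes, 0 sessions.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA1 `
                  -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "$RuleName-MainMode" `
             -Proposal $mmProposal -MaxMinutes 60 -MaxSessions 0
New-NetIPsecMainModeRule -DisplayName "$RuleName-MM" -RemoteAddress $RemoteEndpoint `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $phase1Auth.Name | Out-Null

# Page 20 (netsh QMSecMethods=ESP:SHA1-AES256+60min+10000000kb, QMPFS=dhgroup14):
# Quick Mode = ESP, AES-CBC-256, SHA-1, 60 min / 10000000 KB lifetime, PFS DH14.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                  -Encryption AES256 -ESPHash SHA1 -MaxMinutes 60 -MaxKilobytes 10000000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "$RuleName-QuickMode" `
             -Proposal $qmProposal -PerfectForwardSecrecyGroup DH14

# Pages 14-18: tunnel-mode rule, authentication required inbound and requested
# outbound, applied to the Domain, Private and Public profiles (-Profile Any).
New-NetIPsecRule -DisplayName $RuleName -Mode Tunnel `
    -LocalAddress $LocalSubnet -RemoteAddress $RemoteSubnet `
    -LocalTunnelEndpoint $LocalEndpoint -RemoteTunnelEndpoint $RemoteEndpoint `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1Auth.Name -QuickModeCryptoSet $qmSet.Name `
    -Profile Any | Out-Null

# Checks. The rule must exist and be enabled; once traffic crosses the tunnel a
# main-mode SA and a quick-mode SA with the VNS3 peer should appear. A main-mode
# SA without a quick-mode SA is the usual sign of a phase2 (ESP/PFS) mismatch.
Get-NetIPsecRule -DisplayName $RuleName | Select-Object DisplayName, Mode, Enabled
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $RemoteEndpoint }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $RemoteEndpoint }
```

Keep the PSK out of the script file itself in real deployments (read it from a prompt or a secrets store) and compare the four values that must agree with VNS3: encryption, integrity, DH group for phase1, and the PFS group for phase2.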

Page 24

Enable Dead Peer Detection (DPD)

Page 25

Enable DPD

We recommend using DPD when creating IPsec tunnels, but this step is optional.

1. From the Registry Editor click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Parameters

2. Click on the Edit menu, then click New and select DWORD (32-bit) Value

3. Enter the name EnableDeadGWDetect

4. Select EnableDeadGWDetect, and click Modify from the Edit menu

5. In Value data, enter 1, and then click OK

6. Close the Registry Editor and reboot the server

Page 26

Configure VNS3

Page 27

VNS3 settings based on RRAS options

Given the tunnel definition options available in RRAS, the recommended configuration is shown in this document. To match those configuration settings, use the following IPsec endpoint setup for VNS3:

1. Name: enter any name.

2. IP: public IP of the Windows 2012 R2 server (this can be a NATed IP if necessary)

3. PSK: use the same PSK from page 17

4. NAT IP: the private IP of the Windows 2012 server if it is not directly accessible via the Internet

5. PFS: enabled (but optional depending on whether you followed the steps outlined on page 20)

6. Extra configuration parameters:

phase1=aes256-sha1-dh14
phase2=aes256-sha1
pfsgroup=dh14

Page 28

VNS3 Document Links

VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Guide Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include, initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Guide

VNS3 Troubleshooting Troubleshooting document that explains the issues most commonly experienced with VNS3.