HP Helion Configuration

HP Setup for VNS3

HP Helion

2015

copyright 2015

Table of Contents

Introduction

Step 1: HP Helion Deployment Setup

Step 2: Launching a VNS3 Controller Server


Requirements

• You have an HP Helion Public Cloud account.

• You agree to the following VNS3 Terms and Conditions (Terms | License)

• Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

• You have a compliant IPsec firewall/router networking device:

Preferred - Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

Best Effort - Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5.


Getting Help with VNS3

This guide covers a very generic VNS3 GCE setup. If you are interested in more custom use cases and would like Cohesive to advise on and help set up the topology, contact [email protected] for services pricing.

This guide uses Cisco's Adaptive Security Device Manager UI. Setting up your IPsec Extranet device may give a different user experience than what is shown here. All the information entered in this guide will be the same regardless of your UI or command line setup.


Firewall Considerations

HP Helion deployment access is controlled by the HP Cloud network. This document will show you how to open the correct ports in order to access, peer, connect, and negotiate an IPsec tunnel with VNS3 Controllers.

The VNS3 Controller instance uses the following TCP and UDP ports. This guide uses two Security Groups - 1 for Controllers, 1 for Client Servers.

• UDP port 1194 - For client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.

• UDP ports 1195-1203* - For tunnels between Controller peers; must be accessible from all peers in a given topology.

• TCP port 8000 - HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

• UDP port 500 - Used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

• UDP port 4500 or Protocol 50 (ESP) - Protocol 50 is used for the phase 2 or ESP (Encapsulating Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500 is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.


Remote Support

Note that TCP 22 (ssh) is not required for normal operations.

Each VNS3 Controller is running a restricted SSH daemon, with access limited only to Cohesive for debugging purposes, controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the


Sizing Considerations

Image Size and Architecture

VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the performance will depend on the use-case.

Clientpack Key Size

VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the "clientpacks". Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit).


Step 1: HP Helion Deployment Setup


HP Configuration: Create a Network

A default configuration comes with HP Public Cloud compute activation and includes a network, a subnet, a router connecting the subnets to the Internet, and a security group with basic server options, both SSH and Ping rules.

You can use the default network to deploy VNS3 Controllers and Client Servers in a single security group, or follow these instructions to create a new custom network, subnet, router and security groups.

On the HP Public Cloud console interface, click Project on the left-side bar, then Networks under Manage Networks.

Click Create Network in the right-hand navigation.

Enter a "Network Name" in the Create Network pop-up screen and leave the Admin State box checked.

Click the Subnet tab.


HP Configuration: Create a Subnet

On the Subnet tab in the Create Network pop-up screen, enter the subnet name.

Enter a subnet using CIDR (Classless Inter-Domain Routing) notation in the Network Address field. In this example we used 172.31.2.0/24.

Keep the IPv4 default in the IP Version field.

Leave the Gateway IP box blank to use the default value, the first address of the subnet; e.g., 172.31.2.1 for 172.31.2.0/24.

Leave the Disable Gateway box unchecked to use the default and click Create.


HP Configuration: Create a Router

Click Routers in the left column menu.

Click Create Router in the top right-hand navigation and enter a name for the router.

Click Set Gateway under Actions to connect your router to the Internet.

On the resulting popup window, set the External Network drop-down menu to "Ext-Net" and click Set Gateway.


HP Configuration: Connect your Network

Click the router name on the Routers page. On the Router Detail page click Add Interface.

On the Add Interface popup, set the Select Subnet drop-down menu to the subnet you just configured.


HP Configuration: Create Security Groups

Security groups and security group rules allow you to specify the type of traffic and direction (inbound/outbound) that is allowed to pass through a network port. A security group is a container for security group rules.

Click Access & Security in the left column menu, then click Create Security Group to create a VNS3-MGR and a VNS3-Clients security group.

The default setting allows all outgoing traffic on all protocols and ports. Add the following Inbound exceptions to the VNS3-MGR Security Group:

• TCP port 8000 from your public IP (you can find your IP address by navigating to http://whatismyip.com)

• TCP port 8000 from the VNS3-MGR security group

• UDP port 1194 from the VNS3-Clients security group

• UDP port 500 from the IP of your Datacenter-based IPsec Device

• Protocol 50 from the IP of your Datacenter-based IPsec Device (only required if you will not use NAT-Traversal encapsulation)

• UDP port 4500 from the IP of your Datacenter-based IPsec Device (only required if you will use NAT-Traversal encapsulation)

• UDP ports 1195-1197 from the VNS3-MGR security group (only required for multiple Controller topologies - SME or Enterprise Editions)
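The Firewall Considerations section and the rule list above together define what the VNS3-MGR security group should admit, and the NAT-Traversal choice decides whether UDP 4500 or IP protocol 50 is the one that matters. The following is an added example, not Cohesive's or HP's code: it models security group rules as simple records (the record layout, the "sg:" prefix for group sources, and the sample addresses are assumptions made for illustration) and checks an existing rule set for required rules that are missing and for rules that are open to the whole Internet instead of being scoped to your IP, the IPsec device's IP, or a security group as the guide specifies.

```python
"""Security group check for the VNS3-MGR group described in this guide.

Added example, not Cohesive's or HP's code. It models security group rules as
simple records (the field layout is an assumption for illustration) and checks
an existing rule set against the inbound ports the guide requires, handling the
NAT-Traversal choice: UDP 4500 is needed with NAT-T, IP protocol 50 (ESP) without.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp", or "50" for ESP (IP protocol number, carries no ports)
    port_min: int   # 0 for port-less protocols such as ESP
    port_max: int
    source: str     # a CIDR such as "203.0.113.10/32", or "sg:<name>" for a security group


def required_mgr_rules(admin_cidr: str, ipsec_peer_cidr: str,
                       nat_traversal: bool, multi_controller: bool) -> Set[Rule]:
    """Inbound rules the VNS3-MGR group needs, as listed in the guide."""
    rules = {
        Rule("tcp", 8000, 8000, admin_cidr),          # HTTPS admin UI from your public IP
        Rule("tcp", 8000, 8000, "sg:VNS3-MGR"),       # Controllers reach each other for peering
        Rule("udp", 1194, 1194, "sg:VNS3-Clients"),   # overlay clients connect here
        Rule("udp", 500, 500, ipsec_peer_cidr),       # IKE (phase 1) from the datacenter device
    }
    if nat_traversal:
        rules.add(Rule("udp", 4500, 4500, ipsec_peer_cidr))   # ESP inside UDP (NAT-T)
    else:
        rules.add(Rule("50", 0, 0, ipsec_peer_cidr))          # native ESP
    if multi_controller:
        rules.add(Rule("udp", 1195, 1197, "sg:VNS3-MGR"))     # Controller-to-Controller tunnels
    return rules


def source_covers(existing_src: str, needed_src: str) -> bool:
    """A group source only matches the same group; a CIDR source covers any CIDR inside it."""
    if existing_src.startswith("sg:") or needed_src.startswith("sg:"):
        return existing_src == needed_src
    return ipaddress.ip_network(needed_src).subnet_of(ipaddress.ip_network(existing_src))


def rule_covers(existing: Rule, needed: Rule) -> bool:
    """True if `existing` admits everything `needed` admits (same protocol, wider range, wider source)."""
    return (existing.proto == needed.proto
            and existing.port_min <= needed.port_min
            and existing.port_max >= needed.port_max
            and source_covers(existing.source, needed.source))


def missing_rules(existing: Iterable[Rule], required: Set[Rule]) -> List[Rule]:
    """Required rules that no existing rule satisfies, in a stable order."""
    existing = list(existing)
    gaps = [r for r in required if not any(rule_covers(e, r) for e in existing)]
    return sorted(gaps, key=lambda r: (r.proto, r.port_min, r.source))


def world_open_rules(existing: Iterable[Rule]) -> List[Rule]:
    """Rules whose source is any address (prefix length 0). The guide scopes every
    port to your own IP, the IPsec device's IP, or a security group; a /0 source
    exposes that port to the whole Internet."""
    return [r for r in existing
            if not r.source.startswith("sg:")
            and ipaddress.ip_network(r.source).prefixlen == 0]


# Constructed sample: a VNS3-MGR group where UDP 4500 was forgotten and the admin
# port was opened to the world instead of to one public IP. The addresses are
# documentation ranges, not real hosts.
SAMPLE_EXISTING = [
    Rule("tcp", 8000, 8000, "0.0.0.0/0"),
    Rule("tcp", 8000, 8000, "sg:VNS3-MGR"),
    Rule("udp", 1194, 1194, "sg:VNS3-Clients"),
    Rule("udp", 500, 500, "198.51.100.7/32"),
]
SAMPLE_REQUIRED = required_mgr_rules("203.0.113.10/32", "198.51.100.7/32",
                                     nat_traversal=True, multi_controller=False)

if __name__ == "__main__":
    for r in missing_rules(SAMPLE_EXISTING, SAMPLE_REQUIRED):
        print("MISSING :", r)
    for r in world_open_rules(SAMPLE_EXISTING):
        print("TOO OPEN:", r)
```

Run as a script, the sample reports the missing UDP 4500 rule and flags the 0.0.0.0/0 rule on TCP 8000. Note that the /0 rule does technically satisfy the "TCP 8000 from your public IP" requirement, which is exactly why the check reports over-broad sources separately: a group can pass the coverage check and still expose the admin interface far more widely than the guide intends.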


Step 2: Launching a VNS3 Controller Server


Click Instances in the left column menu.

On the Instances page click Launch Instance.

You can leave the default choice of the "Any Availability Zone" (AZ) box, which arbitrarily assigns an AZ for an instance, or click the drop box to specify where to locate an instance.

Enter a name in the Instance Name field.

Set the Flavor drop-down menu to select the hardware configuration you want to emulate, i.e., how much disk space and RAM you need. We recommend using standard.small or larger.

Enter the number of instances you want to create in the Instance Count field. Select Boot from Image in the Instance Boot Source drop-down menu.

Select the appropriate Cohesive VNS3 3.0.4 Image from the Image Name drop-down menu. PAYG has the Free Edition license included in the image and requires no interaction with Cohesive. BYOL is an unlicensed version of the image that can be configured as a Lite, SME or Enterprise Edition (see the VNS3 product page for more information). Contact our sales team to set up a subscription in order to receive a license. Click the Access & Security tab.


VNS3 Server Launch: Create an Instance

On the Access & Security tab, leave the Keypair, Admin Pass and Confirm Admin Pass fields as default.

Select the VNS3-MGR Security Group. Click the Networking tab.

Drag and drop the network you previously created from the Available Networks box to the Selected Networks box.


VNS3 Server Launch: Associate a Floating IP

Once your Controller instance has launched, click Associate Floating IP. On the Associate Floating IP popup, set the Pool drop-down menu to Ext-Net (external network or public Internet).

Click Allocate IP.

On the resulting popup window, Manage Floating IP Associations, specify a Floating IP in the IP Address drop-down menu and click Associate.


VNS3 Configuration Document Links

VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions

Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document

Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker Instructions

Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting

