How To Configure vCloud 5.1 Hybrid Cloud Site 2 Site VPN

In the process of building my experimental “MonsterCloud” vCloud Director hybrid setup I obviously needed site-to-site VPN between the following locations:

The trick here is that this is now a true hybrid cloud: two of the sites run vCloud Director, and my house does not.  It is a standard datacenter with a Cisco firewall for IPsec VPN.  The idea is to connect the two vCloud Director clouds first, then connect the home datacenter to each of the two vCloud providers.  Let’s look at the vCloud-to-vCloud VPN setup first, as it is the easiest thing in the world to configure when both ends are vCloud Director.

Configure vCloud 2 vCloud VPN

Select your Edge Gateway in your vCloud organization and select the VPN tab.  Once there select “Add” and you will see the following screen.

[Screenshot: vcloud_vpn]

Select “A Network in another Organization”, and then select “Log Into Remote vCD”.

[Screenshot: vcloud_connection]

Fill in the remote vCloud URL, the organization name and your credentials for that organization.  Once you log in you will be presented with the other vCloud organization’s networks, so you can multi-select the mappings between the networks of the two organizations.  The rest of the options can be left at the defaults they are populated with.

Once this is done the VPN between the two sites should come up.  However, you will still need to configure firewall rules in the Edge Gateway before any traffic can flow between the networks.  I will cover that last, after the IPsec VPN setup.

Configure IPsec VPN From Cisco RV042

Now I am sure everyone has a different router or IPsec firewall, but the IPsec settings below are the ones I found to work best with the Edge Gateway.  I have included the RV042-specific settings as well.

vCloud Edge Gateway IPSEC Setup:

For this end it is pretty simple, but there are a few things I noticed, and this is what I configured that worked for me.  When you add the new VPN, select “A Remote Network” and use settings similar to these:

Peer Networks:  the remote networks to map (the subnets behind the peer firewall)
Local ID:  the external IP of the Edge Gateway is what I found to work
Peer ID:  the external address of the peer firewall
Peer IP:  same as the Peer ID
Encryption:  3DES is what negotiated reliably with the RV042; it is a legacy cipher, so use AES if both ends offer it
Shared Key:  <Various>  (use a long random key; it is the only thing authenticating the peer)

[Screenshot: vcloud_vpn2]

RV042 IPsec Setup:

Phase 1 Mode:  IKE with pre-shared Key
Phase 1 DH Group: Group 2
Phase 1 Encryption: 3DES
Phase 1 Authentication: SHA1
Phase 1 SA Life: 28800

Perfect Forward Secrecy: On

Phase 2 DH Group: Group 2
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 SA Life: 3600

Pre-Shared Key:  <Various>
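To catch a mismatch between the two ends before staring at IKE logs, here is a small proposal checker.  It is an example added to this post, not the post’s own code and not part of either vendor’s software.  It loads the RV042 values listed above, a constructed Edge Gateway proposal set to the same values (the post only reports that this pairing works), and a constructed mismatched peer; the pre-shared key is a placeholder.  It also flags which of the working parameters are legacy by current standards.

```python
"""Check that the two ends of an IKEv1 / IPsec tunnel will negotiate.

Added example, not code from the original post. RV042 holds the settings the
post lists; EDGE is a constructed copy of them for the Edge Gateway side (the
post reports this pairing works); BAD_PEER is a constructed mismatch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    encryption: str   # "3des", "aes128", "aes256"
    auth: str         # "sha1", "sha256", "md5"
    dh_group: int     # phase 1: IKE DH group; phase 2: PFS group, 0 means PFS off
    lifetime: int     # SA lifetime in seconds


@dataclass(frozen=True)
class Proposal:
    phase1: Phase
    phase2: Phase
    psk: str


LEGACY_ENC = {"des", "3des"}
LEGACY_AUTH = {"md5", "sha1"}
LEGACY_DH = {1, 2, 5}        # 768-, 1024- and 1536-bit MODP groups


def legacy_warnings(name: str, p: Phase) -> list:
    """Flag parameters that negotiate fine but are weak by current standards."""
    out = []
    if p.encryption in LEGACY_ENC:
        out.append(f"{name}: {p.encryption} is a 64-bit-block legacy cipher; prefer AES")
    if p.auth in LEGACY_AUTH:
        out.append(f"{name}: {p.auth} is a legacy integrity algorithm; prefer SHA-256")
    if p.dh_group in LEGACY_DH:
        out.append(f"{name}: DH group {p.dh_group} is below 2048 bits; prefer group 14 or higher")
    if name == "phase2" and p.dh_group == 0:
        out.append("phase2: PFS is off, so one recovered IKE key exposes every child SA")
    return out


def check_pair(local: Proposal, peer: Proposal) -> dict:
    """Return {'ok', 'errors', 'warnings'}; any error means phase 1 or 2 will not come up."""
    errors, warnings = [], []
    for name in ("phase1", "phase2"):
        a, b = getattr(local, name), getattr(peer, name)
        for field in ("encryption", "auth", "dh_group"):
            if getattr(a, field) != getattr(b, field):
                errors.append(f"{name}: {field} differs (local={getattr(a, field)}, peer={getattr(b, field)})")
        if a.lifetime != b.lifetime:
            # Unequal lifetimes usually still negotiate, but the two ends then
            # rekey on different clocks; keep them equal to avoid drops at rekey.
            warnings.append(f"{name}: lifetime differs (local={a.lifetime}, peer={b.lifetime})")
        warnings.extend(legacy_warnings(name, a))
    if local.psk != peer.psk:
        errors.append("pre-shared key differs: phase 1 authentication will fail")
    elif len(local.psk) < 20:
        # A short PSK is an offline-cracking target, especially with IKEv1 aggressive mode.
        warnings.append("pre-shared key is shorter than 20 characters")
    return {"ok": not errors, "errors": errors, "warnings": warnings}


PSK = "example-psk-replace-before-use"  # constructed placeholder; the post shows <Various>

# The RV042 values exactly as the post lists them.
RV042 = Proposal(
    phase1=Phase("3des", "sha1", 2, 28800),
    phase2=Phase("3des", "sha1", 2, 3600),   # PFS on, group 2
    psk=PSK,
)
# Constructed: the Edge Gateway configured to the same values.
EDGE = Proposal(
    phase1=Phase("3des", "sha1", 2, 28800),
    phase2=Phase("3des", "sha1", 2, 3600),
    psk=PSK,
)
# Constructed: someone "hardened" only one end's phase 2 and switched PFS off.
BAD_PEER = Proposal(
    phase1=Phase("3des", "sha1", 2, 28800),
    phase2=Phase("aes256", "sha1", 0, 3600),
    psk=PSK,
)

if __name__ == "__main__":
    for label, peer in (("RV042", RV042), ("BAD_PEER", BAD_PEER)):
        result = check_pair(EDGE, peer)
        print(f"EDGE <-> {label}: {'negotiates' if result['ok'] else 'FAILS'}")
        for line in result["errors"] + result["warnings"]:
            print("  -", line)
```

The checker treats algorithm and DH group differences as hard failures, since those are what IKE refuses to negotiate, and treats lifetime differences and legacy algorithms as warnings: the tunnel will come up on the settings above, but a practitioner should know why the working configuration is not the one to keep long term.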

Configure the vCloud Edge Gateway Firewall Rules

This is probably the SINGLE most missed area for people setting this up.  Even with the connections made, no traffic will pass through the vCloud Director Edge Gateway to the peer networks without firewall rules.  Last month I wrote about the Changing Role of the VMware Admin, and this section alone is why I think many people will struggle.  I was a Check Point admin in my day, so I personally like writing firewall rules.  Sad but true.  Below are the rules I have in both the Stratogen and VMware Eval Cloud Edge Gateways for traffic to pass between the two clouds as well as to the ‘Server’ network back at my house.

[Screenshot: vcloud_vpn_FWRules]

This is a screenshot from the VMware Eval Cloud, and you can see I have allowed traffic in both directions between the Stratogen Cloud and the Desktop and Private networks, as well as from the Home Server network to the Private network.  You MUST create rules in the vCloud Edge Gateway; the VPN connections alone give you no connectivity.  I cannot stress this enough, and this is also how you control which networks are reachable from the other sites through the VPN.

In my case I also use vShield App rules in the home lab to prevent traffic from the Hybrid Active Directory server to my “Corporate” network while allowing it to access the Server Network and the router.  This is an added step I took to isolate the Active Directory server on the Server segment from the rest of my network.

[Screenshot: vshield_app_firewall]
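To make the “VPN up but nothing passes” behaviour concrete, here is a first-match rule evaluator.  It is an example added here, not the post’s own code and not VMware’s.  It encodes the Edge Gateway rules described above and the vShield App rules for the AD server on constructed addresses (the screenshots, not the post text, carry the real ones), shows that an empty rule set denies everything, and checks for a rule that an earlier rule shadows, which is the classic ordering mistake when a narrow allow has to precede a broader deny.  The engine judges a flow’s first packet; a stateful firewall such as the Edge Gateway then lets replies to an allowed flow through without a reverse rule.

```python
"""First-match rule evaluation for the two rule tables the post describes.

Added example, not code from the original post or from VMware. The addresses
are constructed (the post shows a screenshot, not the CIDRs), and the engine
judges a flow's first packet: a stateful firewall such as the Edge Gateway
then lets replies to an allowed flow through without a reverse rule.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    src: Net
    dst: Net
    action: str   # "allow" or "deny"


def evaluate(rules, src_ip, dst_ip, default="deny"):
    """Return (action, rule_name) for the first rule that matches, else the default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.name
    return default, "default"


def shadowed(rules):
    """(rule, earlier_rule) pairs where the earlier rule matches everything the
    later one would, so the later rule can never fire in a first-match engine."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                out.append((later.name, earlier.name))
                break
    return out


# Constructed networks standing in for the ones in the post.
STRATOGEN = Net("10.1.0.0/24")      # org network in the Stratogen cloud
EVAL_DESKTOP = Net("10.2.1.0/24")   # "Desktop" network in the VMware Eval cloud
EVAL_PRIVATE = Net("10.2.2.0/24")   # "Private" network in the VMware Eval cloud
HOME_SERVER = Net("192.168.10.0/24")
HOME_CORP = Net("192.168.1.0/24")
HOME_ROUTER = Net("192.168.1.1/32")  # assumed to sit on the corporate segment
AD_SERVER = Net("192.168.10.5/32")   # the hybrid AD server on the Server segment

# Edge Gateway rules in the VMware Eval cloud, as the post describes them:
# both directions between Stratogen and Desktop/Private, plus Home Server -> Private.
EDGE_RULES = [
    Rule("stratogen-to-desktop", STRATOGEN, EVAL_DESKTOP, "allow"),
    Rule("desktop-to-stratogen", EVAL_DESKTOP, STRATOGEN, "allow"),
    Rule("stratogen-to-private", STRATOGEN, EVAL_PRIVATE, "allow"),
    Rule("private-to-stratogen", EVAL_PRIVATE, STRATOGEN, "allow"),
    Rule("homeserver-to-private", HOME_SERVER, EVAL_PRIVATE, "allow"),
]

# vShield App rules on the home lab: the AD server may reach the router and the
# Server network but not the rest of the corporate network. Order matters: the
# router sits inside the corporate range, so its allow must precede the deny.
APP_RULES = [
    Rule("ad-allow-router", AD_SERVER, HOME_ROUTER, "allow"),
    Rule("ad-deny-corporate", AD_SERVER, HOME_CORP, "deny"),
    Rule("ad-allow-server", AD_SERVER, HOME_SERVER, "allow"),
]

# Same rules with the deny moved first: the router allow is now unreachable.
MISORDERED_APP_RULES = [APP_RULES[1], APP_RULES[0], APP_RULES[2]]

if __name__ == "__main__":
    flows = (
        ("10.1.0.20", "10.2.2.10"),     # Stratogen -> Private
        ("192.168.10.5", "10.2.2.10"),  # Home Server -> Private
        ("192.168.10.5", "10.2.1.10"),  # Home Server -> Desktop: no rule
        ("192.168.1.50", "10.2.2.10"),  # Corporate -> Private: no rule
    )
    for src, dst in flows:
        print(src, "->", dst, evaluate(EDGE_RULES, src, dst))
    print("VPN up, no rules:", evaluate([], "10.1.0.20", "10.2.2.10"))
    print("shadowed in misordered set:", shadowed(MISORDERED_APP_RULES))
```

Running it shows the Home Server network reaching Private but not Desktop, the corporate segment reaching nothing, and the empty rule set denying the Stratogen flow even though the tunnel is “up”.  The shadow check is the thing to run after every edit to the App rules: a deny that lands in front of the narrow allow it was meant to sit behind silently cuts the AD server off from the router.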

The bottom line from this step?  You really must brush up on your firewall rule skills for both the Edge Gateway and the App Firewall.  These are tools the new vSphere Administrator must understand how to use.  Personally, I enjoy working out firewall rules, which probably comes from my years as a Check Point admin.  Get these under your belt and the next and last post will be the final Hybrid Cloud configuration with the final Visio diagram of what I have built.  I hope to turn this into a couple of VMworld 2013 submissions, so if you think these topics are useful, be on the lookout!

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Before this he spent close to a decade working for VMware as a Principal Architect. Before his nine-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also among the first VMware Certified Design Experts (VCDX#37), and the author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and a healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

9 comments

  1. Hi Chris,

    Probably worth mentioning that for “Log into remote vCD” to work, vCloud cells must be able to establish outgoing connections to the Internet (at least that’s the case for vCD 1.5). This is something that is easy to overlook when designing a vCloud installation, and could in some cases be not as easy to fix after the fact.

    Cheers,

    — Dmitri

    • Actually it is not the vCloud cell that configures and logs into the remote vCloud Director, but the VPN configuration applet in the browser of the client.

      • Hi Tom,

        Thanks for the clarification, it is good news (and I guess shows that vCD isn’t that well understood by the wider community).

        Does the applet connect to the remote vCD via http, or, does it use a different protocol and port?

        Thanks!

      • Replying to myself, I guess: just ran a wireshark capture of a session; looks like it only uses http, and seems to work just fine from where I am now (when the vCD client UI is on an open Internet connection). The case when we had trouble getting it to work was when the browser with the client UI was sitting behind a corporate firewall – we kept getting a message saying that the remote vCD isn’t correctly configured, or something along these lines. We asked around, and were told that it was likely because our vCD cells can’t establish outgoing connections (which made sense at the time, because “regular” http connections from behind the same corporate firewall work perfectly fine – case in point is the vCD UI itself). My chief suspect now is the JRE’s interaction with proxy settings in the OS and browser.

        Well, the case is closed from vCD’s side. Thank you! 🙂
