Google Git
Sign in
apache / cloudstack-docs-admin / 58697539fdf780bb613540461110cabd02c36e94 / . / source / networking / site_to_site_vpn.rst
blob: 3049396e0bceaf898b3363d75282dd0845b4a174 [file] [log] [blame]
.. _setting-s2s-vpn-conn:
Setting Up a Site-to-Site VPN Connection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A Site-to-Site VPN connection helps you establish a secure connection
from an enterprise datacenter to the cloud infrastructure. This allows
users to access the guest VMs by establishing a VPN connection to the
virtual router of the account from a device in the datacenter of the
enterprise. You can also establish a secure connection between two VPC
setups or high availability zones in your environment. Having this
facility eliminates the need to establish VPN connections to individual
VMs.
The difference from Remote VPN is that Site-to-site VPNs connects entire
networks to each other, for example, connecting a branch office network
to a company headquarters network. In a site-to-site VPN, hosts do not
have VPN client software; they send and receive normal TCP/IP traffic
through a VPN gateway.
The supported endpoints on the remote datacenters are:
- Cisco ISR with IOS 12.4 or later
- Juniper J-Series routers with JunOS 9.5 or later
- CloudStack virtual routers
.. note::
In addition to the specific Cisco and Juniper devices listed above, the
expectation is that any Cisco or Juniper device running on the supported
operating systems are able to establish VPN connections.
To set up a Site-to-Site VPN connection, perform the following:
#. Create a Virtual Private Cloud (VPC).
See ":ref:`configuring-vpc`".
#. Create a VPN Customer Gateway.
#. Create a VPN gateway for the VPC that you created.
#. Create VPN connection from the VPC VPN gateway to the customer VPN
gateway.
Creating and Updating a VPN Customer Gateway
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note::
A VPN customer gateway can be connected to only one VPN gateway at a time.
To add a VPN Customer Gateway:
#. Log in to the CloudStack UI as an administrator or end user.
#. In the left navigation, choose Network.
#. In the Select view, select VPN Customer Gateway.
#. Click Add VPN Customer Gateway.
|addvpncustomergateway.png|
Provide the following information:
- **Name**: A unique name for the VPN customer gateway you create.
- **Gateway**: The IP address for the remote gateway.
- **CIDR list**: The guest CIDR list of the remote subnets. Enter a
CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR
list is not overlapped with the VPC's CIDR, or another guest CIDR.
The CIDR must be RFC1918-compliant.
- **IPsec Preshared Key**: Preshared keying is a method where the
endpoints of the VPN share a secret key. This key value is used to
authenticate the customer gateway and the VPC VPN gateway to each
other. The sequence cannot contain a newline or double-quote.
.. note::
The IKE peers (VPN end points) authenticate each other by
computing and sending a keyed hash of data that includes the
Preshared key. If the receiving peer is able to create the same
hash independently by using its Preshared key, it knows that both
peers must share the same secret, thus authenticating the customer
gateway.
- **IKE Encryption**: The Internet Key Exchange (IKE) policy for
phase-1. The supported encryption algorithms are AES128, AES192,
AES256, and 3DES. Authentication is accomplished through the
Preshared Keys.
.. note::
The phase-1 is the first phase in the IKE process. In this initial
negotiation phase, the two VPN endpoints agree on the methods to
be used to provide security for the underlying IP traffic. The
phase-1 authenticates the two VPN gateways to each other, by
confirming that the remote gateway has a matching Preshared Key.
- **IKE Hash**: The IKE hash for phase-1. The supported hash
algorithms are SHA1 and MD5.
- **IKE DH**: A public-key cryptography protocol which allows two
parties to establish a shared secret over an insecure
communications channel. The 1536-bit Diffie-Hellman group is used
within IKE to establish session keys. The supported options are
None, Group-5 (1536-bit) and Group-2 (1024-bit).
- **ESP Encryption**: Encapsulating Security Payload (ESP) algorithm
within phase-2. The supported encryption algorithms are AES128,
AES192, AES256, and 3DES.
.. note::
The phase-2 is the second phase in the IKE process. The purpose of
IKE phase-2 is to negotiate IPSec security associations (SA) to
set up the IPSec tunnel. In phase-2, new keying material is
extracted from the Diffie-Hellman key exchange in phase-1, to
provide session keys to use in protecting the VPN data flow.
- **ESP Hash**: Encapsulating Security Payload (ESP) hash for
phase-2. Supported hash algorithms are SHA1 and MD5.
- **Perfect Forward Secrecy**: Perfect Forward Secrecy (or PFS) is
the property that ensures that a session key derived from a set of
long-term public and private keys will not be compromised. This
property enforces a new Diffie-Hellman key exchange. It provides
the keying material that has greater key material life and thereby
greater resistance to cryptographic attacks. The available options
are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security
of the key exchanges increase as the DH groups grow larger, as
does the time of the exchanges.
.. note::
When PFS is turned on, for every negotiation of a new phase-2 SA
the two gateways must generate a new set of phase-1 keys. This
adds an extra layer of protection that PFS adds, which ensures if
the phase-2 SA's have expired, the keys used for new phase-2 SA's
have not been generated from the current phase-1 keying material.
- **IKE Lifetime (seconds)**: The phase-1 lifetime of the security
association in seconds. Default is 86400 seconds (1 day). Whenever
the time expires, a new phase-1 exchange is performed.
- **ESP Lifetime (seconds)**: The phase-2 lifetime of the security
association in seconds. Default is 3600 seconds (1 hour). Whenever
the value is exceeded, a re-key is initiated to provide a new
IPsec encryption and authentication session keys.
- **Dead Peer Detection**: A method to detect an unavailable
Internet Key Exchange (IKE) peer. Select this option if you want
the virtual router to query the liveliness of its IKE peer at
regular intervals. It's recommended to have the same configuration
of DPD on both side of VPN connection.
#. Click OK.
Updating and Removing a VPN Customer Gateway
''''''''''''''''''''''''''''''''''''''''''''
You can update a customer gateway either with no VPN connection, or
related VPN connection is in error state.
#. Log in to the CloudStack UI as an administrator or end user.
#. In the left navigation, choose Network.
#. In the Select view, select VPN Customer Gateway.
#. Select the VPN customer gateway you want to work with.
#. To modify the required parameters, click the Edit VPN Customer
Gateway button |vpn-edit-icon.png|
#. To remove the VPN customer gateway, click the Delete VPN Customer
Gateway button |delete.png|
#. Click OK.
Creating a VPN gateway for the VPC
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#. Log in to the CloudStack UI as an administrator or end user.
#. In the left navigation, choose Network.
#. In the Select view, select VPC.
All the VPCs that you have created for the account is listed in the
page.
#. Click the Configure button of the VPC to which you want to deploy the
VMs.
The VPC page is displayed where all the tiers you created are listed
in a diagram.
For each tier, the following options are displayed:
- Internal LB
- Public LB IP
- Static NAT
- Virtual Machines
- CIDR
The following router information is displayed:
- Private Gateways
- Public IP Addresses
- Site-to-Site VPNs
- Network ACL Lists
#. Select Site-to-Site VPN.
If you are creating the VPN gateway for the first time, selecting
Site-to-Site VPN prompts you to create a VPN gateway.
#. In the confirmation dialog, click Yes to confirm.
Within a few moments, the VPN gateway is created. You will be
prompted to view the details of the VPN gateway you have created.
Click Yes to confirm.
The following details are displayed in the VPN Gateway page:
- IP Address
- Account
- Domain
Creating a VPN Connection
^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: CloudStack supports creating up to 8 VPN connections.
#. Log in to the CloudStack UI as an administrator or end user.
#. In the left navigation, choose Network.
#. In the Select view, select VPC.
All the VPCs that you create for the account are listed in the page.
#. Click the Configure button of the VPC to which you want to deploy the
VMs.
The VPC page is displayed where all the tiers you created are listed
in a diagram.
#. Click the Settings icon.
For each tier, the following options are displayed:
- Internal LB
- Public LB IP
- Static NAT
- Virtual Machines
- CIDR
The following router information is displayed:
- Private Gateways
- Public IP Addresses
- Site-to-Site VPNs
- Network ACL Lists
#. Select Site-to-Site VPN.
The Site-to-Site VPN page is displayed.
#. From the Select View drop-down, ensure that VPN Connection is
selected.
#. Click Create VPN Connection.
The Create VPN Connection dialog is displayed:
|createvpnconnection.png|
#. Select the desired customer gateway.
#. Select Passive if you want to establish a connection between two VPC
virtual routers.
If you want to establish a connection between two VPC virtual
routers, select Passive only on one of the VPC virtual routers, which
waits for the other VPC virtual router to initiate the connection. Do
not select Passive on the VPC virtual router that initiates the
connection.
#. Click OK to confirm.
Within a few moments, the VPN Connection is displayed.
The following information on the VPN connection is displayed:
- IP Address
- Gateway
- State
- IPSec Preshared Key
- IKE Policy
- ESP Policy
Site-to-Site VPN Connection Between VPC Networks
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
CloudStack provides you with the ability to establish a site-to-site VPN
connection between CloudStack virtual routers. To achieve that, add a
passive mode Site-to-Site VPN. With this functionality, users can deploy
applications in multiple Availability Zones or VPCs, which can
communicate with each other by using a secure Site-to-Site VPN Tunnel.
This feature is supported on all the hypervisors.
#. Create two VPCs. For example, VPC A and VPC B.
For more information, see ":ref:`configuring-vpc`".
#. Create VPN gateways on both the VPCs you created.
For more information, see `"Creating a VPN gateway
for the VPC" <#creating-a-vpn-gateway-for-the-vpc>`_.
#. Create VPN customer gateway for both the VPCs.
For more information, see `"Creating and Updating
a VPN Customer Gateway" <#creating-and-updating-a-vpn-customer-gateway>`_.
#. Enable a VPN connection on VPC A in passive mode.
For more information, see `"Creating a VPN
Connection" <#creating-a-vpn-connection>`_.
Ensure that the customer gateway is pointed to VPC B. The VPN
connection is shown in the Disconnected state.
#. Enable a VPN connection on VPC B.
Ensure that the customer gateway is pointed to VPC A. Because virtual
router of VPC A, in this case, is in passive mode and is waiting for
the virtual router of VPC B to initiate the connection, VPC B virtual
router should not be in passive mode.
The VPN connection is shown in the Disconnected state.
Creating VPN connection on both the VPCs initiates a VPN connection.
Wait for few seconds. The default is 30 seconds for both the VPN
connections to show the Connected state.
Restarting and Removing a VPN Connection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#. Log in to the CloudStack UI as an administrator or end user.
#. In the left navigation, choose Network.
#. In the Select view, select VPC.
All the VPCs that you have created for the account is listed in the
page.
#. Click the Configure button of the VPC to which you want to deploy the
VMs.
The VPC page is displayed where all the tiers you created are listed
in a diagram.
#. Click the Settings icon.
For each tier, the following options are displayed:
- Internal LB
- Public LB IP
- Static NAT
- Virtual Machines
- CIDR
The following router information is displayed:
- Private Gateways
- Public IP Addresses
- Site-to-Site VPNs
- Network ACL Lists
#. Select Site-to-Site VPN.
The Site-to-Site VPN page is displayed.
#. From the Select View drop-down, ensure that VPN Connection is
selected.
All the VPN connections you created are displayed.
#. Select the VPN connection you want to work with.
The Details tab is displayed.
#. To remove a VPN connection, click the Delete VPN connection button
|remove-vpn.png|
To restart a VPN connection, click the Reset VPN connection button
present in the Details tab. |reset-vpn.png|
.. |vpn-icon.png| image:: /_static/images/vpn-icon.png
:alt: button to enable VPN.
.. |addvpncustomergateway.png| image:: /_static/images/add-vpn-customer-gateway.png
:alt: adding a customer gateway.
.. |createvpnconnection.png| image:: /_static/images/create-vpn-connection.png
:alt: creating a VPN connection to the customer gateway.
.. |remove-vpn.png| image:: /_static/images/remove-vpn.png
:alt: button to remove a VPN connection
.. |reset-vpn.png| image:: /_static/images/reset-vpn.png
:alt: button to reset a VPN connection
.. |delete.png| image:: /_static/images/delete-button.png
:alt: button to remove a VPN customer gateway.
.. |vpn-edit-icon.png| image:: /_static/images/edit-icon.png
:alt: button to edit.