ElasticHosts Configuration
ElasticHosts Setup for VNS3, 2016

© 2016


Table of Contents


Introduction 3

ElasticHosts Deployment Setup 9

VNS3 Configuration Document Links 20


Requirements



• You have an ElasticHosts account (for a free ElasticHosts trial, visit: http://www.elastichosts.com/cloud-servers/free-trial/).

• You have the ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

• You have a compliant IPsec firewall/router networking device:

Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

Best Effort: Any IPsec device that supports IKE1 or IKE2, AES256 or AES128 or 3DES, and SHA1 or MD5.

*Known Exclusions: Checkpoint R65+ requires native IPsec connections as Checkpoint does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.


Getting Help with VNS3


This guide covers a generic VNS3 setup in ElasticHosts. If you need specific help with project planning, POCs, or audits, contact our professional services team via [email protected] for details.

This guide uses Cisco’s Adaptive Security Device Controller UI. Setting up your IPsec extranet device may have a different user experience from what is shown here. All the information entered in this guide will be the same regardless of your UI or command-line setup.

Please review the VNS3 Support Plans and Contacts before sending support inquiries.


Firewall Considerations


VNS3 Controller instances use the following TCP and UDP ports.

• UDP port 1194 - For client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.

• UDP ports 1195-1203* - For tunnels between Controller peers; must be accessible from all peers in a given topology.

• TCP port 8000 - HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

• UDP port 500 - Used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

• UDP port 4500 or Protocol 50 (ESP)** - Protocol 50 is used for the phase 2 or ESP (Encapsulating Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500 is used for the phase 2 or ESP component of an IPsec VPN connection when using NAT-Traversal encapsulation.

* VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as they are not licensed for Controller Peering.
** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500.


Sizing Considerations


Image Size and Architecture

VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use case. We recommend that Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported, but performance will depend on the use case.

Clientpack Key Size

VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.


Remote Support


Note that TCP 22 (ssh) is not required for normal operations.

Each VNS3 Controller runs a restricted SSH daemon. Access is limited to Cohesive, for debugging purposes only, and is controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.


ElasticHosts Deployment Setup



ElasticHosts Configuration: Select VNS3 Template


Log in to your ElasticHosts account at the data center where you wish to run VNS3.

Below the “Control Panel” menu item there is a menu for “Add”. Click on “Add” and then select “Server (VM)”.

The “Add Server (VM)” dialogue menu will pop up.

Give your targeted VNS3 instance a name, at least 1 GB of memory and 10 GB of disk. Choose a type of “Pre-installed system” and then click on the “Image” drop-down menu, where you will find the “Free” edition as well as the “Full” or bring-your-own-license edition.

Select either the free edition or the full edition and click add.


ElasticHosts Configuration: Public IP Access


In ElasticHosts an instance can have a public IP on eth0 and a private VLAN IP on eth1. When you create a VLAN at ElasticHosts you don’t define a specific subnet mask. Clients launched with “eth1” connected to a VLAN must have addresses in the same subnet in their local configurations. This is very different from most cloud implementations, but incredibly flexible.

As a result, VNS3 can be used as an Internet Gateway, sitting at a private VLAN edge and providing NAT and port forwarding for the other devices in the private VLAN.

ElasticHosts instances can have dynamically assigned public IPs or static IPs. This choice is made at instance creation time.


Create an ElasticHosts Private VLAN


From the “Control panel” page, use the “Add” menu again, selecting “Private VLAN”.

On the “Control panel” page the selection will take you to a text box near a network graphic. The only configuration of the VLAN needed is to give it a “display name” for use when launching instances into it.

In this example the VLAN has been named “MyFavoriteVLAN”.


Launch a VNS3 Controller


After creating your server you can then configure it.

On the server configuration page you can set the display name of the instance, in this case “MyVNS3Controller”.

You can select from your available static public IPs shown in the pop up menu, or choose “Dynamic IP - Assigned at Boot” to get a public IP that is not static.

In the lower right corner there are “Advanced Options”. In this section you pick the Private VLAN that you want to connect this VNS3 Controller instance to. In the section marked “VLAN” use the drop-down menu to pick the VLAN for use, in this case “MyFavoriteVLAN”.

When complete you should start your VNS3 server. You should allow several minutes for first boot.


VNS3 Controller Log in


Log in to the VNS3 Web UI: https://<Controller IP>:8000

Default username: vnscubed
Default password for AWS deployments: the instance id (i-xxxxxxxx)
Default password for all other deployments: vnscubed

Reset your passwords:

• Reset the Web UI Password - Even though the instance id is unlikely to be “guessed”, please change it for security purposes.

• NOTE: Your VNS3 Controller answers API calls on the same port 8000 as the web interface runs on. Ideally, create a separate password for API usage against the Controller.

• Reset the API Password - Even though the instance id is unlikely to be “guessed”, please change it for security purposes; making it a different password from the web interface password is probably best.

• NOTE: Cohesive does not have any key access or remote access to your VNS3 Controllers unless provided by you. If you forget these passwords we cannot recover them for you.


Configure VNS3 for the VLAN


Before any other configuration steps of your VNS3 Controller you can configure it for the ElasticHosts Private VLAN.

Select the “Private VLAN” menu item under the “Admin” section. (Remember: at ElasticHosts the VLAN is defined “collectively” by the addresses assigned to the instances in the VLAN.) Please note that the instances in the VLAN should be configured with the same subnet mask.

In this case we are de facto making the VLAN a 192.168.10.0/24 subnet. This is done by setting an address for the VNS3 Controller’s private IP (192.168.10.1) and then setting a network mask for the entirety of the subnet (255.255.255.0, which translates to a /24).

Hit “Save and Reboot” and the VNS3 Controller will set up its internal “eth1” and reboot to properly initialize the interface and associated internal ACLs.


WARNING: Configure VNS3 before ElasticHosts servers


Do not configure the other ElasticHosts hosts/servers to use VNS3 as an Internet Gateway until the VNS3 server is fully configured with Private VLAN settings and Firewall rules for NAT-ing installed.

If you have public IPs temporarily assigned to your ElasticHosts VLAN hosts, and create a route to the VNS3 as the gateway to 0.0.0.0/0, you will most likely lose connectivity until the VNS3 configuration is complete, including port forwarding information to SSH or RDP into the VLAN host through the VNS3 Controller.


Configure ElasticHosts Hosts to use VNS3 as Internet Gateway


The following page on the ElasticHosts website describes the process for configuring ElasticHosts VLAN hosts: http://www.elastichosts.com/support/tutorials/set-up-a-vlan/

Using the in-browser VNC tool (the eye icon in the server), log into your other ElasticHosts server (as root in the Ubuntu server in this example).

Configure each server in the group to use the VLAN by running:

    ip link set eth1 up

Next, edit your interfaces file as follows (using the example addresses on the previous page):

    cat >> /etc/network/interfaces << EOL
    auto eth1
    iface eth1 inet static
    address 192.168.10.2
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255
    EOL


Restart the networking: /etc/init.d/networking restart

Run ifconfig again to see the eth1 output. The 192.168.10.2 address should be set.


Controller Initialization: Upload License


Paste the encrypted VNS3 license Cohesive emailed you in the first field. This license will configure the generic Controller.

If you are using a Free Edition Controller, you can request a Free Edition License from the Cohesive automated license tool by clicking the Free Edition License button.

Click Submit.

The resulting screen allows you to choose the VNS3 Overlay Network to be used by your cloud-based client servers. Choose between the subnet range that comes preconfigured with the license or a custom subnet defined by your specific topology needs. We recommend defining a custom Overlay Network Subnet that does not conflict or overlap with any subnet you plan on connecting to your VNS3 topology via IPsec VPC.

Click the Custom Radio button to specify a custom subnet range.

The required fields are an Overlay Subnet CIDR (defines the range of addresses that will be available to your Overlay Subnet), Controller IPs (each Controller is a member of the Overlay Subnet on the specific addresses defined), the “My Controller” VIP (an Overlay IP address used by the Controllers for peering and syncing), and Client IPs (the actual IPs that will be available for your cloud-based Overlay Subnet client servers).

Once you complete this step, the Controller instance will reboot itself and will come up with your specified topology enabled and running.

Click Submit and reboot.
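A pre-flight check for the custom Overlay Network form described above (an added example, not code from this guide or from Cohesive): the function applies the two constraints the text gives, no overlap with any subnet reached via the VLAN or IPsec and every Controller IP, VIP and client IP inside the overlay, and adds a duplicate-address check of its own. The overlay addresses in the usage are constructed for illustration.

```python
import ipaddress

def check_overlay(overlay_cidr, controller_ips, vip, client_ips, connected_cidrs):
    """Return a list of problems with a planned Overlay Network (empty list = OK).

    overlay_cidr     Overlay Subnet CIDR entered on the Custom form
    controller_ips   one Overlay IP per Controller
    vip              the "My Controller" VIP used for peering and syncing
    client_ips       Overlay IPs that become clientpacks
    connected_cidrs  every subnet the topology will reach via the VLAN or IPsec
    """
    problems = []
    try:
        overlay = ipaddress.ip_network(overlay_cidr, strict=True)
    except ValueError as exc:          # e.g. host bits set: 172.31.1.1/24
        return [f"bad overlay CIDR {overlay_cidr}: {exc}"]
    # 1. The overlay must not overlap anything it will be routed to; otherwise
    #    the Controller cannot tell overlay traffic from VLAN/IPsec traffic.
    for cidr in connected_cidrs:
        other = ipaddress.ip_network(cidr, strict=False)
        if overlay.overlaps(other):
            problems.append(f"overlay {overlay} overlaps connected subnet {other}")
    # 2. Every Controller IP, the VIP and every client IP must fall inside the overlay.
    labelled = ([("controller", ip) for ip in controller_ips] + [("vip", vip)]
                + [("client", ip) for ip in client_ips])
    for role, ip in labelled:
        if ipaddress.ip_address(ip) not in overlay:
            problems.append(f"{role} {ip} is outside overlay {overlay}")
    # 3. (Added check) No address may serve two roles; a client IP reused for a
    #    Controller or the VIP would make that clientpack unusable.
    seen = {}
    for role, ip in labelled:
        if ip in seen:
            problems.append(f"{ip} assigned to both {seen[ip]} and {role}")
        seen.setdefault(ip, role)
    return problems

if __name__ == "__main__":
    # Constructed plan: overlay 172.31.1.0/24 next to the guide's 192.168.10.0/24 VLAN.
    for p in check_overlay("172.31.1.0/24", ["172.31.1.1"], "172.31.1.254",
                           ["172.31.1.10"], ["192.168.10.0/24"]):
        print(p)
```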


Generate Keys on VNS3 Controller

The Controller is now configured to the License specs (how many Controllers it can peer with, how many clientpacks are available, and how many ipsec links are available).

The first step in Controller configuration is to generate the X.509 cryptographic keys associated with each Overlay Network IP called clientpacks. The clientpacks are used along with an SSL client (OpenVPN is recommended) to connect a client server to the Overlay Network using a specific IP address over an encrypted SSL tunnel.

Click Generate New under Overlay in the left column.

During key generation you can specify a Topology name to be displayed in the Controller UI for a given set of peered Controllers. This can be changed at anytime by clicking on the Topology Name under Admin in the left column menu.

Also specify a security token. This can be anything but record this for future use as Controller peering and configuration fetching will require you to enter this again.

Click the Generate keys link. The key generator will be started in the background, and you can refresh the screen to observe progress.



Configure VNS3 as Internet Gateway

In order to configure VNS3 as the Internet Gateway the following Firewall rules need to be entered. (The example continues assuming the VLAN is 192.168.10.0/24)

    # Allow traffic to/from the VLAN to this VNS3 Controller
    INPUT_CUST -s 192.168.10.0/24 -j ACCEPT
    OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT

    # NAT traffic from the VLAN that is using this VNS3 Controller as Internet Gateway
    MACRO_CUST -o eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE

    # Port forward traffic to my 192.168.10.2 host
    PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22

Assuming your VLAN host is like the example, at 192.168.10.2, and is accessible via SSH, then the firewall is now configured to NAT traffic for any VLAN host configured to use it as the Internet Gateway, and shows how to port forward traffic into the VLAN through the VNS3 Controller.
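The gateway rule set above, rendered from parameters so that additional port forwards follow the same pattern (an added example, not code from this guide or from Cohesive). Each forward is checked before a rule is emitted: the target must lie inside the VLAN, and the external port must not be one the Controller itself listens on (the ports from the Firewall Considerations section, since a DNAT on TCP 8000 or UDP 1194 would divert the Controller's own admin or VPN traffic). The rule syntax is copied from the guide; the check logic is this example's own.

```python
import ipaddress

# Ports the Controller itself listens on (Firewall Considerations page); a DNAT
# on one of these would steal the Controller's own VPN or admin traffic.
CONTROLLER_PORTS = {("tcp", 8000), ("udp", 1194), ("udp", 500), ("udp", 4500)}
CONTROLLER_PORTS |= {("udp", p) for p in range(1195, 1204)}

def forward_problem(vlan_cidr, forward):
    """Return None if the (proto, external_port, target_ip, target_port) tuple
    is a sane port-forward into the VLAN, else a string describing the problem."""
    proto, ext_port, target_ip, target_port = forward
    vlan = ipaddress.ip_network(vlan_cidr, strict=True)
    if proto not in ("tcp", "udp"):
        return f"unsupported protocol {proto!r}"
    for p in (ext_port, target_port):
        if not 1 <= int(p) <= 65535:
            return f"port {p} out of range"
    if ipaddress.ip_address(target_ip) not in vlan:
        return f"forward target {target_ip} is not inside VLAN {vlan}"
    if (proto, int(ext_port)) in CONTROLLER_PORTS:
        return f"{proto}/{ext_port} is used by the Controller itself"
    return None

def gateway_rules(vlan_cidr, wan_if="eth0", forwards=()):
    """Render the VNS3 firewall rules from the guide for a Controller acting as
    Internet Gateway for vlan_cidr, plus one DNAT rule per entry in forwards.
    Raises ValueError for a forward that fails forward_problem or reuses a port."""
    vlan = ipaddress.ip_network(vlan_cidr, strict=True)
    rules = [
        "# Allow traffic to/from the VLAN to this VNS3 Controller",
        f"INPUT_CUST -s {vlan} -j ACCEPT",
        f"OUTPUT_CUST -d {vlan} -j ACCEPT",
        "# NAT traffic from the VLAN that is using this VNS3 Controller as Internet Gateway",
        f"MACRO_CUST -o {wan_if} -s {vlan} -d 0.0.0.0/0 -j MASQUERADE",
    ]
    used = set()
    for fwd in forwards:
        problem = forward_problem(vlan_cidr, fwd)
        if problem:
            raise ValueError(problem)
        proto, ext_port, target_ip, target_port = fwd
        if (proto, int(ext_port)) in used:
            raise ValueError(f"{proto}/{ext_port} forwarded twice")
        used.add((proto, int(ext_port)))
        rules.append(f"# Port forward traffic to my {target_ip} host")
        rules.append(f"PREROUTING_CUST -i {wan_if} -p {proto} -s 0.0.0.0/0 "
                     f"--dport {ext_port} -j DNAT --to {target_ip}:{target_port}")
    return rules

if __name__ == "__main__":
    # The guide's example: VLAN 192.168.10.0/24, SSH to 192.168.10.2 exposed on port 33.
    print("\n".join(gateway_rules("192.168.10.0/24", "eth0",
                                  [("tcp", 33, "192.168.10.2", 22)])))
```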



Configure ElasticHosts Hosts to Route to VNS3 Controller

Enter a route on the ElasticHosts VLAN server, pointing to the VNS3 Controller’s private IP as the gateway to the Internet.

On the ElasticHosts host enter:

    ip route add 0.0.0.0/0 via 192.168.10.1

The Ubuntu server can now reach Internet resources even without a public IP attached to the ElasticHosts host.

Depending on the OS used in the cloud hosts, the route will need to be made persistent. This varies by operating system.


VNS3 Configuration Document Links



VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions - Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document - Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker Instructions - Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting - A troubleshooting document that explains the issues more commonly experienced with VNS3.

