I’ve been testing a new platform at the day job for the last couple of days, as a user. The main part of this is that I do all the tests as if I were the end user (i.e. our customer). The platform is based on VMware’s vCloud Director 5.1. I’m working with our product team to get the platform ready to hand over to our customers, and filling in the gaps when it comes to requirements, documentation and any support needs.
One thing I was playing with today was the inbuilt VPN capability. The documentation from VMware here, if I am honest, is quite incomplete. Even as a seasoned VMware user, I found some elements confusing. So the documentation for this element was, how do I put it… minimal (read: missing all the needed info). I assume it’s because they’re assuming you’ll be connecting it to another vShield Edge device, so their defaults would just work.
I was working with my physical test lab to simulate a customer’s existing hosted solution, i.e. a rack of equipment in their data centre. The firewall I was using was an old FortiGate 200A; however, it is running the latest v4 FortiOS, so this should be the same for any Fortinet firewall running v4 (v3 would be very, very similar, if you still have that out there).
So, let’s assume the following:
vOrg network: 192.168.15.0/24
vShield Edge IP: 188.8.131.52.1
All devices NATed behind the Edge device.

Legacy network: 10.30.3.0/24
FortiGate IP: 184.108.40.206.1
All devices NATed behind the FortiGate.
Log in to the vCD portal, go to your vOrg network settings, and right-click the network you want to configure for VPN access.
Go to the VPN tab and, if it is not already enabled, enable the VPN service. Then select New.
Change the “Establish VPN to” to External Network.
Fill out the following:
Name: your choice.
Description: your choice.
Local Networks: LS-Network2 (this matches 192.168.15.0/24). I chose the network that matched my requirements; yours will differ, and you’ll need to make the corresponding changes throughout.
Peer Networks: 10.30.3.0/24.
VPN Endpoint: the vShield Edge device you’re going to terminate the VPN on.
Local ID: your choice; it just needs to match what you configure on the firewall.
Peer ID: your choice; it just needs to match what you configure on the firewall.
Peer IP: the public IP of your other firewall. For me it was 220.127.116.11.
Encryption Protocol: your preference; AES256 is a sane default.
Shared Key: your choice; it just needs to match what you configure on the firewall. Make it long and random, since with a pre-shared key this is the only thing authenticating the two peers.
The rest: I left as default.
This left me asking some questions, i.e. what the other settings were going to be, such as authentication method, DH group, PFS, key lifetime, etc. None of this is listed in the documentation/user guide.
Anyway, to continue, you need to add a firewall rule on the Edge to allow communication between the two environments. Something like the below, but again, adapt it to your requirements.
Moving on to the FortiGate. This took a while to work out, as basically I had to configure the VPN, wait for the Edge device to try to bring up the VPN to see what it was proposing, and then set the FortiGate to match (read: a complete PITA). However, now that’s been done, hopefully this will help someone.
Go to your VPN settings and add a new Phase 1.
The settings here:
Name: your choice.
Remote Gateway: Static IP Address.
IP Address: the Edge device’s IP. Mine was 18.104.22.168.
Local Interface: your internet-facing interface.
Mode: I chose Main, but this can be your preference. (Main mode is the safer choice with a pre-shared key: aggressive mode sends the PSK-derived identity hash unencrypted, where it can be captured and cracked offline.)
Pre-shared Key: what you made up in the earlier steps.
Enable interface mode (this makes life a lot easier for firewall rules).
IKE Version: 1.
Local Gateway IP: I chose Main Interface IP; your config may differ.
Encryption: whatever you chose earlier. AES256 for me.
Authentication: SHA1. (Not documented anywhere.)
DH Group: 2. (Not documented anywhere. Group 2 is 1024-bit MODP, the weakest setting in this list, but it is what the Edge proposes, so the FortiGate has to match it.)
Keylife: 28800 seconds. (Not documented anywhere.)
DPD: Disabled. The Edge device didn’t seem to respond to DPD probes, so the FortiGate tore the tunnel down. (Not documented anywhere. Without DPD the FortiGate won’t notice a dead peer until the SA expires, so expect a longer outage if the Edge goes away.)
Then add a new Phase 2 with the following settings:
Name: your choice.
Phase 1: select the one you configured above.
Encryption: AES256 (unless you chose differently above).
Authentication: SHA1. (Not documented anywhere.)
DH Group: 2. (Not documented anywhere. Setting a DH group here means PFS is enabled, so each Phase 2 rekey does a fresh Diffie-Hellman exchange.)
Keylife: 1800 seconds. (Not documented anywhere.)
Source Address: 10.30.3.0/24 (change this to match your network).
Destination Address: 192.168.15.0/24 (match your vOrg network).
The rest: default.
Next, create the firewall policies: incoming and outgoing for the VPN interface. I won’t go into details here, as if you’re reading this I expect you’ll know how to add a policy.
Static route. You’ll need to create a static route for the remote network pointing at the VPN interface, so traffic is routed into the tunnel. Interestingly, you didn’t need to do this on the Edge config.
Go to Router > Static > Create New. Something like the below, amended to your network.
Once this is done, the VPN should come up. If it doesn’t, the usual cause is a Phase 1 or Phase 2 proposal mismatch; the settings on both sides have to match exactly.
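For reference, here is the whole FortiGate side of the procedure above as a FortiOS 4.x CLI script, so it can be pasted in or diffed against what the GUI produced. This is an added example, not from the original post: the interface names wan1 and internal, the object names vcd-edge, vcd-edge-p2, legacy-lan and vorg-net, and the placeholders for the Edge public IP, IDs and shared key are assumptions to be replaced with your own values. The policies are scoped to the two subnets rather than to "all", which is my choice, not something the post specifies.

```fortios
# Added example (not from the original post): FortiOS 4.x CLI for the GUI steps above.
# Assumed names: WAN interface "wan1", LAN interface "internal"; replace the
# <...> placeholders with your Edge public IP, the IDs and the PSK you chose in vCD.

# Phase 1: must match what the vShield Edge proposes (IKEv1, main mode, AES256,
# SHA1, DH group 2, 28800 s lifetime). Interface mode creates a routable tunnel
# interface named after the Phase 1, which the route and policies refer to.
config vpn ipsec phase1-interface
    edit "vcd-edge"
        set interface "wan1"
        set type static
        set ike-version 1
        set mode main
        set remote-gw <EDGE_PUBLIC_IP>
        set localid "<LOCAL_ID>"
        set peertype one
        set peerid "<PEER_ID>"
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        set dpd disable
        set psksecret "<SHARED_KEY>"
    next
end

# Phase 2: same cipher and hash, PFS with DH group 2, 1800 s lifetime,
# and selectors limited to the legacy LAN and the vOrg network.
config vpn ipsec phase2-interface
    edit "vcd-edge-p2"
        set phase1name "vcd-edge"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set keylife-type seconds
        set keylifeseconds 1800
        set src-subnet 10.30.3.0 255.255.255.0
        set dst-subnet 192.168.15.0 255.255.255.0
    next
end

# Address objects used by the policies below.
config firewall address
    edit "legacy-lan"
        set subnet 10.30.3.0 255.255.255.0
    next
    edit "vorg-net"
        set subnet 192.168.15.0 255.255.255.0
    next
end

# Static route: send the vOrg network down the tunnel interface.
config router static
    edit 0
        set dst 192.168.15.0 255.255.255.0
        set device "vcd-edge"
    next
end

# Policies, one per direction, limited to the two subnets rather than "all".
# "ANY" is the v4 name of the any-service object (it became "ALL" in 5.x).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "vcd-edge"
        set srcaddr "legacy-lan"
        set dstaddr "vorg-net"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "vcd-edge"
        set dstintf "internal"
        set srcaddr "vorg-net"
        set dstaddr "legacy-lan"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

To check the result, `diagnose vpn ike gateway list` shows the Phase 1 state and `diagnose vpn tunnel list` the Phase 2 SAs and their selectors. To see what the Edge is actually proposing (the step that cost the most time above), run `diagnose debug application ike -1` followed by `diagnose debug enable`, then let the Edge initiate; the IKE log prints the peer’s transform (cipher, hash, DH group and lifetime) so you can match it rather than guess. Turn it off afterwards with `diagnose debug disable`.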