
Client VPN to VMware vCloud Director 5.1
In VMware vCloud Director, there are two types of external networks: routed network and direct network.
When creating a direct network, a port is created on the VDS to which the virtual machine is connected directly.
When creating a routed network, a virtual router, vShield Edge, is created for each organization. It allows you to build a site-to-site VPN, publish services, forward ports to internal virtual machines, act as DHCP server, NAT and load balancer (and in 5.1 it can also be put in HA mode), and perform other useful router functions.
You can read more about it here.
From the vCloud Director interface you cannot configure a VPN for ordinary PCs to connect to, but sometimes this is needed, and in order not to install any server inside the organization (be it OpenVPN or MS TMG) you can configure vShield Edge to serve as the access server.
Only the vSphere administrator can configure this; the rights of the organization administrator in vCloud Director are not enough. Here I will show how to do it.
1) First you need to create Edge GW in your organization:

2) Go to vShield Manager, select the Datacenter where the organization is located, and select the required vShield Edge.

You can see that vShield Manager shows the id of the organization to which the vShield Edge belongs. This is done so that if you use the same name for several Edges you can tell which organization each one belongs to.
In the “interfaces” field you can see the number 3: this means that 3 networks are connected to this vShield Edge, one external from vSphere and two internal.
In the size field you can see that it is large. In version 5.1 you can deploy two sizes, compact and large; they differ in consumed resources and, accordingly, in the maximum load they can handle. More details can be read here.
3) Having chosen the desired router, go to the Network Virtualization tab, open the VPN tab in it and then the SSL VPN-Plus section.

4) In the Server Settings section, select the external IP and port that users will connect to. Several external IPs can be assigned to vShield Edge, so you need to choose one of them. You can also select the encryption method and the certificate; I will use the internal Edge certificate.

5) In the next tab we configure the IP pool from which addresses will be issued to clients connecting via VPN.
This IP pool must differ from the organization’s internal subnets used in vCloud Director. In the internal network, subnets 10.1.0.0/24 and 10.1.1.0/24 are configured, so for the IP pool I will specify 10.1.2.0/24.

Here you specify the pool to be issued, the netmask, and the gateway; the gateway is the address that will be assigned to the Edge.
6) In the “Private Networks” tab, add the network to which the connected clients will have access. In our case this is the 10.1.1.0/24 network. You must also choose how the traffic will go; by default it is SSL VPN over Tunnel.

There are three parameters. The first is how the traffic will go, through the tunnel or bypassing the tunnel; this one is self-explanatory.
The second parameter is responsible for TCP optimization; when enabled it helps to improve the data transfer rate.
The SSL VPN tunnel sends data at the second (network) level of the TCP/IP stack, which means that fourth (application) level data passing through the tunnel is encapsulated and decapsulated in two streams. This means that the classic TCP-over-TCP problem can occur: with packet loss the transmission speed drops sharply. Enabling the optimization checkbox solves this problem.
Finally, you need to specify the ports that will be open for VPN users; if you leave the field empty, all ports will be open.
7) The next step is authentication: you can select local, LDAP, AD, RSA-ACE or RADIUS. I choose local because I do not want to configure groups in AD. You can also configure password complexity and other parameters.
8) In the “Installation Package” section, the parameters of the application that will be installed on the local machine to connect to vShield Edge are specified.
Gateway is the external IP of the Edge to which you will connect; we selected it in step 4.
You can also choose which OS the client package will be built for: Windows, Linux or Mac OS.
9) If you chose local authentication in step 7, you must create the local user here.

10) The next point is “General settings” - in which you can configure:
11) The VPN settings are now finished; now you need to enable the service by clicking Enable on the main tab:

If everything is OK, we will see the message “Service enabled successfully!”
12) Follow the link IP_EDGE/sslvpn-plus and download the client to connect, where IP_EDGE is the external address of your vShield Edge (the one selected in step 4).
We will see the following window:

13) Log in under the account created earlier.
Download the distribution kit:

14) Install and launch the SSL VPN-Plus Client.


15) Enter the username and password to connect.


The connection was successful; check whether we got an IP:

As seen above, the IP was issued from the pool.
16) Now to access the internal subnet 10.1.0.0/24 you need to configure the rule on vShield Edge.

This completes the setup.
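As an added example (not from the original post and not VMware's code), here is an offline pre-flight check in Python for the values chosen in steps 5 and 6: it verifies that the client pool does not overlap the organization's internal subnets, that the pool gateway sits outside the issued range, that each private network is really an internal subnet, and it flags an empty ports field, since that opens every port to VPN users. The PLAN dict, its field names and the external IP placeholder are constructed assumptions, not a vShield data format.

```python
import ipaddress

# Constructed sample mirroring the post: internal networks 10.1.0.0/24 and
# 10.1.1.0/24, client pool 10.1.2.0/24 (gateway = Edge), private network
# 10.1.1.0/24 reachable over the tunnel. The external IP is a placeholder.
PLAN = {
    "server": {"external_ip": "EXTERNAL_IP_PLACEHOLDER", "port": 443},
    "internal_networks": ["10.1.0.0/24", "10.1.1.0/24"],
    "ip_pool": {"range": "10.1.2.2-10.1.2.254",
                "netmask": "255.255.255.0", "gateway": "10.1.2.1"},
    "private_networks": [
        {"network": "10.1.1.0/24", "over_tunnel": True, "ports": ""},
    ],
}


def check_plan(plan):
    """Return (severity, message) findings; an empty list means the plan is consistent."""
    findings = []
    pool = plan["ip_pool"]
    first, last = (ipaddress.ip_address(a) for a in pool["range"].split("-"))
    gw = ipaddress.ip_address(pool["gateway"])
    # Step 5: netmask + gateway define the pool subnet assigned on the Edge.
    pool_net = ipaddress.ip_network(f"{gw}/{pool['netmask']}", strict=False)
    if first not in pool_net or last not in pool_net:
        findings.append(("error", f"pool range {first}-{last} is outside {pool_net}"))
    if first <= gw <= last:
        findings.append(("error", f"gateway {gw} lies inside the client range"))
    # Step 5: the pool must not overlap any internal subnet of the organization.
    internal = [ipaddress.ip_network(n) for n in plan["internal_networks"]]
    for net in internal:
        if pool_net.overlaps(net):
            findings.append(("error", f"pool {pool_net} overlaps internal network {net}"))
    # Step 6: each private network should be an internal subnet; an empty
    # ports field means every port is reachable by VPN users.
    for pn in plan["private_networks"]:
        net = ipaddress.ip_network(pn["network"])
        if not any(net.subnet_of(i) for i in internal):
            findings.append(("warn", f"private network {net} is not an internal network"))
        if not pn.get("over_tunnel", True):
            findings.append(("info", f"{net}: traffic bypasses the tunnel (not via Edge)"))
        if not pn.get("ports"):
            findings.append(("warn", f"{net}: ports field empty, all ports open to VPN users"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_plan(PLAN) or [("ok", "plan is consistent")]:
        print(f"[{sev}] {msg}")
```

Run it against your own values before clicking Enable in step 11; with the post's values the only finding is the empty ports field.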
If there is interest, in the next post I can describe how to build a site-to-site VPN between a Cisco router and vShield Edge versions 5.0 - 5.1.
Well, if you have any questions, write below.