Today we will explain how to build a site-to-site VPN connection using vShield Edge in the vCloud Director panel. At the end, we will tell you about the new features that have appeared in CloudLITE this week, summer prices and discounts. Read to the end.

In place of a preface
A Virtual Private Network (VPN) lets you build virtual (logical) connections "on top" of other networks (the Internet, for example). To protect data from outsiders (there are ways to intercept messages between VPN nodes), VPNs use encryption, authentication, public key infrastructure, and mechanisms that protect messages sent over the logical network against replay and modification. These mechanisms, in turn, rely on cryptographic algorithms, of which there are now a great many.
By access type, VPNs can be divided into 2 groups: site-to-site and remote access. The first is used when one local network needs access to another, for example, a connection between the main office, an office and a commercial data center / cloud. The second type means that a single host accesses the local network, for example, a separate device connects to the office network. This is the situation where an employee works from home on a mobile device.
A huge number of devices and software products can build VPN connections. It can be a Cisco router or a server running FreeBSD. In our case today, the VPN nodes are the vShield Edge gateways of two organizations located in different clouds.
Instructions
First, we set up everything on the side of the organization located in the CloudLITE cloud.
1. In the vCloud Director control panel, go to the Administration section and click the virtual data center. In the Edge Gateway Services tab, select the desired vShield Edge. Right-click it and select Edge Gateway Services.

2. In the new window, go to the VPN tab and activate VPN with the Enable VPN checkbox. To create a new tunnel, click the Add button.

3. Using the Configure Public IP button, you can change the external IP that is allocated from the default pool to another one.

4. In the Add a Site-to-Site VPN configuration window, set the name (Name) of the VPN and a description (Description), if required.
In the Establish VPN to field, select a remote network, since the VPN Gateway (the second vShield Edge) is located on another local network.
In the Local Networks field, specify the local network that will participate in the VPN connection and that is connected to the Edge.
In the Peer Networks field, specify in CIDR format (for example, 192.168.10.0/24) the internal network connected to the endpoint to which we are setting up the VPN.
In the Local Endpoint field, select the external network (Internet) through which we will connect from our organization to the other one. In our case it can be cloudlite-Internet or cloudlite-internet 2.
In the Local ID field, specify the external IP address of our vShield Edge, which is used to create the VPN connection.
In the Peer ID field, specify the external IP address of the remote VPN Gateway.

Scroll down and fill in the remaining fields.
In the Peer IP field, set the external IP address of the VPN Gateway (in our case, the Edge of the other organization).
In the Encryption protocol list, select the encryption protocol (AES-256, AES, 3DES).
Tick the Show key checkbox. Copy this key: we will need it for the settings on the receiving side of the VPN tunnel.
In the MTU field, change the default packet size if necessary.

5. Click OK. Everything is now configured on our CloudLITE side. The created VPN tunnel appears in Edge Gateway Services in the VPN tab.

6. Now similar settings need to be made on the receiving side.
In the settings of the second vShield Edge, located in a different cloud, we do everything the same as in the first stage, except that all the parameters that were Peer now become Local, and vice versa.

7. Paste the key that we copied earlier.
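As an added example (not part of the original article and not vCloud Director code), the following Python check compares the values entered on both sides against the mirroring rule from steps 6 and 7: Local and Peer values swapped, identical encryption protocol, key and MTU. The names TunnelSide and check_mirror are hypothetical, the addresses and key are constructed sample values, and the script only compares values you type in; it does not talk to vCloud Director.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class TunnelSide:
    # Field names follow the "Add a Site-to-Site VPN configuration" window.
    local_networks: list
    peer_networks: list
    local_id: str
    peer_id: str
    peer_ip: str
    encryption: str
    shared_key: str
    mtu: int

def nets(cidrs):
    # strict=True rejects entries such as 192.168.10.1/24 (host bits set).
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}

def check_mirror(a, b):
    """Return a list of mismatches; an empty list means side B mirrors side A."""
    try:
        a_loc, a_peer = nets(a.local_networks), nets(a.peer_networks)
        b_loc, b_peer = nets(b.local_networks), nets(b.peer_networks)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    problems = []
    if a_loc != b_peer or a_peer != b_loc:
        problems.append("Local Networks / Peer Networks are not swapped")
    if any(x.overlaps(y) for x in a_loc for y in a_peer):
        problems.append("local and peer subnets overlap")
    if (a.local_id, a.peer_id) != (b.peer_id, b.local_id):
        problems.append("Local ID / Peer ID are not swapped")
    # In this walkthrough the ID and the Peer IP are both the gateway's external address.
    if a.peer_ip != b.local_id or b.peer_ip != a.local_id:
        problems.append("Peer IP does not match the other side's external address")
    if a.encryption != b.encryption:
        problems.append("Encryption protocol differs")
    if not hmac.compare_digest(a.shared_key.encode(), b.shared_key.encode()):
        problems.append("shared key differs")
    if a.mtu != b.mtu:
        problems.append("MTU differs")
    return problems

# Constructed sample values (documentation address ranges, placeholder key).
SIDE_A = TunnelSide(["192.168.20.0/24"], ["192.168.10.0/24"], "203.0.113.10",
                    "198.51.100.20", "198.51.100.20", "AES-256", "EXAMPLE-KEY", 1500)
SIDE_B = TunnelSide(["192.168.10.0/24"], ["192.168.20.0/24"], "198.51.100.20",
                    "203.0.113.10", "203.0.113.10", "AES-256", "EXAMPLE-KEY", 1500)

if __name__ == "__main__":
    print(check_mirror(SIDE_A, SIDE_B) or "sides mirror each other")
```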

For clarity, the resulting scheme can be represented as follows:

That's all. Ask your questions in the comments. If you find an inaccuracy or error, please send a private message.
You can go and try to put the theory into practice in the CloudLITE service (there is a test period for experiments).
Service news:
1. Starting this week, you can register and pay for your resources as a legal entity, with everything that entails: non-cash bank transfer and originals of closing documents. Read more about how to do this here.
2. We have reduced prices for fixed tariffs (a discount of over 40%). So far the promotion has no end date, but I can say for sure that it will not last long :).
3. The promotion that doubles your payments is ending. It will definitely not run in August.
4. On the other hand, the “Bring a friend, get 300 rubles” promotion will continue until August 10. In light of the temporarily low prices, it is especially tempting.