© 2016

AWS VPC ConfigurationAWS VPC Setup for VNS3 2016

© 2016

Table of Contents

2

Introduction 3

Step 1: VPC Deployment Setup 9Step 2: Launching a VNS3 Controller Instance

12

VNS3 Configuration Document Links 14

© 2016

Requirements

3

© 2016

Requirements

4

•You have an AWS account that Cohesive can use for enabling your access to the VNS3 Controller AMIs (via DevPay, AWS Marketplace, or private Image permissions).

•Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

•You have a compliant IPsec firewall/router networking device:

Preferred  Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta. Best Effort  Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5. *Known Exclusions  Checkpoint R65+ requires native IPSec connections as Checkpoint does not conform to NAT-Traversal Standards and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.

© 2016

Getting Help with VNS3

5

Using VPC with VNS3 adds a layer of complexity. This guide covers a generic VNS3 setup. If you need specific help with project planning, POCs, or audits, contact our professional services team via sales@cohesive.net for details.

This guide uses Cisco’s Adaptive Security Device Controller UI. Setting up your IPsec Extranet device may have a different user experience than what is shown here. All the information entered in this guide will be same regardless of your UI or cmd line setup.

Please review the VNS3 Support Plans and Contacts before sending support inquiries.

© 2016

Firewall Considerations

6

VNS3 Controller instances use the following TCP and UDP ports.

• UDP port 1194 For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients.

• UDP 1195-1203*For tunnels between Controller peers; must be accessible from all peers in a given topology.

• TCP port 8000 HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

• UDP port 500UDP port 500 is used the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

• UDP port 4500 or Protocol 50 (ESP)Protocol 50 is used for phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500 is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation.

*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering. ** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500

© 2016

Address Considerations

7

Restrictions The VPC CIDR and VPC Subnets cannot not overlap with the VNS3 Overlay Network Subnet.

VPCVPC deployments are launched in a VPC CIDR. That VPC CIDR can be split up into multiple subnets, private or public. All servers launched in a VPC are launched in one of the subnets created.

VNS3VNS3 provides an encrypted subnet in addition to the VPC subnets. Servers that are configured to join the VNS3 encrypted Overlay Network do so via OpenVPN connections using the VNS3 generated Client Packs. Each Client Pack is tied to a specific Overlay Network Address

When Peering VNS3 Controllers between two VPCs or one VPC and generic EC2, all Client Servers must connect to the Overlay Network via clientpacks and OpenVPN. Contact support@cohesive.net for more information.

VPC Subnets (eth0) Not Encrypted OpenVPN is not required on Client Servers Clients Packs are not required on Client Servers Cannot join generic EC2 directly (public Internet connection required) No Additional Overhead

VNS3 Overlay Network Subnet (tun0) Encrypted OpenVPN is required on Client Servers Client Packs are required on Client Servers Can join generic EC2 services directly (OpenVPN or Peer Controller required) Additional Overhead (minimal)

© 2016

Sizing Considerations

8

Image Size and Architecture

VNS3 Controller Images are available as 64bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the performance will depend on the use-case.

Clientpack Key Size

VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.

© 2016

Remote Support

9

Note that TCP 22 (ssh) is not required for normal operations.

Each VNS3 Controller is running a restricted SSH daemon, with access limited only to Cohesive for debugging purposes controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.

© 2016

Step 1: VPC Deployment Setup

10

© 2016

Create a VPC From the VPC Wizard

11

Create a VPC from the VPC tab at the top of the AWS Console.

Click Start VPC Wizard or Click Get Started in your VPC Dashboard.

Choose either VPC with a Single Public Subnet Only or VPC with Public and Private Subnets. The other two choices will not work with VNS3.

For this example we choose VPC with a Single Public Subnet Only.

You can leave the default values in for the VPC CIDR and VPC Subnet or edit them to fit your addressing requirements. For this example we use 173.31.2.0/24 for the VPC CIDR and 173.31.2.0/25 for the Public Subnet.

Remember the VPC CIDR and VPC Subnets must not overlap with the VNS3 Overlay Network Subnet.

Click Create VPC.

The VPC Wizard creates the VPC, the Subnet, Network ACL, Internet Gateway, 2 Routing Tables, and a Security Group.

Note: More complex VPC deployments can be setup (more than one VPC Subnet inside a VPC CIDR but the VNS3 Controller must be launched in a Public VPC Subnet.

© 2016

Inbound and Outbound VPC ACL Setup

12

Click Network ACLs in the left column menu under the SECURITY section.

Select the ACL created by the VPC Wizard.

The default settings allow all ports on all protocols from all destinations for both inbound and outbound connections. This due to our selection of a Public Subnet when setting up the VPC. It is recommended you leave the ACLs open during initial configuration of your deployment. Once all connections are established and tested you can lock down the ACL based on the Firewall Considerations outlined on page 6 by deleting the default Rule #100 and adding specific ALLOW rules.

© 2016

VPC Security Group Setup Option 1: Default Group

13

Configure Security Groups from the VPC AWS Console.

Click Security Groups in the left column menu under the SECURITY section. Select the Security Group created by the VPC Wizard.

The default settings allow inbound connections on all ports from servers launched in the VPC security group and allow outbound connections on all ports to all routes (0.0.0.0/0). Again, this due to our selection of a Public Subnet when setting up the VPC. It is your choice to leave the default Outgoing rules or modify based on your use case.

From the Inbound tab, click Edit to update the following exceptions:

•TCP port 8000 from your public IP (you can find your IP address by navigating to http://whatismyip.com)

•UDP port 500 from the IP of your Datacenter-based IPsec Device

•Custom Protocol Rule for ESP (50) from IP of your Datacenter-based IPsec Device

Optional Inbound Exceptions:

•UDP port 4500 from the IP of your Datacenter-based IPsec Device (only required if you will use NAT-Traversal encapsulation)

•TCP port 8000 from the Elastic IP of the Controller in the other VPC deployment (only required for deployments across multiple VPCs or between VPC and EC2)

•UDP ports 1195-1197 from the Elastic IP of the Controller in the other VPC deployment or EC2 (only required for deployments across multiple VPCs or between VPC and EC2)

Click Save.

© 2016

VPC Security Group Setup Option 2: Multiple Security Groups

14

An alternative to just using the default security group setup by the VPC wizard is to separate the Controllers from the Client Servers. To do this we recommend creating two groups inside the already created VPC: vns3-mgr and vns3-client. Note: no rules are needed in the vns3-client group by default.

Select the vns3-mgr group to Edit the following inbound exceptions:

•TCP port 8000 from your public IP (you can find your IP address by navigating to http://whatismyip.com)

•TCP port 8000 from the vns3-mgr Security Group ID (for Peering if needed)

•UDP port 1195-1197 from the vns3-mgr Security Group ID (for Peering if needed)

•UDP port 500 from the IP of your Datacenter-based IPsec Device

•Custom Protocol Rule for ESP/Protocol 50 from the IP of your Datacenter-based IPsec Device

Optional Inbound Exceptions:

•UDP port 1194 from the vns3-client Security Group ID if you plan on using the Overlay Network (see page 6).

•UDP ports 1195-1197 from the Elastic IP of the Controller in the other VPC deployment (required for peering) if you are deploying the Overlay Network across multiple VPCs.

•UDP port 4500 from the IP of your Datacenter-based IPsec Device if you plan on using NAT-Traversal encapsulation for your IPsec connection. In this guide we disable NAT-Traversal on the Controller.

Click Apply Rule Changes.

© 2016

Step 2: Launching a VNS3 Controller Instance

15

© 2016

Launch a VNS3 Controller

16

Switch to the EC2 tab at the top of the AWS Console.

Click AMIs in the left column menu under the IMAGES section.

Launch a VNS3 instance using the AMI ID supplied by Cohesive.

Be sure to launch the Instance in the VPC and the VPC security group that was created using the VPC Wizard.

NOTE: On Step 3: Configure Instance Details, in the Launch Wizard you can specify a particular IP Address for the Controller Instance on the VPC Subnet that was created using the VPC Wizard. AWS will automatically assign an IP inside the VPC Subnet if this field is left blank (as we did for this example).

© 2016

Disable Source/Destination Check on the Controller Instance

17

Once the Controller Instance is launched, you will need to disable the Source/Destination check on the instance. This step is required so the Controller instance is allowed to forward packets to the client servers. If this is not disabled the Controller will not be able to route traffic appropriately.

To Disable select the Controller Instance the click Instance Actions.

Click Change Source/Dest. Check.

Click Yes, Disable.

© 2016

Create a VPC Specific Elastic IP and Assign to the Controller Instance

18

Switch back to the VPC tab at the top of the AWS Console.

Click Elastic IPs in the left column menu under the Network & Security section.

Click Allocate New Address and select the Elastic IP be used in VPC.

Click Yes, Allocate. Click Close.

Associate the Elastic IP Address with your VNS3 Controller Instance by clicking Associate Address.

Select your VNS3 Controller Instance and click Yes, Associate.

Associating an Elastic IP with your VNS3 Controller Instance will make the instance publicly available so you can log into the Controller Web UI to configure your Overlay Network and setup IPsec connections.

Repeat steps outlined on pages 9-14 to create a second VPC deployment. We recommend using different VPC CIDR for each VPC deployment.

© 2016

VNS3 Configuration Document Links

19

© 2016

VNS3 Configuration Document Links

20

VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include, initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker InstructionsExplains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting Troubleshooting document that provides explanation issues that are more commonly experienced with VNS3.