VPN-Cubed Datacenter Connect Flexiant Trial Edition

possibledisastrous, Security

9 Dec 2013 (3 years and 8 months ago)

166 views

Copyright 2011 - CohesiveFT
VPN-Cubed Datacenter Connect Flexiant Trial Edition (page 1)
v201103
Monday, June 11, 2012
Requirements (page 2)
You have a Flexiscale account or are an Extility licensee.
You have agreed to the terms of service provided for the VPN-Cubed Manager
Server Images.
Ability to configure a client (whether desktop based or cloud based) to use
OpenVPN client software. We will provide pointers and support for the major
distributions.
You have a compliant IPsec firewall/router networking device:
- Preferred: Cisco ASA
- Validated: Cisco 1800, Cisco PIX, Juniper JunOS models, Fortigate (3 years old or less), Watchguard Firebox (3 years old or less)
- Best Effort: any IPsec device that supports IKEv1 or IKEv2, AES256 or AES128 or 3DES, SHA1 or MD5, AND NAT-Traversal
- Will Not Work: Checkpoint
Getting Help with VPN-Cubed (page 3)
This guide uses Cisco's Adaptive Security Device Manager UI. Setting up your IPsec Extranet device may have a different user experience than what is shown here. All the information entered in this guide will be the same regardless of your UI or command-line setup.
Use our community forums for all support inquiries: http://getsatisfaction.com/cohesiveft
For more complex topologies and live support contact sales@cohesiveft.com
Your Configuration Begins Here! (page 4)
VPN-Cubed Datacenter Connect allows you to build a virtual overlay network in the cloud, connected to your datacenter via IPsec. (page 5)
A VPN-Cubed Datacenter Connect Free Edition topology is built from a VPN-Cubed Manager/IPsec Gateway appliance in Flexiscale that provides a secure and controllable overlay network for your cloud-based servers.
Your datacenter extranet solution (Cisco ASA, Cisco PIX, Juniper NetScreen) will connect to the VPN-Cubed Manager in the cloud, which contains the IPsec Gateway module.
If a more complex overlay network is needed, multiple topologies can be connected to provide a redundant, geographically distributed network.
Interested in learning more about more complex VPN-Cubed configurations? Contact us at sales@cohesiveft.com.
[Diagram: Flexiscale or Extility client servers connected through the VPN-Cubed Manager to the datacenter]
Firewall Considerations (page 6)
Flexiscale's VLAN and Firewalls are set up on a per-VDC (virtual datacenter) basis. All servers launched in the same VDC can communicate freely with one another on all ports. The recommended standard is to use the same VDC for the clients and Manager in a given topology. If you want to set up multiple VDCs for a single topology, additional firewall rules will have to be added. Contact support@cohesiveft.com for more information.
The VPN-Cubed Manager instance uses the following TCP and UDP ports:
- UDP 1194 (handled via VDC setup - no additional firewall rules needed): for client VPN connections; must be accessible from all servers that will join the VPN-Cubed topology as clients.
- UDP 1195-1197 (handled via VDC setup - no additional firewall rules needed): for tunnels between manager peers; must be accessible from all peers in a given topology.
- TCP 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the managers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
- UDP 500 and 4500: used for IPsec NAT-Traversal and need to be configured in your IPsec device. They allow the Manager to initiate a connection to your IPsec device.
Access Considerations (page 7)
Note that TCP 22 (ssh) is not required for normal operations.
Each VPN-Cubed Manager is running a restricted SSH daemon, with access limited only to
CohesiveFT for debugging purposes - if remote support from CohesiveFT is desired.
In the event CohesiveFT needs to observe runtime state of a VPN-Cubed Manager in response
to a tech support request, we will ask you to open Security Group access to SSH from our
support IP range and Enable Remote Support via the Web UI. In this scenario CohesiveFT has
credentials to log in, while you control whether network access to the VPN-Cubed manager is
available to CohesiveFT.
Create a New VDC (page 8)
Both the Manager and the Clients will be launched in the same VDC. Traffic within a VDC VLAN is secure but freely routable, making firewall setup easier. Contact support@cohesiveft.com for more information on multiple VDC topologies.
Click the VDCs tab.
Click New virtual data centre.
Name the VDC; in this example we use Overlay Network A.
Click Create virtual data centre.
Create a new Network for the VDC (page 9)
Flexiant provides each customer with their own VLAN, which gives them their own virtual network. VLANs can be set up as public or private, and servers can be assigned more than one IP address. This guide uses a public VLAN in the setup of the Overlay Network. If you would like more information on private and public VLAN setup, contact support@cohesiveft.com.
Click the Networks tab.
Click New VLAN.
Select the recently created VDC from the drop-down menu; in this example we use Overlay Network A.
Click Create VLAN.
Launch the VPN-Cubed Datacenter Connect Manager (page 10)
Launch a VPN-Cubed Datacenter Connect Server.
Click the Servers tab.
Click New Server.
On the resulting page:
- Name the Server
- Specify the recently created VDC
- Specify the recently created VLAN
- Choose the CFT VPN-Cubed Datacenter Connect Free Edition Base Image
- Choose the CPU/RAM setting for your topology. VPN-Cubed Datacenter Connect Free Edition currently supports single CPU configurations only.
Click Create Server.
The server is created but not running.
Click Start to launch the Manager.
Create the Manager Firewall (page 11)
Flexiscale firewalls allow for default policy settings for inbound and outbound connections. This guide describes the steps required when using REJECT for the inbound/outbound default policies on all servers in the Overlay Network. This setup starts with the most secure settings and adds exception rules to open ports as needed.
NOTE: A topology may need additional rule exceptions beyond those detailed here.
Click the Firewalls tab.
Click New Firewall.
In the popup window:
- Choose the Manager's VDC
- Choose the Manager's IP Address
- Select REJECT for the Default Inbound Policy
- Select REJECT for the Default Outbound Policy
Click Create Firewall.
Create Exception Rules on the Manager Firewall (page 12)
Exception Rules will need to be added in order to access the Manager UI via TCP port 8000 and to establish an IPsec connection via UDP ports 500 and 4500.
Click Manage next to the Manager Firewall.
Add the following Incoming Rules:
- Manager UI IN - TCP port 8000 from your IP Address
- IPsec 1 IN - UDP port 500 from your IPsec Device IP Address
- IPsec 2 IN - UDP port 4500 from your IPsec Device IP Address
Add the following Outgoing Rules:
- Manager UI OUT - TCP port 8000 from your IP Address
- IPsec 1 OUT - UDP port 500 from your IPsec Device IP Address
- IPsec 2 OUT - UDP port 4500 from your IPsec Device IP Address
The Manager is now launched and ready for configuration.
Logging in and Configuring the Manager (page 13)
VPN-Cubed Manager UI - https://[Manager IP]:8000/
In order to have an encrypted connection to the VPN-Cubed Manager, the manager uses HTTPS with a self-signed certificate generated on each manager individually on boot. You may need to add a security exception in your browser.
Log in to the Manager using “vpncubed” as both the username and password. Change the default password after the first login.
The VPN-Cubed Datacenter Connect Free Edition comes pre-loaded with a license. This license restricts the Free Edition Manager to only allow 5 cloud machines to join the overlay network and restricts the cloud subnet to 172.31.1.X. If you are interested in additional client packs (adding more cloud devices to the overlay network) or a different subnet, please contact us at sales@cohesiveft.com.
Generate Keys on VPN-Cubed Manager (page 14)
The Datacenter Connect Free Edition Manager comes pre-configured to the purchased specs (how many managers it can peer with, how many clientpacks are available, how many IPsec links are available, and the default subnet in Flexiant of 172.31.1.X).
Click Generate New under SSL Certs and Keys in the left column.
Enter a security token in the second field. This can be anything and is used for client pack generation and manager peering.
Click the Generate keys link. The key generator will be started in the background, and you can refresh the screen to observe progress.
This process will generate the client credentials that will be loaded onto the devices you wish to connect to the VPN-Cubed overlay network.
Peering the Manager - Important Step! (page 15)
Manager Peering is used in more complex VPN-Cubed deployments: users can peer two VPN-Cubed Managers together to create a redundant, highly available and secure cloud connectivity solution. For more information on custom enterprise configurations contact us at sales@cohesiveft.com.
Select this instance.
Click Save changes.
You should then get a status page showing that the manager's routing is configured and started.
VPN-Cubed Manager Status (page 16)
The VPN-Cubed Manager is ready to set up an IPsec Tunnel. The VPN-Cubed Manager will show no links to other managers, no connected clients, no subnets available, and no detected tunnel data.
Click IPsec under the Peering left menu heading.
On the resulting IPsec page, note the Configuration Settings needed for configuration.
Click Define new remote endpoint.
VPN-Cubed Manager Setup: Define a New Remote Endpoint (page 17)
Enter a descriptive name for the Endpoint configuration; this can be anything.
Occasionally there is another router between the IPsec firewall and the Internet. Enter the public-facing IP address of either the IPsec device or the router between Flexiant and the IPsec device (see picture below).
Enter a Pre-shared Key and keep a record of that key to be entered into the IPsec device. In this example we use “VPNCubedRocks” for obvious reasons.
If your IPsec device is behind a router, enter the external IP interface of the IPsec device (see picture below).
Click Create. On the resulting page click New subnet.
Extra Config Parameters:
We recommend connecting to the Manager with tunnels using AES256 encryption and SHA authentication for both IKE and ESP. Add the lines shown to the right: ike=aes256-sha1 and esp=aes256-sha1.
Extra Configuration Parameters information can be found on the following page.
[Diagram: Flexiscale client servers and the datacenter IPsec device]
IPsec Configuration: Extra Parameters (page 18)
VPN-Cubed's IPsec subsystem is good at autodiscovery of IKE and ESP choices with a wide range of boxes, but we recommend being as specific as possible when entering tunnel parameters. Match the algorithm, hash and Diffie-Hellman group of your gateway settings by specifying them in the "Extra Params" text field. We support combinations of the algorithms 3DES, AES128 or AES256; the hashes SHA1 or MD5; and DH groups 2 or 5 (which are represented by the software we use as "modp1024" and "modp1536" respectively).
Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box:
ike=aes128-sha1
ike=aes256-sha1
ike=3des-md5-modp1024
ike=aes256-sha1-modp1536
esp=aes256-sha1
esp=3des-sha1
(A "modpxxxx" group cannot be used in the esp parameter; the second DH group in an IPsec gateway setup is really for the PFS setting.)
PFS Group
pfsgroup=modp1024 or pfsgroup=modp1536 (for use when PFS is enabled and you are still getting PFS-related connection complaints; SOMETIMES you have to be explicit about the DH group, but the vast majority of the time you don't.)
IKE and ESP Lifetimes
ikelifetime=3600 (default setting on VPN-Cubed)
salifetime=28800 (default setting on VPN-Cubed)
Dead Peer Detection - disabled by default. To enable DPD so that the Manager attempts to re-connect during periods of no response, use the following:
dpdaction=restart
dpddelay=30
dpdtimeout=90
VPN-Cubed Manager Setup: Set Up a Subnet (page 19)
Enter the subnet to be used for the Flexiant instances. In this example we used 192.168.3.0/24.
Click “create.”
Your VPN-Cubed Manager IPsec setup is complete. The next steps will detail setting up the IPsec connection from your extranet device. Once the IPsec connection is live, this guide will detail how to add clients to the created overlay network.
Note the “Configuration Settings” values; you will need these to correctly configure your extranet device.
Configuring the IPsec Extranet Device: Adding Network Objects (page 20)
Note: As mentioned earlier, these screenshots are from a Cisco ASA extranet device. Your setup user experience may differ slightly.
The first step in configuring any IPsec extranet device is to add the appropriate Network Objects. The screenshot to the right shows all the objects that need to be added. Their details are below:
- fs_inside: inside NAT of your cloud subnet
- inside-network: inside interface network of extranet device
- inside_network_test_client: initial inside test IP for IPsec connectivity
- outside_network: outside interface network of extranet device
- outsideinterface: address of outside interface of extranet device
- vpncubed_mgr: public IP address of the VPN-Cubed Manager
- vpncubed_mgr_inside: <your subnet>.1, inside tunnel test for use before connecting clients (VPN-Cubed IPsec to Flexiant Test Gateway)
Configuring the IPsec Extranet Device: VPN Wizard (page 21)
Create a new VPN Tunnel.
The Cisco ASA used in this guide does this through a VPN Wizard. If you are using another facility to create your IPsec Tunnel, make sure to enter the same information we enter in the following slides.
Choose a Site-to-Site Tunnel Type.
Click Next.
Tunnel Configuration Considerations
If you want the tunnel to be perpetual and as close to "always on" as IPsec can do, then:
- Your gateway should be using its "keepalive" feature; VPN-Cubed has this enabled by default.
- Your gateway should be using Dead Peer Detection (DPD) with a "restart" parameter in the event it believes the tunnel is dropped.
- Your VPN-Cubed manager has DPD disabled by default; enable it by adding "dpdaction=restart" in the extra parameters box (no quotes needed).
- Your gateway should allow the VPN-Cubed manager to make a connection "inbound to it"; by default the VPN-Cubed manager allows inbound connections and attempts outbound.
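A small validator for the "Extra Params" entries described on the Extra Parameters page (page 18) and the DPD advice above, as an added example: it is not CohesiveFT code nor the Manager's own parser. It accepts the key=value lines the guide documents, rejects a DH group on the esp line, and warns when DPD is left disabled or a weaker cipher/hash is chosen; the sample entries are constructed for illustration.

```python
"""Check VPN-Cubed "Extra Params" lines (added example; not the Manager's own parser).

Accepted keys and values follow the guide: ike/esp as <cipher>-<hash>[-<dhgroup>]
with ciphers 3des/aes128/aes256, hashes sha1/md5, DH groups modp1024 (group 2) and
modp1536 (group 5); pfsgroup; ikelifetime/salifetime; dpdaction/dpddelay/dpdtimeout.
"""

CIPHERS = {"3des", "aes128", "aes256"}
HASHES = {"sha1", "md5"}
DH_GROUPS = {"modp1024": 2, "modp1536": 5}
SECONDS_KEYS = {"ikelifetime", "salifetime", "dpddelay", "dpdtimeout"}
DPD_ACTIONS = {"restart"}  # only "restart" is documented in the guide (assumption: nothing else accepted)


def _check(key, value):
    """Return an error string for one key=value pair, or None if it is acceptable."""
    if key in ("ike", "esp"):
        parts = value.split("-")
        if len(parts) < 2 or parts[0] not in CIPHERS or parts[1] not in HASHES:
            return (f"{key}: expected <cipher>-<hash>[-<dhgroup>] with cipher in "
                    f"{sorted(CIPHERS)} and hash in {sorted(HASHES)}")
        if len(parts) > 3:
            return f"{key}: too many components in {value!r}"
        if len(parts) == 3:
            if key == "esp":
                # Guide: a modpxxxx group cannot go on the esp line; PFS is set via pfsgroup=
                return "esp: DH group not allowed here; use pfsgroup=modp1024|modp1536 for PFS"
            if parts[2] not in DH_GROUPS:
                return f"ike: unknown DH group {parts[2]!r}; use modp1024 (group 2) or modp1536 (group 5)"
        return None
    if key == "pfsgroup":
        return None if value in DH_GROUPS else "pfsgroup: use modp1024 or modp1536"
    if key in SECONDS_KEYS:
        return None if value.isdigit() else f"{key}: must be a whole number of seconds"
    if key == "dpdaction":
        return None if value in DPD_ACTIONS else "dpdaction: the guide documents only 'restart'"
    return f"unknown parameter {key!r}"


def parse_extra_params(text):
    """Parse the text box contents. Returns (params, errors); params holds only valid lines."""
    params, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected key=value, got {line!r}")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        err = _check(key, value)
        if err:
            errors.append(f"line {lineno}: {err}")
        else:
            params[key] = value
    return params, errors


def review(text):
    """Validate and add advisory warnings: weak algorithm choices and DPD left disabled."""
    params, errors = parse_extra_params(text)
    warnings = []
    for key in ("ike", "esp"):
        if key in params:
            cipher, hsh = params[key].split("-")[:2]
            if cipher == "3des" or hsh == "md5":
                warnings.append(f"{key}={params[key]} is weaker than the recommended aes256-sha1")
    if "dpdaction" not in params:
        warnings.append("DPD is disabled (Manager default); add dpdaction=restart for an always-on tunnel")
    elif not set(params) >= {"dpddelay", "dpdtimeout"}:
        warnings.append("dpdaction is set but dpddelay/dpdtimeout are missing (guide uses 30/90)")
    return params, errors, warnings


# Constructed sample: the guide's recommended aes256-sha1 settings with DPD enabled.
GOOD_PARAMS = """ike=aes256-sha1-modp1536
esp=aes256-sha1
pfsgroup=modp1536
dpdaction=restart
dpddelay=30
dpdtimeout=90
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_PARAMS), ("bad", "esp=aes256-sha1-modp1024\nike=aes192-sha1\n")):
        params, errors, warnings = review(text)
        print(label, params, errors, warnings)
```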
Configuring the IPsec Extranet Device: VPN Wizard (page 22)
Enter the VPN-Cubed Manager's IP address in the “Peer IP Address” field.
Enter the same “Pre-Shared Key” entered on page 17 (our example used “VPNCubedRocks”).
Click Next.
Configuring the IPsec Extranet Device: VPN Wizard (page 23)
Choose your Key Exchange Policy (IKE). Make sure it is the same as the one used in the VPN-Cubed Manager setup. On page 17 we used “AES-256.”
Click Next.
Configuring the IPsec Extranet Device: VPN Wizard (page 24)
Select the encryption and authentication algorithms for the Encapsulating Security Payload (ESP). Make sure they are the same as those used in the VPN-Cubed Manager setup. Again, our recommended setup uses “AES-256” from page 17.
Click Next.
Configuring the IPsec Extranet Device: VPN Wizard (page 25)
Setting up Hosts and Networks.
The following information will set up a test tunnel to your VPN-Cubed Manager. After the tunnel is up and running you can return to this step and change the Source and Destination information to open up more traffic between your IPsec extranet device and the cloud.
Set up a test connection using “inside_network_test_client” as the Source and “vpncubed_mgr_inside” as the Destination.
The screenshot to the right shows how to open up your network to the overlay network in the cloud: select “inside-network” in the Source section and select “fs_inside” in the Destination section.
Click Next.
Configuring the IPsec Extranet Device: VPN Wizard (page 26)
Double check that all the information is entered correctly.
Click Finish.
IPsec Extranet Device: Session Details (page 27)
Make sure the IPsec VPN session is up and running.
Go to Monitoring > VPN Statistics > Sessions.
You should be able to see the session under LAN-to-LAN.
Click Details.
IPsec Extranet Device: Session Details (page 28)
The Session Details will give you expanded information about your Key Exchange and IPsec status.
VPN-Cubed Manager: Check the IPsec Status (page 29)
To check the status of your IPsec connection from the VPN-Cubed Manager, click on Runtime Status.
You should see a “detected” IPsec tunnel under IPsec status.
If you do not see your IPsec Tunnel listed, it is not correctly configured. Double check that you have entered all the information correctly in both the VPN-Cubed Manager and your IPsec device. If you are having difficulties please email support@cohesiveft.com.
Now that the IPsec Tunnel is up and running, cloud-based clients can be added to the overlay network's secure VLAN extension of your Datacenter.
Client Configuration: Launch Clients (page 30)
In the context of VPN-Cubed, “Client” means devices which will be configured as members of the Overlay Network. These network members will usually be servers running in the cloud. In more advanced editions of VPN-Cubed this includes desktop-based client machines. Note the “Client Download” username and password on the Status screen of every manager (the username is “clientpack”).
On any Manager go to Client Packs and pick a client pack. A client pack can run on a single client at a time. If you shut down or disconnect a client from the topology, you can reuse its client pack. You have access to 5 client packs.
Launch the Client Servers in the same VDC as the Manager. Follow the steps on pages 8-11.
NOTE: Set up the Client firewalls based on your topology requirements.
CFT recommends a three-stage approach to cloud security:
1. Cloud Provider VLAN
2. Client Firewall with only the rule exceptions required for production and operational access
3. VPN-Cubed tunneling and intra-cloud encryption
Linux Client Configuration: Install Client Credentials (page 31)
TWO PHILOSOPHIES FOR INSTALLATION
a) SSH Port 22 Only - Download credentials to your trusted admin machine via the VPN-Cubed Manager “Client Packs” link. SCP them onto the client machines, and then SSH into the client machines to complete the configuration.
b) Port 22 and Port 8000 - SSH into the client machine and download the credentials from its command line using the following URL:
wget --no-check-certificate https://clientpack:**PASSWORD**@{Manager_IP}:8000/credentials/{name_of_clientpack}.tar.gz
Something like: wget --no-check-certificate https://clientpack:9c50eb1a78cabfa77663d0429bdd2930c4a3de12@204.51.99.6:8000/credentials/172_31_1_53.tar.gz
NOTE: The clientpack:password combination is on the status screen of each of the VPN-Cubed managers.
Linux Client Configuration: Install OpenVPN (page 32)
You can either install OpenVPN on physical servers or on virtual servers you already possess to connect those devices to the VPN-Cubed overlay network.
Extract the clientpack contents to the /etc/openvpn directory (consult the OpenVPN documentation for your OS if it is not found).
Edit vpncubed.conf and add the managers you want this client to connect to, in priority order, at the bottom of the file:
remote MANAGER_IP_ADDRESS 1194
You do not need to configure each client to try all managers in a given topology. The order of remote commands matters: the client will try to connect to the first remote endpoint and, if not successful, to the second, and so on. You may want to distribute clients evenly among managers by varying the order of "remote" commands on each client.
Linux Client Configuration: Launch OpenVPN (page 33)
Start OpenVPN. On Linux OSs this is done using the /etc/init.d/openvpn start command.
Your client will get a virtual IP address that corresponds to the clientpack it received.
WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network in the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time.
Adjust the local firewall on the client if necessary (on Linux, your tunnel device name will be tun0).
Verify connectivity by pinging 172.31.0.1 and 172.31.0.5 for manager ID1 and ID2, respectively. Usually, the manager whose "remote" line appears first in /etc/openvpn/vpncubed.conf will be pingable first; other managers will become pingable once they learn about the new client.
Windows Client Configuration: Add RDP Client Access (page 34)
If you created a Firewall that rejects Inbound/Outgoing connections by default, you will need to add a Firewall Rule to allow an RDP connection on TCP port 3389.
Click Manage next to the Windows Client Firewall.
Add the following Incoming Rule:
- RDP IN - TCP port 3389 from your IP Address
Add the following Outgoing Rule:
- RDP UI OUT - TCP port 3389 from your IP Address
The Windows Client is now available to receive RDP connections.
Windows Client Configuration: Install Client Credentials (page 35)
RDP into the Windows Machine using the Administrator credentials specified when launching the server.
Navigate to https://<Public Manager IP>:8000 in IE.
Log in using the default vpncubed for the username and password, or the password you changed on your first login.
Click Client Packs on the left menu.
Download the appropriate client pack zip file to the Windows machine.
Windows Client Configuration: Install OpenVPN (page 36)
You can either install OpenVPN on physical servers or on virtual servers you already possess to connect those devices to the VPN-Cubed overlay network.
XP: http://openvpn.net/release/openvpn-2.0.9-install.exe
Vista OR Win2k: http://openvpn.net/release/openvpn-2.1_rc15-install.exe
Win2003/8: http://openvpn.net/release/openvpn-2.1.1-install.exe
On Vista you will need to have admin privileges to install the software.
You will have to install a client pack on the Windows desktop machine and put the client pack files in \Program Files\OpenVpn\config\
RENAME vpncubed.conf to vpncubed.ovpn!
Edit vpncubed.ovpn and add the managers you want this client to connect to, in priority order, at the bottom of the file: remote MANAGER_PRIVATE_IP_ADDRESS 1194
In the case of a desktop machine outside of the cloud you will need to use the public IP for the managers you are connecting to.
You do not need to configure each client to try all managers in a given topology. The order of remote commands matters: the client will try to connect to the first remote endpoint and, if not successful, to the second, and so on. You may want to distribute clients evenly among managers by varying the order of "remote" commands on each client.
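One way to produce the ordered remote lines for a client's vpncubed.conf (Linux, page 32) or vpncubed.ovpn (Windows, above), as an added example rather than CohesiveFT code: it rotates the manager order per client so clients are spread across managers, and picks each manager's private or public address depending on whether the client runs inside the cloud. The manager addresses, client numbering and clientpack fragment are constructed placeholders.

```python
"""Build the `remote` lines for a VPN-Cubed OpenVPN client (added example, not CohesiveFT code).

The guide says: list the managers at the bottom of vpncubed.conf/.ovpn in priority order
("remote <ip> 1194"), vary that order across clients to spread load, and use the managers'
public IPs for a desktop outside the cloud. Manager addresses below are constructed placeholders.
"""

CLIENT_PORT = 1194  # UDP 1194 is the client VPN port in the guide

# Constructed placeholders: each manager has a private (VDC) and a public address.
MANAGERS = [
    {"id": 1, "private": "10.0.1.11", "public": "203.0.113.11"},
    {"id": 2, "private": "10.0.1.12", "public": "203.0.113.12"},
]


def rotated(managers, client_index):
    """Rotate the priority list so consecutive clients prefer different managers."""
    if not managers:
        raise ValueError("at least one manager is required")
    k = client_index % len(managers)
    return managers[k:] + managers[:k]


def remote_lines(managers, client_index, in_cloud):
    """Render one 'remote <ip> 1194' line per manager, highest priority first."""
    key = "private" if in_cloud else "public"
    return [f"remote {m[key]} {CLIENT_PORT}" for m in rotated(managers, client_index)]


def render_config(base_conf, managers, client_index, in_cloud=True):
    """Strip any 'remote' lines already in the clientpack config and append the new ones."""
    kept = [ln for ln in base_conf.splitlines() if not ln.strip().startswith("remote ")]
    return "\n".join(kept + remote_lines(managers, client_index, in_cloud)) + "\n"


def remotes_in(conf_text):
    """Return [(ip, port), ...] in the order the client will try them."""
    out = []
    for ln in conf_text.splitlines():
        parts = ln.split()
        if len(parts) == 3 and parts[0] == "remote":
            out.append((parts[1], int(parts[2])))
    return out


# Constructed clientpack fragment with a stale remote line that must be replaced.
SAMPLE_CONF = """client
dev tun
proto udp
remote 192.0.2.99 1194
"""

if __name__ == "__main__":
    for i in range(3):
        print(f"client {i}:", remotes_in(render_config(SAMPLE_CONF, MANAGERS, i)))
    print("desktop:", remotes_in(render_config(SAMPLE_CONF, MANAGERS, 0, in_cloud=False)))
```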
Windows Client Configuration: Launch OpenVPN (page 37)
Start OpenVPN. On Windows XP and Vista this can be done through the Services tool or via the command line “openvpn vpncubed.ovpn”.
On Vista, if you run it from the command line you will need to know how to start a command line with administrative privileges. Details here: http://www.howtogeek.com/howto/windows-vista/run-a-command-as-administrator-from-the-windows-vista-run-box/
On Vista, 2000, 2003, and 2008 servers OpenVPN also has a graphical tool, OpenVPN GUI.
Your client will get a virtual IP address that corresponds to the clientpack it received.
WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network in the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time.
Adjust the local firewall on the client if necessary.
Verify connectivity by pinging 172.31.0.1 or 172.31.0.5 for manager ID1 or ID2, respectively. Usually, the manager whose "remote" line appears first in /etc/openvpn/vpncubed.conf will be pingable first; other managers will become pingable once they learn about the new client.
Windows Client Configuration: Launch OpenVPN (page 38)
Windows Client Configuration: Windows 2008 RegEdit Consideration (page 39)
When setting up OpenVPN as a Service on Windows 2008 there can be an issue with the machine resolving IPv6 instead of IPv4. Follow the steps below to fix the problem.
1. Go to "regedit"
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Double-click the ArpRetryCount value, type 0, and then click OK. If it does not exist, create it of type REG_DWORD with the value set to 0.
4. Reboot the machine
Client Configuration: 3 clients in the overlay network (page 40)
The key elements of the display to look for are the connections to that manager's peer, both showing that the local processes are running and the link is up. You should see the clients listed in the client table at the bottom, connected to the appropriate manager.
If this is not the case, please check the items listed on the “Troubleshooting” page of this document.
Troubleshooting and FAQ for the Managers (page 41)
Client appears to be “hopping” on and off the network. This is usually the result of the same client keys being installed on two client machines in the network. Only one client machine can use a set of credentials at a given time.
Fetch Keyset appears to hang or not work. Check that the VDC setup is correct and that port 8000 is open between the manager you are getting the keyset from and the manager you are doing the fetch from.
Manager IDs seem correct, VDC setup seems correct, but managers, especially ones launched via separate launch commands, will not “peer”. Review your worksheet and your launch commands. Ensure that the managers were all launched with the same alphanumeric string.
Save Manager Configuration with Runtime Snapshots (page 42)
Runtime Snapshots save the Manager Configuration (page 43)
Once your VPN-Cubed Managers and Clients are configured and running, save the configuration with Runtime Snapshots. Snapshots can be used to reconfigure a new Manager with the same SSL Certificates and Keyset with just one file upload.
Click the “Runtime Snapshots” link to take a new snapshot or view/download available snapshots.
Download the snapshot to your local network. In the event of a Manager failure or re-provisioning event, you can upload the snapshot file to a new VPN-Cubed Manager. The new Manager will retain all the configuration settings of your saved snapshot. Additionally, because the client packs are identical, your overlay network devices will automatically connect back to the Managers. This saves time on both Manager and client configuration.
Save and Download a Snapshot (page 44)
Click the “Take New Snapshot Now” button to generate a new Snapshot.
The resulting screen will have the snapshot download link. Download the Snapshot and save it locally.
Upload a Snapshot (page 45)
To use a Snapshot to configure a Manager, click the “Import Runtime Snapshot” link.
Browse for your saved Snapshot and upload it. The Manager will reboot with the updated configuration. The same client packs will be used, so redistribution of the credentials to each Overlay Network Device (OLND) is not necessary.
A slight configuration change on each OLND is necessary if you have not assigned Elastic IPs to your Manager. The OpenVPN configuration file (vpncubed.ovpn) on each OLND needs the new IP of the new Manager referenced in the remote commands section.
To automate this step, you can assign an Elastic IP (see AWS billing for rates) to the Manager and reference the Elastic IP in each OLND's OpenVPN configuration file.
End (page 46)