Part 45: My vCloud Journey Journal – Org-To-Org VPN
In previous posts (the ones that all have vApp Networking (1-5) in the title) I played about with static routes. One of those examples was adding a static route to enable communication from one Organization Network to another via the External Network. I did that because I wanted to know more, and configuring things (even if they may not be optimal) is one way of learning. It strikes me that a VPN connection between Organizations would be more appropriate, given that the data stream is encrypted as it moves from one Organization to another. I'm resisting the term site-to-site because in my case the two Organizations (CorpHQ and COIG) actually reside in the same physical location. But I guess the principle of a VPN could be used to link Orgs within and outside of the existing vCD cell configuration, as well as to external providers, in the elastic-burst-on-demand way that everyone speaks of nowadays.
The vCNS Edge Gateway supports VPN connectivity via the Organization Network…
The VPN configuration (an IPsec tunnel, which is why the ESP, AH and IKE requirements below apply) allows for:
- a VPN tunnel between two Organization Networks in the SAME Organization
- a VPN tunnel between two Organization Networks in DIFFERENT Organizations (this is what I'm trying)
- a VPN tunnel between an Organization Network and an external remote network outside the vCD cell…
It's worth saying that all the work I did in the vApp Networking posts (1-5) isn't wasted. Just because there is a VPN connection from one Organization to another, it doesn't mean that the vApp Network is automagically exposed. There are a couple of requirements to be met along the way; in some respects a lot of this configuration has already been done by me over the last couple of months:
- Both Organization Networks must be external, and NAT-connected (routed through an Edge Gateway) to the external network
- The Organization Networks must share the SAME external network
- The two Organization Networks must not have overlapping IP subnets
IF there is a firewall present between the tunnel endpoints it must pass IP protocol 50 (ESP), IP protocol 51 (AH), UDP port 500 (IKE) and UDP port 4500 (IKE NAT traversal). Note that ESP and AH are IP protocols rather than UDP ports, so a rule that only opens "UDP 50 and 51" will let IKE negotiate but drop the tunnelled traffic itself. Enabling the VPN configuration requires access rights from one Organization to the other, because vCD creates a bi-directional VPN configuration on both sides. You can either use credentials set up at the destination Organization for the purpose, or the SysAdmin credentials if you have them. The initial configuration documented below allows only vApps on the respective Organization Networks to speak to each other… and although vCD pushes the configuration to the vCNS Edge Gateways in both Organizations, it does not enable it at the "Peer Network" (destination) side; that has to be done from the other Organization…
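The prerequisites above are easy to get subtly wrong (the "UDP 50 and 51" wording being the classic one), so here is a pre-flight check as an added example. This is not code from the original post or from VMware; it models the post's lab with constructed data (CorpHQ on 172.168.5.0/24 with the vApp network 192.168.5.0/24 behind it, COIG on 172.168.8.0/24, both on a hypothetical external network called External-Net). The class names, the firewall rule model and its "first match wins, default deny" semantics are this example's own assumptions, not vCNS behaviour, and including the vApp subnets in the overlap check is a conservative extra that goes beyond the three requirements listed on the page.

```python
"""Pre-flight checks for a vCD org-to-org Edge Gateway VPN.

Added example, not code from the original post or from VMware.  Data below
is constructed to mirror the post's lab.  Rule semantics (first match wins,
implicit deny) are an assumption of this example, not of vCNS.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional

# Traffic the tunnel endpoints must be able to exchange if a firewall sits
# between them.  ESP and AH are IP protocols 50 and 51 (no port at all);
# IKE and NAT-T ride on UDP 500 and 4500.
IPSEC_TRAFFIC = (
    ("esp", None),
    ("ah", None),
    ("udp", 500),    # IKE
    ("udp", 4500),   # NAT-T, needed when an endpoint sits behind NAT
)


@dataclass
class OrgNetwork:
    org: str
    name: str
    external_network: str                   # external network the Edge Gateway fronts
    nat_connected: bool                     # routed via an Edge Gateway, not direct-connected
    subnet: str                             # the Organization Network itself
    vapp_subnets: List[str] = field(default_factory=list)  # routed vApp networks behind it

    def all_subnets(self):
        """Every subnet that could end up routed over the tunnel from this side."""
        return [ip_network(self.subnet)] + [ip_network(s) for s in self.vapp_subnets]


@dataclass
class FirewallRule:
    action: str                             # "allow" or "deny"
    protocol: str                           # "any", "udp", "tcp", "esp", "ah"
    port: Optional[int] = None              # None matches any port (and port-less protocols)

    def matches(self, protocol, port):
        if self.protocol not in ("any", protocol):
            return False
        return self.port is None or self.port == port


def check_vpn_prerequisites(local, peer):
    """Return a list of problems; an empty list means the pairing is eligible."""
    problems = []
    for net in (local, peer):
        if not net.nat_connected:
            problems.append(f"{net.org}/{net.name} is not NAT-connected to an external network")
    if local.external_network != peer.external_network:
        problems.append(
            f"different external networks: {local.external_network} vs {peer.external_network}")
    # Conservative: the page only requires the Organization Networks not to
    # overlap, but a routed vApp network that collides with the peer's range
    # will bite as soon as it is exposed across the tunnel.
    for a in local.all_subnets():
        for b in peer.all_subnets():
            if a.overlaps(b):
                problems.append(f"overlapping subnets: {a} ({local.org}) and {b} ({peer.org})")
    return problems


def blocked_ipsec_traffic(rules):
    """IPsec components a first-match, default-deny firewall would drop."""
    blocked = []
    for protocol, port in IPSEC_TRAFFIC:
        verdict = "deny"
        for rule in rules:
            if rule.matches(protocol, port):
                verdict = rule.action
                break
        if verdict != "allow":
            blocked.append(protocol if port is None else f"{protocol}/{port}")
    return blocked


# Constructed data mirroring the post's lab (External-Net is a made-up name).
CORPHQ = OrgNetwork("CorpHQ", "CorpHQ-OrgNetwork", "External-Net", True,
                    "172.168.5.0/24", ["192.168.5.0/24"])
COIG = OrgNetwork("COIG", "COIG-CorpOrgNetwork", "External-Net", True,
                  "172.168.8.0/24")

# A firewall built from the literal "UDP ports 50, 51, 500 and 4500" wording:
# IKE negotiates happily, but the ESP payload is dropped.
UDP_ONLY_RULES = [
    FirewallRule("allow", "udp", 50),
    FirewallRule("allow", "udp", 51),
    FirewallRule("allow", "udp", 500),
    FirewallRule("allow", "udp", 4500),
    FirewallRule("deny", "any"),
]
COMPLETE_RULES = [FirewallRule("allow", "esp"), FirewallRule("allow", "ah")] + UDP_ONLY_RULES


if __name__ == "__main__":
    for line in check_vpn_prerequisites(CORPHQ, COIG) or ["prerequisites OK"]:
        print(line)
    print("blocked with UDP-only rules:", blocked_ipsec_traffic(UDP_ONLY_RULES))
    print("blocked with complete rules:", blocked_ipsec_traffic(COMPLETE_RULES))
```

Run it as-is and the CorpHQ/COIG pairing passes while the UDP-only rule set reports `esp` and `ah` as blocked; swap COIG's subnet for 192.168.5.0/24 to see the vApp-network overlap flagged before you spend time in the UI.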
1. Configure the Services of your Organization Network – in my case I select the CorpHQ Organization Network
2. Select the VPN tab, and enable the VPN option – then click the Add button to create VPN Configuration
3. Type in a name and description – and from the pull down list select “a network in another organization”
4. This should cause the dialog box to refresh to show the “Login into remote vCD” button:
5. Click the “Login into remote vCD” button – this produces a form that allows you to specify the URL, Organization Name, Username and Password to access the other organization. In my case I used the admin credentials, ticking off the option to “Login as System Admin”
Note: Notice how it's just the base URL of the vCD instance… nothing more!
6. Click Login. If you authenticated correctly, the page refreshes again to show the Local Organization Network (the Organization where you started the configuration) and the remote or "Peer Networks" of the Organization you just authenticated to. Use the pull-down list to select which Organization VDC you want to use (COIG - Production Virtual Datacenter in my case) and then which Edge Gateway will be used (in my case this means the single Organization Network called COIG-CorpOrgNetwork). It's entirely possible for an Organization to have MANY externally NAT-connected Organization Networks, so you must select which Organization Network you wish to use as the endpoint on each side of the VPN connection. When you click an Organization Network it is highlighted in dark blue.
7. Next, under this section review your VPN Settings. I found I didn’t have to change anything here to make my configuration work.
8. Click OK.
9. Next, log in to the Peer Network Organization (in my case that's the COIG Organization) and enable the VPN link on its side.
10. Once enabled you should see green ticks next to Enabled and Status.
Once the VPN is up you should be able to ping from one VM to another VM on the other Organization Network (assuming the firewalls are turned off, or the appropriate rules are in place). So here is a ping from the OrgNetwork 172.168.5.x to the OrgNetwork 172.168.8.x…
You should also find that a ping from a vApp behind a vApp Network to a VM on the other Organization Network works as well. So here I did a ping/tracert from one of the CorpHQ web servers: it crossed its own gateway (192.168.5.1), on to its own Organization Network (172.168.5.x), then across the VPN link (the "* * * Request timed out" hop, which is normal for a traceroute crossing an encrypted tunnel) and arrived at the VM on the other Organization Network (COIG, 172.168.8.x).