
VPN-Cubed 2.x Datacenter Connect Lite Edition


Windows Client Configuration: Launch OpenVPN. Start openvpn. On Windows XP and Vista this can be done through the


Transcription of VPN-Cubed 2.x Datacenter Connect Lite Edition

Copyright 2011 - CohesiveFT
VPN-Cubed Datacenter Connect Lite Edition v2011071
Monday, October 10, 2011

Requirements

- You have an Amazon AWS account that CohesiveFT can use for enabling your access to the VPN-Cubed Manager
- You can configure a client (whether desktop based or cloud based) to use the OpenVPN client
- You can use the Amazon EC2 Command Line tools
- You have a compliant IPsec firewall/router networking device:
  - Preferred: Cisco ASA
  - Validated: Cisco 1800, Cisco PIX, Juniper JunOS models, Fortigate (3 years old or less), Watchguard Firebox (3 years old or less)
  - Best Effort: any IPsec device that supports IKEv1 or IKEv2, AES256 or AES128 or 3DES, SHA1 or MD5, AND NAT-Traversal
  - Will Not Work: Checkpoint

Getting Help with VPN-Cubed

This guide uses Cisco's Adaptive Security Device Manager UI.

Setting up your IPsec Extranet device may have a different user experience than what is shown here. All the information entered in this guide will be the same regardless of your UI or command line. Send all support inquiries to:

Your Configuration Begins Here!

Firewall Considerations

The VPN-Cubed Manager instance uses the following TCP and UDP ports:

- UDP 1194: for client VPN connections; must be accessible from all servers that will join the VPN-Cubed topology as clients.
- TCP 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the managers, at least for the peering process, and needs to be accessible when downloading credentials for installation on the overlay network.
- UDP 500 and 4500: these ports are used for IPsec NAT-Traversal and need to be configured in your IPsec device.

If you would like the EC2 IPsec Gateway to be able to initiate a connection (for example in the event of a broken connection), then you need to allow the public IP address of the gateway to connect to your IPsec device over these ports. If you want your IPsec device to initiate the connection, then these ports need to be opened to the public address of your IPsec device in the EC2 Security Group your gateway AMI was launched in.

Remote Support

Note that TCP 22 (ssh) is not required for normal operations. Each VPN-Cubed Manager is running a restricted SSH daemon, with access limited only to CohesiveFT for debugging purposes, controlled by the user via the Remote Support toggle and key exchange. In the event CohesiveFT needs to observe the runtime state of a VPN-Cubed Manager in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and enable Remote Support via the Web UI.

CohesiveFT will send you an encrypted passphrase to generate a private key used by CohesiveFT Support staff to access your Manager. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support.

Sizing Considerations

VPN-Cubed Lite Managers are available as 32bit images. The Enterprise Edition provides 64bit images on request. Contact us at for AMI IDs. VPN-Cubed Managers currently generate 1024 bit keys for connecting the clients to the overlay network via the clientpacks. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit).

Setting up the Amazon Security Groups, Option 1: Use the Amazon EC2 command line tools

Download the latest Amazon API tools from:

From a system command line (Mac examples shown here, see the API Doc for Windows):

  export JAVA_HOME=/usr                          (set the Java home directory)
  export LAUNCH_HOME=/Users/me/Desktop/BYO/ec2   (set the path to the directory where you unzipped the tools)
  export EC2_HOME=$LAUNCH_HOME/ec2apitools
  export PATH=$PATH:$EC2_HOME/bin
  export EC2_PRIVATE_KEY=$LAUNCH_                (point to where you have your EC2 private key stored)
  export EC2_CERT=$LAUNCH_                       (point to where you have your EC2 cert stored)

Setting up the Amazon Security Groups, Option 1: Command Examples

For the US-East VPN-Cubed Manager:

  export EC2_URL=
  ec2-add-group vpncubed-mgr -d "vpncubed managers"
  ec2-add-group vpncubed-client -d "vpncubed clients"
  ec2auth vpncubed-mgr -P udp -p 1194 -o vpncubed-client -u AWS_ACCOUNT
  ec2auth vpncubed-mgr -P udp -p 1195-1197 -o vpncubed-mgr -u AWS_ACCOUNT
  ec2auth vpncubed-mgr -P tcp -p 8000 -o vpncubed-mgr -u AWS_ACCOUNT
  ec2auth vpncubed-mgr -P tcp -p 8000 -s ip_address_of_your_firewall/32
  ec2auth vpncubed-mgr -P udp -p 500 -s ip_address_of_your_firewall/32
  ec2auth vpncubed-mgr -P udp -p 4500 -s ip_address_of_your_firewall/32

For the US-West VPN-Cubed Manager:
  export EC2_URL=
  <ec2 commands from above>

For the EU-West VPN-Cubed Manager:
  export EC2_URL=
  <ec2 commands from above>

For the APAC-Southeast VPN-Cubed Manager:
  export EC2_URL=
  <ec2 commands from above>

Setting up the Amazon Security Groups, Option 2: Use the AWS Console

- Select your desired Security Groups in the left column.
- Click Create Security Group in the Security Group window pane menu.
- Create a vpncubed-mgr group (for the VPN-Cubed Managers) and a vpncubed-client group (for the VPN-Cubed Overlay Connected Devices).

Note the Security Group ID for the Client Group (sg-xxxxxxxx).

Setting up the Amazon Security Groups, Option 2: Add Exceptions to the vpncubed-mgr Group

Configure the vpncubed-mgr group with the following exceptions. Add exceptions to your vpncubed-client group as needed based on your requirements.

UDP Exceptions:
- Custom UDP rule: ports 1194-1197 from Source vpncubed-client Security Group ID (sg-xxxxxxxx)
- Custom UDP rule: port 500 from the IP address of your Firewall/IPsec Device
- Custom UDP rule: port 4500 from the IP address of your Firewall/IPsec Device

TCP Exceptions:
- Custom TCP rule: port 8000 from Source vpncubed-client Security Group ID (sg-xxxxxxxx)
- Custom TCP rule: port 8000 from the IP address of your current location ( ) to allow you to connect to the VPN-Cubed Manager UI

Click Apply Rule Changes.
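As an added check (example code, not from the guide or CohesiveFT), the following Python audit compares a vpncubed-mgr group's inbound rules with the rule set above and the Firewall Considerations: it flags any rule open to the world, ssh left open outside a Remote Support window, ports the Manager does not use, unexpected sources, and required rules that are missing. The entry shape follows the IpPermissions structure of EC2 describe-security-groups output (an assumption), and the group id and IP addresses are constructed placeholders.

```python
# Added example (not CohesiveFT code): audit a vpncubed-mgr security group
# against the ports and sources this guide prescribes. Rule entries mirror the
# IpPermissions shape of EC2 describe-security-groups output (an assumption).
import ipaddress

CLIENT_SG = "sg-xxxxxxxx"          # placeholder: your vpncubed-client group id
FIREWALL_CIDR = "198.51.100.7/32"  # constructed: public IP of your IPsec device
ADMIN_CIDR = "203.0.113.10/32"     # constructed: where you browse the Manager UI
# (protocol, from_port, to_port) -> sources the guide allows for that rule
EXPECTED = {
    ("udp", 1194, 1197): {CLIENT_SG},              # client VPN connections
    ("udp", 500, 500): {FIREWALL_CIDR},            # IKE / IPsec NAT-Traversal
    ("udp", 4500, 4500): {FIREWALL_CIDR},          # IPsec NAT-Traversal
    ("tcp", 8000, 8000): {CLIENT_SG, ADMIN_CIDR},  # HTTPS admin interface
}

def perm(proto, lo, hi, *sources):
    """Build one IpPermissions-style entry; sg-* sources become group pairs."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": s} for s in sources if not s.startswith("sg-")],
            "UserIdGroupPairs": [{"GroupId": s} for s in sources if s.startswith("sg-")]}

def rule_sources(entry):
    """Flatten an entry into the set of CIDR and security-group sources."""
    return ({r["CidrIp"] for r in entry.get("IpRanges", [])}
            | {g["GroupId"] for g in entry.get("UserIdGroupPairs", [])})

def audit(permissions):
    """Return findings as strings; an empty list means the group matches the guide."""
    findings, seen = [], set()
    for entry in permissions:
        key = (entry["IpProtocol"], entry["FromPort"], entry["ToPort"])
        seen.add(key)
        for src in rule_sources(entry):
            # a /0 CIDR means the whole Internet; sg-* sources never do
            world = not src.startswith("sg-") and ipaddress.ip_network(src, strict=False).prefixlen == 0
            if world:
                findings.append(f"{key}: open to the world via {src}")
            elif key == ("tcp", 22, 22):
                findings.append(f"{key}: ssh exposed to {src}; only needed during Remote Support")
            elif key not in EXPECTED:
                findings.append(f"{key}: not a port the Manager uses")
            elif src not in EXPECTED[key]:
                findings.append(f"{key}: unexpected source {src}")
    for key in EXPECTED.keys() - seen:
        findings.append(f"{key}: required rule missing")
    return findings

# Constructed sample: 8000 open to the world, ssh left open, UDP 4500 missing.
SAMPLE_GROUP = [perm("udp", 1194, 1197, CLIENT_SG), perm("udp", 500, 500, FIREWALL_CIDR),
                perm("tcp", 8000, 8000, "0.0.0.0/0"), perm("tcp", 22, 22, ADMIN_CIDR)]
```

Call audit(SAMPLE_GROUP) to see the three findings; substitute the IpPermissions of your own vpncubed-mgr group to check a live configuration.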

Launching VPN-Cubed Managers, Option 1: From the CMD Line

Use the AMI IDs provided by CohesiveFT. Below are some examples of the launch command.

Launch your VPN-Cubed Manager in the US region, in the vpncubed-mgr security group:
  ec2run -U AMI_ID_US -n 1 -g vpncubed-mgr

OR launch a VPN-Cubed Manager in the EU region:
  ec2run -U AMI_ID_EU -n 1 -g vpncubed-mgr

IMPORTANT: VPN-Cubed AMIs do not need to be launched with a different kernel or ramdisk parameter as with previous VPN-Cubed AMIs.

Launching VPN-Cubed Managers, Option 2: Via ElasticFox

vpncubed-mgr

Running VPN-Cubed Manager Instance Details

Once the Instance is running, copy the Instance ID and Public IP Address to your
Click the Running Instance in ElasticFox for details, or enter the following command:
  ec2-describe-instances instance_id
Note: the instance_id would have been displayed after launching via the command line.

Logging in and Configuring the Manager

Login to the VPN-Cubed Web UI at https://<Manager IP>:8000. In order to have an encrypted connection to the VPN-Cubed Manager, the web UI uses HTTPS with a self-signed certificate generated on each manager individually on boot. You may need to add a security exception in your browser. Log in with a username of vpncubed; the password is the instance id of this EC2 instance (i-XXXXXXX). You can obtain the instance id with the ec2-describe-instances command line, ElasticFox or the AWS Console.

Configuration Options:
- License Parameters (choose this when launching the first Manager of a Customer Cloudlet): launch a new Manager using the default subnet or use a custom subnet.
- Runtime snapshot (choose this when recovering from a Manager failure): launch a copy of an old manager using a locally stored snapshot to retain old client
- Remote configuration (choose this when launching a second Manager of a Customer Cloudlet): launch a copy of an existing manager by grabbing configuration

Logging in and Configuring the Manager, Option 1:

License Parameters

The resulting screen allows you to choose between the subnet range that comes preconfigured with the license or a custom subnet defined by your specific topology. Select the Custom radio button to specify a custom subnet. In addition to selecting a custom subnet range you can specify linear addressing for your Overlay Connected Devices (OLNDs). In this example we use for our custom subnet range. The Manager IP is and the Overlay Connected Device IPs are . Your specific license might allow for more or less OLNDs. Once you complete this step, the manager instance will reboot itself and will come up with your specified topology enabled. Click Submit and reboot.

