Author Topic: Working with VPN  (Read 4459 times)

deesloop

  • Member
  • Posts: 2
Working with VPN
« on: March 05, 2014, 04:42:51 PM »
We have 2 offices connected to each other via a CISCO firewalled site-to-site VPN over an MPLS line.
I'm looking for some assistance on how to set up the virtual machine for this.

So we have subnet -> switch <- gateway (firewall) 172.16.64.10 -> ISP router -> fibre termination -> internet.

I'm wondering how to configure the device, and is it worthwhile doing so as all traffic goes over the VPN?
Thanks in advance

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 629
Re: Working with VPN
« Reply #1 on: March 05, 2014, 05:47:28 PM »
Hi there,

Ok, first thing to note is that for Wanos to work a device is needed on each side of the VPN. If the ISP-Router is establishing the VPN tunnel, a network topology more or less as the following would work:
Data Center / Server Network > FW > Wanos-Core > ISP-Router > VPN > Remote-Site-Router > Wanos-Edge > Remote-Users

Which Hypervisor will be used and will virtual machines be required on both sides? The best is to dedicate two network interfaces for the VM, then it behaves as a standalone appliance.

Did I understand the requirement right?
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

deesloop

  • Member
  • Posts: 2
Re: Working with VPN
« Reply #2 on: March 05, 2014, 10:55:06 PM »
Sure, I did realise I need two Wanos VMs.
Both sites are the same setup - they both have CISCO firewalls - these build the site-to-site VPN. So each site has a firewall that connects to the 3rd-party-maintained router.
Each site runs ESX 5.1

So you're saying put the Wanos units inline?

Currently my default gateways are the firewalls 172.16.32.10 and 172.16.64.10. Do I set DHCP to hand out a new gateway of 172.16.32.11 and 172.16.64.11 (the proposed IPs of the Wanos VMs) and set their gateways as 172.16.32.10 and 172.16.64.10?
That way traffic hits the Wanos, then it does its magic and spurts over the VPN?

Cheers - looking forward to trialling over the next few days...

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 629
Re: Working with VPN
« Reply #3 on: March 06, 2014, 10:07:29 AM »
Ok, got it, so the FWs are establishing the VPN tunnels between the sites. In this case, since the traffic will be encrypted, the Wanos device needs to be between the users and the FW.

Regarding inline deployment: The IP addresses on the machines are for management of the devices and communication between them. The rest of the network is not aware of these IP addresses (e.g. no need for configuring additional gateways). In other words, if the FW is handing out DHCP at the moment to the users, this stays the same when the appliance is placed inline. One physical interface (wan0) connects to the FW and the second to the switch (lan0).

Edit:
For the archive: In this topology, the FW might need configuration to allow IPComp (IP Proto 108) and the auto-detection TCP Option 76.
This is the recommended action. Alternatively, UDP encapsulation can be used.
« Last Edit: May 27, 2015, 05:36:08 PM by ahenning »
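An added example, not code from the thread or from Wanos: a small Python packet classifier that a defender can run over a capture taken on either side of the FW to confirm that IPComp (IP protocol 108) and TCP segments carrying option kind 76, as named in the reply above, are actually getting through rather than being dropped. The sample packets are constructed in code; the 172.16.64.11 and 172.16.32.11 addresses are the proposed Wanos VM IPs from the thread, and the two builder functions are test helpers, not a capture API.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_IPCOMP = 108        # IPComp, the IP protocol the reply above says the FW must pass
WANOS_TCP_OPTION_KIND = 76  # TCP option kind the reply says Wanos uses for auto detection

def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol number, addresses and payload of a raw IPv4 packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return {"proto": pkt[9], "payload": pkt[ihl:],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20])}

def tcp_option_kinds(segment: bytes) -> list:
    """Walk the TCP options area and return the option kinds it contains."""
    opts, kinds, i = segment[20:(segment[12] >> 4) * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of option list
            break
        if kind == 1:                     # No-operation: one byte, no length field
            kinds.append(kind); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                         # truncated or malformed option
        kinds.append(kind)
        i += opts[i + 1]
    return kinds

def classify(pkt: bytes) -> str:
    """Label a packet 'ipcomp', 'wanos-tcp-option' or 'other'."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_IPCOMP:
        return "ipcomp"
    if ip["proto"] == IPPROTO_TCP and WANOS_TCP_OPTION_KIND in tcp_option_kinds(ip["payload"]):
        return "wanos-tcp-option"
    return "other"

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 packet (checksum left zero); only used to exercise the parser."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr + payload

def build_tcp_syn(options: bytes) -> bytes:
    padded = options + b"\x00" * (-len(options) % 4)  # constructed SYN, options padded to 4 bytes
    offset_flags = (((20 + len(padded)) // 4) << 4, 0x02)  # data offset in words, SYN flag
    return struct.pack("!HHIIBBHHH", 40000, 445, 0, 0, *offset_flags, 65535, 0, 0) + padded
```

Run it against packets decoded from a capture on the LAN side and on the VPN side of the FW; an IPComp or option-76 count that is non-zero on one side and zero on the other points at the firewall policy.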