Category Archives: vShield Edge

VPN Config vShield Edge to CheckPoint

This post covers the VPN configuration between vShield Edge and a CheckPoint firewall.

The vShield Edge defaults (the Phase 1 and Phase 2 values that the vCloud Director GUI does not show) and the vShield side of the configuration are covered in the other two articles on this page; this post only covers the CheckPoint side.

The CheckPoint steps are below (the screenshots of the original post are not reproduced here):

First, create the device object for the remote vShield Edge gateway (in SmartDashboard this is an Interoperable Device, with the Edge's outside IP address as its address).


Then create a network object for the remote (vShield side) network, for example xx.xx.xx.xx/24, and assign it to the device object as its VPN domain.


If you already have a VPN configuration on this gateway, add your local network to the group that is used as the gateway's VPN domain (Topology, VPN Domain, "Manually defined"). If you do not, create a group object, add the local network that will talk to the remote site, and set that group as the VPN domain.


Create a VPN community (Meshed or Star) for the tunnel.

Add the two gateways, your CheckPoint gateway and the vShield Edge device object, as the participants of the community.

Configure Phase 1 and Phase 2 in the community's Encryption settings:

Set the encryption and hash algorithms for both phases so they match the vShield Edge defaults (3DES or AES, and SHA1).

Set the DH group, PFS and the SA lifetime values (vShield Edge defaults: DH group 2 for both phases, PFS enabled, 28800 seconds for Phase 1 and 3600 seconds for Phase 2, no kilobyte-based lifetimes).


Set the pre-shared key (Shared Secret) for the vShield Edge device; it must be exactly the same string as the Shared Key entered on the vShield side.


Add the firewall rule(s) that allow traffic between the local and remote networks, with the VPN column of the rule set to the community.


That's it!

Thanks to Cem; you can find many useful articles on his blog, http://www.cemkayar.com

VM


VPN Config vShield Edge to Fortigate

vShield Edge and VPN with Fortigate

The vShield Edge to Fortigate VPN configuration is not documented by VMware; this article covers all of it.

In vCloud Director, open the vShield Edge configuration: Administration -> Open vDC -> Edge Gateway -> right-click the edge device -> Edge Gateway Services.

The screen in the original post was taken from an already configured gateway. The first thing you have to do is enable VPN: it is a checkbox on the left side of the VPN tab.
A quick note: if the edge device is not directly connected to the internet, i.e. it sits behind other networks and its outside IP is private, use the Configure Public IPs section to define the NAT mapping so that the remote peer can reach this edge for the VPN.
Before you start, write down every value carefully: once you submit the configuration you cannot edit it, you have to delete it and re-enter everything.

Click "Add" to configure a new VPN tunnel. The full Phase 1 and Phase 2 defaults are described in the vShield Edge VPN Defaults article on this page; vCloud Director does not show the full configuration the way a traditional firewall does.

Part 1

Name and Description: give a name and description that identify which peer, or which pair of sites, this VPN is for.
Establish VPN to: since I assume you will build the VPN to a remote network that is not in your provider's vCloud island, select a remote network.
Local Network: choose which internal network(s) will be reachable from the remote network.
Peer Network: the remote network block. A single host address cannot be entered here, because vShield does not seem to support it (I will provide more information on this later). Use a prefix such as xxx.yyy.zz.ttt/24 or xxx.yyy.zz.ttt/29.
Local Endpoint: leave the default or choose the desired outside address.
Local ID: you can set anything here, but I generally set the outside IP address of my edge gateway. It could also be a hostname or whatever identifier the remote firewall uses to recognize this peer.
Peer ID: you can set anything here, but I generally set the outside IP address of the remote firewall. Again, it could be a hostname or whatever identifier the remote firewall uses for itself.

Part 2

Peer IP: very important; it must be exactly the outside IP address of the remote firewall you are establishing the VPN with.
Encryption Protocol: choose the one agreed with the remote site (the cipher selected here is used for both Phase 1 and Phase 2).
Shared Key: the pre-shared secret, which must match the remote side exactly. The original post's example is 123451234512345123451234512345aA; in practice use a long, randomly generated string.

If everything is okay, a check mark appears on the first screen, the one where you enabled VPN.
vCloud Director is generally slow to update: everything is shown correctly after about 5 minutes, so do not worry if the status does not change immediately.

On the vCloud Director provider side, use vShield Manager for debugging, logs and other troubleshooting.

On the customer side you have to rely on syslog; some debug output is only available that way. The vCloud Director GUI is still not comfortable: for example, if you want to change anything you have to delete the whole configuration and re-enter everything.

A good feature is that you get a notification e-mail when the VPN tunnel comes up or goes down (the sample mail is shown in the original post).

You also get a "down" message of the same kind, and the vCloud Director GUI shows the error message as well.

One last thing about the configuration:

After the VPN configuration is done there is one more step: in the Firewall section, create a rule that allows the remote site to reach your network through the VPN.

The Fortigate-side screenshots followed here in the original post (not reproduced). I am not explaining them in detail, since Fortigate admins should already know these screens; if you need more, leave a comment or send a mail or tweet via the About page.




VM


vShield Edge VPN Defaults

Establishing a VPN between two firewalls is not always easy: both sites have to agree on the IKE and IPsec settings, and the firewall rules on both sides have to match.

I would like to describe the vShield Edge defaults, because not all of them are shown in the vCloud Director GUI or in vShield Manager.

If you are a customer, I advise you to have a syslog server.

If you are an admin on the provider side, enable logging in vShield Manager.

The VPN configuration can be confusing at first. vShield Edge is not like a standard firewall: you do not see separate Phase 1 and Phase 2 sections, and you cannot configure the SA lifetimes or the other parameters, so you have to know the default values.

I also advise reading the vShield 5.1 administration guide: http://www.vmware.com/pdf/vshield_51_admin.pdf

vShield Edge uses/supports:

IKEv2

Phase 1

Main Mode only, no Aggressive Mode (the original post links a reference for the other modes and their explanation)
3DES or AES (the encryption you choose)
SHA1 (integrity algorithm)
PSK (pre-shared secret) or certificate (certificates have to be configured from the vShield Manager GUI; I have never used them)
SA lifetime 28800 seconds, no kilobyte-based lifetime
DH Group 2

Phase 2

3DES or AES (in the vCloud Director GUI the cipher you select is applied to both Phase 1 and Phase 2)
SHA1 (integrity algorithm)
ESP, tunnel mode
DH Group 2
PFS enabled
SA lifetime 3600 seconds, no kilobyte-based lifetime
Selectors: all IP protocols, all ports, between the two networks, IPv4 subnets

DPD (Dead Peer Detection; it is usually also enabled on the remote side)
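The following is an added example, not part of the original post and not the configuration in its Fortigate screenshots: a FortiOS CLI configuration for the Fortigate side of the tunnel (the peer described in the Fortigate article above) that matches the vShield Edge defaults just listed: IKEv2, AES with SHA1, DH group 2, 28800 s and 3600 s lifetimes, PFS, DPD, ESP tunnel mode with subnet selectors. Every interface name, address, ID and the key are placeholders that I assumed for illustration: wan1 and internal as the Fortigate outside and LAN interfaces, 198.51.100.5 as the Fortigate outside IP (the vShield "Peer IP"), 203.0.113.10 as the vShield Edge outside IP, 192.168.10.0/24 as the Fortigate LAN (the vShield "Peer Network") and 10.10.0.0/24 as the vShield internal network (the vShield "Local Network"). The syntax is FortiOS 5.x; `set dpd on-demand` exists from 5.4, on 5.0/5.2 use `set dpd enable`.

```fortios
# Added example (assumed names and addresses, see the lead-in); not from the original post.
# Address objects so the policies are restricted to the two VPN networks, not "all".
config firewall address
    edit "fortigate-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "vshield-net"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# Phase 1: must agree with the vShield Edge defaults (IKEv2, AES/SHA1, DH2, 28800 s, DPD).
config vpn ipsec phase1-interface
    edit "to-vshield"
        set interface "wan1"
        set ike-version 2
        # same cipher as selected in the vCloud Director GUI, SHA1 integrity
        set proposal aes256-sha1
        set dhgrp 2
        # Phase 1 SA lifetime in seconds; vShield has no byte-based lifetime
        set keylife 28800
        # vShield Edge outside IP (its "Local Endpoint")
        set remote-gw 203.0.113.10
        # localid must equal the "Peer ID" entered on the vShield side
        set localid "198.51.100.5"
        # peerid must equal the "Local ID" entered on the vShield side
        set peertype one
        set peerid "203.0.113.10"
        # identical to the vShield "Shared Key"; use a long random string
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
        # Dead Peer Detection (FortiOS 5.4+; "set dpd enable" on 5.0/5.2)
        set dpd on-demand
    next
end

# Phase 2: same cipher as Phase 1, PFS with DH2, 3600 s, ESP tunnel mode, subnet selectors.
config vpn ipsec phase2-interface
    edit "to-vshield-p2"
        set phase1name "to-vshield"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set keylifeseconds 3600
        set encapsulation tunnel-mode
        # Fortigate LAN = vShield "Peer Network", vShield internal network = vShield "Local Network"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.255.0
        # bring the tunnel up without waiting for interesting traffic
        set auto-negotiate enable
    next
end

# Route the remote network into the tunnel interface.
config router static
    edit 0
        set dst 10.10.0.0 255.255.255.0
        set device "to-vshield"
    next
end

# Policies in both directions, limited to the two VPN networks
# (the vShield side needs the matching firewall rule described in the Fortigate article).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-vshield"
        set srcaddr "fortigate-lan"
        set dstaddr "vshield-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-vshield"
        set dstintf "internal"
        set srcaddr "vshield-net"
        set dstaddr "fortigate-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Check the tunnel on the Fortigate with `diagnose vpn ike gateway list` and `diagnose vpn tunnel list`. If Phase 1 or Phase 2 does not come up, the negotiation can be watched with `diagnose vpn ike log-filter dst-addr4 203.0.113.10`, `diagnose debug application ike -1` and `diagnose debug enable` (on FortiOS 6.2 and later the filter command is `diagnose vpn ike log filter rem-addr4`); a proposal or lifetime mismatch against the vShield defaults shows up there as a rejected proposal, which is exactly why the defaults above matter on a peer whose GUI does not display them.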

It looks like VMware has already tested vShield Edge against Cisco routers/ASA and Watchguard.

My next articles will be on the VPN between vShield Edge and Fortigate, and between vShield Edge and CheckPoint.

VM