Category Archives: vShield Edge
VPN Config vShield Edge to CheckPoint
This document is covering vShield to CheckPoint VPN configuration.
vShield defaults are on such article, for configuration on vShield side you can get reference from this article.
CheckPoint steps and screenshots are below ;
First create the device
Then create an object for remote network which cover xx.xx.xx.xx/24 for example and integrate it with device
if you already have some vpn configuration before pls add you local network on related group which is described on Manually defined , if you do not have create one group object and add your local network which will make a vpn configuration with remote site and set it
Create a community
Aggregate two firewalls
Configure Phase 1 & 2
Set encryption and has algorithm for phase 1 & 2
Set DH Group , SPF and timeout values
Set pre-shared key
Add a rule(s)….
Thats it !
Thanks to Cem , you can find out many useful articles on his blog http://www.cemkayar.com
VM
VPN Config vShield Edge to Fortigate
vShield Edge and VPN with Fortigate
VPN configuration for Fortigate is not documented you can find out all on this article ….
Please go to vShield configuration like below Administration -> Open vDC –> Edge Gateway -> Right click on right edge device –> Click Edge Gateway Services
Related screen show below taken from already configured one , but first you have to Enable VPN which you can see on left site , its a checkbox !
Quick not for you, if edge device is not connected internet and its behind of some networks and outside of this edge ip is private then you can click Configure Public IPs section and make a nat for reach that edge for VPN …
Before start please be careful to write down everything correct after submit config you do not have a chance to edit it, you have to delete and re-enter everything
Please click a “Add” for configure new VPN configuration , for phase1 and phase2 full settings defaults check this article. vCloud Director do not show full configuration like traditional firewall configuration.
Part 1
Give the name and description which will be indicator about VPN to whom or between
Establish VPN to : –> because of i imagine you will do VPN with remote network which is not in your provider vCloud island , selected a remote network
Choose which internal network will be interact with remote network
Peer Network : is remote network block, here we can not set single ip address, because looks like vShield not supporting it, i will provide infer later … Please use xxx.yyy.zz.ttt./24 or xxx.yyy.zz.ttt./29 bla bla ….
Local Endpoint : Leave default or desired one
Local ID : You can set any here, but i generally set ip address of my edge gateway outside ip here , again this could be hostname something which firewall use indicator for that
Peer ID : You can set any here, but i generally set ip address of my remote firewall outside ip here , again this could be hostname something which firewall use indicator for that
Part 2
Peer IP : Very important, it should be exactly the remote firewall outside ip address which you will establish VPN
Encryption Protocol : Choose agreed one with remote site
Shared Key : like this 123451234512345123451234512345aA
if everything is okay, first screen you have to see check sign on first screen which you enabled VPN first.
Generally on vCloud Director you need to wait little, everything is updating slow and in 5 mins everything start to seen correctly, do not worry about changes of status not seen correctly
For vCloud Director providers, do many things like debug , log or something else, use vShield Manager
For customers use syslog but looks like some debugs you need a syslog and also vCloud Director GUI still not comfortable for example if you want to change something you need to delete whole config and re-enter everything 😀
A good feature you will get notification about vpn tunnel when its up or down , mail will be like below
You will also get down message like top and also from vCloud Director GUI you can see the error message
Last thing about configuration ;
After over the vpn config you have to do one more thing, from firewall section you have to create rule to remote site access you network via vpn like below …
Fortigate site screen shots are below … i’m not explaining something, forti guys also should have a knowledge, if something you need to learn please comment me or send a mail / tweet from About page …
VM
vSheild Edge VPN Defaults
To established VPN between firewalls sometimes not easy, two sites need to be agree on settings and firewall rules need to matched
I would like to describe vShield Edge defaults because not all informations are described and shown on vCloud Director GUI and also on vShield Manager
if you are customer i advise you to have syslog server
if you are admin on provider site pls run with vShield Manager logging
You can little confuse when you start to configure VPN, vShield Edge configuration is not like standard firewalls, you can not see the sections of phase1 and phase2 and don’t configure SA lifetimes or others because of that you have to know default values
I also advise to read http://www.vmware.com/pdf/vshield_51_admin.pdf
vShield Edge use/support
IKEv2
Phase 1
Main Mode (For other modes and explanations pls read this ) No Aggressive Mode
3DES/AES (Choose Encryption)
SHA1 (Integrity Algorithm )
PSK(pre-shared secret key) and Certificate (For Certificate you have to use vShield Manager GUI)(I never use it)
SA Lifetime (28800) no any data kbyets
DH Group 2
Phase2
3DES/AES (Choose Encryption) (From vDirector GUI you will see that selected one will be available for phase1 and 2 )
SHA1 (Integrity Algorithm )
ESP Tunnel Mode
DH Group 2
PFS
SA Lifetime (3600) no any data kbyets
Selectors for all IP protocols, all ports, between the two networks, using IPv4 subsets
DPD (Dead Peer Detection also generally selected on remote site)
Looks like VMware already tested vShield Edge to Cisco Router /ASA, Watchguard
My next articles will be VPN between vShield Edge to Frotigate and vShield Edge to CheckPoint
VM