EHS VNS3 Setup Guide

© 2016
ElasticHosts
Conﬁguration
ElasticHosts Setup for VNS3
2016

© 2016
Table of Contents
2
Introduction 3
CenturyLink Cloud Deployment Setup 9
VNS3 Conﬁguration Document Links 20

© 2016
Requirements
4
•You have a ElasticHosts account (For a free ElasticHosts trial, visit: http://
www.elastichosts.com/cloud-servers/free-trial/).
•You have the ability to configure a client (whether desktop based or cloud based) to use
OpenVPN client software.
•You have a compliant IPsec firewall/router networking device:
Preferred Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear,
Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett
Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.
Best Effort Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or
MD5.
*Known Exclusions Checkpoint R65+ requires native IPSec connections as Checkpoint does
not conform to NAT-Traversal Standards and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable
connection from being maintained.

© 2016
Getting Help with VNS3
5
This guide covers a generic VNS3 setup in ElasticHosts. If you need speciﬁc help with
project planning, POCs, or audits, contact our professional services team via
sales@cohesive.net for details.
This guide uses Cisco’s Adaptive Security Device Controller UI. Setting up your IPsec
Extranet device may have a diﬀerent user experience than what is shown here. All the
information entered in this guide will be same regardless of your UI or cmd line setup.
 
Please review the VNS3 Support Plans and Contacts before sending support inquiries.

© 2016
Firewall Considerations
6
VNS3 Controller instances use the following TCP and UDP ports. 
• UDP port 1194  
For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients. 
• UDP 1195-1203* 
For tunnels between Controller peers; must be accessible from all peers in a given topology.
• TCP port 8000  
HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or conﬁgure peering, also needs to be open to and from
the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
• UDP port 500 
UDP port 500 is used the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection. 
• UDP port 4500 or Protocol 50 (ESP) 
Protocol 50 is used for phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP
port 4500 is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation.
*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500

© 2016
Sizing Considerations
7
Image Size and Architecture
VNS3 Controller Images are available as 64bit images to allow the greatest ﬂexibility for your use-case. We
recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the
performance will depend on the use-case.
Clientpack Key Size
VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the
“clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future
releases of VNS3 will provide the user control over key size and cipher during initialization and conﬁguration.

© 2016
Remote Support
8
Note that TCP 22 (ssh) is not required for normal operations.
Each VNS3 Controller is running a restricted SSH daemon,
with access limited only to Cohesive for debugging purposes
controlled by the user via the Remote Support toggle and
key exchange generation.
In the event Cohesive needs to observe runtime state of a
VNS3 Controller in response to a tech support request, we
will ask you to open Security Group access to SSH from our
support IP range and Enable Remote Support via the Web UI.
Cohesive will send you an encrypted passphrase to generate
a private key used by Cohesive Support staﬀ to access your
Controller. Access to the restricted SSH daemon is
completely controlled by the user. Once the support ticket
has been closed you can disable remote support access and
invalidate the access key.

© 2016
ElasticHosts Deployment Setup
9

© 2016
ElasticHosts Conﬁguration: Select VNS3 Template
10
Login to your ElasticHosts account at the data center
where you wish to run VNS3.
Below the “Control Panel” menu item there is a menu
for “Add”. Click on “Add” and then select “Server (VM)”.
The “Add Server (VM)” dialogue menu will pop up.
Give your targeted VNS3 instance a name and at least
1gig of memory and 10gig of disk. Choose a type of
“Pre-installed system” and then click on the “Image”
drop down menu you will ﬁnd the “Free” edition as
well as the “Full” or bring-your-own-license edition.
Select either the free edition or the full edition and
click add.

© 2016
ElasticHosts Configuration: Public IP Access
11
In ElasticHosts (ElasticHosts) an instance can have a public IP on eth0 and a private VLAN
IP on eth1. When you create a VLAN at ElasticHosts you don’t define a specific subnet
mask. Clients launched with “eth1" connected to a VLAN must have addresses in the
same subnet in their local configurations. This is very different than most cloud
implementations - but incredibly flexible.
As a result VNS3 can be used as an Internet Gateway, sitting at a private VLAN edge,
providing NAT-ing and port forwarding for the other devices in the private VLAN.
ElasticHosts instances can have dynamically assigned public IPs or static IPs. This choice
is made at instance creation time.

© 2016
Create an ElasticHosts Private VLAN
12
From the “Control panel” page, use the “Add”
menu again, selecting “Private VLAN”.
On the “Control panel” page the selection will
take you to a text box near a network graphic.
The only conﬁguration of the VLAN needed is
to give it a “display name” for use when
launching instances into it.
In this example the VLAN has been named
“MyFavoriteVLAN”.

© 2016
Launch a VNS3 Controller
13
After creating your server your can then configure it.
On the server configuration page you can set the
display name of the instance, in this case
“MyVNS3Controller”.
You can select from your available static public IPs
shown in the pop up menu, or choose “Dynamic IP -
Assigned at Boot” to get a public IP that is not static.
In the lower right corner there are “Advanced Options”.
In this section you pick the Private VLAN that you want
to connect this VNS3 Controller instance to. In the
section marked “VLAN” use the drop menu to pick the
VLAN for use, in this case “MyFavoriteVLAN”
When complete you should start your VNS3 server.
You should allow several minutes for first boot.

© 2016
VNS3 Controller Log in
14
Login to the VNS3 Web UI - https://<Controller IP>:8000
Default username: vnscubed  
Default password: vnscubed
Reset your passwords:
• Reset the Web UI Password - Even though the instance id is
unlikely to be “guessed”, please change it for security purposes.
• NOTE: Your VNS3 Controller answers to API calls on the same
port 8000 as the web interface runs on. Ideally make a
separate password for the API usage against the Controller.
• Reset the API Password - Even though the instance id is unlikely
to be “guessed”, please change it for security purposes, again
making it a diﬀerent password than the web interface is
probably best.
NOTE: Cohesive does not have any key access or remote access to
your VNS3 Controllers unless provided by you. If you forget these
passwords we cannot recover them for you.

© 2016
Configure VNS3 for the VLAN
15
Before any other configuration steps of your VNS3 Controller
you can configure it for the ElasticHosts Private VLAN.
Select the “Private VLAN” menu item under the “Admin”
section. (Remember - at ElasticHosts the VLAN is defined
“collectively” by the addresses assigned to the instance in the
VLAN.) Please note, the instances in the VLAN should be
configured to be in the same subnet mask.
In this case we are de facto making the VLAN a
192.168.10.0/24 subnet. This is done by setting an address
for the VNS3 Controller’s private IP (192.168.10.1) and then
setting a network mask for the entirety of the subnet
(255.255.255.0, which translates to a /24).
Hit “Save and Reboot” and the VNS3 Controller will set up its
internal “eth1” and reboot to properly initialize the interface
and associated internal ACLs.

© 2016
Configure ElasticHosts Hosts to use VNS3 as Internet Gateway
16
WARNING
Do not configure ElasticHosts VLAN hosts to use VNS3 as an Internet
Gateway until the VNS3 instance is fully configured with Private VLAN
settings and Firewall rules for NAT-ing installed. If you have public
IPs temporarily assigned to your ElasticHosts VLAN hosts, and create
a route to the VNS3 as the gateway to 0.0.0.0/0, you will most likely
lose connectivity until the VNS3 configuration is complete, including
port forwarding information to SSH or RDP into the VLAN host
through the VNS3 Controller.
This following page at ElasticHosts website describes the
process for configuring ElasticHosts VLAN hosts: http://
www.elastichosts.com/support/tutorials/set-up-a-vlan/
Here we show the first steps recommended by the ElasticHosts
document above. In this case the addresses used are based
upon the addresses we used for the VNS3 Controller on the
previous page “Configure VNS3 for the VLAN”.

© 2016
Configure ElasticHosts Hosts to use VNS3 as Internet Gateway
17
WARNING
Do not configure ElasticHosts VLAN hosts to use VNS3 as an Internet
Gateway until the VNS3 instance is fully configured with Private VLAN
settings and Firewall rules for NAT-ing installed. If you have public
IPs temporarily assigned to your ElasticHosts VLAN hosts, and create
a route to the VNS3 as the route to 0.0.0.0/0, you will most likely lose
connectivity until that configuration is complete, including port
forwarding information to SSH or RDP into the VLAN host through
the VNS3 Controller.
After bringing up the “eth1” interface and configuring the
network interface information, the networking can be restarted.
In this instance, using Ubuntu, the command is the one used in
the ElasticHosts documentation. The setup will be comparable
but a bit different on RedHat based hosts.
After the networking is restarted, an “ifconfig” command shows
the instance has an “eth1” with the address of 192.168.10.2 as
specified.

© 2016
Configure VNS3 as Internet Gateway
In order to configure VNS3 as the Internet Gateway the following
Firewall rules need to be entered. (The example continues
assuming the VLAN is 192.168.10.0/24)
# Allow traffic to/from the VLAN to this VNS3 Controller 
INPUT_CUST -s 192.168.10.0/24 -j ACCEPT 
OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT
# NAT traffic from the VLAN that is using this VNS3 Controller as
Internet Gateway 
MACRO_CUST -o eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -j
MASQUERADE
# Port forward traffic to my 192.168.10.2 host
PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT
--to 192.168.10.2:22
Assuming your VLAN host is like the example, at 192.168.10.2,
and is accessible via SSH, then the firewall is now configured to
NAT traffic for any VLAN host configured to use it as the Internet
Gateway, and shows how to port forward traffic into the VLAN
through the VNS3 Controller.
18

© 2016
Configure ElasticHosts Hosts to Route to VNS3 Controller
19
WARNING
Do not configure ElasticHosts VLAN hosts to use VNS3 as an Internet Gateway until the VNS3 instance is fully configured with
Private VLAN settings and Firewall rules for NAT-ing installed. If you have public IPs temporarily assigned to your ElasticHosts
VLAN hosts, and create a route to the VNS3 as the route to 0.0.0.0/0, you will most likely lose connectivity until that
configuration is complete, including port forwarding information to SSH or RDP into the VLAN host through the VNS3
Controller.
The last step after all the previous are complete is to enter a route on the ElasticHosts VLAN host, pointing to the VNS3
Controller’s private ip as the gateway to the Internet.
On the ElasticHosts host enter: 
ip route add 0.0.0.0/0 via 192.168.10.1
(The address 192.168.10.1 us used because in this example that is the VNS3 Controller private IP.)
You should now be able to reach Internet resources even without a public IP attached to the ElasticHosts host.
Depending on the operating system used in the cloud hosts, the route will need to be made persistent. This varies by
operating system.

© 2016
VNS3 Configuration Document Links
21
VNS3 Product Resources - Documentation | Add-ons
VNS3 Configuration Instructions 
Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include,
initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to
the Overlay Network.  
VNS3 Administration Document 
Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall,
all administration menu items, upgrade licenses, other routes and SNMP traps. 
VNS3 Docker Instructions 
Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.
VNS3 Troubleshooting 
Troubleshooting document that provides explanation issues that are more commonly experienced with VNS3.

EHS VNS3 Setup Guide

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to EHS VNS3 Setup Guide

Similar to EHS VNS3 Setup Guide (20)

More from Cohesive Networks

More from Cohesive Networks (13)

Recently uploaded

Recently uploaded (20)

EHS VNS3 Setup Guide