Cloud Lab-57: vCloud Director Organizations- “VPN Tunnel Between two Organization networks within the same organization” (Part 1)

In today’s post, I will show you how to allow communication between two vApps in the same Organization using the vCloud Director VPN service. You are probably thinking: we already achieved this type of connectivity with static routing, so why do we need an SSL VPN? The main difference between static routing and SSL VPN is that with static routing, traffic passes between the organization networks unencrypted, while the SSL VPN creates an encrypted tunnel between the organization networks and vApps to protect the data stream. Due to the length of this post, I have divided it into two parts. Let’s see what we will cover in Part 1.

LAB-57 TASKS (Part 1)

In this Lab, we will perform the following tasks:

  1. Information required for VPN Configuration
  2. Firewall Settings before VPN Configuration
    • Turn off Firewall on “vApp10”
    • Turn off Firewall on “vApp8”
    • Turn off Firewall on “SkyNet Dev Organization Routed Network”
    • Turn off Firewall on “SkyNet Prod Organization Routed Network”
  3. Test the Firewall before VPN Configuration.

For the sake of demonstration, I will allow communication between two vApps named “vApp10” and “vApp8”, which I have already deployed in my Organization “SkyNet”.

1-Information required for VPN Configuration.

The following information is required before proceeding with the VPN configuration.

  1. vApp10 VM IP
  2. vApp10 Network IP Range
  3. vApp10 Firewall External IP
  4. vApp8 VM IP
  5. vApp8 Network IP Range
  6. vApp8 Firewall External IP

1-To find the “vApp10 VM IP”

Navigate to Organization “SkyNet” -> MyCloud -> vApp -> vApp10-vAppRoutedOrgRouted -> Virtual Machine tab.

Note the IP address of “vApp10-Web1”, which is “192.168.22.100”.

2-To find the “vApp10 Network IP range”

Navigate to Organization “SkyNet” -> MyCloud -> vApp -> vApp10-vAppRoutedOrgRouted -> Networking tab.

Right-click the “vApp10-Network-Routed” VSE (vShield Edge firewall) -> choose “Properties”.

In the “Network Specification” tab, note the IP range, which is “192.168.22.0/24”.

3-To find the “vApp10 External IP”

Right-click the “vApp10-Network-Routed” VSE (vShield Edge firewall) -> choose “Configure Services”.

In the “Static Routing” tab, note the “Router External IP”. It is “192.168.32.2”.

4-To find the “vApp8 VM IP”

Navigate to Organization “SkyNet” -> MyCloud -> vApp -> vApp8-vAppRoutedOrgRouted -> Virtual Machine tab.

Note the IP address of “vApp8-VM1”, which is “192.168.16.100”.

5-To find the “vApp8 Network IP range”

Navigate to Organization “SkyNet” -> MyCloud -> vApp -> vApp8-vAppRoutedOrgRouted -> Networking tab.

Right-click the “vApp8-Network-Routed” VSE (vShield Edge firewall) -> choose “Properties”.

In the “Network Specification” tab, note the IP range, which is “192.168.16.0/24”.

6-To find the “vApp8 External IP”

Right-click the “vApp8-Network-Routed” VSE (vShield Edge firewall) -> choose “Configure Services”.

In the “Static Routing” tab, note the “Router External IP”, which is “192.168.42.4”.

Now we have everything we will need for our routing setup. Let’s summarize it.

No.  Description                           IP Address
1    vApp10 VM IP                          192.168.22.100
2    vApp10 Network IP Range               192.168.22.0/24
3    vApp10 Network Firewall External IP   192.168.32.2
4    vApp8 VM IP                           192.168.16.100
5    vApp8 Network IP Range                192.168.16.0/24
6    vApp8 Network Firewall External IP    192.168.42.4
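Before touching the GUI it is worth sanity-checking the gathered addressing. The Python script below is an added example, not code from the original post: it validates the six values from the table above (every VM IP sits inside its own network, each firewall external IP sits outside the network it fronts, and the two networks do not overlap). The dictionary and function names are my own.

```python
"""Consistency checks on the addressing collected for the vApp10 <-> vApp8 VPN.

Added example; the values are the ones gathered in the post, the names are assumptions.
"""
import ipaddress

# Addressing summarised in the post (vApp10 side and vApp8 side).
SITES = {
    "vApp10": {
        "vm_ip": "192.168.22.100",
        "network": "192.168.22.0/24",
        "external_ip": "192.168.32.2",
    },
    "vApp8": {
        "vm_ip": "192.168.16.100",
        "network": "192.168.16.0/24",
        "external_ip": "192.168.42.4",
    },
}


def check_vpn_addressing(sites):
    """Return a list of problems; an empty list means the values are consistent.

    A site-to-site tunnel cannot route between overlapping subnets, and the
    tunnel endpoint (the firewall's external IP) must not be inside the subnet
    it protects, otherwise the encrypted traffic would loop back into the site.
    """
    problems = []
    nets = {}
    for name, s in sites.items():
        net = ipaddress.ip_network(s["network"], strict=True)
        vm = ipaddress.ip_address(s["vm_ip"])
        ext = ipaddress.ip_address(s["external_ip"])
        nets[name] = net
        if vm not in net:
            problems.append(f"{name}: VM IP {vm} is not inside {net}")
        if ext in net:
            problems.append(f"{name}: external IP {ext} must not be inside {net}")
    names = list(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} network {nets[a]} overlaps {b} network {nets[b]}")
            if sites[a]["external_ip"] == sites[b]["external_ip"]:
                problems.append(f"{a} and {b} share external IP {sites[a]['external_ip']}")
    return problems


if __name__ == "__main__":
    issues = check_vpn_addressing(SITES)
    print("OK" if not issues else "\n".join(issues))
```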

2-Firewall Settings before VPN Configuration

The “vApp Firewall” is on by default and set to deny. It has one default rule, which allows all outbound traffic from the vApp.

On the other hand, the “Organization routed network firewall” is also enabled by default and set to deny, but no rule is defined by default. So any traffic passing in or out through that firewall is blocked by default.

It is easier, and my recommendation in the lab, to turn off the firewall while testing so that traffic can pass without problems. Initially, I will set the default firewall action from “deny” to “allow” for testing. In a later post, I will show you how to allow only the explicit traffic we want to pass through our vApp and Organization routed network firewalls.

Enough talking; let me walk through how to turn off the firewalls on my vApps and Organization routed networks.

1-Turn off Firewall on “vApp10”

Navigate to Organization “SkyNet” -> MyCloud -> vApp -> vApp10-vAppRoutedOrgRouted -> Networking tab.

Uncheck the highlighted “Firewall” check box, and make sure to click the “Apply” button to commit the change.

2-Turn off Firewall on “vApp8”

Navigate to Organization “SkyNet” -> MyCloud -> vApp -> vApp8-vAppRoutedOrgRouted -> Networking tab.

Uncheck the highlighted “Firewall” check box, and make sure to click the “Apply” button to commit the change.

3-Turn off Firewall on “SkyNet Dev Organization Routed Network”

Navigate to Organization “SkyNet” -> Administration -> Virtual Datacenters -> SkyNet-Dev-OrgVDC -> Org VDC Networks.

Right-click the network “SkyNet-Dev-OrgRouted” -> choose “Configure Services”.

Go to the “Firewall” tab, uncheck the “Enable firewall” check box, and click “OK”.

4-Turn off Firewall on “SkyNet Prod Organization Routed Network”

Navigate to Organization “SkyNet” -> Administration -> Virtual Datacenters -> SkyNet-Prod-OrgVDC -> Org VDC Networks.

Right-click the network “SkyNet-Prod-OrgRouted” -> choose “Configure Services”.

Go to the “Firewall” tab, uncheck the “Enable firewall” check box, and click “OK”.

NOTE: You should disable the guest OS firewall inside the vApp VMs as well.

3-Test the Firewall before VPN Configuration

Go to “vApp8-VM1”, open the console and provide the login credentials. Once logged in (it is a Linux machine), use “ipconfig” to check its IP address, which is “192.168.16.100”.

If you ping the “vApp10-Web1” VM IP “192.168.22.100”, you will get a destination unreachable error at the moment.

Now trace the network path to the “vApp10-Web1” VM: run tracert 192.168.22.100 at the command prompt.

As you can see, we only reach “192.168.42.1”, the Organization Edge Gateway (SkyNet-Dev-Edge), and get a destination unreachable message from its next hop, the “vApp10-VSE” external IP “192.168.32.2”.

That is it for today’s post. In the next post, I will show you how to configure the VPN between two Organization networks within the same Organization and test the communication between them.
