SoftLayer Citrix Netscaler VPX

The NetScaler VPX product line has three family editions available supporting the same feature set as the NetScaler appliances:

  • Standard Edition
  • Enterprise Edition
  • Platinum Edition

SoftLayer provides the following options for NetScaler VPX. From a licensing point of view, the Standard and Platinum editions are available.

(Figure: SoftLayer Citrix VPX ordering options, image not available)

The features supported by the Platinum edition are:

(Figure: Citrix VPX Platinum license features, image not available)

The features supported by the Standard edition are:

(Figure: Citrix VPX Standard version features, image not available)

The following VPX performance reference can help you pick the right VPX edition.

(Figure: VPX performance table, image not available)

Upgrade Licenses For NetScaler VPX Virtual Appliance

Customers can upgrade their NetScaler virtual appliance from one family edition to another and from one performance range to another by purchasing an upgrade license.

There are two types of upgrades for this product:

  • Edition Upgrades—Standard to Enterprise, Standard to Platinum and Enterprise to Platinum. Edition upgrades must be within the same bandwidth.
  • Performance (Bandwidth) Upgrades—10 Mbps to 200 Mbps, 10 Mbps to 1000 Mbps and 200 Mbps to 1000 Mbps. Performance upgrades can only be performed on the same Edition (Standard, Enterprise, or Platinum).

Configuring IPSec on Juniper SRX for IBM SoftLayer Connectivity (2)

In this post, I provide a Juniper route-based VPN reference configuration for customers using a Juniper SRX firewall for IPSec connectivity to SoftLayer.

For the SoftLayer end configuration, please refer to my other post:

Configuring IPSec on Cisco IOS router for Softlayer Connectivity

Customer end: Juniper SRX Firewall (route based VPN)

  1. Create the tunnel interface and the VPN security zone, and bind the tunnel interface to the VPN security zone

    set interfaces st0 unit 0 family inet

    set security zones security-zone vpn interfaces st0.0

  2. Phase 1

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm md5
    set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"
    set security ike gateway SL ike-policy ike-phase1-policy
    set security ike gateway SL address x.x.x.x
    set security ike gateway SL external-interface ge-0/0/0.0

    Note: x.x.x.x is the SoftLayer IPSec gateway IP.

  3. Phase 2

    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec vpn SLVPN bind-interface st0.0
    set security ipsec vpn SLVPN ike gateway SL
    set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24
    set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26
    set security ipsec vpn SLVPN ike proxy-identity service any
    set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy
    set security ipsec vpn SLVPN establish-tunnels on-traffic

    Note: the proxy ID configuration is very important: the local and remote proxy identities must match the customer and SoftLayer subnets defined on the SoftLayer end.

  4. Security Policy 1 (Outbound)

    set security address-book Trust address local_network 192.168.109.0/24
    set security address-book Trust attach zone trust

    set security policies from-zone trust to-zone vpn policy outbound match source-address local_network
    set security policies from-zone trust to-zone vpn policy outbound match destination-address any
    set security policies from-zone trust to-zone vpn policy outbound match application any
    set security policies from-zone trust to-zone vpn policy outbound then permit

  5. Security Policy 2 (Inbound)

    set security policies from-zone vpn to-zone trust policy inbound match source-address any
    set security policies from-zone vpn to-zone trust policy inbound match destination-address local_network
    set security policies from-zone vpn to-zone trust policy inbound match application any
    set security policies from-zone vpn to-zone trust policy inbound then permit

    Note: this any-any rule is only for illustration; in production, restrict the source address and application to what is actually required.

  6. Routing

    set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
    set routing-options static route 10.66.24.0/26 next-hop st0.0

  7. Verify IPSec status

    root@SRX1> show security ike sa
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    3878661 UP     4fe84303034a5be3  8674368c9212747f  Main           x.x.x.x
    3878662 UP     417c49e6abd24de3  ad718e32b2c94602  Main           x.x.x.x
    3878675 UP     c74fa9e1cbac457b  8eab37fe32b29aa3  Main           x.x.x.x

    root@SRX1> show security ipsec sa
    Total active tunnels: 1
    ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
    <131073 ESP:3des/md5  c25f6085 704/  unlim   -   root 4500  x.x.x.x
    >131073 ESP:3des/md5  ebf61035 704/  unlim   -   root 4500  x.x.x.x

Configuring IPSec on Juniper SRX for IBM SoftLayer Connectivity (1)

In this post, I provide a policy-based VPN reference configuration for customers using a Juniper SRX firewall for IPSec connectivity to SoftLayer.

For the SoftLayer end configuration, please refer to my other post:

https://davidwzhang.com/2016/07/09/configuring-ipsec-on-cisco-ios-router-for-softlayer-connectivity/

Customer end Configuration: Juniper SRX Firewall (policy based VPN)

  1. Phase 1

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm md5
    set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"
    set security ike gateway SL ike-policy ike-phase1-policy
    set security ike gateway SL address x.x.x.x
    set security ike gateway SL external-interface ge-0/0/0.0

  2. Phase 2

    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec vpn SLVPN ike gateway SL
    set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24
    set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26
    set security ipsec vpn SLVPN ike proxy-identity service any
    set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy

  3. Security Policy (Outbound)

    set security policies from-zone trust to-zone untrust policy outbound_vpn match source-address local_network
    set security policies from-zone trust to-zone untrust policy outbound_vpn match destination-address SL-net
    set security policies from-zone trust to-zone untrust policy outbound_vpn match application any
    set security policies from-zone trust to-zone untrust policy outbound_vpn then permit tunnel ipsec-vpn SLVPN
    set security policies from-zone trust to-zone untrust policy outbound_vpn then count

  4. Security Policy (Inbound)

    set security policies from-zone untrust to-zone trust policy inbound_vpn match source-address SL-net
    set security policies from-zone untrust to-zone trust policy inbound_vpn match destination-address local_network
    set security policies from-zone untrust to-zone trust policy inbound_vpn match application any
    set security policies from-zone untrust to-zone trust policy inbound_vpn then permit tunnel ipsec-vpn SLVPN
    set security policies from-zone untrust to-zone trust policy inbound_vpn then count

    Note: local_network and SL-net are address-book entries (192.168.109.0/24 in zone trust, 10.66.24.0/26 in zone untrust); the corresponding set security address-book lines are shown in the Security Policy section of "Configuring IPSec between Softlayer Vyatta and Juniper SRX" below.

  5. Routing

    set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

Configuring IPSec on Cisco IOS router for Softlayer Connectivity

Who is SoftLayer?

SoftLayer, an IBM Company, provides cloud infrastructure as a service from 13 data centers in the United States, Asia, and Europe, and a global footprint of 17 network points of presence. Our customers range from Web startups to global enterprises.

SoftLayer offers an IPSec VPN on the private network so that customers can connect their corporate network to the SoftLayer cloud and manage the systems they run there.

SoftLayer customers can complete the SoftLayer end's IPSec configuration through the SoftLayer customer portal.

In this series of articles I will show the capabilities of SoftLayer IPSec through three use cases.

The network topology is:

(Diagram: network topology, image not available)

The IPSec config on the SoftLayer end is as below:

(Screenshot: SoftLayer end IPSec configuration, image not available)

From the above, you can see that the IPSec config on the SoftLayer end is quite straightforward: the Phase 1 and Phase 2 negotiation parameters, then the customer subnets and the SoftLayer subnets.

The next step is the configuration on the customer end:

(1) Customer end is Cisco router.

Please note that it looks like SoftLayer doesn't support the Cisco IPSec Virtual Tunnel Interface (VTI), so you will probably have to use the classical "crypto map" method:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
! x.x.x.x is the SoftLayer end IPSec VPN gateway IP
crypto isakmp key PassW0rd2014 address x.x.x.x
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TS
 set pfs group2
 match address VPN
!
interface FastEthernet0/0
 ip address 10.1.1.231 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
! not part of the VPN configuration: note that the unencrypted HTTP management server is enabled on this router
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
ip access-list extended VPN
 permit ip 192.168.109.0 0.0.0.255 10.66.24.0 0.0.0.63

Notes:

  • 192.168.109.0/24 is the customer end IP range.
  • 10.66.24.0/26 is the SoftLayer VM IP range.
  • This Cisco router is behind a firewall which performs the NAT function.

About SoftLayer Standard IPSec offering

Recently, I was called in for an application integration issue between SoftLayer and a customer's corporate network. The customer uses SoftLayer Standard IPSec (the one in the customer portal) as the communication path for the app integration, but they saw some issues with it. The technical person on the customer end did some troubleshooting and found that source NAT is performed on the SoftLayer VPN gateway. They suggested that all traffic arriving from the same IP (the SoftLayer VPN gateway) was what caused the issue for their applications, so they asked whether SoftLayer could disable this NAT feature for them.

Unfortunately, the customer misunderstood the SoftLayer IPSec offering.

The SoftLayer Standard IPSec offering in the customer portal is for admin/management purposes only. It is not really for application integration, e.g. customer VM to server on their corporate network.

If a customer wants to establish secure connectivity from their corporate network to SoftLayer for application integration purposes, there are two options. Pick one according to your requirements:

(1) Virtual Vyatta gateway: for small deployments (e.g. <50 VMs).

(2) Physical HA Vyatta gateway: for large-scale deployments with HA and performance requirements.

SoftLayer Global IP

Global IPs provide IP flexibility by allowing users to shift workloads between servers (even in different datacenters). Global IPs also provide IP persistence by allowing for transitions between servers and CCIs; for example, upgrading from a CCI to a dedicated system without having your IP tied to a particular server or VLAN.

Next, I will show how to use this feature in the real world.

In the customer portal: control.softlayer.com

Step 0: Order a global IP and bind it to a server in the US. See the traceroute output:

(Screenshot: traceroute to the global IP on the US server, image not available)

Now we are going to move this global IP to a server at the SoftLayer Singapore DC.

Step 1: Go into Network, select IP Management, then Global IP.

(Screenshot: Global IP page in the customer portal, image not available)

Step 2: Route the global IP to a server at Singapore (note: only for the SoftLayer public network).

(Screenshot: binding the global IP to the Singapore server, image not available)

Step 3: Configure the global IP on the server you specified at Step 2. Here, my box is CentOS.

more /etc/sysconfig/network-scripts/ifcfg-eth1:1
DEVICE=eth1:1
IPADDR=108.168.254.147
NETMASK=255.255.255.255
NETWORK=108.168.254.147
ONBOOT=yes

Restart the network service:

service network restart

Step 4: Verify that the global IP works at the Singapore DC.

(Screenshot: traceroute to the global IP on the Singapore server, image not available)

From the above you can see that you are now using a US IP on a Singapore DC server.

The Global IP feature makes a simple but manual DR solution possible for SMBs.

Let us consider the scenario below:

One web application is served at www.example.com. If we configure DNS to resolve http://www.example.com to a global IP, and the global IP is configured on one server at a US DC, then when the US server fails for any reason you can power up another backup server at the Singapore DC to provide the same service.

Pros

  • No need to update DNS.
  • No need to wait for DNS propagation, which may take days.

Cons

  • Global IPs will not work for local load balancers. (I think the local LB here means the SoftLayer-offered LB function.)
  • By themselves, Global IPs are not an automatic failover solution, due to the lack of health checks.

If you want to know more about Global IPs, please check the link: http://knowledgelayer.softlayer.com/learning/global-ip-addresses

Softlayer Vyatta and Netscaler VPX Integration

SoftLayer provides the Vyatta gateway as a firewall and NetScaler VPX as a load balancer. You can integrate these two functions to provide DMZ load balancing, which is commonly requested by enterprise customers.

We have two options to do load balancing in DMZ on Softlayer: load balancing on Softlayer public network or load balancing on Softlayer private network.

When the NetScaler VPX is built by SoftLayer, three IPs are configured:

  • NetScaler IP address (NSIP): one IP from the private network.
  • Subnet IP addresses (SNIP): one SNIP for the private VLAN and one SNIP for the public VLAN.

The following routing is configured by default:

  1. A default route to the gateway IP of the NetScaler public VLAN;
  2. A static route (10.0.0.0/8) to the gateway IP of the NetScaler private VLAN.

In our example, the NetScaler VPX is set up as below:

  • Public VLAN with IP subnet (100.64.0.0/29) and private VLAN with IP subnet (10.118.0.0/26).
  • Netscaler IP (NSIP) is 10.118.0.2/26.
  • Public VLAN SNIP: 100.64.0.2/29
  • Private VLAN SNIP: 10.118.0.3/26

Let us go through option 1 and 2 here using the above Netscaler setting.

Option 1: Load Balancing on Softlayer public network

Step 0: Associate and route Netscaler VPX private and public VLAN to Vyatta gateway;

Step 1: Order a public static block as vIP, let us use 100.64.1.0/28 as our VIP block;

Step 2: Configure static routing for public vIP block on Vyatta and next-hop is Netscaler VPX public VLAN Subnet IP;

set protocols static route 100.64.1.0/28 next-hop 100.64.0.2

Step 3: Configure firewall rules on Vyatta gateway and only allow inbound traffic to the vIP on specific protocol/port;

(Diagram: NetScaler option 1, load balancing on the public network, image not available)

Option 2: Load Balancing on Softlayer private network

Step 0: Associate and route Netscaler VPX private and public VLAN to Vyatta gateway;

Step 1: Order a private static block as vIP with Target to Netscaler Subnet IP of private VLAN, let us use 10.118.1.0/28 as our VIP block;

Step 2: Order a public static IP for your Internet facing service with Target to Vyatta gateway public VLAN interface IP;

Step 3: Configure static routing for private vIP block on Vyatta and next-hop is Netscaler VPX private VLAN Subnet IP;

set protocols static route 10.118.1.0/28 next-hop 10.118.0.3

Step 4: Configure static NAT to NAT the public IP to the private vIP;

Step 5: Configure firewall rules on Vyatta gateway and only allow inbound traffic to the vIP on specific protocol/port;

(Diagram: NetScaler option 2, load balancing on the private network, image not available)

I personally prefer option 1, as it is straightforward and requires less configuration. In addition, it offloads the NAT from the Vyatta gateway.

Configuring IPSec between Softlayer Vyatta and Juniper SRX

Note: the Juniper SRX is behind the WAN router; the public IP is on the WAN router.

Below is an example of configuring IPSec between a SoftLayer Vyatta and a Juniper SRX.

Network topology

(Diagram: Juniper SRX to SoftLayer Vyatta topology, image not available)

Vyatta@Softlayer configuration

set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network '10.1.1.0/24'
set vpn ipsec nat-networks allowed-network '192.168.109.0/24'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'juniper'
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 0.0.0.0 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 0.0.0.0 local-address '119.81.x.x'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '192.168.109.0/24'

Note: peer 0.0.0.0 matches any remote address, because the SRX sits behind the WAN router that holds the public IP; this is also why nat-traversal is enabled.

Juniper SRX (policy based)

Phase 1:

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm md5
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc

set security ike policy ike-sl2 mode main
set security ike policy ike-sl2 proposals ike-phase1-proposal
set security ike policy ike-sl2 pre-shared-key ascii-text "$9$1xOhcl7Nb2oGSrb2"

set security ike gateway SL2-ikegw ike-policy ike-sl2
set security ike gateway SL2-ikegw address 119.81.xx.x
set security ike gateway SL2-ikegw external-interface ge-0/0/0.0

Phase 2:

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn SLVPN2 ike gateway SL2-ikegw
set security ipsec vpn SLVPN2 ike proxy-identity local 192.168.109.0/24
set security ipsec vpn SLVPN2 ike proxy-identity remote 10.66.24.0/26
set security ipsec vpn SLVPN2 ike proxy-identity service any
set security ipsec vpn SLVPN2 ike ipsec-policy ipsec-phase2-policy

Security Policy

set security address-book Untrust address SL-net 10.66.24.0/26
set security address-book Untrust attach zone untrust
set security address-book Trust address local_network 192.168.109.0/24
set security address-book Trust attach zone trust

set security policies from-zone trust to-zone untrust policy outbound_vpn match source-address local_network
set security policies from-zone trust to-zone untrust policy outbound_vpn match destination-address SL-net
set security policies from-zone trust to-zone untrust policy outbound_vpn match application any
set security policies from-zone trust to-zone untrust policy outbound_vpn then permit tunnel ipsec-vpn SLVPN2
set security policies from-zone trust to-zone untrust policy outbound_vpn then count

set security policies from-zone untrust to-zone trust policy inbound_vpn match source-address SL-net
set security policies from-zone untrust to-zone trust policy inbound_vpn match destination-address local_network
set security policies from-zone untrust to-zone trust policy inbound_vpn match application any
set security policies from-zone untrust to-zone trust policy inbound_vpn then permit tunnel ipsec-vpn SLVPN2
set security policies from-zone untrust to-zone trust policy inbound_vpn then count
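As an added example (not from the original posts), the following Python script checks the point that both SRX posts and the Cisco post depend on: the Phase 2 selectors on the customer device must exactly mirror the SoftLayer end. It parses Junos proxy-identity lines, Vyatta tunnel prefixes and a Cisco crypto map ACL (wildcard masks converted to prefixes) and reports whether each pair mirrors; the sample config lines are constructed from the subnets used on this page.

```python
import ipaddress
import re

# Constructed sample lines, shaped like the Junos, Vyatta and Cisco configs above.
# Feed your own device configs in practice.
JUNOS_CFG = """
set security ipsec vpn SLVPN2 ike proxy-identity local 192.168.109.0/24
set security ipsec vpn SLVPN2 ike proxy-identity remote 10.66.24.0/26
set security ipsec vpn SLVPN2 ike proxy-identity service any
"""
VYATTA_CFG = """
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '192.168.109.0/24'
"""
CISCO_CFG = """
ip access-list extended VPN
 permit ip 192.168.109.0 0.0.0.255 10.66.24.0 0.0.0.63
"""


def junos_proxy_ids(cfg):
    """Phase 2 proxy identities of an SRX: {'local': net, 'remote': net}."""
    return {m.group(1): ipaddress.ip_network(m.group(2))
            for m in re.finditer(r"proxy-identity (local|remote) (\S+)", cfg)}


def vyatta_tunnel_prefixes(cfg, tunnel=1):
    """Local/remote prefixes of one Vyatta site-to-site tunnel (quotes optional)."""
    pat = rf"tunnel {tunnel} (local|remote) prefix '?([0-9a-fA-F:./]+)'?"
    return {m.group(1): ipaddress.ip_network(m.group(2))
            for m in re.finditer(pat, cfg)}


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address + wildcard (inverse) mask to an ip_network.
    Only contiguous wildcards (all ones at the low end) describe a subnet."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    # strict=True rejects an address that is not the subnet's network address
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=True)


def cisco_crypto_acl(cfg):
    """Local/remote subnets from the first 'permit ip' entry of a crypto map ACL."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    if m is None:
        raise ValueError("no 'permit ip' entry found")
    return {"local": wildcard_to_network(m.group(1), m.group(2)),
            "remote": wildcard_to_network(m.group(3), m.group(4))}


def selectors_mirror(side_a, side_b):
    """True when each side's local selector is exactly the other side's remote.
    A /25 on one end against a /24 on the other still fails (exact match only)."""
    return side_a["local"] == side_b["remote"] and side_a["remote"] == side_b["local"]


if __name__ == "__main__":
    sl = vyatta_tunnel_prefixes(VYATTA_CFG)
    print("SRX   <-> SoftLayer Vyatta:", selectors_mirror(junos_proxy_ids(JUNOS_CFG), sl))
    print("Cisco <-> SoftLayer Vyatta:", selectors_mirror(cisco_crypto_acl(CISCO_CFG), sl))
```

When the selectors do not mirror, Phase 1 can still show UP in `show security ike sa` while `show security ipsec sa` stays empty, which is the symptom to look for first.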