How to Use Citrix NetScaler CloudBridge Connector with the SoftLayer Cloud

A very good doc and video about how to use the Citrix NetScaler CloudBridge Connector with the SoftLayer Cloud:

How to Use Citrix NetScaler CloudBridge Connector with the SoftLayer Cloud

Points to Consider when Configuring a CloudBridge Tunnel with a NAT Device

For configuring a CloudBridge tunnel, consider the following points:

- You must not deploy a dynamic NAT device in front of a CloudBridge tunnel end point. At least one of the CloudBridge appliances must be directly connected or behind a static NAT device.

- Make sure that the IP tunnel entity configured on each CloudBridge appliance specifies the correct IP address of the appliance at the other end point. If one of the CloudBridge appliances is behind a static NAT device, the IP tunnel entity on the peer tunnel end point (the peer CloudBridge appliance) must specify the remote tunnel end-point IP as the IP address of the NAT device, not the IP address of the CloudBridge appliance that is behind the NAT device.

Prerequisites for Configuring a Cloudbridge Tunnel

Configure firewalls to allow UDP and ESP traffic – Configure firewalls, deployed on the network edge of each of the CloudBridge tunnel end points, as follows:

- If no NAT device is deployed in front of either CloudBridge tunnel end point, that is, the public IP addresses of both tunnel end points are directly accessible to each other, you must configure the firewall to allow the following:

  • Any UDP packets for port 500
  • Any ESP (IP protocol number 50) packets

- If a NAT device is deployed in front of one or both of the CloudBridge tunnel end points, that is, the public IP address of at least one tunnel end point is not directly accessible to the other, you must configure the firewall to allow the following:

  • Any UDP packets for port 500
  • Any UDP packets for port 4500 (NAT traversal)
  • Any ESP (IP protocol number 50) packets

Step by Step: how to route a VLAN to a Vyatta Gateway using the SoftLayer Customer Portal

The Vyatta Network Gateway device places a customer configurable routing device in front of specific customer configured VLANs.

The primary benefit of using a Network Gateway is control. A Network Gateway provides the customer expanded control over features and functionality, including:


  • Terminate public IPSec VPN tunnels on the Network Gateway device.
  • NAT based configurations where “private-network only” servers are reached via NAT on the Network Gateway.
  • Custom routing designs adjustable on the fly by your administration team.
  • Run extra diagnostic commands such as traffic monitoring on the Network Gateway.
  • Firewall capabilities in addition to other benefits

In the SoftLayer customer portal, you can specify which VLAN you want to route to the Vyatta gateway, so that the CCIs and bare metal servers in that VLAN use the Vyatta as their default gateway/next hop.

The steps are as follows:

Step 1: In the customer portal, go to Network > Gateway Appliances.


Step 2: Click the Gateway Name for the desired Network Gateway to access the Gateway Details screen.


Step 3: Select the desired VLAN from the Associate a VLAN drop-down list and click the Associate button to associate the VLAN.


Step 4: Locate the desired VLAN in the Associated VLANs section and select Route VLAN from the Actions drop-down menu.


Step 5: Log in to the Vyatta to configure the gateway interface for VLAN 1942:

set interfaces bonding bond0 vif 1942 address '10.x.x.193/26'

If you have an HA Vyatta gateway pair, configure VRRP as well.

NOTE: the VRRP virtual IP is always the 1st usable IP in your subnet.

SoftLayer Citrix Netscaler VPX

The NetScaler VPX product line has three family editions available supporting the same feature set as the NetScaler appliances:

  • Standard Edition
  • Enterprise Edition
  • Platinum Edition

SoftLayer provides the following options for NetScaler VPX. From a licensing point of view, the Standard and Platinum editions are available:

[figure: Softlayer Citrix VPX]

The features supported by the Platinum edition are:

[figure: Citrix VPX license]

The features supported by the Standard edition are:

[figure: Citrix Standard version]

The following reference about VPX performance can help you pick the right edition of VPX:

[figure: VPX Performance]

[figure: VPX Performance1]

Upgrade Licenses For NetScaler VPX Virtual Appliance

Customers can upgrade their NetScaler virtual appliance from one family edition to another and from one performance range to another by purchasing an upgrade license.

There are two types of upgrades for this product:

  • Edition Upgrades—Standard to Enterprise, Standard to Platinum and Enterprise to Platinum. Edition upgrades must be within the same bandwidth.
  • Performance (Bandwidth) Upgrades—10Mbps to 200Mbps, 10Mbps to 1000Mbps and 200Mbps to 1000Mbps. Performance upgrades can only be performed on the same edition (Standard, Enterprise, or Platinum).

Configuring IPSec on Juniper SRX for IBM SoftLayer Connectivity (2)

In this blog, I will provide a Juniper route-based VPN reference configuration for when a customer uses a Juniper SRX firewall for IPSec connectivity to SoftLayer.

For the SoftLayer end configuration, please refer to my other blog post:

Configuring IPSec on Cisco IOS router for Softlayer Connectivity

Customer end: Juniper SRX Firewall (route based VPN)


  1. Create the tunnel interface and the VPN security zone, and bind the tunnel interface to the VPN security zone

    set interfaces st0 unit 0 family inet

    set security zones security-zone vpn interfaces st0.0


  2. Phase 1

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm md5
    set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"
    set security ike gateway SL ike-policy ike-phase1-policy
    set security ike gateway SL address x.x.x.x
    set security ike gateway SL external-interface ge-0/0/0.0

    Note: x.x.x.x is SoftLayer IPSec Gateway IP

  3. Phase 2

    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec vpn SLVPN bind-interface st0.0
    set security ipsec vpn SLVPN ike gateway SL
    set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24
    set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26
    set security ipsec vpn SLVPN ike proxy-identity service any
    set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy
    set security ipsec vpn SLVPN establish-tunnels on-traffic

    Note: the proxy ID configuration is very important. The local and remote proxy identities must mirror the customer subnet and SoftLayer subnet configured on the SoftLayer end, otherwise Phase 2 will not come up.

  4. Security Policy 1 (Outbound)

    set security address-book Trust address local_network 192.168.109.0/24
    set security address-book Trust attach zone trust

    set security policies from-zone trust to-zone vpn policy outbound match source-address local_network
    set security policies from-zone trust to-zone vpn policy outbound match destination-address any
    set security policies from-zone trust to-zone vpn policy outbound match application any
    set security policies from-zone trust to-zone vpn policy outbound then permit


  5. Security Policy 2 (Inbound)

    set security policies from-zone vpn to-zone trust policy inbound match source-address any
    set security policies from-zone vpn to-zone trust policy inbound match destination-address local_network
    set security policies from-zone vpn to-zone trust policy inbound match application any
    set security policies from-zone vpn to-zone trust policy inbound then permit

    Note: this any-any rule is only for illustration.

  6. Routing

    set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
    set routing-options static route 10.66.24.0/26 next-hop st0.0

  7. Verify IPSec status

    root@SRX1> show security ike sa
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    3878661 UP     4fe84303034a5be3  8674368c9212747f  Main           x.x.x.x
    3878662 UP     417c49e6abd24de3  ad718e32b2c94602  Main           x.x.x.x
    3878675 UP     c74fa9e1cbac457b  8eab37fe32b29aa3  Main           x.x.x.x

    root@SRX1> show security ipsec sa
    Total active tunnels: 1
    ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
    <131073 ESP:3des/md5  c25f6085 704/  unlim   –   root 4500  x.x.x.x
    >131073 ESP:3des/md5  ebf61035 704/  unlim   –   root 4500  x.x.x.x
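As an added example (not code from the original post), the following Python parses a `show security ipsec sa` listing like the one above and reports what an operator would check: that both SA directions exist, whether port 4500 shows NAT-T is in use (so UDP 4500 must be open on the edge firewall, as in the CloudBridge prerequisites earlier on this page), and whether the negotiated algorithms are on a weak list. The sample output, the peer address and the weak-algorithm list are constructed assumptions.

```python
import re

# Constructed sample, modelled on the 'show security ipsec sa' listing above
# (SPIs and the peer address are made up).
IPSEC_SA_OUTPUT = """\
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
<131073 ESP:3des/md5  c25f6085 704/  unlim   -   root 4500  203.0.113.10
>131073 ESP:3des/md5  ebf61035 704/  unlim   -   root 4500  203.0.113.10
"""

# Algorithms Junos still accepts but that should not be chosen for new tunnels (assumed policy).
WEAK_ALGS = {"des", "3des", "md5", "sha1"}

SA_RE = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<life>\d+)/\s*\S+\s+\S+\s+\S+\s+(?P<port>\d+)\s+(?P<gw>\S+)$"
)

def parse_ipsec_sas(text):
    """One dict per ESP SA row: '<' is the inbound SA, '>' the outbound SA."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            sa = m.groupdict()
            sa["port"], sa["life"] = int(sa["port"]), int(sa["life"])
            sas.append(sa)
    return sas

def assess_tunnel(text):
    """Return findings for the operator; an empty list means nothing to report."""
    sas = parse_ipsec_sas(text)
    findings = []
    if len(sas) < 2:
        findings.append("expected an inbound and an outbound SA, found %d" % len(sas))
    if any(sa["port"] == 4500 for sa in sas):
        # Port 4500 means NAT-T: a NAT device is in the path, so the edge firewall
        # must allow UDP 4500 in addition to UDP 500 (see the CloudBridge notes above).
        findings.append("NAT-T in use (UDP 4500)")
    weak = sorted({a for sa in sas for a in (sa["enc"], sa["auth"]) if a.lower() in WEAK_ALGS})
    if weak:
        findings.append("weak algorithms negotiated: " + ", ".join(weak))
    return findings
```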

Configuring IPSec on Juniper SRX for IBM SoftLayer Connectivity (1)

In this blog, I will provide a policy-based VPN reference configuration for when a customer uses a Juniper SRX firewall for IPSec connectivity to SoftLayer.

For the SoftLayer end configuration, please refer to my other blog post:

https://davidwzhang.com/2016/07/09/configuring-ipsec-on-cisco-ios-router-for-softlayer-connectivity/

Customer end Configuration: Juniper SRX Firewall (policy based VPN)


  1. Phase 1

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm md5
    set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"
    set security ike gateway SL ike-policy ike-phase1-policy
    set security ike gateway SL address x.x.x.x
    set security ike gateway SL external-interface ge-0/0/0.0

  2. Phase 2

    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec vpn SLVPN ike gateway SL
    set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24
    set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26
    set security ipsec vpn SLVPN ike proxy-identity service any
    set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy

  3. Security Policy (Outbound)

    set security policies from-zone trust to-zone untrust policy outbound_vpn match source-address local_network
    set security policies from-zone trust to-zone untrust policy outbound_vpn match destination-address SL-net
    set security policies from-zone trust to-zone untrust policy outbound_vpn match application any
    set security policies from-zone trust to-zone untrust policy outbound_vpn then permit tunnel ipsec-vpn SLVPN
    set security policies from-zone trust to-zone untrust policy outbound_vpn then count

  4. Security Policy (Inbound)

    set security policies from-zone untrust to-zone trust policy inbound_vpn match source-address SL-net
    set security policies from-zone untrust to-zone trust policy inbound_vpn match destination-address local_network
    set security policies from-zone untrust to-zone trust policy inbound_vpn match application any
    set security policies from-zone untrust to-zone trust policy inbound_vpn then permit tunnel ipsec-vpn SLVPN
    set security policies from-zone untrust to-zone trust policy inbound_vpn then count

  5. Routing

    set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

Configuring IPSec on Cisco IOS router for Softlayer Connectivity

Who is Softlayer

SoftLayer, an IBM Company, provides cloud infrastructure as a service from 13 data centers in the United States, Asia, and Europe, and a global footprint of 17 network points of presence. Our customers range from Web startups to global enterprises.

SoftLayer offers an IPSec VPN on its private network so that customers can connect their corporate network to the SoftLayer Cloud and manage the systems they run there.

SoftLayer customers can complete the SoftLayer end's IPSec configuration through the SoftLayer customer portal.

I will show you the capabilities of SoftLayer IPSec in this series of articles through 3 use cases.

The Network Topology is:

[figure: network topology]

The IPSec config on Softlayer end is as below:

[figure: IPSec configuration on the SoftLayer end]

From the above, you can see the IPSec config on the SoftLayer end is quite straightforward: the Phase 1 and Phase 2 negotiation parameters, then the customer subnets and SoftLayer subnets.


The next step is the configuration on the customer end:

(1) Customer end is a Cisco router.

Please note that SoftLayer does not appear to support the Cisco IPSec Virtual Tunnel Interface (VTI), so you will probably have to use the classical "crypto map" method:


crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 14400
crypto isakmp key PassW0rd2014 address x.x.x.x
! x.x.x.x is the SoftLayer end IPSec VPN gateway IP
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer x.x.x.x
set transform-set TS
set pfs group2
match address VPN
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.231 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
!
!
ip access-list extended VPN
permit ip 192.168.109.0 0.0.0.255 10.66.24.0 0.0.0.63


#192.168.109.0/24 customer end IP range

#10.66.24.0/26 Softlayer VM IP range

#This Cisco router is behind a firewall that performs the NAT function
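Added example, not part of the original post: this Python checks that the traffic selectors on the customer end, whether the Junos proxy-identity lines from the SRX posts above or the Cisco crypto ACL here, mirror the customer and SoftLayer subnets entered in the SoftLayer portal. The `SOFTLAYER_PORTAL` structure and the function names are assumptions; the subnets are the ones used in the configurations above.

```python
import ipaddress

# Constructed inputs copied from the configurations above; the portal structure is an assumption.
SOFTLAYER_PORTAL = {"customer": ["192.168.109.0/24"], "softlayer": ["10.66.24.0/26"]}
JUNOS_PROXY_IDS = [
    "set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24",
    "set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26",
    "set security ipsec vpn SLVPN ike proxy-identity service any",
]
CISCO_CRYPTO_ACL = [
    "ip access-list extended VPN",
    " permit ip 192.168.109.0 0.0.0.255 10.66.24.0 0.0.0.63",
]

def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard is an inverted netmask. Invert it explicitly: ipaddress
    would read 0.0.0.0 as a /0 netmask, but as a wildcard it means one host."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    # ipaddress raises ValueError for a non-contiguous mask, which we want surfaced.
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_junos_proxy_ids(lines):
    """Return [(local, remote)] from the 'proxy-identity local/remote' lines."""
    ids = {}
    for line in lines:
        parts = line.split()
        if "proxy-identity" in parts:
            i = parts.index("proxy-identity")
            if parts[i + 1] in ("local", "remote"):  # skip 'proxy-identity service any'
                ids[parts[i + 1]] = ipaddress.ip_network(parts[i + 2])
    return [(ids["local"], ids["remote"])] if {"local", "remote"} <= ids.keys() else []

def parse_cisco_crypto_acl(lines):
    """Return [(src, dst)] for each 'permit ip <src> <wc> <dst> <wc>' entry."""
    pairs = []
    for line in lines:
        parts = line.split()
        if parts[:2] == ["permit", "ip"] and len(parts) >= 6:
            pairs.append((wildcard_to_network(parts[2], parts[3]),
                          wildcard_to_network(parts[4], parts[5])))
    return pairs

def compare_with_portal(pairs, portal):
    """Phase 2 fails unless each (local, remote) pair mirrors a (customer subnet,
    SoftLayer subnet) pair on the SoftLayer end. Returns (missing, extra)."""
    expected = {(ipaddress.ip_network(c), ipaddress.ip_network(s))
                for c in portal["customer"] for s in portal["softlayer"]}
    fmt = lambda ps: [(str(a), str(b)) for a, b in sorted(ps)]
    return fmt(expected - set(pairs)), fmt(set(pairs) - expected)
```

Running `compare_with_portal` on both parsers' output returns two empty lists for the configurations above; a portal entry of 10.66.24.0/24 instead of /26 would show up as one missing and one extra pair.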