How to Establish an IPsec Network Connection between FUJITSU K5 and S5 Virtual Environments

Thanks to the built-in IPsec VPN gateway functionality of both FUJITSU’s Trusted Public S5 and K5 IaaS Cloud platforms, it is relatively easy and straightforward to securely connect virtual networks deployed within each platform to each other. In this blog I will show you how.

This may be of particular benefit to existing S5 users who are thinking of moving to K5 over a period of time, or need for some reason to merge two environments.

Both the S5 and K5 IPsec gateways use the standardised ISAKMP (Internet Security Association and Key Management Protocol) and IPsec tunnelling protocols. Each IPsec VPN gateway encapsulates IP packets received from its local network and sends them securely to the peer IPsec VPN gateway, where they are decapsulated. Once firewall rules and security groups have been configured appropriately, virtual hosts in each location can communicate securely with one another as if on the same network (site-to-site).

For this to work, you will need a K5 and an S5 contract, each configured with a basic Internet-connected network/system. Ensure that the IP subnet ranges used on the two sites do not overlap in any way, as this will cause havoc with your routing. You will probably also want a VM on each of the K5 and S5 networks, so that you can verify the connection has been established with ping commands from both sides.

Within K5:

1. Using the portal or otherwise, deploy a network/subnet connected to a router configured with an external network gateway. In this example I will be using a K5 subnet of 192.168.1.0/24 and a gateway of 192.168.1.1. Then note down the IDs of the following four resources (the IDs of my resources are shown below), as these will be required shortly:

  • ROUTER_ID=2f1cc335-e2f7-439e-870b-1eb17b9f4399
  • NETWORK_ID=86d5aef2-45fc-46b7-920b-3d3d904ff174
  • SUBNET_ID=245dba3b-ee29-4004-adea-8d73027d5474
  • VM_PORT_ID=60708c4f-19d3-483d-9d37-4550a53483f9     #1

#1 Within the “Virtual Network details” tab for your network, under ‘Ports’, click the port name for ‘network:router_interface’ to open its properties and reveal the VM Port ID.

[Screenshot: the ‘Ports’ list in the K5 ‘Virtual Network details’ tab]

2. Next, within the ‘Virtual Router Details’ screen, add a public IP address to the router interface via the ‘Global IP Allocation’ option under the ‘Action’ menu. Note down the Global IP address that is assigned, for use later.

[Screenshot: ‘Global IP Allocation’ in the Virtual Router Details screen]

The addresses used in this example are:

  • K5 Public  – 62.60.46.142
  • K5 Gateway – 192.168.1.1

3. Within your API console, configure the following variables, updating the values below with your own IDs and a name of your choosing:

  • VPN_SERVICE_NAME=ipvpn-service_to_S5
  • ADMIN_STATE_UP=true
  • ROUTER_ID=2f1cc335-e2f7-439e-870b-1eb17b9f4399
  • NETWORK_ID=86d5aef2-45fc-46b7-920b-3d3d904ff174
  • SUBNET_ID=245dba3b-ee29-4004-adea-8d73027d5474
  • VM_PORT_ID=60708c4f-19d3-483d-9d37-4550a53483f9
  • AZ=uk-1a

4. Enter the following command to enable IPsec on your K5 router.

This should result in output of the form shown below:

[Screenshot: command output, including the ID of the new VPN service]

Create a new variable as below, containing the ID from the output above:

  • VPN_SERVICE_ID1=e91bded7-ce3d-4483-a823-c7021ab6ee9e

5. Next create the following new variables, updating the values as required:

  • AUTH_ALGORITHM=sha1
  • ENCRYPTION_ALGORITHM=aes-256
  • IKE_VERSION=v1
  • LIFETIME_UNITS=seconds
  • LIFETIME_VALUE=86400
  • PFS=group5
  • PHASE_NEGOTIATION_MODE=main
  • IKE_POLICY_NAME=ipvpn_ikepolicy_S5

Enter the following command to create the IKE policy to be used by the IPsec service:

This should result in output of the form shown below:

[Screenshot: command output, including the ID of the new IKE policy]

Create a new variable as below, containing the ID from the output above:

  • IKE_POLICY_ID1=def8495c-7108-4c97-a198-6a198ae046dd

6. Next add the following new variables, updating the values as appropriate:

  • ENCAPSULATION_MODE=tunnel
  • ENCRYPTION_ALGORITHM=aes-256
  • TRANSFORM_PROTOCOL=esp
  • IPSEC_POLICY_NAME=ip_vpn_ipsecpolicy_S5

Enter the following command to create the IPsec policy to be used by the IPsec service:

This should result in output of the form shown below:

[Screenshot: command output, including the ID of the new IPsec policy]

Create a new variable as below, containing the ID from the output above:

  • IPSEC_POLICY_ID1=cbd8dc58-6caf-4c8d-bf8c-536eb34855e9

Within S5:

When logged into S5, IPsec VPN configuration is performed under the ‘IPsec VPN Manager’ menu within ‘My Portal’.

[Screenshot: the S5 ‘My Portal’ menu showing ‘IPsec VPN Manager’]

1. Record the IP address range of each S5 subnet you want to connect to. As an example, the subnet for the DMZ network would be 172.16.7.0/24, SECURE 1 would be 172.16.8.0/24 and SECURE 2 would be 172.16.9.0/24.

K5 Subnet(s)          S5 Subnet(s)
192.168.1.0/24        DMZ     – 172.16.60.0/24
                      SECURE1 – 172.16.61.0/24
                      SECURE2 – 172.16.62.0/24
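Before anything is configured, the non-overlap requirement from the prerequisites can be checked mechanically. The POSIX shell script below is an added example (not part of the original post); it compares every K5 prefix with every S5 prefix from the tables above, including the 172.16.0.0/16 peer range used later, and reports any clash. The function names are my own.

```shell
#!/bin/sh
# Added example: check that local (K5) and remote (S5) prefixes do not
# overlap before building the tunnel. POSIX sh arithmetic only.

# Convert a dotted-quad address to a 32-bit integer.
ip2int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print the first and last address of a CIDR as integers.
cidr_range() {
  addr=${1%/*}; bits=${1#*/}
  base=$(ip2int "$addr")
  size=$(( 1 << (32 - bits) ))
  net=$(( base / size * size ))        # clear the host bits
  echo "$net $(( net + size - 1 ))"
}

# Return 0 (true) if two CIDRs share any address, 1 otherwise.
cidr_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Check every local prefix against every remote prefix (space-separated
# lists). Prints each conflicting pair; returns 1 if any were found.
check_plan() {
  local_cidrs=$1; remote_cidrs=$2; rc=0
  for l in $local_cidrs; do
    for r in $remote_cidrs; do
      if cidr_overlap "$l" "$r"; then
        echo "OVERLAP: $l and $r"; rc=1
      fi
    done
  done
  return $rc
}

# Values from the post: the K5 subnet against the S5 subnets and the /16
# peer CIDR that the site connection will advertise.
check_plan "192.168.1.0/24" \
  "172.16.60.0/24 172.16.61.0/24 172.16.62.0/24 172.16.0.0/16" \
  && echo "No overlap: safe to configure the tunnel"
```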

2. Within the ‘My Portal’ area of the portal, select ‘IPsec VPN Manager’ from the left hand menu.

3. Click the ‘Create New GW’ button and, in the resulting box, enter a suitable name for the connection that relates to this particular contract (e.g. IPsecVPN-service_to_K5), then click ‘Next’.

[Screenshot: the ‘Create New GW’ dialog]

4. Note the public IP Address and Local IP Address from this screen for the site, as these are required later.

K5 IP Addresses               S5 Network Addresses
Public  – 62.60.46.142        Public   – 62.60.20.119
Gateway – 192.168.1.1         Internal – 172.16.2.99

5. Select ‘On’ and answer ‘Yes’ to start the IPsec VPN. Once it is showing a status of ‘Running’, select it and click the ‘VPN Settings’ button.

6. Click ‘Add Destination GW’ and in the resulting box, enter the required information (see below for guidance):

[Screenshot: the ‘Add Destination GW’ dialog]

  • ID: Choose 1 (or the next number available if you already have existing gateways)
  • Destination GW Public IP Address: The public IP address assigned to your K5 router
  • Pre-share key: Any key/password of up to 128 alphanumeric characters, to be used on both K5 and S5. Must be identical at both sites
  • Ping Target: The IP address of your K5 subnet gateway
  • Cipher Suite: Select ‘Cipher Suite A’

7. Click ‘Submit’ and answer ‘Yes’ to register the configuration, then ‘Ok’ when complete.

8. Within VPN Settings, select (highlight) the Destination GW just created and click ‘Add Destination NW’. Then enter the CIDR of your K5 subnet, e.g. 192.168.1.0/24. Repeat this if adding more than one subnet.

[Screenshot: the ‘Add Destination NW’ dialog]

Back with your K5 API console:

1. Add the following variables (amending the values as required):

  • PSK=Fghj6G0hAS   (the same pre-shared key value used on S5)
  • INITIATOR=bi-directional
  • ADMIN_STATE_UP=true
  • PEER_CIDRS1=172.16.0.0/16   (the IP range in use on the S5 contract; use a /16 to cover the full range)
  • PEER_CIDRS2=172.16.60.0/24
  • MTU=1500
  • DPD_ACTION=hold
  • DPD_INTERVAL=60
  • DPD_TIMEOUT=240
  • PEER_ADDRESS=62.60.20.119   (public IP address of the S5 VPN service, from above)
  • PEER_ID=62.60.20.119   (public IP address of the S5 VPN service, from above)
  • IPSEC_SITE_NAME=ipvpn_ipsec_S5

Enter the following command to create the IPsec site connection:

This should result in output of the form shown below:

[Screenshot: command output, including the ID of the new IPsec site connection]

2. Add the following variable, using the ID from the output above:

  • IPSEC_SITE_CONNECTION_ID=1b4c35f8-a50f-4446-b122-821730f27102

Enter the following command to view the status and other details of the IPsec site connection:

This should result in output of the form shown below:

[Screenshot: command output showing the site connection status and details]
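The K5 create commands in the steps above were shown as screenshots. As an added example (my own script, not the post's commands), the following builds the JSON bodies for the K5 VPN API from the variables set above and POSTs them with curl. It assumes $NETWORK and $OS_AUTH_TOKEN as used in the deletion commands at the end of this post, the OpenStack Neutron VPNaaS v2.0 field names (the same /v2.0/vpn/ paths those commands target), and that availability_zone is the K5 field that carries $AZ; post_json and create_k5_vpn are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not the post's own commands. Builds the JSON bodies for the
# K5 VPN API from the variables set in the steps above and POSTs them with curl.
# Assumes $NETWORK and $OS_AUTH_TOKEN as in the post's deletion commands, and
# the OpenStack Neutron VPNaaS v2.0 field names (availability_zone is assumed
# to be the K5 extension that carries $AZ). Values are inserted unescaped, so
# keep them to the alphanumeric/identifier form shown in the post.

# POST a body to $NETWORK/v2.0/vpn/<path> and print the new resource's ID.
post_json() {  # $1 = path, $2 = JSON body, $3 = top-level key of the reply
  curl -s "$NETWORK/v2.0/vpn/$1" -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" \
    -H "Content-Type: application/json" -d "$2" | jq -r ".$3.id"
}

vpnservice_body() {
  printf '{"vpnservice":{"name":"%s","admin_state_up":%s,"router_id":"%s","subnet_id":"%s","availability_zone":"%s"}}' \
    "$VPN_SERVICE_NAME" "$ADMIN_STATE_UP" "$ROUTER_ID" "$SUBNET_ID" "$AZ"
}

ikepolicy_body() {
  printf '{"ikepolicy":{"name":"%s","auth_algorithm":"%s","encryption_algorithm":"%s","ike_version":"%s","pfs":"%s","phase1_negotiation_mode":"%s","lifetime":{"units":"%s","value":%s}}}' \
    "$IKE_POLICY_NAME" "$AUTH_ALGORITHM" "$ENCRYPTION_ALGORITHM" "$IKE_VERSION" \
    "$PFS" "$PHASE_NEGOTIATION_MODE" "$LIFETIME_UNITS" "$LIFETIME_VALUE"
}

ipsecpolicy_body() {
  printf '{"ipsecpolicy":{"name":"%s","transform_protocol":"%s","encapsulation_mode":"%s","encryption_algorithm":"%s"}}' \
    "$IPSEC_POLICY_NAME" "$TRANSFORM_PROTOCOL" "$ENCAPSULATION_MODE" "$ENCRYPTION_ALGORITHM"
}

# Refuses a PSK outside the form S5 accepts (1-128 alphanumeric characters),
# which also keeps the hand-built JSON valid.
site_connection_body() {
  case "$PSK" in ''|*[!A-Za-z0-9]*) echo "PSK must be alphanumeric" >&2; return 1 ;; esac
  [ "${#PSK}" -le 128 ] || { echo "PSK longer than 128 characters" >&2; return 1; }
  printf '{"ipsec_site_connection":{"name":"%s","vpnservice_id":"%s","ikepolicy_id":"%s","ipsecpolicy_id":"%s","peer_address":"%s","peer_id":"%s","peer_cidrs":["%s","%s"],"psk":"%s","initiator":"%s","admin_state_up":%s,"mtu":%s,"dpd":{"action":"%s","interval":%s,"timeout":%s}}}' \
    "$IPSEC_SITE_NAME" "$VPN_SERVICE_ID1" "$IKE_POLICY_ID1" "$IPSEC_POLICY_ID1" \
    "$PEER_ADDRESS" "$PEER_ID" "$PEER_CIDRS1" "$PEER_CIDRS2" "$PSK" "$INITIATOR" \
    "$ADMIN_STATE_UP" "$MTU" "$DPD_ACTION" "$DPD_INTERVAL" "$DPD_TIMEOUT"
}

# Run the four creates in the post's order, feeding each ID into the next
# step, and print the ID of the resulting site connection.
create_k5_vpn() {
  VPN_SERVICE_ID1=$(post_json vpnservices "$(vpnservice_body)" vpnservice) || return 1
  IKE_POLICY_ID1=$(post_json ikepolicies "$(ikepolicy_body)" ikepolicy) || return 1
  IPSEC_POLICY_ID1=$(post_json ipsecpolicies "$(ipsecpolicy_body)" ipsecpolicy) || return 1
  post_json ipsec-site-connections "$(site_connection_body)" ipsec_site_connection
}
```

Set the variables from the steps above in the same shell, then call create_k5_vpn; the printed ID is the one to put in IPSEC_SITE_CONNECTION_ID.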

3. Within the S5 IPsec VPN Manager, select your ‘IPsec VPN’ and click the ‘Monitor Status’ button. This should show a status of ‘Connected’.

[Screenshot: S5 ‘Monitor Status’ showing ‘Connected’]

4. Firewall rules and security groups on both the S5 and K5 sides need to be opened to allow the required traffic to flow between the subnets. As an example, the rules below allow SSH and ping between the K5 and S5 subnets.

K5 Security Groups (no Firewalls are configured on the Router):

[Screenshot: K5 security group rules]

Here the CIDR of the S5 DMZ subnet is used as the source and destination address in the ingress and egress rules.

S5 Firewall Rules:

[Screenshot: S5 firewall rules]

Here the CIDR of the K5 subnet is used as the source and destination address on the Intranet network within the firewall rules.

5. Finally, you can SSH onto each VM and ping across the IPsec tunnel to a VM within the other environment.

[Screenshot: ping across the tunnel]

Additional Information:

Use the following commands to delete your IPsec gateway and related components. Delete them in this order, since the site connection references the VPN service and both policies:

# Deletion of IPsec components: list each resource type to find the ID, then delete it
# Delete the IPsec site connection
curl -s "$NETWORK/v2.0/vpn/ipsec-site-connections" -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -s "$NETWORK/v2.0/vpn/ipsec-site-connections/<ID RETURNED FROM PREVIOUS COMMAND>" -X DELETE -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"

# Delete the VPN service
curl -s "$NETWORK/v2.0/vpn/vpnservices" -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -i -X DELETE "$NETWORK/v2.0/vpn/vpnservices/<ID RETURNED FROM PREVIOUS COMMAND>" -H "X-Auth-Token: $OS_AUTH_TOKEN"

# Delete IKE policies
curl -s "$NETWORK/v2.0/vpn/ikepolicies" -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -s "$NETWORK/v2.0/vpn/ikepolicies/<ID RETURNED FROM PREVIOUS COMMAND>" -X DELETE -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"

# Delete IPsec policies
curl -s "$NETWORK/v2.0/vpn/ipsecpolicies" -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" | jq .
curl -s "$NETWORK/v2.0/vpn/ipsecpolicies/<ID RETURNED FROM PREVIOUS COMMAND>" -X DELETE -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"
