Product SiteDocumentation Site

15.17. VPN

CloudStack account owners can create virtual private networks (VPN) to access their virtual machines. If the guest network is instantiated from a network offering that offers the Remote Access VPN service, the virtual router (based on the System VM) is used to provide the service. CloudStack provides a L2TP-over-IPsec-based remote access VPN service to guest virtual networks. Since each network gets its own virtual router, VPNs are not shared across the networks. VPN clients native to Windows, Mac OS X and iOS can be used to connect to the guest networks. The account owner can create and manage users for their VPN. CloudStack does not use its account database for this purpose but uses a separate table. The VPN user database is shared across all the VPNs created by the account owner. All VPN users get access to all VPNs created by the account owner.

Note

Make sure that not all traffic goes through the VPN. That is, the route installed by the VPN should be only for the guest network and not for all traffic.

15.17.1. Configuring VPN

To set up VPN for the cloud:
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, click Global Settings.
  3. Set the following global configuration parameters.
    • remote.access.vpn.client.ip.range – The range of IP addresses to be allocated to remote access VPN clients. The first IP in the range is used by the VPN server.
    • remote.access.vpn.psk.length – Length of the IPSec key.
    • remote.access.vpn.user.limit – Maximum number of VPN users per account.
To enable VPN for a particular network:
  1. Log in as a user or administrator to the CloudStack UI.
  2. In the left navigation, click Network.
  3. Click the name of the network you want to work with.
  4. Click View IP Addresses.
  5. Click one of the displayed IP address names.
  6. Click the Enable VPN button. AttachDiskButton.png: button to attach a volume
    The IPsec key is displayed in a popup window.

15.17.2. Using VPN with Windows

The procedure to use VPN varies by Windows version. Generally, the user must edit the VPN properties and make sure that the default route is not the VPN. The following steps are for Windows L2TP clients on Windows Vista. The commands should be similar for other Windows versions.
  1. Log in to the CloudStack UI and click on the source NAT IP for the account. The VPN tab should display the IPsec preshared key. Make a note of this and the source NAT IP. The UI also lists one or more users and their passwords. Choose one of these users, or, if none exists, add a user and password.
  2. On the Windows box, go to Control Panel, then select Network and Sharing center. Click Setup a connection or network.
  3. In the next dialog, select No, create a new connection.
  4. In the next dialog, select Use my Internet Connection (VPN).
  5. In the next dialog, enter the source NAT IP from step 1 and give the connection a name. Check Don't connect now.
  6. In the next dialog, enter the user name and password selected in step 1.
  7. Click Create.
  8. Go back to the Control Panel and click Network Connections to see the new connection. The connection is not active yet.
  9. Right-click the new connection and select Properties. In the Properties dialog, select the Networking tab.
  10. In Type of VPN, choose L2TP IPsec VPN, then click IPsec settings. Select Use preshared key. Enter the preshared key from Step 1.
  11. The connection is ready for activation. Go back to Control Panel -> Network Connections and double-click the created connection.
  12. Enter the user name and password from Step 1.

15.17.3. Using VPN with Mac OS X

First, be sure you've configured the VPN settings in your CloudStack install. This section is only concerned with connecting via Mac OS X to your VPN.
Note, these instructions were written on Mac OS X 10.7.5. They may differ slightly in older or newer releases of Mac OS X.
  1. On your Mac, open System Preferences and click Network.
  2. Make sure Send all traffic over VPN connection is not checked.
  3. If your preferences are locked, you'll need to click the lock in the bottom left-hand corner to make any changes and provide your administrator credentials.
  4. You will need to create a new network entry. Click the plus icon on the bottom left-hand side and you'll see a dialog that says "Select the interface and enter a name for the new service." Select VPN from the Interface drop-down menu, and "L2TP over IPSec" for the VPN Type. Enter whatever you like within the "Service Name" field.
  5. You'll now have a new network interface with the name of whatever you put in the "Service Name" field. For the purposes of this example, we'll assume you've named it "CloudStack." Click on that interface and provide the IP address of the interface for your VPN under the Server Address field, and the user name for your VPN under Account Name.
  6. Click Authentication Settings, and add the user's password under User Authentication and enter the pre-shared IPSec key in the Shared Secret field under Machine Authentication. Click OK.
  7. You may also want to click the "Show VPN status in menu bar" but that's entirely optional.
  8. Now click "Connect" and you will be connected to the CloudStack VPN.

15.17.4. Setting Up a Site-to-Site VPN Connection

A Site-to-Site VPN connection helps you establish a secure connection from an enterprise datacenter to the cloud infrastructure. This allows users to access the guest VMs by establishing a VPN connection to the virtual router of the account from a device in the datacenter of the enterprise. Having this facility eliminates the need to establish VPN connections to individual VMs.
The supported endpoints on the remote datacenters are:
  • Cisco ISR with IOS 12.4 or later
  • Juniper J-Series routers with JunOS 9.5 or later

Note

In addition to the specific Cisco and Juniper devices listed above, the expectation is that any Cisco or Juniper device running on the supported operating systems are able to establish VPN connections.
To set up a Site-to-Site VPN connection, perform the following:
  1. Create a Virtual Private Cloud (VPC).
  2. Create a VPN Customer Gateway.
  3. Create a VPN gateway for the VPC that you created.
  4. Create VPN connection from the VPC VPN gateway to the customer VPN gateway.

Note

Appropriate events are generated on the CloudStack UI when status of a Site-to-Site VPN connection changes from connected to disconnected, or vice versa. Currently no events are generated when establishing a VPN connection fails or pending.

15.17.4.1. Creating and Updating a VPN Customer Gateway

Note

A VPN customer gateway can be connected to only one VPN gateway at a time.
To add a VPN Customer Gateway:
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPN Customer Gateway.
  4. Click Add site-to-site VPN.
    addvpncustomergateway.png: adding a customer gateway.
    Provide the following information:
    • Name: A unique name for the VPN customer gateway you create.
    • Gateway: The IP address for the remote gateway.
    • CIDR list: The guest CIDR list of the remote subnets. Enter a CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR list is not overlapped with the VPC’s CIDR, or another guest CIDR. The CIDR must be RFC1918-compliant.
    • IPsec Preshared Key: Preshared keying is a method where the endpoints of the VPN share a secret key. This key value is used to authenticate the customer gateway and the VPC VPN gateway to each other.

      Note

      The IKE peers (VPN end points) authenticate each other by computing and sending a keyed hash of data that includes the Preshared key. If the receiving peer is able to create the same hash independently by using its Preshared key, it knows that both peers must share the same secret, thus authenticating the customer gateway.
    • IKE Encryption: The Internet Key Exchange (IKE) policy for phase-1. The supported encryption algorithms are AES128, AES192, AES256, and 3DES. Authentication is accomplished through the Preshared Keys.

      Note

      The phase-1 is the first phase in the IKE process. In this initial negotiation phase, the two VPN endpoints agree on the methods to be used to provide security for the underlying IP traffic. The phase-1 authenticates the two VPN gateways to each other, by confirming that the remote gateway has a matching Preshared Key.
    • IKE Hash: The IKE hash for phase-1. The supported hash algorithms are SHA1 and MD5.
    • IKE DH: A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. The 1536-bit Diffie-Hellman group is used within IKE to establish session keys. The supported options are None, Group-5 (1536-bit) and Group-2 (1024-bit).
    • ESP Encryption: Encapsulating Security Payload (ESP) algorithm within phase-2. The supported encryption algorithms are AES128, AES192, AES256, and 3DES.

      Note

      The phase-2 is the second phase in the IKE process. The purpose of IKE phase-2 is to negotiate IPSec security associations (SA) to set up the IPSec tunnel. In phase-2, new keying material is extracted from the Diffie-Hellman key exchange in phase-1, to provide session keys to use in protecting the VPN data flow.
    • ESP Hash: Encapsulating Security Payload (ESP) hash for phase-2. Supported hash algorithms are SHA1 and MD5.
    • Perfect Forward Secrecy: Perfect Forward Secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised. This property enforces a new Diffie-Hellman key exchange. It provides the keying material that has greater key material life and thereby greater resistance to cryptographic attacks. The available options are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security of the key exchanges increase as the DH groups grow larger, as does the time of the exchanges.

      Note

      When PFS is turned on, for every negotiation of a new phase-2 SA the two gateways must generate a new set of phase-1 keys. This adds an extra layer of protection that PFS adds, which ensures if the phase-2 SA’s have expired, the keys used for new phase-2 SA’s have not been generated from the current phase-1 keying material.
    • IKE Lifetime (seconds): The phase-1 lifetime of the security association in seconds. Default is 86400 seconds (1 day). Whenever the time expires, a new phase-1 exchange is performed.
    • ESP Lifetime (seconds): The phase-2 lifetime of the security association in seconds. Default is 3600 seconds (1 hour). Whenever the value is exceeded, a re-key is initiated to provide a new IPsec encryption and authentication session keys.
    • Dead Peer Detection: A method to detect an unavailable Internet Key Exchange (IKE) peer. Select this option if you want the virtual router to query the liveliness of its IKE peer at regular intervals. It’s recommended to have the same configuration of DPD on both side of VPN connection.
  5. Click OK.
Updating and Removing a VPN Customer Gateway
You can update a customer gateway either with no VPN connection, or related VPN connection is in error state.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPN Customer Gateway.
  4. Select the VPN customer gateway you want to work with.
  5. To modify the required parameters, click the Edit VPN Customer Gateway button edit.png: button to edit a VPN customer gateway
  6. To remove the VPN customer gateway, click the Delete VPN Customer Gateway button delete.png: button to remove a VPN customer gateway
  7. Click OK.

15.17.4.2. Creating a VPN gateway for the VPC

  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to deploy the VMs.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ACLs
  6. Select Site-to-Site VPN.
    If you are creating the VPN gateway for the first time, selecting Site-to-Site VPN prompts you to create a VPN gateway.
  7. In the confirmation dialog, click Yes to confirm.
    Within a few moments, the VPN gateway is created. You will be prompted to view the details of the VPN gateway you have created. Click Yes to confirm.
    The following details are displayed in the VPN Gateway page:
    • IP Address
    • Account
    • Domain

15.17.4.3. Creating a VPN Connection

  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you create for the account are listed in the page.
  4. Click the Configure button of the VPC to which you want to deploy the VMs.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ASLs
  6. Select Site-to-Site VPN.
    The Site-to-Site VPN page is displayed.
  7. From the Select View drop-down, ensure that VPN Connection is selected.
  8. Click Create VPN Connection.
    The Create VPN Connection dialog is displayed:
    createvpnconnection.png: creating a vpn connection to the customer gateway.
  9. Select the desired customer gateway, then click OK to confirm.
    Within a few moments, the VPN Connection is displayed.
    The following information on the VPN connection is displayed:
    • IP Address
    • Gateway
    • State
    • IPSec Preshared Key
    • IKE Policy
    • ESP Policy

15.17.4.4. Restarting and Removing a VPN Connection

  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to deploy the VMs.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ASLs
  6. Select Site-to-Site VPN.
    The Site-to-Site VPN page is displayed.
  7. From the Select View drop-down, ensure that VPN Connection is selected.
    All the VPN connections you created are displayed.
  8. Select the VPN connection you want to work with.
    The Details tab is displayed.
  9. To remove a VPN connection, click the Delete VPN connection button remove-vpn.png: button to remove a VPN connection
    To restart a VPN connection, click the Reset VPN connection button present in the Details tab. reset-vpn.png: button to reset a VPN connection