Abiquo and NSX-T VPNs
Abiquo 6.0.6 introduces IPSEC VPN support to the NSX-T integration. This is very similar to the VPN feature for NSX-V. For example, you can create a VPN between two Abiquo VDCs, or between an Abiquo VDC and another compatible provider.
In this initial version:
Abiquo supports PSK (pre-shared key) password authentication only; it doesn’t support certificate authentication
In NSX-T, for endpoints, Abiquo supports existing NAT IP addresses; Abiquo doesn’t automatically create endpoints in NSX-T
Abiquo creates a service with one endpoint and one session
You can create and delete VPNs only; you cannot onboard or modify existing VPNs
In NSX-T, Abiquo creates VPNs in Tier1. In NSX-T, the VPN configuration includes an IPSEC profile, digest, local endpoints, and IPSEC sessions.
To create a VPN between two Abiquo virtual datacenters (VDCs), first create a private network in each VDC, each with a different IP range (you can create the VDC with a custom private network).
Then obtain a NAT IP for each virtual datacenter.
You will need to create a firewall to allow traffic between the VPNs. For testing, you can create a default firewall that allows all traffic from all sources.
When you create a site in NSX-T, you must supply the addresses of the remote endpoint (NAT IP) and remote network (private network) of the second site, even if you haven’t created them in NSX-T yet. For testing, we created a VPN with no encryption!
Then, in the other virtual datacenter, create the second site, whose remote endpoint and remote network are the local values of the first site.
When creating a VPN between a VPC and a public cloud provider, the public cloud provider may create the endpoint automatically, so create the public cloud site first to obtain the endpoint and network addresses.
After you create the two peers of the VPN, you can check the status in the VDC. Abiquo checks the status of the IPSEC session to determine if the VPN is up.
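As an added example (not Abiquo's own code), the following Python script checks a pair of site definitions against the rules above before you create them: different, non-overlapping private networks, a PSK on both sides, each site's remote values matching the peer's local values, and a workable pair of connection modes. The VpnSite class, its field names and the sample addresses are assumptions made for this example.

```python
# Added example, not Abiquo code. Checks a pair of VPN site definitions
# against the rules in the text above before they are created in Abiquo.
from dataclasses import dataclass
import ipaddress

@dataclass
class VpnSite:
    """One side of the VPN; field names are assumptions for this example."""
    name: str
    local_endpoint: str       # NAT IP of this VDC
    local_network: str        # private network of this VDC (CIDR)
    remote_endpoint: str      # NAT IP of the peer VDC
    remote_network: str       # private network of the peer VDC (CIDR)
    psk: str = ""             # pre-shared key; certificate auth is not supported
    connection_mode: str = "INITIATOR"  # INITIATOR, RESPOND_ONLY or ON_DEMAND

def check_vpn_pair(a: VpnSite, b: VpnSite) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for site in (a, b):
        if not site.psk:
            problems.append(f"{site.name}: a PSK is required (PSK-only authentication)")
        ipaddress.ip_address(site.local_endpoint)  # raises ValueError on a bad NAT IP
    # Each VDC needs its own private network with a different, non-overlapping range
    net_a = ipaddress.ip_network(a.local_network)
    net_b = ipaddress.ip_network(b.local_network)
    if net_a.overlaps(net_b):
        problems.append(f"private networks overlap: {net_a} and {net_b}")
    if a.local_endpoint == b.local_endpoint:
        problems.append("both sites use the same NAT IP as local endpoint")
    # The second site's remote values are the first site's local values, and vice versa
    for x, y in ((a, b), (b, a)):
        if x.remote_endpoint != y.local_endpoint:
            problems.append(f"{x.name}: remote endpoint must be {y.name}'s NAT IP {y.local_endpoint}")
        if ipaddress.ip_network(x.remote_network) != ipaddress.ip_network(y.local_network):
            problems.append(f"{x.name}: remote network must be {y.name}'s private network {y.local_network}")
    # With both sides RESPOND_ONLY, neither endpoint initiates and the session never comes up
    if a.connection_mode == b.connection_mode == "RESPOND_ONLY":
        problems.append("both sites are RESPOND_ONLY; neither will initiate the tunnel")
    return problems

# Constructed sample sites (documentation addresses, not a real deployment)
SITE_A = VpnSite("vdc-a", "203.0.113.10", "10.10.0.0/24", "203.0.113.20", "10.20.0.0/24", "example-psk")
SITE_B = VpnSite("vdc-b", "203.0.113.20", "10.20.0.0/24", "203.0.113.10", "10.10.0.0/24", "example-psk")

if __name__ == "__main__":
    for problem in check_vpn_pair(SITE_A, SITE_B) or ["sites are consistent"]:
        print(problem)
```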
Configure VPNs for NSX-T
The VPN integration for NSX-T requires
NSX-T configured. See instructions at Configure the Abiquo NSX-T integration. In Abiquo 6.0.6 there are also changes to NAT firewalls for NSX-T.
NAT IP addresses in NAT networks in infrastructure as described at Manage NAT and Manage NAT for virtual datacenters
The default VPN configuration is shown in the table below.
To configure the integration with values other than the defaults:
On the Remote services server, edit the abiquo.properties file
Add any of the following properties to change them and set new values
Restart the abiquo-tomcat service
Property | Description
abiquo.nsxt.vpn.profile.df | How to handle the defragmentation (DF) bit present in the inner packet.
abiquo.nsxt.vpn.profile.digest | Algorithm used for the message digest. Used only when the encryption algorithm is not AES_GCM.
abiquo.nsxt.vpn.profile.sa-expire-seconds | Security association (SA) lifetime: the expiry time of the security association, in seconds.
abiquo.nsxt.vpn.session.compliance | IPSec session compliance suite.
abiquo.nsxt.vpn.session.connection-mode | Connection initiation mode used by the local endpoint to establish the IKE connection with the peer site. INITIATOR: the local endpoint initiates tunnel setup and also responds to incoming tunnel setup requests from the peer gateway. RESPOND_ONLY: the local endpoint only responds to incoming tunnel setup requests and never initiates the tunnel. ON_DEMAND: the local endpoint initiates tunnel creation when the first packet matching the policy rule is received, and also responds to incoming initiation requests.
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved