Abiquo and NSX-T VPNs

Abiquo 6.0.6 introduces IPSEC VPN support to the NSX-T integration. This is very similar to the VPN feature for NSX-V. For example, you can create a VPN between two Abiquo VDCs, or between an Abiquo VDC and another compatible provider.

In this initial version:

  • Abiquo supports PSK (pre-shared key) password authentication only; it doesn’t support certificate authentication

  • In NSX-T, for endpoints, Abiquo supports existing NAT IP addresses; Abiquo doesn’t automatically create endpoints in NSX-T

  • Abiquo creates a service with one endpoint and one session

  • You can create and delete VPNs only; you cannot onboard or modify existing VPNs

 

In NSX-T, Abiquo creates VPNs on a Tier-1 gateway. The NSX-T VPN configuration consists of an IPSEC profile, a digest, local endpoints, and IPSEC sessions.

To create a VPN between two Abiquo virtual datacenters (VDCs), first create a private network in each VDC, using a different IP range in each so that the two ranges do not overlap (you can create the VDC with a custom private network).

Create a virtual datacenter with a custom private network and its own IP range

Then you should obtain a NAT IP for each virtual datacenter.

Purchase a NAT IP for the virtual datacenter

You will also need to create a firewall that allows traffic between the two VPN networks. For testing, you can create a default firewall that allows all traffic from all sources.

When you create a VPN site for NSX-T, you must supply the addresses of the remote endpoint (the NAT IP) and the remote network (the private network) of the second site, even if you haven’t created them in NSX-T yet. For testing, we created a VPN with no encryption!

Then, in the other virtual datacenter, create the second site to connect to the remote endpoint and network, which are the local endpoint and network values of the first site.

 

When creating a VPN between a VDC and a public cloud provider, the public cloud provider may create the endpoint automatically, so create the public cloud site first to obtain the endpoint and network addresses.

After you create the two peers of the VPN, you can check the VPN status in the VDC. Abiquo reads the status of the IPSEC session to determine whether the VPN is up.
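The two-site setup described above has a simple invariant: the second site's remote endpoint and remote network are the first site's local endpoint and local network, and the two private ranges must not overlap. The following check models that invariant. It is an added example, not Abiquo's own code; the VDC names, NAT IPs, private networks and pre-shared key are constructed sample data.

```python
"""Consistency check for an Abiquo / NSX-T IPsec VPN site pair.

Added example, not Abiquo's own code. Each site carries the values entered
when the VPN site is created: its own NAT IP and private network (local),
and the peer's NAT IP and private network (remote). Sample data below is
constructed and uses documentation address ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnSite:
    name: str
    local_endpoint: str    # NAT IP purchased for this VDC (the local endpoint)
    local_network: str     # private network of this VDC, CIDR notation
    remote_endpoint: str   # NAT IP of the peer VDC
    remote_network: str    # private network of the peer VDC, CIDR notation
    psk: str               # pre-shared key; PSK is the only supported method


def _network(cidr, label, problems):
    """Parse a CIDR strictly (host bits set is an error); record a problem on failure."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label}: invalid network {cidr!r} ({exc})")
        return None


def check_site_pair(a: VpnSite, b: VpnSite) -> list:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    net_a = _network(a.local_network, a.name, problems)
    net_b = _network(b.local_network, b.name, problems)
    # the private ranges must not overlap, or traffic cannot be routed between them
    if net_a and net_b and net_a.overlaps(net_b):
        problems.append(f"private networks overlap: {net_a} and {net_b}")
    # each site's remote values must be exactly the other site's local values
    for here, there in ((a, b), (b, a)):
        if here.remote_endpoint != there.local_endpoint:
            problems.append(f"{here.name}: remote endpoint {here.remote_endpoint} "
                            f"is not {there.name}'s local endpoint {there.local_endpoint}")
        if here.remote_network != there.local_network:
            problems.append(f"{here.name}: remote network {here.remote_network} "
                            f"is not {there.name}'s local network {there.local_network}")
    # both peers must authenticate with the same pre-shared key
    if a.psk != b.psk:
        problems.append("pre-shared keys differ between the two sites")
    return problems


# Constructed sample data: two Abiquo VDCs with non-overlapping private networks.
SITE_A = VpnSite("vdc-a", "203.0.113.10", "192.168.10.0/24",
                 "203.0.113.20", "192.168.20.0/24", "example-psk")
SITE_B = VpnSite("vdc-b", "203.0.113.20", "192.168.20.0/24",
                 "203.0.113.10", "192.168.10.0/24", "example-psk")

if __name__ == "__main__":
    for line in check_site_pair(SITE_A, SITE_B) or ["site pair is consistent"]:
        print(line)
```

Run the check on the two site definitions before creating the second site; every reported problem corresponds to a value that would have to be corrected in the Abiquo UI for the IPSEC session to come up.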

 


Configure VPNs for NSX-T

The VPN integration for NSX-T requires

The default VPN configuration is shown in the table below.

To configure the integration with values that are not the default values:

  1. On the Remote services server, edit the abiquo.properties file

  2. Add any of the following properties with the new values you require

  3. Restart the abiquo-tomcat service

abiquo.nsxt.vpn.profile.df

Handling of the defragmentation (DF) bit present in the inner packet.
COPY (default) - copies the DF bit from the inner IP packet into the outer packet.
CLEAR - ignores the DF bit present in the inner packet.
Valid values: COPY, CLEAR
Default: COPY

abiquo.nsxt.vpn.profile.digest

Algorithm used for the message digest. Only used when the encryption algorithm is not AES_GCM.
Valid values: SHA1, SHA2_256, SHA2_384, SHA2_512
Default: SHA2_512

abiquo.nsxt.vpn.profile.sa-expire-seconds

SA lifetime: the expiry time of the security association, in seconds.
Default: 3600

abiquo.nsxt.vpn.session.compliance

IPSec session compliance suite.
Valid values: NONE, CNSA, SUITE_B_GCM_128, SUITE_B_GCM_256, PRIME, FOUNDATION, FIPS
Default: NONE

abiquo.nsxt.vpn.session.connection-mode

Connection initiation mode used by the local endpoint to establish the IKE connection with the peer site.

INITIATOR - The local endpoint initiates the tunnel setup and also responds to incoming tunnel setup requests from the peer gateway.

RESPOND_ONLY - The local endpoint only responds to incoming tunnel setup requests; it does not initiate the tunnel setup.

ON_DEMAND - The local endpoint initiates tunnel creation once the first packet matching the policy rule is received, and also responds to incoming initiation requests.
Valid values: INITIATOR, RESPOND_ONLY, ON_DEMAND
Default: INITIATOR
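The three-step procedure above (edit abiquo.properties, add the properties, restart abiquo-tomcat) is easy to get wrong by hand: a typo in a value is only discovered after the restart. The script below sets the VPN properties with validation against the valid values and defaults listed on this page and reports the effective configuration. It is an added example, not Abiquo's own code; the file path, the use of "=" as the key/value separator and the systemctl restart command are assumptions.

```python
"""Set and validate the NSX-T VPN properties in abiquo.properties.

Added example, not Abiquo's own code. Property names, valid values and
defaults are the ones documented on this page; the file location and the
'=' separator are assumptions. Restarting abiquo-tomcat is left to the
operator.
"""
import re
from pathlib import Path

# property -> set of valid values, or None for a positive integer (seconds)
VPN_PROPERTIES = {
    "abiquo.nsxt.vpn.profile.df": {"COPY", "CLEAR"},
    "abiquo.nsxt.vpn.profile.digest": {"SHA1", "SHA2_256", "SHA2_384", "SHA2_512"},
    "abiquo.nsxt.vpn.profile.sa-expire-seconds": None,
    "abiquo.nsxt.vpn.session.compliance": {
        "NONE", "CNSA", "SUITE_B_GCM_128", "SUITE_B_GCM_256", "PRIME", "FOUNDATION", "FIPS"},
    "abiquo.nsxt.vpn.session.connection-mode": {"INITIATOR", "RESPOND_ONLY", "ON_DEMAND"},
}
DEFAULTS = {
    "abiquo.nsxt.vpn.profile.df": "COPY",
    "abiquo.nsxt.vpn.profile.digest": "SHA2_512",
    "abiquo.nsxt.vpn.profile.sa-expire-seconds": "3600",
    "abiquo.nsxt.vpn.session.compliance": "NONE",
    "abiquo.nsxt.vpn.session.connection-mode": "INITIATOR",
}
# live key=value lines; '#' and '!' start comment lines in a Java properties file
_KV_RE = re.compile(r"^[ \t]*([^#!=\s]+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def validate(key: str, value: str) -> None:
    """Raise ValueError if key is not a VPN property or value is not valid for it."""
    if key not in VPN_PROPERTIES:
        raise ValueError(f"unknown VPN property {key!r}")
    allowed = VPN_PROPERTIES[key]
    if allowed is None:
        if not value.isdigit() or int(value) <= 0:
            raise ValueError(f"{key} must be a positive integer, got {value!r}")
    elif value not in allowed:
        raise ValueError(f"{key} must be one of {sorted(allowed)}, got {value!r}")


def set_property(text: str, key: str, value: str) -> str:
    """Return the properties text with key=value set: rewritten in place if present, else appended."""
    validate(key, value)
    line = f"{key}={value}"
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    if pattern.search(text):
        # every occurrence is rewritten, because Java Properties keeps the last one
        return pattern.sub(lambda _m: line, text)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"


def effective_config(text: str) -> dict:
    """Return property -> effective value: the file's (last) value, or the documented default."""
    values = dict(DEFAULTS)
    for match in _KV_RE.finditer(text):
        if match.group(1) in values:
            values[match.group(1)] = match.group(2)
    return values


def apply_changes(path: Path, changes: dict) -> dict:
    """Validate and write the changes, then return the resulting effective VPN configuration."""
    text = path.read_text() if path.exists() else ""
    for key, value in changes.items():
        text = set_property(text, key, value)
    path.write_text(text)
    return effective_config(text)


if __name__ == "__main__":
    # Assumed location of the file on the Remote Services server.
    props = Path("/opt/abiquo/config/abiquo.properties")
    print(apply_changes(props, {
        "abiquo.nsxt.vpn.profile.digest": "SHA2_256",
        "abiquo.nsxt.vpn.session.connection-mode": "RESPOND_ONLY",
    }))
    # Then restart the service, e.g.: systemctl restart abiquo-tomcat
```

Because validation happens before the file is written, an invalid value (for example a digest name that NSX-T does not accept, or a zero SA lifetime) never reaches the Remote Services configuration; commented-out lines are ignored, so the reported effective value is what the service will actually use after the restart.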

 

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved