Configure VPN tunnel between pfsense appliance and VMware VMC.

  • Category : VMware

If you are playing around with VMC, sooner or later you will need, or want, to configure VPN connectivity. Direct Connect is fantastic, but I suppose not everyone can afford it for a home/lab connection 🙂

Most production implementations also revolve around BGP, route propagation and so on. This is hard to test, especially if you (like me) are not the network administrator.

There are several ways to set up a VPN connection between VMC and your lab.

We can use:

  • Route-based VPN; this kind of VPN is associated with BGP
  • Policy-based VPN; remember that this kind of VPN works with static routes
  • Layer-2 connection, with three standard ways to provide L2 extension:
    • NSX Edge
    • L2 appliance
    • HCX network extension (not related to the VPNs listed above)

In this article I will concentrate on the route-based VPN (hereafter just VPN).

We will go through the configuration on both sides, VMC and pfSense. Then we will bring up the tunnel and verify that the connection works.

In the lab I prepared the environment shown in the diagram below:

The firewall on the left represents the physical firewall, with just two forwarding rules that redirect all incoming traffic from the internet on udp/500 and udp/4500 to the pfSense WAN interface.

The right side of the image represents the VMware infrastructure. The LAN interface provides connectivity to the VMware VM network. Later I will show you how to create a VLAN on that interface.

Configuration:

  1. Let’s start with the VMC configuration. At this stage you will need to know the public IP of your on-prem firewall.
    Open the vmc.vmware.com/console portal and select the SDDC you want to work on. Then navigate to the “Networking and security” -> VPN -> Route Based blade.
    Select Add VPN; you should see a configuration window similar to this:

Set the following:

  • Local IP address – select Public IP (and note it)
  • Remote Public IP – IP address of the on-prem firewall (router)
  • BGP local IP/Prefix – use a /30 CIDR from 169.254.0.0/16; some addresses are excluded (click the “i” in that field for details)
  • Remote BGP IP – set one IP address (without prefix) that will be used on-prem, for example: 169.254.100.2
  • BGP Neighbor ASN – set the ASN for the on-prem pfSense (from the private range: 64512 to 65535)
  • Preshared key – enter a non-trivial key (but try to avoid special characters)
  • Remote private IP – IP address of the pfSense WAN interface

Set the rest of the values as in the screenshot above.

VPN settings can be set according to the documentation: https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws.networking-security/GUID-5566A021-ECF7-41C4-B899-30924EBCD81F.html

According to this documentation, IPsec phase 1 and phase 2 can take the values shown on the screen below:


The configuration can be downloaded from the same screen after saving the settings:

Keep this file somewhere safe, as it contains the pre-shared key.

The downloaded file should look similar to the following dump:

#
# Enforcement point path    : /infra/sites/default/enforcement-points/vmc-enforcementpoint
# Enforcement point type    : NSXT
#

# Suggestive peer configuration for IPSec VPN Connection
#
# (cut)
# Internet Key Exchange Configuration [Phase 1]
# Configure the IKE SA as outlined below
IKE version                  : IKE_V2
Connection initiation mode   : INITIATOR
Authentication method        : PSK
Pre shared key               : PASSWORD
Authentication algorithm     : [SHA2_256]
Encryption algorithm         : [AES_256]
SA life time                 : 86400
Negotiation mode             : Not applicable for ikev2
DH group                     : [GROUP14]
Prf Algorithm                : [SHA2_256]
# IPsec_configuration [Phase 2]

# Configure the IPsec SA as outlined below
Transform Protocol              : ESP
Authentication algorithm        : [SHA2_256]
Sa life time                    : 3600
Encryption algorithm            : [AES_256]
Encapsulation mode              : TUNNEL_MODE
Enable perfect forward secrecy  : true
Perfect forward secrecy DH group: [GROUP14]

# IPsec Dead Peer Detection (DPD) settings
DPD enabled         : true
DPD probe interval  : 60

# IPSec VPN Session Configuration
Peer address    : LOCAL_VMC_IP_ADDRESS # Peer gateway public IP.
Peer id         : LOCAL_VMC_IP_ADDRESS #the same as above
Peer Subnet     : 0.0.0.0/0
Local address   : REMOTE_ON-PREM_PUBLIC_IP_ADDRESS # Local gateway public IP.
Local id        :  PFSENSE_WAN_IP
Local Subnet    : 0.0.0.0/0

# Virtual Tunnel Interface
Peer VTI address         : 169.254.100.1
Local VTI address        : 169.254.100.2
Tunnel Interface MTU     :  bytes

#
# BGP Configuration
#

BGP neighbour IP        : 169.254.100.1
BGP neighbour AS number : 65000
BGP local IP            : 169.254.100.2
BGP local AS number     : 65500
BGP hold down timer     : 180
BGP keep alive timer    : 60
BFD Status              : false

We will use most of the information above in the pfSense configuration; pay particular attention to the timers.
At this stage the VPN status will be down.

Verify/set the local ASN:

This should also be from the private range. 

The next part covers pfSense. If you are running a different router, this article is a good starting point: https://vmc.techzone.vmware.com/resource/ipsec-vpn-configuration-reference#introduction

  1. pfSense configuration
    Installation is rather straightforward. Use the latest version of the software. After installation you should be able to log in with the default admin/pfsense credentials.



If this is your first time with pfSense, take a moment to familiarize yourself with it. The main menu is at the top.


The Help doc/book entries in that menu are just links to the corresponding web pages, so it is more convenient to have internet access from the station you are managing from.

APIPA


The first (optional) step I always take in the lab is to allow APIPA (the 169.254.x.x network). We will use this network later.
To do this, go to the following page:

and tick the box shown below:

Then save the configuration (Save button at the bottom).

By default pfSense has no dynamic routing support (we are interested in BGP and OSPF, the protocols supported by NSX-T). For that reason we need to install a free add-on from the pfSense package manager.

FRR

This can be done using the following page:

Search for frr. During installation you may get the following error; ignore it.

FRR should then appear as an installed package and look similar to mine:

Next, let’s concentrate on the VPN and IPsec. For that we need the public IP address of our VPN endpoint in VMC. This can be checked on the VMC/SDDC configuration page (vmc.vmware.com/console) under Network & Security -> Overview; the VPN Public IP should be visible at the top of the network diagram.

Our first goal is to create the IPsec phase 1 configuration.

IPsec

Remote Gateway is the VMC VPN Public IP.

Next you need to set the following:

Here “My identifier” is the IP address of the pfSense LAN interface, and “Peer identifier” is again the public IP address of the remote (VMC) VPN.

Phase 2 should be configured as follows:

Validate the configuration and apply the settings:

The final result should look like this:

Assign the IPsec interface

Go to Interfaces -> Interface Assignments and assign the newly available interface named ipsec vti. Next, edit the interface: you have to enable it, and you can optionally set an interface description.

Firewall - allow traffic

Go to Firewall -> Rules and select the IPsec blade.

Create a new rule; as an example you can take the values from the screenshots below:

At this point you can run some diagnostics. First, go to Status -> IPsec -> Overview and verify the tunnel status. It should look very similar to the following:

From the VMC console VPN blade, also verify the VPN status; it should be in the established state.

You can also run ping from the Diagnostics menu with the options shown below:

If everything is fine, the IPsec tunnel is up and we can reach VMC, so let’s enable BGP on our pfSense.

BGP

From Services -> FRR BGP, configure the following settings:

The timer values need to match those in the configuration file downloaded from VMC.

Next, add the values on the Neighbors tab:

After a while BGP should propagate the networks.

Verify BGP from the Status tab.

The BGP state should read: BGP state = Established

Also in the VMC you should see that BGP status is up.
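Two things on this page are easy to get wrong by hand: reading the right values out of the downloaded VMC dump (phase 1 and phase 2 reuse the same key names), and making the pfSense FRR timers match it. The script below is an added example, not code from the article or from VMware/pfSense: it parses a constructed dump in the format shown above (the article's lifetimes, VTI addresses, ASNs and timers; the two public IPs are documentation placeholders), checks the rules the article states (private ASN, 169.254.0.0/16 addresses in one /30, BGP IPs equal to the VTI addresses, timers consistent) and renders the FRR `router bgp` stanza that the pfSense FRR BGP and Neighbors pages are assumed to produce from the same values.

```python
import ipaddress

# Constructed sample: a trimmed copy of the kind of dump VMC offers after the
# route-based VPN is saved. Lifetimes, VTI addresses, ASNs and timers are the
# article's values; the two public IPs are documentation placeholders.
SAMPLE_DUMP = """\
# Internet Key Exchange Configuration [Phase 1]
IKE version                  : IKE_V2
Authentication method        : PSK
Pre shared key               : PASSWORD
Authentication algorithm     : [SHA2_256]
Encryption algorithm         : [AES_256]
SA life time                 : 86400
DH group                     : [GROUP14]
# IPsec_configuration [Phase 2]
Transform Protocol              : ESP
Authentication algorithm        : [SHA2_256]
Sa life time                    : 3600
Encryption algorithm            : [AES_256]
Enable perfect forward secrecy  : true
Perfect forward secrecy DH group: [GROUP14]
# IPSec VPN Session Configuration
Peer address    : 203.0.113.10 # Peer gateway public IP.
Local address   : 198.51.100.20 # Local gateway public IP.
# Virtual Tunnel Interface
Peer VTI address         : 169.254.100.1
Local VTI address        : 169.254.100.2
# BGP Configuration
BGP neighbour IP        : 169.254.100.1
BGP neighbour AS number : 65000
BGP local IP            : 169.254.100.2
BGP local AS number     : 65500
BGP hold down timer     : 180
BGP keep alive timer    : 60
"""

# Comment headers that open a new section of the dump (matched case-insensitively).
SECTION_MARKERS = {
    "[phase 1]": "phase1",
    "[phase 2]": "phase2",
    "session configuration": "session",
    "virtual tunnel interface": "vti",
    "bgp configuration": "bgp",
}
PRIVATE_ASN = range(64512, 65536)
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_vmc_dump(text):
    """Parse 'Key : Value # comment' lines into {section: {key: value}}.
    Sections matter because phase 1 and phase 2 reuse key names. Keys are
    lower-cased; values lose their [brackets] and trailing '# ...' comments."""
    sections = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            low = line.lower()
            for marker, name in SECTION_MARKERS.items():
                if marker in low:
                    current = name
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.split("#", 1)[0].strip().strip("[]")
        sections.setdefault(current, {})[key.strip().lower()] = value
    return sections


def check_dump(cfg):
    """Return findings against the article's rules; empty list means consistent."""
    problems = []
    p1, p2, vti, bgp = cfg["phase1"], cfg["phase2"], cfg["vti"], cfg["bgp"]
    if p1.get("ike version") != "IKE_V2":
        problems.append("phase1: IKE version is not IKE_V2")
    if p2.get("enable perfect forward secrecy", "").lower() != "true":
        problems.append("phase2: perfect forward secrecy is disabled")
    if int(bgp["bgp local as number"]) not in PRIVATE_ASN:
        problems.append("bgp: local AS number is outside the private range 64512-65535")
    for label in ("peer vti address", "local vti address"):
        if ipaddress.ip_address(vti[label]) not in APIPA:
            problems.append(f"vti: {label} is outside 169.254.0.0/16")
    # The VMC form takes a /30, so both tunnel ends must sit in the same /30.
    link = ipaddress.ip_network(vti["local vti address"] + "/30", strict=False)
    if ipaddress.ip_address(vti["peer vti address"]) not in link:
        problems.append("vti: peer and local VTI addresses are not in the same /30")
    if (bgp["bgp neighbour ip"] != vti["peer vti address"]
            or bgp["bgp local ip"] != vti["local vti address"]):
        problems.append("bgp: neighbour/local IPs do not match the VTI addresses")
    hold, keep = int(bgp["bgp hold down timer"]), int(bgp["bgp keep alive timer"])
    if hold < 3 * keep:  # conventional BGP ratio; the dump uses 180/60
        problems.append("bgp: hold down timer is less than three times the keep alive timer")
    return problems


def frr_bgp_config(cfg):
    """Render the FRR 'router bgp' stanza matching the dump (assumed equivalent
    to what the pfSense FRR BGP and Neighbors pages generate from these values)."""
    bgp = cfg["bgp"]
    peer = bgp["bgp neighbour ip"]
    return "\n".join([
        f"router bgp {bgp['bgp local as number']}",
        f" neighbor {peer} remote-as {bgp['bgp neighbour as number']}",
        # FRR syntax: neighbor PEER timers KEEPALIVE HOLDTIME
        f" neighbor {peer} timers {bgp['bgp keep alive timer']} {bgp['bgp hold down timer']}",
    ])


if __name__ == "__main__":
    parsed = parse_vmc_dump(SAMPLE_DUMP)
    print("findings:", check_dump(parsed) or "none")
    print(frr_bgp_config(parsed))
```

Run it against your own downloaded file by reading it into `parse_vmc_dump` instead of `SAMPLE_DUMP`; any finding printed is something to correct on the VMC or pfSense side before expecting the BGP state to reach Established.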

Summary:

Now, with BGP hopefully in place, you can create networks on the pfSense side and verify that they are visible in VMC. Also test propagation in the opposite direction.

You can also try to configure and test more complicated scenarios and hopefully share them with the community.
