IPSEC VPN Cluster HowTo

1.- Requirements

To create a working cluster in Viapps, either logical or master-slave, the clustered nodes must be new and must not carry any previous configuration.
To follow this tutorial deploy new fw nodes.
This documentation is valid for Viapps version 1.3.1-6.
Before trying to create a tunnel between two endpoints, be sure both ipsec servers have ip connectivity to each other.

2.- Parts of the lab.

FW Nodes

IPSEC VPN Left node (HA Cluster)
ipsec1 - first node of the ipsec cluster
ipsec2 - second node of the ipsec cluster

IPSEC VPN Right node
ipsec3 - right vpn endpoint

- IPs & Network -
192.168.216.46 - ipsec vpn service vip
10.80.80.1 - internal network vip

3.- Create the nodes

Deploy at least two new fw nodes to create the cluster dedicated to be the left endpoint of the vpn connection (ipsec1/2). In this
lab we also manage the right endpoint of the connection so we create or reuse another fw node (ipsec3).

4.- Defining the new Cluster

Let's create a new cluster. From the CMI node go to the menu Manage>Clusters

and then click on Add_new button to define a new cluster.

This new dialog appears:

Put a meaningful Name and Description for the new cluster and select the flavour fw. This configures the cluster according to the particularities of a clustered fw.

The two cluster nodes are in the same CMI and share the same management network (10.10.10.0/24). We chose this network to carry the heartbeat packets and the cluster control traffic.
Select the internal network and not the service interface, so that all cluster traffic is confined to it.

Configure the vips needed for the service. In this case, 192.168.216.46 is the service vip where the ipsec service will listen and 10.80.80.1 is the vip used as gateway by the inner networks at the BCN HQ.

If everything went well you'll see a log like in the following screenshot:

Go to the cluster configuration to see which node is the active master, which is the slave, and whether they are synchronized. In the cluster configuration select
the cluster and click on details:

You should see the role of every node and its status:

To manage and configure the flavour of the master cluster node select the cluster and click on the manage button:

5.- Configure the ipsec vpn on the master node

The configuration in a cluster environment is the same as in a standalone node. Now, on the master node, go to the menu Manage>VPN to configure the ipsec vpn:

In the vpn configuration click on Add_new button to create a new vpn configuration:

The ipsec configuration has three tabs, corresponding to the two-phase tunnel negotiation between the two endpoints of an ipsec vpn.

First, in phase 1a, name the connection and select an IKE version; typically use v2 to force this version, or auto. Select the vip facing the internet (216.46 in this lab)
for the left gateway and the internet-facing ip of the right gateway (217.46 in this lab).

The authentication method in this version is limited to a preshared key: write the same secret in both endpoints and give the left and right nodes an identifier (Barcelona and Sao Paulo).

In phase 1b select the encryption and hashing algorithms and the DH key group according to the right endpoint:
Select the advanced options as required:

In phase two select the networks beyond the tunnel. All traffic that arrives at the vpn server with a destination in the right network will be encapsulated and routed through the tunnel:
For the SA check the other endpoint's configuration, select ESP full encryption whenever possible, and select also the encryption and hashing protocols and the PFS key group.

Click on accept button.

You'll see the configuration is created and the connection status is "not connected".
Also notice that this configuration is not yet replicated to the slave node and the cluster status is "Out of Sync". Click on "Out of Sync" to
go to the cluster synchronization.

6.- Sync cluster

Click on the Synchronize button:

If everything is in order no error will appear and the status will be synchronized, both in the cluster status and in each synchronization task below:

Return to the ipsec vpn configuration and check that it is synchronized:

7.- Configure IPSec right endpoint (node ipsec3)

The configuration of the right endpoint is the same as in the last section. Just keep in mind that you must flip the configuration,
since from this side this node is the left one (ips, gateway, networks, identifier, etc.).

After the last configuration step, clicking on the accept button makes the ipsec daemon try to connect. If all the configuration
on the right node is consistent with the cluster HA nodes, the tunnel will be established and the status will be "Connected".

In case of any problem check /var/log/messages for errors, and check that the shared secret is the same and that all agreed
encryption and hashing protocols are the same on both sides.
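The check above can be scripted. The following is an added example and not part of the Viapps HowTo or product: it triages a syslog-style file for the three reasons a tunnel usually stays "not connected" (no ip connectivity to the peer, a pre-shared key mismatch, and disagreeing phase 1/phase 2 proposals). The IKEv2 notify names AUTHENTICATION_FAILED and NO_PROPOSAL_CHOSEN come from RFC 7296 and are what the daemon logs when the secret or the algorithm set differs; the other wording patterns, the file name ipsec_triage.sh and every sample log line are constructed for this example, so adapt the patterns to the messages your daemon actually writes.

```shell
#!/bin/sh
# Added example, not part of the Viapps HowTo. Triage /var/log/messages for the
# causes of a tunnel that stays "not connected": peer unreachable, pre-shared
# key mismatch, or disagreeing IKE/ESP proposals. The IKEv2 notify names
# (RFC 7296) are standard; the other patterns and the sample log lines are
# constructed, and exact wording differs between daemons.

# triage_ipsec_log LOGFILE
# Prints one hint per finding. Return code is a bit mask:
#   1 = peer not answering, 2 = authentication failure, 4 = proposal mismatch,
#   0 = nothing recognised.
triage_ipsec_log() {
    rc=0
    # Retransmits without a reply: no ip connectivity, or UDP/500 and UDP/4500
    # (IKE and NAT traversal) filtered between the endpoints.
    if grep -qiE 'retransmit|timed out|no response' "$1"; then
        echo "peer not answering: check ip connectivity and that UDP/500 and UDP/4500 are allowed"
        rc=$((rc | 1))
    fi
    # A different pre-shared key on either side surfaces as AUTHENTICATION_FAILED.
    if grep -qiE 'AUTHENTICATION_FAILED|authentication failed' "$1"; then
        echo "authentication failed: the pre-shared key must be identical on both endpoints"
        rc=$((rc | 2))
    fi
    # No algorithm set in common for phase 1 (IKE) or phase 2 (ESP).
    if grep -qiE 'NO_PROPOSAL_CHOSEN|no acceptable proposal' "$1"; then
        echo "proposal mismatch: align IKE and ESP encryption, hashing and DH/PFS groups"
        rc=$((rc | 4))
    fi
    return $rc
}

# write_sample_log FILE
# Constructed sample lines (not real daemon output) showing a wrong secret.
# 198.51.100.46 is a documentation address standing in for the right gateway.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  1 10:00:01 ipsec1 ipsec: initiating IKE_SA to 198.51.100.46
Jan  1 10:00:01 ipsec1 ipsec: sending IKE_SA_INIT request 0
Jan  1 10:00:02 ipsec1 ipsec: received IKE_SA_INIT response 0
Jan  1 10:00:02 ipsec1 ipsec: received AUTHENTICATION_FAILED notify error
Jan  1 10:00:02 ipsec1 ipsec: connection Barcelona-SaoPaulo not connected
EOF
}

# Stand-alone use: ./ipsec_triage.sh /var/log/messages
# Without an argument the constructed sample is analysed instead.
if [ -n "$1" ]; then
    triage_ipsec_log "$1"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    triage_ipsec_log "$tmp" || true
    rm -f "$tmp"
fi
```

Run it on both endpoints: because each side logs its own view of the exchange, the side that initiated shows the notify it received while the responder shows why it sent it, and the bit mask return code lets a monitoring job react differently to a reachability problem than to a configuration one.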

8.- Test connectivity through the tunnel

To test the tunnel just ping from one gateway to the opposite network on the other side of the tunnel. In this lab we will ping the vip of the internal gateway
of the left network (10.80.80.1) from the right node (ipsec3).

To verify this traffic traverses the tunnel just stop the tunnel

and repeat the ping.

9.- Test bouncing the service between nodes

Leave a ping running so that we can check whether connectivity is lost when the service shifts.

Now that we have proved the tunnel works from a single node, let's try the cluster layer and force a bounce of the service to the slave server.
Return to the CMI. Click on the node marked as Running-passive synchronized (make sure the cluster is synchronized) and click on the takeover button:

A warning should appear reminding you to synchronize the cluster:

After a brief moment go back to the cluster details and check that the service has moved to the passive node:

You can also verify that the ipsec3 node now has the two vips configured.

And check the running ping. The service transition goes smoothly, only a few packets are lost (5 in the lab environment) and the service keeps running:
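Counting the lost packets by eye works in a lab; for a repeatable acceptance test of the takeover (and of the plain connectivity check in the previous section) the ping output can be saved and measured. The script below is an added example, not part of the Viapps HowTo: it extracts the icmp_seq numbers from saved ping output, treats every missing number between the first and last reply as a lost packet, and reports the longest consecutive run, which is the failover window in seconds at the default one-second interval. "Destination Host Unreachable" lines also carry an icmp_seq, so only reply lines (those with time=) are counted. The ping transcript embedded in it is constructed and the file name ping_gap.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Viapps HowTo. Measure the outage seen by the
# ping left running during a cluster takeover from its saved output.
# The ping transcript written by write_sample_ping is constructed.

# count_lost_seq FILE
# Prints "<lost> <longest_gap>": total missing icmp_seq numbers between the
# first and last reply, and the longest consecutive run of missing numbers
# (the failover window in seconds at ping's default 1 s interval).
count_lost_seq() {
    # Keep only echo replies: error lines such as "Destination Host Unreachable"
    # carry an icmp_seq too but no time= field, and must not count as replies.
    grep 'time=' "$1" |
        sed -n 's/.*icmp_seq=\([0-9][0-9]*\).*/\1/p' |
        awk '
            NR == 1 { prev = $1; next }
            {
                gap = $1 - prev - 1
                if (gap > 0) {
                    lost += gap
                    if (gap > longest) longest = gap
                }
                prev = $1
            }
            END { printf "%d %d\n", lost + 0, longest + 0 }'
}

# write_sample_ping FILE
# Constructed transcript of a ping to the internal vip during a takeover:
# replies 4..8 never arrive and one unreachable is reported by the local side.
write_sample_ping() {
    cat > "$1" <<'EOF'
PING 10.80.80.1 (10.80.80.1) 56(84) bytes of data.
64 bytes from 10.80.80.1: icmp_seq=1 ttl=64 time=0.612 ms
64 bytes from 10.80.80.1: icmp_seq=2 ttl=64 time=0.598 ms
64 bytes from 10.80.80.1: icmp_seq=3 ttl=64 time=0.601 ms
From 10.80.81.1 icmp_seq=5 Destination Host Unreachable
64 bytes from 10.80.80.1: icmp_seq=9 ttl=64 time=0.655 ms
64 bytes from 10.80.80.1: icmp_seq=10 ttl=64 time=0.620 ms
64 bytes from 10.80.80.1: icmp_seq=11 ttl=64 time=0.603 ms
EOF
}

# Stand-alone use: ping 10.80.80.1 | tee ping.log, stop it after the takeover,
# then ./ping_gap.sh ping.log. Without an argument the constructed sample is used.
if [ -n "$1" ]; then
    count_lost_seq "$1"
else
    tmp=$(mktemp)
    write_sample_ping "$tmp"
    count_lost_seq "$tmp"
    rm -f "$tmp"
fi
```

The pair of numbers is more useful than ping's own loss percentage: the percentage depends on how long the ping ran, while the longest gap directly states how many seconds the vip answered from neither node, which is the figure to compare between takeover tests.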