Unsupported content: This version of the documentation is no longer supported, but it remains available for reference.

Static and dynamic routing on a VPN


The following is an example of a VPN configuration performed on Amazon Web Services (AWS). Although your configuration might differ, this example can help you plan your own VPN configuration.

This example uses an isolated environment with a Border Gateway Protocol (BGP) routing configuration. The enterprise network has its own BGP autonomous system number (ASN), and the VPN server created in AWS acts as a second BGP gateway with its own ASN.

For the enterprise gateway, select the Dynamic Routing check box on the network blueprint. (If you want to use static routing, clear the check box.) Similarly, when you create the VPN gateway, select or clear the check box according to your preference.


Creating the network blueprint

The following procedure outlines how to create a network blueprint with an Enterprise Gateway/Edge Gateway/Network combination and how to connect these components. You can use a gold-based network blueprint to add more components for a VPN-related network blueprint.

  1. In BMC Cloud Lifecycle Management, create a new blueprint.
  2. Select Enterprise Gateway.
  3. In the Details section, select the Dynamic Routing check box.
  4. In the IP Address field, enter the VPN server’s IP address.
  5. Enter the ASN that was created for the BGP in your infrastructure.
  6. Make sure that the Dynamic Routing check box is selected for the VPN tunnel created between the Enterprise Gateway and Edge Gateway.
  7. Select Edge Gateway.
  8. In the Details section, select VPN Gateway for the Gateway Type.
  9. When adding the network address for the network, do not select Public for a private network.
  10. Save and check in the network blueprint.

Infrastructure and configuration

To test routing in this example, the Quagga routing suite provides the BGP configuration and the racoon IKE daemon (from ipsec-tools) provides the IPsec keying, so that a secured tunnel can be established from BMC Cloud Lifecycle Management.

To connect to the VPN server and to the private network, use a VPN client on the BMC Cloud Lifecycle Management stack. To enable provisioning on a private subnet, install the VPN client on the BMC Cloud Lifecycle Management host where BMC Server Automation and BMC Atrium Orchestrator reside.

An Ubuntu server is provisioned in the Amazon default virtual private cloud (VPC) in any region, with a public IP address (an Elastic IP). This server is used as the VPN server. The public DNS name created for the server is used to connect to it from the VPN client.

In this example, login to the VPN server is handled by a Point-to-Point Tunneling Protocol daemon (pptpd), and IPsec, configured below, secures the traffic. Note that PPTP's own MS-CHAPv2 authentication and MPPE encryption are cryptographically weak, so do not rely on them for confidentiality without the IPsec tunnel. Videos on www.youtube.com might help you learn how to configure a pptpd VPN server; keywords in your search might include "Personal VPN Server on Amazon".

The following screenshot lists the files that you must configure to use a pptpd VPN server. The last file (chap-secrets) holds the credentials used to authenticate to the VPN server.

FilesToConfigure.png

The chap-secrets file looks like this:

chap-secrets.png

In the example file, demo is the login name and demo-password is the password for logging in to the VPN server. Each line of /etc/ppp/chap-secrets has the form "client server secret IP-addresses" (for pptpd the server field is normally pptpd and the address field is *), and because the secrets are stored in clear text the file must be readable by root only. After the VPN server is up, configure IPsec for a secure connection.

To configure IPSec on the VPN server:

  1. Install strongSwan with apt-get (the Ubuntu package is named strongswan).
  2. Configure the following files:
    • ipsec.sh
    • ipsec.conf
    • ipsec.secrets (contains the pre-shared key in clear text; keep it readable by root only)

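The following script is an added example, not code from the original page or from BMC: it renders a strongSwan ipsec.conf and ipsec.secrets for a pre-shared-key tunnel between the Ubuntu VPN server and the CLM-side peer, generates a random key, and creates the secrets file with restrictive permissions. The connection name, addresses and subnets used in the usage line are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original page): render strongSwan config for
# one PSK-authenticated IKEv2 tunnel. Addresses and subnets are assumptions.
set -eu

# 32 random bytes, hex encoded. A short or guessable PSK lets an attacker who
# captures the IKE exchange run an offline dictionary attack, so use a long
# random one (openssl rand -hex 32 is equivalent where openssl is present).
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Render ipsec.conf. Arguments:
#   $1 conn name   $2 local public IP   $3 local subnet
#   $4 peer public IP   $5 peer subnet
# The '!' after the ike= and esp= proposals makes them strict, so the peer
# cannot negotiate anything weaker than AES-256/SHA-256/2048-bit DH.
render_ipsec_conf() {
    cat <<EOF
conn $1
    keyexchange=ikev2
    authby=secret
    type=tunnel
    auto=start
    left=%defaultroute
    leftid=$2
    leftsubnet=$3
    right=$4
    rightsubnet=$5
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=restart
EOF
}

# Render the one-line ipsec.secrets entry: <local id> <peer id> : PSK "<key>"
render_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Write both files into directory $1 with a freshly generated PSK and print
# the PSK so it can be entered on the peer. ipsec.secrets is created with
# mode 0600 because it holds the key in clear text.
write_ipsec_files() {
    dir=$1; shift
    psk=$(gen_psk)
    umask 077
    render_ipsec_conf "$1" "$2" "$3" "$4" "$5" >"$dir/ipsec.conf"
    render_ipsec_secrets "$2" "$4" "$psk" >"$dir/ipsec.secrets"
    chmod 0600 "$dir/ipsec.secrets"
    printf '%s\n' "$psk"
}

# Usage with assumed values (run as root to write into /etc):
#   write_ipsec_files /etc aws-vpn 203.0.113.10 10.0.0.0/16 198.51.100.20 192.168.10.0/24
```

After writing the files, run "ipsec restart" and "ipsec statusall" on the server; the same PSK and mirrored left/right values go into the peer's configuration.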
See https://docs.openvpn.net for tutorials about extending VPN connectivity.

Installing the VPN client

With the configuration described here, the VPN server is ready to use. Next, install a VPN client on your CLM environment, using the login credentials created above and the properties shown in the following VPN client configuration.

VPNclient.png

This configuration is common for both static and dynamic routing.

Additionally, if you want to use dynamic routing, configure BGP in your environment. In this example, Quagga provides the BGP routing and racoon provides the IPsec keying. After configuring BGP on the enterprise side, install and configure racoon and Quagga on the Ubuntu server.

Videos on www.youtube.com might help you learn how to configure racoon and Quagga. Keywords in your search might include VPN, racoon, Quagga, software.
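
The following script is an added example, not configuration from the original page or from BMC: it renders a minimal Quagga bgpd.conf for the Ubuntu VPN server side of the session. It goes slightly beyond the text by adding a TCP MD5 session password and prefix lists, which a practitioner would want so that the peer cannot inject a default route or hijack the local network. The ASNs, router ID, neighbor address, advertised network and password in the usage line are assumptions; use the values from your own network blueprint.

```shell
#!/bin/sh
# Added example (not from the original page): render /etc/quagga/bgpd.conf.
# All ASNs, addresses and the password are assumptions.
set -eu

# Returns 0 if $1 is a syntactically valid 2-byte or 4-byte ASN (1-4294967295).
valid_asn() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ]
}

# Render the configuration. Arguments:
#   $1 local ASN   $2 router ID   $3 neighbor IP   $4 neighbor ASN
#   $5 network to advertise (CIDR)   $6 BGP session password
# "neighbor X password" enables the TCP MD5 signature option (RFC 2385); the
# peer must be configured with the same password or the session stays down.
# Prefix list from-peer rejects a default route and our own prefix coming
# from the peer; to-peer advertises nothing but our own network.
render_bgpd_conf() {
    valid_asn "$1" || { echo "bad local ASN: $1" >&2; return 1; }
    valid_asn "$4" || { echo "bad neighbor ASN: $4" >&2; return 1; }
    cat <<EOF
hostname vpn-bgp
log syslog
!
router bgp $1
 bgp router-id $2
 network $5
 neighbor $3 remote-as $4
 neighbor $3 password $6
 neighbor $3 prefix-list from-peer in
 neighbor $3 prefix-list to-peer out
!
ip prefix-list from-peer seq 5 deny 0.0.0.0/0
ip prefix-list from-peer seq 10 deny $5
ip prefix-list from-peer seq 20 permit 0.0.0.0/0 le 32
ip prefix-list to-peer seq 5 permit $5
ip prefix-list to-peer seq 10 deny 0.0.0.0/0 le 32
!
line vty
!
EOF
}

# Usage with assumed values (run as root):
#   render_bgpd_conf 65001 10.0.0.1 169.254.255.1 65000 10.0.0.0/16 s3cret > /etc/quagga/bgpd.conf
#   chown quagga:quagga /etc/quagga/bgpd.conf && chmod 0640 /etc/quagga/bgpd.conf
```

The file contains the session password, so restrict it to the quagga user as shown in the usage comment, and make sure zebra is running and the network statement matches the subnet you actually route over the tunnel.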

Testing the VPN connection

To validate whether a VPN is established, perform these tests:

  • In the virtual private cloud (VPC) with a private subnet, launch an instance with a private IP address, and make sure that an RSCD agent is running on the instance.
  • Ping the instance's private IP address from the Ubuntu server.
  • Ping the instance's private IP address from the BMC Cloud Lifecycle Management host where BMC Server Automation and BMC Atrium Orchestrator reside.
  • Make sure that the agentinfo command from BMC Cloud Lifecycle Management to the instance's private IP address works properly. (The RSCD agent's default port, TCP 4750, must be reachable through the tunnel.)
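
The following script is an added example, not code from the original page or from BMC: it scripts the checks above, and additionally confirms that the BGP session with the peer is Established and that the route to the private subnet points at the tunnel interface. The neighbor address, subnet, interface and port are assumptions, and the command output embedded for the offline demo is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original page): verify the VPN path end to end.
# Neighbor, subnet, interface and port values are assumptions.
set -eu

# $1 = output of "vtysh -c 'show ip bgp summary'", $2 = neighbor IP.
# Quagga prints the received-prefix count in the last column once the
# session is Established, and a state name (Idle, Active, Connect, ...)
# otherwise, so "last column is numeric" means the session is up.
bgp_established() {
    printf '%s\n' "$1" | awk -v nbr="$2" \
        '$1 == nbr { st = $NF } END { exit !(st ~ /^[0-9]+$/) }'
}

# $1 = output of "ip route", $2 = destination CIDR, $3 = expected interface.
# Succeeds only if the route for $2 exists and goes out via "dev $3".
route_via_iface() {
    printf '%s\n' "$1" | awk -v dst="$2" -v dev="$3" \
        '$1 == dst { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) ok = 1 }
         END { exit !ok }'
}

# Live TCP check for the RSCD agent port (4750 by default). Requires nc.
rscd_reachable() {
    nc -z -w 3 "$1" "${2:-4750}"
}

# Run every check against a live system: $1 instance private IP,
# $2 BGP neighbor IP, $3 private subnet CIDR, $4 tunnel interface.
check_all() {
    ping -c 1 -W 2 "$1" >/dev/null || { echo "ping $1 failed"; return 1; }
    bgp_established "$(vtysh -c 'show ip bgp summary')" "$2" \
        || { echo "BGP session with $2 is not Established"; return 1; }
    route_via_iface "$(ip route)" "$3" "$4" \
        || { echo "no route to $3 via $4"; return 1; }
    rscd_reachable "$1" || { echo "RSCD port 4750 on $1 unreachable"; return 1; }
    echo "VPN path to $1 verified"
}

# Constructed sample output for an offline dry run (not real system output).
SAMPLE_BGP='BGP router identifier 10.0.0.1, local AS number 65001
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.255.1   4 65000     120     118        0    0    0 00:58:12        2
169.254.255.5   4 65000       0       0        0    0    0 never    Active'
SAMPLE_ROUTES='default via 172.31.0.1 dev eth0
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.5.10
192.168.10.0/24 via 169.254.255.1 dev ppp0 proto zebra'

# Live usage: sh this-script.sh --live 192.168.10.25 169.254.255.1 192.168.10.0/24 ppp0
if [ "${1:-}" = "--live" ]; then
    check_all "$2" "$3" "$4" "$5"
fi
```

Run the script on the Ubuntu server (where vtysh and the tunnel interface exist); the ping and port checks are the ones to repeat from the BMC Cloud Lifecycle Management host.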

After configuring racoon and Quagga, connect to the VPN server using the VPN client and provision a service offering instance (SOI) on the private network.

The following screenshot shows the Amazon Web Services console with the VPN tunnel up and running and the BGP configuration in place.

VPNandBGPconfig.png

Related topic

Enabling-IPAM-and-DNS-registration-with-AWS
