IPsec interconnection between two sites

Setting up an IPsec VPN between two remote Nutanix clusters

Last updated 29th June 2022

Objective

This guide will show you how to interconnect two Nutanix clusters, provided by OVHcloud through an IPsec VPN. To do this, we will replace the OVHgateway virtual machines that provide internet access with a gateway under the pfSense operating system.

OVHcloud provides services for which you are responsible, with regard to their configuration and management. It is therefore your responsibility to ensure that they function correctly.

This guide is designed to assist you in common tasks as much as possible. Nevertheless, we recommend contacting a specialist service provider or reaching out to our community if you experience any issues.

Requirements

  • Two Nutanix clusters provided by OVHcloud, on different sites
  • Access to the OVHcloud Control Panel
  • Access to your clusters via Prism Central
  • A different private IP addressing scheme applied per cluster
  • Being familiar with uses for an IPsec VPN using the Nutanix Disaster Recovery Plan guide

Instructions

In this guide, we will carry out part of the installation on the cluster in Canada, and another part in France. Below is the list of tasks to be performed in stages on each cluster:

Step 1 Solution overview
Step 2 Gateway replacement in Canada
  Step 2.1 Downloading sources for pfSense installation
  Step 2.2 Creating the GW-PFSENSE virtual machine
  Step 2.3 Shutting down the OVH-GATEWAY virtual machine
  Step 2.4 Retrieving the public address in the OVHcloud Control Panel
  Step 2.5 Starting the GW-PFSENSE virtual machine
  Step 2.6 Installing pfSense
  Step 2.7 Ejecting the pfSense CDROM from the GW-PFSENSE virtual machine
  Step 2.8 Configuring pfSense IP addresses through the console
  Step 2.9 Configuring certain options through the web interface
    Step 2.9.1 Changing the default password for pfSense
    Step 2.9.2 Adding a rule to allow remote administration from a public address
Step 3 Gateway configuration in France
  Step 3.1 Downloading sources for pfSense installation
  Step 3.2 Creating the GW-PFSENSE virtual machine
  Step 3.3 Shutting down the OVH-GATEWAY virtual machine
  Step 3.4 Retrieving the public address in the OVHcloud Control Panel
  Step 3.5 Starting the GW-PFSENSE virtual machine
  Step 3.6 Installing pfSense
  Step 3.7 Ejecting the pfSense CDROM from the GW-PFSENSE virtual machine
  Step 3.8 Configuring pfSense IP addresses through the console
  Step 3.9 Configuring certain options through the web interface
    Step 3.9.1 Changing the default password for pfSense
    Step 3.9.2 Adding a rule to allow remote administration from a public address
Step 4 Setting up the IPsec VPN
  Step 4.1 Setting up the site in Canada
    Step 4.1.1 Setting up the IPsec VPN to France
    Step 4.1.2 Adding a firewall rule to allow network flow through the IPsec VPN between Canada and France
  Step 4.2 Setting up the site in France
    Step 4.2.1 Setting up the IPsec VPN to Canada
    Step 4.2.2 Adding a firewall rule to allow network flow through the IPsec VPN between Canada and France

Step 1 Solution Overview

We will interconnect two Nutanix clusters, one in Canada and the other in France, both in OVHcloud data centres.
They each use a different IP address scheme, as follows:

  • Cluster in Canada: 192.168.10.0/24
  • Cluster in France: 192.168.0.0/24

To allow this configuration, we will replace the OVHgateway virtual machine on each site with a virtual machine with the pfSense operating system, which will continue to provide outbound internet access and manage the VPN tunnel using IPsec.

Step 2 Gateway replacement in Canada

Step 2.1 Downloading sources for pfSense installation

Download an ISO image for the pfSense installation from this link: Downloading pfSense.

Using this documentation, add the pfSense ISO image to your Nutanix cluster.

Step 2.2 Creating the GW-PFSENSE virtual machine

Create a virtual machine with these settings:

  • Name: GW-PFSENSE
  • Storage1: 60 GB HDD
  • Storage2: DVD drive connected to the pfSense ISO file
  • RAM: 4 GB
  • CPU: 2 vCPU
  • Network: two network cards on the AHV network: **Base**

You can use our guide on virtual machine management to create this virtual machine.

Create VM 01

Step 2.3 Shutting down the OVH-GATEWAY virtual machine

To avoid duplicate IP addresses on the network, stop the OVHgateway virtual machine before starting the new virtual machine on pfSense.

Via Prism Central, click in the top left on the main menu.

OVHGateway 01

Click VMs.

OVHGateway 02 stop

Click on the OVHgateway virtual machine.

OVHGateway 03

From the More menu at the top, click Soft Shutdown.

OVHGateway 04

Step 2.4 Retrieving the public address in the OVHcloud Control Panel

Retrieve information about the OVHcloud gateway network settings.

Log in to the OVHcloud Control Panel, select your Nutanix cluster, and find the information in the FOIP field.

Get IP Fail OVER

The FOIP is a range of four addresses. The first and last are reserved, and the third is on OVHcloud hardware and serves as the internet gateway. The only usable IP address is the second address in the range.

During installation, we will reuse this information to assign it to the new GW-PFSENSE virtual machine:

  • XX.XX.XX.N: reserved network address, the one displayed in the OVHcloud Control Panel
  • XX.XX.XX.N+1: IP address to assign to the WAN interface of the GW-PFSENSE virtual machine
  • XX.XX.XX.N+2: address to use as the gateway on the WAN interface of the GW-PFSENSE virtual machine
  • XX.XX.XX.N+3: reserved broadcast address

For example, if the FOIP address displayed on the client site is 123.123.123.4/30, use:

  • 123.123.123.5 for the WAN interface address.
  • 123.123.123.6 for the gateway on the WAN interface.

Step 2.5 Start the GW-PFSENSE virtual machine

Go back to virtual machine management in Prism Central and click on GW-PFSENSE.

Start GATEWAY pfsense

Select Power On from the More menu.

Start GATEWAY pfsense

Click Launch console.

Start GATEWAY pfsense

Step 2.6 Installing pfSense

Review the pfSense licence information and press the Enter key to accept it.

pfsense Installation 01

Choose Install, switch to OK with the Tab key and press Enter.

pfsense Installation 02

Select Continue with default keymap, go to Select with the Tab key and press the Enter key.

pfsense Installation 03

Select Auto (ZFS), switch to OK with the Tab key, and then press the Enter key.

pfsense Installation 04

Go to Select with the Tab key and press Enter.

pfsense Installation 05

Select Stripe, switch to OK with the Tab key, and then press Enter.

pfsense Installation 06

Select NUTANIX VDISK with the Space bar. Then go to OK with the Tab key and press Enter.

pfsense Installation 07

Go to YES with the Tab key and press the Enter key.

pfsense Installation 08

Choose NO with the Tab key and press the Enter key.

pfsense Installation 09

Select Reboot and press the Enter key.

pfsense Installation 10

Step 2.7 Eject the pfSense CDROM from the GW-PFSENSE virtual machine

From Prism Central, go back to GW-PFSENSE virtual machine management and perform the following steps to eject the CDROM.

Click on Soft Shutdown in the More menu on the GW-PFSENSE virtual machine to stop this virtual machine.

Remove CDROM 01

Click Update.

Remove CDROM 02

Click Next.

Remove CDROM 03

Click the Eject icon next to the CDROM.

Remove CDROM 04

Click Next.

Remove CDROM 05

Click Next.

Remove CDROM 06

Click Save.

Remove CDROM 07

Click Power On in the More menu.

Remove CDROM 08

Click Launch Console to continue the installation after startup.

Remove CDROM 09

Step 2.8 Configure pfSense IP Addresses Through the Console

We will configure the pfSense gateway IP addresses as follows:

  • WAN interface: use the address and gateway retrieved in step 2.4 “Retrieving the public address in the OVHcloud Control Panel”.
  • LAN interface: 192.168.10.254/24, which is the gateway address of the Nutanix cluster private network followed by the subnet mask.

Accept the licence by pressing the Enter key.

Configure pfsense 01

Type n and press the Enter key when asked if you need VLANs.

Configure pfsense 02

Type vtnet0 as the interface name for the WAN and press Enter.

Configure pfsense 03

Type vtnet1 as the interface name for the LAN and press Enter.

Configure pfsense 04

Confirm the changes by entering y, then press the Enter key.

Configure pfsense 05

Type 2 to choose Set interface(s) IP address and press Enter.

Configure pfsense 06

Select the WAN interface by typing 1 and pressing Enter.

Configure pfsense 07

Type n and press Enter when prompted to configure the address by DHCP.

Configure pfsense 08

Type the public IP address with the mask and press the Enter key, for example: 123.123.123.5/30.

Then enter the public gateway IP address and press the Enter key, for example: 123.123.123.6.

Configure pfsense 09

Type n and press the Enter key when the wizard offers you the configuration of the IPv6 address WAN interface via DHCP6.

Configure pfsense 10

When requested to revert to HTTP as the webConfigurator protocol, type n and press Enter.

Configure pfsense 11

Press Enter to validate the registration of the IP address of the WAN.

Configure pfsense 12

Type 2 and press the Enter key to configure IP addresses.

Configure pfsense 13

Take option 2 and press the Enter key to change the LAN IP address.

Configure pfsense 14

Type the private IP address followed by the mask 192.168.10.254/24 and press the Enter key.

Configure pfsense 15

Press the Enter key without entering a gateway, as the LAN interface does not need one.

Configure pfsense 16

Press the Enter key to disable IPv6 usage.

Configure pfsense 17

Type n and press the Enter key on the DHCP server activation request.

Configure pfsense 18

Answer n and press the Enter key when prompted to revert to HTTP as the webConfigurator protocol.

Configure pfsense 19

You can now manage the gateway over HTTPS from the private network of the Nutanix cluster.

Press the Enter key to complete the command line configuration.

Configure pfsense 20

Step 2.9 Configure some options through the web interface

Connect to the pfSense Web Console with the URL https://192.168.10.254 from a cluster virtual machine on the AHV LAN: Base.

Enter the following information:

  • User account: admin
  • Default password: pfsense

Then click on SIGN IN.

WEB Configure pfsense 01

Step 2.9.1 Change the pfSense default password

From the System menu, choose User Manager.

Change Password 01

Click the Pen icon.

Change Password 02

Enter and confirm the password to the right of Password.

Change Password 03

Confirm the changes by clicking Save at the bottom of the menu.

Change Password 03.

Step 2.9.2 Add a rule to allow remote administration from a public address

Go to the Firewall menu and choose Rules.

Authorisation admin from public ADDRESS

Check that you are on the WAN tab, then click the Add button (at the bottom with the up arrow) to create a firewall rule.

Authorisation admin from public ADDRESS

Set these options in the Edit Firewall Rule section:

  • Action: Pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: TCP

Select Single host or alias from the Source drop-down menu and enter the public address that can connect to the pfSense firewall.

Authorisation admin from public ADDRESS 03

Then set these options in the Destination section:

  • Destination: WAN address
  • Destination Port Range From: HTTPS
  • Destination Port Range To: HTTPS

Click Save.

Authorisation admin from public ADDRESS 04

Click Apply Changes to activate the rule.

Authorisation admin from public ADDRESS 05

The pfSense administration interface is then reachable from the Internet over HTTPS, but only from the authorised source address, here at https://123.123.123.5.

Step 3 Configuring the gateway in France

We will install the GW-PFSENSE gateway in France on the IP plan 192.168.0.0/24.

Step 3.1 Downloading sources for pfSense installation

Download the ISO image of pfSense installation from this link: Downloading pfSense.

Using this documentation, add the pfSense ISO image to your Nutanix cluster.

Step 3.2 Creating the GW-PFSENSE virtual machine

Create a virtual machine with these settings:

  • Name: GW-PFSENSE
  • Storage1: 60 GB HDD
  • Storage2: DVD drive connected to pfSense ISO image
  • RAM: 4 GB
  • CPU: 2 vCPU
  • Network: two network cards on the AHV network: **Base**

You can use our guide on virtual machine management to create this virtual machine.

Create VM 01

Step 3.3 Shutting down the OVH-GATEWAY virtual machine

To avoid duplicate IP addresses on the network, stop the OVHgateway virtual machine before starting the new virtual machine on pfSense.

Via Prism Central, click in the top left on the main menu.

OVHGateway 01

Click VMs.

OVHGateway 02 stop

Click the OVHgateway virtual machine.

OVHGateway 03

From the More menu at the top, click Soft Shutdown.

OVHGateway 04

Step 3.4 Retrieving the public address in the OVHcloud Control Panel

Retrieve information about the OVHcloud gateway network settings.

Log in to the OVHcloud Control Panel, select your Nutanix cluster, and find the information in the FOIP field.

Get IP Fail OVER

The FOIP is a range of four addresses. The first and last are reserved, and the third is on OVHcloud hardware and serves as the internet gateway. The only usable IP address is the second address in the range.

During installation, we will reuse this information to assign it to the new GW-PFSENSE virtual machine:

  • XX.XX.XX.N: reserved network address, the one displayed in the OVHcloud Control Panel
  • XX.XX.XX.N+1: IP address to assign to the WAN interface of the GW-PFSENSE virtual machine
  • XX.XX.XX.N+2: address to use as the gateway on the WAN interface of the GW-PFSENSE virtual machine
  • XX.XX.XX.N+3: reserved broadcast address

For example, if the FOIP address displayed on the client site is 123.123.123.4/30, use:

  • 123.123.123.5 for the WAN interface address.
  • 123.123.123.6 for the gateway on the WAN interface.

Step 3.5 Start the GW-PFSENSE virtual machine

Go back to virtual machine management in Prism Central and click on GW-PFSENSE.

Start GATEWAY pfsense

From the More menu, click Power On.

Start GATEWAY pfsense

Click Launch console.

Start GATEWAY pfsense

Step 3.6 Installing pfSense

Review the pfSense licence information and press the Enter key to accept it.

pfsense Installation 01

Choose Install, switch to OK with the Tab key, and then press Enter.

pfsense Installation 02

Select Continue with default keymap, go to Select with the Tab key and press the Enter key.

pfsense Installation 03

Select Auto (ZFS), switch to OK with the Tab key, and then press the Enter key.

pfsense Installation 04

Go to Select with the Tab key and press Enter.

pfsense Installation 05

Select Stripe, switch to OK with the Tab key, and then press Enter.

pfsense Installation 06

Select NUTANIX VDISK with the Space bar. Then go to OK with the Tab key and press Enter.

pfsense Installation 07

Go to YES with the Tab key and press the Enter key.

pfsense Installation 08

Choose NO with the Tab key and press the Enter key.

pfsense Installation 09

Select Reboot and press the Enter key.

pfsense Installation 10

Step 3.7 Eject the pfSense CDROM from the GW-PFSENSE virtual machine

From Prism Central, go back to GW-PFSENSE virtual machine management and perform the following steps to eject the CDROM.

Click Soft Shutdown via the More menu on the GW-PFSENSE virtual machine to stop this virtual machine.

Remove CDROM 01

Click Update.

Remove CDROM 02

Click Next.

Remove CDROM 03

Click the Eject icon next to the CDROM.

Remove CDROM 04

Click Next.

Remove CDROM 05

Click Next.

Remove CDROM 06

Click Save.

Remove CDROM 07

Click Power On in the More menu.

Remove CDROM 08

Click Launch Console to continue the installation after startup.

Remove CDROM 09

Step 3.8 Configure pfSense IP Addresses Through the Console

We will configure the pfSense gateway IP addresses as follows:

  • WAN interface: use the address and gateway retrieved in step 3.4 “Retrieving the public address in the OVHcloud Control Panel”.
  • LAN interface: 192.168.0.254/24, which is the gateway address of the Nutanix cluster private network followed by the subnet mask.

Accept the licence by pressing the Enter key.

Configure pfsense 01

Type n and press the Enter key when asked if you need VLANs.

Configure pfsense 02

Type vtnet0 as the interface name for the WAN and press Enter.

Configure pfsense 03

Type vtnet1 as the interface name for the LAN and press Enter.

Configure pfsense 04

Confirm the changes by entering y and press the Enter key.

Configure pfsense 05

Type 2 to choose Set interface(s) IP address and press Enter.

Configure pfsense 06

Select the WAN interface by typing 1 and pressing Enter.

Configure pfsense 07

Type n and press Enter when prompted to configure the address by DHCP.

Configure pfsense 08

Type the public IP address with the mask and press the Enter key. For example, 123.123.123.5/30.

Then enter the public gateway IP address and press the Enter key. For example, 123.123.123.6.

Configure pfsense 09

Answer n and press the Enter key when prompted to configure the IPv6 address WAN interface via DHCP6.

Configure pfsense 10

When prompted to revert to HTTP as the webConfigurator protocol, type n and press Enter.

Configure pfsense 11

Press Enter to validate the registration of the IP address of the WAN.

Configure pfsense 12

Type 2 and press the Enter key to configure IP addresses.

Configure pfsense 13

Take option 2 and press the Enter key to change the LAN IP address.

Configure pfsense 14

Type the private IP address followed by the mask 192.168.0.254/24 and press the Enter key.

Configure pfsense 15

Press the Enter key without entering a gateway, as the LAN interface does not need one.

Configure pfsense 16

Press the Enter key to disable IPv6 on the LAN interface.

Configure pfsense 17

Type n and press the Enter key on the DHCP server activation request.

Configure pfsense 18

Answer n and press the Enter key when prompted to revert to HTTP as the webConfigurator protocol.

Configure pfsense 19

You can now manage the gateway over HTTPS from the private network of the Nutanix cluster.

Press the Enter key to complete the command line configuration.

Configure pfsense 20

Step 3.9 Configure some options through the web interface

Connect to the pfSense Web Console with this URL https://192.168.0.254 from a virtual machine on the AHV LAN: Base.

Enter this information:

  • User account: admin
  • Default password: pfsense

Then click SIGN IN.

WEB Configure pfsense 01

Step 3.9.1 Change the pfSense default password

From the System menu, choose User Manager.

Change Password 01

Click the Pen icon.

Change Password 02

Enter and confirm the password to the right of Password.

Change Password 03

Confirm the changes by clicking Save at the bottom of the menu.

Change Password 03.

Step 3.9.2 Add a rule to allow remote administration from a public address

Go to the Firewall menu and choose Rules.

Authorisation admin from public ADDRESS

Check that you are on the WAN tab, then click the Add button (at the bottom with the up arrow) to create a firewall rule.

Authorisation admin from public ADDRESS

Choose these options from Edit Firewall Rule:

  • Action: Pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: TCP

Select Single host or alias from the Source drop-down menu and enter the public address that can connect to the pfSense firewall.

Authorisation admin from public ADDRESS 03

Add these options in Destination:

  • Destination: WAN address
  • Destination Port Range From: HTTPS
  • Destination Port Range To: HTTPS

Click Save.

Authorisation admin from public ADDRESS 04

Click Apply Changes to activate the rule.

Authorisation admin from public ADDRESS 05

The pfSense administration interface is then reachable from the Internet over HTTPS, but only from the authorised source address, via https://WANaddress, here https://123.123.123.5.

Step 4 Setting up the IPsec VPN

Now that the two gateways have been replaced, we will configure the IPsec VPN to allow communication between the two clusters.

Step 4.1 Setting up the site in Canada

Step 4.1.1 Set up the IPsec VPN to France

Connect from an authorised network to Canada's public address in HTTPS with this URL https://publicaddress-pfsense-canada.

Go to the VPN menu and choose IPsec.

Create VPN from Canada 01

Click Add P1 to create IPsec VPN Phase 1.

Create VPN from Canada 02

Enter this information:

  • Description: VPN TO FRANCE
  • Key Exchange version: IKEv2
  • Internet Protocol: IPv4
  • Interface: WAN
  • Remote Gateway: Public address of the pfSense virtual machine in France

Create VPN from Canada 03

Click Generate new Pre-Shared Key to generate a pre-shared key in the Pre-Shared Key field.

Write down or copy the key; it will be needed for the VPN configuration on the gateway in France.

Keep the settings in Encryption Algorithm as they are.

Create VPN from Canada 04

Click Save at the bottom of the menu.

Create VPN from Canada 05

Click Apply Changes.

Create VPN from Canada 06

Click Show Phase 2 Entries.

Create VPN from Canada 07

Click Add P2 to add IPsec VPN Phase 2.

Create VPN from Canada 08

Enter this information:

  • Description: TO LAN 192.168.0.0/24 France
  • Local Network: Subnet LAN
  • Remote Network: Type Network, Address 192.168.0.0/24

Create VPN from Canada 09

Take note of the encryption settings.

Create VPN from Canada 10

Click Save.

Create VPN from Canada 11

Click Apply Changes to complete the creation of the IPsec VPN on Canada's pfSense virtual machine.

Create VPN from Canada 12

Step 4.1.2 Adding a firewall rule to allow network flow through the IPsec VPN between Canada and France

Click Rules in the Firewall menu.

Create IPsec firewall rule Canada 01

Go to the IPsec tab and click the Add button (at the bottom with the up arrow).

Create IPsec firewall rule Canada 02

Modify these options:

  • Source: Net LAN
  • Destination: Network and 192.168.0.0/24

Then click Save.

Create IPsec firewall rule Canada 03

Click the same Add button again (at the bottom with the up arrow) to add a second rule.

Create IPsec firewall rule Canada 04

Modify these options:

  • Source: Network and 192.168.0.0/24
  • Destination: Net LAN

Click Save.

Create IPsec firewall rule Canada 05

Click Apply Changes.

Create IPsec firewall rule Canada 06

The configuration of the gateway in Canada is now complete.

Step 4.2 Setting up the site in France

Step 4.2.1 Set up IPsec VPN to Canada

Log in to the public address of the France gateway in HTTPS via: https://publicaddress-pfsense-france

Go to the VPN menu and choose IPsec.

Create VPN from France 01

Click Add P1 to create IPsec VPN Phase 1.

Create VPN from France 02

Choose this information:

  • Description: VPN TO CANADA
  • Key Exchange version: IKEv2
  • Internet Protocol: IPv4
  • Interface: WAN
  • Remote Gateway: Public address of the pfSense virtual machine in Canada

Create VPN from France 03

Paste the pre-shared key that was generated on the gateway in Canada into Pre-shared Key.

Set the parameters in Encryption Algorithm to match those on the Canada gateway.

Create VPN from France 04

Click Save.

Create VPN from France 05

Click Apply Changes.

Create VPN from France 06

Click Show Phase 2 Entries.

Create VPN from France 07

Click Add P2 to add IPsec VPN Phase 2.

Create VPN from France 08

Enter the following information:

  • Description: TO LAN 192.168.10.0/24 CANADA
  • Local Network: Subnet LAN
  • Remote Network: Type Network, Address 192.168.10.0/24

Create VPN from France 09

Check the encryption settings and make them identical with the ones set on the Canada gateway.

Create VPN from France 10

Click Save.

Create VPN from France 11

Click Apply Changes to finish creating the IPsec VPN.

Create VPN from France 12

Step 4.2.2 Adding a firewall rule to allow network flow through IPsec VPN between Canada and France

Click Rules in the Firewall menu.

Create IPsec firewall rule France01

Go to the IPsec tab and click the Add button (at the bottom with the up arrow).

Create IPsec firewall rule France02

Modify these options:

  • Source: Net LAN
  • Destination: Network and 192.168.10.0/24

Then click Save.

Create IPsec firewall rule France03

Click Add again (at the bottom with the up arrow) to add a second rule.

Create IPsec firewall rule France04

Modify these options:

  • Source: Network and 192.168.10.0/24, the private network of the cluster in Canada
  • Destination: Net LAN

Click Save.

Create IPsec firewall rule France05

Click Apply Changes.

Create IPsec firewall rule France06

VPN setup is complete on both clusters. It is now possible to set up replication through the secure VPN tunnel.
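The addressing rules from steps 2.4/3.4 (FOIP roles) and 2.8/3.8 (console values), and the mirrored Phase 1, Phase 2 and IPsec-tab rule values from steps 4.1/4.2, can be generated from a single description of each site and then used to cross-check what was actually entered on each gateway before bringing the tunnel up. The following is an added example and not OVHcloud's or pfSense's own code; the site names, the France FOIP range and the entered-configuration dictionaries are constructed assumptions.

```python
"""Addressing and IPsec consistency helper for the two-site design in this guide.

Added example, not OVHcloud's or pfSense's own code. It encodes the rules the
guide states (FOIP /30 roles, LAN gateway on the last host, Phase 2 remote
network equal to the peer LAN, mirrored IPsec-tab rules) so the values typed on
both consoles can be generated once and what was actually entered cross-checked.
Site names and the France FOIP below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Site:
    name: str
    foip: str  # FOIP /30 shown in the OVHcloud Control Panel
    lan: str   # private LAN of the Nutanix cluster, distinct per site


def foip_roles(foip: str) -> dict:
    """Split the FOIP /30 into the four roles described in steps 2.4 / 3.4."""
    net = ip_network(foip, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"FOIP must be a /30, got {foip}")
    network, wan, gateway, broadcast = (str(a) for a in net)
    return {"network": network, "wan": wan, "gateway": gateway, "broadcast": broadcast}


def console_values(site: Site) -> dict:
    """WAN and LAN values to type at the pfSense console (steps 2.8 / 3.8)."""
    roles = foip_roles(site.foip)
    lan = ip_network(site.lan, strict=True)
    if not lan.is_private:
        raise ValueError(f"{site.name}: LAN {site.lan} is not a private range")
    lan_gw = list(lan.hosts())[-1]  # last usable host: .254 on a /24, as in the guide
    return {
        "wan_address": f"{roles['wan']}/30",
        "wan_gateway": roles["gateway"],
        "lan_address": f"{lan_gw}/{lan.prefixlen}",
    }


def ipsec_values(local: Site, remote: Site) -> dict:
    """Phase 1, Phase 2 and IPsec-tab firewall values for steps 4.1 / 4.2."""
    return {
        "p1_remote_gateway": foip_roles(remote.foip)["wan"],
        "p2_local_network": "LAN subnet",
        "p2_remote_network": remote.lan,
        # One rule per direction on the IPsec tab, as the guide adds them.
        "ipsec_rules": [("LAN net", remote.lan), (remote.lan, "LAN net")],
    }


def check_entered(local: Site, remote: Site, entered: dict, peer_psk: str) -> list:
    """Compare what was entered on `local` with the derived values; [] means OK."""
    problems = []
    if ip_network(local.lan).overlaps(ip_network(remote.lan)):
        problems.append(f"LANs overlap: {local.lan} and {remote.lan}")
    expected = ipsec_values(local, remote)
    for key in ("p1_remote_gateway", "p2_remote_network"):
        if entered.get(key) != expected[key]:
            problems.append(f"{local.name}: {key} should be {expected[key]}")
    entered_rules = sorted(map(tuple, entered.get("ipsec_rules", [])))
    if entered_rules != sorted(expected["ipsec_rules"]):
        problems.append(f"{local.name}: IPsec-tab rules do not mirror the peer LAN")
    if entered.get("psk") != peer_psk:
        problems.append(f"{local.name}: pre-shared key differs from the peer's")
    return problems


# Constructed sample sites: the guide's example FOIP for Canada, a made-up one for France.
CANADA = Site("Canada", "123.123.123.4/30", "192.168.10.0/24")
FRANCE = Site("France", "198.51.100.8/30", "192.168.0.0/24")
```

Run `console_values(FRANCE)` and `ipsec_values(FRANCE, CANADA)` to get the values to type on the France gateway, then feed what was actually saved in pfSense to `check_entered` for each side.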

Go further

Disaster Recovery Plan on Nutanix

Asynchronous or NearSync replication through Prism Element

Join our community of users on https://community.ovh.com/en/.
