{"id":994,"date":"2021-12-20T15:06:00","date_gmt":"2021-12-20T15:06:00","guid":{"rendered":"https:\/\/labiol.xyz\/?p=994"},"modified":"2022-01-07T20:56:12","modified_gmt":"2022-01-07T20:56:12","slug":"configure-vpn-tunnel-between-pfsense-appliance-and-vmware-vmc","status":"publish","type":"post","link":"https:\/\/www.labiol.xyz\/index.php\/2021\/12\/20\/configure-vpn-tunnel-between-pfsense-appliance-and-vmware-vmc\/","title":{"rendered":"Configure VPN tunnel between pfsense appliance and VMware VMC."},"content":{"rendered":"\n<p>If you are playing around with VMC, sooner or later you will need (or want) to configure VPN network connectivity. Direct Connect is fantastic, but I suppose not everyone can afford to buy it for a home\/lab connection \ud83d\ude42&nbsp;<\/p>\n\n\n\n<p>In particular, most production implementations are built around BGP, network propagation etc. This is hard to test, especially if you (like me) are not the network administrator.&nbsp;<\/p>\n\n\n\n<p>There are several ways to set up a VPN connection between VMC and your lab.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/5zkL9xIeGHFlp8k5FerFWN7XyouHNBUYiejCsHuLeuaU4VQl0vFWm82-s6bocwKsjXG3AXgU40VuWYlKqnRrmVTPWTLSxElPzalL5kw4ZaX6GJZNE9YOYglyxBHARquv9BPez9Xd\" alt=\"\"\/><\/figure>\n\n\n\n<p>We can use:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Route based VPN; this kind of VPN goes together with BGP<\/li><li>Policy based VPN; remember that this VPN works with static routes<\/li><li>Layer-2 connection, with 3 standard ways to provide L2 extension:<ul><li>NSX edge<\/li><li>L2 appliance&nbsp;<\/li><li>HCX network extension (not related to the VPN types presented above)<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>In this article I will concentrate on the route based VPN (later just VPN).<\/p>\n\n\n\n<p>We will go through the configuration of both the VMC side and the pfSense. 
Next we will set up the tunnel and verify that the connection is working fine.&nbsp;<\/p>\n\n\n\n<p>In the lab I prepared the environment presented below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/ATuGjqezgouXl0M2AH0eHHd-MZRcCBve9qaUlIH3o5eanBk8d_OkZXz_SJFAAYYh4wbWz0S0BuCqj1ecWlGbPejPQhALuIuLp-wX4aj9fibOr2G6UftkE_KHfubAPo7TMgqjPXPk\" alt=\"\"\/><\/figure>\n\n\n\n<p>The firewall on the left represents the physical firewall, with just two forwarding rules which redirect all incoming traffic from the internet on ports udp\/4500 and udp\/500 to the pfsense WAN interface.<\/p>\n\n\n\n<p>The right side of the image represents the VMware infrastructure. The LAN interface represents the connectivity to the VMware VM network. Later I will show you how to create a VLAN on that interface.&nbsp;<\/p>\n\n\n\n<p>Configuration:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Let\u2019s start with the VMC configuration. At this stage you will need to know the public IP of your on-prem firewall.<br>Open the vmc.vmware.com\/console portal, then select the SDDC you want to work on. 
Next navigate to the \u201cNetworking and security\u201d -&gt; VPN -&gt; Route Based blade.<br>Select Add VPN; you should see a configuration window similar to this:<br><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/TQF7naOqzL7oVYAyQ5JUPqxmzJZJHf97wUD78cqxv-jbeAlXIOVbdw7qN1_RxRS79sErNAyrkthiqsc_RcFnIhDiDiw_xrr-Piixv1zLIN-fsw-aPvu3MGW3Ds6fhup0GZPgezXK\" width=\"624\" height=\"272\"><br><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/1pysdtnaOmMlTOnQnTFVV7lnQQb5H_0tJ3buU8X7kUeybanp_pqgdtuF0I1Kxstuy73fYpShQ8fX5eGQeQBfMObU5S2f3Gni2fsJhpiv7fvsKqYWmYOA_RZyOxabwlbm-QDFte0U\" width=\"624\" height=\"76\"><\/li><\/ol>\n\n\n\n<p>Set the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Local IP address &#8211; select Public IP (and note it)<\/li><li>Remote Public IP &#8211; IP address of the on-prem firewall (router)<\/li><li>BGP local IP\/Prefix &#8211; use a \/30 CIDR from 169.254.0.0\/16, with some addresses excluded (click the \u201ci\u201d in that field for details)<\/li><li>Remote BGP IP &#8211; set one IP address (without prefix) that will be used on-prem, for example: 169.254.100.2<\/li><li>BGP Neighbor ASN &#8211; set the ASN for the on-prem pfsense (from the private range: 64512 to 65535)<\/li><li>Preshared key &#8211; enter a non-trivial key (but try to avoid special characters)<\/li><li>Remote private IP &#8211; IP address of the pfsense (WAN interface)<\/li><\/ul>\n\n\n\n<p>Set the rest of the fields as on the screenshot above.<\/p>\n\n\n\n<p>VPN settings can be chosen according to the documentation: <a href=\"https:\/\/docs.vmware.com\/en\/VMware-Cloud-on-AWS\/services\/com.vmware.vmc-aws.networking-security\/GUID-5566A021-ECF7-41C4-B899-30924EBCD81F.html\">https:\/\/docs.vmware.com\/en\/VMware-Cloud-on-AWS\/services\/com.vmware.vmc-aws.networking-security\/GUID-5566A021-ECF7-41C4-B899-30924EBCD81F.html<\/a><\/p>\n\n\n\n<p>According to this 
documentation, IPsec phase 1 and phase 2 can take the values presented on the screens below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/yalpYWoO3dQkd8-CUu7Gj9UB4PdnmMXdOaW7fIMKNzwNDxeAC5FAWuAS-wYVxFpeSMb-Ejl8gWos7D0TO_r-IRh6P0cEpTF0zqmVbV3PHr4GoCzGbLNUKZYho9IkfTWyEHdlH0p3\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/xeYHoMqeoyx9gdthRdtGoIZVQ2XjRK2qRmy6C9GXRdUgbU6K4_DR_LFR8B_G7AuaumDpnQ6MLnD05ofIYtmI915kjAiW4oQ-9UkHELRWVBkw1hi6Q7XkLvLB38fr5KlwnSYyXYAw\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/Li54yeyM0zT_13Lcxg1Bl8fp3JUiFWPUJzAgomARQ9gcEzOF8X5bKLHpyCMy6VGzp854UsCBvca_wI8p9RcEj8iSP6f-UXwR5WN52mWAOwL1z4xV4warGHEz9dr4gILqxBASy52p\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/GKG8QKZmUEDA0AnmW0YvS5d-E8Jm4iOHxI2SC3t4QhOJ8BzDmxH1bOfnxhlgApw2xcL0WScbGWAVSwRr6Bf0UpDhWnbXPOYe6ZxeVgPlWiIDnVGrrL6_hSEovKxGmcVmwi8c9jjr\" alt=\"\"\/><\/figure>\n\n\n\n<p><br>The configuration can be downloaded from the same screen after saving the settings:<br><br><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/VjUWUm6TVHaBIQ0gdq9h74t1Q-sBw616064Gt2894ja09Vkb34tOLaTCKo_W8jCkBQxc9_BZk6Yi0DV5p1dC9XfZhTfuQ0d8_ReMMoUrFDG5VaCnQ-dRVK7T0DzJNMU6cWSDIJg-\" width=\"624\" height=\"104\"><\/p>\n\n\n\n<p>Keep this file in a secure place, as it will contain the pre-shared key.<\/p>\n\n\n\n<p>The downloaded file should be similar to the following dump:<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container 
is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><code>#<\/code><br><code># Enforcement point path\u00a0 \u00a0 : \/infra\/sites\/default\/enforcement-points\/vmc-enforcementpoint<\/code><br><code># Enforcement point type\u00a0 \u00a0 : NSXT<\/code><br><code>#<\/code><\/p><p><code># Suggestive peer configuration for IPSec VPN Connection<\/code><br><code>#<\/code><br><code># (cutted)<\/code><br><code># Internet Key Exchange Configuration [Phase 1]<\/code><br><code># Configure the IKE SA as outlined below<\/code><br><code>IKE version\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : IKE_V2<\/code><br><code>Connection initiation mode \u00a0 : INITIATOR<\/code><br><code>Authentication method\u00a0 \u00a0 \u00a0 \u00a0 : PSK<\/code><br><code>Pre shared key \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : PASSWORD<\/code><br><code>Authentication algorithm \u00a0 \u00a0 : [SHA2_256]<\/code><br><code>Encryption algorithm \u00a0 \u00a0 \u00a0 \u00a0 : [AES_256]<\/code><br><code>SA life time \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : 86400<\/code><br><code>Negotiation mode \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : Not applicable for ikev2<\/code><br><code>DH group \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : [GROUP14]<\/code><br><code>Prf Algorithm\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : [SHA2_256]<\/code><br><code># IPsec_configuration [Phase 2]<\/code><\/p><p><code># Configure the IPsec SA as outlined below<\/code><br><code>Transform Protocol\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : ESP<\/code><br><code>Authentication algorithm\u00a0 \u00a0 \u00a0 \u00a0 : [SHA2_256]<\/code><br><code>Sa life time\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : 
3600<\/code><br><code>Encryption algorithm\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : [AES_256]<\/code><br><code>Encapsulation mode\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : TUNNEL_MODE<\/code><br><code>Enable perfect forward secrecy\u00a0 : true<\/code><br><code>Perfect forward secrecy DH group: [GROUP14]<\/code><\/p><p><code># IPsec Dead Peer Detection (DPD) settings<\/code><br><code>DPD enabled \u00a0 \u00a0 \u00a0 \u00a0 : true<\/code><br><code>DPD probe interval\u00a0 : 60<\/code><\/p><p><code># IPSec VPN Session Configuration<\/code><br><code>Peer address\u00a0 \u00a0 : LOCAL_VMC_IP_ADDRESS # Peer gateway public IP.<\/code><br><code>Peer id \u00a0 \u00a0 \u00a0 \u00a0 : LOCAL_VMC_IP_ADDRESS #the same as above<\/code><br><code>Peer Subnet \u00a0 \u00a0 : 0.0.0.0\/0<\/code><br><code>Local address \u00a0 : REMOTE_ON-PREM_PUBLIC_IP_ADDRESS # Local gateway public IP.<\/code><br><code>Local id\u00a0 \u00a0 \u00a0 \u00a0 :\u00a0 PFSENSE_WAN_IP<\/code><br><code>Local Subnet\u00a0 \u00a0 : 0.0.0.0\/0<\/code><\/p><p><code># Virtual Tunnel Interface<\/code><br><code>Peer VTI address \u00a0 \u00a0 \u00a0 \u00a0 : 169.254.100.1<\/code><br><code>Local VTI address\u00a0 \u00a0 \u00a0 \u00a0 : 169.254.100.2<\/code><br><code>Tunnel Interface MTU \u00a0 \u00a0 :\u00a0 bytes<\/code><\/p><p><code>#<\/code><br><code># BGP Configuration<\/code><br><code>#<\/code><\/p><p><code>BGP neighbour IP\u00a0 \u00a0 \u00a0 \u00a0 : 169.254.100.1<\/code><br><code>BGP neighbour AS number : 65000<\/code><br><code>BGP local IP\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : 169.254.100.2<\/code><br><code>BGP local AS number \u00a0 \u00a0 : 65500<\/code><br><code>BGP hold down timer \u00a0 \u00a0 : 180<\/code><br><code>BGP keep alive timer\u00a0 \u00a0 : 60<\/code><br><code>BFD Status\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 : false<\/code><\/p><\/blockquote>\n<\/div><\/div>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p>Most of the information above we will use in our pfSense 
configuration. Pay special attention to the timers.<br>At this stage the VPN status will be down.<\/p>\n\n\n\n<p>Verify\/set the local ASN:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/rZcDKSexnpujssJRFVJ9bLAg5rBnsreQF-95PiPSGIfA1NH2ANyaXKFJgnpdHprbmPhDwXnuab_iiSRdOBNWlzsZxUFCZA3DVHBLEyD4jQTNmh2TdsTWHXKXi3No1N9bjRWFaqSc\" alt=\"\"\/><\/figure>\n\n\n\n<p>This should also be from the private range.&nbsp;<\/p>\n\n\n\n<p>The next part is about pfsense. If you are running some other router, this article can be a good starting point for you: <a href=\"https:\/\/vmc.techzone.vmware.com\/resource\/ipsec-vpn-configuration-reference#introduction\">https:\/\/vmc.techzone.vmware.com\/resource\/ipsec-vpn-configuration-reference#introduction<\/a><\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\"><li>pfSense configuration<br>Installation is rather straightforward. Try to use the latest version of this software. After the installation you should be able to log in with the default admin\/pfsense credentials.<\/li><\/ol>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/bd4s-dRmtw18shAaGp2Hy3L_7LAlRhl9IpXl3ox7-IKwy1a29d8_GPpznjiZ78FEKoGJC-oLBXtmtRsN5FEjRWCF-zYS_j9q5wHGnxYc8_mjGIB7kL9Vji6nLl0GdmszdDOJe_s2\" width=\"624\" height=\"404\"><br><br>If this is your first time with pfSense, take a moment to familiarize yourself with it. The main menu is at the top<br><br><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/BN902MSO1s8f5PQ2mUmivtrqxnlzEwIHqqRb2tl1V4vyEuCiqQXQ3hZxkhgz2tTm0qfbY6XEmCvsQc5W6fkt__jNOFivi60cSsznHLmbjoQgF3zVmazABaTimz0Nu71SPmUReA67\" width=\"624\" height=\"39\"><br>The Help doc\/book entries in that menu are just links to the appropriate internet pages. 
So it will be more convenient to have an internet connection from the station you are managing from.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">APIPA<\/h2>\n\n\n\n<p><br>The first, optional step I always enable in the lab is to allow APIPA (the 169.254.X.X network). We will use this network later.<br>To do this, go to the <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/vOjrKVoAsoN1wPemVcmnnzf9UDs21_iA0jVmrnxG3vVC1bvif01_PpH5uZ3AIkp-NnREhYgULSV7qchc4xLQSL4ubvDCvwC1IYeQ90WMk_xSfsO7QIQDCFxA8Z734zmSl1q48uRl\" width=\"624\" height=\"75\"><\/p>\n\n\n\n<p>And tick the following box<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/rXuvp4lEXorYB_Xm2ZYO46eQkCUMJaZA1jKDu4Nt5Q_K4OCDrG0EXBJTivuqhClt9cUCOzK8RpEikWsiuQmfu7uVRuBwlHX6UpMF80989vs9CKxV_n-Lkn4U5E9kqGU_ZUsnT9SQ\" alt=\"\"\/><\/figure>\n\n\n\n<p>Then save the configuration (Save button at the bottom).<\/p>\n\n\n\n<p>pfSense by default does not have any dynamic routing support (we are interested in BGP and OSPF, as these are the protocols supported by NSX-T). For that reason, we need to install a (free) add-on from the pfSense package manager.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FRR<\/h2>\n\n\n\n<p>This can be done via<br><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/Zx9marOLp_eu9_GYjK_hlpqWuTsCXN30NP2AyMoE337mlbSpU5HTZEVpVLoN5GHt_i6IO2uK9jCQX9Y0ZHYREy0zbCyTX3NaWym9nl1zVVX341JcDOg712OgYvnKAzuYpyeGkqGq\" width=\"624\" height=\"57\"><\/p>\n\n\n\n<p>and search for frr. During installation you may get the following error. 
Do not worry about that.&nbsp;<br><br><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/JEVVui8oQqJsHEKYKlu7G-z-OmXWBG0tMBxe5VKQaQotqtjqEr69fCb24XnglHw0ZHuBhI3ncu36KVVpubWvuLCsEf1cbFO4xDEzlky8cB72KM393Bo7pkgSWyPVlz5Rw-g91ELL\" width=\"624\" height=\"163\"><\/p>\n\n\n\n<p>FRR should show up as an installed package right after, and should look similar to mine:<br><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/JNceRny7BKAPbKVyccCSeGp63DXNCe-JooEqHNtQElxX6eRH4oIu5pkq0q7nE1he1VbTJjAerGuvCH5PLEWc8Fg6At9ru0ACHH3H-sj7JrQR4yehm1aClRLLF1z8FBleXR7VsLAQ\" width=\"624\" height=\"133\"><\/p>\n\n\n\n<p>Next, let&#8217;s concentrate on the VPN and IPsec. For that we need to know the public IP address of our VPN in VMC. This can be checked on the VMC\/SDDC configuration page (vmc.vmware.com\/console), in the Network &amp; Security -&gt; Overview blade. VPN Public should be visible at the top of the network diagram.<\/p>\n\n\n\n<p>First, our target is to create the IPsec phase 1 configuration.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IPsec<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/JLeRhQ3YWtPKUAZwHLiinxObAEOjqy47sVsWLAxpm6WhVp8BH5kYrfL_rV9GESf62ai1EHIbNaQPzNr2klyMEUVdP7tf_BkPTAQ8IBqxW4EmCTO-voFcvRXrpPjTmVtnyUGOXCpw\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/w32b8hwgmYznW10z144KNdv4EHY8MckQ1yr2Ewm2uMsAC3-XNy8F2jx_qG3P3RoIUShpGnNYiuDO6iN4OSkaF7zujGnlOOgRDq7eZlhdRRyOk6TmLFcIkC-7YKI-Tdnr18WdC-gm\" alt=\"\"\/><\/figure>\n\n\n\n<p>Remote Gateway is the public IP of the VMC VPN Public.&nbsp;<\/p>\n\n\n\n<p>Next you need to set the following:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh6.googleusercontent.com\/Eq4RUukz_h-jSTQC4rcgtXB0-KnpJW1lZf5W6WVMSJKNhjj8g_oOxZ0rBSCzp06-3qWXmsr39nmyGPocqbTvwQPQKrZpzTCnDR0PMUKbJ6uM5Sw8Hr3k3ZuS7BiQKTeHmjAtFvRB\" alt=\"\"\/><\/figure>\n\n\n\n<p>Here \u201cmy identifier\u201d is the IP address of the pfsense LAN interface, and the peer identifier is again the public IP address of the remote (VMC) VPN.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/ydPUkc0ha0GJDDt00JoCd3qMowbJ8jlty8O5nVz1u2wA8wM0BdchwT1iHXd6kOh1PV2vf5VQnLe5MA90pJDt_nDKwwqTg7vW6HWorAbUXi103WhuApEifxu4_kEe_iNZb-LrNJeC\" alt=\"\"\/><\/figure>\n\n\n\n<p>Phase 2 should be configured as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/x5GLKYv8luAk74whgmkDYyP-4R8Wq-kdbl1U54Lduj2Tlkfglb3dZOZ8Bm280GHnp7TPLpGR4B4LMztughh5cuFbRmTAu8QF8mssTxKbYy2z_KosoTP-R1Zp6XNecd-mDqmVLzSv\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/OLi5zsIrJ6g44faH5IZMGyTRrXO0dNl2m4fefgaY0lQlpnqTNy1EoYGeFrm7lWNpCqYRzAb0aaFTRMqBzF6nMAFFPNaIqJFvD7AIMecel9dco_KALzWwSa63NMLeFFUmyQkYXTX0\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/qSAEi3k_PpzaK9aUsZqBolP1TcFosQ1LeIDoQQuKjW21nBQ_n2mDejwwQc-dYprbGzw2B82jZd5ABOEPV2MjYg5ugDp1q-KxtVy9DnSrWOTRRly4z3e_ByzUdwPKXGjIML21gkAX\" alt=\"\"\/><\/figure>\n\n\n\n<p>Validate the configuration and apply the settings:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/2MyIQTUJ0aFRw8_ho_YbKCks_K2LDOyt21ncvE9GKWJq2-49CLe3NOy4_RrzW7y-lW7hjfOGIQ6gVMWlgz7sgKf3zsLxB65NMq7hseK3u0Ix9bxZjK5LQRTsZLKeHSiDdC097Jdf\" alt=\"\"\/><\/figure>\n\n\n\n<p>The final result should look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh5.googleusercontent.com\/q6L1VJ_AioSbi2sUbuciyUCZemIZDnZGn_c9qnxefobYKX4hY5hEQZ0-E5PxHcwzqoPg85ry48L67GnHqoxfwpuOKvdJhV4go1Wbr1HJ-98TeWsM0g-JYc4JteCk6g9fCFtDDZOb\" alt=\"\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Assign the IPSEC interface<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/hhNLMp81U7sZ96eY7WP-c8VbLOXOZeTvM6qFmVO25-DItimTpovsUE-v8MBYxGXcwPDIebOse2uQHekKj6D5vp46gQOur3OHaWzbtUQXxfNMnym8d1X1aVQP5qqtAaw4mj7FPR8H\" alt=\"\"\/><\/figure>\n\n\n\n<p>Go to Interfaces -&gt; Interface Assignments and assign the newly available interface named ipsec vti. Next, edit the interface to enable it; optionally you can also set the interface description.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Firewall - allow traffic<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/OByTMrNRR9PaV-4KHBXd40OYHXVo7dpVCGk9QA7TlzMFC7QqyKHwhScdLTttLkaBqaQD-7hFdyXGSa_cjVvDk6wtewF3yXTcu7gEfl4xwMLzvaXDIoJaeYa-MfCn58NI8RYkoT4k\" width=\"624\" height=\"128\"><\/figure>\n\n\n\n<p>Go to Firewall -&gt; Rules and select the IPsec tab.&nbsp;<\/p>\n\n\n\n<p>Create a new rule; as an example you can take the values from the screenshots below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/L1qePoifTZOKVttyFcKZok7jKSAl73xkXuqqcpxT3F7voVbccel082AURauQ0cK-1WOENXH_tSt4OXQD-0bufA0vvtyrG_LlnEcNoFGzfH2prS7VC1vy3LJtxaRqREisUtaO-3LU\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/U0NOgVNXRFmI_ICdF8SPuCuLSBMALKpRkKs7UE9xKDGeYJMDcRY2wf_olqPY2GgiDs7zqirTKd0xRxnIgvUAkrx_A4YgJBo32EiWtRogb_MfXDiaXlF1K0u_zl2gPXu0CD1P-gsx\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh3.googleusercontent.com\/dAa3eIjt2gRKduDv8CFJ6gg-grXdH-g0JAyRJVNbwP0iFYvvzC0w48-KHNMQ_0qxrc1K0Mxn67Xc4_EdSTwHnV9WQn-l2Fal6eMWtWtxiZHXI5mrC7itbZYHQz7eBwT5a6wTec01\" alt=\"\"\/><\/figure>\n\n\n\n<p>At that point you can run some diagnostics. First of all, go to Status -&gt; IPsec -&gt; Overview and verify the tunnel status. It should look very similar to the following:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/x1Yer1N5mllN43if0nMYn-cCiRYrdn3r4yC0Q7UkVlHxxHVaJCRn_L_G2IbqeG-UUqJB-lHH-mViOgfcvj2A1dZRFuxzBDgJ084CHNuV5rfDoQ8USHh88pKRT-iIJp5SIxu7UzRF\" alt=\"\"\/><\/figure>\n\n\n\n<p>From the VMC console, VPN blade, also verify the VPN status. It should be in the established state.<\/p>\n\n\n\n<p>You can also run a ping with the appropriate options from the Diagnostics menu:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/gyFaQUfCgt9P1vFlDkjW_2xohICcsJ1Vgr5ppnyl33PFjWpLjeGO_7Z9PlFPHv3X648kg933pwuxlKdEz6vxQvC2lYCEaPMHBr700GyCgR1CpcaEUcUfQKzlDsFAqYuaU2l-FsQR\" alt=\"\"\/><\/figure>\n\n\n\n<p>If everything is fine, the IPsec tunnel is up and running and we are able to connect to VMC, so let's enable BGP on our pfsense.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">BGP&nbsp;<\/h2>\n\n\n\n<p>From Services -&gt; FRR BGP configure the following settings:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/-G1hGecIXIPQPREN8EQgjuaVmvZDmqYqbmAASJVew-mDOjCXrPSlbr2sPDpDROUonCcKlsSw7UBLqR1vHl14joy9csi22KDCO3pwNmJU2UdSoH5SUNmsuCnIgp-1i4h6Z5LhBuD3\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/Fg-SV_kaox4SRZTy-pcyTexda3dYPKPnOjq0-OyweGvweErgZCmOTz_z9UKaTXRTPJq10g22p9JKbQB4vF2Ckp4YU59af9YMlGEfuQ5uRV791MOQilUCHrM06EfSQkRm-TvQaDp9\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh5.googleusercontent.com\/KG-DtXxmqvpbfUnkECbq3aQL4EkF0EBzwu2nxDFWUUcmHi0oQ_MzzNtplCHyUHhJNYvb5KoSLNlQd5MrayWdF8TIkv-8CUeCgM5Spx-YwuTzYxLrfTXFx4QWywTGE5JeQARbc1v6\" alt=\"\"\/><\/figure>\n\n\n\n<p>The timer values need to be the same as in the configuration file downloaded from VMC.<\/p>\n\n\n\n<p>Next, add the values in the Neighbors tab:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/K7bdEbGZsoxlxPUAp9hK3amtbcBkUfykH9TbbZaPv7xBS-O3TjJc1-DUkdDydNZUntUp65QAo2jNeQI0C2yADcfAOcGjuSvjZBck_T45ny0IOYWOt6I1Ag_W3QJN-z8paiXmu3hc\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/rvzvtGkld6Oy5EgFMJkWUIyIIepIPtv_uk7GyWejxmubkTm7YC9q9-ZoVoMvOoT7lCLSPqAwvQ34hJsou9rZKT33Qrqjt4NoxRoNFUyWnj4vYVSV1g_gp9owcn60RmI5C-Co1X8s\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/XMin6uJeIlLtvDDBOapuSaXhV-TSKiOV5ApQNeZp0kudhCniucJH37tjQYAOiviu_Nz3qP8Rgg-GdloWYidtCYIbMelq9jtR-5ds7VN37wKV_EyCYWtud7MCABR9T8n57M22LYTg\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/VBUAQx0nyNJ1A9KGilXqJdb9b1zZJz3jhgqrsteugwQxG-kiQ6vhBD17tZeo2rwrqBzCK_i0-7rMyndGaCGEi_nzTviBKnXKPFFLfjjRPZApk94PQewXVRkeHj3WQPkBznKRNHAD\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/BVhWvZkO2e07V0zeFZDzVw0vRd82Lk3ILq40tQEX86r5AMVHmX_FByJcc8fabG5KPInrzfojFzxPLSY73jR3oNEDXsfC1rsgKMuspVycn4Kz5_Th6s_eM0Dsa2rzR9zXYMMLM4wN\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/FbKU6S4aswUfKf6-ZJsxYVObeVlFvbMzy2UUeunim0K38ARt0F9aMzGh0YKDr6FxS4srn-lcYdxJONaJNF3YaClcqa36pYWx4f1YycEGIYgQU9ubg58dCzhPuR03cPAbgrHIVAFc\" alt=\"\"\/><\/figure>\n\n\n\n<figure 
class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/5THsPM4kVGUOYjEwqzpN9VXLYU34lIWL7iRswU59mr_NTApVrSXKuPL9T153AgfnJ6btoLkqpswIDsLxT9n7HcbO_ElqtsncksIVaBkwOY1NsLxc8kyXgCEteFRrHylgjjva3Z36\" alt=\"\"\/><\/figure>\n\n\n\n<p>After a while BGP should propagate the networks.<\/p>\n\n\n\n<p>Verify BGP from the Status tab.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/65SsiZLz3HtA3eCZxnJffW-hpoVGKSCo_NJzWRRpfRlTVKnwTZ-paFb-_P-whBQsPNyOdogGTC59qTX4JglA_BUgUZ_kbB4dqea_eS1JKghkHufgj23vMYswEIZBovdbqTP_t19W\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/Gw9Cxr_nXvBmikK6jTSVRnGSfnL3XWMkVoo46jDHx4-2Z6eebuEpqlLQ4FfIGHpSYMKMpV-sZdZhfGOJBnd_tibOq53pblRZbyoSlLQYKkCBCQ8D0FhI5LSBD4vMfI8ATlJdw6Ii\" alt=\"\"\/><\/figure>\n\n\n\n<p>BGP state should be: BGP state = Established<\/p>\n\n\n\n<p>Also in VMC you should see that the BGP status is up.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/ThJaLXMJyxaFNVZcHBFo-YFEGwYKhlyid0TCrd-FL8USpw0R4VdHFQaS_TO6Ls9VJ3Au0xrg-7cK948RmUMU3_P8ZTTEjHkVPqA1UvxtPVS43EraxBRiB_VPkFrw7qolR9RYzkkj\" alt=\"\"\/><\/figure>\n\n\n\n<p>Summary:<\/p>\n\n\n\n<p>Now, hopefully with BGP in place, you can create networks on the pfsense side and verify that these networks are visible in VMC. Also test propagation in the opposite direction.&nbsp;<\/p>\n\n\n\n<p>You can also try to configure and test more complicated scenarios, and hopefully share them with the community.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are playing around with VMC, sooner or later you will need (or want) to configure VPN network connectivity. 
Direct Connect is fantastic, but I suppose not everyone can afford to buy it for your home\/lab connection \ud83d\ude42&nbsp; Especially most of the production implementations are around BGP, &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-994","post","type-post","status-publish","format-standard","hentry","category-vmware"],"_links":{"self":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts\/994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=994"}],"version-history":[{"count":9,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts\/994\/revisions"}],"predecessor-version":[{"id":1003,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts\/994\/revisions\/1003"}],"wp:attachment":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}