NCD – Troubleshooting Third Party VPN Connections
Navisite Cloud Director® (NCD) allows you to configure Virtual Private Networks (VPNs) that allow secure traffic between your own on-premise "peer site" networks and your Virtual DataCenter (vDC) "local site" networks.
This article provides information on troubleshooting such VPN connections, as well as Edge Gateway settings that must be matched when configuring on-premise devices (firewall or other VPN endpoint) at the customer ("peer site") connection to the VPN.
See Configuring VPNs Between On-Premise Networks and vDataCenters for instructions on defining this type of VPN connection in Navisite Cloud Director.
Troubleshooting a Third Party VPN Connection
Important: On-premise networks must be configured to explicitly allow VPN traffic, including properly defined access control lists (ACLs), routing, etc. in order for a VPN connection to function.
When troubleshooting a VPN connection between on-premise networks and vDC networks, it can be beneficial to temporarily disable the firewalls at the Navisite Cloud Director vDC Edge Gateway and vApp network, in order to isolate them as potential problems.
Refer to this article for information on configuring these firewalls.
After disabling the firewalls, you can create a test virtual machine (VM) within the Navisite Cloud Director vApp, and execute continuous bidirectional ping requests between the test VM and a machine on the on-premise network. When your settings are correct at each end of the VPN connection, the ping will be successful.
You should then re-enable your firewalls and verify proper communication.
Note: When configuring a bidirectional ping request to test the VPN connection, the ping request directed to the Navisite Cloud Director test VM should be sent to the vDC Edge Gateway IP address, and not the vApp Edge Gateway address.
Shared Key Mismatches
Shared key mismatches are a common error encountered when configuring VPN connections, and are normally logged as "psk mismatch" errors. Remember to verify the Shared Key value when troubleshooting a VPN connection. If you continue to encounter shared key mismatch errors after verifying the Shared Key value, it can be helpful to disable and re-enable the VPN to re-authenticate the key.
Network Addresses
The routing prefix specification for provided on-premise network addresses must match that of the connected vDC network addresses in order for the VPN to function. Routing prefix specifications defined in Navisite Cloud Director are required to be "/24".
Isolated Networks
A VPN connection can fail to function because of an isolated vDC/vApp network. Refer to Identifying Isolated Networks for more information.
Unsupported VPN Types
The following types of VPNs are not supported for VPN connections between on-premise networks and vDataCenters:
- NAT Traversal (NAT-T) – the on-premise "peer site" network cannot be behind a Network Address Translation (NAT) device.
- The source of an encryption domain cannot be a NAT address. Networks inside the Local site "link networks" in the encryption domain must be behind (or inside) the Navisite Cloud Director firewall.
On-Premise Device Configuration
Below are Navisite Cloud Director Edge Gateway settings that must be matched when configuring on-premise devices (firewall or other VPN endpoint) at the customer ("peer site") connection to the third party VPN being added. If these settings are not matched exactly, the VPN connection will not function.
Important: You should verify that these settings are correctly configured, and remember to consider them when troubleshooting a VPN connection.
IKE Phase 1 Parameters
- Main mode
- AES / AES 256 (preferred) / TripleDES
- SHA-1
- MODP (DH) group 2 (MODP1024 bits)
- pre-shared secret [Configurable]
- SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
- ISAKMP aggressive mode disabled
IKE Phase 2 Parameters
- AES / AES 256 (preferred) / TripleDES [will match the Phase 1 setting]
- SHA-1
- ESP tunnel mode
- Perfect forward secrecy for rekeying
- MODP (DH) group 2 (MODP1024 bits)
- SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
- Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets
Note: Perfect forward secrecy (PFS) must be enabled.
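As an added example (not part of the NCD documentation or a Navisite-supplied configuration), the following strongSwan ipsec.conf connection definition expresses the Phase 1 and Phase 2 parameters listed above for a Linux on-premise endpoint. The connection name, both /24 subnets and the Edge Gateway address are placeholders; substitute your own values.

```conf
# Constructed example: strongSwan (ipsec.conf) peer definition matching the
# NCD Edge Gateway IKE Phase 1 / Phase 2 parameters. Placeholder values:
#   192.0.2.0/24      on-premise ("peer site") network, must be a /24
#   198.51.100.0/24   vDC ("local site") network, must be a /24
#   203.0.113.10      public IP of the vDC Edge Gateway
conn ncd-vpn
    # Phase 1: IKEv1 main mode, aggressive mode disabled, pre-shared secret
    keyexchange=ikev1
    aggressive=no
    authby=secret
    # Phase 1 proposal: AES-256 / SHA-1 / DH group 2 (MODP 1024)
    # The trailing "!" makes the proposal strict (no fallback to other suites).
    ike=aes256-sha1-modp1024!
    # Phase 1 SA lifetime: 28800 seconds (eight hours)
    ikelifetime=28800s
    # Phase 2: ESP tunnel mode, same cipher/hash as Phase 1,
    # DH group 2 in the ESP proposal enables PFS for rekeying
    type=tunnel
    esp=aes256-sha1-modp1024!
    # Phase 2 SA lifetime: 3600 seconds (one hour)
    lifetime=3600s
    # Time-based rekeying only: lifebytes/lifepackets are left at their
    # defaults, so no kbyte-based rekeying is configured
    # Selectors: whole subnets, all protocols, all ports (no leftprotoport /
    # rightprotoport restriction), IPv4 only
    left=%defaultroute
    leftsubnet=192.0.2.0/24
    right=203.0.113.10
    rightsubnet=198.51.100.0/24
    auto=start
```

The pre-shared secret itself goes in ipsec.secrets (for example `%any 203.0.113.10 : PSK "<shared key from NCD>"`), and a "psk mismatch" in the logs after applying this means that value, not the proposal above, should be rechecked first.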
Contacting Support
The following information should be supplied when contacting Navisite Support while troubleshooting third party VPN connections:
- The log file from the network device at the customer ("peer site") connection at which the VPN terminates.
- Screenshots or command line output from the network device at the customer ("peer site") connection showing the VPN configuration, confirming that the settings are applied as specified.
- Any other specific screenshots or error messages that might help troubleshoot the issue.