Use PowerCLI to set your SDDC Policy Based VPN
Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
In the previous post, we talked about using PowerCLI to setup a route-based VPN. This post will show how to setup a policy based VPN.
For that I will use a new AWS VPC and a Customer Gateway with a Virtual Gateway in AWS natively.
This sets up 2 VPN tunnels with static routes compared to the BGP routes with the route-based VPN.
PowerCLI Functions
- New-NSXTPolicyBasedVPN
- Get-NSXTPolicyBasedVPN
- Remove-NSXTPolicyBasedVPN
JSON and PSObjects
In this post I want to go a bit deeper into the relation between JSON and PowerShell objects. To set up the VPN tunnels we use API calls, and with them we need to pass a payload that carries our many parameters: IP addresses, passwords, and the IKE and tunnel encryption digests / algorithms. JavaScript Object Notation (JSON) is widely used with APIs, and our NSX-T Policy APIs are no exception. When we write a PowerCLI function we need to map the JSON notation to PowerShell.
For example, a JSON object {...} is represented by a hashtable @{...} in PowerShell, the ":" becomes "=", and a JSON array [...] is represented by @(...).
Let's take a simple example. The PowerShell below . . .
@{
    display_name = "name";
    enabled = "true";
    local_address = "public_ip";
    remote_private_address = "169.254.60.5";
    remote_public_address = "52.58.160.117";
}
. . . is converted to JSON with the "ConvertTo-Json" cmdlet and gives the output:
{
    "display_name": "name",
    "enabled": "true",
    "local_address": "public_ip",
    "remote_private_address": "169.254.60.5",
    "remote_public_address": "52.58.160.117"
}
That's a simple mapping. Let's go a bit more in depth:
@{
    tunnel_digest_algorithms = @("SHA2_256");
    tunnel_encryption_algorithms = @("AES_256");
    ike_digest_algorithms = @("SHA2_256");
    ike_encryption_algorithms = @("AES_256");
}
is converted to:
{
    "tunnel_digest_algorithms": [
        "SHA2_256"
    ],
    "tunnel_encryption_algorithms": [
        "AES_256"
    ],
    "ike_digest_algorithms": [
        "SHA2_256"
    ],
    "ike_encryption_algorithms": [
        "AES_256"
    ]
}
We are getting there. Let's check the subnets. The following PS notation . . .
@{
    l3vpn_session = @{
        resource_type = "PolicyBasedL3VpnSession";
        rules = @(
            @{
                id = "policy-1";
                display_name = "policy-1";
                sequence_number = 0;
                sources = @(
                    @{ subnet = "1.1.1.1"; },
                    @{ subnet = "2.2.2.2"; }
                );
                destinations = @(
                    @{ subnet = "8.8.8.8"; },
                    @{ subnet = "9.9.9.9"; }
                )
            }
        )
    }
}
. . . is converted to JSON as:
{
    "l3vpn_session": {
        "resource_type": "PolicyBasedL3VpnSession",
        "rules": [
            {
                "id": "policy-1",
                "display_name": "policy-1",
                "sequence_number": 0,
                "sources": [
                    {
                        "subnet": "1.1.1.1"
                    },
                    {
                        "subnet": "2.2.2.2"
                    }
                ],
                "destinations": [
                    {
                        "subnet": "8.8.8.8"
                    },
                    {
                        "subnet": "9.9.9.9"
                    }
                ]
            }
        ]
    }
}
This is now almost matching the payload of our API call.
Create Policy Based VPN
Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC:
Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1
Step 2 - Get the Refresh Token, Org name and SDDC name and assign them to variables:
$RefreshToken = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName = "VMC-SET-EMEA"
$SDDCName = "GC-API-SDDC"
Step 3 - Connect to your VMC environment:
Connect-Vmc -RefreshToken $RefreshToken
Step 4 - Get the NSX-T Proxy URL used for all API calls:
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 - Get the VPN Public IP of your SDDC:
Get-NSXTOverviewInfo
On the GUI, the VPN Public IP is displayed as shown below.
Step 6 - Prepare and plan the tunnel IP addresses, encryption methods, DH Group and password as follows:
-PublicIP This is the VPN Public IP retrieved above
-RemotePublicIP This is the remote site Public IP
-RemotePrivateIP This is the tunnel private IP
-TunnelEncryption Tunnel encryption method
-TunnelDigestEncryption Tunnel encryption digest
-IKEEncryption Key exchange encryption method
-IKEDigestEncryption Key exchange digest
-DHGroup Diffie-Hellman Group
-IKEVersion IKE Version
-PresharedPassword Tunnel password
Step 7 - Choose a name for the Tunnel and run the function
New-NSXTPolicyBasedVPN -Name Policy1 `
    -LocalIP 18.197.x.x `
    -RemotePublicIP 52.58.x.x `
    -RemotePrivateIP 169.254.90.1 `
    -SequenceNumber 0 `
    -SourceIPs @("192.168.5.0/24", "192.168.6.0/24") `
    -DestinationIPs @("172.204.10.0/24", "172.204.20.0/24") `
    -TunnelEncryption AES_256 `
    -TunnelDigestEncryption SHA2_256 `
    -IKEEncryption AES_256 `
    -IKEDigestEncryption SHA2_256 `
    -DHGroup GROUP14 `
    -IKEVersion IKE_V1 `
    -PresharedPassword xxxx `
    -Troubleshoot
Successfully created Policy Based VPN
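To tie the JSON mapping above to Steps 6 and 7, here is an added illustration of how a function in the style of New-NSXTPolicyBasedVPN can assemble the full payload from those parameters; it is not the VMware.VMC.NSXT module's own code. The field names passphrases, dh_groups and ike_version are assumed (the others appear in the JSON shown earlier), the PSK is taken as a SecureString rather than plain text, and the -Depth argument is the part people most often miss: ConvertTo-Json defaults to a depth of 2 and silently flattens the nested rules.

```powershell
# Added illustration, not the module's code. 'passphrases', 'dh_groups' and
# 'ike_version' are assumed field names; the other keys appear on this page.
function New-PolicyBasedVpnPayload {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $LocalIP,
        [Parameter(Mandatory)] [string]   $RemotePublicIP,
        [Parameter(Mandatory)] [string]   $RemotePrivateIP,
        [Parameter(Mandatory)] [string[]] $SourceIPs,
        [Parameter(Mandatory)] [string[]] $DestinationIPs,
        [Parameter(Mandatory)] [securestring] $PresharedPassword,
        [string] $TunnelEncryption = 'AES_256', [string] $TunnelDigestEncryption = 'SHA2_256',
        [string] $IKEEncryption    = 'AES_256', [string] $IKEDigestEncryption    = 'SHA2_256',
        [string] $DHGroup = 'GROUP14', [string] $IKEVersion = 'IKE_V2', [int] $SequenceNumber = 0
    )
    # Fail early on anything that is not an IPv4 CIDR prefix instead of letting the API reject it.
    foreach ($cidr in @($SourceIPs) + @($DestinationIPs)) {
        if ($cidr -notmatch '^(\d{1,3}\.){3}\d{1,3}/([0-9]|[12][0-9]|3[0-2])$') {
            throw "Not an IPv4 CIDR prefix: $cidr"
        }
    }
    # One hashtable per subnet, exactly the @{ subnet = ... } shape shown above.
    $rule = @{
        id              = $Name
        display_name    = $Name
        sequence_number = $SequenceNumber
        sources         = @($SourceIPs      | ForEach-Object { @{ subnet = $_ } })
        destinations    = @($DestinationIPs | ForEach-Object { @{ subnet = $_ } })
    }
    $payload = @{
        display_name                 = $Name
        enabled                      = $true          # JSON boolean rather than the string "true"
        local_address                = $LocalIP
        remote_public_address        = $RemotePublicIP
        remote_private_address       = $RemotePrivateIP
        tunnel_encryption_algorithms = @($TunnelEncryption)
        tunnel_digest_algorithms     = @($TunnelDigestEncryption)
        ike_encryption_algorithms    = @($IKEEncryption)
        ike_digest_algorithms        = @($IKEDigestEncryption)
        dh_groups                    = @($DHGroup)
        ike_version                  = $IKEVersion
        # The PSK stays a SecureString until this point; the API needs it in clear text.
        passphrases                  = @([System.Net.NetworkCredential]::new('', $PresharedPassword).Password)
        l3vpn_session                = @{ resource_type = 'PolicyBasedL3VpnSession'; rules = @($rule) }
    }
    # Default -Depth is 2; the subnets sit five levels deep and would become "System.Collections.Hashtable".
    return $payload | ConvertTo-Json -Depth 10
}
```

Call it with `-PresharedPassword (Read-Host -AsSecureString 'PSK')` so the key never lands in the shell history, and diff its output against the JSON shown earlier before sending it to the API.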
Get Policy Based VPN info
The following function gets the Policy Based VPN info and displays it:
Get-NSXTPolicyBasedVPN
Delete Policy Based VPN
The delete function must be given a tunnel name, like:
Remove-NSXTPolicyBasedVPN -Name "Policy1"
Successfully removed NSX-T VPN Tunnel: Policy1
Thanks.