VMware Cloud Community
ericsl
Enthusiast

VPN between two ESX hosts

Hello All,

I need to connect two (or more) ESXi hosts in different locations without access to the firewalls on at least one end (the client end).

It seems to me that there would need to be a site-to-site VPN setup (like OpenVPN) and the ESXi hosts would need to have a separate VMkernel set up for the VPN connection through the VPN.

Another option would be to set up the VPN as a gateway/router and change the gateway in the hosts.

Does either of these make sense? Is there a better way to do it? Have you done it?

Thanks in advance,

~eric

weinstein5
Immortal

Just to be clear are you looking at connecting to the ESXi hosts? Are you able to ping the hosts from your workstation? What error do you get when you try to connect the hosts?

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
tomtom901
Commander

That's possible, I've done this in the past. The advantage I had was that my default gateway for the management subnet was a device that was capable of IPSec VPN so I didn't have the need to add any additional routes or change the gateway on the ESXi hosts.

You don't per se need to set up an extra VMkernel port for the VPN connection. Just add a route on the ESXi host(s) towards the other host / subnet and add the next hop IP address.

lamarty3
Contributor

Hi,

I don't think you really need a separate VMkernel. On which network are your ESXi?

ericsl
Enthusiast

weinstein5, just to clarify, there is no error involved here. I am just trying to determine how to get WAN networking set up between sites (including ESXi hosts) without having access to the firewall on one end. It's not ESXi-specific, as it does not matter what type of host is involved.

tomtom901, interesting, I did not know that you could add routes to an ESXi host. Can that be accomplished through the vSphere client or does it have to be via command line?

My setup would look like this:

Owned site:

Firewall with full access and some type of IPsec VPN, such as OpenVPN

ESXi hosts and vCenter accessible from remote site.

Client site:

No firewall access. No port forwarding available. Client must initiate VPN.

Some type of IPsec VPN that can initiate a connection to the Owned site through the local firewall's NAT.

Routing to send data from the local ESXi host and other necessary clients, such as vSphere Client, backup agents, etc., to the remote site. This router would need to send all Internet traffic to the local gateway and all VPN traffic to the Owned site.

ESXi host and other clients accessible from Owned site.

The bugger is not having control over the client firewall so we have to traverse NAT locally.

This creates another gateway on the network that does the routing.

Does this make sense?

~eric

tomtom901
Commander

The vSphere client cannot do static routes; you must do this via the CLI.

To list the current routes (either directly connected or static):

~ # esxcli network ip route ipv4 list
Network      Netmask        Gateway      Interface  Source
-----------  -------------  -----------  ---------  ------
default      0.0.0.0        192.168.1.1  vmk0       MANUAL
192.168.1.0  255.255.255.0  0.0.0.0      vmk0       MANUAL
192.168.2.0  255.255.255.0  0.0.0.0      vmk3       MANUAL
192.168.3.0  255.255.255.0  0.0.0.0      vmk1       MANUAL

To add a static route for the 192.168.4.0/24 subnet, routed via 192.168.1.2:

~ # esxcli network ip route ipv4 add -g 192.168.1.2 -n 192.168.4.0/24
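
An added example (not from the thread or from VMware): a small POSIX shell wrapper around the two esxcli commands above that parses the route list before adding anything, so that re-running it on a host never stacks a duplicate route and never silently overwrites a route that already points at a different gateway. It assumes the list output has the column layout shown above; the ESXCLI variable and the constructed SAMPLE_ROUTES text are there so the parsing can be exercised away from a real host.

```shell
#!/bin/sh
# Added example: idempotent static-route helper for an ESXi host.
# Assumption: `esxcli network ip route ipv4 list` prints the five columns shown
# in the thread (Network Netmask Gateway Interface Source) after two header lines.
# ESXCLI can be pointed at a stub for off-host testing.
ESXCLI="${ESXCLI:-esxcli}"

# Constructed sample of the list output, mirroring the thread's table.
SAMPLE_ROUTES='Network      Netmask        Gateway      Interface  Source
-----------  -------------  -----------  ---------  ------
default      0.0.0.0        192.168.1.1  vmk0       MANUAL
192.168.1.0  255.255.255.0  0.0.0.0      vmk0       MANUAL
192.168.2.0  255.255.255.0  0.0.0.0      vmk3       MANUAL
192.168.3.0  255.255.255.0  0.0.0.0      vmk1       MANUAL'

# prefix_to_mask PREFIXLEN -> dotted netmask (24 -> 255.255.255.0)
prefix_to_mask() {
    p="$1"; m=""
    for _ in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then o=0
        else o=$((256 - (1 << (8 - p)))); p=0
        fi
        m="$m${m:+.}$o"
    done
    echo "$m"
}

# route_exists NETWORK NETMASK  (route list on stdin) -> exit 0 if that exact row exists
route_exists() {
    awk -v net="$1" -v mask="$2" '
        NR > 2 && $1 == net && $2 == mask { found = 1 }
        END { exit found ? 0 : 1 }'
}

# route_gateway NETWORK NETMASK  (route list on stdin) -> prints the Gateway column
route_gateway() {
    awk -v net="$1" -v mask="$2" 'NR > 2 && $1 == net && $2 == mask { print $3; exit }'
}

# ensure_static_route NETWORK/PREFIX GATEWAY
# Adds the route only when absent. If the network is already routed via a
# different gateway it refuses (exit 2) rather than changing it under you.
ensure_static_route() {
    cidr="$1"; gw="$2"
    net="${cidr%/*}"; mask=$(prefix_to_mask "${cidr#*/}")
    routes=$("$ESXCLI" network ip route ipv4 list)
    if printf '%s\n' "$routes" | route_exists "$net" "$mask"; then
        have=$(printf '%s\n' "$routes" | route_gateway "$net" "$mask")
        if [ "$have" = "$gw" ]; then
            echo "route $cidr via $gw already present"
            return 0
        fi
        echo "route $cidr already present via $have, not $gw; refusing to change it" >&2
        return 2
    fi
    "$ESXCLI" network ip route ipv4 add -g "$gw" -n "$cidr"
}

# Stand-alone demo on the constructed sample (no host access needed).
if printf '%s\n' "$SAMPLE_ROUTES" | route_exists 192.168.4.0 255.255.255.0; then
    echo "sample: 192.168.4.0/24 already routed"
else
    echo "sample: 192.168.4.0/24 missing, would add it"
fi

# On a real host: ./ensure_route.sh 192.168.4.0/24 192.168.1.2
if [ $# -eq 2 ]; then
    ensure_static_route "$1" "$2"
fi
```

The refusal on a gateway mismatch is deliberate: on a management network, a route quietly re-pointed at another next hop is exactly the kind of change that is hard to notice and easy to abuse, so the script reports it and leaves the decision to an operator.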

ericsl
Enthusiast

tomtom901, this looks promising.

I am looking at PHD Virtual for backup. They are using an appliance model to run the backups and replication. I would have to be able to add static routes on their appliance as well.

It's pretty easy to do it for the Windows servers that would be running vSphere Clients or other agents, such as Veeam.

~eric

ericsl
Enthusiast

After more research I have found the following about my original statements:

My setup would look like this:

Owned site:

Firewall with full access and some type of IPsec VPN, such as OpenVPN

Update: IPsec and OpenVPN are similar but different. The biggest difference is that OpenVPN works on a client-to-server VPN initiation basis, not mutual as most IPsec VPNs are. Because of this, OpenVPN is what I need, since I can install OpenVPN behind a client's NAT'd firewall and still make a connection to my OpenVPN server, which will stay alive. I can then route through the client both ways between networks.

ESXi hosts and vCenter accessible from remote site.

Client site:

No firewall access. No port forwarding available. Client must initiate VPN.

Update: OpenVPN does this by default.

Some type of IPsec VPN that can initiate a connection to the Owned site through the local firewall's NAT.

Routing to send data from the local ESXi host and other necessary clients, such as vSphere Client, backup agents, etc., to the remote site. This router would need to send all Internet traffic to the local gateway and all VPN traffic to the Owned site.

Update: Routing is available in conjunction with pfSense.

ESXi host and other clients accessible from Owned site.

Now on to testing!

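An added example, not part of the thread and not from OpenVPN or pfSense, showing the OpenVPN pieces that make the arrangement in the last two posts work: the client site only ever initiates an outbound UDP connection (so no inbound rule or port forward is needed on its NAT firewall), the server learns which client owns the client-site LAN (route + client-config-dir + iroute), and the server pushes the owned-site LAN route back to the client so traffic flows both ways. The addresses are assumptions chosen to line up with the esxcli example earlier in the thread: owned-site LAN 192.168.1.0/24, client-site LAN 192.168.4.0/24, tunnel 10.8.0.0/24; the certificate CN "clientsite", the server hostname and the key/cert file names are placeholders.

```shell
#!/bin/sh
# Added example: generate the server, per-client and client OpenVPN configs for a
# client-initiated site-to-site tunnel. All addresses/names below are assumptions.
OWNED_LAN="192.168.1.0 255.255.255.0"    # assumed LAN behind the owned-site server
CLIENT_LAN="192.168.4.0 255.255.255.0"   # assumed LAN behind the NAT'd client site
CLIENT_CN="clientsite"                   # placeholder certificate common name
SERVER_PUBLIC="vpn.example.com"          # placeholder public name of the owned-site firewall

# Owned-site server. Only UDP/1194 inbound is needed here; certificate auth plus a
# tls-auth key keeps unauthenticated packets from even reaching the TLS handshake.
server_conf() {
cat <<EOF
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
tls-version-min 1.2
remote-cert-tls client
# kernel route on the server: packets for the client LAN go into the tunnel
route $CLIENT_LAN
# per-client files live here; the iroute inside tells OpenVPN which peer owns that LAN
client-config-dir ccd
# tell the client-site peer how to reach the owned LAN through the tunnel
push "route $OWNED_LAN"
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# ccd/<CN>: ties CLIENT_LAN to this certificate, so no other client can claim it.
ccd_entry() {
cat <<EOF
iroute $CLIENT_LAN
EOF
}

# Client-site peer (behind the NAT firewall). nobind + outbound UDP is all the NAT
# has to permit; the server-pushed route handles the return path. The ESXi host at
# this site then only needs a static route for OWNED_LAN pointing at this box.
client_conf() {
cat <<EOF
client
proto udp
dev tun
remote $SERVER_PUBLIC 1194
nobind
resolv-retry infinite
ca ca.crt
cert $CLIENT_CN.crt
key $CLIENT_CN.key
tls-auth ta.key 1
remote-cert-tls server
tls-version-min 1.2
persist-key
persist-tun
EOF
}

# write_configs DIR: materialise the three files under DIR and echo DIR
write_configs() {
    d="$1"
    mkdir -p "$d/server/ccd" "$d/client"
    server_conf > "$d/server/server.conf"
    ccd_entry   > "$d/server/ccd/$CLIENT_CN"
    client_conf > "$d/client/$CLIENT_CN.conf"
    echo "$d"
}

# Usage: ./gen-openvpn.sh /tmp/ovpn-site2site
if [ $# -eq 1 ]; then
    write_configs "$1"
fi
```

Two things the configs rely on but do not set: IP forwarding must be enabled on both OpenVPN boxes (pfSense does this by default; on a plain Linux client host it is the net.ipv4.ip_forward sysctl), and the ESXi host at the client site needs the esxcli static route from earlier in the thread pointing the owned-site LAN at the client-site OpenVPN box rather than at the Internet gateway. The iroute/ccd binding matters for the same reason as the remote-cert-tls lines: without it any authenticated client could announce itself as the owner of 192.168.4.0/24 and pull that site's traffic.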