Re: Site-to-Site VPN to Opnsense

2024-02-19 Thread Nux

Thanks for solving this and sharing the solution!

BTW, the pictures were not sent, perhaps try to "paste" them in rather 
than "attach" them to the email.



On 2024-02-19 20:42, Wally B wrote:

Got this resolved!

The issue is the way StrongSwan (OPNSense IPSec Provider) manages
Phase 2 selectors. For the future if anyone runs into this. Just add
your networks into CloudStack like the documentation says to do. Then
in your OPNSense config add additional networks to Manual SPD entries
under Advanced options on the Phase 2 Settings.

CloudStack VPN Customer Gateway

OPNSense Phase 2:

Thanks!
Wally

On Mon, Feb 19, 2024 at 1:27 PM Wally B 
wrote:


Tried to change the phase 2 selector at 172.16.192.0/16 to a
network on the firewall directly (not just a route the firewall
knows). Getting the same error.

 cat /var/log/daemon.log | grep 10.2.200.0/23 ===

Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy 10.2.200.0/23 === 10.241.0.0/16 in for reqid 4, the same policy for reqid 3 exists
Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy 10.2.200.0/23 === 10.241.0.0/16 fwd for reqid 4, the same policy for reqid 3 exists
Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy 10.241.0.0/16 === 10.2.200.0/23 out for reqid 4, the same policy for reqid 3 exists

=== ipsec statusall =

vpn-xxx.xxx.xxx.171:  xxx.xxx.xxx.154...xxx.xxx.xxx.171  IKEv1, dpddelay=30s
vpn-xxx.xxx.xxx.171:   local:  [xxx.xxx.xxx.154] uses pre-shared key authentication
vpn-xxx.xxx.xxx.171:   remote: [xxx.xxx.xxx.171] uses pre-shared key authentication
vpn-xxx.xxx.xxx.171:   child:  10.241.0.0/16 === 192.168.251.0/26 10.2.200.0/23 TUNNEL, dpdaction=restart
L2TP-PSK:  172.26.0.151...%any  IKEv1/2
L2TP-PSK:   local:  [172.26.0.151] uses pre-shared key authentication
L2TP-PSK:   remote: uses pre-shared key authentication
L2TP-PSK:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT
Routed Connections:
L2TP-PSK{517}:  ROUTED, TRANSPORT, reqid 4
L2TP-PSK{517}:   0.0.0.0/0[udp/l2f] === 0.0.0.0/0[udp]
vpn-xxx.xxx.xxx.171{516}:  ROUTED, TUNNEL, reqid 3
vpn-xxx.xxx.xxx.171{516}:   10.241.0.0/16 === 10.2.200.0/23 192.168.251.0/26

Any help would be appreciated, currently stuck.

Thanks Again
-Wally

On Sun, Feb 18, 2024 at 12:17 AM Wally B wrote:


I'm working on a site to site connection from my VPC to my on prem
OPNsense VPN.

Cloudstack Version 4.19.0
OPNSense Version 23.4.2

I have two P2 selectors setup in OPNsense and I've got a VPN
customer gateway setup with two subnets (
192.168.251.0/26,172.16.192.0/20 ) in Cloudstack.

The issue I'm running into is, only the first address in my  VPN
customer gateway gets added to the SAD. So, in the above example,
since 192.168.251.0/26 is first I can pass traffic to and from
the VPC to that subnet on prem. However, 172.16.192.0/20 is
not added.

I checked the logs on my VPC VR and found the following.

Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy 172.16.192.0/20 === 10.241.0.0/16 in for reqid 3, the same policy for reqid 5 exists
Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy 172.16.192.0/20 === 10.241.0.0/16 fwd for reqid 3, the same policy for reqid 5 exists
Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy 10.241.0.0/16 === 172.16.192.0/20 out for reqid 3, the same policy for reqid 5 exists

Wondering if I'm just formatting my  VPN customer gateway CIDRs
wrong?

Thanks!
Wally


Re: Site-to-Site VPN to Opnsense

2024-02-19 Thread Wally B
Got this resolved!

The issue is the way StrongSwan (OPNSense IPSec Provider) manages Phase 2
selectors. For the future if anyone runs into this. Just add your networks
into CloudStack like the documentation says to do. Then in your OPNSense
config add additional networks to Manual SPD entries under Advanced options
on the Phase 2 Settings.

CloudStack VPN Customer Gateway

[image: image.png]

OPNSense Phase 2:

[image: image.png]

Thanks!
Wally

On Mon, Feb 19, 2024 at 1:27 PM Wally B  wrote:

> Tried to change the phase 2 selector at 172.16.192.0/16 to a network on
> the firewall directly (not just a route the firewall knows). Getting the
> same error.
>
>  cat /var/log/daemon.log | grep 10.2.200.0/23 ===
>
> Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
> 10.2.200.0/23 === 10.241.0.0/16 in for reqid 4, the same policy for reqid
> 3 exists
> Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
> 10.2.200.0/23 === 10.241.0.0/16 fwd for reqid 4, the same policy for
> reqid 3 exists
> Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
> 10.241.0.0/16 === 10.2.200.0/23 out for reqid 4, the same policy for
> reqid 3 exists
>
>
>
>
>
> === ipsec statusall =
>
> vpn-xxx.xxx.xxx.171:  xxx.xxx.xxx.154...xxx.xxx.xxx.171  IKEv1,
> dpddelay=30s
> vpn-xxx.xxx.xxx.171:   local:  [xxx.xxx.xxx.154] uses pre-shared key
> authentication
> vpn-xxx.xxx.xxx.171:   remote: [xxx.xxx.xxx.171] uses pre-shared key
> authentication
> vpn-xxx.xxx.xxx.171:   child:  10.241.0.0/16 === 192.168.251.0/26
> 10.2.200.0/23 TUNNEL, dpdaction=restart
> L2TP-PSK:  172.26.0.151...%any  IKEv1/2
> L2TP-PSK:   local:  [172.26.0.151] uses pre-shared key authentication
> L2TP-PSK:   remote: uses pre-shared key authentication
> L2TP-PSK:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT
> Routed Connections:
> L2TP-PSK{517}:  ROUTED, TRANSPORT, reqid 4
> L2TP-PSK{517}:   0.0.0.0/0[udp/l2f] === 0.0.0.0/0[udp]
> vpn-xxx.xxx.xxx.171{516}:  ROUTED, TUNNEL, reqid 3
> vpn-xxx.xxx.xxx.171{516}:   10.241.0.0/16 === 10.2.200.0/23
> 192.168.251.0/26
>
>
>
>
> Any help would be appreciated, currently stuck.
>
> Thanks Again
> -Wally
>
> On Sun, Feb 18, 2024 at 12:17 AM Wally B  wrote:
>
>> I'm working on a site to site connection from my VPC to my on prem
>> OPNsense VPN.
>>
>>
>> Cloudstack Version 4.19.0
>> OPNSense Version 23.4.2
>>
>> I have two P2 selectors setup in OPNsense and I've got a VPN customer
>> gateway setup with two subnets (  192.168.251.0/26,172.16.192.0/20 ) in
>> Cloudstack.
>>
>> The issue I'm running into is, only the first address in my  VPN customer
>> gateway gets added to the SAD. So, in the above example, since
>> 192.168.251.0/26 is first I can pass traffic to and from the VPC to that
>> subnet on prem. However, 172.16.192.0/20 is not added.
>>
>> I checked the logs on my VPC VR and found the following.
>>
>>
>> Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy
>> 172.16.192.0/20 === 10.241.0.0/16 in for reqid 3, the same policy for
>> reqid 5 exists
>> Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy
>> 172.16.192.0/20 === 10.241.0.0/16 fwd for reqid 3, the same policy for
>> reqid 5 exists
>> Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy
>> 10.241.0.0/16 === 172.16.192.0/20 out for reqid 3, the same policy for
>> reqid 5 exists
>>
>>
>> Wondering if I'm just formatting my  VPN customer gateway CIDRs wrong?
>>
>>
>> Thanks!
>> Wally
>>
>>
>>


Re: Site-to-Site VPN to Opnsense

2024-02-19 Thread Wally B
Tried to change the phase 2 selector at 172.16.192.0/16 to a network on the
firewall directly (not just a route the firewall knows). Getting the same
error.

 cat /var/log/daemon.log | grep 10.2.200.0/23 ===

Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
10.2.200.0/23 === 10.241.0.0/16 in for reqid 4, the same policy for reqid 3
exists
Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
10.2.200.0/23 === 10.241.0.0/16 fwd for reqid 4, the same policy for reqid
3 exists
Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
10.241.0.0/16 === 10.2.200.0/23 out for reqid 4, the same policy for reqid
3 exists





=== ipsec statusall =

vpn-xxx.xxx.xxx.171:  xxx.xxx.xxx.154...xxx.xxx.xxx.171  IKEv1, dpddelay=30s
vpn-xxx.xxx.xxx.171:   local:  [xxx.xxx.xxx.154] uses pre-shared key
authentication
vpn-xxx.xxx.xxx.171:   remote: [xxx.xxx.xxx.171] uses pre-shared key
authentication
vpn-xxx.xxx.xxx.171:   child:  10.241.0.0/16 === 192.168.251.0/26
10.2.200.0/23 TUNNEL, dpdaction=restart
L2TP-PSK:  172.26.0.151...%any  IKEv1/2
L2TP-PSK:   local:  [172.26.0.151] uses pre-shared key authentication
L2TP-PSK:   remote: uses pre-shared key authentication
L2TP-PSK:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT
Routed Connections:
L2TP-PSK{517}:  ROUTED, TRANSPORT, reqid 4
L2TP-PSK{517}:   0.0.0.0/0[udp/l2f] === 0.0.0.0/0[udp]
vpn-xxx.xxx.xxx.171{516}:  ROUTED, TUNNEL, reqid 3
vpn-xxx.xxx.xxx.171{516}:   10.241.0.0/16 === 10.2.200.0/23 192.168.251.0/26




Any help would be appreciated, currently stuck.

Thanks Again
-Wally

On Sun, Feb 18, 2024 at 12:17 AM Wally B  wrote:

> I'm working on a site to site connection from my VPC to my on prem
> OPNsense VPN.
>
>
> Cloudstack Version 4.19.0
> OPNSense Version 23.4.2
>
> I have two P2 selectors setup in OPNsense and I've got a VPN customer
> gateway setup with two subnets (  192.168.251.0/26,172.16.192.0/20 ) in
> Cloudstack.
>
> The issue I'm running into is, only the first address in my  VPN customer
> gateway gets added to the SAD. So, in the above example, since
> 192.168.251.0/26 is first I can pass traffic to and from the VPC to that
> subnet on prem. However, 172.16.192.0/20 is not added.
>
> I checked the logs on my VPC VR and found the following.
>
>
> Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy
> 172.16.192.0/20 === 10.241.0.0/16 in for reqid 3, the same policy for
> reqid 5 exists
> Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy
> 172.16.192.0/20 === 10.241.0.0/16 fwd for reqid 3, the same policy for
> reqid 5 exists
> Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy
> 10.241.0.0/16 === 172.16.192.0/20 out for reqid 3, the same policy for
> reqid 5 exists
>
>
> Wondering if I'm just formatting my  VPN customer gateway CIDRs wrong?
>
>
> Thanks!
> Wally
>
>
>
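
An added example, not part of the original thread: the `unable to install policy` lines quoted above can be grouped by selector pair to see which reqid already holds each policy and whether all three directions were rejected. The sample input is the log text pasted in the thread (still mail-wrapped and quoted); the function names are hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Sample input: log lines as pasted in the thread, still mail-wrapped and ">"-quoted.
SAMPLE = """\
> Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
> 10.2.200.0/23 === 10.241.0.0/16 in for reqid 4, the same policy for reqid
> 3 exists
> Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
> 10.2.200.0/23 === 10.241.0.0/16 fwd for reqid 4, the same policy for
> reqid 3 exists
> Feb 19 03:45:10 r-407-VM ipsec[174957]: 07[CFG] unable to install policy
> 10.241.0.0/16 === 10.2.200.0/23 out for reqid 4, the same policy for
> reqid 3 exists
Feb 18 06:11:56 r-407-VM charon: 07[CFG] unable to install policy
172.16.192.0/20 === 10.241.0.0/16 in for reqid 3, the same policy for
reqid 5 exists
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
POLICY_CLASH = re.compile(
    r"unable to install policy (\S+) === (\S+) (in|fwd|out) "
    r"for reqid (\d+), the same policy for reqid (\d+) exists"
)


def unwrap(text):
    """Drop mail quote markers and rejoin records that the mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def normalise(selector):
    """Canonical network text; selectors with a [proto/port] suffix stay as logged."""
    try:
        return str(ip_network(selector, strict=False))
    except ValueError:
        return selector


def policy_clashes(text):
    """Return {(local, remote): summary} for each selector pair that failed to install."""
    grouped = defaultdict(lambda: {"directions": set(), "failed": set(), "holder": set()})
    for record in unwrap(text):
        m = POLICY_CLASH.search(record)
        if not m:
            continue
        src, dst, direction, failed, holder = m.groups()
        # charon logs policies as source === destination: "out" is local === remote,
        # while "in" and "fwd" are remote === local.
        local, remote = (src, dst) if direction == "out" else (dst, src)
        entry = grouped[(normalise(local), normalise(remote))]
        entry["directions"].add(direction)
        entry["failed"].add(int(failed))
        entry["holder"].add(int(holder))
    return {
        key: {
            "directions": sorted(v["directions"]),
            "failed_reqids": sorted(v["failed"]),
            "holder_reqids": sorted(v["holder"]),
            # True when in, fwd and out were all rejected for this pair.
            "all_directions_rejected": v["directions"] == {"in", "fwd", "out"},
        }
        for key, v in grouped.items()
    }


if __name__ == "__main__":
    for (local, remote), info in policy_clashes(SAMPLE).items():
        print(f"{local} <-> {remote}: {info}")
```
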


Re: Site 2 Site VPN on VPC not working after upgrading ACS from 4.2 to 4.8.1.1

2016-11-06 Thread Cloud List
Hi,

[RESOLVED] Would like to share that I managed to find the workaround to the
problem by emptying the password ipsec_psk field on the entry inside the
s2s_customer_gateway table, deleting the VPN connection, modifying the VPN
customer gateway with the new password (we will notice that the encrypted
format of the password will be populated into the ipsec_psk field), and
then recreating the VPN connection. The VPN connection will then be
established.

Hope the above can help others.

Thank you.

On Sun, Nov 6, 2016 at 6:16 PM, Cloud List  wrote:

> Hi,
>
> Another issue we noted after upgrading ACS from 4.2 to 4.8.1.1 is that
> site-to-site VPN is not working. From GUI, I cannot even go to Home >
> Network > Select view: VPN customer gateway with below error messages shown
> on the GUI:
>
> 
> Caught: com.mysql.jdbc.JDBC4PreparedStatement@45ae1e69: SELECT
> s2s_customer_gateway.id, s2s_customer_gateway.uuid,
> s2s_customer_gateway.name, s2s_customer_gateway.gateway_ip,
> s2s_customer_gateway.guest_cidr_list, s2s_customer_gateway.ipsec_psk,
> s2s_customer_gateway.ike_policy, s2s_customer_gateway.esp_policy,
> s2s_customer_gateway.ike_lifetime, s2s_customer_gateway.esp_lifetime,
> s2s_customer_gateway.dpd, s2s_customer_gateway.force_encap,
> s2s_customer_gateway.domain_id, s2s_customer_gateway.account_id,
> s2s_customer_gateway.removed FROM s2s_customer_gateway INNER JOIN account
> ON s2s_customer_gateway.account_id=account.id WHERE
> s2s_customer_gateway.removed IS NULL AND (account.type != 5 ) ORDER BY
> s2s_customer_gateway.id DESC LIMIT 0, 20
> 
>
> This is the error messages on CloudStack management server:
>
> 
> 2016-11-06 18:00:30,218 DEBUG [c.c.u.c.DBEncryptionUtil]
> (http-8080-2:ctx-da483727 ctx-695addac) (logid:3d3a6225) Error while
> decrypting: 
> 2016-11-06 18:00:30,218 ERROR [c.c.a.ApiServer] (http-8080-2:ctx-da483727
> ctx-695addac) (logid:3d3a6225) unhandled exception executing api command:
> [Ljava.lang.String;@6ad8a1d4
> com.cloud.utils.exception.CloudRuntimeException: Caught:
> com.mysql.jdbc.JDBC4PreparedStatement@55edbe9c: SELECT
> s2s_customer_gateway.id, s2s_customer_gateway.uuid,
> s2s_customer_gateway.name, s2s_customer_gateway.gateway_ip,
> s2s_customer_gateway.guest_cidr_list, s2s_customer_gateway.ipsec_psk,
> s2s_customer_gateway.ike_policy, s2s_customer_gateway.esp_policy,
> s2s_customer_gateway.ike_lifetime, s2s_customer_gateway.esp_lifetime,
> s2s_customer_gateway.dpd, s2s_customer_gateway.force_encap,
> s2s_customer_gateway.domain_id, s2s_customer_gateway.account_id,
> s2s_customer_gateway.removed FROM s2s_customer_gateway  INNER JOIN account
> ON s2s_customer_gateway.account_id=account.id WHERE
> s2s_customer_gateway.removed IS NULL  AND  (account.type != 5 )
> ORDER BY s2s_customer_gateway.id DESC  LIMIT 0, 20
> 
>
> Note that on "Error while decrypting: ", I checked that 
> is the cleartext IPsec preshared key (ipsec_psk field on
> s2s_customer_gateway table on the database). It seems that CloudStack tries
> to decrypt a clear-text / non-encrypted password? Is the ipsec_psk field
> on the database supposed to store the encrypted IPsec pre-shared key for
> the VPN connection under CloudStack version 4.8.1.1?
>
> I am able to execute the SELECT command on the database directly without
> any issues.
>
> Any help is greatly appreciated.
>
> Thank you.
>


Re: SITE TO SITE VPN ERROR IN OUR ENVIRONMENT with CLOUDSTACK-4.3.1 AND XENSERVER 6.2

2016-06-01 Thread Marc-Andre Jutras

Hi Venkat,

You can also check on your VPC if there are any IPSEC negotiation errors
there...


log on your VPC and check in :
/var/log/cloud.log
/var/log/daemon.log

Marcus
On 2016-06-01 9:45 AM, Timothy Lothering wrote:

Hi Venkat,

IPSEC VPN is established with the VPC (in your case the /16). Your Tier
(/24) is in this supernet, so you should be able to route to it once the
tunnel is up.

Make sure to specify the supernet (/16) on the remote VPN appliance as the
destination.



-Original Message-
From: Venkat Boggarapu [mailto:venka...@axiomio.com]
Sent: Wednesday, 01 June 2016 2:50 PM
To: users@cloudstack.apache.org
Subject: SITE TO SITE VPN ERROR IN OUR ENVIRONMENT with CLOUDSTACK-4.3.1 AND
XENSERVER 6.2

Hi Team,

In our environment we are using cloudstack-4.3.1 and xenserver 6.2

We have created  VPC router with  SUPER-CIDR value as X.X.X.X/16.

After creating VPC router, created a new TIER with X.X.X.X/24 with the same
network, gateway.

Finally we are unable to configure the IPSEC with the X.X.X.X/24, but we
have successfully configured IPSEC with X.X.X.X/16.

Please help me guys, I was wondering why it's working with SUPER-CIDR
(X.X.X.X/16) with IPSEC.

Thanks,
Venkat Boggarapu






RE: SITE TO SITE VPN ERROR IN OUR ENVIRONMENT with CLOUDSTACK-4.3.1 AND XENSERVER 6.2

2016-06-01 Thread Timothy Lothering
Hi Venkat,

IPSEC VPN is established with the VPC (in your case the /16). Your Tier
(/24) is in this supernet, so you should be able to route to it once the
tunnel is up.

Make sure to specify the supernet (/16) on the remote VPN appliance as the
destination.



-Original Message-
From: Venkat Boggarapu [mailto:venka...@axiomio.com] 
Sent: Wednesday, 01 June 2016 2:50 PM
To: users@cloudstack.apache.org
Subject: SITE TO SITE VPN ERROR IN OUR ENVIRONMENT with CLOUDSTACK-4.3.1 AND
XENSERVER 6.2

Hi Team,

In our environment we are using cloudstack-4.3.1 and xenserver 6.2

We have created  VPC router with  SUPER-CIDR value as X.X.X.X/16.

After creating VPC router, created a new TIER with X.X.X.X/24 with the same
network, gateway.

Finally we are unable to configure the IPSEC with the X.X.X.X/24, but we
have successfully configured IPSEC with X.X.X.X/16.

Please help me guys, I was wondering why it's working with SUPER-CIDR
(X.X.X.X/16) with IPSEC.

Thanks,
Venkat Boggarapu




Re: Site-To-Site VPN

2016-01-20 Thread Erik Weber
On Wed, Jan 20, 2016 at 9:07 AM, Sonali Jadhav 
wrote:

> Hi,
>
> In order to setup Site-To-Site VPN, do I need to add VPC first?
>
>
Yes, Site to Site VPN is a VPC feature.

-- 
Erik


RE: Site-To-Site VPN

2016-01-20 Thread Sonali Jadhav
Aha! thx

/Sonali

-Original Message-
From: Erik Weber [mailto:terbol...@gmail.com] 
Sent: Wednesday, January 20, 2016 1:47 PM
To: users@cloudstack.apache.org
Subject: Re: Site-To-Site VPN

On Wed, Jan 20, 2016 at 9:07 AM, Sonali Jadhav <son...@servercentralen.se>
wrote:

> Hi,
>
> In order to setup Site-To-Site VPN, do I need to add VPC first?
>
>
Yes, Site to Site VPN is a VPC feature.

-- 
Erik


Re: site-to-site vpn

2014-05-14 Thread Paul Angus
Thanks Dean,

I was trying not to use a client's actual range and made a mess of it.  The 
real cidrs don't overlap, they're more like 10.14.0.0/16 and 10.17.0.0/16

The message I get back is that the cidr 10.14.0.0/16,10.17.0.0/16 is not a 
valid cidr. It appears not to be using the comma to separate.


Regards,

Paul Angus
S: +44 20 3603 0540 | M: +447711418784
T: @CloudyAngus
paul.an...@shapeblue.com


 Original message 
From: Daan Hoogland
Date:14/05/2014 07:55 (GMT+00:00)
To: users@cloudstack.apache.org
Subject: Re: site-to-site vpn

Paul,

I don't think this is the answer but did you notice that 192.168.1.0/16 and
192.168.2.0/16 are actually the same cidr? You are passing the same address
space twice.


On Tue, May 13, 2014 at 7:42 PM, Paul Angus paul.an...@shapeblue.com wrote:

  Hi,



 I’m trying to create a site-to-site VPN but the CIDR entry:
 192.168.1.0/16,192.168.2.0/16  is being returned as invalid.



 The documentation says that CIDRs should be comma separated, does anyone
 know why this isn’t working? Just using one or the other works fine.



 Regards



 Paul Angus

 *Senior Consultant / Cloud Architect*



 S: +44 20 3603 0540 | M: +447711418784 |
 T: @CloudyAngus

 paul.an...@shapeblue.com | www.shapeblue.com | Twitter: @shapeblue https://twitter.com/

 ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS


  Find out more about ShapeBlue and our range of CloudStack related
 services

 IaaS Cloud Design & Build http://shapeblue.com/iaas-cloud-design-and-build//
 CSForge – rapid IaaS deployment framework http://shapeblue.com/csforge/
 CloudStack Consulting http://shapeblue.com/cloudstack-consultancy/
 CloudStack Infrastructure Support http://shapeblue.com/cloudstack-infrastructure-support/
 CloudStack Bootcamp Training Courses http://shapeblue.com/cloudstack-training/

 This email and any attachments to it may be confidential and are intended
 solely for the use of the individual to whom it is addressed. Any views or
 opinions expressed are solely those of the author and do not necessarily
 represent those of Shape Blue Ltd or related companies. If you are not the
 intended recipient of this email, you must neither take any action based
 upon its contents, nor copy or show it to anyone. Please contact the sender
 if you believe you have received this email in error. Shape Blue Ltd is a
 company incorporated in England & Wales. ShapeBlue Services India LLP is a
 company incorporated in India and is operated under license from Shape Blue
 Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil
 and is operated under license from Shape Blue Ltd. ShapeBlue is a
 registered trademark.




--
Daan


RE: site-to-site vpn

2014-05-14 Thread Paul Angus
Thanks Pierre,

I was trying not to use a client's actual range and made a mess of it.  The 
real cidrs don't overlap, they're more like 10.14.0.0/16 and 10.17.0.0/16

The message I get back is that the cidr 10.14.0.0/16,10.17.0.0/16 is not a 
valid cidr. It appears not to be using the comma to separate.

Regards

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
paul.an...@shapeblue.com

-Original Message-
From: Pierre-Luc Dion [mailto:pd...@cloudops.com]
Sent: 14 May 2014 12:27
To: users@cloudstack.apache.org
Subject: Re: site-to-site vpn

Hi Paul,

192.168.1.0/16 and 192.168.2.0/16 are not valid CIDR. 192.168.1.0/24 and
192.168.2.0/24 will work


On Tuesday 13 May 2014, Paul Angus paul.an...@shapeblue.com wrote:

  Hi,



 I’m trying to create a site-to-site VPN but the CIDR entry:
 192.168.1.0/16,192.168.2.0/16  is being returned as invalid.



 The documentation says that CIDRs should be comma separated, does
 anyone know why this isn’t working? Just using one or the other works fine.



 Regards



 Paul Angus

 *Senior Consultant / Cloud Architect*






--

Pierre-Luc Dion
Architecte de Solution Cloud | Cloud Solutions Architect 855-OK-CLOUD 
(855-652-5683) x1101
- - -

*CloudOps*
420 rue Guy
Montréal QC  H3J 1S6
www.cloudops.com
@CloudOps_


Re: site-to-site vpn

2014-05-14 Thread Pierre-Luc Dion
Hi Paul,

192.168.1.0/16 and 192.168.2.0/16 are not valid CIDR. 192.168.1.0/24 and
192.168.2.0/24 will work


On Tuesday 13 May 2014, Paul Angus paul.an...@shapeblue.com wrote:

  Hi,



 I’m trying to create a site-to-site VPN but the CIDR entry:
 192.168.1.0/16,192.168.2.0/16  is being returned as invalid.



 The documentation says that CIDRs should be comma separated, does anyone
 know why this isn’t working? Just using one or the other works fine.



 Regards



 Paul Angus

 *Senior Consultant / Cloud Architect*






-- 

Pierre-Luc Dion
Architecte de Solution Cloud | Cloud Solutions Architect
855-OK-CLOUD (855-652-5683) x1101
- - -

*CloudOps*
420 rue Guy
Montréal QC  H3J 1S6
www.cloudops.com
@CloudOps_
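
An added example, not part of the original thread and not CloudStack's own validation code: a standalone check of a comma-separated CIDR list for the two problems raised in the replies above, entries with host bits set and entries that describe the same or overlapping networks. The function name `check_cidr_list` is hypothetical; the inputs in the demo are the lists quoted in this thread.

```python
from ipaddress import ip_network
from itertools import combinations


def check_cidr_list(cidr_list):
    """Check a comma-separated CIDR list; return a list of (issue, entry, detail)."""
    findings, parsed = [], []
    for entry in (part.strip() for part in cidr_list.split(",")):
        if not entry:
            findings.append(("empty-entry", entry, None))
            continue
        try:
            # strict=True rejects an address that is not the network address
            # for the given prefix length, e.g. 192.168.1.0/16.
            net = ip_network(entry, strict=True)
        except ValueError:
            try:
                net = ip_network(entry, strict=False)
            except ValueError:
                findings.append(("unparseable", entry, None))
                continue
            # Report the network the entry actually denotes.
            findings.append(("host-bits-set", entry, str(net)))
        parsed.append((entry, net))

    # Pairwise comparison: two entries naming the same or overlapping address
    # space would ask for the same traffic selector twice.
    for (a_txt, a), (b_txt, b) in combinations(parsed, 2):
        if a.version != b.version:
            continue
        if a == b:
            findings.append(("same-network", a_txt, b_txt))
        elif a.overlaps(b):
            findings.append(("overlap", a_txt, b_txt))
    return findings


if __name__ == "__main__":
    for sample in (
        "192.168.1.0/16,192.168.2.0/16",
        "192.168.1.0/24,192.168.2.0/24",
        "10.14.0.0/16,10.17.0.0/16",
    ):
        print(sample, "->", check_cidr_list(sample) or "no findings")
```
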


Re: Site to Site VPN

2013-08-30 Thread Dean Kamali
Well if you could take screen shots of your config, it will be helpful, you
may hide your secret keys, just so that it will make it easy for us to
set up :)

Thanks


On Fri, Aug 30, 2013 at 12:17 PM, Chiradeep Vittal 
chiradeep.vit...@citrix.com wrote:

 Can you share the config (with sensitive data changed of course)

 On 8/29/13 11:07 PM, Yong Chen y...@coredesktop.com wrote:

 We have 10 sonicwall IPsec VPNs running at the same time in our setup. So
 far it works fine.
 
 Yong
 
 -Original Message-
 From: CSG - Ashley Lester [mailto:ash...@computer-services.com.au]
 Sent: Thursday, 29 August 2013 11:13 AM
 To: users@cloudstack.apache.org
 Subject: RE: Site to Site VPN
 
 Hi Dean,
 
 If you have some time to test this that would be fantastic,  I have spent
 a few hours on it myself and I believe that it should work but I'm unsure
 on the VPC config and maybe I'm not getting that correct
 
 -Original Message-
 From: Dean Kamali [mailto:dean.kam...@gmail.com]
 Sent: August-29-13 9:28 AM
 To: users@cloudstack.apache.org
 Subject: Re: Site to Site VPN
 
 I have 2 sonicwalls in production, I guess I can give it a try and let you
 guys know, I went over Dell docs and it seems possible but I still need
 to see it working to confirm.
 
 
 On Wed, Aug 28, 2013 at 7:07 PM, CSG - Ashley Lester 
 ash...@computer-services.com.au wrote:
 
  Hello,
 
  Has anyone had any success using Sonicwalls IPSEC to connect to
  cloudstack Site to Site VPN ?
 
  I'm aware that only Cisco and Juniper are officially supported. Any
  other devices work with this ?
 
  Ashley
 
 




Re: Site to Site VPN

2013-08-28 Thread Dean Kamali
I have 2 sonicwalls in production, I guess I can give it a try and let you
guys know, I went over Dell docs and it seems possible but I still need
to see it working to confirm.


On Wed, Aug 28, 2013 at 7:07 PM, CSG - Ashley Lester 
ash...@computer-services.com.au wrote:

 Hello,

 Has anyone had any success using Sonicwalls IPSEC to connect to cloudstack
 Site to Site VPN ?

 I'm aware that only Cisco and Juniper are officially supported. Any other
 devices work with this ?

 Ashley



RE: Site to Site VPN

2013-08-28 Thread CSG - Ashley Lester
Hi Dean,

If you have some time to test this that would be fantastic,  I have spent a few
hours on it myself and I believe that it should work but I'm unsure on the VPC
config and maybe I'm not getting that correct

-Original Message-
From: Dean Kamali [mailto:dean.kam...@gmail.com] 
Sent: August-29-13 9:28 AM
To: users@cloudstack.apache.org
Subject: Re: Site to Site VPN

I have 2 sonicwalls in production, I guess I can give it a try and let you guys
know, I went over Dell docs and it seems possible but I still need to see it
working to confirm.


On Wed, Aug 28, 2013 at 7:07 PM, CSG - Ashley Lester  
ash...@computer-services.com.au wrote:

 Hello,

 Has anyone had any success using Sonicwalls IPSEC to connect to 
 cloudstack Site to Site VPN ?

 I'm aware that only Cisco and Juniper are officially supported. Any 
 other devices work with this ?

 Ashley