Have a private cloud? Provider not on the list? Use this VNS3 set up guide to get started in generic IaaS environments. About VNS3: VNS3 delivers cloud networking and NFV functionality for virtual and cloud environments. The VNS3 virtual network security appliance includes a router, switch, stateful firewall, VPN support (IPsec and SSL), and protocol redistributor, and extensible NFV optimized for all major cloud providers. VNS3 cloud networks are configured and managed through the VNS3 Manager web-based UI or resetful API. VNS3 is available in: Amazon Web Services EC2, Amazon Web Services VPC, Microsoft Azure, CenturyLink Cloud, Google Compute Engine (GCE), Rackspace, IBM SoftLayer, ElasticHosts, Verizon Terremark vCloud Express, InterRoute, Abiquo, Openstack, Flexiant, Eucalyptus, Abiquo, HPE Helion, VMware (all formats), Citrix, Xen, KVM, and more. VNS3 supports most IPsec data center solutions, including: Preferred Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, Vyatta, and any IPsec device that supports IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5, and most importantly NAT-Traversal standards.

1. © 2016
IaaS Configuration
Private Cloud IaaS Deployment Setup for VNS3
2016

2. © 2016
Table of Contents
2
Requirements 3
Remote Support Operations 12
IaaS Deployment Setup 13
VNS3 Configuration Document Links 19

3. © 2016
Requirements
3

4. © 2016
Requirements
4
•You have an IaaS account or local IaaS infrastructure (Citrix, RedHat, VMware, OpenStack,
Eucalyptus, etc) where you can run a Virtual Machine instance via an image template provided by
Cohesive Networks.
•You have the ability to deploy image templates to the IaaS infrastructure and create instances of
them.
•Instance Requirements include:
10gig+ ephemeral or block storage-backed image capacity per image template needed
2gig memory and 2 virtual cores are practical production minimum
When using L4-L7 plugins, more cores and memory may be needed
AES-NI available via hardware - to hypervisor - to VM guests is ideal
"Jumbo" ethernet frames in the underlying network (9000 MTU) vs. standard 1500 MTU is ideal
Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

5. © 2016
Additional Elements
5
VNS3:ms - When running multiple (more than a handful) virtual VNS3 Controllers it is
recommended that VNS3:ms (management system is used). It makes managing virtual
networks at scale much easier.
VNS3 Routing Agent - When running more than the simplest topologies, especially ones
where different network paths (routes) may come and go, it is recommended that you use
the VNS3 routing agent on each of the virtual hosts connecting to VNS3 as their network
overlay controller. VNS3 overlay uses TLS tunneling technology, for which there is not a
standard routing protocol. The VNS3 routing agent allows hosts on an overlay to receive
dynamic route updates, eliminating a need for tunneling agent restarts.

6. © 2016
IPsec Requirements
6
In order to be interoperable with other data centers via IPsec, VNS3 supports a wide
range of systems and standards.
Preferred Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL,
Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix
Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense,
and Vyatta.
Best Effort Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES,
SHA1 or MD5.
*Known Exclusions Checkpoint R65+ requires native IPSec connections as Checkpoint
does not conform to NAT-Traversal Standards and Cisco ASA 8.4(2)-8.4(4) bugs prevent a
stable connection from being maintained.

7. © 2016
Getting Help with VNS3
7
Custom IaaS deployments will require interaction with the Cohesive team around basics of
your deployment. This is required to ensure the product shipped is compatible with your
environment. If you are interested in more custom use cases and would like Cohesive to
advise and help setup the topology contact sales@cohesive.com for services pricing.
This guide covers a very generic VNS3 setup. If you need specific help with project
planning, POCs, or audits, contact our professional services team via sales@cohesive.net
for details.
Please review the VNS3 Support Plans and Contacts before sending support inquiries.

8. © 2016
Firewall Considerations
8
VNS3 Controller instances use the following TCP and UDP ports.
• UDP port 1194
For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients.
• UDP 1195-1203*
For tunnels between Controller peers; must be accessible from all peers in a given topology.
• TCP port 8000
HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from
the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
• UDP port 500
UDP port 500 is used the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.
• ESP Protocol 50 and possibly UDP port 4500
Protocol 50 is used for phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP
port 4500** is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation.
*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500

9. © 2016
Sizing Considerations
9
Image Size and Architecture
VNS3 Controller Images are available as 64bit images to allow the greatest flexibility for your use-case. We
recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the
performance will depend on the use-case.
Clientpack Key Size
VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the
“clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future
releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.

10. © 2016
Network Considerations
10
Docker for Layer 4-7 Network Function Services
VNS3 3.5 provides the ability for users to import and launch Docker and/or LXC application containers inside VNS3
Managers. This allows customization of the VNS3 NFV appliance and adds options for how an application can be
deployed to the clouds.
In order to provide this functionality, the Docker system needs a subnet to run and communicate to/from the running
application containers. Users can edit this subnet but the default is 198.51.100.0/28. If you plan on using the default
make sure there is no network overlap with the environments you plan to connect using VNS3.

11. © 2016
Address Considerations
11
Restrictions
Your VLAN CIDR and Subnets cannot not overlap with the VNS3 Overlay Network Subnet.
VLANs
Virtual machine deployments are launched in VLAN CIDRs.
VNS3
VNS3 provides an encrypted subnet in addition to the VLAN subnets. Servers that are configured to join the VNS3 encrypted Overlay
Network do so via OpenVPN connections using the VNS3 generated Client Packs. Each Client Pack is tied to a specific Overlay
Network Address
VLAN Subnets (eth0)
Not Encrypted
OpenVPN is not required on Client Servers
Clients Packs are not required on Client Servers
Cannot join generic EC2 directly (public Internet
connection required)
No Additional Overhead
VNS3 Overlay Network Subnet (tun0)
Encrypted
OpenVPN is required on Client Servers
Client Packs are required on Client Servers
Can join generic EC2 services directly (OpenVPN or
Peer Controller required)
Additional Overhead (minimal)

12. © 2016
Remote Support
12
Note that TCP 22 (ssh) is not required for normal operations.
Each VNS3 Controller is running a restricted SSH daemon, with
access limited only to Cohesive for debugging purposes controlled
by the user via the Remote Support toggle and key exchange
generation.
In the event Cohesive needs to observe runtime state of a VNS3
Controller in response to a tech support request, we will ask you to
open Security Group access to SSH from our support IP range and
Enable Remote Support via the Web UI.
Cohesive will send you an encrypted passphrase to generate a
private key used by Cohesive Support staff to access your
Controller. Access to the restricted SSH daemon is completely
controlled by the user. Once the support ticket has been closed
you can disable remote support access and invalidate the access
key.

13. © 2016
IaaS Deployment Setup
13

14. © 2016
Get Access to the current release
14
Cohesive Networks will make an OVF / OVA file applicable for your virtual infrastructure
available to you. This should be used to create your standard VNS3 image template in your
virtual infrastructure library.
Before providing you with the image, Cohesive will need to know if your VNS3 Controllers
will have a public Internet edge; regardless of whether directly of via NAT-ing and port/
protocol forwarding. If the VNS3 Controllers will be connectable via the Internet there is a
slight, but significant distinction in their boot up sequence.
If your controllers will be wholly “on-prem” wrapping a local application and not providing
public edge services you will need a different image. We call this the “running local private”
configuration.

15. © 2016
Initial Network Configuration
15
Many private virtual infrastructures do not have the dynamic association of static IP
addresses (like Amazon does).
They also do not have a way to assign an IP address to a virtual adapter (vSphere for
example).
As a result the Virtual Infrastructure edition ships with a VERY simple configuration script
for setting the initial ETH0 address via the virtual infrastructure console.
When using VNS3 “on prem” assume the ETH0 is the “outer address” of the VNS3
Controller and “ETH1” is the “inner address” of the controller.

16. © 2016
Running the “set_net.sh” script
16
Once you create a VNS3 instance, you then need to access it via the virtual infrastructure console.
From the console you log in as a simple user which is locked to a single script; the set-net.sh
script.
The username is “ctlio”
The password is “ctlio”
Run “sudo ./set_net.sh”.
It will prompt you to “Add” or “Create”. Use the create option and enter the address you will use to
do initial administration of the instance via its Web UI or API via ETH0. Enter the address, CIDR,
and gateway.
Then Add DNS entry - you can only add one DNS entry. If your controller will have a public edge,
this DNS needs to be able to resolve public names.
DO NOT ATTEMPT TO SET ETH1 with this script. That is done via WEB UI/API.

17. © 2016
Create port access for your instance
17
VNS3 uses the ports listed on the previous page discussing ports.
Use the IaaS firewall and/or hypervisor firewall utilities to ensure that access to those
ports are set.
You should then be able to reach the Web UI for configuration via:
https://<vns3 instance ETH0 ip>:8000

18. © 2016
VNS3 Configuration Document Links
18

19. © 2016
VNS3 Configuration Document Links
19
VNS3 Product Resources - Documentation | Add-ons
VNS3 Configuration Instructions
Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include,
initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to
the Overlay Network.
VNS3 Administration Document
Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall,
all administration menu items, upgrade licenses, other routes and SNMP traps.
VNS3 Docker Instructions
Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.
VNS3 Troubleshooting
Troubleshooting document that provides explanation issues that are more commonly experienced with VNS3.