© 2023 Yandex.Cloud LLC

ViPNet Coordinator VA in Yandex Cloud

Written by Yandex Cloud, improved by Dmitry A.
  • Solution description
  • Before you begin
  • Required paid resources
  • Prepare the environment
    • Install the solution on a local machine
    • Create a cloud network
    • Create subnets
    • Create route tables
  • Create disk images for the VM with ViPNet Coordinator VA
    • Create a VM with ViPNet Coordinator VA on a local machine
    • Upload disk images to Object Storage
    • Create disk images in Compute Cloud
  • Create a VM with ViPNet Coordinator VA in the cloud
  • Configure ViPNet Coordinator VA
    • Connect to ViPNet Coordinator VA using the serial console
    • Enable SSH
    • Connect to ViPNet Coordinator VA over SSH
  • How to delete created resources

You can install ViPNet Coordinator VA in your cloud and use it as a VPN gateway for site-to-site VPN between cloud and on-premises resources.

ViPNet Coordinator VA is installed on a VM with four network interfaces. One interface is assigned a public IP address and terminates the tunnel to the on-premises gateway. The other interfaces have internal addresses only and are connected to different subnets in the same availability zone.

Used in the cloud, ViPNet Coordinator VA doesn't support the following functions:

  • Export and import of keys and settings in vbe.
  • Failover cluster.
  • Interface aggregation.
  • DHCP server.
  • VLAN.
  • L2OverIP.
  • Export of a system log and IP packet log to a USB flash drive or over TFTP.
  • Adding a backup set of personal keys.
  • Local software updates.
  • Certificate import using a USB flash drive.
  • Authentication using a token.

To deploy ViPNet Coordinator VA in Yandex Cloud:

  1. View a solution description.
  2. Before you start.
  3. Prepare the environment.
  4. Create images of ViPNet Coordinator VA disks.
  5. Create a VM with ViPNet Coordinator VA in the cloud.
  6. Configure ViPNet Coordinator VA.

If you no longer need these resources, delete them.

Solution description

The VPN tunnel is established between two ViPNet devices: Coordinator VA on the cloud side and Coordinator HW at the on-premises site.

Cloud configuration:

  • ViPNet Coordinator VA:

    Interface  Internal address  Public address  Subnet           Comment
    eth0       10.1.0.8          Automatically   public-subnet    A public address is mapped to the internal one over One-to-One NAT.
    eth1       10.1.1.8          No address      segment1-subnet  -
    eth2       10.1.2.8          No address      segment2-subnet  -
    eth3       10.1.3.8          No address      segment3-subnet  -
  • All the traffic to the on-premises resources is routed to the ViPNet Coordinator VA internal interfaces using static routes:

    Subnet           Destination prefix  Next hop
    segment1-subnet  192.168.200.0/24    10.1.1.8
    segment2-subnet  192.168.200.0/24    10.1.2.8
    segment3-subnet  192.168.200.0/24    10.1.3.8

On the on-premises site:

  • ViPNet Coordinator HW:

    Interface  Address         Subnet
    eth0       Public address  -
    eth1       192.168.200.5   192.168.200.0/24
  • The traffic to the cloud resources is routed to the ViPNet Coordinator HW internal interface using a static route:

    Subnet            Destination prefix                     Next hop
    192.168.200.0/24  10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24  192.168.200.5
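
The addressing plan above relies on a few invariants that are easy to break when you substitute your own ranges: no cloud subnet may overlap another cloud subnet or the on-premises LAN, each Coordinator VA interface address must be a usable host address inside the subnet whose route table points at it, and the on-premises site needs a return route for every cloud segment. The following preflight check is an added example, not part of the tutorial or of ViPNet: the addresses are the ones in the tables above, while the check_plan helper and its argument names are ours. It runs offline with the standard library only.

```python
import ipaddress

# The tutorial's addressing plan, transcribed from the tables above.
# Cloud side: subnet name -> (CIDR, address of the Coordinator VA interface in it)
CLOUD_SEGMENTS = {
    "public-subnet":   ("10.1.0.0/24", "10.1.0.8"),
    "segment1-subnet": ("10.1.1.0/24", "10.1.1.8"),
    "segment2-subnet": ("10.1.2.0/24", "10.1.2.8"),
    "segment3-subnet": ("10.1.3.0/24", "10.1.3.8"),
}
# Cloud route tables: linked subnet -> [(destination prefix, next hop)]
CLOUD_ROUTES = {
    "segment1-subnet": [("192.168.200.0/24", "10.1.1.8")],
    "segment2-subnet": [("192.168.200.0/24", "10.1.2.8")],
    "segment3-subnet": [("192.168.200.0/24", "10.1.3.8")],
}
# On-premises side
ONPREM_LAN = "192.168.200.0/24"
ONPREM_GATEWAY = "192.168.200.5"          # Coordinator HW eth1
ONPREM_ROUTES = {                          # destination prefix -> next hop
    "10.1.1.0/24": ONPREM_GATEWAY,
    "10.1.2.0/24": ONPREM_GATEWAY,
    "10.1.3.0/24": ONPREM_GATEWAY,
}


def check_plan(segments=CLOUD_SEGMENTS, cloud_routes=CLOUD_ROUTES,
               onprem_lan=ONPREM_LAN, onprem_gateway=ONPREM_GATEWAY,
               onprem_routes=ONPREM_ROUTES):
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in segments.items()}
    lan = ipaddress.ip_network(onprem_lan)

    # 1. No overlapping address space: cloud subnets against each other and
    #    against the on-premises LAN. Overlap is the classic reason a tunnel
    #    comes up but no traffic crosses it.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
        if nets[a].overlaps(lan):
            problems.append(f"{a} overlaps the on-premises LAN {onprem_lan}")

    # 2. Every Coordinator VA interface address must be a usable host address
    #    inside its own subnet (not the network or broadcast address).
    for name, (cidr, addr) in segments.items():
        ip, net = ipaddress.ip_address(addr), nets[name]
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is not a usable host address in {name} ({cidr})")

    # 3. A cloud route must send the on-premises prefix to the Coordinator VA
    #    interface that sits in the subnet the route table is linked to.
    for subnet, routes in cloud_routes.items():
        iface = segments[subnet][1]
        for dest, next_hop in routes:
            if next_hop != iface:
                problems.append(f"{subnet}: next hop {next_hop} is not its Coordinator interface {iface}")
            if not ipaddress.ip_network(dest).subnet_of(lan):
                problems.append(f"{subnet}: destination {dest} lies outside {onprem_lan}")

    # 4. The on-premises site needs a return route through Coordinator HW for
    #    every cloud segment that routes to it.
    if ipaddress.ip_address(onprem_gateway) not in lan:
        problems.append(f"on-premises gateway {onprem_gateway} is outside {onprem_lan}")
    returns = [ipaddress.ip_network(p) for p, nh in onprem_routes.items() if nh == onprem_gateway]
    for subnet in cloud_routes:
        if not any(nets[subnet].subnet_of(r) for r in returns):
            problems.append(f"no on-premises return route for {subnet} ({nets[subnet]})")
    return problems


if __name__ == "__main__":
    for p in check_plan() or ["addressing plan is consistent"]:
        print(p)
```

Run it once with your own values substituted for the tutorial's before creating any cloud resources; an overlap or a missing return route is far cheaper to catch here than after the tunnel is up and traffic silently goes nowhere.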

Before you begin

Before working, you need to register in Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

To create a VM with several network interfaces, have technical support enable the MULTI_INTERFACE_INSTANCES_ALPHA parameter for the cloud.

Required paid resources

The cost of the infrastructure includes:

  • A fee for VM computing resources, disks, and images (see Yandex Compute Cloud pricing).
  • A fee for data storage in a bucket and operations with data (see Yandex Object Storage pricing).
  • A fee for a public IP address and outgoing traffic (see Yandex Virtual Private Cloud pricing).

Prepare the environment

Install the solution on a local machine

Install the following tools on your local machine:

  • Oracle VM VirtualBox.
  • qemu-img.
  • jq.

Create a cloud network

If you don't have a cloud network yet, create one in the folder for ViPNet Coordinator VA, such as vipnet-folder:

Management console:

  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Click Create network.
  4. Enter a network name, such as vipnet-network.
  5. Disable the Create subnets option.
  6. Click Create network.

CLI:

To create a cloud network, run the command:

yc vpc network create --name vipnet-network --folder-id <ID_of_vipnet-folder>

Where:

  • name: Name of the cloud network.
  • folder-id: ID of the folder where the network will be created.

Create subnets

Create a subnet named public-subnet for the ViPNet Coordinator VA external interface:

Management console:
  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Choose the vipnet-network cloud network.
  4. Click Add subnet.
  5. Name the subnet, such as public-subnet.
  6. Select an availability zone, such as ru-central1-a.
  7. Enter the subnet CIDR, such as 10.1.0.0/24.
  8. Click Create subnet.

Similarly, create subnets for vipnet-network or any other network:

  • segment1-subnet, CIDR – 10.1.1.0/24;
  • segment2-subnet, CIDR – 10.1.2.0/24;
  • segment3-subnet, CIDR – 10.1.3.0/24.

Note

All the subnets must be in the same availability zone.

CLI:

  1. Create public-subnet:

    yc vpc subnet create \
    --name public-subnet \
    --folder-id <ID_of_vipnet-folder> \
    --network-name vipnet-network \
    --zone <availability_zone> \
    --range 10.1.0.0/24
    

    Where:

    • name: Name of the subnet.
    • folder-id: ID of the folder where the cloud network is located.
    • network-name: Cloud network name.
    • zone: Availability zone, for example ru-central1-a.
    • range: The subnet CIDR.
  2. Similarly, create subnets for cloud resources:

    • segment1-subnet, CIDR – 10.1.1.0/24;
    • segment2-subnet, CIDR – 10.1.2.0/24;
    • segment3-subnet, CIDR – 10.1.3.0/24.


Create route tables

Create the segment1-rt, segment2-rt, and segment3-rt route tables:

Management console:
  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Choose the vipnet-network cloud network.
  4. On the left-hand panel, select Route tables.
  5. Click Create.
  6. Set the name: segment1-rt.
  7. Click Add route and specify:
    • Destination prefix: 192.168.200.0/24.
    • Next hop: IP address.
    • IP address: 10.1.1.8.
  8. Click Add.
  9. Click Create route table.

Similarly, create the segment2-rt and segment3-rt tables, specifying the IP addresses 10.1.2.8 and 10.1.3.8, respectively.

Link the route tables to the subnets:

Management console:
  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Choose the vipnet-network cloud network.
  4. On the left-hand panel, select Route tables.
  5. Select the segment1-subnet subnet and click → Link route table.
  6. Select the segment1-rt table.
  7. Click Link.

Similarly, link the segment2-rt and segment3-rt tables to the segment2-subnet and segment3-subnet subnets, respectively.
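
The tutorial gives CLI commands for the network and subnets but only console steps for the route tables. The script below, an added example that is not Yandex Cloud's own tooling, performs the whole "Prepare the environment" section with the yc CLI in one go: network, four subnets, one route table per segment subnet with the 192.168.200.0/24 route, and the link of each table to its subnet. Names, CIDRs and next hops are the tutorial's; FOLDER_ID is the same placeholder the tutorial uses. The route-table create and subnet update flags (--route destination=...,next-hop=... and --route-table-id) are written from our reading of the yc CLI reference, so confirm them with yc vpc route-table create --help and yc vpc subnet update --help before running with dry_run=False. In dry-run mode (the default) nothing is executed and the script only returns the command lines it would run.

```python
import json
import shlex
import subprocess

FOLDER_ID = "<ID_of_vipnet-folder>"     # placeholder, as in the tutorial
NETWORK = "vipnet-network"
ZONE = "ru-central1-a"                  # every subnet must be in this one zone
ONPREM_PREFIX = "192.168.200.0/24"
# subnet name -> (CIDR, next hop for ONPREM_PREFIX; None = no route table)
SUBNETS = {
    "public-subnet":   ("10.1.0.0/24", None),
    "segment1-subnet": ("10.1.1.0/24", "10.1.1.8"),
    "segment2-subnet": ("10.1.2.0/24", "10.1.2.8"),
    "segment3-subnet": ("10.1.3.0/24", "10.1.3.8"),
}


def yc(args, dry_run):
    """Run one yc command with JSON output; return (argv, parsed result).

    With dry_run=True nothing is executed and the result is empty, so the
    command list can be reviewed before anything is created."""
    argv = ["yc", *args, "--folder-id", FOLDER_ID, "--format", "json"]
    if dry_run:
        return argv, {}
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return argv, json.loads(proc.stdout)


def build_vpc(dry_run=True):
    """Create the network, the four subnets, one route table per segment subnet
    and link each table to its subnet. Returns the commands as shell lines."""
    issued = []

    def run(args):
        argv, result = yc(args, dry_run)
        issued.append(shlex.join(argv))
        return result

    run(["vpc", "network", "create", "--name", NETWORK])
    for name, (cidr, next_hop) in SUBNETS.items():
        run(["vpc", "subnet", "create", "--name", name, "--network-name", NETWORK,
             "--zone", ZONE, "--range", cidr])
        if next_hop is None:
            continue                                 # public-subnet: no static route
        rt_name = name.replace("-subnet", "-rt")     # segment1-subnet -> segment1-rt
        rt = run(["vpc", "route-table", "create", "--name", rt_name,
                  "--network-name", NETWORK,
                  "--route", f"destination={ONPREM_PREFIX},next-hop={next_hop}"])
        # The real route table id comes back in the JSON; a dry run keeps a placeholder.
        run(["vpc", "subnet", "update", name,
             "--route-table-id", rt.get("id", "<route-table-id>")])
    return issued


if __name__ == "__main__":
    for line in build_vpc(dry_run=True):
        print(line)
```

The order matters: a route table can only be linked to a subnet after both exist, and the next hop in each table must already be an address inside the network, which is why the script creates the subnet first, then the table, then links them.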

Create disk images for the VM with ViPNet Coordinator VA

Create a VM with ViPNet Coordinator VA on a local machine

The cloud VM is created from a disk image that you prepare locally for Compute Cloud. Image requirements:

  • Keys are installed in the system.
  • Key authentication type: Password.
  • Image format: qcow2.

Download a ViPNet Coordinator VA image

  1. Request a ViPNet Coordinator VA image on the Infotecs website.

    1. Under Downloads on the Software tab, choose the demo version of ViPNet Coordinator VA (for the VMware ESX and Oracle VM environments).
    2. On the page that opens, specify your details.
    3. Agree to the personal data processing policy and click SUBMIT REQUEST.
  2. Wait for an email with the download link to ViPNet Coordinator VA, file size details, and the MD5 checksum. The link expires five days after you complete the form on the website.

  3. Download the ViPNet Coordinator VA archive and check its integrity:

    Linux / macOS:
    1. Create the vipnet folder and download the archive into it:

      mkdir vipnet
      cd vipnet
      curl -O <download_link_to_ViPNet_Coordinator_VA>
      
    2. Find out the archive name:

      ls -la
      

      Result:

      -rw-r--r--   1 user  457853789 Aug 21 12:28 va_vipnet_base_x86_64_4.5.1-5668.ova.zip
      
    3. Find out the archive MD5 checksum (md5 is the macOS tool; on Linux, run md5sum <archive_name> instead):

      md5 <archive_name>
      

      Result:

      MD5 (va_vipnet_base_x86_64_4.5.1-5668.ova.zip) = 42c0f1401aa77fc5366e7eff8cc8ed4a
      

      Compare the checksum with the one in the email; if the values differ, repeat the download. A matching checksum only shows that the download is complete and uncorrupted; it does not authenticate the archive, since anyone able to replace the file could also replace the email.

    4. Unpack the archive:

      unzip <filename>
      

      Result:

      Archive:  va_vipnet_base_x86_64_4.5.1-5668.ova.zip
        inflating: va_vipnet_base_x86_64_4.5.1-5668.ova
      
    PowerShell:

    1. Create the vipnet folder and download the archive into it:

      mkdir vipnet
      cd vipnet
      curl.exe -O <download_link_to_ViPNet_Coordinator_VA>
      
    2. Find out the archive name:

      Get-ChildItem
      

      Result:

      Mode            LastWriteTime       Length    Name
      ----            -------------       ------    ----
      ------    8/24/2022   2:07 PM    457853789    va_vipnet_base_x86_64_4.5.1-5668.ova.zip
      
    3. Find out the archive MD5 checksum:

      Get-FileHash <archive_name> -Algorithm MD5
      

      Result:

      Algorithm    Hash                                Path
      ---------    ----                                ----
      MD5          42C0F1401AA77FC5366E7EFF8CC8ED4A    C:\Users\User1\vipnet\va_vipnet_base_x86_64_4.5.1-5668.ova.zip
      

      Compare the checksum with the one in the email; if the values differ, repeat the download.

    4. Unpack the archive:

      Expand-Archive <archive_name>
      

Prepare a USB flash drive with the keys

The tutorial uses the demo versions of the keys.

Linux / macOS:
  1. Insert the USB flash drive into a port on your computer and format it as FAT32 using the operating system tools.

  2. Download the demo keys and copy the key file to the root of the USB flash drive:

    curl -O https://files.infotecs.ru/_dl/sess/vipnet_demokeys/vipnet_demokeys.zip
    unzip vipnet_demokeys.zip
    cp Coordinator\ 4\ MOBILE/Coordinator\ 4\ MOBILE/abn_0004.dst <path_to_root_on_USB_flash_drive>
    
  3. Make sure the keys are written to the USB flash drive:

    ls <path_to_root_on_USB_flash_drive>
    

    Result:

    abn_0004.dst
    
  4. Using the operating system tools, unmount (eject) the USB flash drive, but leave it in the USB port: it will be attached to the VM in a later step.

PowerShell:

  1. Insert the USB flash drive into a port on your computer and format it as FAT32 using the operating system tools.

  2. Download the demo keys and copy the key file to the root of the USB flash drive:

    curl.exe -O https://files.infotecs.ru/_dl/sess/vipnet_demokeys/vipnet_demokeys.zip
    Expand-Archive vipnet_demokeys.zip
    Copy-Item -Path "<path_to_vipnet_directory>\vipnet_demokeys\Coordinator 4 MOBILE\Coordinator 4 MOBILE\abn_0004.dst" -Destination <path_to_root_on_USB_flash_drive>
    
  3. Make sure the keys are written to the USB flash drive:

    Get-ChildItem <path_to_root_on_USB_flash_drive>
    

    Result:

    Mode            LastWriteTime    Length Name
    ----            -------------    ------ ----
    -a----    1/26/2022   5:38 PM     27456 abn_0004.dst
    
  4. Using the operating system tools, eject the USB flash drive, but leave it in the USB port: it will be attached to the VM in a later step.

Create a VM with ViPNet Coordinator VA in VirtualBox

  1. In Oracle VM VirtualBox, open the ViPNet Coordinator VA image file (.ova).
  2. In the window that opens, click Import and wait for the setting import to finish.
  3. Select the VM named vm and click Start.

Configure ViPNet Coordinator VA on a local VM

  1. In the VM startup selection window, select VA.
  2. Wait for the va login: prompt to appear in the VM console.
  3. Add the USB flash drive with the keys to the VM: at the top left, open Devices