Connect your cloud to IBM SoftLayer in 2 steps

Do you have a few minutes? If so, this post can show how to connect your data center to SoftLayer resources. More precisely, I’ll show you how to connect a VMware ESX server hosted in IBM SoftLayer to your local vCenter server thanks to an OpenVPN server also hosted in SoftLayer.

If you are just joining us, feel free to check out my previous posts that cover how to get your ESX server in SoftLayer and how to get your OpenVPN server in SoftLayer.

Step 1: Configure your OpenVPN

For this step, you have two choices: you can create a LAN-to-LAN connection for an Internet Protocol Security (IPSec) Virtual Private Network (VPN) by yourself, or you can ask a network guy to do it for you. I chose the second option.

My favorite network specialist and colleague Benoit Raymond and I are both nice guys, so we’ve agreed to share Benoit’s knowledge with you.

Here’s how you can create an IPSec VPN LAN-to-LAN connection on the Vyatta router:

1. Create an esp-group and ike-group. The esp-group will let you set the Encapsulating Security Payload (ESP) parameters required for ike-group creation and for the lifetime of the resulting IPSec security association. The ike-group will let you set the required Internet Key Exchange (IKE) parameters.

set vpn ipsec esp-group esp-sl-sl compression 'disable'
set vpn ipsec esp-group esp-sl-sl lifetime '3600'
set vpn ipsec esp-group esp-sl-sl mode 'tunnel'
set vpn ipsec esp-group esp-sl-sl pfs 'disable'
set vpn ipsec esp-group esp-sl-sl proposal 1 encryption '3des'
set vpn ipsec esp-group esp-sl-sl proposal 1 hash 'md5'
set vpn ipsec ike-group ike-sl-sl lifetime '3600'
set vpn ipsec ike-group ike-sl-sl proposal 1 dh-group '2'
set vpn ipsec ike-group ike-sl-sl proposal 1 encryption '3des'
set vpn ipsec ike-group ike-sl-sl proposal 1 hash 'md5'

You can define multiple esp or ike groups if you run several IPSec VPNs, or share one set of parameters between IPSec tunnels.

2. Specify on which network interface you want to apply the tunnel.

set vpn ipsec ipsec-interfaces interface 'eth0'

You can specify several network interfaces if you have several IPSec VPN tunnels.

3. Add a new site-to-site IPSec VPN by defining the peer IP address and setting all of the following parameters.

set vpn ipsec site-to-site peer <peer ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <peer ip> authentication pre-shared-secret 'password-shared'
set vpn ipsec site-to-site peer <peer ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <peer ip> default-esp-group 'esp-sl-sl'
set vpn ipsec site-to-site peer <peer ip> description 'My link to SoftLayer'
set vpn ipsec site-to-site peer <peer ip> ike-group 'ike-sl-sl'
set vpn ipsec site-to-site peer <peer ip> local-address <local ip>

4. Configure one or more tunnels inside the site-to-site IPSec VPN. Each tunnel defines which range of IP addresses is allowed through it.

set vpn ipsec site-to-site peer <peer ip> tunnel 1 esp-group 'esp-sl-sl'
set vpn ipsec site-to-site peer <peer ip> tunnel 1 local prefix <network A>
set vpn ipsec site-to-site peer <peer ip> tunnel 1 remote prefix <network B>
set vpn ipsec site-to-site peer <peer ip> tunnel 2 esp-group 'esp-sl-sl'
set vpn ipsec site-to-site peer <peer ip> tunnel 2 local prefix <network A>
set vpn ipsec site-to-site peer <peer ip> tunnel 2 remote prefix <network B>
set vpn ipsec site-to-site peer <peer ip> tunnel 3 esp-group 'esp-sl-sl'
set vpn ipsec site-to-site peer <peer ip> tunnel 3 local prefix <network A>
set vpn ipsec site-to-site peer <peer ip> tunnel 3 remote prefix <network B>

With Vyatta routers, you have to define several tunnels under the same site-to-site connection if you want to have multiple ranges of IP addresses allowed.
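The groups in step 1 negotiate 3DES, MD5 and DH group 2 with PFS disabled, and step 3 uses a short placeholder pre-shared secret. As an added example (not code from the original post), this Python check scans `set vpn ipsec` lines for those settings before they are committed; the policy thresholds and the 192.0.2.1 peer address are assumptions of the example.

```python
import shlex

# Constructed sample: lines from the steps above, with the documentation
# address 192.0.2.1 standing in for <peer ip>.
SAMPLE = """\
set vpn ipsec esp-group esp-sl-sl pfs 'disable'
set vpn ipsec esp-group esp-sl-sl proposal 1 encryption '3des'
set vpn ipsec esp-group esp-sl-sl proposal 1 hash 'md5'
set vpn ipsec ike-group ike-sl-sl proposal 1 dh-group '2'
set vpn ipsec ike-group ike-sl-sl proposal 1 encryption '3des'
set vpn ipsec ike-group ike-sl-sl proposal 1 hash 'md5'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'password-shared'
set vpn ipsec site-to-site peer 192.0.2.1 default-esp-group 'esp-sl-sl'
"""

# (setting keyword, weakness test, reason). This policy is the example's own
# assumption, not a Vyatta or SoftLayer requirement.
RULES = [
    ("encryption", lambda v: v in {"des", "3des"},
     "64-bit block cipher (Sweet32); negotiate an AES proposal"),
    ("hash", lambda v: v == "md5",
     "HMAC-MD5 is deprecated for IPsec; use a SHA-family hash"),
    ("dh-group", lambda v: v in {"1", "2", "5"},
     "MODP group under 2048 bits"),
    ("pfs", lambda v: v == "disable",
     "no PFS: child SA keys derive from the IKE SA's key material"),
    ("pre-shared-secret", lambda v: len(v) < 20 or "password" in v.lower(),
     "short or guessable pre-shared secret"),
]

def audit(config):
    """Return (line_no, setting, value, reason) for each weak setting."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), 1):
        tokens = shlex.split(line)  # strips the single quotes around values
        if tokens[:3] != ["set", "vpn", "ipsec"] or len(tokens) < 5:
            continue
        key, value = tokens[-2], tokens[-1]
        for rule_key, is_weak, reason in RULES:
            if key == rule_key and is_weak(value):
                findings.append((line_no, f"{tokens[3]} {key}", value, reason))
    return findings

if __name__ == "__main__":
    for line_no, setting, value, reason in audit(SAMPLE):
        print(f"line {line_no}: {setting} = {value!r}: {reason}")
```

Both ends of the tunnel must agree on every proposal value, so any setting changed after a finding has to be changed on the peer as well.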

The hardest part is now done. Are you still with us? Good, then let’s go to an easier step!

Your OpenVPN server is now provisioned and properly configured, so you can register your ESX server in your vCenter inventory.

Step 2: Add your ESX to your vCenter

First of all, you have to add a static route on the new external ESX. For ESX 4.x, run the following command:

route add -net <network> netmask <netmask> gw <router>

For ESXi 5.x, run the following command:

esxcfg-route -a <network> <router>

You are now able to register this ESX as a new host in your vCenter. Right-click on the cluster corresponding to the data center where this ESX is hosted, select “Add Host” and fill in the wizard fields as you would for one of your local ESX hosts.

Lastly, create a specific cluster for the ESX servers hosted in SoftLayer in order to enable High Availability and Distributed Resource Scheduler functionality between servers hosted in the same data center. This will allow them to balance virtual machines across your ESX servers with good performance.

As all good things come to an end, this is the last of a series of three posts to show you how to burst your cloud with SoftLayer. Now you can show off at the coffee machine by telling people that when your data center reaches its maximum capacity, you don’t have to say no to your customers—you simply overflow your workload in a public cloud by implementing a cloud bursting solution powered by SoftLayer.

If you have any comments, or just want to share another way to show off at the coffee machine, feel free to contact me on Twitter or LinkedIn, or reach out to my colleague Benoit Raymond on LinkedIn.
