May 11, 2024

17. Creating a VPN to a Remote Site Using SD-WAN and a Loopback Health Check



Published June 14, 2023, 1:20 p.m. by Courtney


We are finally starting to build our VPN tunnels. In this video we create a VPN to the NYC remote site in our lab using the SD-WAN interface. We also create the firewall policy to allow pinging the loopback interface. Lastly we create the SD-WAN rule and health checks for the loopback.

More to come as we add additional tunnels to our lab.




Hey guys, welcome back to another recording. My name is Devin Adams, I'm a Fortinet instructor here in Tempe, Arizona. I work for Dynamic Worldwide, and I record these videos for the people who've taken my class. Anyways, I've been recording several of them, trying to build up to the point where I can start doing demos and things like that. It's taking forever, guys, I'm so sorry for that, but I'm waiting for my labs to boot up for my classes next week, and I thought, hey, why not, let's do a video.

So in the last video we created a basic internet access SD-WAN rule and some performance SLAs so it would always take the best path, and the reason why we did that is because there is an implicit load balancing algorithm that sits at the bottom of the SD-WAN. So as you throw interfaces into it, if you don't define the rules, it falls right through and gets load balanced. The FortiGates have been doing this for a while now; it's called equal cost multi-path load balancing, and we don't want that to happen when we start putting in our VPN tunnels. So in this video, I was gonna do a bunch of stuff at once, and I thought to myself, you know what, I better just take it slow and just do it one step at a time, because I know it can be confusing, even for myself.

But in this video we are basically going to start slowly building out our hub-and-spoke topology to our headquarters FortiGates. So we're gonna use the SD-WAN interface for doing this; we're not going to be doing the point-to-point wizard, which makes it pretty easy. We're gonna do it with the SD-WAN simply because we can have a little bit more flexibility over which VPN tunnels to take. And I have done videos on this, so if you guys want to check that out, just go to my playlists, but this is the first time I'm doing it with 6.2.3. And then after that, we did create some loopbacks in some earlier videos, and we are gonna create the health checks for those connections, or at least this first connection here, using that loopback interface, and hopefully once this thing gets rolling, adding the additional tunnels should not be too difficult. So in this one we're gonna take this first WAN connection over here in the headquarters and we're going to connect it over to our New York office.

So normally VPN tunnels do not have IP addresses associated with them, all right? They get encapsulated at the WAN interface, traverse the internet, and then they get stripped off, and yeah, there's usually no need for IP addresses. Well, here we are gonna add IP addresses, all right? So that's one thing that we can do on the FortiGates, and this is gonna kind of act like... I don't know a good way to describe it other than just like maybe a management IP address for that VPN tunnel. But basically, when we add it to the SD-WAN, we can tell it to pass it off to these IP addresses, and I drew a little red line here using these tools in GNS3 because, you know what, it will get a little bit complicated once we start doing everything.

But let's go ahead and start. So I'm gonna load up the DC office here, because I've been using the domain controller, which is such a bad idea, you never do this in real life, but I wanted a Windows environment, and as you guys can see, I did make some of our interfaces publicly facing just for simplicity. But I'm gonna go to headquarters here, I'm gonna log in. All right, there we go, and let's go ahead and take a look at what we got so far. So if we go to Network, all right, and we go to our SD-WAN, you'll see here that we have our four WAN connections. I don't know why I did four, I must have been going crazy, whatever.

Okay, so what we're gonna do here though is that we're gonna say Create New, all right, and when we drop down our interfaces there's this VPN plus. So here we go, and we're gonna say, hey, you know what, this is gonna be going to NYC, all right, and our remote IP address is 10.200.5.1. I'm just gonna verify that super quick, so yep, right there. Okay, and then our outgoing interface; see how we could, if we wanted to, select all four of these interfaces, but you know what, that's what I meant by we're just gonna make it nice and simplistic for the first example here, all right, so we don't get too crazy. Okay, and then after that we go ahead and we hit Create, and there you go, we now have this interface here, but if you notice there's no gateway, okay? So I'm just gonna hit Cancel super quickly, all right, and I'm gonna go to my Interfaces, I'm gonna go to my SD-WAN, all right, I'm gonna expand that, and there's my Cox connection (these are all make-believe, of course), and I'm gonna double click here and I'm gonna put an IP address associated with here. So here we go, I'm gonna say allow it to have ping access, and 10.10.2.1, all right, and then on the other side it's gonna be 10.10.2.2 with a slash 32. I'm gonna hit OK, and that is how we put IP addresses on our VPN tunnel.

So now we're gonna come back to our SD-WAN rules, all right... not SD-WAN rules, my bad, my SD-WAN. Okay, I'm gonna say Create New, drop down to that New York tunnel, okay, and the gateway is gonna be 10.10.2.2. Now if you guys are just wondering about the naming convention, the IP convention that I'm doing here is: the 10, see, the 1, see, the 2, see, the 2; that's kind of what I was thinking there. I was trying to keep it all within the 10 range just to make, you know, summarization and such easier later down the road. Anyways, so there you go, so we have one side of our tunnel, not too bad, huh?

So let's go ahead and hop over here to New York City, okay, and let's go ahead and do the same in reverse. All right, if New York City's even alive... I don't even remember what I was doing over here, to be honest with you. So, all right, sure, go slow, it's all good, we have all the time in the world. Okay, forget it, I'll do it from this side. So normally you want to be publicly facing, but I did, what you call it, turn on management on the WAN interface there, just because, for simplicity reasons; we can do that kind of stuff when it's a lab environment. So hey, that was kind of interesting, all right, there... oh, look at that, that's kind of weird, I wonder if I have like weird asymmetrical routing going on or something. So let me try from this side again, this is New York, yeah, it's New York. I think the application just crashed; it's been a couple of days since I touched the lab environment, so heaven forbid that these demos ever go smoothly, right? So all right, come on, buddy. I don't know why I just lost my... I think I was shaking it too hard, bring it back, there we go. All right, let's go to 10 dot... I don't know why that's going so slow, to be honest with you. All right, that should be our firewall, okay, yep, take your time, it's all good, here all day. All right, here we go, so now from the New York side. Hopefully maybe I'll edit out some of that business, all right, sorry, I have to laugh at just how horrible these videos are. Okay, so here we go.

Let's go to our Network, all right, so let's go to our SD-WAN, and we're just going to do the same in the opposite direction. So we're gonna say Create New, and we're gonna say our interface is our VPN, and we're gonna say "to HQ", 10.10... oh, my bad, 10.200.1.1, our outgoing interface, and like I said, normally we could select multiple here, and that's the whole purpose of having this interface; it's supposed to be creating these VPN tunnels for multiple interfaces to be easy, but like I said, I just don't want that complexity for right now, just in case something goes wrong or just so it's not as confusing. We'll add more later on. So there we go, wait, close, all right, and then we'll just say Cancel, and then we'll go to our Interfaces, so then expand the SD-WAN, here we are, there it is, rockin' at the bottom, there we are, and as you can see there's no IP addresses associated with it. So let's open 'er up, all right, and we'll say, well, we don't need to put anything, the name describes it enough, but this is gonna be 10.10.2.2, and the other side of that is going to be our headquarters, just like we made before. We'll do a little ping action, all right, there we are, nice. And then after that we have to add it back into the SD-WAN, so all right, here we go, "to HQ", right, and we're gonna pass it off to 10.10.2.1 and hit OK. And believe it or not, that should be enough to get started. So there's a couple of things we have to do, all right, before we can actually make all this work. Now just as a heads up, okay, it's been my personal...

Let's go to the SD-WAN rules real quickly. So in the last video we made this general internet connection, right, and we didn't care where it was coming from or where it was going out, but it picked the one that had the least latency, and the reason why is because when I added in that third connection, which was a VPN tunnel, I didn't want it to fall through into this load balancing algorithm down here, because, you know, it would not be able to make it out to the internet. We don't have any of our firewall rules to do that even if we wanted to. I mean, technically speaking, I guess we could backhaul all of it to one location, but that's not the point, unless we had some kind of like MPLS connection or something like that, but anyway, so just something to keep in mind here. Now, before we create our second part here, and that is the health check using loopback, we need to make sure that it can actually reach the loopback.

All right, so what I'm gonna do here is I'm gonna take a really insecure rule; maybe I'll fix that a little bit later. But let's go ahead and go to our Policy & Objects, all right, I'm gonna say Create New and I'm just gonna call this something like "VPN loopback health check", I don't know, I'm trying to abbreviate here, but it's gonna pop out of the SD-WAN, okay, and it's going to hit the loopback and only the loopback. So you know what, this is what I meant: I don't really care where it's coming from, I don't care where it's going to, all right. The services: the only thing we're gonna allow is ICMP for right now, okay; heck, we could have said all, but no, all right, and then we hit OK. That should be enough for it to be able to ping the loopback before we make the health rule. Now let's go ahead and do it on the other side. All right, so here we are back at our headquarters, we're gonna go to Policies, IPv4, all right, and then geez, look at all this business going on here, I don't even know what's going on here, all right, already too many rules. So once again we'll just say "VPN loopback health check", and then it's gonna pop out of the SD-WAN, okay, and it is going to hit the loopback, and no, I don't care, I don't care, we're just gonna say all, ICMP, and all right, don't really need NAT. Okay, now that should be enough for the firewall policies to be okay with it.

Now with the VPN tunnel though, it's not going to get initiated unless there is a route for it, okay? So my loopback, by the way, I can't even remember what I did my loopbacks for, I'm gonna have to look that up real quick. So all right, so it was 10.127, okay. So basically, when we have traffic routed down a VPN tunnel it has to make a route lookup, and that's where these SD-WAN rules come into place. So basically, when we make our rule here to allow that to happen, it is making the route, it's making a policy route for it, all right. So let's go ahead and say Create New, all right, and I'm just going to say, here we go, I'm gonna say "VPN loopback health check". Just once again, don't really care where it's coming from, but for the destination, all right, I am going to make a loopback address with a slash 16. So if it's trying to go to, what, 10.127.0.0, okay, geez, that's the name, that's not the IP address, I'll just call this "loopback", all right, with a slash 16. So in other words it's gonna look at the first two octets there, all right. Loop... we're gonna go ahead and pick the best quality, the best quality of... what, you guys see our VPN tunnel here? I'm not seeing our VPN tunnel. Where is our VPN tunnel? Okay, that has to be a bug, because I'm not seeing our VPN tunnel in our interfaces here, do you guys see that? Oh man, all right, wha-wha-wha, okay, did I not hit OK? I guess I didn't, geez, what a weird thing not to do. Here we go, did I skip that part? Anyways, that's really awkward. Anyways, let me hit Apply, okay, "to New York", all right, sorry about that, guys. Let's try that again, okay, "VPN loopback health check", oops, "HQ health check". So anyways, I don't care about the source, but once again, if it's going towards a loopback, all right, I want it to go ahead and pick the best quality, the best quality of... well, we only have one for right now, all right.

Now we did not do a health check here, but we eventually will, all right. So you know what, for right now I better just do manual, until we can get more interfaces in there, okay. But guys, these rules are top-down, so don't forget to drag it above the other, okay? So all right, sounds good, let's go ahead and do it now in New York City. Okay, so we'll go to our SD-WAN and we'll go to our SD-WAN rules, all right, we'll say Create New and we'll say "VPN loopback health check". We don't care where it's coming from, but we do care about that loopback address, so we'll say Create New address, "loopback health check". I think I screwed up my naming convention: ten, two, seven, zero, zero with a slash 16, all right. Okay, and we'll just manually pick it for right now, okay. Don't forget to drag it and drop it above the other, all right. I don't even want to look there, I don't even want to see what's going on there.

So let's go ahead and do one more thing, are you guys ready? Performance SLA, okay, we're going to Create New, all right, and we're gonna say this is gonna be our VPN, I don't know, "health check", okay, and our server address here, because it's going to be going to New York, all right... all right, not New York, to headquarters, we're gonna say two, two, seven, zero, one, and our participants are going to be our VPN tunnel, all right. And then if you guys notice, look at that, what, yeah, that's right, that's the health of our VPN. Come on, that's cool, guys, that's cool, everyone just calm down. Okay, so that's actually pinging through the VPN tunnel to get the statistics there. Now you're gonna see in later videos, when we start adding the tunnels here, we can actually make it check constantly the VPN connections between all those different carriers, and it'll take the best one that it can find when it comes to, what you call it, when it comes to the actual quality of the link. All right, let's go ahead and finish this up and do it on the other side, okay, because it was all leading up to this. So there we go, so we're gonna say Performance SLA, okay, we're gonna say Create New and we're gonna say "VPN health check". "In NYC" is what it should have said, in New York City. The server is gonna be 10 dot... and I did not do my naming convention very well, I apologize, guys. The participants, it's gonna say "to New York City". I'm gonna hit OK, all right, and as you can see, what, yeah, that's right, we now have a health check, okay. So not too bad, right, guys? So there you go.

So what did we do here? So basically we made our SD-WAN VPN tunnel to New York City, and then after that we wrote a rule to allow the loopback to be pingable through the VPN tunnel. Then we made sure that that rule was in the SD-WAN rules... when I said rule, I meant like our firewall policy rule. Then we had to make our SD-WAN rule here, all right, to make sure that it was doing the routing, because it does make a policy-based route, okay, and make sure that it goes beyond the more generic one here, because it is top-down, okay, with the rules. All right, and then lastly we made a performance SLA for the VPN tunnels so we can keep an eye on the packet loss, latency, and jitter, okay. So I will take it to the next level in the next video, guys. I don't know when that will be, but we'll go ahead and make another VPN connection and make it ping through that loop, and hopefully because the structure of it's there it will not be too complicated. So sorry for the kind of long video, I hope that wasn't too confusing, and I'll see you guys next time.
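The four pieces the walkthrough clicks through in the GUI (tunnel IPs, firewall policy, SD-WAN member and rule, performance SLA), written out as an added FortiOS CLI example for the HQ side; this is not the video's configuration. Interface and object names, the "loopback0" and "virtual-wan-link" interface names, and the 10.127.0.0/16 remote loopback and 10.10.2.x tunnel addresses are assumed or constructed, and the policy is shown with the source tightened to the peer's tunnel address, the fix the speaker says he will get to later, instead of any source.

```text
# Constructed HQ-side example; names and addresses are assumed, not the video's.
# "to_NYC" already exists from the IPsec phase1 setup; give it the /32 pair
# the speaker calls the tunnel's "management" addresses, with ping allowed.
config system interface
    edit "to_NYC"
        set ip 10.10.2.1 255.255.255.255
        set remote-ip 10.10.2.2 255.255.255.255
        set allowaccess ping
    next
end
# Remote loopback range (SD-WAN rule destination) and peer tunnel address.
config firewall address
    edit "NYC-loopback"
        set subnet 10.127.0.0 255.255.0.0
    next
    edit "NYC-tunnel-ip"
        set subnet 10.10.2.2 255.255.255.255
    next
end
# Let the peer's probe reach the local loopback: ICMP only, from the peer
# tunnel address rather than "all"; destination interface limits it to loopback0.
config firewall policy
    edit 0
        set name "VPN-loopback-health-check"
        set srcintf "virtual-wan-link"
        set dstintf "loopback0"
        set srcaddr "NYC-tunnel-ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING"
    next
end
# Tunnel as SD-WAN member with the far-end tunnel IP as gateway, a health check
# probing the remote loopback through it, and a manual rule steering
# loopback-bound traffic into the tunnel. Place it above the generic internet
# rule: SD-WAN rules match top-down.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "to_NYC"
            set gateway 10.10.2.2
        next
    end
    config health-check
        edit "VPN-health-check-NYC"
            set server "10.127.0.1"
            set members 1
        next
    end
    config service
        edit 1
            set mode manual
            set dst "NYC-loopback"
            set priority-members 1
        next
    end
end
```

The NYC side mirrors this with the addresses swapped; the health check's packet loss, latency and jitter then appear under Performance SLA as in the video.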
