Published June 14, 2023, 1:20 p.m. by Courtney
We are finally starting to build our VPN tunnels. In this video we create a VPN to the NYC remote site in our lab using the SD-WAN interface. We also create the firewall policy to allow pinging the loopback interface. Lastly, we create the SD-WAN rule and health checks for the loopback.
More to come as we add additional tunnels to our lab.
Hey guys, welcome back to another recording. My name is Devin Adams, I'm a Fortinet instructor here in Tempe, Arizona. I work for Dynamic Worldwide and I record these videos for the people who've taken my class. Anyways, I've been recording several of them, trying to build up to the point where I can start doing demos and things like that. It's taking forever, guys, I'm so sorry for that, but I'm waiting for my labs to boot up for my classes next week and I thought, hey, why not, let's do a video.

So in the last video we created a basic internet access SD-WAN rule and some performance SLAs so it would always take the best path. The reason why we did that is because there is an implicit load balancing algorithm that sits at the bottom of the SD-WAN, so as you throw interfaces into it, if you don't define the rules, it falls right through and gets load balanced. The FortiGates have been doing this for a while now; it's called equal cost multipath load balancing, and we don't want that to happen when we start putting in our VPN tunnels.

So in this video, I was gonna do a bunch of stuff at once, and I thought to myself, you know what, I better just take it slow and do it one step at a time, because I know it can be confusing, even for myself. But in this video we are basically going to start slowly building out our hub-and-spoke topology to our headquarters FortiGates. So we're gonna use the SD-WAN interface doing this; we're not going to be doing the point-to-point wizard, which makes it pretty easy. We're gonna do it with the SD-WAN simply because we can have a little bit more flexibility over which VPN tunnels to take. I have done videos on this, so if you guys want to check that out, just go to my playlists, but this is the first time I'm doing it with 6.2.3. And then after that, we did create some loopbacks in some earlier videos, and we are gonna create the health checks for those connections, or at least this first connection here, using that loopback interface. Hopefully once this thing gets rolling, adding the additional tunnels should not be too difficult. So in this one we're gonna take this first WAN connection over here in the headquarters and we're going to connect it over to our New York office.

So normally VPN tunnels do not have IP addresses associated with them, all right? They get encapsulated at the WAN interface, traverse the internet and then they get stripped off, and there's usually no need for an IP address. Well, here we are gonna add IP addresses. So that's one thing that we can do on the FortiGates, and this is gonna kind of act like, I don't know a good way to describe it other than maybe like a management IP address for that VPN tunnel. But basically, when we add it to the SD-WAN, we can tell it to pass it off to these IP addresses. I drew a little red line here using these tools in GNS3, because, you know what, it will get a little bit complicated once we start doing everything.

But let's go ahead and start. So I'm gonna load up the DC office here, because I've been using the domain controller, which is such a bad idea, you never do this in real life, but I wanted a Windows environment. As you guys can see, I did make some of our interfaces publicly facing just for simplicity. But I'm gonna go to headquarters here, I'm gonna log in, all right, there we go, and let's go ahead and take a look at what we got so far. So if we go to Network, all right, and we go to our SD-WAN, you'll see here that we have our 4 WAN connections. I don't know why I did 4, I must have been going crazy, whatever. Okay, so what we're gonna do here though is that we're gonna say Create New, all right, and when we drop down our interfaces there's this VPN plus. So here we go, and we're gonna say, hey, you know what, this is gonna be going to NYC, all right, and our remote IP address is 10.205.1, I'm just gonna verify that super quick, so yep, right there. Okay, and then our outgoing interface: see how we could, if we wanted to, select all four of these interfaces? But you know what, that's what I meant by we're just gonna make it nice and simplistic for the first example here, all right, so we don't get too crazy. Okay, and then after that we go ahead and we hit Create, and there you go, we now have this interface here. But if you notice, there's no gateway, okay? So I'm just gonna hit Cancel super quickly, all right, and I'm gonna go to my Interfaces, I'm gonna go to my SD-WAN, all right, I'm gonna expand that, and there's my Cox connection (these are all make-believe, of course), and I'm gonna double click here and I'm gonna put an IP address associated with it. So here we go, I'm gonna say allow it to have ping access, and 10.1.20.1, all right, and then on the other side it's gonna be .20.2 with the /32. I'm gonna hit OK, and that is how we put IP addresses on our VPN tunnel.

So now we're gonna come back to our SD-WAN rules, all right, not SD-WAN rules, my bad, my SD-WAN. Okay, I'm gonna say Create New, drop down to that New York tunnel, okay, and the gateway is gonna be 10.1.20.2. Now if you guys are just wondering about the naming convention, the IP convention that I'm doing here is the 10, see, the 1, see, the 20, see, the 2; that's kind of what I was thinking there. I was trying to keep it all within the 10 range just to make, you know, summarization and stuff easier later down the road. Anyways, so there you go, we have one side of our tunnel. Not too bad, huh?

So let's go ahead and hop over here to New York City, okay, and let's go ahead and do the same in reverse. All right, is New York City even alive? I don't even remember what I was doing over here, to be honest with you. So, all right, sure, go slow, it's all good, we have all the time in the world. Okay, forget it, I'll do it from this side. So normally you want to be publicly facing, but I did, what you call it, turn on management on the WAN interface there, just because, for simplicity reasons; we can do that kind of stuff when it's a lab environment. So hey, that was kind of interesting. All right, there, oh, look at that, that's kind of weird. I wonder if I have like weird asymmetrical routing going on or something. So let me try from this side again. This is New York, yeah, it's New York. I think the application just crashed; it's been a couple of days since I touched the lab environment, so heaven forbid that these demos ever go smoothly, right? So, all right, come on, buddy. I don't know why I just lost my... I think I was shaking it too hard. Bring it back, there we go. All right, let's go to 10 dot... I don't know why that's going so slow, to be honest with you. All right, that should be our firewall. Okay, yep, take your time, it's all good, here all day. All right, here we go, so now from the New York side. Hopefully maybe I'll edit out some of that business. All right, sorry, I have this lab, it's just... how horrible these videos are. Okay, so here we go.

Let's go to our Network, all right, so let's go to our SD-WAN, and we're just going to do the same in the opposite direction. So we're gonna say Create New, and we're gonna say our interface is our VPN, and we're gonna say "to HQ", 10.10... oh my bad, 10.200.1.1, our outgoing interface. And like I said, now normally we could select multiple here, and that's the whole purpose of having this interface; it's supposed to make creating these VPN tunnels for multiple interfaces easy. But like I said, I just don't want that complexity for right now, just in case something goes wrong or just so it's not as confusing; we'll add more later on. So there we go, wait, close, all right, and then we'll just say Cancel, and then we'll go to our Interfaces. So then expand the SD-WAN here, there it is, rocking at the bottom, there we are. And as you can see there's no IP addresses associated with it, so let's open her up, all right, and we'll say, well, we don't need to put anything, the name describes it enough. But this is gonna be 10.1.20.2 and the other side of that is going to be our headquarters, just like we made before. We'll do a little ping action, all right, there we are, nice. And then after that we have to add it back into the SD-WAN. So all right, here we go, "to HQ", right, and we're gonna pass it off to 10.1.20.1 and hit OK. And believe it or not, that should be enough to get started.

So there's a couple of things we have to do, all right, before we can actually make all this work. Now, just as a heads up, okay, it's been my personal... let's go to the SD-WAN rules real quickly. So in the last video we made this general internet connection, right, and we didn't care where it was coming from or where it was going out, but it picked the one that had the least latency. And the reason why is because when I added in that third connection, which was a VPN tunnel, I didn't want it to fall through into this load balancing algorithm down here, because, you know, it would not be able to make it out to the internet. We don't have any of our firewall rules to do that even if we wanted to. I mean, technically speaking, I guess we could backhaul all of it to one location, but that's not the point, unless we had some kind of like MPLS connection or something like that. But anyway, so just something to keep in mind here.

Now before we create our second part here, and that is the health check using loopback, we need to make sure that it can actually reach the loopback, all right? So what I'm gonna do here is I'm gonna make a really insecure rule; maybe I'll fix that a little bit later. But let's go ahead and go to our Policy & Objects, all right, I'm gonna say Create New, and I'm just gonna call this something like "VPN loopback health check". I don't know, I'm trying to abbreviate here. But it's gonna pop out of the SD-WAN, okay, and it's going to hit the loopback and only the loopback. So, you know what, this is what I meant: I don't really care where it's coming from, I don't care where it's going to, all right. The services: the only thing we're gonna allow is ICMP for right now, okay. Heck, we could have said all; no NAT, all right, and then we hit OK. That should be enough for it to be able to ping the loopback before we make the health rule.

Now let's go ahead and do it on the other side. All right, so here we are back at our headquarters. We're gonna go to Policies, IPv4, all right, and then, geez, look at all this business going on here; I don't even know what's going on here, all right, I already have too many rules. So once again we'll just say "VPN loopback health check", and then it's gonna pop out of the SD-WAN, okay, and it is going to hit the loopback, and I don't care, I don't care, we'll just say all ICMP, and, all right, don't really need NAT, okay. Now that should be enough for the firewall policies to be okay with it.

Now with the VPN tunnel though, it's not going to get initiated unless there is a route for it, okay? So my loopback, by the way, I can't even remember what I did my loopbacks for, I'm gonna have to look that up real quick. So, all right, so it was 10.127, okay. So basically when we have traffic routed down a VPN tunnel it has to make a route lookup, and that's where these SD-WAN rules come into place. So basically, when we make our rule here to allow that to happen, it is making the route, it's making a policy route for it, all right. So let's go ahead and say Create New, all right, and I'm just going to say, here we go, I'm gonna say "VPN loopback health check". Just once again, don't really care where it's coming from, but for the destination, all right, I am going to make a loopback address with the /16. So if it's trying to go to, what, 10.127.0.0... okay, geez, that's the name, that's not the IP address. I'll just call this "loopback", all right, with a /16, so in other words it's gonna look at the first two octets there, all right. Loop... we're gonna go ahead and pick the best quality, the best quality of... what, you guys see our VPN tunnel here? I'm not seeing our VPN tunnel. Where is our VPN tunnel? Okay, that has to be a bug, because I'm not seeing our VPN tunnel in our interfaces here. Do you guys see that? Oh man, all right, wha-wha-wha, okay, did I not hit OK? I guess I didn't. Geez, what a weird thing not to do. Here we go, did I skip that part? Anyways, that's really awkward. Anyways, let me hit Apply, okay, "to New York", all right, sorry about that, guys. Let's try that again, okay, "VPN loopback health check", oops, "HQ health check". So anyways, I don't care about the source, but once again, if it's going towards a loopback, all right, I wanted to go ahead and pick the best quality, the best quality of what... we only have one for right now, all right. Now we did not do a health check here, but we eventually will, all right, so you know what, for right now I better just do manual, until we can get more interfaces in there, okay. But guys, these rules are top-down, so don't forget to drag it above the other, okay? So, all right, sounds good.

Let's go ahead and do it now in New York City, okay. So we'll go to our SD-WAN and we'll go to our SD-WAN rules, all right, we'll say Create New and we'll say "VPN loopback health check". We don't care where it's coming from, but we do care about that loopback address, so we'll say Create New address, "loopback health check"; I think I screwed up my naming convention. 10.127.0.0 with the /16, all right, okay, and we'll just manually pick it for right now, okay. Don't forget to drag it and drop it above the other, all right. I don't even want to look there, I don't even want to see what's going on there.

So let's go ahead and do one more thing, are you guys ready? Performance SLA, okay, we're going to Create New, all right, and we're gonna say this is gonna be our VPN, I don't know, health check, okay. And our server address here, because it's going to be going to New York, all right, all right, not New York, to headquarters, we're gonna say 10.127.0.1, and our participants are going to be our VPN tunnel, all right. And then if you guys notice, look at that, what, yeah, that's right, that's the health of our VPN. Come on, that's cool, guys, that's cool, everyone just calm down. Okay, so that's actually pinging through the VPN tunnel to get the statistics there. Now you're gonna see in later videos, when we start adding the tunnels here, we can actually make it constantly check the VPN connections between all those different carriers, and it takes the best one that it can find when it comes to, what you call it, when it comes to the actual quality of the link. All right, let's go ahead and finish this up and do it on the other side, okay, because it was all leading up to this. So there we go, so we're gonna say Performance SLA, okay, we're gonna say Create New, and we're gonna say "VPN health check", "in NYC" is what it should have said, in New York City. The server is gonna be 10 dot... and I did not do my naming convention very well, I apologize, guys. The participants is gonna say "to New York City". I'm gonna hit OK, all right, and as you can see, what, yeah, that's right, we now have a health check, okay. So not too bad, right, guys?

So there you go, so what did we do here? So basically we made our SD-WAN VPN tunnel to New York City, and then after that we wrote a rule to allow the loopback to be pingable through the VPN tunnel. Then we made sure that that rule was in the SD-WAN rules; when I said rule I meant like our firewall policy rule. Then we had to make our SD-WAN rule here, all right, to make sure that it was doing the routing, because it does make a policy-based route, okay, and make sure that it goes above the more generic one here, because it is top-down, okay, with the rules, all right. And then lastly we made a performance SLA for the VPN tunnels so we can keep an eye on the packet loss, latency and jitter, okay. So I will take it to the next level in the next video, guys, I don't know when that will be, but we'll go ahead and make another VPN connection and make it ping through that loop, and hopefully because the structure of it's there it will not be too complicated. So sorry for the kind of long video, I hope that wasn't too confusing, and I'll see you guys next time.
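A CLI rendering of the HQ-side configuration the video builds in the GUI, added here as an example and not taken from the video; it uses FortiOS 6.2 syntax (`config system virtual-wan-link`, which later releases renamed to `config system sdwan`). It assumes the VPN+ dialog already created the IPsec tunnel as an interface named "to-NYC", that the loopback interface is named "loopback", that the SD-WAN member index is 5, and that the NYC loopback address is 10.127.0.2 (the video never states it); the tunnel addresses 10.1.20.1/10.1.20.2 and the 10.127.0.0/16 loopback range follow the transcript.

```fortios
# HQ FortiGate, FortiOS 6.2. Tunnel "to-NYC" assumed to exist already.
config system interface
    edit "to-NYC"
        # "management" IP on the tunnel; /32 on both ends, ping only
        set ip 10.1.20.1 255.255.255.255
        set remote-ip 10.1.20.2 255.255.255.255
        set allowaccess ping
    next
end
config firewall address
    edit "loopback"
        # /16: the SD-WAN rule matches on the first two octets only
        set subnet 10.127.0.0 255.255.0.0
    next
end
config system virtual-wan-link
    config members
        edit 5
            # the gateway the GUI left empty until the tunnel got an IP
            set interface "to-NYC"
            set gateway 10.1.20.2
        next
    end
    config health-check
        edit "VPN-health-check"
            # remote loopback (assumed 10.127.0.2), pinged through the tunnel
            set server "10.127.0.2"
            set members 5
        next
    end
    config service
        # SD-WAN rules are top-down: keep this above the generic Internet rule
        edit 1
            set name "VPN-loopback-health-check"
            set mode manual
            set dst "loopback"
            set priority-members 5
        next
    end
end
config firewall policy
    # allow only ICMP from the SD-WAN to the local loopback, no NAT
    edit 0
        set name "VPN-loopback-health-check"
        set srcintf "virtual-wan-link"
        set dstintf "loopback"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
end
```

The NYC side mirrors this with the tunnel addresses swapped and the health-check server pointed at the HQ loopback 10.127.0.1.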