Tuesday, March 4, 2014

My first experience with VMware vCHS - Part 1 - Setup and IPSEC

Prologue to vCHS Migration

I've decided to do a few articles regarding my migration to VMware vCHS (cloud hosting) solution and this is the 1st in the series.

I've had a few significant technical issues but the support has been as good as I can imagine. Last night I even met up with the specialty sales rep assigned to my account and we spent nearly 3 hours talking over dinner about things in general and my project. VMware is not only doing more than I could hope to get me up and running, but they're also looking at how they can help me through their "success stories" to promote our business in a mutually beneficial manner, which is wonderful because after 10 years of seeing 20%+ growth per year, we're likely going to explode this year, leaving those gains in the dust, and any help they provide will only strengthen our growth.

By the way, the "Customer Success Team" isn't a hollow catch-phrase. It reminds me of my experience as a consumer with American Express. They JUMP every time I need help. We have scheduled 2-hour calls (that went 3 hours) where they literally sat on the phone with me to walk through issues and waited for me to learn and question them, AND did it with a wonderful attitude (sincerely eager to help).

In summary, the migration has been rough, but when does one ever go smoothly? That said, I can't imagine a better infrastructure than they're giving me, and their support is the best I've seen for any product/service anywhere, save perhaps for the high-end auto purchase experiences I've had.

I would HIGHLY recommend vCHS to anyone that needs a rock-solid, highly flexible hosting solution that covers everything end-to-end.

At the moment we have 3 units of the VPS solution (they have dedicated and shared; VPS is the shared solution), which includes 15GHz dedicated CPU (you really can't talk cores or speed with the way they work), 30GHz burst, 60GB RAM (dedicated) and 2TB of SAN storage that is SSD cached. I'm constantly seeing 150-250MB/s with <2ms latency, and my SQL Server is running as fast as it was locally on dual quad-core Xeons with an 8-disk RAID 10 over 15k SAS drives.

My first experience with VMware vCHS - Part 1 - Setup and IPSEC

My present hosting provider hasn't been a pleasant experience. I seem to have some bad luck this way. My last experience was with Rackspace, who has very good service in so many ways, but I found out the hard way that their security is severely lacking, and when they made a mistake that cost me $10,000s, they had NO interest in taking responsibility. I'm not big on lawsuits, so I dealt with the months (almost years) of heartache, moved on and tried Central Host (the hosting division of 8x8, which has since been bought up by Black Lotus).

My experience with 8x8 was a nightmare and I'm still feeling the pain as Black Lotus does their best to clean up the data center I'm in. They've also made amazing efforts to make things right with me, but I'll leave that for my other blog. In the end, they offered me an incredible deal (~$2,000/mo for dedicated virtual hosts, 6-core HT 3.5GHz Xeon CPUs, 32GB RAM, 2TB SATA RAID with 200GB SSD caching, 24 IPs, and each of 2 hosts at different data centers), but they use App-Assure (Xen and/or KVM) and I'm a VMware guy interested in uptime and performance more than raw performance, and I didn't want to learn new systems either. vCenter is amazing and I know how to keep my business running with it, so I went with vCHS. I also appreciate the way vCHS scales compared to typical virtual hosting solutions: I don't have to worry about "hosts".

The way the actual provisioning went was very straightforward. I got an email once the contract was signed telling me provisioning had started. Once provisioning was done, I got an email with vCloud login and password setup links. I set my password, logged in, and headed over to the edge network configuration interface in the vCloud Director portal (the things they haven't simplified and put into the vCHS portal are accessed through a full-blown vCloud Director instance, which I prefer anyway, not having really taken to the vSphere Web interface as it is).

Since I use pfSense (presently 2.1, and everything below assumes that) at all my other data centers, I did a quick search and ended up using THIS guide as a reference to catch the nuances of their IPSec implementation (main/aggressive, which encryption he got working, etc.).

From there I went to my only gateway, edge gateway services, enabled VPN, set up the public IP, then added my tunnel (they combine phase 1 and phase 2 into a single UI). I quickly found that they use main and not aggressive mode, which I should have caught from the tutorial I found. This is where I had my first issue. The vCloud Director gateway status shows "System Alerts" with a red icon that was clickable, and I wanted to see what it had to say, so I clicked it and watched the entire UI refresh. I tried this a few times before giving up. I'm guessing it's a popup blocker issue at this point, but since the Director comes up in a new window with no address bar and uses Flash (grr, WHY would they do that with such a new system???!!!), there was no way to tell quickly, so I gave up there and went back to the pfSense logs to see how things were going.

As is so often the case when doing IPSEC between pfSense and anything other than pfSense, I had to figure out what IPSEC standards they use. Here's what I found, and I hope it saves someone some time. It's taken me years to get to a point where this doesn't become an all-night project:

If you know what you're doing and want to skim the settings, just know that even though vCHS asks for "Peer ID", it only supports Main mode, which only supports IPs as IDs, so Peer ID MUST be the remote gateway IP. This stinks for those of us trying to use more advanced methods to get around dynamic IPs. Really, "Peer ID" should read "Peer IP", and the only reason you have to provide both it AND "Peer IP" (which should read "Peer Gateway IP") is because they do support NAT-T.

Once I realized my mistake with the Peer ID, I had to delete the entry and create a new one, then got an error about "Configuring Edge Gateway Services". I refreshed and it disappeared, so I figured it was a fluke until I was seeing the same errors about IDs, and when I checked vCHS, the settings were back to the first entry. So I deleted and tried again, triple-checking using the settings below, and THEN I got a connection (I already had phase 2 set up; see Phase 2 below Phase 1 for settings). Once everything was working, my IPSec log had only 3 entries before a full connection (since there were so few options or advanced features being used).

Phase 1
  • Main Mode
  • Name: Anything descriptive you like
  • Description: More descriptive stuff you like
  • Enable this VPN: checked (default)
  • Establish VPN to: "a remote network"
  • Local Endpoint: (predefined external IP endpoint at the vCHS end)
  • Local ID: The vCHS public IP assigned to the local endpoint (pfsense: Remote Gateway and Peer identifier)
  • Peer ID: The IP of the remote gateway (pfsense: My identifier, My IP Address)
  • Peer IP: The IP of the remote gateway
  • Encryption protocol: AES-256 (pfsense: same for Phase 1 Encryption algorithm)
  • pfsense-Hash: SHA1
  • pfsense-DH Key Group: 2 (1024 bit)
  • pfsense-Lifetime: 28800
  • pfsense-Nat-T: Disable (if you need it, enable and update the Local ID on vCHS accordingly)

Phase 2 (pfsense)
  • Mode: Tunnel IPv4
  • Local Network: Lan subnet
  • Remote Network: CIDR format for remote subnet (ex.
  • Protocol: ESP
  • Encryption: AES 256 (they only appear to support AES at this time)
  • Hash: SHA1
  • PFS key group: 2 (1024 bit) (they support off also)
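Because the "Peer ID must be the remote gateway IP" rule above and the Phase 1/Phase 2 lists are the whole trick to getting this tunnel up, here is an added example (not code from this post, from pfSense or from VMware) that checks a tunnel definition against exactly those settings before you touch the vCHS UI. The dictionary layout, the key names, and the two sample tunnels (using documentation address ranges) are assumptions constructed for illustration; the config is read from the vCHS side, so `local_*` is the vCHS edge and `peer_*` is the pfSense gateway.

```python
"""Sanity-check an IPsec tunnel definition against the pfSense <-> vCHS
settings the post reports as working.

Added example: not code from the post, from pfSense or from VMware.  The
dictionary layout, key names and sample tunnels are assumptions made here.
"""
import copy
import ipaddress

# Phase 1 values the post found to work (vCHS side; pfSense mirrors them).
VCHS_PHASE1 = {"mode": "main", "encryption": "aes256", "hash": "sha1",
               "dh_group": 2, "lifetime": 28800}
# Phase 2 values; PFS may be DH group 2 or off (None).
VCHS_PHASE2 = {"mode": "tunnel", "protocol": "esp", "encryption": "aes256",
               "hash": "sha1"}
VCHS_PFS_GROUPS = {2, None}


def _is_ip(value):
    """True if value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def validate_tunnel(cfg):
    """Return a list of problems; an empty list means the tunnel matches
    the settings the post found to work."""
    problems = []
    p1, p2 = cfg["phase1"], cfg["phase2"]

    if p1.get("mode") != VCHS_PHASE1["mode"]:
        problems.append("phase1: vCHS only supports Main mode")

    # Main mode identifies peers by address, so each side's ID must be its
    # gateway IP (vCHS's "Peer ID" field is effectively "Peer IP").
    for side in ("local", "peer"):
        ident, addr = p1.get(f"{side}_id"), p1.get(f"{side}_ip")
        if not _is_ip(addr):
            problems.append(f"phase1: {side}_ip {addr!r} is not an IP address")
        elif ident != addr:
            problems.append(
                f"phase1: {side}_id {ident!r} must equal {side}_ip {addr!r} "
                "(Main mode uses IP identifiers)")

    for key in ("encryption", "hash", "dh_group", "lifetime"):
        if p1.get(key) != VCHS_PHASE1[key]:
            problems.append(
                f"phase1: {key} is {p1.get(key)!r}, expected {VCHS_PHASE1[key]!r}")

    for key, want in VCHS_PHASE2.items():
        if p2.get(key) != want:
            problems.append(f"phase2: {key} is {p2.get(key)!r}, expected {want!r}")

    if p2.get("pfs_group") not in VCHS_PFS_GROUPS:
        problems.append("phase2: pfs_group must be 2 (1024 bit) or off (None)")

    # Both subnets must be valid CIDR blocks with the host bits clear.
    for key in ("local_network", "remote_network"):
        try:
            ipaddress.ip_network(p2.get(key, ""), strict=True)
        except ValueError:
            problems.append(
                f"phase2: {key} {p2.get(key)!r} is not a valid CIDR subnet")

    return problems


# Constructed sample: a tunnel that follows the post's settings.
GOOD_TUNNEL = {
    "phase1": {"mode": "main",
               "local_ip": "203.0.113.10", "local_id": "203.0.113.10",
               "peer_ip": "198.51.100.20", "peer_id": "198.51.100.20",
               "encryption": "aes256", "hash": "sha1",
               "dh_group": 2, "lifetime": 28800},
    "phase2": {"mode": "tunnel", "protocol": "esp", "encryption": "aes256",
               "hash": "sha1", "pfs_group": 2,
               "local_network": "10.10.0.0/24",
               "remote_network": "192.168.1.0/24"},
}

# Constructed sample with the mistake the post describes (a hostname as the
# Peer ID), an unsupported PFS group and a subnet with host bits set.
BAD_TUNNEL = copy.deepcopy(GOOD_TUNNEL)
BAD_TUNNEL["phase1"]["peer_id"] = "pfsense.example.net"
BAD_TUNNEL["phase2"]["pfs_group"] = 5
BAD_TUNNEL["phase2"]["remote_network"] = "192.168.1.5/24"

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_TUNNEL), ("bad", BAD_TUNNEL)):
        print(name, validate_tunnel(cfg) or "OK")
```

Run it and the bad tunnel reports exactly the three mistakes, the first being the Peer ID one that cost the post its first connection attempt; fix the reported fields on the vCHS side (or in pfSense, mirrored as the lists show) before retrying.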
