FusionHub and IPSec VPN


#1

Hello,

I have a need to be able to do IPSec VPN from a FusionHub instance running in AWS.

Why has the IPSec VPN feature been removed from FusionHub? Is that a feature that Peplink is planning to re-introduce?

This is needed sooner rather than later, otherwise I’ll need to go to a different (less desirable) connectivity model between my Peplink Balance sites and my several AWS VPCs.

Thanks,


#2

Hello,

FusionHub is designed specifically as a SpeedFusion/PePVPN terminator to connect to other Peplink/Pepwave devices.


#3

Further to Jarid’s response, FusionHub has been designed and built from the start to act as a SpeedFusion VPN concentrator - it should not be considered a like-for-like Balance router replacement.

Although we are continuously working on and adding new features to FusionHub, each feature addition is carefully considered with the intention of keeping FusionHub’s codebase and resource requirements low, so that it can be run cost-effectively on many different types of commercial hypervisor platforms.

I frequently see FusionHub deployed in the cloud alongside an additional Layer 3 virtual or physical router appliance, which is a nice approach as the customer can use whatever flavour of router they prefer to then tightly integrate with their existing infrastructure. So you could host a FusionHub VM alongside a pfSense VM and leverage pfSense for IPsec connectivity, for example. Also, it’s worth noting that FusionHub-to-FusionHub PepVPN is possible, and this is a nice way to link cloud environments from different providers together (i.e. AWS to external and internally hosted VMware environments), as well as pools of VMs hosted on the same provider’s network but in different geographical datacenters.


#4

Appreciate the response. The requirement is for us to be able to provide a fault-tolerant AWS-based deployment that would permit us to connect a multi-VPC implementation to multiple physical sites. While the physical sites are interconnected to each other with SpeedFusion and IC2, there’s a need to have a more controlled communications path (i.e., not a full mesh) that can use a routing protocol to provide redundant connections. SpeedFusion from the multiple Balance routers that we’ve deployed to FusionHub deployments at communication hub VPCs would appear to solve the problem for us, but the reduced feature set (i.e. no routing protocol, and no IPsec VPN) makes this unsuitable for our goals.

Ah well - seems like a good idea. Let me know when you guys decide to meet the needs of enterprises by offering a more robust feature set.


#5

OK, so a WAN topology consisting of multiple remote sites, each using physical multi-WAN Peplink appliances that are in a full or partial VPN mesh, and that subsequently also have two additional SF profiles configured to connect each remote site to both an active and a failover DC, where FusionHub virtual appliances terminate the VPN, will, I believe, be possible soon using fw6.3 and OSPF as the routing protocol, with costs set to control active / failover path usage.

Still not clear about where and why you need IPsec. Perhaps you could elaborate?


#6

I need IPSec in order to connect from the FusionHub instances in our AWS communication hub VPC over to VyOS instances running OpenVPN connecting to multiple production VPCs.

The challenge is that HA between systems residing in differing AWS availability zones is very difficult, since there’s no Layer 2 multicast/broadcast between systems. As such, mechanisms such as VRRP cannot operate. Therefore, some other mechanism is required to do so. Take a look at this article to see what’s required: http://aws.amazon.com/articles/2781451301784570.

The long and short of it is that even with a routing protocol, I can provide redundant paths with FusionHub, but I must do something else to provide a redundant next-hop within a VPC. FusionHub cannot provide that mechanism. However, if FusionHub were able to perform OSPF and give us IPsec VPN, then it could serve as a great bridge between our physical sites, which are connected via Balance-based SpeedFusion, and our cloud solution.


#7

Hi,

Can you please provide a simple network diagram that illustrates the network setup that you need to achieve using the FusionHub?

Thank You


#8

Hi,

I am trying to establish approximately the same setup.
I’m blocked at the required FusionHub configuration. I want to avoid running a dedicated pfSense and FusionHub server just for this customer, but I fear that I’ll have to activate “SpeedFusion Peers Access Internal Network”.


Currently, SF and IPsec are established, but I can’t ping from the PC (192.168.30.10) to the site LAN (10.X.X.X).
The IPsec tunnel is configured with remote LAN 10.0.0.0/16 and local LAN 192.168.30.1/24.

I guess I’m missing some routing on the pfSense, but the required configuration on the FusionHub is not clear to me.

Can you advise on the pfSense and FusionHub configuration for appropriate routing?


#9

Hi,

FusionHub

  1. Please enable the LAN interface on FusionHub. Please refer to the user manual to enable the LAN interface.

  2. Follow the settings in the screenshot below. Please take note that we will set a default route for all SpeedFusion remote peers to pfSense.


  1. Route 192.168.30.0/24 from pfSense to FusionHub.

Hope this helps.


#10

Hi TK,

Thanks for the fast answer.

If the LAN IP has to be 192.168.1.203, does it mean that I can leave the WAN IP empty or even remove the WAN interface?

The FusionHub is getting its public IP address via the pfSense as a virtual IP. The pfSense forwards all traffic from [publicip1] to 192.168.1.203 and the FH uses the pfSense as a gateway for outgoing traffic.


#11

Hi Paille,

The WAN interface must be there. It will serve the SpeedFusion connections from remote peers. Of course, you need to ensure the WAN and LAN interfaces are on different subnets.

"The FusionHub is getting its public IP address via the pfSense as a virtual IP. The pfSense forwards all traffic from [publicip1] to 192.168.1.203 and the FH uses the pfSense as a gateway for outgoing traffic."
Do you mean pfSense is doing NAT mapping (mapping a public IP to 192.168.1.203) for FusionHub’s LAN IP? If so, I believe this doesn’t affect the IPsec traffic. Users behind the HD4 will still see the original IP (10.0.0.x) from the customer site.


#12

OK, but then I would have a similar setup twice for LAN and WAN, as they are the same. All WAN traffic goes through the IPsec; it “owns” the management of publicip1.

On FusionHub

WAN:

IP: 192.168.1.203 (virtually publicip1)
GW: 192.168.1.202

LAN:

IP: 192.168.1.205
GW: 192.168.1.202


#13

Hi Paille,

I think there is some misunderstanding here. Please find the attached diagram below. May I know if this is the actual connectivity?


If my assumption is correct, your routing path will be 192.168.30.10 —> HD4 —SpeedFusion tunnel—> FusionHub —> pfSense —IPsec tunnel—> 10.0.0.x

Please provide trace route result from 192.168.30.10 to 10.0.0.x.

Thank you.


#14

Yes, this is the setup.

But then I don’t understand if the LAN on FusionHub is needed or not.
The way I understand your last graph is that there is only WAN and the option SF peers access WAN is active.

Correct?


#15

As soon as I deactivate NAT in the FH WAN parameters, the device goes offline, with no access to the Net.


The traceroute is blocked at the router IP: 192.168.30.1

I guess everything relies on the WAN, LAN & IPsec configuration of the pfSense.

I’m sending all 500 & 4500 traffic from WAN to LAN and the tunnel can establish.
I should have FusionHub forwarding my 192.168.30.X traffic into the LAN.
The IPsec traffic is forwarded to 192.168.1.203 (not sure about this, I tried with and without but no effect).

I’m missing the link between my LAN 192.168.30.X and the IPsec remote side 10.0.X.X.
I’m also missing internet access for SF peers.
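As an added illustration (not code from Peplink, pfSense or anyone in this thread), the following Python models the path TK laid out and the routing steps from his earlier answer: the FusionHub default route towards pfSense, the pfSense route for 192.168.30.0/24 back to FusionHub, and the IPsec selectors as written. The device names and the remote host 10.0.0.5 are assumptions; it shows that without the pfSense return route the forward packet leaves but the reply is sent to the internet (the symptom of a traceroute that stops early), and that traffic sourced outside the local selector, such as from a 192.168.1.x FusionHub address, is never put into the tunnel.

```python
import ipaddress

# Constructed model (not Peplink or pfSense code) of the path described above:
# 192.168.30.10 -> HD4 -SpeedFusion-> FusionHub -> pfSense -IPsec-> 10.0.0.x
# A table is a list of (prefix, next_hop); next_hop is another device, "local"
# (delivered), or "ipsec" (taken only when the packet matches both tunnel selectors).
IPSEC_LOCAL = ipaddress.ip_network("192.168.30.1/24", strict=False)  # -> 192.168.30.0/24
IPSEC_REMOTE = ipaddress.ip_network("10.0.0.0/16")

def routes(entries):
    return [(ipaddress.ip_network(p, strict=False), nh) for p, nh in entries]

def next_hop(table, dst):
    """Longest-prefix match; None when nothing matches."""
    matches = [(net.prefixlen, nh) for net, nh in table if dst in net]
    return max(matches)[1] if matches else None

def walk(topology, start, src, dst, max_hops=8):
    """Forward one packet device by device; returns (delivered, hops)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops, device = [start], start
    for _ in range(max_hops):
        nh = next_hop(topology[device], dst)
        if nh == "ipsec":  # pfSense encrypts only traffic matching the phase 2 selectors
            nh = "remote_site" if src in IPSEC_LOCAL and dst in IPSEC_REMOTE else "internet"
        if nh in (None, "internet"):
            return False, hops + [nh or "no-route"]
        hops.append(nh)
        if nh == "local":
            return True, hops
        device = nh
    return False, hops + ["loop"]

def round_trip(topology, pc, server):
    """A ping needs both directions delivered; a missing return route shows up here."""
    fwd_ok, fwd = walk(topology, "HD4", pc, server)
    ret_ok, ret = walk(topology, "remote_site", server, pc)
    return fwd_ok and ret_ok, fwd, ret

def topology(pfsense_return_route):
    """pfsense_return_route toggles the 'route 192.168.30.0/24 to FusionHub' step."""
    pf = [("10.0.0.0/16", "ipsec"), ("0.0.0.0/0", "internet")]
    if pfsense_return_route:
        pf.append(("192.168.30.0/24", "FusionHub"))
    return {
        "HD4": routes([("192.168.30.0/24", "local"), ("0.0.0.0/0", "FusionHub")]),
        "FusionHub": routes([("192.168.30.0/24", "HD4"), ("0.0.0.0/0", "pfSense")]),
        "pfSense": routes(pf),
        "remote_site": routes([("10.0.0.0/16", "local"), ("192.168.30.0/24", "pfSense")]),  # far tunnel end
    }
```

Call `round_trip(topology(True), "192.168.30.10", "10.0.0.5")` and the same with `topology(False)` to compare the two return paths.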


#16

Hi Paille,

Since my drawing is correct, the LAN interface is not needed for your case. I misinterpreted your diagram initially because there is a LAN IP on FusionHub. Sorry, my bad.

  1. Which device goes offline? FusionHub? FusionHub goes offline in InControl2?
  2. “Net” is referring to internet?

I need to ensure we are on the same page. Then I can provide a better suggestion on this.

Thank you.