How to Set Up a VPN for Your OVHcloud Zerto Disaster Recovery Plan

This article provides an outline of how to configure a virtual private network (VPN) between an on-premises Zerto platform and an OVHcloud Hosted Private Cloud (HPC). We will use the OPNsense open-source VPN solution as an example and explain the simplest way to set up a VPN tunnel to the Zerto network.

Prerequisites

• One public IP available on the target HPC for the VPN endpoint
• A Zerto platform installed on the on-premises platform
• Virtual Replication Appliances (VRAs) on both sides that are able to connect to the counterpart on TCP ports 4007 and 4008
• Zerto administration consoles or Zerto Virtual Managers (ZVMs) that are able to connect to the counterpart on TCP port 9081

Topics

• Solution Overview
• Activating Zerto Features in the OVHcloud Manager
• Activating the IPsec Service
• Setting Up the IPsec Tunnel
• Setting Up the Firewall
• Zerto Virtual Manager Pairing

Solution Overview

Listed parameters:

On-premises side:

• VPN endpoint public IP address (1)
• VPN internal IP address (2)
• ZVM internal IP address (3)
• ZVM internal network (4)

OVHcloud side:

• VPN endpoint public IP address (5)
• ZVM internal network (6)
• ZVM internal IP address (7)

Note: You need to decide in which network you will deploy the OVHcloud ZVM. This avoids any overlap with local networks, which would prevent routing. You can either accept the suggested network or provide your own as long as it is within a valid /23 range.

Step 1: Activating Zerto Features in the OVHcloud Manager

Zerto features can be activated quickly and easily in the OVHcloud Manager. To do so, log into the Manager and select the PCC datacenter on which you wish to configure Zerto from the left-hand sidebar. Then click the Disaster Recovery Plan (DRP) tab.

On this tab, select Between your infrastructure and an OVHcloud Private Cloud. Then click Activate Zerto DRP.

Next, select a free public IP from the dropdown menu.

Now, choose the desired network range for the ZVM deployment.

 Finally, confirm the VRA network range and then click Install.

Now that we have activated Zerto in the OVHcloud Manager, we will activate configure our IPsec service.

Step 2: Activating the IPsec Service

From the OPNsense interface, click the VPN menu on the left and select IPsec and then Tunnel Settings from the ensuing menus.

Check the Enable IPsec box and click Save.

Now that the IPsec tunnel is enabled, we will look at how to set it up.

Step 3: Setting Up the IPsec Tunnel

To configure the IPsec tunnel, we will define two sets of parameters: Phase 1 and Phase 2.

Setting Up Phase 1

In the VPN menu, go to Tunnel settings, and click the + to add Phase 1.

Check that the default values are correct. If so, add the OVHcloud IPsec endpoint IP address in the "Remote gateway" field.

On the "Authentication" screen, ensure that the default values are valid and add the shared secret for authentication to the "Pre-Shared Key" field.

On the "Phase 1 proposal (Algorithms)" page, set the values as follows:

Click Save and Apply changes once you have confirmed that everything is correct. If you have done everything correctly, Phase 1 will now be present in the interface.

Now that we have configured Phase 1, we will move on to configuring Phase 2.

Setting Up Phase 2

To begin, click the + Show 0 Phase-2 entries button.

You will need to add a new Phase 2 since there is not one by default.

Click the + button to create Phase 2.

Make sure the "Mode" is set to Tunnel IPv4.

Next, on the "Local Network" page, set the "Type" as LAN subnet.

On the "Remote Network" page,  we will use the ZVM IP and the associated network range in CIDR notation. On the OVHcloud side, the ZVM subnet will always be /23.

Finally, on the "Phase 2 proposal (SA/Key Exchange)" page, select the values chosen in the following screenshot:

You can leave the advanced options set to their default values. When you have confirmed that everything is correct, click the Save and Apply changes buttons.

Checking VPN Status

Now that we have configured Phase 1 and Phase 2, we are going to check our VPN's status. To do so, click the VPN button on the left-hand menu and then select IPsec and Status Overview from the ensuing menus.

 Next, click the orange triangle on the right to initiate the connection.

 

If all of the parameters are correct, the tunnel will come up and two new icons will appear:

• tear down tunnel
• tunnel information

Click the information icon.

The tunnel is now up. Make sure to add a route to the OVHcloud ZVM network on your local ZVM if required.

Troubleshooting

If the tunnel is not coming up, make sure that the following parameter values are identical on both sides:

• Shared secret
• Remote endpoint IP address
• Remote network range

Make sure that a firewall is not interfering in the dialog between the local and remote endpoints.

You can check the IPsec log file in /var/log/ipsec.log on the OPNsense appliance to get more information.

Step 4: Setting Up the Firewall

To allow pairings of on-premises and OVHcloud instances, traffic must be authorized on the following ports:

• TCP 9081 between ZVMs
• TCP 4007/4008 between VRAs

Click the Firewall menu then go to the Rules section and IPsec interface.

Click the Add button to add a new rule.

Set the rule parameters as seen in the following screenshot:

For the "Source" and "Destination" fields, select "Single host or Network" type. The source is the OVHcloud ZVM and the destination is your on-premises ZVM. The destination TCP port is 9081.

Once you have confirmed that everything is configured correctly, click the Save and Apply Change button. Now ZVM traffic will pass through the firewall but we still need to open VRA traffic. VRAs are a bit more complex since there are multiple VRAs on each side that need to be able to exchange information on ports 4007 and 4008. To simplify this setup, we are going to use the alias feature of OPNsense. An alias is a group of objects (e.g., IPs, networks, URLs, etc.) that can be used in firewall rules.

We will define three aliases:

• one for VRA IPs on the customer side
• one for VRA IPs on the OVHcloud side
• one for the ports

You can get the OVHcloud VRAs IP from the destination Private Cloud vCenter interface.

Let's create the OVH_VRA alias for OVHcloud VRAs:

 

Similarly, we can create an alias for the on-premises VRAs:

Finally, you need to create the ports alias:

We now have all the elements we need to implement the required firewall rules to authorize data coming from the OVHcloud platform. It is the same procedure as before; we just need to use the aliases instead of explicit IPs or ports:

At this point, we have a functional and secure link between our on-premises platform and the Private Cloud instance.

Now we just need to pair our on-premises ZVM to our OVHcloud ZVM and everything will be ready to go.

Step 5: Zerto Virtual Manager Pairing

Log in to your on-premises ZVM. The following screen is displayed:

Select "Pair to a site with a license", enter the OVHcloud ZVM IP, and press Start. In the dashboard, you can see the pairing is ongoing:

You will be notified when the pairing is successful:

You can check that your OVHcloud Hosted Private Cloud is visible in the Sites tab.

At this point, your Zerto setup is functional and you can start to create your virtual protection groups (VPGs).

If the on-premises ZVM is not able to successfully contact the OVHcloud ZVM (due to an incorrect firewall setup, for example), you will get the following message:

You will then be brought back to the login screen with the following error message:

The most probable cause is that the OVHcloud ZVM is not authorized to contact your on-premises AVM on TCP 9081 (it needs to be able to initiate the connection).

Conclusion

Having read this article, you should be able to install and configure Zerto for Disaster Recovery from your on-premises infrastructure to OVHcloud. To learn more about how to use your Hosted Private Cloud, please check out the Hosted Private Cloud section of our Support page.