Skip to main content

Setting up a VPN for OVHcloud Zerto DRP

Stephanie R.
Updated

Learn how to get started with a VPN for OVHcloud Zerto Disaster Recovery Plan (DRP).

This guide provides an outline of how to configure a virtual private network between an on-premises Zerto platform and an OVHcloud Hosted Private Cloud. We will use the OPNsense open-source VPN Solution as an example, and explain the simplest way to set up a VPN tunnel to the Zerto network.

 

Requirements

  • One public IP, available on the target Hosted Private Cloud for the VPN endpoint
  • A Zerto platform installed on the on-premises platform

    NOTE: To get the installation package for the On-Prem ZVM, please click here. The password for the file is OVHcloudShare. You must be logged into your OVHcloudShare account to be able to download the file.

  • VRAs (Virtual Replication Appliances) on both sides that can connect to the counterpart on TCP ports 4007 and 4008
  • Zerto administration consoles or ZVMs (Zerto Virtual Managers) that can connect to the counterpart on TCP port 9071

 

Solution overview

image-EN-1.png

Listed parameters:

On-premises side:

  • VPN endpoint public IP address (1)
  • VPN endpoint internal IP address (2)
  • ZVM internal IP address (3)
  • ZVM internal network (4)

OVHcloud side:

  • VPN endpoint public IP address (5)
  • ZVM internal network (6)
  • ZVM internal IP address (7)

 

Instructions

You need to decide which network to deploy the OVHcloud ZVM in. This avoids any overlap with local networks, which would prevent routing.

You can either accept the suggested network or provide your own, as long as it is within a valid /23 range.

 

Topics:

 

Step 1 - Activate Zerto features

It is easy to activate Zerto features from the OVHcloud Control Panel. You just need to select the datacenter linked to the Hosted Private Cloud solution that you want to use, from the Disaster Recovery Plan tab.

image-EN-2.png

First, select Between your infrastructure and an OVHcloud Private Cloud, then click Enable Zerto DRP. Next, select a free public IP from the drop-down menu and enter the desired network range for the ZVM deployment. Confirm the VRA Network range and then click Install.

image-EN-3.png

Proceed through the following menu, selecting your IP address pool, VRA data center network, and your on-premises network.

 

Step 2 - Activate IPsec service

From the OPNsense interface, go to the VPN menu on the left, click the IPsec section, and select Tunnel Settings. Click Enable IPsec and click Save.

image-EN-4.png

image-EN-5png.png

 

Step 3 - Set up IPsec tunnel

You can configure the IPsec tunnel by defining two sets of parameters: Phase 1 and Phase 2.

 

Step 3A - Set up Phase 1

In the VPN menu, go to Tunnel settings, and click on the + to add a new Phase 1:

image-EN-6.png

If the default values are correct:

  • Connection Method: Default
  • Key Exchange version: V2
  • Internet Protocol: IPV4
  • Interface: WAN

The only required parameter is the OVHcloud IPSec endpoint IP address.

image-EN-7.png

Once the default values are valid, you only need to provide the shared secret for authentication.

image-EN-8.png

Supported values for each parameters:

  • Encryption algorithms: AES 256 bits
  • Hash algorithms: SHA256
  • Duffie-Hellman key group: 14 (2048 bits)
  • Lifetime: 28,800 seconds

image-EN-9.png

You can keep the default values for the other parameters. Click Save, then Apply changes.

The new Phase 1 is now present in the interface:

image-EN-10.png

 

Step 3B - Set up Phase 2

Click on +.

image-EN-11.png

Check that the mode is set to "Tunnel IPV4".

image-EN-12.png

The local network type must be set to "LAN subnet".

image-EN-13.png

You need to give the OVHcloud side VRA IP Network.

On the OVHcloud side, the VRA network is always a /23 network (512 IPs).

WARNING: Make sure to double-check the parameters, otherwise the VPN tunnel won't come up.

image-EN-14.png

Supported values are:

  • Protocol: ESP
  • Encryption algorithm: AES 256 bits
  • Hash algorithms: SHA256
  • PFS: Off

image-EN-15.png

You can leave advanced parameters to their default value. Click Save, then Apply changes.

 

Step 3C - Check VPN status

To check the VPN status, select VPN, then IPsec, and Status Overview.

image-EN-16.png

Click the orange triangle on the right to initialize the connection:

image-EN-17.png

If all the parameters are correct, the tunnel will come up, and two new icons will appear:

  • 🅇 tear down tunnel
  • ⓘ tunnel information

Click on the information icon.

image-EN-18.png

The tunnel is now up. Make sure to add, if required, a route to the OVHcloud ZVM network on your local ZVM.

image-EN-19.png

 

Troubleshooting

If the tunnel is not coming up, make sure that the parameter values are identical on both sides:

  • Shared secret
  • Remote endpoint IP address
  • Remote network range

Make sure that a firewall is not interfering with the dialog between the local and remote endpoints.

You can check the IPsec log file in /var/log/ipsec.log on the OPNsense appliance to get more information.

 

Step 4 - Set up the firewall

To allow pairings of on-premises and OVHcloud instances, traffic must be authorized on the following ports:

  • TCP 9071 between ZVMs
  • TCP 4007/4008 between vRAs

 

Step 4A - ZVM opening

Go to the Firewall menu, Rules section, IPsec interface:

image-EN-20.png

Click on Add to create a new rule.

image-EN-21.png

Rule parameters are as follow:

  • Action: "Pass" (authorize traffic)
  • Interface: "IPsec" (incoming traffic coming from the VPN tunnel)
  • Protocol: "TCP"

image-EN-22.png

For "Source" and "Destination", select "Single host or Network" type. The source is the OVHcloud ZVM, and the destination is your on-premises ZVM.

The destination TCP port range is 9071. Click Save and Apply Change.

updatezertoport.png

 

Step 4B - VRAs opening

VRAs opening is a bit more complex since there are multiple VRAs on each side that need to be able to exchange information on TCP ports 4007 and 4008. To simplify this setup, we are going to use the alias feature of OPNsense. An alias is a group of objects IPs, networks, URLs, etc., that can be used in firewall rules.

We will define three aliases:

  • one for VRA IPs on the On-Prem side
  • one for VRA IPs on the OVHCloud side
  • one for the ports

You can get the OVHcloud VRAs' IP from the destination Private Cloud vCenter interface.

image-EN-24.png

Let's create the OVH_VRA alias for OVHcLoud VRAs:

image-EN-25.png

Similarly, we can create an alias for the on-premises VRAs:

image-EN-26.png

Finally, you need to create the ports alias:

image-EN-27.png

We now have all the elements we need to implement the required firewall rules to authorize data coming from the OVHcloud platform. It is the same procedure as before, we just need to use the aliases instead of explicit IPs or ports:

image-EN-28.png

At this point, we have a functional and secure link between our on-premises platform and cloud instance.

image-EN-29.png

Now that all of the network flows and rules have been created, we need to pass them to the OVHcloud side VPN to activate the connection.

To do this, you go back to OVHcloud Manager. You will see that it is requesting you to input the information to complete the setup. The following information will be needed.

image-EN-30.png

 

Step 5 - ZVM Pairing

As of Zerto 10.0_u6, the pairing method now requires a token. To get your pairing token, log in to your OVHcloud ZVM. Go to theSites

Log in to your on-premises ZVM. The following screen is displayed.

Select Pair to a site with a licence, enter the OVHcloud ZVM IP and the token generated in your OVHcloud ZVM, then press Start.

image-EN-32.png

In the dashboard, you can see the pairing is ongoing:

image-EN-33.png

You will be notified when the pairing is successful:

image-EN-34.png

You can check that your OVHcloud PCC is visible in the Sites tab.

image-EN-35.png

At this point, your Zerto setup is functional and you can start to create your virtual protection groups (VPGs).

 

Troubleshooting

If the on-premises ZVM is not able to successfully contact the OVHcloud ZVM (due to an incorrect firewall setup, for example) you will get the following message:

image-EN-36.png

You will then be brought back to the log-in screen, with the following error message:

image-EN-37.png

The most probable cause is that the OVHcloud ZVM is not authorized to contact your on-premises ZVM on TCP 9071 (it needs to be able to initiate the connection).

 

Step 6 - Installing VRAs on Hosts

Once the sites are paired, you will get a pop-up once inside the UI instructing you to deploy VRAs to all hosts. Each host needs to have its own VRA. The requirements for the VRAs and how to configure them can be found here and here respectively.

 

Go further

For more information and tutorials, please see our other Hosted Private Cloud support guides or explore the guides for other OVHcloud products and services.

Related articles