Introduction to vGateway

Overview

In this document, you’ll become familiar with the concepts and basic features of Acreto vGateway.

Functionality

Acreto vGateway is a software appliance that allows simple connectivity between branch offices, on-premise data centers, cloud platforms, and Acreto.

Figure: High-level view of Acreto vGateway

vGateway uses 2 network interfaces:

  • WAN (usually the first interface on the device / VM) - used to communicate with the Internet.
  • LAN (usually the second interface on the device / VM) - used to communicate with the local network.

vGateway acts as a gateway, allowing bidirectional communication between Acreto and the local network using an IPsec connection.

Devices (workstations, VMs, servers, etc.) in the local network should use vGateway’s LAN IP address as their default gateway. vGateway forwards traffic coming to its LAN interface to Acreto, and then sends traffic received from Acreto to its local destination.

Requirements

Supported Platforms

Acreto vGateway is supported on the following platforms:

  • KVM (qcow2)
  • VMware ESXi (.vmdk)
  • VirtualBox (.vdi)
  • Microsoft Hyper-V (.vhdx)
  • Microsoft Azure (.vhd)
  • Raspberry Pi 3 and 4

Network Connectivity

Figure: vGateway physical connectivity diagram

The vGateway LAN interface should be connected to the LAN network. All devices in the LAN network should use vGateway as their default gateway.

The vGateway WAN interface should be connected to the Internet router.

Firewall

Acreto vGateway communicates with Acreto using IPv4 and the IPsec protocol. To allow network connectivity, the firewall needs to allow communication on the following ports and protocols:

  • Protocol: UDP, ports: 500, 4500
  • Protocol: ESP

You can find a list of IP networks used by Acreto on the IPv4 and IPv6 subnets page.

NAT

Acreto vGateway can be installed behind NAT. However, if you are installing more than one vGateway behind the same NAT device, each of them must get a different public IP address.

In addition, the NAT device should have IPsec Passthrough enabled.

Example

In a deployment involving two vGateway devices (192.0.2.10, 192.0.2.11), the NAT device needs to have at least two public IP addresses (198.51.100.10, 198.51.100.11) and define Source NAT rules to assign a different public IP address to each vGateway. In this case:

  • to vGateway 1 - 198.51.100.10
  • to vGateway 2 - 198.51.100.11

Figure: vGateway NAT diagram
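One way to check the NAT requirement above on a Linux NAT device, as an added example that is not Acreto's code: it reads constructed `iptables-save -t nat` output and reports every vGateway that would not leave with its own public IP address. The use of iptables on the NAT device, the interface name eth0 and the function names are assumptions.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output (assumed Linux NAT device).
# vGateway 1 has its own SNAT rule; vGateway 2 falls through to MASQUERADE.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.10/32 -o eth0 -j SNAT --to-source 198.51.100.10
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def egress_address(rules_text, host):
    """Public address given to host by the first matching POSTROUTING rule."""
    host = ipaddress.ip_address(host)
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "POSTROUTING"] or "-j" not in tok:
            continue
        # No -s means the rule matches any source; negated (! -s) is not handled.
        src = tok[tok.index("-s") + 1] if "-s" in tok else "0.0.0.0/0"
        if host not in ipaddress.ip_network(src, strict=False):
            continue
        target = tok[tok.index("-j") + 1]
        if target == "SNAT" and "--to-source" in tok:
            return tok[tok.index("--to-source") + 1]
        if target in ("MASQUERADE", "ACCEPT", "RETURN"):
            # ACCEPT/RETURN end the chain without translation.
            return "MASQUERADE" if target == "MASQUERADE" else None
    return None

def audit(rules_text, vgateways):
    """Return a list of problems; empty means each vGateway has its own public IP."""
    problems, seen = [], {}
    for gw in vgateways:
        addr = egress_address(rules_text, gw)
        if addr is None:
            problems.append(f"{gw}: no source NAT rule matches")
        elif addr == "MASQUERADE":
            problems.append(f"{gw}: masqueraded behind the shared interface address")
        elif addr in seen:
            problems.append(f"{gw}: shares {addr} with {seen[addr]}")
        else:
            seen[addr] = gw
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["192.0.2.10", "192.0.2.11"])) or "OK")
```
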

Specification

  • Base OS:
    • Raspberry Pi version: Ubuntu 20.04 (LTS)
    • Other platforms: Ubuntu 18.04.5 (LTS)
  • Disk size (raw): 5400 MB
  • Open ports:
    • TCP 22 (SSH)
    • UDP 500, UDP 4500 (IPsec)

Configuration

Web-based Configuration

The recommended way to configure Acreto vGateway is to modify configuration at https://wedge.acreto.net, and then generate and download a new image.

Manual Configuration

Acreto vGateway is a Linux-based solution. Administrators can connect to and manage vGateways using the SSH protocol and standard Linux tools. To get access credentials for your vGateway, please contact support.

Warning

vGateways with configuration modified by administrators might not be supported by Acreto.

The network configuration of Acreto vGateway is implemented using Netplan configuration files, placed in /etc/netplan. Refer to the Netplan website for more information.

IPsec connections are defined in the strongSwan ipsec.conf configuration format, in files placed in /etc/ipsec.d/*.conf on the vGateway. The list of subnets that should be routed through Acreto is stored in /etc/ipsec.d/*.route files.

Alternatives

You can find other connectivity options on the Connect to the Acreto platform page.

Licensing Information

Acreto vGateway uses open-source software that is part of Ubuntu Linux. You can find more licensing information on the Ubuntu website, at https://ubuntu.com/licensing.