How to

List of ‘How to’ articles

Subsections of How to

How To Setup NAT Loopback

Before You Start

DIAGRAM NEEDED

Overview

In this article, you’ll learn how to setup NAT loopback, also knowns as hairpin NAT.

Prerequisities

In order to setup NAT loopback, you will need:

  1. Active Acreto Ecosystem

The Purpose of NAT Loopback, known as Hairpin NAT

NAT loopback, also known as Hairpin NAT, is a technique that allows users on the internal network to access a server on the same network using its public IP address.

This can be useful in situations where the server is configured to use a public IP address, and users need to access it from both the internal and external networks.

Here is a step-by-step guide on how to configure NAT loopback:

How To Steps

Step 1: Create a new ecosystem

To configure NAT loopback, you will need to have a network infrastructure that supports it. Start by creating a new Ecosystem, if you don’t already have one set up.

Step 2: Create a WireGuard gateway object

To enable VPN connectivity, you need to create a WireGuard gateway object. This object will be used to configure VPN connectivity to the ecosystem.

Step 3: Connect a VM running a WebServer using WireGuard VPN to the Ecosystem

Connect a virtual machine running a web server to the ecosystem using WireGuard VPN. This VM will serve as the target server for NAT loopback.

Step 4: Create an Allocated-IP object for the WebServer

Create an Allocated-IP object for the web server. This IP address will be used to access the server from the internet.

Step 5: Create a security policy: “any to any”

Create a security policy that allows traffic from any source to any destination.

Step 6: Create a NAT policy: DNAT (inbound)

Create a NAT policy that maps the public IP address of the server to its private IP address. This policy should be configured to allow inbound traffic from any source.

Step 7: Create a NAT policy: NAT-loopback/NAT-U-turn

Create a NAT policy that allows users connected to the VPN to access the web server using its public IP address. This policy should be configured to allow traffic from the VPN subnet to the Allocated-IP object.

Step 8: Create a Thing Device object

Create a Thing Device object for the VPN users (things) that will be connecting to the ecosystem. This object will be used to configure VPN connectivity for the users.

Step 9: Connect to the Ecosystem with Acreto Connect Client (VPN)

As a user, connect to the ecosystem using Acreto Connect Client (VPN) to establish a VPN connection.

Step 10: Connect to the WebServer using the Allocated-IP

As a VPN user, connect to the web server using the Allocated-IP object. This will allow you to access the server using its public IP address, even if you are on the internal network.

Frequently Asked Questions

Q1: Why do I need to setup NAT Loopback, known as Hairpin NAT?

Usually the Orgazniations use Acreto to secure the WebServer or MailServer. If the server is connected to Acreto Ecosystem, and is properly isolated and secured, then to access that Server users may choose to connect:

  1. Using server’s Local IP
  2. Using public IP when connecting from Internet
  3. Using DNS name (which points to public IP) when connecting from Internet, so in fact it’s the same as option 2.
  4. Using DNS name or public IP when connecting using VPN (via Acreto)

Option 4. requires NAT loopback, to allow redirection of the traffic that is originated in local network (source IPs are local), but the destination is Public IP. The loopback policy allows to divert back the traffic to Local IP of the Server.

Summary

The benefit from this NAT Loopback (Hairpin NAT) configuration is for the End-Users.

End-Users can connect the Server using it’s DNS name from any location (inside Ecosystem while connected using VPN such as Acreto Connect Client), or from the Internet.

Identity Providers Overview

Overview

In this article, you will learn how Acreto integrates with Identity Providers (like Active Directory or OKTA) to authenticate your users.

Definitions

Identity Provider on the Acreto Platform

An Identity Provider is a service that verifies and stores user identity information. Some examples of Identity Providers are:

  • Microsoft Active Directory
  • Okta
  • OpenLDAP

2-Factor Authentication

In addition to an Identity Provider, you might also want to configure a 2-Factor Authentication (2FA) provider.

Using a 2FA provider will require your users to provide more than one type of credential when authenticating; for example, a password (something users know) and a code displayed via mobile phone (something users own).

Benefits of Identity Provider Integration

Integrating an Identity Provider will allow you to:

  • Keep credentials under control with centralized management.
  • Avoid data duplication by storing user data in one place only.
  • Control user data processing to ensure compliance with personal data processing regulations, such as GDPR.
  • Limit risks by managing access to your network based on rules and policies.
  • Disable access of company resources for former partners or employees by removing or limiting access rights in a single place.
  • Easily Onboard employees and organization members.
  • Connect to the Acreto Ecosystem with the Identity Provider credentials.

How Acreto Uses Identity Providers

Acreto uses Identity Providers to deliver the following features for data plane users:

  1. Authentication of users connecting with Acreto TLS-Client and OpenVPN
  2. Ability to send invitation emails to data plane users

Acreto sends a request to the Identity Provider each time it needs to access user information. We only store some anonymized user identity data (for example, in Active Directory it is Guid). We might also cache some user data in memory on a short-term basis.

Identity Providers are only used to authenticate an Ecosystem’s data plane users or while connecting to an Ecosystem with OpenVPN or Acreto TLS-Client.

In this section

Subsections of Identity Providers Overview

Active Directory - Azure

Before You Start

Overview

In this article, you’ll learn how to integrate your Azure Active Directory with an Acreto Ecosystem. This process involves the following steps:

  1. Configuration of Azure AD
  2. Configuration of Acreto Ecosystem
  3. Providing an Onboarding Portal link to users
Warning

This feature is currently in beta mode.

Prerequisities

In order to integrate Acreto with Azure Active Directory, you will need:

  1. Active Acreto Ecosystem
  2. Azure Active Directory - Active Subscription is needed - but basic features are free
  3. Azure Active Directory Domain Services - Active Subscription is needed - ~$109.50/month/set

The Purpose of Azure Active Directory Integration

An Azure Active Directory integration allows your Acreto Ecosystem to utilize the user credentials stored in your Active Directory to connect to the Ecosystem using Acreto TLS Client.

It uses the LDAPS (LDAP Secure) protocol and the Domain Services which can be deployed on the Azure account to sync with AD passwords.

The LDAPS protocol is used to establish communication between the Acreto Ecosystem and the Azure Active Directory.

Tip

Administrators integrate with a Lightweight Directory Access Protocol (LDAP) directory to streamline the user login process and to automate administrative tasks, such as creating users and assigning roles. An LDAP integration allows the system to use it’s existing LDAP server as the master source of user data.

Typically, AD integration is also part of a single sign-on implementation.

How Does it Work?

The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.

In the diagram below, you can see the communication flow between some Employee (trying to connect to the Ecosystem using Acreto TLS Client), Acreto Ecosystem and Azure AD.

Communication flow between some Employee and Acreto Ecosystem and Azure AD Communication flow between some Employee and Acreto Ecosystem and Azure AD

Info

The integration never stores LDAP passwords on the Ecosystem.

The integration uses a read-only connection that never writes to the Azure Active Directory. The integration only queries for information.

How To

Configuration of Azure Active Directory

To configure your Azure Active Directory to work with Acreto, please:

  1. Configure secure LDAP for an Azure Active Directory Domain Services managed domain
  2. Enable password synchronization in Azure Active Directory Domain Services
    • If you followed the first tutorial and don’t use on-premises AD the synchronization (between your Azure AD and Azure AD Domain Services) will be enabled by default. However it is needed to reset the password of all current users. It can be done by expiring all the current passwords, or resetting them manually from the Azure AD Users View.

Configuration of Acreto Ecosystem

1.Log in to New or Existing Ecosystem

Login Login

  1. Create Security Policy

    Create a Security Policy that allows users to connect through your Identity Provider to reach all destinations.

    Warning

    In beta mode, all users authenticated using Identity Providers belong to default profile group Profile Group 1. This will change in future versions.

    To simplify the initial configuration, we will create a policy that allows all traffic to be passed through the Ecosystem.

    Info

    You should customize the Security Policy to fit your needs once the Identity Provider setup is complete. It should be configured to limit access to network resources for each group (Profile Group).

    Security Policy Security Policy

    Security Policy Security Policy

  2. Add New Identity Provider

    To add a new Identity Provider, select Objects and Identity Providers from the left menu and then click on “Add New”.

    Add IdP Add IdP

    add idp add idp

    Add IdP screenshot 1 Add IdP screenshot 1

    Add IdP screenshot 2 Add IdP screenshot 2

  3. Fill the form with proper values:

    1. Name - descriptive name for this IdP
    2. Description - description of the IdP
    3. Identity Provider Type - in case of AD config choose one of two available options
    4. Host - domian or IP address of your AD server
    5. Port - 636
    6. Username - user that will be used to connection
    7. Password - password for the user account
    8. User Base DN - for Azure AD use OU=AADDC Users, DC=somedomain, DC=onmicrosoft, DC=com, for On-premise Windows Server AD CN=Users, DC=SOMEDOMAIN, DC=com
Tip

Base DN and other values may be specific for your custom configuration. Check proper configuration in the AD control panel.

  1. Save and commit your changes

To allow users, employees or team members VPN users to authenticate in OpenVPN using Azure AD credentials, Acreto offers unique and individual URLs for every Ecosystem portal called Onboarding Portal.

  1. To access the unique URL to that portal, please click on Edit next to previously added IdP and scroll down.

    Onboarding Portal Onboarding Portal

  2. Then, click on the icon to copy the URL.

    Onboarding Portal Onboarding Portal

  3. Now, provide the generated link to your users.

VPN User Experience

When the End User or Employee opens the Onboarding Portal, the Welcome Page will be presented.

The Ecosystem Admin should share this URL with the End Users, ask them to open it, and then follow instructions.

Onboarding screenshot 1 Onboarding screenshot 1

Onboarding screenshot 2 Onboarding screenshot 2

Frequently Asked Questions

  1. Active Directory included into Office 365 subscription sufficient for the integration?

    No, Office 365 subscription covers only the free Azure Active Directory.

    You need Azure Active Directory Domain Services which is an additional subscription from Microsoft.

  2. Why is it required to enable password synchronization in Azure Active Directory Domain Services?

    Enable password synchronization in Azure Active Directory Domain Services - As documented on Microsoft article Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain:

    Users (and service accounts) can’t perform LDAP simple binds if you have disabled NTLM password hash synchronization on your managed domain.

    Acreto uses LDAP simple binds, therefore NTLM password hash synchronization feature needs to be enabled.

    If you followed the first tutorial and don’t use on-premises AD the synchronization (between your Azure AD and Azure AD Domain Services) will be enabled by default. However it is needed to reset the password of all current users. It can be done by expiring all the current passwords or resetting them manually from the Azure AD Users View.

Summary

Thanks to Acreto and Azure Active Directory Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.

Also, Acreto Ecosystem Admin(s) can re-use any existing password and security policies that are already in place. For example, the Active Directory may already have account lockout and password expiration policies.

Active Directory - Windows Server

Overview

In this article, you’ll learn how to integrate your Windows Server Active Directory with an Acreto Ecosystem. This process involves the following steps:

  1. Configuration of Windows Server Active Directory
  2. Configuration of Acreto Ecosystem
  3. Providing an Onboarding Portal link to users

The Purpose of Active Directory Integration

An Active Directory integration allows your Acreto Ecosystem to utilize the user credentials stored in your Active Directory to connect to the Ecosystem using Acreto TLS Client.

The LDAPS protocol is used to establish communication between the Acreto Ecosystem and the Active Directory.

Tip

Administrators integrate with a LDAP (Lightweight Directory Access Protocol) to streamline the user login process and to automate administrative tasks, such as creating users and assigning roles. An LDAP integration allows the system to use it’s existing LDAP server as the master source of user data.

Typically, an AD integration is also part of a single sign-on implementation.

How Does it Work?

The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.

In the diagram below, you can see the communication flow between some Employee (trying to connect to the Ecosystem using Acreto TLS Client), Acreto Ecosystem and AD.

%%{init:{"fontFamily":"monospace", "sequence":{"showSequenceNumbers":true}}}%%
sequenceDiagram
    Employee->>Ecosystem:Here is my password.
    Ecosystem->>Azure AD: is Employee's password.
    Azure AD->>Ecosystem: Sure, let the Employee in!
    Ecosystem->>Employee: Welcome!
Info

The integration never stores LDAP passwords on the Ecosystem.

The integration uses a read-only connection that never writes to the Active Directory. The integration only queries for information.

Prerequisite

To complete this procedure, you should:

  1. Have an active and configured Ecosystem.
  2. Have an active Windows Server with installed Active Directory Domain Services.
  3. Have basic knowledge of LDAP protocol.

Configuration of Windows Server Active Directory

Install the “Active Directory Certificate Services” role through Server Manager roles.

  1. On your Windows Server Machine, click on Start –> Server Manager –> Add Roles and Features.
  2. After selecting Add Roles and Features Click on Next.
  3. Choose the Role-based or feature-based installation option and click on the Next button.
  4. Choose Select a server from the server pool option & Select LDAP server from the server pool and click on the Next button.
  5. Choose the Active Directory Certificate Services option from the list of roles and click on the Next button.
  6. Choose nothing from the list of features and click on Next button.
  7. In Active Directory Certificate Services (AD CS) choose nothing and Click on Next button.
  8. Mark Certification Authority from the list of roles and Click on Next button.
  9. Click on Install button to confirm installation.
  10. Now, click on Configure Active Directory Certificate Services on Destination Server option and click on Close button.
  11. We can use the currently logged on user to configure role services since it belongs to the local Administrators group. Click on Next button.
  12. Mark Certification Authority from the list of roles and Click on Next button.
  13. Choose Enterprise CA option and Click on Next.
  14. Choose the Root CA option and Click on the Next button.
  15. Choose to Create a new private key option and click on the Next button.
  16. Choose most recent hasing alhorithm from the list of options. For minimum recommended configuration choose SHA256 as the hash algorithm and Click on Next.
  17. Click on the Next button.
  18. Specify the validity of the certificate choosing Default 5 years and Click on Next button.
  19. Select the default database location and Click on Next.
  20. Click on Configure button to confirm.
  21. Once the configuration succeeded and click on Close button.

Create a certificate template

  1. Go to Windows Key+R and run certtmpl.msc command and choose the Kerberos Authentication Template.
  2. Right-click on Kerberos Authentication and then select Duplicate Template.
  3. The Properties of New Template will appear. Configure the setting according to your requirements.
  4. Go to the General tab and Enable Publish certificate in Active Directory option.
  5. Go to the Request Handling Tab and Enable Allow private key to be exported option.
  6. Go to the Subject Name tab and Enable the subject name format as DNS Name and click on Apply & OK button.

Issue certificate template

  1. Go to Start –> Certification Authority –> Right-click on Certificate Templates –> select New –> Certificate Template to Issue.
  2. Now, select your recently created Certificate Template and click on the OK button.

Request a new certificate for the created certificate template

  1. Go to Windows Key+R –> mmc –> From top menu choose File -> Add/Remove snap-in.
  2. Select Certificates, click on Add button, and then click on the OK button.
  3. Select the Computer account option and click on the Next button.
  4. Select the Local computer option and click on the Finish button.
  5. Now, right click on Certificates select All Tasks and click on Request for new Certificate.
  6. Click on the Next button.
  7. Click on the Next button.
  8. Select your certificate and click on Enroll button.
  9. Click on the Finish button.

Export the created certificate

  1. Right-click on the recently generated certificate and select All tasks –> Export.
  2. Click on the Next button.
  3. Select Do not export the private key option and click on the Next button.
  4. Choose Base-64 encoded X .509 file format and click on Next.
  5. Export the .CER file to your local system path and click on Next.
  6. Click on the Finish button to complete the certificate export.

Configuration of Acreto Ecosystem

  1. Login to New or Existing Ecosystem Login Login

  2. Create Security Policy

    Create a Security Policy that allows users connecting through your Identity Provider to reach all destinations.

    Warning

    In beta mode, all users authenticated using Identity Providers belong to default profile group Profile Group 1. This will change in future versions.

    To simplify initial configuration, we will create a policy that allows all traffic to be passed through the Ecosystem.

    Info

    You should customize the Security Policy to fit your needs once the Identity Provider setup is complete. It should be configured to limit access to network resources for each group (Profile Group).

    Security Policy Security Policy

    Security Policy Security Policy

  3. Add New Identity Provider

    To add a new Identity Provider, select Objects and Identity Providers from the left menu and then click on “Add New”.

    Add IdP Add IdP

  4. Fill the settings with connection details

    add idp add idp

  5. Save and commit your changes

To allow users, employees or team members VPN usersto authenticate in Acreto Connect Client using AD credentials, Acreto offers unique andindividual URLs for every Ecosystem portal called Onboarding Portal.

  1. To access the unique URL to that portal, please click on Edit next to previously added IdP and scroll down. Onboarding Portal Onboarding Portal
  2. Then, click on the icon to copy the URL. Onboarding Portal Onboarding Portal
  3. Now, provide the generated link to your users.

VPN User Experience

When the VPN user opens the Onboarding Portal, the Welcome Page will be presented.

The Ecosystem Admin(s) should share this URL with the VPN Users, ask them to open it and then follow instructions.

The first step of onboarding is to recognize the user’s operating system to provide platform-specified installers and profiles.

Onboarding Portal Onboarding Portal

The second step allows you to download the latest version of Acreto Connect Client and the VPN profile.

Onboarding Portal Onboarding Portal

Summary

Thanks to Acreto and Active Directory Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.

Also, Acreto Ecosystem Admin(s) can re-use any existing password and security policies that are already in place. For example, the Active Directory may already have account lockout and password expiration policies.

OKTA

Warning

This feature is currently in Beta.

Introduction

In this article, you’ll learn how to integrate OKTA with an Acreto Ecosystem. The OKTA integration allows your Acreto Ecosystem to utilize the user credentials managed by OKTA to connect to the Ecosystem using Acreto TLS Client.

It uses the LDAPS (LDAP Secure) protocol and the OKTA LDAP Interface which can be deployed on the OKTA account.

Steps

This process involves the following steps:

  1. Enable OKTA LDAP Interface
  2. Configure Acreto Ecosystem
  3. Define Security Policies
  4. Test the integration

How OKTA integration works

The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.

In the diagram below, you can see the communication flow between some Employee (trying to connect to the Ecosystem using Acreto TLS Client), Acreto Ecosystem and Azure AD.

sequenceDiagram
    Employee->>Ecosystem: Hello Ecosystem, can I connect? Here is my password.
    Ecosystem->>OKTA LDAP Interface: Hello OKTA, can Employee connect? Here is Employee's password.
    OKTA LDAP Interface->>OKTA API: Let me know if these credentials are correct.
    OKTA API->>OKTA LDAP Interface: Yes, they are.
    OKTA LDAP Interface->>Ecosystem: Sure, let the Employee in!
    Ecosystem->>Employee: Welcome!
Info

The integration never stores users passwords (except the password provided during Identity Provider configuration).

The integration uses a read-only connection that never writes to the OKTA. It only queries for information.

Limitations

  1. All authentication requests originate from Acreto Ecosystem addresses. Therefore, it’s not possible to implement granular network-based access control on OKTA. See relevant article in OKTA documentation.

  2. We recommend using OKTA Verify Push Verification method for multifactor authentication. If you want to use other methods, see Use multifactor authentication with the LDAP Interface.

Prerequisities

To proceed with setting OKTA for Acreto Ecosystems, you need:

  1. OKTA account with admin rights
  2. Create and login to Acreto Ecosystem

You should also be familiar with:

  1. Acreto Identity Providers Overview
  2. OKTA documentation: Set up and manage the LDAP Interface

How To

Step 1: Enable OKTA LDAP Interface

To configure your OKTA account, you need to enable the OKTA LDAP Interface. Please go through the following procedures:

  1. Enable OKTA LDAP Interface
  2. Read OKTA LDAP configuration details:
    1. In the Admin Console, go to Directory(1) > Directory Integrations(2).
    2. Select LDAP Interface(3)
    3. Note displayed information
  3. Create OKTA Third-Party Administrator account with read-only administrator role. This administrator account will be used by Acreto Ecosystem to authenticate with OKTA.
Tip

Ensure that created Third-Party Administrator account will not be challenged with OKTA Multifactor Authentication for requests originating from your Ecosystem IP addresses. You also need to whitelist the following addresses on your server section of the Identity Provider creation page in step 2.

Step 2: Configuration of Acreto Ecosystem

  1. Add New Identity Provider

    To add a new Identity Provider:

    1. Select Objects and Identity Providers from the left menu.
    2. Click on “Add New”.
    3. Fill in the following information:
      1. Name and Description
      2. Host, User Base DN, Group Base DN - as provided on OKTA LDAP Interface settings screen
      3. Username and Password - credentials of the OKTA Third-Party Administrator account created in step 1
    4. Save your changes.
  2. Create Security Policy to allow traffic sent by your users

    When you create a new Identity Provider, a new Profile Group is created with a name containing Identity Provider name, for example: Identity Provider LDAP001 (fa45). By default, all users authenticated with this Identity Provider are assigned to that Profile Group.

    To allow traffic from your users using that Identity Provider, select this Profile Group in the Source field of Security Policy. For detailed instructions on creating a Security Policy, see Create first security policy.

  3. Commit your changes

Step 3: Testing

To test the integration:

  1. Generate Onboarding Portal Link
  2. Open generated Onboarding Portal Link and follow the instructions
  3. Connect to your ecosystem providing username and password managed by OKTA

To get more information about end-user onboarding experience, see onboarding documentation

Next steps

  1. Customize your security policies
  2. Define mappings of LDAP groups to Identity Provider groups
  3. Send invitations to your users

Summary

Thanks to Acreto and OKTA Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.

See also

  1. OKTA documentation:Set up and manage the LDAP Interface

Multifactor Authentication

What is Multifactor Authentication, and why should you use it?

Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide other information. For example, this second factor could come from one of the following categories:

  1. Something you know: This could be a password
  2. Something you have: Typically, a user would have something in their possession, like a smartphone, or a small hardware token
  3. Something you are: This might include a biometric pattern of a fingerprint, an iris scan, or a voice print

Acreto supports the most popular form of two-factor authentication - which uses a software-generated time-based, one-time passcode (also called TOTP, or “soft-token”) and also auth-code sent to the user’s email.

First, users must download and install a free 2FA app on their smartphone or desktop. They can then use the app with any site supporting this authentication type. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app. Like hardware tokens, the soft token is typically valid for less than a minute. And because the code is generated and displayed on the same device, soft tokens remove the chance of hacker interception. That’s a big concern with SMS or voice delivery methods.

Since app-based 2FA solutions are available for mobile, wearables, or desktop platforms — and even work offline — user authentication is possible almost everywhere.

Prerequisities

To start using MFA, you must own an application that will be your second-factor code generator. Several popular MFA (Multi-Factor Authentication) applications are available in the market:

  1. Google Authenticator: Google Authenticator is a free MFA app for Android and iOS devices. It generates time-based one-time passwords (TOTP) to provide an additional layer of security for Google accounts and third-party accounts that support the TOTP protocol.
  2. Microsoft Authenticator: Microsoft Authenticator is a free MFA app that generates TOTP codes and pushes notifications for Microsoft and third-party accounts supporting the TOTP or OpenID Connect protocols.
  3. Authy: Authy is a free MFA app that generates TOTP codes, push notifications, and SMS-based codes. It supports various third-party accounts and the Authy OneTouch feature for fast and easy authentication.
  4. Duo Mobile: Duo Mobile is a free MFA app that generates push notifications, SMS-based and TOTP codes. It supports various third-party accounts and the Duo Push feature for fast and easy authentication.

All mentioned application uses starts supported by Acreto - choose the best tool for you and install it on your device.

How Acreto uses MFA to provide security?

Acreto uses Multifactor Authentication in two scenarios:

  1. Secure Ecosystem Access - Ecosystem Administrator can activate the MFA to secure access to Acreto Portal.
  2. MFA Based Profiles for users - this future allows to force all users connecting to Ecosystem to use MFA in the defined period. For example, each person connected to MFA must confirm the connection with the MFA token once a day.

Both of these options are optional and can be enabled or disabled any time.

Summary

In an increasingly interconnected and threat-prone digital landscape, Multi-Factor Authentication has emerged as a “must-have” feature for organizations and individuals. By mitigating password vulnerabilities, enhancing security, complying with regulations, and offering user convenience, MFA significantly strengthens access control and protects against unauthorized access and data breaches. Implementing MFA is a proactive step towards bolstering overall cybersecurity posture and safeguarding sensitive information.

Subsections of Multifactor Authentication

MFA for Acreto Connect Client - How To Enable

Before You Start

What is Multifactor Authentication and why should you use it?

Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide other information.

Read more about why you should enable MFA in Acreto Ecosystem in this article.

Prerequisites

To enable MFA for Ecosystem users, there are some steps required:

  1. Make sure that all users know what the MFA is and why you enable it.
  2. You need to be Ecosystem Administrator to enable this option.
  3. Ecosystem users need to be imported to Ecosystem by Identity Provider

How To

Step 1: Enable the MFA for Users

To activate Multi-Factor Authentication for the Ecosystem users, login into Acreto Portal and choose your Ecosystem from the Ecosystem list.

MFA enable - Identity Provider status MFA enable - Identity Provider status

Move to Multi-Factor Auth (1) and enable the MFA option (2). When enabled, you may change the available source of the second factor (3).

You may enable a One-time password generator like Google Auth or/and email address. In the second case, the user will receive an email message with a code on each authentication. You may find more details about the second factor in an article for users.

This setting only enables the configurable option for the user, which may choose from available methods when configuring MFA for his account.

MFA enable - MFA enable MFA enable - MFA enable

Save and commit the settings.

Step 2:

When the MFA is enabled, go to the Users section and invite all users again - this will generate a special type of Acreto Connect Client profile with MFA support.

This part of the procedure is mandatory - this invitation allows users to set up their Multi-Factor access.

Choose the users from the list and send the invitation.

Reset MFA

Working with users, you may expect many potential issues with the second factor - lost devices, forgotten passwords, etc.

The best solution for all potential issues with locked access is a reset of the MFA. However, this action is available only to Ecosystem Administrator for security reasons.

If the users need to reset the MFA, they should ask Administrator to reset MFA.

Ecosystem Administrator can then go to the Users list in Acreto Portal, choose a user, and perform Reset MFA or Reset and Logoff action.

MFA enable - MFA enable MFA enable - MFA enable

The reset option is dedicated to users who " forgot " the MFA device/source credentials. In case of the situation when the device was stolen, the best practice is to use Reset MFA and Logoff - this will automatically close all existing Acreto sessions related to this device.

Summary

MFA is an easy-to-enable and managed feature that increases security to another level.

MFA for Acreto Connect Client - User Guide

Before You Start

What is Multifactor Authentication, and why should you use it?

Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide other information.

This article explains why you should enable MFA in Acreto.

Prerequisites

The Administrator of your Ecosystem should Enable the MFA for you.

To get the best User Experience with Acreto MFA, you need to download and install Acreto Connect Client

How To

Step 1: Start the Onboarding Procedure

If MFA is enabled in your Ecosystem, you should receive an Invitation email that allows you to set up the MFA for your account.

MFA - User profile edition MFA - User profile edition

Click the Button Accept Invitation to start the onboarding process. Next, you see an MFA setup page - provide your username and password registered on Identity Provider ( Generic LDAP, Azure Active Directory, Windows Server AD, Google Workspace, etc.) and select one of the Multi-Factor Providers to register their Multi-factor device.

MFA - Enable MFA in wedge MFA - Enable MFA in wedge

On this screen, you may also choose the second-factor method: Email or Authentication Application - more details about them in next the step.

Step 2: Choose the Second Factor

There are two ways of receiving the second factor of authentication - Email and Authentication Application.

Email

  1. If you choose Email as the Multi-factor provider, you receive the auth code as an email message whenever you try to log in.
  2. Provide the token received on the email on the Acreto auth page.
  3. Whenever the token expires(generally 24 hours), Acreto will prompt for reconnection, and the user will have to provide the username/password and new token sent via email to reconnect.
  4. Proceed to the next step for finishing the Onboarding process to Acreto VPN.

One-Time Password

  1. If you choose One-Time Password as the Multi-factor provider, you need to scan the QR code screen to register the authenticating device which can receive the token.
  2. Download Google Authenticator or an equivalent app from the App Store on your mobile device.
  3. Scan the QR code on the Acreto page to add the account on the Authenticator app.
  4. The Authenticator app will generate the token after adding the account. Use the token on the Authenticator app and provide it on the token box on the Acreto page.
  5. Whenever the token expires(generally 24 hours), Acreto will prompt for reconnection, and the user will have to provide the username/password and token generated on the Authenticator app to reconnect.
  6. PProceed to the next step for finishing the Onboarding process to Acreto VPN. MFA - Scan QR code MFA - Scan QR code

Step 3: Complete the onboarding process

  1. After successful authentication, the user will be provided the link to download the VPN configuration. MFA - Download Profile MFA - Download Profile
  2. Click the link to download the VPN configuration.
  3. Import the downloaded VPN configuration on the Acreto Connect Client
  4. Upon successful import, the Acreto VPN will be auto-connected.
  5. Verify your connection by checking Acreto’s ISP.

ACC Connection

From now on, periodically (usually once for 24h), Acreto Connect Client will ask you about the second factor.

You must provide the token to keep the connection or establish a new one. Acreto Connect CLient will inform you about the need to authenticate with the proper window.

MFA - Inactivity timeout MFA - Inactivity timeout

Summary

In an increasingly interconnected and threat-prone digital landscape, Multi-Factor Authentication has emerged as a “must-have” feature for organizations and individuals. By mitigating password vulnerabilities, enhancing security, complying with regulations, and offering user convenience, MFA significantly strengthens access control and protects against unauthorized access and data breaches. Implementing MFA is a proactive step towards bolstering overall cybersecurity posture and safeguarding sensitive information.

Multifactor Authentication - MFA for Ecosystem

Before You Start

What is Multifactor Authentication and why should you use it?

Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide another information.

Read more about why you should enable MFA in Acreto Ecosystem in this article.

Prerequisities

To start using MFA, you must own an application that will be your second-factor code generator. Several popular MFA (Multi-Factor Authentication) applications are available in the market:

  1. Google Authenticator: Google Authenticator is a free MFA app for Android and iOS devices. It generates time-based one-time passwords (TOTP) to provide an additional layer of security for Google accounts and third-party accounts that support the TOTP protocol.
  2. Microsoft Authenticator: Microsoft Authenticator is a free MFA app that generates TOTP codes and pushes notifications for Microsoft and third-party accounts supporting the TOTP or OpenID Connect protocols.
  3. Authy: Authy is a free MFA app that generates TOTP codes, push notifications, and SMS-based codes. It supports various third-party accounts and the Authy OneTouch feature for fast and easy authentication.
  4. Duo Mobile: Duo Mobile is a free MFA app that generates push notifications, SMS-based and TOTP codes. It supports various third-party accounts and the Duo Push feature for fast and easy authentication.

All mentioned application uses starts supported by Acreto - choose the best tool for you and install it on your device.

How To

Two-Factor Authentication (2FA) and Timeout Log in to your Acreto account, and clock on your email address in the top right corner; next, choose the Profile option.

MFA - User profile edition MFA - User profile edition

Scroll down to the bottom of the panel, and click the Enable button in Two-Factor Authentication (2FA) to enable this feature.

MFA - Enable MFA in wedge MFA - Enable MFA in wedge

The new window will show a QR code you should scan using Google Authenticator or a similar tool. Scan it, and in step #4 place the first authentication code from this app, to confirm that the setup is correct; click on Enable button.

MFA - Scan QR code MFA - Scan QR code

From now on, every login to Wedge will ask you about the second factor. On the same panel, you can also define the inactivity timeout when logged out - you can choose between 5min, 10min, and 30min.

MFA - Inactivity timeout MFA - Inactivity timeout

Remember to save the setting using the Update button.

What next?

When MFA for an account is activated on every login to the Ecosystem, you will need to use the second factor to confirm your credentials.

MFA - on login page MFA - on login page

Summary

In an increasingly interconnected and threat-prone digital landscape, Multi-Factor Authentication has emerged as a “must-have” feature for organizations and individuals. By mitigating password vulnerabilities, enhancing security, complying with regulations, and offering user convenience, MFA significantly strengthens access control and protects against unauthorized access and data breaches. Implementing MFA is a proactive step towards bolstering overall cybersecurity posture and safeguarding sensitive information.

Subsections of Quick start guide

Register your Acreto account

Overview

Registering and activation of the account is the first step to start using Acreto services. This article is a guide on the standard register & confirm procedure.

Account registration

If you would like to create an account on Acreto:

  1. Go to Acreto WEDGE.
  2. Click on the Register Here  link or yellow Sign up button on the top bar.

  1. On a register page enter the email address (1) and click accept in the box provided next to the Privacy Policy (2).

  1. Click on the Sign up button (3) and shortly thereafter you will receive an email with an activation link from Acreto to the email address provided.
Tip

If you do not receive an email from Acreto within a minute or so, check your spam folder or retype your email address in the registration form.

  1. Once you receive the email, click on the embedded link so that we may confirm your account.

  1. Set up your First Name, Last Name, and Password on the page that will appear - after you have completed, hit Next.

  1. The second step allows us to set up your company and includes Company Name, Address, and Administrative Contact.
Tip

The Administrative Contact is the person that you want to receive all notices related to any issues with your account and all general notices regarding the Acreto platform.

  1. The third part of the profile setup establishes your method of payment, either a credit card or an established corporate account ID.
  • For credit card - simply enter your credit card number in the fields provided. Your card information does not come to Acreto but is transacted with an accredited card processor.
  • Contract ID - if you have a corporate contract ID number, please enter it in the field provided. If you would like to set up a corporate billing ID, please contact us today.

When you click the finish  button your profile will be complete. You are now ready to set up your first Acreto Ecosystem

Create a New Ecosystem

Overview

Ecosystem security is a methodology unique to the Acreto platform. It’s actually quite simple. Within your organization, there are many different departments, functions, and programs. Each of these areas contains specific applications, users, and devices that work together to execute organizational tasks. For example, your remote sales team may consist of and utilize Office 365, Salesforce, another internal pricing application, and of course, every sales team member. This is an Ecosystem. In a similar fashion, your Vendor Relations department may have 75 external suppliers that provide your organization with various goods and services. In order to be effective, each vendor must interact with your purchasing application(s). These vendors, your internal purchasing department, and every utilized purchasing application is an Ecosystem.

In addition to isolating Ecosystem members from the Internet, Acreto enables you to establish security policies at the Ecosystem level, allowing you to apply customized security policies for each Ecosystem. The right set of security policies for the sales team may very well differ from the needed security policies for the vendors.

How to Create A New Ecosystem

Creating a new Acreto Ecosystem is simple:

  1. Log in to Acreto and click on the Add New button to add a new Ecosystem.
  2. Enter your Ecosystem name and click on the Add button. Use a descriptive name so that others in your organization can differentiate one Ecosystem from another. For example ATM Ecosystem, Guest WiFi Ecosystem, Cafeteria POS Ecosystem, Conference Room Tech Ecosystem, Branch Edge Ecosystem, etc.
  3. Acreto will immediately create your new Ecosystem. You will see it on the screen next to the Add New Ecosystem box.

You’re now ready to start configuring and connecting your Thing(s) and Gateway(s) into your Ecosystem!

Switch Between Ecosystems

Acreto allows you to create multiple Ecosystems. You can create a separate Ecosystem for each physical location and manage them from one WEDGE panel.

To switch between existing Ecosystems:

  1. Log in to Acreto Wedge and select the first existing Ecosystem.
  2. On the Wedge panel, check the name of the currently selected Ecosystem.
  3. Click on the <– All Ecosystems button on the side menu.
  4. Choose a different Ecosystem.

Create a new Gateway

Prerequisites

This procedure required:

  1. Active Acreto Account.
  2. Basic knowledge about local network configuration.

Overview

Gateway is a device that allows you to connect your local network to Acreto and secure whole network traffic and end-user devices without configuring them one-by-one. Take a look at the images below to compare standard network connection with the network secured by Acreto with the Gateway method.

Gateway may be configured in IPsec or vGateway mode. Each of these configurations may be used for different purposes and in different network structures:

  • choose vGateway when you want to download a preconfigured Acreto vGateway appliance and install it on a Raspberry Pi device or some virtualization platform (like KVM or VMware)
  • choose IPSec if you prefer to manually configure your existing device (like router or Linux machine) which supports IPSec protocol

To create a Gateway, you need to:

  1. Create a Gateway object inside your Ecosystem
  2. Create one or more security policies to allow traffic from that Gateway to the Internet

How to create a new Gateway

  1. Log in to an Acreto platform at wedge.acreto.net
  2. Select your ecosystem and go to Objects using the left menu.
  3. Click Add new Object and select Gateway.
  4. Fill at least:
    1. Name: - the name of the gateway that you creating, needs to be compatible with Strongswan connection name requirements (basically, only letters and numbers)
    2. Category: IoT
    3. Fill gateway type-specific settings described here: IPsec | vGateway
  5. Save the created Gateway by pressing Add.
  6. Add security policy that will allow communication from the Gateway device to the Internet.
  7. Commit pending changes (top of the screen)

How to create Acreto Gateway - animation How to create Acreto Gateway - animation

Notice: To successfully test your connectivity, you also need to create a security policy that will allow traffic to go through your device.

IPsec Gateway

Set specific setting for IPsec Gateway:

  1. Allow connection from: Empty (describes the source IP address where the connection will be permitted)
  2. Local Networks: - your local network addresses that should be routed through this gateway

Tip: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.

vGateway

Set specific setting for IPsec Gateway:

  1. DHCP/Static: - select the method of assigning addresses on the network
  2. vGateway Local IP: - address of local (LAN) interface of your device (for example 192.168.200.1/24)
  3. Local Networks: - your local network addresses that should be routed through this gateway
  4. vGateway Internet IP - IP address with a netmask of internet-facing (WAN) interface, for example 1.2.3.4/24
  5. vGateway Default Route - IP address of your Internet gateway/router that allows access to the Internet, for example 1.2.3.1

Tip: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing

Next Steps

When Gateway is ready you should configure the gateway device on your end to act as a gateway to the Acreto platform and pass traffic from your endpoints through the gateway device. connectivity from the gateway through Acreto using ping, traceroute, and similar tools.

When gateway device is created then verify Acreto secured connection.

Connect first Thing

Overview

We define a Thing as any individual compute device that belongs to an Ecosystem, including servers, desktops, laptops, tablets, smartphones, IoT devices, etc. Whenever you want to connect a new device, you can create a new Thing that will represent the device in your Ecosystem.

Note: To connect your local network instead of an individual device, you should create and provision a Gateway.

Add Thing to Acreto WEDGE

Before starting this process, you should make sure that you have an Acreto account with at least one Ecosystem added to your Profile.

To add a new Thing to Acreto:

  1. Log in to your Acreto account

  2. Identify and select which Ecosystem you’d like to connect your Thing.

  3. Click on the Things option in the left sidebar menu.

  4. Once your Thing panel opens, select the Add New Thing option.

  5. An Add Device window will appear, where you can enter information about the Thing that you want to add:

Configuration tab

  • Name - the human-readable name of the Thing that you want to add. For example, a “Front Door Security Camera.”
  • Category - the category of the Thing that helps you better understand its purpose (informational only). For example, “Physical Security.”
  • Operational Importance - a scale from 1-10 that lets you determine which Thing is a priority for your business. For example, a “1” is of minor importance and a “10” is critical.
  • Profile Group – enables you to group similar Things together to provide simple security policy management.

Descriptors tab

The Descriptors tab contains some optional informational fields that allow you to manage your Things with ease.

  • Description - this field should contain any additional information that describes your added Thing(s).
  • Location – this field allows you to save the geographical location of your Thing(s).
  1. After you complete the required form fields, click the Add button to save the Thing on Acreto. Your new Thing will now be visible on the Things list.

Next, let’s configure your Thing to connect to the Acreto platform.

Configure Thing

To learn how to configure your Thing(s) on a variety of platforms, please refer to the Acreto Connect documentation.

Please note: it’s recommended to test your connectivity from a different device than the one you use to manage your Ecosystem at https://wedge.acreto.net.

Configure a Security Policy for Connected Things

A security policy is a set of rules that manages the network traffic in an Ecosystem. These policies allow you to decide what traffic should be allowed from or into your added Thing(s) and which should be blocked or redirected.

Warning

Acreto follows a Zero-Trust approach. This means that all network traffic is blocked by default. To allow traffic to pass through your Ecosystem you must create some security policies, as described in the next article.

Create first security policy

Overview

In the previous step, you configured and connected your first Thing to your Ecosystem. Now, you need to create a security policy.

A security policy is a set of rules that manages network traffic in an Ecosystem. These policies allow you to decide what traffic should be allowed, inspected, or blocked.

Warning

Acreto follows a Zero-Trust approach. This means that all network traffic is blocked by default.

Security policy: Allow all

To allow communications to flow through an Ecosystem, you must define a set of security policies. Without a matching security policy, the traffic is blocked.

For testing purposes, we’ll guide you through the creation of an Allow all traffic security policy. To do this, you will complete an Add New Policy form as shown below.

Complete the form by entering the correct values:

  • Name - use a descriptive name so that others in your organization will know what this policy is for; in this case, Allow all.
  • Description – add a short description of the policy; in this case, Allow all outgoing traffic.
  • Source - choose the source where the traffic will come from; in this case, select your profile group.
  • Service - select a protocol (like TCP, UDP, ICMP) and destination port of the traffic; in this case, Any.
  • Application - choose the applications for which the policy applies; in this case, Any.
  • Destination - choose a target where the traffic should be directed; in this case, Any.
  • Action - allow/drop traffic when the conditions have been met; in this case, Allow.
  • Threat protection - decide whether you want to enable threat protection for the traffic; in this case, Marked.
  • Click on the Add button to save the configuration.
  • Once the new security policy has been added and is visible on the list, you must Commit your changes.

Before saving, the form should look like the image below :

Warning

Your changes will not be applied until you Commit them!

Now, any Thing in a selected Profile group (Source) should be able to securely connect to any destination.

Security Policy: Block Facebook Using Application Control

If you want to block Facebook from accessing your Ecosystem users, you should use the Application Control security policy. To create such a policy, fill out the Add New Policy form as shown below.

  • Name - use a descriptive name so that others in your organization will know what this policy is for; in this case, “Block facebook.com.”
  • Description – create a short description of the policy; in this case, Block all facebook.com traffic.
  • Source - choose the source from where the traffic will come; in this case, Any.
  • Service - select the protocol (TCP, UDP, ICMP) and destination port of the traffic; in this case, Any.
  • Application - choose the application(s) for which the policy applies; in this case, facebook-base and facebook-chat.
  • Destination – select a target where the traffic should go; in this case, Any.
  • Action - allow/drop traffic when the conditions have been met; in this case, Drop.

Click the Add button to save the configuration.

Once the new security policy has been added and is visible on the list, you must Commit your changes.

Warning

Your changes will not be applied until you commit them!

After committing your settings, any Facebook traffic now coming through the Ecosystem should be blocked.

Share the Ecosystem (Access Granting)

Before You Start

Overview

In this article, you’ll learn how to grant access to your Ecosystem to another person. This function may be used to share access with your team or to allow Acreto Support to get access to it.

Warning

Share access only with trusted people! Anyone with Ecosystem Admin privileges may control all your network traffic.

Prerequisities

To grant access to your Ecosystem, you will need:

  1. Active Acreto Ecosystem - where you have Owner or Ecosystem Admin role.

How-To

Grant Ecosystem Access

To grant access to your Ecosystem, please:

  1. Log in to Wedge
  2. On the list of Ecosystem’s find this one that you want to share and click on the menu icon
  3. From the menu choose the edit option.
  4. On the edit screen input the email address of the person that you want to share the access with. You may add more than one person at once (1).
  5. Select the role of the new user that you are sharing access with (2).
  6. Click on the Save button.
  7. Double-check the information about the person that you are adding on the pop-up windows that will appear.
  8. If the added person doesn’t have an Acreto Wedge account yet, Acreto will send an invitation to create a new one. Otherwise, that person will get an email invitation to the Ecosystem and the Ecosystem will be made available in Wedge.

The person that you shared access with can now access your Ecosystem.

Revoke Ecosystem Access

To revoke access to your Ecosystem, please:

  1. Log in to Wedge
  2. On the list of Ecosystem’s find this one that you want to share and click on the menu icon
  3. From the menu choose the Edit option.
  4. On the edit screen in the Associated Administrators area find the email address of the person that you want to revoke access from.
  5. Click on the Bin button.
  6. Confirm action on the modal window and click on the Save button.

The person that you removed from the list of Associated Administrators will be not able to access your ecosystem anymore.

Summary

Associated Administrator option allows you to easily share and revoke access to your ecosystem.

Connect to the platform

The following connectivity methods are supported:

Connecting to the Acreto platform

Subsections of Connect to the platform

Acreto Connect Client - administrator guide

About Acreto Connect Client

Acreto Connect Client is a simple application that allows to connect your device to Acreto Ecosystem. It is available on Windows, macOS, Android and iOS.

Download Acreto Connect Client:

See also

Table of Contents

Subsections of Acreto Connect Client - administrator guide

Connect the Thing with Acreto Connect Client

Before You Start

Overview

In this article, you’ll learn how to create and connect Thing to the Acreto ecosystem.

This Use Case allows you to securely connect client (PC, laptop, smartphone) to the office ecosystem.

  1. Configure the Thing
  2. Install Acreto Connect Client

Prerequisites

To connect your Thing to the Ecosystem, you will need:

  1. Existing Acrereto Ecosystem, if you don’t have one learn how to create it.
  2. Access to Acreto Wedge.
  3. A device that you want to connect to the Ecosystem.

How To

Configure the Thing

  1. Log in to the Wedge
  2. Choose your Ecosystem.
  3. From the left menu choose Objects > Things (1) and click on this option.
  4. In the Things panel click on the + Add New Thing button (2)
  5. Fill the form:
    1. Input the descriptive name of the device.
    2. Choose the category of the device.
    3. Choose the Profile Group for the device if you have more than one group. Otherwise, leave the default value.
    4. Save the form to add the Thing.
  6. The newly created Thing is now available on the list.
  7. Click on the Apply changes button on the top of the screen to commit a new thing to the Ecosystem.
  8. Wait for the changes to be applied
  9. Click on the name of created Thing to see its details.
  10. On the right part of the details screen you may see Configuration Options - find the right configuration file for your device and copy the link by clicking on the icon.

Install Acreto Connect Client

At first, you need to download and install Acreto Connect Client - a small application that allows you to connect to the Acreto ecosystem.

  1. Open kb.acreto.net/client on the device which you want to connect to the Ecosystem.
  2. Download the ACC version for your operating system - this page tries to recognize the type of your device and allows you to download the dedicated version.
  3. When the installation file is downloaded, install the Acreto Connect Client.
  4. Run Acreto Connect Client - the interface of the application is the same on all platforms. You should get a screen similar to this shown below:
  5. Click on the Import Profile button.
  6. You will see three options to connect import the profile: Code, URL, and the file. In this case, we will use the URL generated in the previous step.
  7. Paste the configuration link from the Wedge generated in the previous step and click on the Import button
  8. The Acreto Connect Client will import the profile and atomically connect your device to the Ecosystem.

Your device is now connected to the Ecosystem!

Summary

Acreto Connect Client allows connecting your Thing to the Ecosystem. This method works on every platform and it’s easy to understand for Users.

Please don’t forget to create Security Policy - Policies to allow Outbound traffic for your Thing(s) to connect to the Internet, or to the other devices within your Ecosystem.

VPN Start Before Logon (SBL)

Before You Start

Overview

Available only for Windows platforms, the Acreto Connect Client Start Before Logon (SBL) establishes the VPN connection before logging onto Windows. The purpose of this feature is while the computer is off the office or when the user is logging onto a new computer remotely. SBL allows remote users to log to Windows using Domain Controlled credentials because the VPN tunnel to the Data-Center is always on.

Note

This feature is available only for version 2.4.0 and newer. Update your ACC if you want to use this option.

Prerequisites

To connect your Windows device to the Ecosystem on the log on you will need:

  1. Existing Acreto Ecosystem, if you don’t have one learn how to create it.
  2. Access to Acreto Portal.
  3. A Windows device that you want to connect to the Ecosystem.
  4. Acreto Connect Client (minimal version 2.4.0).

How To

Install Acreto Connect Client

At first, you need to download and install the Acreto Connect Client.

  1. Go to the download page to get Acreto Connect Client.

  2. Install the ACC

  3. Go to

    C:\Program Files (x86)\Acreto Connect Client

    to confirm that the sbl directory exists.

  4. Run the acc_sbl.reg file - it will add some information into your system registry.

  5. Open the Powers Shell with Administrator privileges and run:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

    Answer “Y” for the question in PowerShell, then run:

    cd "C:\Program Files (x86)\Acreto Connect Client\sbl"
    .\sbl.ps1

    You will receive confirmation of Acreto-SBL Service creation.

Create And Configure The Profile

SBL feature will run any profile that you will place in C:\Program Files (x86)\Acreto Connect Client\sbl.

  1. Create the profile in Acreto Portal.

  2. Download the profile and place it in C:\Program Files (x86)\Acreto Connect Client\sbl directory.

  3. If the profile requires authorization:

    1. create auth.txt file and provide the username and password in form:

      username
      password

    2. Modify your profile - search for the auth-user-pass line and change it to

      auth-user-pass "C:\\Program Files (x86)\\Acreto Connect Client\\sbl\\auth.txt"

Verification

To verify that the feature works correctly, perform the test:

  1. Verify using Acreto Portal:

    1. Login into Acreto Portal.

    2. Choose the proper Ecosystem.

    3. From the left menu, choose Logs(1) > User and Things(2).

    4. Set Refresh rate to 5S.

    5. Restart the device with the SBL profile.

    6. Wait for the login screen on the tested device (do not log in) and the logs, where you should receive information that the profile you placed in the config directory is connected to your Ecosystem (3).

  2. Verify using logs:

    1. Restart the device with the SBL profile.

    2. Wait for a few seconds on the logon screen, then log in.

    3. Go to C:\Program Files (x86)\Acreto Connect Client\sbl

    4. Find the NAME OF YOUR PROFILE.log and open it to check the logs.

Limitation

We highly recommend using the Split-tunnel profiles.

Once SBL starts the connection User will not be able to disconnect it. If you use the Full-tunnel profile, you will not connect using other full-tunnel profiles.

Summary

Acreto Connect Client allows connecting your Windows device to the Acreto Ecosystem using the SBL feature.

Deep Link

To import a profile directly to app from a web browser link, deep link is avalaible with the pattern acreto://

Import Profile using URL

To import from a URL link use the format acreto://import-profile?url=<URL_TO_PROFILE>

Example:

acreto://import-profile?url=https://api-is-rock-solid.acreto.net/v2/tlsvpn/config/openvpn-udp/code/123456

Import Profile using Ecosystem Code

To import from a invite Code use the format acreto://import-profile?code=<6_DIGIT_CODE>

Example:

acreto://import-profile?code=123456

Webserver configuration

To make sure that the VPN profile is opened automatically by the Acreto Connect Client, make sure that the webserver that hosts the .ovpn file sends the correct mime media type in the response HTTP header.

If the header is missing, the .ovpn file may be opened as a text file on Android and iOS devices.

Apache

On Apache servers update mime.conf file and restart the server:

sudo echo "        AddType application/x-openvpn-profile .ovpn" >> /etc/apache2/mods-enabled/mime.conf
sudo systemctl restart apache2

NGINX configuration

On Nginx servers update mime.types file and restart the server:

Edit mime.types config file with your favorite text editor:

nano /etc/nginx/mime.types

Add new mime type

application/x-openvpn-profile .ovpn

Restart the server

sudo systemctl reload nginx

Test

Use any Android or iOS device with Acreto Connect Client installed and tap on the deep link based on your server.

If Acreto Connect Client appeared after the click and the VPN profile is on the list everything works properly.

Install ACC from Windows Command Line

Overview

If your company manages the software using the Active Directory Group Policy Object or tools like Syxsense - ACC is ready to be installed by CMD. This solution lets you quickly onboard your entire team to the Acreto Ecosystem.

Installation and configuration of ACC with the GPO Rules is described in a separate article.

Install and Update Acreto Connect Client with CMD

Acreto Connect Client installer supports parameters that allow the install of software without user action:

Powershell command: Start-Process ".\Acreto-Connect-Client-v2.9.6.exe" -ArgumentList '/VERYSILENT /NORESTART /SUPPRESSMSGBOXES'

Windows CMD command: .\Acreto-Connect-Client-v2.9.6.exe /VERYSILENT /NORESTART /SUPPRESSMSGBOXES

Parameters used in install command:

  1. /VERYSILENT - instructs to proceed with installation in the background - no windows will be shown on the system GUI. Alternatively, it may be replaced by /SILENT - in this case, the installation will only show the progress window.
  2. /NORESTART - disables installer option to restart user device after installation - this option is highly recommended.
  3. /SUPPRESSMSGBOXES - instructs to suppress any message boxes that appear at installation time and proceed with default options. It only has an effect when combined with /SILENT or /VERYSILENT.

If you need more options, please follow the official documentation for the installer.

Next step

The commands described above can be used to install or upgrade ACC. You can use them in your custom scripts or software management tool.

Install ACC with Group Policy Object

Overview

If your company manages the users by the Active Directory, it’s possible to provide and install Acreto Connect Client using Group Policy Object. ACC is ready to be installed and configured by GPO rules. This solution allows you to quickly onboard the whole of your team to the Acreto Ecosystem.

This article consists of two parts:

  1. Install Acreto Connect Client with Group Policy Object
  2. Importing Profile into Acreto Connect Client with Group Policy Object

Prerequisites

Note

This feature is available only for version 2.4.3 and newer. Update your ACC if you want to use this option.

To complete these tutorial steps, the following items are required:

  • Windows Server machine
  • Basic knowledge of Windows Server configuration
  • Active Directory setup experience

Install Acreto Connect Client with Group Policy Object

Acreto Connect Client uses *.EXE installer - this means that you cant use the default way of software installation for GPOs. To install ACC you need to create a Scheduled Task to run the installation script. Scheduler task allows to run the script and install software with administrator privileges. What’s more important - installation is completely invisible for the user.

How to

  1. First, create the shared folder that will be available for the users.

  2. Download the last version of Acreto Connect Client for Windows.

1.Rename the installer to Acreto-Connect-Client.exe and place it in a shared folder. Installation script also takes care of the updates - it will read the installation version and compare it to the one existing on the users device - if the available version is newer, it will install it.

  1. On the domain controller server, create an acreto_install.ps1 file with the below content:

    # ADD YOUR VALUES HERE
    $InstallPath = 'C:\Program Files (x86)\Acreto Connect Client' #local installation path
    $InstallerFile = '\\SERVER\acc\Acreto-Connect-Client.exe' #ACC installer path shared in internal network
    # END
    
    IF (Test-Path -Path $InstallPath) {
    #if path exists then... 
    $InstallPathExe = 'C:\Program Files (x86)\Acreto Connect Client\Acreto Connect Client.exe' #local installation binary
    $update = ((Get-Item $InstallerFile).VersionInfo.ProductVersion) #Version of ACC available on server
    $current = ((Get-Item $InstallPathExe).VersionInfo.ProductVersion) #Version of ACC available on server
    
    IF ([System.Version]"$update" -gt [System.Version]"$current"){
       #if update is available than install
       & "$InstallerFile" /qn /SILENT /norestart INSTALLSTARTMENUSHORTCUTS=1 DISABLEADVTSHORTCUTS=0
       & 'C:\Program Files (x86)\Acreto Connect Client\post_install.exe'-y /qn /SILENT /norestart
    } ELSE {
       #If thers no update, exit. 
       EXIT
    }
    } ELSE {
    & "$InstallerFile" /qn /SILENT /norestart INSTALLSTARTMENUSHORTCUTS=1 DISABLEADVTSHORTCUTS=0
    & 'C:\Program Files (x86)\Acreto Connect Client\post_install.exe'-y /qn /SILENT /norestart
    }
  2. In Group Policy Management, create a new Group Policy under your domain. image1 image1

  3. Edit the GPO by right-clicking on it and select Edit.

  4. Navigate to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks image2 image2

  5. Click Right Mouse Button on Scheduled Task panel and choose New > Immediate Task (At least Windows 7) image3 image3

  6. In task creation widow set:

    1. Name: ACC installer

    2. When running the task, use the following user account: click on Change User or Group button and inpute SYSTEM as a user and click on Check names button. As a Result you should recive the NT AUTHORITY\System.

    3. Check: Run whether user is logged or not

    4. Check: Run with highest privileges

    5. Configure for: Windows 7, [..]

      image3 image3

  7. Go to Actions tab and click on New… tab

    1. Action: Start a program

    2. Program script: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe - path to the PowerShell

    3. Add arguments: -Noninteractive -ExecutionPolicy Bypass –Noprofile -file PATH-TO-acreto_install.ps1 - make sure that path to script will be available throught the network.

    4. Click Ok butten and the sace whole task.

      image3 image3

Result

As a result, the scheduled task will be run regularly on users devices and run the installer script. Installer script working with system privileges will check if ACC needs to be installed or updated.

Importing Profile into Acreto Connect Client with Group Policy Object

Acreto Connect Client is already installed on the user’s computer. To establish a connection the ACC required a profile with configuration. Create the policies to download the correct Profile for ACC.

How to

  1. Add the script to import the profile, navigate to User Configuration > Policies > Windows Settings > Scripts ( Logon / Logoff ): image5 image5

    Copy and paste the below code into acreto_profile_deep_link.ps1:

    Start-Process "acreto://import-profile?code=123456"
    Note

    This action needs to be made on user log-on because it required Internet access to download the profile data.

  2. Navigate to Computer Configuration > Policies > Administrative Templates > All Settings

  3. Do the following change under settings:

    1. Configure Logon Script Delay: Enabled
    2. Turn on Script Execution: Enabled image6 image6
  4. Double click on Turn on Script Execution and modify its setting. Make sure that the Execution Policy is set to Allow all scripts. If you want to run only signed scripts it is also possible, but you will need to sign in with your certificate before running it. image7 image7

This script will be executed on the user login. ACC import profile by the deep link. No user actions are required.

Next step

All computers should be configured to use Acreto Connect Client. The user needs to use their credentials to login into the Ecosystem (if the profile needs that).
If users were imported from the AD the credential should be the same as stored in AD.

Connect GL.iNet using Wireguard client

Overview

In this article, you’ll learn how to setup Wireguard client on Gl.iNet and connect it to the Acreto ecosystem.

How to

Prerequisites

To connect GL.iNet router with Acreto Ecosystem, you will need:

  1. Existing Acreto Ecosystem, if you don’t have one learn how to create it.

  2. Access to Acreto Wedge.

  3. GL.inet router with Wireguard client installed.

Download the OpenVPN profile from Acreto

  1. Log in to the Acreto Portal.

  2. Choose your Ecosystem.

  3. Create a new Wireguard gateway profile using tutorial and download the new Wireguard configurations. GL.iNet - wireguard GL.iNet - wireguard

Setup OpenVPN client on GL.iNet

  1. Login to the GL.iNet routers Web Admin Panel.

  2. From the left sidebar, goto VPN » Wireguard Client and click + Set up WireGuard Manually.. GL.iNet - wireguard GL.iNet - wireguard

  3. Goto tab Configuration and paste the Wireguard configuration from the downloaded file in previous steps. GL.iNet - wireguard GL.iNet - wireguard

  4. Modify the Alloweed IPs = 0.0.0.0/0 and click Next. GL.iNet - wireguard GL.iNet - wireguard

  5. Enter a description for your Wireguard connection and then click Add. GL.iNet - wireguard GL.iNet - wireguard

  6. Click Connect to start the Wireguard connection. GL.iNet - wireguard GL.iNet - wireguard

  7. Once connected, the Disconnect button is shown on the screen along with the recieved IP address and Data sent and recieved information. GL.iNet - wireguard GL.iNet - wireguard

  8. Also the Gl.iNet Dashboard, will show the Wireguard VPN connected. GL.iNet - wireguard GL.iNet - wireguard

IPsec Gateway

Overview

This document describes some challenges and issues identified when testing and using vGateway to connect to the Acreto platform.

Routing

Default Route

Once vGateway connects to the Acreto platform, we:

  1. create a direct route to the Acreto platform (“right” server in IPSec nomenclature) via a local gateway, to ensure we can reach the server
  2. create a new default route that goes through vti- device
  3. remove the previous default route to disallow sending any traffic to the Internet if the tunnel is down

This causes several issues:

  1. DHCP can restore the default route when refreshing the lease
  2. If the interface goes down (like network cable disconnect or adapter failure), route in point 1 will disappear, making it impossible to maintain/reconnect ipsec connection (as our default route goes now through vti- device)

Note We are not deleting vti- device/route when the tunnel goes down because this causes a “no route to host” error. It means that any default route records in the routeing table will not be used, because they will have lower priority (higher metric) than vti- default route.

Subsections of IPsec Gateway

AWS EC2 - Automatic IPsec Configuration

Prerequisites

  1. Acreto Ecosystem
  2. Basic knowledge about AWS VPC.
  3. Basic knowledge about AWS EC2.

AWS - Create VPC

  1. Login to AWS console.
  2. follow the official guide and create a VPC.
    1. If your VPC already exists, make sure that there’s at last one subnet.
  3. Open setting for VPC (Networking & Content Delivery section) or use the search option to find VPC settings.
    1. Please note the network address of this subnet.

Acreto - Create Gateway

  1. Log in to Acreto Portal.
  2. Create new Gateway - IPSec type - follow this article.
  3. When configuring new Gateway add network(s) - same as VPC subnet in Local networks area.

AWS VPC - Create EC2 and Install Acreto Gateway Software

  1. Create new EC2 with Ubuntu in selected VPC.
  2. Connect with SSH to the new EC2 instance (username: ubuntu)
  3. Copy and paste the command for acreto auto installation script - don’t press ENTER yet.
    1. Acreto - Generate IPsec config and copy the link
    2. Paste the link in the SSH terminal and press ENTER

AWS VPC - Update VPC Subnet Route Table

  1. Open the VPC panel on AWS, and from the left menu choose Route Tables.
  2. Modify the VPC Route Table - read more
    1. Info: A routing table that’s associated with a subnet for the VPC.
    2. Add 100.64.0.0/16 on the Route Table
      1. Destination 100.64.0.0/16.
      2. Target Instance - “Acreto Gateway” (eni- of that instance).
  3. If there are more AZ (Availability Zones), update the route table for the other subnets as well.
  4. Update AWS Security Group to allow all inbound and outbound traffic for Acreto subnet
    1. 100.64.0.0/16
    2. Allow all traffic from/to this subnet, because we control the traffic on Acreto Security Policies

AWS EC2 - Disable source/destination checks for EC2 instance

  1. To disable source/destination checking using the console
  2. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  3. In the navigation pane, choose Instances.
  4. Select the NAT instance, choose Actions, Networking, Change Source/destination check.
  5. Verify that source/destination checking is stopped. Otherwise, choose Stop.
  6. Choose Save.
  7. Read more on AWS

Acreto - Configure Security Policy

  1. Create a Security Policy to allow traffic from selected Gateway and/or Profile Group(s) to the VPC subnet

AWS Site-to-Site VPN using Virtual Private Gateway

Before You Start

Overview

This article describes how to configure a Route-Based Site-to-Site IPsec VPN between an Acreto Ecosystem and the Amazon Web Services (AWS) Virtual Private Cloud (VPC) using static routing:

  1. Network Diagram
  2. Concepts and Glossary
  3. Prerequisities
  4. The Purpose of Site-to-Site IPsec VPN
  5. Configuring Acreto Gateway object for IPsec AWS Site-to-Site VPN tunnel
  6. Setting up the Amazon AWS Virtual Private Cloud and VPN Connection
  7. References and Related Articles

Network Diagram

Network Diagram Network Diagram

Concepts and Glossary

  1. IPsec VPN tunnel: An encrypted link where network traffic can pass between Acreto Ecosystem and AWS VPS.
  2. Customer gateway: An AWS resource that provides information to AWS about the Acreto IPsec Gateway object.
  3. Virtual private gateway: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

Prerequisites

In order to setup IPsec Site-to-Site VPN tunnel between Acreto Ecosystem and AWS VPS you need:

  1. Access to Active Acreto Ecosystem
  2. Access to AWS Management Console

The Purpose of Site-to-Site IPsec VPN

Acreto as a Cloud Provider allows to connect and integrate multiple networks, both physical and virtual. All connections require stable and secure links. Virtual (EC2) Instances running on Amazon VPC can’t communicate securely with your own (remote) network by default. It is possible to connect your network to Acreto Ecosystem and then you can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.

Acreto Ecosystem configures the routing automatically and passes the traffic between AWS VPC and your network. Additionally, the traffic is scanned by the Acreto Threat Engine to block suspicious traffic and malware.

Tip

AWS Site-to-Site VPN limitations: IPv6 traffic is not supported for VPN connections on a virtual private gateway. An AWS VPN connection does not support Path MTU Discovery. In addition, take the following into consideration when you use Site-to-Site VPN.

How To: Configure Site-to-Site VPN in AWS

Use the following procedures to manually set up the AWS Site-to-Site VPN connection on Amazon AWS.

You can create a Site-to-Site VPN connection with either a virtual private gateway or a transit gateway as the target gateway.

Step 1: Create VPC

Use existing VPC or create a new VPC using the steps below :

  1. Login to AWS console.

  2. Goto the region where you want to create your VPC.

  3. Search VPC in the Services search tab. IPsec with AWS IPsec with AWS

  4. From the VPC Dashboard, click Your VPCs under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create VPC

  5. Create a VPC with the following values:

    • IPv4 CIDR Block: 172.16.0.0/22
    • IPv6 CIDR Block: No IPv6 CIDR Block
    • Tenancy: default

    IPsec with AWS IPsec with AWS

  6. Click Create VPC

Step 2: Create Subnet

Now create a new subnet in the VPC address range. If you want to use an existing subnet, you can skip this step and use the pre-existing subnet in subsequent steps.

  1. From the VPC Dashboard, click Subnets under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create Subnet

  2. Select the new VPC created in the Step 1 or your existing VPC in the VPC ID options.

  3. Create a new Subnet under Subnet settings with the below details :

    • Availability Zone: No preference
    • IPv4 CIDR block: 172.16.1.0/24

    IPsec with AWS IPsec with AWS

  4. Click Create Subnet button

Step 3: Create Internet Gateway

  1. From the VPC Dashboard, click Internet Gateway under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create Internet Gateway

  2. Give the name for the Internet gateway and click Create internet gateway IPsec with AWS IPsec with AWS

  3. Select the Internet gateway and click Actions and Attach to VPC

    IPsec with AWS IPsec with AWS

  4. Assign your VPC

    IPsec with AWS IPsec with AWS

  5. Click Attach internet gateway.

Step 4: Create Route Table

Configure Route table for the above subnet to reach Acreto’s public IP through Internet Gateway.

  1. From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create Route Table

  2. Create a Route table with the following values:

    • Name: Acreto_ipsec_RT
    • VPC: Select the VPC created in Step 1
  3. Click Create Route Table, with parameters as shown in screenshot below: IPsec with AWS IPsec with AWS

  4. Select the Route table created above and click Subnet association, with parameters as shown in screenshot below:

    IPsec with AWS IPsec with AWS

  5. Select your Subnet and click Save associations, with parameters as shown in screenshot below:

    IPsec with AWS IPsec with AWS

  6. Select the routes and click Edit routes, with parameters as shown in screenshot below:

    IPsec with AWS IPsec with AWS

  7. Add route for Acreto’s Default Tunnel IP used to form the VPN through the Internet Gateway, with parameters as shown in screenshot below:

    IPsec with AWS IPsec with AWS

  8. Click Save changes.

Step 5: Create Customer Gateway

Create new Customer Gateway with Acreto’s public IP.

  1. From the VPC Dashboard in the left side bar, goto VIRTUAL PRIVATE NETWORK (VPN) » Customer Gateways

  2. Click Create Customer Gateway

  3. Provide the following values :

    • Name: Acreto
    • Routing: Static
    • IP Address: Acreto’s Default Tunnel IP

    IPsec with AWS IPsec with AWS

  4. Click Create Customer Gateway.

    IPsec with AWS IPsec with AWS

Step 6: Create Virtual Private Gateway

Create a Virtual Private gateway that will be used to form the Ipsec tunnel with Acreto.

  1. From the VPC Dashboard in the left sidebar, goto VIRTUAL PRIVATE NETWORK (VPN) » Virtual Private Gateways

  2. Click Create Virtual Private Gateway

  3. Give the name and click Create Virtual Private Gateway

    IPsec with AWS IPsec with AWS

  4. Select the Virtual Private Gateway and click Actions » Attach to VPC

    IPsec with AWS IPsec with AWS

  5. Select your VPC and click Yes, Attach button.

    IPsec with AWS IPsec with AWS

  6. From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar.

  7. Select the route table created in Step 4

  8. Select the Route Propagation tab and click the button Edit route propagation.

    IPsec with AWS IPsec with AWS

  9. Check Enable

    IPsec with AWS IPsec with AWS

  10. Click the Save button.

Tip

This step ensures that the AWS virtual hosts receive a route for the 100.64.0.0/16 network (Acreto Ecosystem Internal network) after the VPN establishes.

Step 7: Create and Configure VPN Connection

Create a new VPN connection and associate the previously created VGW and CGW.

  1. From the VPC Dashboard in the left sidebar, go to VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections.

  2. Click Create VPN Connection.

  3. Provide the following values in the tunnel setting:

    • Name: Acreto_ipsec
    • Target Gateway Type: Virtual Private Gateway
    • Virtual Private Gateway: Select the Virtual Private gateway created above
    • Customer Gateway: Existing
    • Customer Gateway ID: Select the Customer gateway created above
    • Routing Options: Static
    • Static IP Prefixes: 100.64.0.0/16

    IPsec with AWS IPsec with AWS

  4. Click Create VPN Connection.

  5. Select the VPN created and click the tab Tunnel Details. Copy the Outside IP address of the tunnel to form a VPN with Acreto.

    IPsec with AWS IPsec with AWS

This Outside IP address will be used in the next steps to configure the Acreto gateway on Wedge Ecosystem.

Step 8: Create Acreto Gateway for IPsec

Create Gateway on Ecosystem by following the instruction in the link. Provide the following values:

  • Type: IPsec
  • Category: Data Center
  • Model: AWS site-to-site VPN
  • Connections from: AWS Tunnel’s Outside IP address
  • Local network: local_network
  • Save and Commit the changes.

IPsec with AWS IPsec with AWS

Step 9: Read the Configuration

  • Click the gateway created on wedge.

  • Click the Play button under Configuration Options to generate the strongSwan Config.

    IPsec with AWS IPsec with AWS

  • Once the Config file is generated, click the Download button to download the configuration on the local computer.

    IPsec with AWS IPsec with AWS

  • Unzip the downloaded file and copy the psk from the file ipsec.secrets

    IPsec with AWS IPsec with AWS

Step 10: Update AWS VPN tunnel configuration

  1. Goto AWS Site-to-Site VPN connections

  2. Select the VPN and click Actions » Modify VPN Tunnel Option

    IPsec with AWS IPsec with AWS

  3. Select the tunnel used to create the VPN with Acreto.

  4. Update the password copied from the ipsec.secrets file from strongSwan config file downloaded from Wedge

    IPsec with AWS IPsec with AWS

  5. In the same window “Modify VPN Tunnel Options” scroll down and select the following action under tunnel configuration:

    • DPD Timeout Action: Restart
    • Startup Action: Start
  6. Click Save

How-to: Update Route Table in AWS

Configure Route table to set the default route to VPN tunnel

  1. From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar

  2. Select the Route table and click Edit routes

    IPsec with AWS IPsec with AWS

  3. Add the following route :

    • Destination: 0.0.0.0/0
    • Target: Select the Virtual Private Gateway id

    IPsec with AWS IPsec with AWS

  4. Click Save changes.

Verify the connections

Once the tunnel connection is successfully established, the status of the connection will be up.

  1. To verify on AWS, navigate to the VPN created under VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections .

  2. Verify the following:

    IPsec with AWS IPsec with AWS

  3. Do a traceroute or equivalent command from an internal server to public IP like 4.2.2.2. It should show Acreto’s IP in the path.

    IPsec with AWS IPsec with AWS

What is AWS Site-to-Site VPN?

Summary

Acreto IPsec Gateway allows to set up VPN tunnel to connect Acreto Ecosystem with Amazon Web Services (AWS) Virtual Private Cloud (VPC).

Azure Site-to-Site connection using VPN Gateway

Before You Start

Overview

This article describes configuring a Route-Based Site-to-Site IPsec VPN between an Acreto Ecosystem and Azure network.

Network Diagram

Network Diagram Network Diagram

Pre-requisite

To set up an IPsec Site-to-Site VPN tunnel between Acreto Ecosystem and Azure, you need:

  1. Access to Active Acreto Ecosystem (Wedge)
  2. Access to Azure Portal

How To: Configure Site-to-Site VPN in Azure

Use the following procedures to set up the Azure Site-to-Site VPN connection manually.

Step 1: Create a virtual network

Use an existing virtual private network or create a new virtual private network using the steps below:

  1. Login to Azure Portal
  2. Click on Create a resource
  3. Click on Networking from the left sidebar.
  4. Click on Virtual Network
  5. Fill in the following fields in the Basics tab.
    • Project details
      • Subscription
      • Resource group
    • Instance details
      • Name
      • Region IPsec with Azure IPsec with Azure
  6. Fill in the following fields in the IP Addresses tab
    • Address space
    • Subnet Name
    • Subnet Address range IPsec with Azure IPsec with Azure
  7. Review the configurations on the Review + create tab and click Create IPsec with Azure IPsec with Azure

Wait for the deployment to finish and the Virtual Network to be created.

Step 2: Create a VPN gateway

Create the virtual network gateway for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

  1. Click on Create a resource
  2. Click on Networking from the left sidebar
  3. Click on Virtual network gateway
  4. Fill in the following fields in the Basics tab.
    • Project details
      • Subscription
    • Instance details
      • Name
      • Region
      • Gateway type: VPN
      • VPN type: Route-based
      • SKU
      • Generation: Generation 1
      • Virtual Network: (select the virtual network you created earlier)
      • Gateway Subnet address range IPsec with Azure IPsec with Azure IPsec with Azure IPsec with Azure
    • Public IP address
      • Public IP address: Create a new ( or use existing)
      • Public IP address name
  5. Review the configurations on the Review + create tab and click Create IPsec with Azure IPsec with Azure

Step 3: Create a local network gateway

The next step is to create a local gateway representing your local network.

  1. Click on Create a resource
  2. In the search bar, search for Local Network Gateway
  3. Click on Create.
  4. Fill in the following fields in the Basics tab.
    • Project details
      • Subscription
      • Resource group
    • Instance details
      • Name
      • Region
      • Endpoint: IP address
      • IP Address: Acreto’s Tunnel IP
      • Address Space(s): 100.64.0.0/16 IPsec with Azure IPsec with Azure
  5. Review the configurations and click Create IPsec with Azure IPsec with Azure

Step 4: Create a VPN connection

This step creates a Site-to-Site VPN connection between your VPN device and the virtual network gateway.

  1. Click on Create a resource
  2. In the search bar, search for Connection
  3. Click on Create.
  4. On the Basics tab, fill in the following fields:
    • Connection type (Site-to-site)
    • Subscription (select the same subscription as before)
    • Resource group (select the same resource group as before)
    • Location (select the same location as before)
  5. Click on Next
  6. On the Settings tab, fill in the following fields:
    • Virtual network gateway (created in step 2)
    • Local network gateway (created in step 3))
    • Shared key (create a temporary password)
    • Click on Next
  7. Click on Review + Create IPsec with Azure IPsec with Azure

Wait for the deployment to finish and the connection created.

Step 5: Download strongswan configuration

Next, download the VPN configurations from Azure to use it to configure the Acreto gateway.

  1. Go to the VPN connection created in step 4.
  2. Click Overview from the left sidebar
  3. Click Download Configuration
  4. Select any Device vendor, Device family, and Firmware version of your choice.
  5. Click the button Download configuration IPsec with Azure IPsec with Azure
  6. Open the downloaded file and note the Azure VPN Gateway IP IPsec with Azure IPsec with Azure

Step 6: Create Gateway on Wedge with option AWS Site-to-Site IPsec and Azure Tunnel IP

Create Gateway on Ecosystem by following the instruction in the link. Provide the following values:

  1. Goto Objects » Gateways

  2. Add New Gateway

  3. Provide the following information :

    • Name: Azure
    • Category: Cloud Instance
    • Type: IPSec
    • Model: AWS site-to-site VPN
    • AWS Tunnel Outside IP Address: <Azure VPN gateway IP from Step 5>
    • Local Network

    IPsec with Azure IPsec with Azure

Step 7: Read the Configuration

Read the PSK information from the Acreto gateway created in the previous steps.

  1. Click the gateway created on Acreto in Step 5.
  2. Click the Play button under Configuration Options to generate the strongSwan Config. IPsec with Azure IPsec with Azure
  3. Once the Config file is generated, click the Download button to download the configuration on the local computer. IPsec with Azure IPsec with Azure
  4. Unzip the downloaded file and copy the PSK from the file ipsec.secrets IPsec with Azure IPsec with Azure

Step 8: Update the PSK from Wedge in Azure VPN

Update the new PSK from the previous step and update the VPN connection on Azure.

  1. Goto VPN connection created in step 4
  2. From the left sidebar, click Settings » Shared key
  3. Update the Shared key (PSK) from the Step 7
  4. Save IPsec with Azure IPsec with Azure

Step 9: Update IPsec Parameter

  1. Goto VPN connection created in step 4.
  2. From the left sidebar, click Settings » Configuration
  3. Update the following
    • IPsec / IKE policy - Custom
    • IKE Phase 1
      • Encryption - AES256
      • Integrity/PRF - SHA256
      • DH Group - DHGroup14
    • IKE Phase 2(IPsec)
      • Encryption - AES256
      • Integrity/PRF - SHA256
      • DH Group - ECP256
    • IPsec SA lifetime in seconds - 3600
    • DPD timeout in seconds - 30
  4. Save. IPsec with Azure IPsec with Azure

Step 10: Check Connection

  1. Goto VPN connection created in step 4.
  2. From the left sidebar, click Settings » Connections
  3. Give a few minutes for changes to be effective.
  4. Once all the configurations are saved, the status of the VPN connection will be shown as Connected. IPsec with Azure IPsec with Azure

What is Azure Site-to-Site connection?

Summary

Acreto IPsec Gateway allows to set up VPN tunnel to connect Acreto Ecosystem with Azure VPN Gateway.

Connect to multiple VPCs in AWS using Transit Gateway

Before You Start

Overview

This article describes configuring a Route-Based Site-to-Site IPsec VPN between an Acreto Ecosystem and the Amazon Web Services (AWS) Transit Gateway to access multiple VPCs.

Network Diagram

Network Diagram Network Diagram

Concepts and Glossary

  1. IPsec VPN tunnel: An encrypted link where network traffic can pass between Acreto Ecosystem and AWS VPS.
  2. Customer gateway: An AWS resource that provides information to AWS about the Acreto IPsec Gateway object.
  3. Virtual private gateway: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

Prerequisites

To setup an IPsec Site-to-Site VPN tunnel between Acreto Ecosystem and AWS VPS, you need:

  1. Access to Active Acreto Ecosystem
  2. Access to AWS Management Console
  3. Pre-configured VPC, subnets, route tables, NACL, and security groups

The Purpose of Site-to-Site IPsec VPN

Acreto, as a Cloud Provider, allows to connect and integrate multiple physical and virtual networks. All connections require stable and secure links. Virtual (EC2) Instances running on Amazon VPC can’t communicate securely with your own (remote) network by default. However, it is possible to connect your network to Acreto Ecosystem. Then, you can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection and configuring routing to pass traffic through the connection.

Acreto Ecosystem configures the routing automatically and passes the traffic between AWS VPC and your network. Additionally, the traffic is scanned by the Acreto Threat Engine to block suspicious traffic and malware.

How To

Configure Site-to-Site VPN in AWS

Use the following procedures to manually set up the AWS Site-to-Site VPN connection transit gateway on Amazon AWS.

Step 1.1: Create Customer Gateway

Create a new Customer Gateway with Acreto’s public IP.

  1. From the VPC Dashboard in the left sidebar, go to VIRTUAL PRIVATE NETWORK (VPN) » Customer Gateways

  2. Click Create Customer Gateway

  3. Provide the following values :

    • Name: Acreto
    • Routing: Static
    • IP Address: Acreto’s Default Tunnel IP

    IPsec with AWS IPsec with AWS

  4. Click Create Customer Gateway.

    IPsec with AWS IPsec with AWS

Step 1.2: Create Transit Gateway

Create a Transit gateway that will be used to form the IPsec tunnel with Acreto.

  1. From the VPC Dashboard in the left sidebar, go to TRANSIT GATEWAYS » Transit Gateways.

  2. Click Create Transit Gateway.

  3. Give the name and click Create Transit Gateway

    IPsec with AWS IPsec with AWS

  4. Wait for a few minutes to get the state of Transit Gateway to Available.

    IPsec with AWS IPsec with AWS

Step 1.3: Create Transit Gateway attachment

Create a Transit gateway attachment that will attach to the primary VPC.

  1. From the VPC Dashboard in the left sidebar, go to TRANSIT GATEWAYS » Transit Gateways Attachment

  2. Click Create Transit Gateway Attachment

  3. Provide the following values

    • Transit Gateway ID - Select the Transit gateway created in the previous step
    • Attachment type - VPC
    • VPC ID - Select the VPC
    • Subnet IDs - Select the subnets that will communicate over the VPN

    IPsec with AWS IPsec with AWS

  4. Click Create Transit Gateway attachment

Step 1.4: Create and Configure VPN Connection

Create a new VPN connection and associate the previously created Virtual Gateway in Step 2 and Customer Gateway in Step 1.

  1. From the VPC Dashboard in the left sidebar, go to VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections.

  2. Click Create VPN Connection.

  3. Provide the following values in the tunnel setting:

    • Name: Acreto_ipsec
    • Target Gateway Type: Transit Gateway
    • Transit Gateway: Select the Transit gateway created Step 6
    • Customer Gateway: Existing
    • Customer Gateway ID: Select the Customer gateway created in Step 5
    • Routing Options: Static
    • Static IP Prefixes: 100.64.0.0/16

    IPsec with AWS IPsec with AWS

  4. Click Create VPN Connection.

  5. Select the VPN created and click the tab Tunnel Details. Copy the Outside IP address of the tunnel to form a VPN with Acreto.

    IPsec with AWS IPsec with AWS

This Outside IP address will be used in the next steps to configure the Acreto gateway on Wedge Ecosystem.

Step 1.5: Create Acreto Gateway for IPsec

Create Gateway on Ecosystem by following the instructions in the link. Provide the following values:

  • Type: IPsec
  • Category: Data Center
  • Model: AWS site-to-site VPN
  • Connections from: AWS Tunnel’s Outside IP address
  • Local network: local_network
  • Save and Commit the changes.

IPsec with AWS IPsec with AWS

Step 1.6: Read the Configuration

  • Click the gateway created on the Wedge.

  • Click the Play button under Configuration Options to generate the strongSwan Config.

    IPsec with AWS IPsec with AWS

  • Once the Config file is generated, click the Download button to download the configuration on the local computer.

    IPsec with AWS IPsec with AWS

  • Unzip the downloaded file and copy the PSK from the file ipsec.secrets

    IPsec with AWS IPsec with AWS

Step 1.7: Update AWS VPN tunnel configuration

  1. Goto AWS Site-to-Site VPN connections

  2. Select the VPN and click Actions » Modify VPN Tunnel Option

    IPsec with AWS IPsec with AWS

  3. Select the tunnel used to create the VPN with Acreto.

  4. Update the password copied from the ipsec.secrets file from strongSwan config file downloaded from Wedge

    IPsec with AWS IPsec with AWS

  5. In the same window “Modify VPN Tunnel Options” scroll down and select the following action under tunnel configuration:

    • DPD Timeout Action: Restart
    • Startup Action: Start
  6. Click Save

Step 1.8: Update the Transit Gateway Route Table

Configure the Route table to set the default route to the VPN tunnel.

  1. From the VPC Dashboard, click Transit Gateway Route Table under TRANSIT GATEWAYS in the left sidebar

  2. Select the Transit gateway Route table entry.

  3. Select tab Routes and click Create Static Route

    IPsec with AWS IPsec with AWS

  4. Click Create Static Route

    IPsec with AWS IPsec with AWS

Step 1.9: Update Route the Table for the Subnet

  1. From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar

  2. Select the Route table and click Edit routes. Add the following values :

    • CIDR - 100.64.0.0/16
    • Attachment - Select the Transit VPN attachment id

    IPsec with AWS IPsec with AWS

  3. Click Save changes.

Attach Secondary VPC in the same account to the Transit Gateway

Step 2.1: Create Transit Gateway attachment for Secondary VPC

to TRANSIT GATEWAYS » Transit Gateways Attachment

  1. Click Create Transit Gateway Attachment

  2. Provide the following values

    • Transit Gateway ID - Select the Transit gateway created in step 6
    • Attachment type - VPC
    • VPC ID - Select the new VPC
    • Subnet IDs - Select the subnets that will communicate over the VPN

    IPsec with AWS IPsec with AWS .

  3. Click Create Transit Gateway attachment

Step 2.2: Verify the routes from the new VPC Transit Gateway attachment is available on the Transit Gateway Route table.

Configure Routes from the new VPC transit gateway attachment appears in the Transit Gateway Route table.

  1. From the VPC Dashboard, click Transit Gateway Route Table under TRANSIT GATEWAYS in the left sidebar

  2. Select the Transit gateway Route table entry.

  3. Select tab Routes

  4. Check the Static route from the new VPC Transit Gateway attachment is available

IPsec with AWS IPsec with AWS

Step 2.3: Update the routes for the Subnet in Secondary VPC

Follow Step 1.9 to add the route for Acreto subnet 100.64.0.0/16 through the transit gateway.

IPsec with AWS IPsec with AWS

Verify the connections

Once the tunnel connection is successfully established, the status of the connection will be up.

  1. To verify on AWS, navigate to the VPN created under VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections. Verify the following:

    IPsec with AWS IPsec with AWS

  2. Connect a Remote user with the Acreto Connect Client and access the resources in the VPC connected using Transit Gateway.

IPsec with AWS IPsec with AWS IPsec with AWS IPsec with AWS

Summary

Acreto Gateway allows setting up an IPsec VPN tunnel with AWS Transit Gateway, which can be used to access resources in multiple VPCs.

Fortinet FortiGate Dual VPN setup

Before You Start

Overview

This article illustrates a Dual VPN setup and explains how to connect the secondary tunnel from your environment to the second Ecosystem which can act as a backup in case of failure of the Primary ISP or Ecosystem. With this setup, when the first tunnel is down, the traffic will automatically start going through the second tunnel to the backup Ecosystem. FortiGate - VPN list FortiGate - VPN list

Prerequisites

  1. FortiGate installation
  2. Ecosystem set up with proper security policies

How-To

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New Gateway Wedge - New Gateway
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

Task 1: Read IPsec Gateway Values Required for FortiGate Configuration

To proceed with the FortiGate configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel - view the below animation for further instruction.

FortiGate - VPN wizard panel FortiGate - VPN wizard panel

Task 2. Configure Primary Tunnel on FortiGate with Acreto Primary EcoSystem

  1. In FortiGate, go to VPN > IPsec Tunnels. From Create New drop-down menu, select IPsec Tunnel
    FortiGate - VPN list FortiGate - VPN list
  2. In the next window, give the primary tunnel name and click on Custom and click on Next.
    FortiGate - VPN list FortiGate - VPN list
  3. Configure the following VPN settings:
    1. IP Version: IPv4
    2. Remote Gateway: Static IP Address
    3. IP Address: Primary EcoSystem Gateway
    4. Interface: Select WAN Interface
    5. Mode Config: Enable
    6. DPD Retry interval: 30 FortiGate - VPN list FortiGate - VPN list
  4. Expand Advance Option and configure as below:
    1. Add Route: Disabled
    2. Authentication Method: Pre-shared Key
    3. Pre-shared Key: enter the pre-shared key
    4. IKE Version: 2 FortiGate - VPN list FortiGate - VPN list
  5. In Phase1 Proposal. Delete all proposals except two as below:
    1. Encryption: AES 128 Authentication: SHA256
    2. Encryption: AES 128 Authentication: SHA512
    3. DH Group: 15 , 14, 2
    4. Key Lifetime: 10800
    5. Local ID: enter the peer id FortiGate - VPN list FortiGate - VPN list
  6. In Phase2 setting, please enter below:
    1. Encryption: AES 128 Authentication: SHA256
    2. Encryption: AES 128 Authentication: SHA512
    3. PFS: Enable
    4. DH Group: 15 , 14, 2
    5. Auto Keep Alive: Enable FortiGate - VPN list FortiGate - VPN list
  7. Click OK to save the VPN setting.

Task 3. Configure Secondary Tunnel on FortiGate with Acreto Secondary EcoSystem

  1. Repeat the above steps for the creation of a secondary tunnel. We will use Acreto-ECO-2 as the name of a secondary tunnel in this article.

Task 4. Configure IPs on Tunnel Interfaces

This step is required for policy routing to work. Any dummy/unused IPs can be used for interfaces.

  1. Go to Network > Interfaces. Select Acreto-ECO-1 Tunnel interface and click on Edit FortiGate - VPN list FortiGate - VPN list
  2. Configure IP as below:
    1. IP: 169.254.254.1
    2. Remote IP: 169.254.254.2/32
  3. Click on Save FortiGate - VPN list FortiGate - VPN list
  4. Repeat the step to configure IP on the secondary tunnel interface.
  5. Go to Network > Interfaces. Select Acreto-ECO-2 Tunnel interface and click on Edit.
  6. Configure IP as below:
    1. IP: 169.254.254.3
    2. Remote IP: 169.254.254.4/32
  7. Click on Save. FortiGate - VPN list FortiGate - VPN list

Task 5. Configure Routing for VPN Traffic

  1. Go to Network > Static Route. Click on Create New. FortiGate - VPN list FortiGate - VPN list
  2. In the next window, configure the static route as below:
    1. Destination: 0.0.0.0/0
    2. Interface: Acreto-ECO-1 (Acreato-primary-tunnel)
    3. Administrative Distance: 30
  3. Click on Save FortiGate - VPN list FortiGate - VPN list
  4. Repeat the step to configure a static route for the secondary tunnel.
  5. Go to Network > Static Route. Click on Create New.
  6. In the next window, configure the static route as below:
    1. Destination: 0.0.0.0/0
    2. Interface: Acreto-ECO-2 (Acreato-secondary-tunnel)
    3. Administrative Distance: 30
  7. Click on Save FortiGate - VPN list FortiGate - VPN list

Task 6. Configure Policy Route on FortiGate for Traffic from LAN to Acreto.

  1. To configure the policy route, Go to Network > Policy Route. Click on Create New. FortiGate - VPN list FortiGate - VPN list
  2. In the next window, configure policy route setting as below:
    1. Incoming Interface: Select LAN interface
    2. Source - IP/Netmask: 192.168.253.0/24 (LAN Network)
    3. Destination - IP/Netmask: 0.0.0.0/0
    4. Outgoing Interface: Acreto-ECO-1 (Primary Tunnel)
    5. Gateway Address: 169.254.254.2 (Remote IP for primary tunnel interface)
  3. Click on save. FortiGate - VPN list FortiGate - VPN list
  4. Repeat the step to configure the policy route for the secondary tunnel.
  5. Go to Network > Policy Route. Click on Create New.
  6. In the next window, configure policy route setting as below:
    1. Incoming Interface: Select LAN interface
    2. Source - IP/Netmask: 192.168.253.0/24 (LAN Network)
    3. Destination - IP/Netmask: 0.0.0.0/0
    4. Outgoing Interface: Acreto-ECO-2 (secondary Tunnel)
    5. Gateway Address: 169.254.254.4 (Remote IP for secondary tunnel interface)
  7. Click on Save. FortiGate - VPN list FortiGate - VPN list

Task 7. Configure Firewall Policies to Allow the Traffic.

  1. Go to Policy & Objects > Firewall Policy. Click on Create New. FortiGate - VPN list FortiGate - VPN list
  2. In the next window, configure the policy setting as below for primary VPN.
    1. Name: Give a name to the primary policy
    2. Incoming Interface: LAN
    3. Outgoing Interface: Acreto-ECO-1 (Primary Tunnel Interface)
    4. Source: LAN Address
    5. Destination: all
    6. Schedule: Always
    7. Service: All
    8. Action: Accept
    9. NAT: Disable
    10. Protocol Option: default
    11. SSL Inspection: no-inspection
    12. Logging: As needed
  3. Click on Save. FortiGate - VPN list FortiGate - VPN list
  4. Repeat the step to create a firewall policy to allow traffic on secondary VPN.
  5. Go to Policy & Objects > Firewall Policy. Click on Create New.
    1. Name: Give a name to the secondary policy
    2. Incoming Interface: LAN
    3. Outgoing Interface: Acreto-ECO-2 (Secondary Tunnel Interface)
    4. Source: LAN Address
    5. Destination: all
    6. Schedule: Always
    7. Service: All
    8. Action: Accept
    9. NAT: Disable
    10. Protocol Option: default
    11. SSL Inspection: no-inspection
    12. Logging: As needed
  6. Click on Save. FortiGate - VPN list FortiGate - VPN list

Task 8. Check the status of the VPN.

  1. Go to Dashboard > Network > IPsec.
  2. If the tunnel is showing down. Select the tunnel and click on Bring UP FortiGate - VPN list FortiGate - VPN list
  3. Primary and secondary VPN selection is handled by Policy Route.

Traffic will be matched with the policy on top if both tunnels are up. FortiGate - VPN list FortiGate - VPN list

Summary

After this setup, there are two tunnels created from FortiGate to Acreto Primary and Secondary Ecosystem through Primary and Secondary tunnel respectively. If the primary tunnel goes down, all traffic will start going from the backup tunnel, which in this case is the Secondary tunnel.

Fortinet FortiGate IPsec Configuration

Prerequisites

  1. FortiGate installation
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New Gateway Wedge - New Gateway
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

How-To

Step 1: Read IPsec Gateway Values Required for FortiGate Configuration

To proceed with the FortiGate configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel - view the below animation for further instruction.

FortiGate - VPN wizard panel FortiGate - VPN wizard panel

Step 2: Configure FortiGate - VPN Creation Wizard

Use VPN Wizard to create all basic configurations.

  1. Log in to the FortiGate Dashboard.
  2. In the navigation panel, select VPN > IPsec Wizard and view VPN Creation Wizard
    FortiGate - VPN wizard panel FortiGate - VPN wizard panel
  3. Complete the first step of VPN Wizard, VPN Setup, by inserting these values:
    1. Name: AcretoGate (or your own readable name)
    2. Template Type: Site to Site
    3. Remote Device Type: Cisco
    4. NAT Configuration: No NAT between sites
  4. When the form is ready, click Next.
  5. Complete the second step of the VPN wizard, Authentication.
    1. Remote Device: IP address
    2. IP Address: Input the IP address of your Acreto Gateway created in Wedge.
    3. Outgoing Interface: Select the existing interface that will be used for this connection.
    4. Authentication Method: Pre-shared Key
    5. Pre-shared Key: Enter the Pre-shared Key common for Acreto and FortiGate (available on Acreto Wedge in the Gate configuration panel).
  6. When the form is ready, click Next.
  7. Complete the last step of the VPN wizard, Policy & Routing.
    1. Local Interface: Select the local interface that will use this connection.
    2. Local Subnets: Define local subnets for this connection.
    3. Remote Subnets: Define remote (Acreto site) subnets for this connection (0.0.0.0/0 - for all networks).
    4. Internet Access: None
  8. Click on Save.
  9. From the side menu, choose VPN > IPsec Tunnels to confirm that the newly created VPN is displayed on the list in the Site to Site section. FortiGate - VPN list FortiGate - VPN list

Step 3: Configure FortiGate - Convert VPN to Custom Tunnel

  1. From the side menu, choose VPN > IPsec Tunnels. You should see the Acreto Gate tunnel created in the previous step.
  2. Double-Click on the tunnel name to open editing options.
  3. On the Edit VPN tunnel screen, click Convert To Custom Tunnel- this action will convert your VPN to a custom tunnel, allowing you to configure additional settings. FortiGate - VPN list FortiGate - VPN list
  4. After you click on Convert To Custom Tunnel, a few additional options will be displayed on the screen.
  5. Edit Network by clicking on Edit and set the Mode Config to check, as shown on the screen below (IP address and Interface will be different). FortiGate - VPN list FortiGate - VPN list
  6. Edit Authentication by clicking on Edit and set Version to 2, as shown on the screen below. FortiGate - VPN list FortiGate - VPN list
  7. Edit Phase 1 Proposal by clicking on Edit and set Version to 2, as shown on the screen below.
    1. Encryption: AES256
    2. Authentication: SHA512
    3. Diffie-Hellman Group: 16
    4. Key Lifetime: 3600 FortiGate - VPN list FortiGate - VPN list
  8. Edit Phase 2 Selectors by clicking on Edit > Advanced, as shown on the screen below:
    1. Encryption: AES256
    2. Authentication: SHA512
    3. Enable Replay Detection: check
    4. Enable Perfect Forward Secrecy (PFS): check
    5. Diffie-Hellman Group: 16
    6. Autokey Keep Alive: check
    7. Key Lifetime: Seconds
    8. Seconds: 3600 FortiGate - VPN list FortiGate - VPN list
  9. When all edits are complete, click OK at the bottom of the screen to convert the tunnel. From now on, the IPsec tunnels panel will show as Custom.

Step 4: Configure FortiGate - Assign IP to the tunnel interface

  1. From the side menu, choose Network > Interfaces. Find the tunnel interface name AcretoGate under WAN interface.
  2. Edit the interface and assign local and remote IP. You can choose any IP, it will not affect the traffic.
    1. IP: <any /32 IP>
    2. Netmask: 255.255.255.255
    3. Remote IP/Netmask: <any /32 IP> FortiGate - VPN list FortiGate - VPN list

Step 5: Configure FortiGate - Routing Changes

  1. From the side menu, choose Network > Static Routes. Find the static route created by the wizard. Should be with the name <Tunnel_name>_remote.
  2. Edit the static route and change the Administrative Distance to 50. FortiGate - VPN list FortiGate - VPN list
  3. Click OK to save the route.
  4. From the side menu choose Network > Policy Routes and click on Create New
  5. Configure the new Policy Route, as shown on the screen below.
    1. Incoming Interface: <select your local interface>
    2. Source Address-Ip/Netmask : <enter local subnet >
    3. Destination Address-Ip/Netmask : 0.0.0.0/0
    4. Action : Forward Traffic
    5. Outgoing Interface : AcretoGate OR <choose your tunnel interface>
    6. Gateway Address : <enter Remote IP configured in Step 4.2.3> FortiGate - VPN list FortiGate - VPN list
  6. Click OK to Save

Step 6: Configure FortiGate - Bring the Tunnel Up

  1. From the side menu, choose Dashboard > Network > IPsec
  2. Select the Tunnel and click on Bring Up.

Step 7: Configure FortiGate - Verify

When the configuration is complete, all network traffic on the selected interface and the selected subnet(s) is redirected through Acreto.

Fortinet FortiGate IPsec Configuration through CLI

Before you start

Overview

This article will show you how to use CLI to connect the FortiGate managed network to the Acreto Ecosystem.

Prerequisites

  1. FortiGate installation
  2. Ecosystem set up with proper security policies

How-To

Create Gateway for IPsec

This step is optional, skip it if you already own the Gateway.

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New
Gateway Wedge - New
Gateway
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

Step 1: Read IPsec Gateway Values Required for Fortigate Configuration

To proceed with the Fortigate configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel - view the below animation for further instruction.

Fortigate - VPN wizard panel Fortigate - VPN wizard panel

Step 2: Configure Fortigate - Create VPN (Phase1 and Phase2)

Use the following commands to create a VPN through CLI.

Log in to the Fortigate CLI.

  1. Configure IPsec VPN Phase-1

    config vpn ipsec phase1-interface
    edit AcretoGate
     set interface <wan_interface>   
     set peertype any
     set net-device disable
     set mode-cfg enable
     set proposal aes128-sha256 aes256-sha512
     set ike-version 2
     set keylife 10800
     set remote-gw acreto-peer-ip       (Copy from Wedge Dashboard)
     set psksecret psk                  (Copy from Wedge Dashboard)
     set dhgrp 16
     set localid local-id              (Copy from Wedge Dashboard)
     next
    end
  2. Configure IPsec VPN Phase-2

    config vpn ipsec phase2-interface
     edit AcretoGate
      set phase1name AcretoGate
      set proposal aes256-sha512 aes256gcm
      set dhgrp 16
      set keepalive enable
      set keylifeseconds 3600
     next
    end

Step 3: Configure Fortigate - Create Address and Address group

  1. Create addresses for all local addresses/subnets

    config firewall address
    
    edit AcretoGate_local_1
      set allow-routing enable
      set subnet 192.168.1.0 255.255.255.0
      next
    
    edit AcretoGate_local_2             
      set allow-routing enable
      set subnet 192.168.2.0 255.255.255.0
      next
    end
  2. Create an address group to add all the addresses created in the previous step

    config firewall addrgrp
    
    edit AcretoGate_local_grp
     set member AcretoGate_local_1 AcretoGate_local_2
     next
    end

Step 4: Configure Fortigate - Create Firewall Policy for Traffic

  1. Outbound Policy for traffic originating from Local lan interface to internet through Acreto VPN

    config firewall policy
    edit 0
      set name Outbound_toAcreto 
      set srcintf lan_interface_ip 
      set dstintf AcretoGate
      set srcaddr AcretoGate_local_grp
      set dstaddr all
      set action accept
      set schedule always
      set service ALL
      next
    end 
  2. Inbound Policy for traffic coming from Acreto VPN to Local lan

    config firewall policy
    edit 0
      set name Inbound_fromAcreto
      set srcintf AcretoGate
      set dstintf  lan_interface_ip
      set srcaddr all
      set dstaddr AcretoGate_local_grp
      set action accept
      set schedule always
      set service ALL
      next
    end

Step 5: Configure Fortigate - Routing Changes

Scenario 1: When traffic from all local subnet/interfaces need to pass through the tunnel

  1. Add Static Route

    config router static
    edit 0
     set dst Acreto_PeerIP
     set device wan_interface
     Set gateway ISP_Gateway       
     next
    edit 0
     set dst 0.0.0.0 0.0.0.0
     set device AcretoGate
     set distance 4
     next
    end

Scenario 2: When traffic from a specific subnet/interface needs to pass through the tunnel.

  1. Add IP at the tunnel interface

    config system interface
    edit "AcretoGate"
     set ip 2.2.2.2 255.255.255.255
     set remote-ip 2.2.2.3 255.255.255.255
     next
    end
  2. Add Static Route to direct the traffic through the tunnel with a higher administrative distance

    config router static
    edit 0
     set distance 254
     set device AcretoGate
     set dst 0.0.0.0 0.0.0.0
     next
    end
  3. Add Policy Route to direct the specific traffic through the tunnel

    config router policy
    edit 0
     set input-device lan_interface 
     set srcaddr AcretoGate_local_grp
     set dstaddr all
     set output-device AcretoGate
     Set gateway 2.2.2.3
     next
    end

Step 6: Configure Fortigate - Bring the Tunnel Up

Run the following command to bring the tunnel up bash diagnose vpn tunnel up AcretoGate

diagnose vpn tunnel up AcretoGate

Step 7: Configure Fortigate - Verify

  • Check the status of tunnel Phase-1
diagnose vpn ike gateway list name AcretoGate
  • Check status of Phase-2
diagnose vpn tunnel list name AcretoGate

Summary

Once the VPN connection is successfully established, all the internet traffic will be routed through Acreto.

Linux - Automatic IPsec Configuration

Prerequisites

  1. Ubuntu 18.04 or newer installed on your device
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

If you didn’t do it yet, you need to create a new Gateway device on the Acreto platform.

  1. Login to the Acreto platform at wedge.acreto.net

  2. Select your ecosystem and go to Objects using the left menu.

  3. Click Add new Object and select Gateway.

  4. Fill at least:

    1. Name: the name of the IPSec connection needs to be compatible with Strongswan connection name requirements (basically, only letters and numbers)

    2. Category: IoT

    3. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted)

    4. Local Networks: - your local network addresses that should be routed through this gateway

      Wedge - New Gateway Wedge - New Gateway

      Note: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.

  5. Save the created Gateway by pressing Add.

  6. Add a security policy that will allow communication from the Gateway device to the Internet. Wedge - New Gateway Wedge - New Gateway

  7. Commit pending changes (top of the screen) Wedge - New Gateway Wedge - New Gateway Note: to successfully test your connectivity, you also need to create a security policy that will allow traffic going through your device.

Generate Strongswan config files

  1. Log in to the Acreto platform at wedge.acreto.net

  2. Select your ecosystem and go to Objects using the left menu

  3. Open the gateway object which you want to use by clicking on its “Info” button.

    Wedge - Gateway Info button Wedge - Gateway Info button

  4. Generate the IPsec strongSwan config using Configuration Options > Bare Metal, OS and Software

    Wedge - Download configuration Wedge - Download configuration

    Then Click on [Play Button]

  5. Copy the link to the IPsec strongSwan config file

    Wedge - Copy the link to IPsec strongswan config Wedge - Copy the link to IPsec strongswan config

Installation using acreto-ipsec.sh script

  1. Execute the following commands on your Linux shell

    curl -fsSL https://kb.acreto.net/reference-material/downloads/acreto-ipsec.sh | sudo bash -s -- [URL_to_strongswan_config]

    where [URL_to_strongswan_config] is the URL copied in previous step.

    Example:

    curl -fsSL https://kb.acreto.net/reference-material/downloads/acreto-ipsec.sh | sudo bash -s -- https://api-is-rock-solid.acreto.net/v2/gateways/ipsec/config/strongswan?_token=s.WNJJeTxWsIeXMkgeIA96SOe8

IPsec tunnel and routing verification

  1. Ensure that traffic goes through Acreto (with traceroute or mtr)

    Execute the command:

    mtr 8.8.8.8

    The ouput should indicate that packets go through 100.65.0.x:

    Host                     Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. 100.65.0.30            0.0%     9  225.1 225.1 224.6 225.8   0.3
    2. 100.65.0.1             0.0%     8  225.9 227.5 225.7 237.1   3.9
    3. ???
    4. nyk-b2-link.telia.net  0.0%     8  226.0 226.9 226.0 228.3   0.7
    5. 72.14.218.254          0.0%     8  227.1 227.8 226.4 230.4   1.2
    6. 108.170.248.97         0.0%     8  227.1 227.2 226.8 227.9   0.4
    7. 108.170.227.211        0.0%     8  226.5 226.9 226.0 227.7   0.6
    8. dns.google             0.0%     8  226.7 227.6 226.7 229.2   0.8

IPsec Operational Commands

  1. Restart IPsec service with the following command: ipsec restart

  2. Wait approximately 10 seconds, and check the status of IPsec: ipsec statusall

  3. If the connection did not start, try to take it up manually:

    CONN=`grep '^conn .*' /etc/ipsec.d/*.conf|cut -d' ' -f2`; echo $CONN
    ipsec up $CONN

    It should display information useful for debugging purposes.

  4. Ensure everything works fine with:

    ipsec statusall
    ip address show
    ip route show
  5. Check if you have Internet access

IPsec Watchdog

In case you Internet connection if very unstable or your ISP changes your public IP, then you may consider running an IPsec watchdog that verifies every minute if the tunnel is passing the traffic to Acreto Ecosystem.

Please download the script and follow the steps from the comments section at the beginning of this script.

Click on the button and save the script in your home directory:

Get ipsec-watchdog.sh

or open the terminal and download the script directly to your vGateway using the command:

cd /etc/ipsec.d/
wget https://kb.acreto.net/reference-material/downloads/ipsec-watchdog.sh

Linux - Manual IPsec Configuration

Prerequisites

  1. Ubuntu 18.04 or newer installed on your device
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

If you didn’t do it yet, you need to create a new Gateway device on the Acreto platform.

  1. Log in to the Acreto platform at wedge.acreto.net

  2. Select your ecosystem and go to Objects using the left menu.

  3. Click Add new Object and select Gateway.

  4. Fill at least:

    1. Name: - the name of IPSec connection, needs to be compatible with Strongswan connection name requirements (basically, only letters and numbers)

    2. Category: IoT

    3. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted)

    4. Local Networks: - your local network addresses that should be routed through this gateway

      Wedge - New Gateway Wedge - New Gateway

      Note: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.

  5. Save the created Gateway by pressing Add.

  6. Add security policy that will allow communication from the Gateway device to the Internet. Wedge - New Gateway Wedge - New Gateway

  7. Commit pending changes (top of the screen)

Note: to successfully test your connectivity, you also need to create a security policy that will allow traffic going through your device.

Generate Strongswan config files

  1. Log in to the Acreto platform at wedge.acreto.net

  2. Select your ecosystem and go to Objects using the left menu

  3. Open the gateway object which you want to use by clicking on its “Info” button.

    Wedge - Gateway Info button Wedge - Gateway Info button

  4. Download Strongswan configuration using Configuration Options > Software Clients with Config

    Wedge - Download configuration Wedge - Download configuration

  5. Download Strongswan configuration to your device.

Install dependencies on the device

  1. Log in to your device.

  2. Set up time/date server, to do that use the following command:

    sudo timedatectl set-ntp on
    ntpdate -s ntp.ubuntu.com
  3. Install required packages:

sudo apt-get update
sudo apt-get install -y --no-install-recommends \
    apt-utils \
    ifupdown2 \
    inetutils-ping \
    strongswan \
    kmod \
    openssl \
    libstrongswan-standard-plugins

Apply configuration files

  1. Log in to your device.

  2. Unzip downloaded config file and copy respective files to their location:

    unzip -x 10b6c4d8-0e9a-f5c7-c4c9-7edd6a6493ed.zip
    sudo cp -r etc/*  /etc
  3. Ensure the files are in proper location

    1. /etc/ipsec.d/[connection uuid].conf
    2. /etc/ipsec.d/leftifupdown.sh
    3. /etc/ipsec.secrets

Enable gateway mode (optional)

To work in gateway mode, you need to configure IPsec to use VTI devices.

Modify /etc/strongswan.d/charon.conf - leave all on defaults except for the following:

install_routes = no
install_virtual_ip = no
ignore_routing_tables = 220

Modify connection file /etc/ipsec.d/*.conf to enable VTI support - uncomment mark and leftupdown options:

# uncomment this line for policy routing configuration
mark=105

# uncomment this line for policy routing configuration
leftupdown=/etc/ipsec-leftupdown.sh

Determine connection name as defined in ipsec configuration:

CONN=`grep '^conn .*' /etc/ipsec.d/*.conf|cut -d' ' -f2`; echo $CONN

Create a routing file that will contain (remote) networks which should be routed through the Acreto platform - by default, it would be a default gateway:

cat > /etc/ipsec.d/$CONN.route << EOF
0.0.0.0/0
EOF

Enable IP forwarding

echo net.ipv4.ip_forward=1 > /etc/sysctl.d/10_ac_ip_forward.conf
systemctl restart systemd-sysctl

Configure connection autostart

sed -i''  -e s/auto=route/auto=start/ /etc/ipsec.d/*.conf

Start IPSec

  1. Restart ipsec service with following command:

    ipsec restart
  2. Wait approximately 10 seconds, and check status of ipsec:

    ipsec statusall
  3. If the connection did not start, try to take it up manually:

    CONN=`grep '^conn .*' /etc/ipsec.d/*.conf|cut -d' ' -f2`; echo $CONN
    ipsec up $CONN

    It should display information useful for debugging purposes.

  4. Ensure everything works fine with:

    ipsec statusall
    ip address show
    ip route show
    Check if you have Internet access enabled.
  5. Check if you have Internet access enabled.

Validation

Ensure that traffic goes through our platform (with traceroute, mtr,). Verify with the command below

Tunnel verification command

mtr 8.8.8.8

Expected output after successful tunnel creation

Host                     Loss%   Snt   Last   Avg  Best  Wrst StDev
1. 100.65.0.30            0.0%     9  225.1 225.1 224.6 225.8   0.3
2. 100.65.0.1             0.0%     8  225.9 227.5 225.7 237.1   3.9
3. ???
4. nyk-b2-link.telia.net  0.0%     8  226.0 226.9 226.0 228.3   0.7
5. 72.14.218.254          0.0%     8  227.1 227.8 226.4 230.4   1.2
6. 108.170.248.97         0.0%     8  227.1 227.2 226.8 227.9   0.4
7. 108.170.227.211        0.0%     8  226.5 226.9 226.0 227.7   0.6
8. dns.google             0.0%     8  226.7 227.6 226.7 229.2   0.8

Palo Alto Networks IPsec Configuration

This section describes how to configure two IPSec VPN tunnels on a PA-200 firewall running version 9.1.x. Refer to Palo Alto Networks documentation for additional information about the web interface.

IPSec Connectivity Guide for Palo Alto Networks Firewall

The ethernet1/2 interface is connected to the internal corporate network. This interface will act as a gateway to the internal corporate network. The ethernet1/1 interface is the external interface. The internal network configuration will be in a trust security zone, and the external network interface configuration will be in an untrust security zone. Also, ensure that both interfaces use the same Virtual Router service.

To configure the IPSec VPN tunnels on PA-200, complete the following tasks:

Task 1: Create a New Virtual Router

For this task, you will create a new Virtual Router. To configure the new Virtual Router:

  1. In the Palo Alto Networks web interface, go to Network → Virtual Routers.
  2. Click Add to add a new Virtual Router.
  3. Enter the Virtual Router name, in this case vrouter.
  4. Click OK to save the vRouter configurations.

Task 2: Create New Zones

It is recommended to use separate zones to setup IPsec tunnels with PAN.

To configure trust and untrust zones, execute the following commands:

  1. In the Palo Alto Networks web interface, go to Network → Zones.
  2. Click Add to create a new zone.
  3. Enter the trust zone name, in this case trust. Choose zone type Layer3.

  4. Click OK to save the zone.
  5. Click Add to create a new zone.
  6. Enter the untrust zone name, in this case untrust. Choose zone type Layer3.

  7. Click OK to save the zone.

Task 3: Configuring the External Ethernet Interface

Configure the external network interface on PAN to be an untrust zone.

  1. In the Palo Alto Networks web interface, go to Network -> Interfaces
  2. Navigate to the Ethernet tab and click on Ethernet 1/1
  3. Set the Interface Type to Layer3
  4. Configure the ethernet 1/1, assign it to an untrust zone and connect to vrouter Virtual Router

  5. Configure the IP address on the external network, in this example 10.1.203.96/24

  6. Click OK to save the configurations

Task 4: Configuring the Internal Ethernet Interface

Configure the internal network interface on PAN to be a trust zone.

  1. In the Palo Alto Networks web interface, go to Network -> Interfaces.
  2. Navigate to the Ethernet tab and click on Ethernet 1/2.
  3. Set the Interface Type to Layer3.
  4. Configure the ethernet 1/2, assign it to a trust zone and connect to vrouter Virtual Router.

  5. Configure the IP address on the internal interface, in this case 10.1.201.96/24.

  6. Click OK to save the configurations.

Task 5: Configuring the Tunnel Interfaces

Configure the tunnel interface on the external interface (ethernet1/1). Ensure the tunnel is configured in the untrust security zone. In this example, the tunnel interface is named tunnel.1 with a source IP address 10.1.203.93.

To configure the primary tunnel interface:

  1. In the Palo Alto Networks web interface, go to Network -> Interfaces.
  2. Click the Tunnel tab.
  3. Click Add to create a new tunnel interface.
  4. In the Tunnel Interface window, complete the following:

    • Interface Name: Enter a name for the tunnel interface, such as tunnel.1.
    • Netflow Profile: Choose the appropriate NetFlow profile. In this example, it’s None.
    • Comment: Enter additional notes or information (optional).
    • Assign Interface To:
      • Virtual Router: Choose vrouter.
      • Security Zone: Choose untrust.
  5. Under the IPv4 tab, assign IP address 10.1.203.93 to the tunnel.1 interface.

  6. Click OK to save the tunnel interface.
  7. Click *Commit to apply the configurations.

Task 6:  Creating the IKE Crypto Profile

Create an IKE crypto profile that specifies the security settings for the IKE phase 1 negotiations.

To create an IKE crypto profile:

  1. In the Palo Alto Networks web interface, go to Network.
  2. Expand Network Profiles.
  3. Select IKE Crypto.
  4. Click Add to create an IKE crypto profile.
  5. In the IKE Crypto Profile window, complete the following:
    • Name: Enter a name for the IKE crypto profile. In this case: acreto-ike-crypto.
    • DH Group: Click Add and choose group14, group19, group20.
    • Encryption: Click Add and choose aes-128-cbc aes-256-cbc.
    • Authentication: Click Add and choose sha256, sha384, sha512.
    • Lifetime: Set it to 8 hours.

  6. Click OK to save configurations.

Task 7: Creating the IKE Gateway

Create IKE gateways using the Acreto Gateway IP address. In this case: 104.193.146.132.

To create the primary IKE gateway:

  1. In the Palo Alto Networks web interface, go to Network.
  2. Expand Network Profiles.
  3. Click IKE Gateways.
  4. Click Add.
  5. In the IKE Gateway window, complete the following:
    • Name: Enter a name for the IKE gateway, such as Acreto-IPsec.
    • Version: Select IKEv2 only mode.
    • Interface: Choose the external interface ethernet 1/1.
    • Local IP Address: Choose None.
    • Peer IP Type: Choose Static.
    • Peer IP Address: Enter the Acreto Gateway address for the primary gateway. In this case, it's 104.193.146.132.
    • Pre-shared Key: Enter the pre-shared key you generated in the Acreto web Portal.
    • Confirm Pre-shared Key: Reenter the pre-shared key.
    • Local Identification: Enter the Peer ID from the Acreto Web Portal.
    • Peer Identification: Choose None.
    • Show Advanced Phase 1 Options: Select to show the following options.
      • IKE Crypto Profile: Choose the IKE crypto profile you created in the previous step. In this case, it's acreto-ike-crypto.
      • Enable Passive Mode: Deselect.
      • Enable NAT Traversal: Select.
      • Liveness Check: Deselect.
  6. Below are reference snapshots of the IKE gateway configurations.

  7. Click OK to save configurations.

Note: To view the Acreto Web Portal information, complete the following steps:

  1. Log in to https://wedge.acreto.net/.
  2. Click on the Ecosystem you want to connect to.
  3. Navigate to Elements → Objects → Gateways.
  4. Navigate to the gateway you want to connect to and click the Information sign on the right.

  5. A new window will appear. Click on “VPN Parameters” to expand the details:

  6. From here you can view the Pre-Shared Key, Gateway Address and Peer ID.
  7. These parameters will be used for Task #7.

Task 8: Creating the IPSec Crypto Profile

Create an IPSec crypto profile that specifies the security parameters for the IKE phase 2 negotiations.

To create an IPSec crypto profile:

  1. In the Palo Alto Networks web interface, go to Network
  2. Expand Network Profiles.
  3. Click IPSec Crypto.
  4. Click Add to create a IPSec crypto profile.
  5. In the IPSec Crypto Profile window, complete the following:
    • Name: Enter a name for the IPSec crypto profile, such as acreto-ipsec-crypto.
    • IPSec Protocol: Ensure ESP is chosen.
    • Encryption: Click Add and choose aes-256-gcm to encrypt the traffic.
    • Authentication: Click Add and choose sha256.
    • DH Group: Ensure group20 is chosen.
    • Lifetime: Set it to 1 Hour.
    • Lifesize: Set the lifesize according to your incoming traffic volume (optional).
  6. Reference snapshot of IPsec crypto profile.

  7. Click OK to save configurations.

Task 9: Creating the IPSec VPN Tunnels

Configure the IPSec VPN Tunnel using the Acreto Gateway Address. In this case, 104.193.146.132

To create the IPSec VPN tunnel:

  1. In the Palo Alto Networks web interface, go to Network -> IPSec Tunnels.
  2. Click Add to create a new IPSec tunnel.
  3. In the IPSec Tunnel window under the General tab, complete the following:
    • Name: Enter a name for the tunnel, such as Acreto-IPsec-Tunnel.
    • Tunnel Interface: Choose the tunnel interface you created in Configuring the Tunnel Interfaces. In this case, it's tunnel.1.
    • Type: Ensure Auto Key is chosen.
    • IKE Gateway: Choose the primary IKE gateway you created in Creating the IKE Gateway section. In this case, it's Acreto-IPsec.
    • IPSec Crypto Profile: Choose the IPSec crypto profile you created in Creating the IPSec Crypto Profile. In this case, it's acreto-ipsec-crypto.
    • Show Advanced Options: Select to show the following options.
      • Enable Replay Protection: Select.
      • Copy TOS Header: Deselect.
  4. In the Proxy IDs tab, click Add and complete the following:
    • Proxy ID: Enter a name for the proxy.
    • Local: Enter the local IP address 0.0.0.0/0.
    • Remote: Enter the remote IP address 0.0.0.0/0.
    • Protocol: Ensure Any is chosen.
  5. Click OK to save the proxy ID.
  6. Click OK again to save the IPSec tunnel configurations.
  7. Reference configuration for the IPSec Tunnel is described in the snapshots below:

  8. Click Commit to apply configurations on PAN.

Task 10: Defining the Policy-Based Forwarding Rule

Defining two policy-based forwarding rules to route the traffic from the Palo Alto Network appliance into the tunnel.

To define the primary policy-based forwarding rule:

  1. In the Palo Alto Networks web interface, go to Policies -> Policy-Based Forwarding.
  2. Click Add to create a new rule.
  3. In the General tab, complete the following:
    • Name: Enter a name for the policy, such as pbf-ipsec-acreto.
    • Description: Enter a description (optional).
    • Tags: Choose a tag (optional). 
    • Reference configurations are described in the image below:

  4. In the Source tab, choose Type Zone. Under Zone, click Add and choose trust. Reference configurations of the Source tab are below:

  5. In the Destination/Application/Service tab, complete the following:
    • Destination Address: Ensure Any is selected.
    • Applications: Ensure Any is selected.
    • Service: Ensure Any is selected.
    • Reference configurations of this tab are described in the image below:

  6. In the Forwarding tab, complete the following:
    • Action: Choose Forward.
    • Egress Interface: Choose the primary tunnel interface you created in task 5. Configuring the Tunnel Interfaces. In this case, it's tunnel.1.
    • Next Hop: Leave this field blank.
    • Monitor: Deselect.
    • Enforce Symmetric Return: Deselect.
    • Schedule: Choose None.
    • Reference configurations for this tab are described in the image below:

  7. Click OK to save the configurations.
  8. Commit the changes in PAN.

Task 11: IPSec Tunnel Status

Once completing the above step, the IPsec tunnel will be established between PAN and the Acreto IPsec Gateway. To check the status of the tunnel, navigate to  Network → IPSec Tunnels and view the tunnel status. A green color status signifies that the tunnel is established correctly.

Task 12: Configure Routing on PAN

To validate the network traffic going from PAN to the Acreto IPsec gateway, routes must be configured in the virtual router in PAN. Execute the following steps to configure the routes:

  1. In the Palo Alto Networks web interface, go to Networks -> Virtual Routers.
  2. Click on the router that was created in the previous task, in this case vrouter.
  3. From the left panel, select Static Routes.
  4. Click Add to add a new route.
  5. Configure the route fields according to the details below:
    • Name: test-ipsec-pan.
    • Destination: 8.8.8.8/32.
    • Interface: tunnel.1.
    • Next Hop: None.
    • Admin Distance:
    • Metric: 10.
    • Route Table: Unicast.
    • BFD Profile: Disable BFD.
    • Path Monitoring: Deselect.
  6. Reference configurations of this route are described in the image below:

  7. Click OK to save the configurations.
  8. Click Commit to apply the configurations.

Task 13: Verifying the Connectivity

In this section, the connectivity between PAN and Acreto gateway will be verified.

  1. SSH to the PAN device.

  2. Run the following command below:

    ping source <tunnel.1 IP address> host 8.8.8.8

  3. The ping should work with a sample output like below:

         PING 8.8.8.8 (8.8.8.8) from 10.1.203.93 : 56(84) bytes of data.
         64 bytes from 8.8.8.8: icmp\_seq=1 ttl=116 time=7.98 ms
         64 bytes from 8.8.8.8: icmp\_seq=2 ttl=116 time=4.76 ms
         64 bytes from 8.8.8.8: icmp\_seq=3 ttl=116 time=4.24 ms
         64 bytes from 8.8.8.8: icmp\_seq=4 ttl=116 time=4.90 ms
         64 bytes from 8.8.8.8: icmp\_seq=5 ttl=116 time=4.99 ms
  4. You should be able to see these traffic logs in the Acreto Reports dashboard. Navigate to the Ecosystem and from the left panel, select Reports. Below is a sample of the reports from the Acreto Web Portal:

Pfsense Ipsec with Acreto

Overview

This article will help you connect and secure your pfSense installation with Acreto Ecosystem. Network Diagram Network Diagram

Prerequisites

  1. pfSense installation.
  2. Ecosystem set up with proper security policies.

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the exact requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New Gateway Wedge - New Gateway
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the pfSense configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel - view the below animation for further instruction.

pfSense - VPN wizard panel pfSense - VPN wizard panel

Task 2: Configure IPsec on pfSense

  1. Log in to your pfSense panel.

  2. Go to VPN > IPsec. Click on Add P1 to configure the Phase 1 settings.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  3. In the following window, configure VPN Phase1 settings as below:

    • General Information:
      1. IKE Exchange Version: IKEV2
      2. Internet Protocol: IPv4
      3. Interface: WAN
      4. Remote Gateway: Acreto Peer IP
      5. Description: AcretoVPN

    pfSense - ipsec - configuration pfSense - ipsec - configuration

    • Phase 1 Proposal (Authentication)
      1. Authentication Method: Mutual PSK
      2. My Identifier: select Distinguished Name and use Peer ID in the value field.
      3. Pre-Shared Key: PSK
    • Phase 1 Proposal (Encryption Algorithm)
      1. Encryption Algorithm: AES 128 SHA256 15(3072)
      2. Expiration and Replacement
      3. Lifetime: 10800

    pfSense - ipsec - configuration pfSense - ipsec - configuration

    • Advanced Options
      1. Dead Peer Detection: Enable
      2. Delay: 30
      3. Max Failures: 5
  4. Click Save to save the configuration.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  5. Click on Show Phase 2 Entries and Click on Add P2.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  6. In the next window, configure the Phase 2 setting as below:

    • General Information:
      1. Mode: Tunnel IPv4
      2. Local Network: Select Network and enter local network address 192.168.252.0/24
      3. Remote Network: Select Network and enter 0.0.0.0/0
      4. Description: AcretoVPN_P2

    pfSense - ipsec - configuration pfSense - ipsec - configuration

    • Phase 2 Proposal (SA/Key Exchange)
      1. Protocol: ESP
      2. Encryption Algorithm: AES 128
      3. Hash Algorithm: SHA256
      4. PFS key group: 15 (3072)

    pfSense - ipsec - configuration pfSense - ipsec - configuration

    • Expiration and Replacement
      1. Lifetime: 3600 `
  7. Click on Save.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  8. Click on Apply Changes to save the configuration.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

Task 3. Configure Policy to allow traffic from LAN to VPN

  1. Go to Firewall > Rules and select LAN

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  2. Click on Add button to add a new rule.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  3. In the next window, configure policy as below:

    • Edit Firewall Rules
      1. Action: Pass
      2. Interface: LAN
      3. Address Family: IPv4
      4. Protocol: Any

    pfSense - ipsec - configuration pfSense - ipsec - configuration

    • Source
      1. Source: Select Network and enter local lan address i.e., 192.168.252.0/24
    • Destination
      1. Destination: Any
    • Click on Save

    pfSense - ipsec - configuration pfSense - ipsec - configuration

    • Click on Apply Changes to save the configuration.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

Task 4. Disable NAT for traffic over VPN

  1. Go to Firewall > NAT.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  2. Select Outbound, and in the Mapping section click on the Add button.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  3. In the next window, configure the rule as below:

    • Edit Advanced Outbound NAT Entry
      1. Do not NAT: Enable
      2. Interface: IPsec
      3. Address Family: IPv4
      4. Protocol: Any
      5. Source: Select Network and enter local lan address i.e., 192.168.252.0/24
      6. Destination: Any
  4. Click on Save

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  5. Click on Apply Changes to save the NAT rule.

  6. In the same window, select mode Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below) in Outbound NAT Mode.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  7. Click on Apply Changes to save settings.

Task 5. Verify Tunnel Status

  1. Go to Status > IPsec.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  2. The following window will show the status of the VPN as below. Click on Connect VPN if the tunnel is down.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

Task 6. Check the connectivity using the LAN interface

  1. Go to Diagnostics » Ping.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  2. In the next windows, check ping as below:

    • Hostname: 8.8.8.8
    • Source address: LAN

    pfSense - ipsec - configuration pfSense - ipsec - configuration

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  3. Ping should be successful, and logs on the Wedge dashboard should show the same record.

Task 7. Optional: Configure the local source and destination to bypass from IPsec

  1. Go to VPN > IPsec and click on Advanced Setting.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

  2. In IPsec bypass rules, enter the source and destinations of your local traffic, which doesn’t need to go through Acreto VPN.

    pfSense - ipsec - configuration pfSense - ipsec - configuration

Summary

Once the VPN connection is successfully established, all the internet traffic will be routed through the Acreto.

Sonicwall 6.5 IPsec Configuration

Overview

In this article, you will learn how to connect your Sonicwall to the Acreto Ecosystem. To make it possible and secure, we will use the IPSec VPN connection. Network Diagram Network Diagram

Prerequisites

  1. Sonicwall 6.5 installation
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

Create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  • Type: IPsec
  • Category: Data Center
  • Model: AWS site-to-site VPN
  • Connections from: Public IP
  • Local network: local_network
  • Save and Commit the changes

Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (use /32 prefix for public interface). This allows testing connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the Sonicwall configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All the details may be found within the Gateway details panel - please check the video below for further instructions.

Sophos - VPN wizard panel Sophos - VPN wizard panel

Task 2: Configure IPsec VPN on Sonicwall

To configure the IPsec VPN using tunnel interface, proceed with the following steps:

  1. Goto MANAGE » VPN » Base Settings.

  2. Under the VPN Policies click the ADD button

    Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

  3. Under the General tab, enter the following values:

    • Security Policy
      • Policy Type: Tunnel Interface
      • Authentication Method: IKE using Preshared Secret
      • Name: Acreto
      • IPsec Primary Gateway Name or Address: <Wedge_Tunnel_IP>
    • IKE Authentication
      • Shared Secret:
      • Confirm Shared Secret:
      • Local IKE ID: IPv4 Address: wedge_tunnel_IP Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration
      • Peer IKE ID: IPv4 Address: Local Public IP Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration
  4. Goto Proposals

    • IKE (Phase 1) Proposal
      • Exchange: IKEv2 Mode
      • DH Group: Group 2
      • Encryption: AES-256
      • Authentication: SHA256
      • Life Time (seconds): 10800
    • IPsec (Phase 2) Proposal
      • Protocol: ESP
      • Encryption: AES-256
      • Authentication: SHA256
      • Enable Perfect Forward Secrecy: Yes
      • DH Group: Group 14
      • Life Time (seconds): 3600 Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration
  5. Advanced Settings

    • Enable Keep Alive: Enable Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration
  6. Click the OK button.

Task 3: Create a new tunnel interface

Next, we will create the tunnel interface that will be used to route the traffic.

  1. Goto MANAGE » Network » Interfaces

  2. In the middle of the screen, for the field Add Interface, select VPN Tunnel Interface.

    Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

  3. Create a new interface with the following values:

    • VPN Policy: Acreto
    • Name: vdi_Acreto
    • IP Address: <any random IP as 2.2.2.2>
    • Subnet Mask: 255.255.255.255

    Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

  4. Click the OK button.

Task 4: Configure Routing

To allow the traffic from the LAN subnet to route through the tunnel interface, perform the following steps:

  1. Goto MANAGE » Network » Routing

  2. Under the tab Route Policies, click the Add button Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

  3. Create a new rule with the following values under General:

    • Route Policy Settings
    • Name: Lan_to_Acreto
    • Source: <lan_subnets>
    • Destination: Any
    • Service: Any
    • Interface: <tunnel_interface>

    Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

  4. Click the OK button

Task 5: Configure Access Rules

Verify existing or create a new access rule to allow the desired traffic

  1. Goto MANAGE » Rules » Access Rules

  2. Click the Add button Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

  3. Under General, provide the following values:

    • Name: To_Acreto
    • Action: Allow
    • From: <Lan_interface>
    • To: <tunnel_interface>
    • Source Port: Any
    • Service: Any
    • Source: <lan_subnet>
    • Destination: Any

    Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

  4. Click the OK button

Task 6: Verify the connection

Once the tunnel connection is successfully established, its status will change to UP.

  1. To verify the status on Sonicwall, navigate to goto MANAGE » VPN » Base Settings

    • VPN Policies

    The status of the VPN policy should be Green.

    Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

    • Currently Active VPN Tunnels

    The active VPN tunnel will be shown in the list.

  2. Execute tracert 1.1.1.1 (or traceroute 1.1.1.1) on internal server check the route to external host 1.1.1.1. It should show Acreto’s IP in the path. Sonicwall6.5 - ipsec - configuration Sonicwall6.5 - ipsec - configuration

Summary

Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.

Sonicwall 7.0 IPsec Configuration

Overview

In this article, you will learn how to connect your Sonicwall to the Acreto Ecosystem. To make it possible and secure, we will use the IPSec VPN connection. Network Diagram Network Diagram

Prerequisites

  1. Sonicwall 7.0 installation
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

Create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  • Type: IPsec
  • Category: Data Center
  • Model: AWS site-to-site VPN
  • Connections from: Public IP
  • Local network: local_network
  • Save and Commit the changes

Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (use /32 prefix for public interface). This allows testing connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the Sonicwall configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All the details may be found within the Gateway details panel - please check the video below for further instructions.

Sophos - VPN wizard panel Sophos - VPN wizard panel

Task 2: Configure IPsec VPN on Sonicwall

To configure the IPsec VPN using tunnel interface, proceed with the following steps:

  1. Goto NETWORK » IPsec VPN » Rules and Settings.

  2. Click the ADD button.

  3. Under the General tab, enter the following values:

    • Security Policy
      • Policy Type: Tunnel Interface
      • Authentication Method: IKE using Preshared Secret
      • Name: Acreto
      • IPsec Primary Gateway Name or Address: <Wedge_Tunnel_IP>
    • IKE Authentication
      • Shared Secret: PSK
      • Confirm Shared Secret: PSK
      • Local IKE ID: IPv4 Address: Wedge_tunnel_IP
      • Peer IKE ID: IPv4 Address: Local Public IP Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration
  4. Goto Proposals

    • IKE (Phase 1) Proposal
      • Exchange: IKEv2 Mode
      • DH Group: Group 2
      • Encryption: AES-256
      • Authentication: SHA256
      • Life Time (seconds): 10800
    • IPsec (Phase 2) Proposal
      • Protocol: ESP
      • Encryption: AES-256
      • Authentication: SHA256
      • Enable Perfect Forward Secrecy: Yes
      • DH Group: Group 14
      • Life Time (seconds): 3600 Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration
  5. Advanced Settings

    • Enable Keep Alive: Enable Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration
  6. Click the OK button.

Task 3: Create a new tunnel interface

Next, we will create the tunnel interface that will be used to route the traffic.

  1. Goto NETWORK » System » Interfaces.

  2. Click the Add Interface button and select VPN Tunnel Interface

  3. Create a new interface with the following values:

    • VPN Policy: Acreto
    • Name: vti_Acreto
    • IP Address: <any random IP as 2.2.2.2>
    • Subnet Mask: 255.255.255.254

    Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

  4. Click the OK button.

Task 4: Configure Routing

To allow the traffic from the LAN subnet to route through the tunnel interface, perform the following steps:

  1. Goto POLICY » Rules and Policies » Route Policy

  2. Create a new rule with the following values under General tab:

    • Name: Lan_to_Acreto
    • Source: <lan_subnets>
    • Destination: Any
    • Select Service radio button
    • Service: Any

Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

  1. Click Next Hop tab and give the following values :

    • Select Standard Route radio button
    • Interface: <tunnel_interface>

Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

  1. Click the SAVE button

Task 5: Configure Security Policy

Verify existing or create a new access rule to allow the desired traffic

  1. Goto POLICY » Rules and Policies » Security Policy

  2. Click the Add button

  3. Under General, provide the following values:

    • Name: To_Acreto
    • Action: Allow
    • From: <Lan_interface>
    • To: <tunnel_interface>
    • Source Port: Any
    • Service: Any
    • Source: <lan_subnet>
    • Destination: Any

Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

  1. Click the OK button

Task 6: Verify the connection

Once the tunnel connection is successfully established, its status will change to UP.

  1. To verify the status on Sonicwall, navigate to goto NETWORK » IPsec VPN » Rules and Settings » Active Tunnels tab.

    • The status of the VPN policy should be Green.

    Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

    • Currently Active VPN Tunnels

    The active VPN tunnel will be shown in the list.

    Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

  2. Execute tracert 1.1.1.1 (or traceroute 1.1.1.1) on internal server check the route to external host 1.1.1.1. It should show Acreto’s IP in the path. Sonicwall7.0 - ipsec - configuration Sonicwall7.0 - ipsec - configuration

Summary

Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.

Sophos Ipsec with Acreto

Overview

This article will help you connect your Sophos XG with Acreto Ecosystem through the IPsec tunnel.

Network Diagram Network Diagram

Prerequisites

  1. Sophos XG installation
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New Gateway Wedge - New Gateway
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the Sophos configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel - view the below animation for further instruction.

Sophos - VPN wizard panel Sophos - VPN wizard panel

Task 2: To configure IPsec VPN on Sophos

Configure Acreto policy

  1. Log in to the Sophos Firewall panel as a user with an administrator role.

  2. From the left side navigation, choose Configure > VPN (1).

  3. Move to the IPsec policies tab (2) and click on the Add button (3) to create a new policy.

    SophosXG - ipsec - configuration SophosXG - ipsec - configuration

  4. Fill the creation form with the following values:

    • General Settings

      • Name: Acreto_ipsec
      • Key exchange: ikev2 SophosXG - ipsec - configuration SophosXG - ipsec - configuration
    • Phase1

      • Key life: 10800
      • DH group (key group): 14,16,20
      • Encryption - Authentication:
        • AES256 -SHA2 256
        • AES128 - SHA2 256
        • AES256 - SHA2 512

    SophosXG - ipsec - configuration SophosXG - ipsec - configuration

    • Phase2
      • PFS group (DH group): Same as phase1
      • Key life: 3600
      • Encryption - Authentication:
        • AES256 -SHA2 256
        • AES128 - SHA2 256
        • AES256 - SHA2 512

    SophosXG - ipsec - configuration SophosXG - ipsec - configuration

    • Dead Peer Detection
      • Dead Peer Detection: enable

    SophosXG - ipsec - configuration SophosXG - ipsec - configuration

  5. Click on the Save button to create the policy.

Configure IPSec VPN

  1. Goto VPN from left side navigator

  2. Select tab IPsec connections and click Add button

  3. Configure VPN with the following setting:

    • General Settings

      • Name: Acreto
      • IP version: IPv4
      • Connection type: Tunnel interface
      • Gateway type: Initiate the connection
      • Activate on Save: enable
    • Encryption

      • Policy: Acreto_ipsec
      • Authentication type: Preshared key
      • Preshared key: key (copied from Wedge)
      • Repeat preshared key: key (copied from Wedge). SophosXG - ipsec - configuration SophosXG - ipsec - configuration

Gateway settings

  • Local gateway

    • Listening interface: wan_ip
    • Local ID type: DNS
    • Local ID: peer_id (copied from Wedge)
  • Remote gateway

    • Gateway address: acreto_gateway (copied from Wedge)
    • Remote ID type: IP address
    • Remote ID: acreto_gateway (copied from Wedge) SophosXG - ipsec - configuration SophosXG - ipsec - configuration
  1. Click Save.

Upon saving, the tunnel will try to establish a connection with Acreto, and upon successful connection, the tunnel will come up. SophosXG - ipsec - configuration SophosXG - ipsec - configuration SophosXG - ipsec - configuration SophosXG - ipsec - configuration

Task 3: Configure IP on the new tunnel interface

  1. Goto Network from left side navigator

  2. Select tab Network

  3. Click the blue bar on the wan interface. It will unfold the new VPN tunnel interface formed

    SophosXG - ipsec - configuration SophosXG - ipsec - configuration SophosXG - ipsec - configuration SophosXG - ipsec - configuration

  4. Click the tunnel interface and add some random IP

    • IPv4/netmask - 2.2.2.2 /32 SophosXG - ipsec - configuration SophosXG - ipsec - configuration
  5. Click Save.

Task 4: Configure Routing

  1. Goto Routing from the left side navigator
  2. Select tab Static Routing
  3. Click Add button to configure the following routes

Direct route to Acreto gateway to establish the connection

  • Destination IP/Netmask : acreto_gateway_ip /32 (copied from wedge)
  • Gateway: ISP_gateway
  • Interface: wan
  • Distance: 0

SophosXG - ipsec - configuration SophosXG - ipsec - configuration

Default route to through the tunnel

  • Destination IP/Netamsk: 0.0.0.0 /0
  • Gateway: blank
  • Interface: tunnel_inetrface
  • Distance: 10

SophosXG - ipsec - configuration SophosXG - ipsec - configuration

Task 5: Configure Security Rules

  1. Goto Rules and policies from left side navigator

  2. Select tab Firewall rules and click Add firewall rule to add a new firewall rule

    SophosXG - ipsec - configuration SophosXG - ipsec - configuration

  3. Create the firewall rule with values as below

    • Rule name: to_acreto

    • Action: Accept

      SophosXG - ipsec - configuration SophosXG - ipsec - configuration

    • Source Zone: LAN

    • Source network and devices: Any

    • During Scheduled time: All the time

    • Destination zones: Any

    • Destination network: Any

    • Services: Any

      SophosXG - ipsec - configuration SophosXG - ipsec - configuration

Task 6: Verify the connection

Verify the connection is going through Acreto.

From any server in the internal subnet, do traceroute or mtr and verify if traffic is going through Acreto.

SophosXG - ipsec - configuration SophosXG - ipsec - configuration

Summary

Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.

Troubleshooting - FortiGate Cloud Management issue

Issue

Forticloud management connection was lost after connecting to Acreto.

Description

When FortiGate is set up to route all traffic through Acreto, it may lose connection with FortiGuard/FortiCloud management servers.

Reason

When the default route is set towards Acreto, FortiGate sends all the FortiCloud connections through Acreto. However, while sending these requests, FortiGate uses its WAN IP as the source of the connection, which may not be allowed in Acreto EcoSystem.

To fix the issue, apply the solutions listed below:

Solution: Changes in FortiGate ( from the Customer side)

Alternatively, this issue can be resolved at the Customer location by setting Fortigate’s LAN IP as the source address for Fortiguard by following the steps below :

  1. Login to Fortigate Dashboard

  2. Goto Network > Interfaces > select the LAN interface

  3. Copy the IP address of the LAN interface of FortiGate (Gateway IP for the LAN network)

    Lan_IP Lan_IP

  4. Login to CLI of FortiGate.

  5. Run the following commands:

config system fortiguard
set source-ip <ip_address_lan_interface>
end

Any one of the above solutions will restore the connection with FortiCloud.

Ubiquiti Unifi IPsec Configuration

Overview

In this article, you will learn how to connect to the Acreto ecosystem with your Unifi USG/Edgerouter using IPSec VPN.

Prerequisites

  1. Ubiquiti USG/EdgeRouter installation
  2. Ecosystem set up with proper security policies

How-To

Step1: Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here. If you already have one, make sure that it’s IPsec type and jump to How-to.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New Gateway Wedge - New Gateway
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

Step 2: Read the IPsec Gateway Values Required for Ubiquiti Configuration from Acreto Ecosystem

To proceed with the Ubiquiti configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers
  4. Peer ID Wedge - New Gateway Wedge - New Gateway

All of these may be found within the Gateway details panel - view the below animation for further instruction.

Fortigate - VPN wizard panel Fortigate - VPN wizard panel

Step 3: Configure VPN settings on Ubiquiti

  1. Login into Ubiquiti and enter Configuration mode

    configure
  2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

    set vpn ipsec auto-firewall-nat-exclude enable.
  3. Create the IKE / Phase 1 (P1) Security Associations (SAs) by providing the following values

    set vpn ipsec ike-group AcretoGate key-exchange ikev2
    set vpn ipsec ike-group AcretoGate lifetime 10800
    set vpn ipsec ike-group AcretoGate proposal 1 dh-group 16
    set vpn ipsec ike-group AcretoGate proposal 1 encryption aes256
    set vpn ipsec ike-group AcretoGate proposal 1 hash sha256
  4. Create the ESP / Phase 2 (P2) SAs.

    set vpn ipsec esp-group AcretoGate lifetime 3600
    set vpn ipsec esp-group AcretoGate proposal 1 encryption aes256
    set vpn ipsec esp-group AcretoGate proposal 1 hash sha256
    set vpn ipsec esp-group AcretoGate compression disable
  5. Execute the below command using values from previous steps: Configure the below steps with values for Gateway address, Preshared key and Peer Id collected in Step 1.

    • GATEWAY_ADDRESS - available in step 1, number 1 on screen.
    • PRE-SHARED KEY - available in step 1, number 2 on screen.
    • PEER ID - available in step 1, number 4 on screen.
    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS authentication pre-shared-secret PRE-SHARED_KEY
    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS description ipsec
    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS authentication id PEER_ID
  6. Copy the WAN IP and router address from the Ubiquiti gateway device Ubiquiti - Wan IP Ubiquiti - Wan IP

  7. Use the above WAN IP and conFigure the Peer with the below commands

    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS local-address LOCAL_WAN_INTERFACE	
  8. Link the SAs created in the above steps to the remote peer and bind the VPN to a virtual tunnel interface (vti0).

    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS ike-group  AcretoGate
    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS vti bind vti0
    set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS vti esp-group AcretoGate
  9. Configure a static route to route gateway address to the internet directly. Use router address copied from step 6.

    set protocols static route GATEWAY_IP_ADDRESS next-hop ROUTER_IP_ADDRESS
  10. Configure default static route to send all traffic to Acreto VPN.

    set protocols static interface-route 0.0.0.0/0 next-hop-interface vti0
  11. Commit the changes and save the configuration.

    commit ; save

Summary

Once the VPN connection is successfully established, all the internet traffic will be routed through Acreto.

Watchguard IPsec Configuration

Overview

This article will show you how to configure the Watchguard to connect to the Acreto Ecosystem. This configuration will be made by using IPsec VPN.

Prerequisites

  1. Watchguard installation
  2. Ecosystem set up with proper security policies

How-To

Step 1: Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New
Gateway Wedge - New
Gateway
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway, or similar tools.

Step 2: Read the Values from Acreto Gateway

To proceed with the Watchguard configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Peer ID
  4. Recommended Ciphers Wedge - New Gateway Wedge - New Gateway

All of these may be found within the Gateway details panel - view the below animation for further instruction.

Fortigate - VPN wizard panel Fortigate - VPN wizard panel

Step 3: Configure VPN settings on Watchguard

  1. Create Phase 2 proposal - Navigate to VPN > Phase 2 Proposals and click ADD button Watchguard - VPN Watchguard - VPN

  2. Create Phase 2 with the following values and SAVE

  • Name: Acreto
  • Description: Acreto phase2 selectors
  • Type: ESP
  • Authentication: SHA-512
  • Encryption: AES(128-bit)
  • Time: 1 hour Watchguard - VPN Watchguard - VPN
  1. To set up IPsec VPN navigate to VPN > BOVPN Virtual Interfaces and click ADD from the right pane Watchguard - VPN Watchguard - VPN

  2. Select Remote Endpoint Type as Cloud VPN or Third-Party Gateway Watchguard - VPN Watchguard - VPN

  3. Provide the Preshared key copied from the Wedge dashboard in Step 1 and click ADD button to configure Gateway Endpoint Watchguard - VPN Watchguard - VPN

  4. Configure Local gateway - Select Interface By Domain Name and provide the Peer ID copied from Wedge dashboard in Step 1. Watchguard - VPN Watchguard - VPN

  5. Configure Remote gateway with values copied in Step 1 and click OK

  • Static IP Address : Wedge_gateway
  • By IP Address: Wedge_gateway Watchguard - VPN Watchguard - VPN
  1. Click Phase 1 Settings tab Watchguard - VPN Watchguard - VPN

  2. the following values

  • Version: IKEv2
  • Keep-alive interval: 540 seconds
  • Traffic-idle timeout: 30 seconds Watchguard - VPN Watchguard - VPN
  1. Select the Phase 1 Transform set in Transform Settings and click EDIT. Set the following values and click OK.
  • Authentication: SHA2-512
  • Encryption: AES(28-bit)
  • SA Life: 3 hours
  • Key Group: Diffie-Hellman Group 15 Watchguard - VPN Watchguard - VPN
  1. Click Phase 2 Settings and configure Phase 2 with values as below
  • Enable Perfect Forward Secrecy: Diffie-Hellman Group 15

Select Acreto from Phase 2 proposal and ADD and SAVE. Watchguard - VPN Watchguard - VPN

  1. Verify the tunnel status - Navigate to SYSTEM STATUS > VPN Statistics > Branch Office VPN and click IKEv2 Virtual Interface. If the VPN is successfully established, the statistics related to VPN will be displayed. Watchguard - VPN Watchguard - VPN

Summary

Once the VPN connection is successfully established, all the internet traffic will be routed through Acreto.

WireGuard - Administrator Guide

About WireGuard

WireGuard is a modern VPN protocol that aims to be faster, more secure, and more useful than older solutions like OpenVPN or IPsec.

How To

Prerequisites

To connect to the Ecosystem using WireGuard, you will need:

  1. Existing Acreto Ecosystem, if you don’t have one learn how to create it.
  2. Access to Acreto Portal.
  3. A device that you want to connect to the Ecosystem.

Steps

  1. Download the WireGuard client from the official site and install it.
  2. Log in to the Acreto Portal.
  3. Open your Ecosystem.
  4. From the left menu choose Objects > Gateways (1) and click on this option.
  5. In the Gateways section, click on the + Add New Gateway button (2)
  6. Fill out the form:
    1. Set gateway type to WireGuard(1)
    2. Input the descriptive name of the gateway e.g. WireGuard-Gateway-01(2)
    3. Choose the category of the gateways as IoT (3)
    4. Set WireGuard Client Local IP 4)
    5. Set Local Networks (5)
    6. Click on the Add button to save the form to add the Gateway.
  7. The newly created Gateway is now available on the list.
  8. Click on the Apply changes button on the top of the screen to commit a new gateway to the Ecosystem.
  9. Wait for the changes to be applied.
  10. Click on the name of created Gateway object to see its details.
  11. Click Generate new private and public key and confirm with yes
  12. Click on “Download configuration” (1) button, and then on Apply your changes link (2)
  13. Open the WireGuard and import the new tunnel from the downloaded configuration file - right click on tunnel list and choose the Import tunnel(s) from file (Crtl+O).
  14. In the WireGuard Client select and activate the tunnel. You should see the Peer section containing the server address and connection details.

At this point, the machine is connected to Acreto Ecosystem by the WireGuard gateway. You may confirm that by checking logs available in Acreto Portal > Logs > Gateways.

See also

Subsections of Acreto vGateway

Install vGateway on Windows Server - example of implementation

Overview

In this article, you’ll learn how to run Acreto vGateway on a Windows Server machine. This process involves the following steps:

  1. Configuration of Acreto Ecosystem
  2. Image installation
  3. Connectivity check

Before You Start

Case study

In this example, our target is to connect the existing virtual server to Acreto Ecosystem. The selected server works as a Virtual Machine based on Windows Server 2019 Hyper-V. In the same data center/cloud exist also other servers connected to different internal LANs but using the same Internet Router. The existing configuration was presented in the below diagram.

To connect the selected server to Acreto Ecosystem we will use the vGateway - a small virtual machine-generated by Acreto Wedge. This machine will be installed on the same host that other virtual machines in Data Center and connected to the same internal network. Also, network routing will be changed to redirect “external traffic” from/to the selected server thru Acreto vGateway.

The step-by-step procedure will be described in the below article.

Prerequisities

To run vGatway on Hyper-V, you will need:

  1. Active Acreto Ecosystem.
  2. Windows Server machine.
  3. Get familiar with Introduction to vGateway.
  4. Knowledge of network infrastructure and routing rules.

Configuration of Acreto Ecosystem

Create and configure vGateway

  1. Log in to an Acreto platform at wedge.acreto.net
  2. Select your ecosystem and go to Objects (1) using the left menu.
  3. Click Add new Object(2) and select the Gateway Option.
  4. Fill at least:
    1. Name: - the name of the created gateway. Needs to be compatible with Strongswan connection name requirements (basically, only letters and numbers). In this example- s01gateway
    2. Category: IoT
    3. Switch Gateway type to vGateway and set the specific setting for vGateway:
      1. DHCP/Static: - select the method of assigning addresses on the network> In this example - Static
      2. vGateway Internet IP - IP address with a netmask of internet-facing (WAN) interface. In this example: 198.51.100.2/24
      3. vGateway Default Route - IP address of your Internet gateway/router that allows access to the Internet, for example 1.2.3.1. In this example 198.51.100.1
      4. vGateway Local IP: - address of local (LAN) interface of your device. In this example 192.168.1.2/32
      5. Local Networks: - your local network addresses that should be routed through this gateway. In this example fill only the left field in the row: 192.168.1.12/32.
  5. Save the created Gateway by pressing Add.
  6. Add security policy that will allow communication from the Gateway device to the Internet:
    1. From the left menu choose the Policies option (1), then click on the + Add New Policy button (2).
    2. Fill the form with values similar to that from the screen.
    3. Save the new policy by clicking on the Add button.
  7. Commit pending changes (top of the screen)
  8. Go to Elements > Objects > Gateways menu position.
  9. On the list of existing gateways choose this created in the previous step, click on its name.
  10. Choose VM and Cloud Images to expand the available option for download virtual images.
  11. Click on Play for Microsoft Hyper-V .vhdx vGateway Image option. Generation of image for you Gateway may take a while, please be patient.
  12. When the image will be ready you may download it or copy the URL - save it on your Windows Server machine.

vGateway image installation

Adding the Hyper-V role to your Windows Server

Hyper-V feature is disabled by default in Windows Server. If you are sure that this option is already turned on on your machine you may skip this step.

To turn on Hyper-V on Windows Server:

  1. Log in to your Windows Server.
  2. Open the Server Manager Panel.
  3. Choose Add roles and features
  4. Choose Role-based or feature-based installation and click on the Next button.
  5. Choose Select a server from the server pool and mark one on the list of available servers.
  6. On the list of the available roles search for Hyper-V, check this option and click on the Next button. If this option is already checked there’s no need to activate the Hyper-V option.
  7. On Hyper-V Virtual Switches screen choose the proper switch for your network configuration.
  8. Go thru the rest of the configuration screens.
  9. Restart the machine to finish Hyper-V Installation.
  10. After reset you should see Hyper-V in Roles and server groups.

Install vGateway image

  1. Open Hyper-V Manager and select the New option to create a new virtual machine.
  2. On the Specify name and location screen call your new VM vGateway.
  3. On the Specify generation screen choose Generation 1
  4. On the Configure network screen connect VM to the proper interface.
  5. On the Connect Virtual Hard Disc screen choose Use an existing hard disk and select downloaded vGatway image.
  6. Go thru the rest of the configuration steps and run the VM.
  7. Once the VM is up and running, you should be able to SSH to it with password authentication as:
    1. login: acreto
    2. password: acreto.io
  8. Change your password after the first login

Connectivity check

  1. Test the network connectivity
  2. IPsec status showing the tunnel status ipsec statusall
  3. Traceroute to check if the traffic goes through Acreto Ecosystem traceroute 8.8.8.8
  4. More information about checking the connectivity can be found under Connectivity Check the article where a dedicated tool is available.

Summary

Thanks to the Hyper-v technology you were able to install Acreto vGateway in just a few steps. Users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.

Also, Acreto Ecosystem Admin(s) can re-use any existing password and security policies that are already in place. For example, the Active Directory may already have account lockout and password expiration policies.

Introduction to vGateway

Overview

In this document, you’ll become familiar with the concepts and basic features of Acreto vGateway.

Functionality

Acreto vGateway is a software appliance that allows simple connectivity between branch offices, on-premise data centers, cloud platforms, and Acreto.

High-level view of Acreto vGateway High-level view of Acreto vGateway

vGateway uses 2 network interfaces:

  • WAN (usually the first interface on the device / VM) - used to communicate with the Internet.
  • LAN (usually the second interface on the device / VM) - used to communicate with the local network.

vGateway acts as a gateway, allowing bidirectional communication between Acreto and the local network using an IPsec connection.

Devices (workstations, VMs, servers, etc.) in the local network should use vGateway’s LAN IP address as their default gateway. vGateway forwards traffic coming to its LAN interface to Acreto, and then sends traffic received from Acreto to its local destination.

Requirements

Supported Platforms

Acreto vGateway is supported on the following platforms:

  • KVM (qcow2)
  • VMware ESXi (.vmdk)
  • VirtualBox (.vdi)
  • Microsoft Hyper-V (.vhdx)
  • Microsoft Azure (.vhd)
  • Raspberry Pi 3 and 4

Network Connectivity

vGateway physical connectivity diagram vGateway physical connectivity diagram

vGateway LAN interface should be connected to the LAN network. All devices in the LAN network should use vGateway as a default gateway.

vGateway WAN interface should be connected to the internet router.

Firewall

Acreto vGateway communicates with Acreto using IPv4 and IPsec protocol. To allow networking connectivity, the firewall needs to allow communication on the following ports and protocols:

  • Protocol: UDP, ports: 500, 4500
  • Protocol: ESP

You can find a list of IP networks used by Acreto on IPv4 and IPv6 subnets page.

NAT

Acreto vGateway can be installed behind NAT. However, if you are installing more than one vGateway behind the same NAT device, each of them must get a different public IP address.

In addition, the NAT device should have IPsec Passthrough enabled.

Example

In a deployment involving two vGateway devices (192.0.2.10, 192.0.2.11), the NAT device needs to have at least two public IP addresses (198.51.100.10, 198.51.100.11) and define Source NAT rules to assign a different public IP address to each vGateway. In this case:

  • to vGateway 1 - 198.51.100.10
  • to vGateway 2 - 198.51.100.11

vGateway NAT diagram vGateway NAT diagram

Specification

  • Base OS:
    • Raspberry Pi version: Ubuntu 20.04 (LTS)
    • Other platforms: Ubuntu 18.04.5 (LTS)
  • Disk size (raw): 5400 MB
  • Open ports:
    • TCP 22 (SSH)
    • UDP 500, UDP 4500 (ipsec)

Configuration

Web-based Configuration

The recommended way to configure Acreto vGateway is to modify configuration at https://wedge.acreto.net, and then generate and download a new image.

Manual Configuration

Acreto vGateway is a Linux-based solution. Administrators can connect and manage vGateways using SSH protocol and standard Linux tools. To get access credentials for your vGateway, please contact support.

Warning

vGateways with configuration modified by administrators might not be supported by Acreto.

The network configuration of Acreto vGateway is implemented using Netplan configuration files, placed in /etc/netplan. Refer to the Netplan website for more information.

IPsec connections are established using a Strongswan ipsec.conf configuration format, placed in /etc/ipsec.d/*.conf on the vGateway. The list of subnets that should be routed through Acreto is stored in /etc/ipsec.d/*.route files.

Alternatives

You can find other connectivity options on the Connect to the Acreto platform page.

Licensing Information

Acreto vGateway uses OpenSource software that is part of Ubuntu Linux. You can find more licensing information on the Ubuntu website, at https://ubuntu.com/licensing.

Troubleshooting - Unsupported or invalid disk error in ESXi

Error Description

Failed to power on virtual machine XXXXXX . Unsupported or invalid disk type 23 for ‘scsi0:1’. Ensure that the disk has been imported. Error in ESXi Error in ESXi

Cause

This issue occurs if a virtual machine that is meant for VMware Hosted products such as VMware Workstation, VMware Player or VMware Fusion is powered-on on an ESX/ESXi host.

The underlying format used to store virtual machines on VMware Hosted products differs from the format used to store virtual machines on ESX/ESXi hosts.

Solution

The .vmdk file needs to be converted to the accepted the ESXi format using the steps below:

  1. Upload the .vmdk file to datastore in ESXi

  2. Connect to the ESX/ESXi host via SSH

  3. Run the below commands to convert the file

    cd vmfs
    cd volumes
    cd datastore1
    vmkfstools -i xxxxxx.vmdk xxxx-New.vmdk

Result

After successful conversion new file will be generated.

vGateway image installation on Azure

Overview

This article shows how to setup vGateway on Azure to connect your network to Acreto Ecosystem.

Create new Gateway

To set up the vGateway on Azure first it is needed to configure the Gateway object.

Please follow the steps in Gateway creation guide with the vGateway as a type of a gateway.

Generate Azure .vhd type vGateway Image

To generate an Azure the image you need to:

  1. In the Elements > Objects > Gateways menu click on the specified vGateway name - the details panel will appear.
  2. On the right side of the gateway details panel click on VM and Cloud Images images to show a list of options to generate images.
  3. Click the play icon next to the Microsoft Azure .vhd vGateway Image entry.
  4. The generation of the image may take a while, please be patient.
  5. When the image will be ready you may download it or copy the URL - save it on your PC.

Image installation

To install the generated vhd image on Azure we need to proceed with uploading the image to Azure according to official documentation.

  1. Create an empty managed disk on Azure.

  2. Upload a vhd image to empty managed disk.

  3. Start the VM with the uploaded image.

  4. Once the VM is up and running, you should be able to SSH to it with password authentication as:

    1. login: acreto
    2. password: acreto.io
  5. Change your password after the first login

  6. Test the network connectivity

    • IPsec status showing the tunnel status

      ipsec statusall
    • Traceroute to check if the traffic goes through Acreto Ecosystem

      traceroute 8.8.8.8

    More information about checking the connectivity can be found under Connectivity Check the article where a dedicated tool is available.

vGateway image installation on VirtualBox

Overview

This article shows how to set up vGateway on VirtualBox to connect your network to Acreto Ecosystem.

Create new Gateway

To set up the vGateway on VirtualBox first it is needed to configure the Gateway object.

Please follow the steps in Gateway creation guide with the vGateway as a type of a gateway.

Generate VirtualBox .vid type vGateway Image

To generate a VirtualBox vid image you need to:

  1. In the Elements > Objects > Gateways menu click on the specified vGateway name - the details panel will appear.
  2. On the right side of the gateway details panel click on VM and Cloud Images images to show a list of options to generate images.
  3. Click the play icon next to the VirtualBox .vdi vGateway Image entry.
  4. The generation of the image may take a while, please be patient.
  5. When the image will be ready you may download it or copy the URL - save it on your PC.

Image installation

To install the generated vdi image we need a machine with a VirtualBox hypervisor installed.

  1. Create a new VM from vdi image by opening the Machine > New menu.

    • In Type choose Linux.
    • In Version choose Ubuntu (64-bit).
    • In Hard disk choose Use an existing virtual hard disk file and select previously downloaded vdi image.
  2. Start the VM.

    • Ensure Acreto Ecosystem is routable from the hypervisor network.
    • Enable a second network interface in the machine settings Network section.
    • Run the VM.
  3. Once booted log in as:

    1. login: acreto
    2. password: acreto.io
  4. Change your password after the first login

  5. Test the network connectivity

    • IPsec status showing the tunnel status

      ipsec statusall
    • Traceroute to check if the traffic goes through Acreto Ecosystem

      traceroute 8.8.8.8

    More information about checking the connectivity can be found under Connectivity Check article where a dedicated tool is available.

vGateway installation on RasbperryPi

Overview

This article explains how to set up a vGateway on Raspberry Pi to connect your network to an Acreto Ecosystem.

Create New Gateway

To set up the vGateway on Raspberry Pi, you must first configure the Gateway object. Creating new vGateway Creating new vGateway

Please follow the steps below to create and configure a new Gateway that will be used as vGateway.

  1. Log in to the Acreto Portal at wedge.acreto.net.
  2. Select your Ecosystem and go to Objects using the left-side menu.
  3. Click Add new Object and select Gateway.
  4. Fill in the following fields:
    1. Name: the name of the gateway
    2. Category: IoT
    3. vGateway: select Gateway in the upper right corner
    4. DHCP/Static: Select DHCP
    5. vGateway Local IP: IP address of Raspberry Pi device in your LAN, i.e 192.168.200.1/24
    6. Local Networks: your local network addresses that will be routed through this gateway
  5. Save the created Gateway by pressing Add.
  6. Add a security policy that will allow communication from the Gateway device to the Internet.
  7. Commit pending changes (located at top of the screen).
Tip

To simplify testing, add the IP addresses of every interface connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using Ping, Traceroute, or similar tools.

Note

To successfully test your connectivity, you also need to create a security policy that will allow traffic to go through your device.

Generate Raspberry Pi vGateway Image

To proceed with this step, you should have at least one Gateway configured as vGateway in your Ecosystem. From the left-side menu, select Objects > Gateways to display the list of existing gateways.

To generate a Raspberry Pi configuration image, you must:

  1. Click on the vGateway name on the vGateway panel. The details panel will then appear.
  2. On the right side of the gateway details panel, click on SBC and IoT Images to view a list of image generation options.
  3. Click the play icon for the right version of the device.
  4. The generation of the image may take a while, please be patient.
  5. When the image is ready, you may download it or copy the URL & save it on your PC.

Image Installation

Linux

To proceed with this step, you must have an image file generated by Acreto or a URL to the image for your vGateway.

To install the image, you must first proceed with flashing the SD card.

  1. Download the write_image.sh script.

    Click on the button and save the script in your home directory:

    Get write_image.sh

    or open the terminal and download the script using the command:

    wget https://kb.acreto.net/reference-material/downloads/write_image.sh
  2. Take the SD card out of your Raspberry Pi device.

  3. Insert the SD card into your computer.

    • Ensure it doesn’t mount automatically - if it does, unmount it.
  4. Use the write_image.sh script to write the image onto the SD card.

    • if you have an image file downloaded locally:

      ./write_image.sh image-file.zip /dev/sdb
    • if you want to use the URL of an image directly:

      ./write_image.sh https://aws1-vgateway-images.s3.amazonaws.com/vgateway-raspberry-pi4.s.nAH2xOL8HyJIK1g8v4HEsNCt.img.zip /dev/sdb

      where /dev/sdb is the location of your SD card

  5. Once finished, take the SD card from your computer and plug it into your device.

  6. Restart the Raspberry device and wait until it boots from the SD Card.

  7. Log in to your WEDGE account.

  8. From the left menu choose the Logs > Gateways option.

  9. As one of the last inputs, you should see information about the established connection from your Gateway.

More information about checking the connectivity can be found in the Connectivity Check article, where a dedicated tool is available.

Windows

To proceed with this step, you must have an image file generated by Acreto.

  1. Take the SD card out of your Raspberry Pi device.

  2. Insert the SD card into your computer, wait until it is visible in the system.

  3. Unzip the file downloaded from WEDGE, make sure that you can see the *.img file.

  4. Go to Raspberry Pi Software Page.

  5. Download the last version of Raspberry Pi Imager.

  6. Run downloaded *.exe file and install it.

  7. If Raspberry Pi Imager doesn’t start after installation, run it manually. You should see the window presented below:

  8. Click on the Choose OS button and select the Use custom option.

  9. Select a downloaded image using the explorer window.

  10. Click on the Select Storage button and choose your SD Card.

  11. Double-check the settings and if they’re OK, click on the Write button.

  12. The writer will warn you about erasing the current content of the SD Card, click on the YES button to continue. Now the Writing process will start, it may take a few minutes.

  13. When writing ends, you should see the below information.

  14. Once finished, take the SD card from your computer and plug it into your device.

  15. Restart the Raspberry device and wait until it boots from the SD Card.

  16. Log in to your WEDGE account.

  17. From the left menu choose the Logs > Gateways option.

  18. As one of the last inputs, you should see information about the established connection from your Gateway.

    More information about checking the connectivity can be found in the Connectivity Check article, where a dedicated tool is available.

List of Supported USB Ethernet Adapters to Use for LAN

By default, the Raspberry Pi has only one Ethernet adapter. But to connect your network, you’ll need an additional Ethernet adapter.

Acreto recommends using a USB Ethernet dongle facing the LAN network.

USB Ethernet Adapters Officially Supported by Acreto

  1. TP-Link
    • TP-Link UE300 USB 3.0 to Gigabit Ethernet Network Adapter.
      • Works out of the box on Raspbian Wheezy on a Pi 2 Model B.
      • No external power source or USB hub needed.
      • Pi is powered by a 2.5 amp power supply.

Other Raspberry Pi Supported USB Ethernet Adapters

Other devices:

Warning! Please note that this is a list of USB Ethernet adapters confirmed to work by the Raspberry Pi Community. None of the devices below were tested by Acreto.

  1. ADMtek
    • ADM8511 Pegasus II Ethernet, full-speed, idVendor=07a6, idProduct=8511:
      • Works out of the box. No external power source needed.
  2. AVM
    • FRITZ!Box WLAN 3030 USB Ethernet Adapter: Works out of the box.
    • No external power source needed.
  3. ASUS
    • USB 2.0 to Fast Ethernet Adapter (ASIX AX88772B)
      • USB Ethernet Adapter: As distributed with Zenbook Ultrabooks.
      • Works out of the box.
      • No external power source needed.
  4. Cable Matters
    • USB 3.0 to Gigabit Ethernet Adapter (ASIX AX88179) USB Ethernet Adapter.
    • NOTE: Since Raspbian 3.8.y kernel does not include a driver for this hardware, you must build a new kernel module from the source code provided by ASIX here.
    • Easy to follow instructions on how to download the kernel source code and symbol files can be found in the second posting here, including how to compile the module.
    • For Raspbian 3.9.+ the driver is already included in the distribution.
  5. Wintech
    • USB 2.0 LanCard Model: LAU-15 (CK0049C) using the mcs7830 driver.
      • Probably needs more than 100 mA current. [1]
  6. LogiLink
    • USB 2.0 UA0144: AX88772 chipset using the ASIX kernel driver.
      • Does not work without a powered USB hub. (idVendor=0b95, idProduct=772b)
    • LogiLink Fast EN USB 2.0 to RJ45 Adapter: Test on Wheezy-Raspian
      • (2012-08-16) without USB Hub will be confirmed
      • lsusb output: Bus 001 Device 004: ID 9710:7830 MosChip Semiconductor MCS7830 10/100 Mbps Ethernet adapter
    • BE CAREFUL: There exists a copied Chinese version without the Logilink logo using the Kontron DM9601-chip (see “Problem Ethernet adapters” below). This only supports USB1.1 and isn’t well-supported in Linux. If you get a model without the Logilink logo and the model number JP1082, it’s a fake.
  7. Apple
    • Apple USB Ethernet Adapter using ASIX kernel driver.
    • Works out of the box (driver present since kernel 2.6.32).
    • Doing OK using Apple USB charger and Pi’s own USB port.
    • USB register states that it draws max. 250 mA.
  8. Belkin
    • USB 2.0 Ethernet Adapter (F4U047)
      • Works out of the box without any needed setup.
      • No powered USB hub needed, tested on Raspberry Pi A+.
  9. Edimax
    • Edimax EU-4208 USB2.0 Fast Ethernet Adapter
      • (idVendor=0b95, idProduct=772b)
      • Works out of the box.
      • Requires own power supply (from powered USB hub).
    • Edimax EU-4230 USB2.0 Fast Ethernet Adapter with 3 port USB hub
      • Works out of the box.
      • Requires own power source.
  10. D-Link
    • D-Link DUB-E100 Fast Ethernet USB 2.0 Adapter
      • Works out of the box.
      • Requires own power supply (from powered USB hub).
  11. LinkSys
    • LinkSys - USB200M - Compact USB 2.0 10/100 Network Adapter
      • Raspbian recognizes it automatically.
      • Tested on a powered USB hub.
    • Linksys - USB300M - Compact USB 2.0 10/100 Network Adapter
      • Works out of the box.
      • Doesn’t require powered hub when powering Pi using MicroUSB supply rated for 0.7A output.
    • Linksys - USB3GIG v1 (Vendor ID: 13b1, Product ID: 0041)
      • USB 3.0 gigabit adapter
      • Works very well on a Raspberry Pi 2 running Raspbian 2015-02-16.
      • Faster than the built-in adapter, connects at gigabit rate.
      • iperf tests show about 150 - 175 Mbit speed.
  12. Pluscom
    • Pluscom U1EC
      • Davicom DM9000E chipset
      • DM9601 driver
      • Max current 144mA
      • Unlike later ( what is later? ), USB 1.1 devices using the same driver
    • Pluscom U2E-ADM8515
      • ADMtek, Inc. AN8515 Ethernet chipset
      • Pegasus driver
      • Max current 224 mA
      • Works with a Model “A” Pi if plugged into an external (maybe unpowered) hub.
  13. Sabrent
    • Sabrent USB 2.0 10/100 Ethernet Adapter
      • Works out of the box (ASIX).
      • USB 2.0 only
      • (Does not work if using dwc_otg.speed=1 in cmdline.txt to force USB 1.1 for other problem hardware)
  14. Sitecom
    • Sitecom LN-030 V2 detected as ASIX AX88772 USB 2.0
      • Ethernet Adapter works out of the box.
      • Doesn’t seem to require any extra power supply.
  15. TrendNet
    • Trendnet TU2-ET100 Adapter works out of the box.
    • Trendnet TU3-ETG Gigabit USB 3.0 Adapter works out of the box.
      • Works well on a Raspberry Pi 2 running OSMC Release Candidate.
      • SMB test shows approx 150mpbs.
  16. Hama
    • Hama 00049244 Fast Ethernet USB 2.0-Adapter
      • Detected as MOSCHIP 7830/7832/7730 usb-NET adapter.
      • Works out of the box on Debian Wheezy/sid (2012-08-08-wheezy-armel).
      • (Not tested yet on other OS).
      • No external power source or USB hub needed.
  17. Newlink
    • Newlink NLUSB2-ETH USB 2.0 Ethernet Adapter
      • Works out of the box on Raspbian.
      • Detected as ASIX AX88772.
      • ASix driver
      • Max current 250mA
      • Works without a powered hub or when plugged into an unpowered hub.
  18. Axago
    • Axago ADE-X1 10/100 Ethernet Adapter (USB: 9710:7830 driver:mcs7830)
      • Adapter needs the last Raspbian kernel.
      • With older kernels the adapter works about 10 minutes without a problem, but after that, the kernel writes an error message to dmesg and no packet is received. Must unplug and plug USB again.
      • Tested with and without a powered USB hub.
  19. i-tec
    • i-tec USB 2.0 Ethernet Adapter Fast Ethernet (chip ASIX AX88772B)
      • Works out of the box very stable with ASIX kernel driver on latest Raspbian 3.6.11+ (Nov. 2013), Raspberry Pi model B, 256MB RAM.
      • Connected through a powered USB hub (may work without it, not tested).
      • lsusb output: Bus 001 Device 005: ID 0b95:772b ASIX Electronics Corp.
  20. Plugable
    • Plugable USB2-E100 USB 2.0 10/100 Ethernet adapter
      • Works out of the box.
      • (ASIX AX88772 chipset)
      • Raspberry Pi reboots when you plug it into the USB port, but after that it works fine.

References

Subsections of Open VPN connection

Connect GL.iNet using OpenVPN client

Overview

In this article, you’ll learn how to set up an OpenVPN client on Gl.iNet and connect it to the Acreto ecosystem.

How to

Prerequisites

To connect GL.iNet router with Acreto Ecosystem, you will need:

  1. Existing Acreto Ecosystem, if you don’t have one learn how to create it.

  2. Access to Acreto Wedge.

  3. GL.inet router with OpenVPN client installed.

Download the VPN profile from Acreto

  1. Log in to the Acreto Portal.

  2. Choose your Ecosystem.

  3. Create a new VPN profile using tutorial or use the existing profile.

  4. Download the Acreto VPN profile GL.iNet - openvpn GL.iNet - openvpn

Setup OpenVPN client on GL.iNet

  1. Login to the GL.iNet routers Web Admin Panel.

  2. From the left sidebar, goto VPN » OpenVPN Client and click Add a New OpenVPN Configuration. GL.iNet - openvpn GL.iNet - openvpn

  3. Add a new OpenVPN configuration. GL.iNet - openvpn GL.iNet - openvpn

  4. Upload your VPN configuration file from Acreto. GL.iNet - openvpn GL.iNet - openvpn

  5. Enter a description for your VPN configuration file and then click Submit to finish the upload process. GL.iNet - openvpn GL.iNet - openvpn

  6. Click Connect to start the VPN connection. GL.iNet - openvpn GL.iNet - openvpn

  7. Once connected, the Disconnect button is shown on the screen along with the recieved IP address and Data sent and recieved information. GL.iNet - openvpn GL.iNet - openvpn

  8. At this point, the machine is connected to Acreto Ecosystem. You may confirm that by checking logs available in Acreto Acreto Portal > Logs > User and Things. GL.iNet - openvpn GL.iNet - openvpn

Android

Overview

This guide will help you to configure the Acreto Security connection on your Android device with the help of the OpenVPN app.

Android

Android doesn’t have built-in OpenVPN support. It is required to download OpenVPN app from Google Play store.

1. Go to the Google Play Store

OpenVPN config - Android - Play Store OpenVPN config - Android - Play Store

2. Search for the OpenVPN Connect application

OpenVPN config - Android - Play Store OpenVPN config - Android - Play Store

3. Install the OpenVPN Connect application

OpenVPN config - Android - Play Store OpenVPN config - Android - Play Store

4. Once the application is installed, download the configuration

Open the https://wedge.acreto.net in your favorite browser.

Add a thing named laptop on Acreto Ecosystem - check how to do it

Wedge on Android - adding thing Wedge on Android - adding thing

Open the laptop thing details:

Wedge on Android - adding thing Wedge on Android - adding thing

Click on Download OpenVPN config file to save the configuration.

Wedge on Android - saving config Wedge on Android - saving config

5. Launch the application from your home screen or menu

On the following window, select FILE tab.

OpenVPN config - Android - Import profile OpenVPN config - Android - Import profile

6. A similar permissions prompt window should be received

OpenVPN config - Android - Permissions OpenVPN config - Android - Permissions

7. Click Allow and navigate to the folder with OpenVPN config file

OpenVPN config - Android - List .ovpn profiles OpenVPN config - Android - List .ovpn profiles

By default, it should be in the downloads folder.

OpenVPN config - Android - List .ovpn profiles OpenVPN config - Android - List .ovpn profiles

Make sure that OVPN is selected (see image below), then select the files you want to import and press IMPORT button on the upper-right corner.

OpenVPN config - Android - Import profile OpenVPN config - Android - Import profile

8. Enter any title for the connection

OpenVPN config - Android - Import profile OpenVPN config - Android - Import profile

Select Connect after import

Then press the Add button.

9. When asked for permissions

OpenVPN config - Android - Import profile OpenVPN config - Android - Import profile

Click the OK button.

10. When prompt for a certificate

Click on Continue button.

11. The connection is successful

The connection stats window should be visible.

There you can see extensive information about your connection, such as current data throughput or duration.

OpenVPN config - Android - Import profile OpenVPN config - Android - Import profile

12. To disconnect

Simply press the switch button next to the OpenVPN profile name and toggle it off.

iOS

Overview

This guide will help you to configure the Acreto Security connection on your Apple mobile device with the help of the OpenVPN app.

iOS

1. Go to the App Store on your iPad/iPhone

OpenVPN config - iOS - Play Store OpenVPN config - iOS - Play Store

2. Enter OpenVPN connect in the search bar

OpenVPN config - iOS - Play Store OpenVPN config - iOS - Play Store

3. Tap on the GET button

OpenVPN config - iOS - Play Store OpenVPN config - iOS - Play Store

4. Once the application is installed, download the configuration

Open the https://wedge.acreto.net in your favorite browser.

Add a thing named laptop on Acreto Ecosystem - check how to do it

Wedge on iOS - adding thing Wedge on iOS - adding thing

Open the laptop thing details:

Wedge on iOS - adding thing Wedge on iOS - adding thing

Click on Download OpenVPN config file to save the configuration.

Wedge on iOS - saving config Wedge on iOS - saving config

5. Launch the application from your home screen or menu

Select whether you wish to enable push notifications.

OpenVPN on iOS - push notifications OpenVPN on iOS - push notifications

Accept the OpenVPN Policy Agreement

6. Go to home screen and open Files

7. Navigate to the folder with OpenVPN config file

Files on iOS - file location Files on iOS - file location

Select the Share button in the upper right-hand corner.

Files on iOS - share Files on iOS - share

Press Copy to OpenVPN

Files on iOS - open with Files on iOS - open with

8. Add the VPN profile

Ensure the OpenVPN profile selected is correct, then press ADD.

OpenVPN on iOS - add profile OpenVPN on iOS - add profile

9. Name the connection

Feel free to specify the profile name, by changing the field

OpenVPN on iOS - name profile OpenVPN on iOS - name profile

Be sure to check the box Connect after import

OpenVPN on iOS - name profile OpenVPN on iOS - name profile

10. When asked for permissions

Click Allow to allow OpenVPN to add VPN connections.

OpenVPN on iOS - permissions OpenVPN on iOS - permissions

Click Yes to allow OpenVPN to enable the VPN connection.

OpenVPN on iOS - permissions OpenVPN on iOS - permissions

If all went well, you should see the following

OpenVPN on iOS - success OpenVPN on iOS - success

11. To disconnect

Tap on the same button you used to connect.

Linux

Overview

This article will demonstrate how to secure your Ubuntu system with an Acreto Secured Connection. To create an additional layer of security, we’ll use the OpenVPN application.

Before proceeding to the installation, make sure that you’ve added at least one Thing to your Ecosystem - if not, check how to do it.

Solution 1: Script-based Installation

Acreto Wedge offers a ready-to-use script that will install and configure the Acreto client on your Ubuntu system:

  1. Log in to your account on Acreto Wedge.
  2. Select the Ecosystem where your device is configured.
  3. Click on the Objects item from the left side menu.
  4. Find your Ubuntu device on the list and click the i button to show the details panel.
  5. Within the details panel, you’ll see a Configuration Options section with a list of ready-to-use configurations. Find Acreto Connect Client for Ubuntu 18.04 LTS on this list and click the download icon.
  6. Run this downloaded script – acreto-connect.sh.
sudo ./acreto-connect.sh

Once the script finishes downloading your device should be connected to Acreto.

The script:

  1. Checks the type and version of the Operating System
  2. Installs OpenVPN and all other required dependencies
  3. Pulls the TLS-client configuration via API call using the device token
  4. Creates a service enabled at boot
  5. Starts the service and connects the client to the Acreto platform

In case the TLS client is already installed, the user is presented with a menu to update/remove it.

Solution 2: Manual Installation

Don’t want to manage the VPN setup automatically?

How to connect to OpenVPN manually using the terminal:

  1. Open the Terminal (keyboard shortcut: ctrl + alt + t).
  2. Install OpenVPN client by entering:
    sudo apt-get install openvpn
    (if asked for a password, enter the password used when creating your Linux account).
  3. Navigate to the OpenVPN configuration directory with this command:
    cd /etc/openvpn
  4. Download OpenVPN configuration files – in the terminal, type command:
    curl -k --silent --request POST -H 'Accept: text/plain' \
    https://api-is-rock-solid.acreto.net/v2/tlsvpn/config?_token=SECRET
    In case you get an ERROR, the certificate is not trusted. Please install the ca-certificates package with the command:
    sudo apt-get install ca-certificates
  5. Start OpenVPN with a chosen configuration by entering:
    sudo openvpn [file name]
    For example:
    sudo openvpn acreto.ovpn
  6. You have successfully connected to the VPN!
  7. To disconnect, open the terminal window it’s running in and press ctrl + c.

MacOS

Overview

This article will show you how to secure your MacOS device with Acreto Secured Connection. To create an additional layer of security we will use the Tunnelblick app.

Configuring MacOS

The Tunnelblick application is a recommended option for connecting to ACRETO servers on your Mac.

1. Download the Tunnelblick

Tunnelblick provides free, user-friendly control of OpenVPN client connections for macOS.

2. Download the OpenVPN configuration

Add a thing named laptop on Acreto Ecosystem - check how to do it

OpenVPN config download OpenVPN config download

Open the laptop thing details:

OpenVPN config download OpenVPN config download

Save the file as-is, or change the name to acreto-thing.ovpn

3. To begin the installation of OpenVPN for macOS

Navigate to your Downloads folder and double-click the Tunnelblick image (DMg) file you just downloaded

macOS OpenVPN Installation macOS OpenVPN Installation

4. Double-click on the Tunnelblick icon in the Tunnelblick disk image Finder window

macOS OpenVPN Installation macOS OpenVPN Installation

5. A dialog box will appear

Tunnelblick is an app downloaded from the Internet. Are you sure you want to open it?

Click Open

macOS OpenVPN Installation macOS OpenVPN Installation

6. The installer will ask for your password. Enter it and click OK:

MacOS OpenVPN Installation MacOS OpenVPN Installation

7. After the installation completes, you will see a pop-up notification:

Installation succeeded. Tunnelblick was successfully installed. Do you wish to launch Tunnelblick now? (An administrator username and password will be required so Tunnelblick can be secured.).

Click Launch

8. Alternatively, you can click on the Tunnelblick icon on the status bar

and click VPN details:

MacOS OpenVPN Installation MacOS OpenVPN Installation

9. A dialog box will appear:

There are no configurations installed.

Click I have configuration files

MacOS OpenVPN Installation MacOS OpenVPN Installation

10. A pop-up will appear with instructions on how to import configuration files:

MacOS OpenVPN Installation MacOS OpenVPN Installation

Click OK

11. Drag and drop the previously downloaded .ovpn file

From your Downloads folder, copy->paste or drag and drop to the Configurations tab on the Tunnelblick.

MacOS OpenVPN Installation MacOS OpenVPN Installation

12. A new pop-up will appear

The Installer will ask if you want to install the configuration profile for your current user only, or for all users on your Mac.

Select your preferred option: [All Users] / [Cancel] / [Only Me]

13. You will be asked to enter your password again.

14. A new pop-up warning will appear about comp-lzo deprecation.

You can safely check the Do not warn about this again and click OK.

15. Select the server and click Connect.

16. You are connected to the VPN

17. Check your IP address

Browse to https://www.myip.com/ and verify your IP and network (should be different than your ISP).

18. Disconnect

Click on the Tunnelblick icon in your menu bar and select Disconnect from the drop-down menu.

Windows

Overview

This article will show you how to secure your Microsoft Windows with Acreto Secured Connection. To create an additional layer of security we will use the OpenVPN application.

Configuring Windows 10

Use these steps to set up a VPN on a computer running Windows 10.

You can set up a manual OpenVPN connection by using the OpenVPN application.

1. Download the OpenVPN GUI application

https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe

2. Open the installer file

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

3. Follow the setup wizard

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

4. Once the application is installed, download the configuration

Add a thing named laptop on Acreto Ecosystem - check how to do it

OpenVPN config download OpenVPN config download

Open the laptop thing details:

OpenVPN config download OpenVPN config download

Save the file as-is, or change the name to acreto-thing.ovpn

5. Go to the folder where the configurations are downloaded

6. Click and drag to select the OpenVPN configuration downloaded

7. Right-click on them and select Copy

8. Find the OpenVPN config folder

Right-click the OpenVPN GUI shortcut on your desktop and select Open file location.

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

9. Once you’re there, click the parent OpenVPN folder in the address bar

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

10. Extract the configuration file you need to this directory:

c:/Program Files/OpenVPN/config

11. Open the OpenVPN config folder

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

12. Paste the copied configuration files in the folder

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

13. Click Continue to allow the files to be extracted to the folder

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

14. Note: How to prevent possible DNS leaks (optional)

If you are using Windows 10, add an extra line in the configuration files.

To do that, open the downloaded .ovpn configuration file with any text editor and paste this line:

block-outside-dns

Don’t forget to save the file before proceeding to the next steps of this tutorial.

15. Run OpenVPN

Now that the configuration files have been loaded into the proper folder for the application to detect them, let’s open the OpenVPN GUI app itself.

Double-click the shortcut on your desktop.

16. Allow the application to make necessary changes to your device

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

17. The application will start running in the system tray

It’s the area near your clock:

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

It might also be in the hidden system tray area:

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

18. Right-click on the application icon, hover over one of the servers, and click Connect

19. The connection log window will pop up

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

You don’t need to provide any passwords.

20. In a few seconds, the application will connect, and its window will disappear.

The system tray icon will turn green and indicate that you are connected when you hover over it:

Win 10 OpenVPN Installation Win 10 OpenVPN Installation

21. Check Internet access and IP

Browse to https://www.myip.com/ and verify your IP and network (should be different than your ISP)

Secure Google Access

Overview

Acreto offers a comprehensive solution for businesses seeking to safeguard their access to corporate Google applications and data. This is achieved by channeling all traffic to these applications through Acreto’s advanced threat engine and instituting a restriction rule on Google to accept traffic from Acreto’s IP address exclusively. With Acreto, enterprises can be assured of a secure and reliable connection to their essential Google assets.

This document outlines a clear and easy-to-follow process for businesses to secure their corporate Google access with the help of Acreto.

Pre-requisite

  1. Google Workspace Enterprise version or above
  2. New or existing configured Ecosystem
  3. Onboard users to Acreto Ecosystem

Step 1: Enforce IP restrictions on Google using Context-Aware access (CAA)

Google Administrators must enforce the IP restriction rule using Context-Aware access under the Admin console to allow access only from Acreto Ecosystem IP.

When this step is done, access to Google based services will be restricted to the IP address of Acreto, only users connected by Acreto Connect Client can access it.

  1. Log in to https://admin.google.com/ with Admin credentials
  2. Goto Home » Security » Access and Data control » Context-Aware Access Secure-Google Secure-Google
  3. Click Create New Access Level Secure-Google Secure-Google
  4. In the Details section, provide the following:
    • Access level name: Acreto_access_allow
    • Description: Access is allowed only through Acreto Secure-Google Secure-Google
  5. Log in to Acreto Portal amd choose your Ecosystem. From the Left menu choose Objects > Alocated IP’s and copy default exits IPs. Secure-Google Secure-Google
  6. In the Context conditions sections, click ADD CONDITION
    • Select meets all attributes (AND)
    • Select:
      • Attribute: IP Subnet
      • Value: Ecosystem Exit IP IPv4 , Ecosystem Exit IP IPv6 with mask /56 from Acreto Portal
    • Click Create Secure-Google Secure-Google
  7. Next, click ASSIGN ACCESS LEVEL Secure-Google Secure-Google
  8. Select all the apps that need secure access and click ASSIGN Secure-Google Secure-Google
  9. Check both the Access level and assign to the Desktop app and click SAVE, Secure-Google Secure-Google

With this step, the IP enforcement configuration on Google is complete.

Step 2: Turn ON Context-Aware Access

Once onboarding of all the users on Acreto is complete, the administrators can Turn-On the Context-Aware Access for everyone.

When this step is done access restriction rule will be applied to all users.

  1. Goto Home » Security » Access and Data control » Context-Aware Access and click Turn-On Secure-Google Secure-Google

Summary

Once the user or device is connected by Acreto Connect Client, the traffic goes through Acreto Ecosystem, which is thoroughly scanned against any threat or malware. Also, the traffic leaving Acreto gains Acreto’s Exit IP as the source, meeting the Google CAA access criteria.

All traffic that comes from the user to Google is now additionaly secured.

Subsections of Microsoft ecosystem-based solutions

How to configure IIS Restricted Access for OWA

Before You Start

Overview

As the administrator, I need to restrict access for OWA (Outlook Web Access) or other site/URL based on the IIS server on port 443.

Windows Server provides IP Address and Domain Restrictions feature to define and manage rules that allow or deny access to content for a specific IP address, a range of IP addresses, or a domain name or names. This feature may be combined with Acreto Ecosystem to restrict access only for users/devices connected through Acreto.

Pre-requisite

To complete this procedure those elements may be required:

  1. Windows Server environment
  2. Working IIS server with resources that access needs to be restricted
  3. Acreto Ecosystem

How to

IP Address and Domain Restrictions feature enable

  1. Open the Server Manager by selecting Start > Administrative Tools > Server Manager.
  2. On the next screen, select Role-based or feature-based, then select your server and click Next.
  3. Click the Add Role Services link to add the required role.
  4. From the Select Role Services screen, navigate to Web Server (IIS) > Web Server > Security.
  5. Check the IP and Domain Restrictions check box and click Next to continue. IP and Domain Restrictions IP and Domain Restrictions
  6. From the Confirm Installation Selections screen, click Install to add the IP and Domain Restrictions role service. Confirm Installation Selections Confirm Installation Selections

Configuring the Behavior for IIS when Allowing specific IP Addresses

To configure the behavior for allowing specific IP addresses, use the following steps:

  1. Log in as an administrator on your Windows Server 2012 computer.
  2. Open the Internet Information Services (IIS) Manager.
  3. Select the root folder or the website
  4. Select Add Allow Entry from the Action sidebar in the right.
  5. Add all the local subnet that will be allowed to access the site. Add local subnet Add local subnet
  6. Click OK

Configuring the Behavior for IIS when Denying IP Addresses

To configure the behavior that IIS will use when denying IP addresses, use the following steps:

  1. Log in as an administrator on your Windows Server 2012 computer.
  2. Open the Internet Information Services (IIS) Manager.
  3. Select the website, or folder path in the Connections pane, and then double-click IP Address and Domain Restrictions in the list of features. The restriction option The restriction option
  4. Click Edit Feature Settings in the Actions pane. Feature settings Feature settings
  5. When the Edit IP and Domain Restriction Settings dialog box appears, provide the following values:
  • Action for unspecified clients: Deny
  • Deny Action type: Forbidden Deny Action type: Forbidden Deny Action type: Forbidden

References: https://docs.microsoft.com/…#configuring-iis-to-deny-access-based-on-http-requests

Summary

By following these steps, restrictive access to OWA can be achieved. This solution allows access only to specific internal users while blocking it for everybody else.

Subsections of Solutions

Azure AD DS synchronization issues

Problem description

After connecting the Azure network to Acreto and sending all traffic through Acreto vGateway, Azure Active Directory Domain Services managed domain fails to synchronize with Microsoft Windows Active Directory servers.

Symptom 1: Domain synchronization alerts

In Azure, you can see an alert:

Name: The managed domain has not completed synchronization with Azure AD for a long time
Severity: Critical
ID: AADDS500

Symptom 2: Logs contain something

In Azure, you can see an alert:

Name: The managed domain is experiencing a network error
Severity: Critical
ID: AADDS104

Cause

Most likely, your Azure network’s routing table has a default route (0.0.0.0/0) defined that routes all traffic through Acreto vGateway. It means that also communication required to synchronize with Azure AD DS is sent through Acreto, and is SNAT’ed (its source IP address is replaced) to Acreto Allocated IP address. Microsoft detects that synchronization traffic goes from a different source IP address than expected, and blocks that traffic. This breaks synchronization between Azure AD DS and the target server.

Solutions

  1. Deploy Azure AD DS into a separate virtual network ("ADDS virtual network")
  2. Configure default route in Azure AD DS to use default Azure gateway
  3. Deploy Acreto vGateway and resources connected to Acreto into another virtual network ("resources virtual network"), and peer that network to the ADDS virtual network
  4. Configure routing table in the resources virtual network to push all traffic (0.0.0.0/0) via Acreto vGateway
  5. In case Acreto users are authenticated using Azure AD DS, ensure that traffic from ADDS virtual network to subnet 100.64.0.0/16 is routed through resources virtual network and Acreto vGateway

See Azure virtual network design for details.

Solution 2: Define static routes on resources

  1. In Azure routing table, use default value for the route to 0.0.0.0/0
  2. On each resource (server) that uses Acreto, define a static default route that will go

Solution 3: Define explicit routes to send Azure AD DS traffic through the Azure gateway

Create routing configuration that will route IP addresses from Azure service tags through standard Azure gateway, while keeping default route pointing to Acreto vGateway. You can download a list of Azure IP Ranges and Service Tags – Public Cloud.

See User-defined routes for more details.

See also

Please refer to the following additional material:

  1. Known issues: Common alerts and resolutions in Azure Active Directory Domain Services
  2. Known issues: Network configuration alerts in Azure Active Directory Domain Services
  3. Virtual network design considerations and configuration options for Azure Active Directory Domain Services

Windows Activation failure

Problem description

Windows activation fails when all the Internet traffic goes through Acreto.

This article describes how to resolve the KMS activation problem you might experience when you force all the traffic to go through Acreto.

Symptom

You enable forced tunneling on Azure virtual network subnets to direct all Internet-bound traffic back to your on-premises network. In this scenario, the Azure virtual machines (VMs) that run Windows fail to activate Windows.

Cause

The Azure Windows VMs need to connect to the Azure KMS server for Windows activation. The activation requires that the activation request come from an Azure public IP address. The activation fails in the forced tunneling scenario because the activation request comes from Acreto instead of from an Azure public IP address.

Solution

Use the Azure custom route to route activation traffic to the Azure KMS server to resolve this problem.

The IP address of the KMS server for the Azure Global cloud is 23.102.135.246. Its DNS name is kms.core.windows.net. If you use other Azure platforms such as Azure Germany, you must use the IP address of the corresponding KMS server. For more information, see the following table:

Platform KMS DNS IP
Azure Global kms.core.windows.net 23.102.135.246
Azure Germany kms.core.cloudapi.de 51.4.143.248
Azure US Government kms.core.usgovcloudapi.net 23.97.0.13
Azure China 21Vianet kms.core.chinacloudapi.cn 42.159.7.249

How to

Update the route table of the Subnet where Windows VM was created :

  1. Login to Azure portal

  2. Goto you Virtual network whose subnet’s route table needs to be modified.

  3. In the virtual network menu bar, choose Subnets.

  4. Select the subnet for which the route table needs to be updated.

  5. In the Route table, add the following route :

    • Route name - kms.core.windows.net
    • Address prefix - 23.102.135.246/32
    • Next Hop - Internet

    Windows Activation Windows Activation

    Windows Activation Windows Activation

  6. Select Save.

Verify

With the custom route, the Window activation traffic goes directly to the Azure KMS server, and the process will be successfully completed.

Windows Activation Windows Activation

References

Microsoft article: Windows Activation troubleshooting

How To use WiFi as LAN interface on Raspberry Pi

Introduction

When using Rasberry PI as a vGateway device, you may use a built WiFi card to create a WiFi Access point. This procedure requires modification of image created for Ecosystem you by Wedge.

Prerequisites

  1. Existing and configured Ecosystem
  2. Configured Gateway
  3. Basic knowledge about Unix configuration.

How-To

  1. Generate an image for your Raspberry device and install it on your device - check how to do it

  2. Log in to the device.

  3. Update system and install Hostpad

    sudo apt-get update -y
    sudo apt-get install -y hostapd
  4. Go to /etc/hostapd/ and check dose the file hostapd.conf exist. Edit it by adding config of your Access Point:

    interface=wlan0 
    ssid=acreto
    hw_mode=g
    channel=1
    wmm_enabled=0
    macaddr_acl=0
    auth_algs=1
    ignore_broadcast_ssid=0
    wpa=2
    wpa_passphrase=acreto#1234
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP
    rsn_pairwise=CCMP
  5. Go to /etc/ipsec.d/ adn create the ipsec-leftupdown.sh file withe this content:

    #! /bin/bash
    
    #  This script creates a new vti interface and adds routes based on data passed from Strongswan.
    #  To use, add to "conn..." section of ipsec config file:
    #    leftupdown=/path/to/ipsec-leftupdown.sh
    
    set -o nounset
    set -o errexit
    
    VTI_IF="vti-${PLUTO_CONNECTION:0:10}"
    VTI_IF="${VTI_IF/./}"
    
    # Create run directory
    RUNDIR=/var/run/acreto ; mkdir -p $RUNDIR
    
    # Read configuration from config file
    
    networks_right=''
    if [ -f /etc/ipsec.d/$PLUTO_CONNECTION.route ] ; then
      networks_right=`cat /etc/ipsec.d/$PLUTO_CONNECTION.route`
    else
        echo WARN: Routing info file /etc/ipsec.d/$PLUTO_CONNECTION.route not found
    fi
    
    # Determine gateway to use to reach ${PLUTO_PEER}
    function detectGateway {
       # Find a route with a 'via' address
       local gateway=""
    
    
       # Start with default route
       # Note that we exclude gateways that are on vti- devices
       [ -z "$gateway" ] &&  gateway=`ip route show default | grep -v 'dev vti-'  | egrep -o1 'via (([0-9]{1,3}.){3}[0-9]{1,3})' | head -1 |cut -d' ' -f2  `
    
       # Try 'ip route get'
       # It's not first rule because it doesn't survive link change
       [ -z "$gateway" ] && gateway=`ip route get $1 | grep -v 'dev vti-' | egrep -o 'via (([0-9]{1,3}.){3}[0-9]{1,3})' |cut -d' ' -f2`
    
       # Fallback to a previously detected gateway
       [ -z "$gateway" ] && gateway=`cat $RUNDIR/local-gateway.conf` || true
    
       # Save detected gateway
       [ ! -z "$gateway" ] && echo $gateway > $RUNDIR/local-gateway.conf
    
       echo $gateway
    }
    
    set -x
    
    gateway=`detectGateway  ${PLUTO_PEER}`
    
    case "${PLUTO_VERB}" in
       up-client)
          if ip tunnel show "${VTI_IF}" ; then
             op=change
          else
             op=add
          fi
    
          ip tunnel $op "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
                okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
          ip link set "${VTI_IF}" up
          sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X
    
          for net in $networks_right ; do
                if [ $net == '0.0.0.0/0' ] ; then
                   # Ensure that PEER is always accessible if we set up default route (and ignore errors)
                   [ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
                   # Ensure we don't have any other default gateway defined
                   while ip route show default|grep -q default ; do
                      ip route del default
                   done
                fi
                ip route add $net dev ${VTI_IF}
          done
          ;;
       down-client)
          # Ensure that PEER is always accessible if we set up default route (and ignore errors)
          [ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
    
          # Nothing else to do here:
          # 1. We don't delete the tunnel interface and routing setup because it causes connection reset, as down-client is called whenever a connectionis renegotiated, and it makes apps (like mtr) break.
          # 2. We also don't remove the specific route to our gateway to be able to re-establish the connection.
          # 3. We also don't recover the default gateway, as we want to block all traffic if the tunnel is down.
          ;;
    esac
  6. Go to /etc/netplan/ and check does the 50-acreto.yaml file (or common) exist. Edit it by adding Access Point configuration:

    network:
    version: 2
    +  renderer: NetworkManager
    ethernets:
       eth0:
          dhcp4: yes
    +  wifis:
    -  eth1:
    +    wlan0:
          addresses:
          - 10.153.250.1/29
    +      dhcp4: true
    +      optional: true
    +      access-points:
    +        "acreto":
    +          password: "acreto#1234"
    +          mode: ap
  7. After all of the modifications content of the folder should look like this:

    Custom /boot/firmware/strongswan.zip contents
    ❯ tree custom
    custom
    └── etc
       ├── default
       │   └── hostapd               <-- added one line
       ├── hostapd
       │   └── hostapd.conf         <-- all WiFi settings
       ├── ipsec.d
       │   ├── 402fd2ced4.conf
       │   ├── 402fd2ced4.route
       │   └── ipsec-leftupdown.sh  <-- added iptables commands to flush rules
       ├── ipsec.secrets
       ├── netplan
       │   └── 50-acreto.yaml      <-- added configuration for ap mode and IP
       └── sysctl.d
          └── 10_ac_ip_forward.conf
  8. Restart the device to provide all of the changes.

  9. Try to connect to the acreto wifi network using acreto#1234 as a password.

Summary

After the device restart, you should be able to connect to the Acreto WiFi network. All traffic will go thru the Ecosystem and should be visible in logs.

Connect first SaaS application - Office365

Overview

The company wants to restrict access to Office 365 in the following ways.

  1. A user can’t go direct to O365
  2. A user has to go through a secure infrastructure before they gain access to O365
  3. A users access to the Onedrive application is blocked if they are not in the USA or EU
  4. A user has to go through two-factor authentication before they can access OneDrive, even though they have access to other office applications without the need for two-factor authentication.

Apply these configurations to O365 in a simple fashion. (e.g. from a centralized GUI without having to log into MSFT console)

Solution

Acreto solution allows us to secure access to Office365/OneDrive using Microsoft Azure AD.

Acreto will provide the policy configurations to control the following:

  • All users logged in through Acreto SASE+ can access O365.
  • All users not logged in through Acreto SASE+ are not allowed to reach O365. e.g. they can’t go from home cable modem direct to O365 going around Acreto VPN.
  • All users logged in through Acreto SASE+ but not logging in from a specific location such as China will not be allowed to log in to O365
  • All users logged in through Acreto SASE+ but not logging in from a specific location such as the United States or Europe can access O365, but not OneDrive

Before you start

To solve the described issue you will need:

  • Acreto account with configured security policy
  • Microsoft Azure ActiveDirectory with more than one user
  • Office365 licenses managed by Azure ActiveDirectory
  • Active Directory users with Office365 licenses and internet connection secured by Acreto

Make sure that you have all the required elements before you will start.

Create Acreto security policy

As a first step you need to create a secure connection between end-user and acreto - use one of two possible solutions:

No matter which way you choose, after you connect to Acreto your external IP address should be masked with Acreto gateway - this means that any Internet service or website will be not able to see your real IP address. Acreto will mask your IP with an address that you may find in WEDGE panel - go to Allocated IP’s and then find Default Exit position - this is your Secured IP address.

Make this IP address to be the only address that should be allowed to access Office365/OneDrive services in your organization.

Configuration of Active Directory

If you already secured your internet connection with Acreto it’s time to make a security rule on Microsoft Azure ActiveDirectory.

1.Login to Azure panel as a user with administrator right and click on Azure Active Directory icon:

2. Choose the “Security” option marked on the screen below.

3.Create Named location - named and defined IP address range that will be allowed to access Office365/OneDrive.

To do this click on Named location on side menu (marked as “1”) and then click on + New location (marked as “2”).

4. Fill new location form with readable name and choose options and save:

  • Define the location using - choose IP ranges
  • Mark as trust location - check
  • IP ranges - add the IP address of Acreto gateway (104.193.146.121/32) - this is an example address, your Acreto Gateway may have different IP.

5.Create a security rule to limit access to Office365/OneDrive

Choose Conditional Acces option from the side menu and click on ** + New policy ** button.

The form of policy creation is advanced and offers many options, in this scenario we will use a minimal amount of options that allow us to get a working configuration.

  • Assignments > Users and groups - select users or a whole group of users that needs to be under control.
  • Assignments > Cloud apps or actions - choose the select apps option and then mark all apps that should be under control: Office 365 Exchange Online, Office 365 SharePoint Online, Office 365 (preview).
  • Assignments > Conditions > Locations - choose Configure: yes and Selected location to be able to restrict access only from previously configured Named location. Be sure that the selected option is the Named location with the Acreto IP address.
  • Assignments > Conditions > Client apps (Preview) - choose all available options to make sure that there will be no security gap in access rules.
  • Access controls > Block access/Grant - decide do these rules should grant or block access when conditions are true. Here you may also define additional authentification steps like multi-factor authentication.
  • Access controls > Session - choose Use app enforced restrictions, Use Conditional Access App Control

That’s a minimum required configuration necessary to make a goal of this case.

6. Make sure that Enable policy: On. -

This option is displayed on the bottom right part of the screen and it decided does the whole configuration is on.

Tip

If you can’t turn the rule on it’s possible that you need to disable Security Defaults

7. Double-check all rules and click on the save button.

Security verification

To verify does the created access rules works we do a two-part test:

  1. Login into Office365 without the Acreto
  2. Login into Office365 with the Acreto

In both tests, we will use a user account managed by Azure AD. This account is added to the created rule of conditional access.

Login into Office365 without the Acreto

At the first test, we will check dose it possible to log in to Office365 from an internet connection that is not secured with Acreto.

  1. The user goes to www.office.com and clicks on the login button
  2. Fill login form with username and password
  3. Click on the Log in button

The login page should return information that the User is not able to log in because does not meet the criteria to access this resource. This means that created security rule work.

Login into Office365 with the Acreto

In the second test user use Acreto secured internet connection and trying to login to office.com

  1. The user goes to www.office.com and clicks on the login button
  2. Fill login form with username and password
  3. Click on the Log in button

The login page works in a standard way and allows the user to access his account.

Summary

Thanks to Acreto and Azure AD conditional access rules you can create advanced security solutions.

How to Invite a User with Onboarding Portal

Introduction

Acreto Support User Management - as an Ecosystem administrator, you may create user accounts or import them from LDAP / identity providers (like Azure Active Directory, Okta ) and invite them to start using Acreto by email or link.

Before you invite users to Acreto, make sure that Identity provider is present and configured in your Ecosystem.

Acreto allows inviting users that exist in LDAP/Identity provider service(s) connected to the Ecosystem and have an email address in account details.

To invite user by e-mail:

  1. Loing into Wedge
  2. Select right Ecosystem
  3. From the side menu choose the Users option
  4. On the list of users check those who should get an invitation.
  5. Click on the button Send invitations you will be a move to Send invitation emails form.
  6. Fill the form:
    1. Title - title for your reference only
    2. Description - additional description for your reference only.
    3. Note to your users - Invitation note - Add some personalized note to your users that will be included in the invitation
    4. Contact person - contact information of the person responsible for invitation, that information will be displayed at the bottom of invitation e-mail - users may use them in case of issues.
  7. Click on the Send button placed under the form. This action will send emails to users also you will see windows with information about which email been used to send invitations.
  8. Window also contains Next Steps information - create/check Security Policy for invited users - click on Go to Security Policies button to go to the polices panel.

Acreto allows inviting users that exist in LDAP/Identity provider service connected to the Ecosystem.

To invite user by the link:

  1. Loing into Wedge
  2. Select right Ecosystem
  3. From the side menu choose Identity Providers option
  4. From the list of configured LDAP/Identity providers choose this, into which you want to invite users, and click on the Edit button.
  5. Scroll to the bottom of the screen to the Status summary section.
  6. Click on the Copy icon in line Copy link to onboarding Portal this will copy the invitation link into your cache.
  7. Now paste this URL into any form of communication with users: email, slack, or any internal communicator. Done! Any user that gets this link and has LDAP/Identytiy provider credentials may configure and connect to Acreto.