Configure Datacenter

Goal

We already imported and secured our users, and they are able to connect to the Ecosystem. To meet the assumptions of the “Work from Anywhere” idea, it is necessary to provide users with access to the data center and internal services. For this purpose, we will connect the data center with the Ecosystem.

Prerequisite

To complete this procedure you should:

  1. Have an active Acreto account (How to register)
  2. Finish the procedure described in the previous article
  3. Know the Data Center setup in your company - the checklists placed below may be helpful to collect the required information.

Choose Connection Method

For maximum flexibility Acreto offers three options to connect your datacenters and applications:

  1. Use the Acreto-provided software virtual gateway (vGateway) installed on a KVM or ESX virtual machine
  2. Use your existing branch office equipment, such as your existing Cisco router or existing firewall
  3. For IoT/OT/Kiosks we provide the image for a 2-port IoT gateway (e.g. RaspberryPi)

Checklist 2: Datacenter Service Connection using vGateway

This checklist includes the information needed to connect Acreto to your internal Datacenter for private application access.

Acreto Virtual Gateway method behind datacenter Firewall:

  1. Select a machine to run the Acreto vGateway (Virtual Appliance, i.e. Hyper-V, VMware ESXi, Proxmox, OpenStack)
  2. Confirm the machine has access to both the WAN and the DataCenter LAN (set up the default gateway)
  3. Provide an IP address for vGateway for LAN (Local Network) connection: _ _ . _ . _ . _ _ / 24
  4. Provide a Gateway for vGateway for LAN (Local Network) connection: _ _ . _ . _ . _ _ / 32
  5. Provide an IP address for vGateway for WAN connection: _ _ . _ . _ . _ _ / 24
  6. Provide a Gateway for vGateway for WAN connection: _ _ . _ . _ . _ _ / 32
  7. Provide Network IP address and Netmask for all the networks you want to connect with Acreto: _ _ . _ . _ . _ _ / _ _ _

Checklist 3: Datacenter Service Connection and Branch using existing Firewall/VPN

This checklist includes the information needed to connect Acreto to your internal Datacenter using the existing firewall/VPN gateway.

  1. 3rd-party Firewall/VPN in the Datacenter for each branch location
  2. Confirm the existing firewall/VPN/router supports IPSEC
  3. Have the login and password to your existing router or firewall handy: /_
  4. Have the manual for your existing firewall or router handy, with instructions on how to build IPSEC tunnels
  5. Have the existing IP address for the LAN (Local Network) connection: _ _ . _ . _ . _ _ / 24
  6. Provide a Gateway for the LAN (Local Network) connection: _ _ . _ . _ . _ _ /24
  7. Repeat this process for each branch office location
  8. Select the user authentication server and write down the following information
  9. Decide on the user authentication server / identity provider to use: Okta, Azure Active Directory, Windows Server AD, LDAP
  10. Domain name (yourcompany.com):__________________
  11. Address of Authentication server (IP or FQDN) :__________________
  12. Write down User Base DN, Group Base DN (i.e. ou=users, dc=dev-209171, dc=okta, dc=com) : __________________
  13. Username / Password to authenticate against Identity provider: /
  14. Decide on the list of the initial 10 users to invite to participate in the Acreto VPN solution if you would like to take a phased approach

Configuration

Using the checklists above, connect your Datacenters to Acreto via IPSEC (vGateway or existing hardware). The procedure below shows how to do it using a Raspberry Pi device as a vGateway.

It is not the only method to reach the goal; other possibilities have been described here. As an alternative, you may use your existing branch office equipment, such as your existing Cisco router or existing firewall.

The following procedure is a summary of the Linux - Automatic IPsec Configuration article, which you may want to read if you want to know more.

To connect your Datacenter/Branch Office to Acreto:

Create new Gateway on Acreto WEDGE

  1. Log in to the Acreto Portal at wedge.acreto.net
  2. Select your ecosystem and go to Objects using the left menu.
  3. Click Add new Object and select Gateway.
  4. Fill in at least:
    1. Name: the name of the gateway
    2. Category: IoT
    3. vGateway: make sure that Gateway is selected in the top right corner
    4. DHCP/Static: Select DHCP
    5. vGateway Local IP: the IP address of the RaspberryPi device in your LAN, e.g. 192.168.200.1/24
    6. Local Networks: your local network addresses that should be routed through this gateway
  5. Save the created Gateway by pressing Add.
  6. Add a security policy that will allow communication from the Gateway device to the Internet.
  7. Commit pending changes (top of the screen)
Tip

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use a /32 prefix for the public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.

Note

To successfully test your connectivity, you also need to create a security policy that will allow traffic to go through your device.

Generate Raspberry Pi vGateway Image

To proceed with this step you should have at least one Gateway configured as a vGateway in your Ecosystem. From the left menu choose Objects > Gateways to display the list of existing gateways.

To generate an image with the configuration for Raspberry Pi you need to:

  1. Click on the vGateway name, the gear ⚙ icon, or the “i” button on the vGateway panel - the details panel will appear.
  2. On the right side of the gateway details panel click on IoT Hardware Images to show the list of options to generate images.
  3. The generation of the image may take a while, please be patient.
  4. When the image is ready you may download it or copy its URL - save it on your PC.

Image installation

To proceed with this step you need to have the image file generated by Acreto, or the URL to the image, for your vGateway.

To install the image, flash it onto the SD card:

  1. Download the write_image.sh script

    Click on the button and save the script in your home directory:

    Get write_image.sh

    or open the terminal and download the script using the command:

    wget https://kb.acreto.net/reference-material/downloads/write_image.sh
  2. Remove the SD card from your Raspberry Pi device

  3. Put the SD card into your computer

    • Ensure it didn’t mount automatically - if it did, unmount it
  4. Use the write_image.sh script to write the image to the SD card

    • if you have the image file downloaded locally:

      ./write_image.sh image-file.zip /dev/sdb
    • if you want to use the URL of the image directly:

      ./write_image.sh https://aws1-vgateway-images.s3.amazonaws.com/vgateway-raspberry-pi4.s.nAH2xOL8HyJIK1g8v4HEsNCt.img.zip /dev/sdb

      where /dev/sdb is the location of your SD card

  5. Once finished, plug the SD card into your device and log in as:

    1. login: acreto
    2. password: acreto.io
  6. Change your password after the first login

  7. Test the network connectivity

    • Check the IPsec tunnel status:

      ipsec statusall
    • Run a traceroute to check that the traffic goes through the Acreto Ecosystem:

      traceroute 8.8.8.8

    More information about checking the connectivity can be found under Connectivity Check article where a dedicated tool is available.
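The two checks the procedure above leaves to the operator are the ones that matter most: writing the image to a block device that is still mounted (or to the wrong device) destroys whatever is on it, and "the card booted" does not by itself mean the tunnel is up. The following POSIX sh wrapper is an added example, not Acreto's write_image.sh and not part of this article; it assumes write_image.sh has been downloaded into the current directory as described, that the target device path and image argument are passed exactly as the article shows, and that the tunnel status text is the strongSwan-style output of `ipsec statusall` on the vGateway. The /proc/mounts lines and the status text embedded at the bottom are constructed samples for a dry run, not output captured from a real device.

```shell
#!/bin/sh
# Added example wrapper around the SD-card flashing step (not Acreto's script).
# Assumes ./write_image.sh is present in the current directory.

# device_mounted DEV [MOUNTS_FILE]
# Prints every mounted partition of DEV (read from /proc/mounts by default) and
# returns 0 if at least one is mounted, 1 if none is. This is the check behind
# the article's "ensure it didn't mount automatically" step.
device_mounted() {
    awk -v dev="$1" '
        $1 ~ ("^" dev "(p?[0-9]+)?$") { found = 1; print $1 " mounted on " $2 }
        END { exit !found }
    ' "${2:-/proc/mounts}"
}

# unmount_device DEV
# Unmounts every mounted partition of DEV (needs root, like the flashing itself).
unmount_device() {
    for part in $(awk -v dev="$1" '$1 ~ ("^" dev "(p?[0-9]+)?$") { print $1 }' /proc/mounts); do
        umount "$part" || return 1
    done
}

# flash_image IMAGE_OR_URL DEV
# Refuses to run unless DEV is a block device with no mounted partitions,
# then hands off to write_image.sh with the same arguments the article uses.
flash_image() {
    img="$1"; dev="$2"
    if [ -z "$img" ] || [ ! -b "$dev" ]; then
        echo "usage: flash_image <image-file.zip|image-url> /dev/sdX" >&2
        return 2
    fi
    if device_mounted "$dev" >/dev/null; then
        echo "$dev still has mounted partitions; unmount it first" >&2
        return 1
    fi
    ./write_image.sh "$img" "$dev"
}

# tunnel_established < output-of-ipsec-statusall
# Returns 0 only when the status text shows both an ESTABLISHED IKE SA and an
# INSTALLED tunnel child SA; a connection that is only CONNECTING is not "up".
tunnel_established() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q 'ESTABLISHED' &&
    printf '%s\n' "$status" | grep -q 'INSTALLED, TUNNEL'
}

# --- constructed samples for a dry run (not captured from a real device) ---
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/boot vfat rw,nosuid 0 0
/dev/sdb2 /media/user/rootfs ext4 rw,relatime 0 0'

SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
   vgw[1]: ESTABLISHED 5 minutes ago, 192.168.200.1[192.168.200.1]...203.0.113.10[203.0.113.10]
   vgw{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3d4_i e5f6a7b8_o
   vgw{1}:   192.168.200.0/24 === 0.0.0.0/0'

# With no arguments: dry run on the samples. Real use: flash_image image-file.zip /dev/sdb
if [ $# -eq 0 ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
    if device_mounted /dev/sdb "$tmp"; then echo "-> /dev/sdb would be refused until unmounted"; fi
    printf '%s\n' "$SAMPLE_STATUS" | tunnel_established && echo "-> sample tunnel is up"
    rm -f "$tmp"
else
    flash_image "$@"
fi
```

On the live device the same check is `ipsec statusall | tunnel_established`; if it returns non-zero, look at the Security Associations block for a CONNECTING entry before moving on to the traceroute, since a traceroute that leaves via the local default gateway instead of the tunnel is the usual symptom of a tunnel that never reached INSTALLED.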