
HCX Tunnels

Hi, how are you? I hope you are doing great.

Thanks for coming to my blog. In this post we discuss HCX tunnels.


HCX deploys a few appliances according to the services enabled in the compute profile. Among them, HCX-IX and HCX-NE are the two appliances that establish IPSec tunnels with their peer appliances on the target site.

In this blog, I would like to explore the tunnel configuration. Before exploring the HCX IPSec tunnels, let's first understand what IPSec tunnels are.


What is IPSec?

  • IPSec is short for Internet Protocol Security.
  • It is a group of protocols used together to set up encrypted connections between two sites.
  • An IPSec tunnel encrypts and authenticates the data flowing through it.
  • IPSec tunnels create robust security layers to fully protect data transmitted over the Internet or across an enterprise network.

This is how the tunnel works:


  • To protect the data packets, the IPSec peers (source and destination) need to establish a tunnel.
  • To establish the tunnel, IPSec uses a protocol called IKE (Internet Key Exchange).
  • There are two phases.

In IKE phase 1, the two peers negotiate the encryption, authentication and hashing algorithms and the other protocols they want to use, along with the other parameters that are required.

In this phase the IKE phase-1 tunnel is formed; it is only used for management traffic such as keep-alives.


credit: https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security 


Using this first tunnel, we establish the second tunnel, called the IKE phase 2 tunnel.


Data packets are transmitted through the IKE phase 2 tunnel.

  • IKE builds the tunnels, but it does not authenticate or encrypt the data itself; for that, IPSec uses two other protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload).
  • AH and ESP both offer authentication and integrity, but only ESP supports encryption. Because of this, ESP is the most popular choice nowadays.

Now let's see how the tunnel is formed on the HCX IX appliance.

To explore this, I am using the VMware HCX Hands-on Lab: https://pathfinder.vmware.com/activity/vmware_hcx_gs_hol

  • Connect to the HCX Connector (the HCX Manager on the source site, from which we migrate VMs) over an SSH session.

  • Then launch the HCX central CLI by typing the command ccli. It will take you into HCX Central CLI mode.

  • Type the help command to list all the available commands.


  • Type the list command to see all the available HCX appliances. Here we can see the IX, NE and SGW appliances are deployed and in connected state.
    IX - HCX Interconnect
    NE - Network Extension
    SGW - Sentinel Gateway


  • To log in to the HCX IX appliance, type go 0.


  • Now type the list command so that you can go inside the HCX-IX appliance CLI.
  • You can see the IX appliance is selected now, and the command prompt has also changed to admin@hcx-connect-01a:HOL-1-IX-I1.
  • Now type the ssh command to go into the Linux shell of the HCX-IX appliance.
  • You can see the prompt has changed, and you are logged into the IX appliance as root.


  • Now let's check the IP address configuration.



If you observe the output, vNic_0 is the management interface of the IX appliance, and t_1, t_2 and t_3 are point-to-point tunnel interfaces.

Let's check the IPSec configuration.

You can see there are 3 security associations established.


We test by pinging the remote site IP and see that the ping works, which means the tunnel is connected.
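The checks above (list the security associations, confirm traffic flows) can be scripted once you know what the Linux IPSec state looks like. The following is an added example written for this post, not HCX's own tooling: it assumes the appliance's Linux shell exposes kernel IPSec state through the standard iproute2 command `ip xfrm state` (if HCX uses a different IPsec stack, only the regexes need adapting). It parses that output into security associations, flags any SA that is AH-only (integrity without encryption, as explained earlier), and checks that an ESP SA exists in both directions between the local peer and the remote site, which is what a "connected" tunnel needs before a ping can succeed. The sample output is constructed for the example, not captured from an HCX lab.

```python
"""Summarise the IPsec security associations (SAs) visible on a Linux IPsec peer.

Added example for this post, not HCX's own tooling. Assumes the appliance's
Linux shell exposes kernel IPsec state via the standard `ip xfrm state`
command. The sample output below is constructed, not captured from HCX.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: an ESP SA in each direction between the local peer and the
# remote site (a working bidirectional tunnel), plus an AH-only SA to a third host.
SAMPLE_XFRM_STATE = """\
src 10.10.1.21 dst 203.0.113.40
    proto esp spi 0x0e5c9cb8 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00000000000000000000000000000000 128
    enc cbc(aes) 0x00000000000000000000000000000000
    anti-replay context: seq 0x0, oseq 0x12, bitmap 0x00000000
src 203.0.113.40 dst 10.10.1.21
    proto esp spi 0xd1f2a3b4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00000000000000000000000000000000 128
    anti-replay context: seq 0x33, oseq 0x0, bitmap 0xffffffff
src 10.10.1.21 dst 198.51.100.7
    proto ah spi 0x00a1b2c3 reqid 2 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
"""

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"^proto (\S+) spi (\S+) reqid \S+ mode (\S+)")
# "auth-trunc" is listed before "auth" so the longer keyword wins.
ALGO_RE = re.compile(r"^(aead|auth-trunc|auth|enc|comp) (\S+)")


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""          # "esp" or "ah"
    spi: str = ""
    mode: str = ""           # "tunnel" or "transport"
    algorithms: dict = field(default_factory=dict)  # transform kind -> algorithm name

    @property
    def encrypted(self) -> bool:
        # Only ESP can carry a cipher (enc) or AEAD transform; AH is integrity-only.
        return self.proto == "esp" and any(k in self.algorithms for k in ("enc", "aead"))

    @property
    def authenticated(self) -> bool:
        return any(k in self.algorithms for k in ("auth", "auth-trunc", "aead"))


def parse_xfrm_state(text: str) -> list[SecurityAssociation]:
    """Parse `ip xfrm state` output; each SA record starts with a 'src ... dst ...' line."""
    sas: list[SecurityAssociation] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            current = SecurityAssociation(src=m.group(1), dst=m.group(2))
            sas.append(current)
        elif current is not None and (m := PROTO_RE.match(line)):
            current.proto, current.spi, current.mode = m.groups()
        elif current is not None and (m := ALGO_RE.match(line)):
            current.algorithms[m.group(1)] = m.group(2)
    return sas


def summarize(sas: list[SecurityAssociation]) -> dict:
    """Counts per protocol plus the SPIs of any SA that offers no encryption."""
    return {
        "total": len(sas),
        "esp": sum(1 for s in sas if s.proto == "esp"),
        "ah": sum(1 for s in sas if s.proto == "ah"),
        "unencrypted_spis": [s.spi for s in sas if not s.encrypted],
    }


def tunnel_is_bidirectional(sas: list[SecurityAssociation], local: str, peer: str) -> bool:
    """A tunnel needs one outbound and one inbound ESP SA to carry traffic both ways;
    a missing direction is a common reason a tunnel shows SAs yet drops pings."""
    outbound = any(s.proto == "esp" and s.src == local and s.dst == peer for s in sas)
    inbound = any(s.proto == "esp" and s.src == peer and s.dst == local for s in sas)
    return outbound and inbound


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    print(summarize(sas))
    for sa in sas:
        print(f"{sa.src} -> {sa.dst} {sa.proto} spi={sa.spi} {sa.mode} "
              f"encrypted={sa.encrypted} authenticated={sa.authenticated}")
    print("bidirectional to 203.0.113.40:",
          tunnel_is_bidirectional(sas, "10.10.1.21", "203.0.113.40"))
```

On a real peer you would feed it the live output, for example `parse_xfrm_state(subprocess.check_output(["ip", "xfrm", "state"], text=True))`, and treat any SPI in `unencrypted_spis` as a configuration to review, since AH-only SAs authenticate but do not protect confidentiality.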



