For our SD-WAN controllers to communicate securely with each other, every controller needs the same root certificate installed. Once it is in place, the controllers can bring up their secure control plane connections (DTLS/TLS) and mutually authenticate one another using certificates issued by that root.
In my lab I have deployed an Ubuntu server with two Ethernet interfaces; this server will act as the root CA. The first step in setting it up is to configure the device with static IP addresses.
Start by verifying the IP info and interface names:
ip a
I had to use the "altname" from the output to get the static configuration to work.
ens3 (altname: enp0s3) corresponded with e0 in my diagram
ens4 (altname: enp0s4) corresponded with e1 in my diagram
Next I'll make a backup of the current netplan config, so I can roll back if I mess up the rest of the configuration. Note that netplan loads every *.yaml file in /etc/netplan, so the backup must not keep the .yaml extension, otherwise both the old and the new config would be applied.
sudo cp /etc/netplan/00-installer-config.yaml /etc/netplan/00-installer-config.yaml.BACKUP
Here's the new config used in my lab environment. enp0s4 connects to the management network and enp0s3 connects to the underlay network. Note that the default route is defined with a "routes" statement instead of the deprecated "gateway4" key.
network:
  ethernets:
    enp0s4:
      dhcp4: false
      addresses:
        - 192.168.1.180/24
      nameservers:
        addresses: [192.168.1.1]
    enp0s3:
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.10.0.180/24
      routes:
        - to: default
          via: 10.10.0.1
      nameservers:
        addresses: [10.10.0.1]
  version: 2
When working over a remote session, "sudo netplan try" first applies the config with a rollback timer, so a typo in the addresses can't lock you out; once it looks good, apply it permanently:
sudo netplan apply
Once this has been set up properly and we can reach the other components, we can start on the certificate part.
First we generate the CA's private key. This key is the trust anchor for the whole deployment: whoever holds it can issue certificates that every controller will trust, so it stays on the CA server only (it is never copied to the controllers) and should be readable by nobody but the user running the CA.
openssl genrsa -out CA.key 2048
Next we use this private key to generate our self-signed root certificate. Keep in mind that -days 365 makes the root expire after one year, and every certificate issued under it becomes invalid at the same moment; for anything longer-lived than a short lab, choose a longer validity.
openssl req -new -x509 -days 365 -key CA.key -out CA.crt
After hitting enter, you'll be prompted for the subject information (country, state/province, city, organization, ...). You now have a self-signed root certificate (CA.crt) that can be copied onto the controllers. Only the certificate is copied; CA.key never leaves the CA server.
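The following script is an example added to this post, not part of the original procedure. It performs the two openssl steps above non-interactively and adds the checks worth running before the certificate leaves the CA server: that the certificate is self-signed and explicitly marked CA:TRUE, that it matches the private key on disk, and what its SHA-256 fingerprint is, so the copy on each controller can be compared against it. The subject name and the output directory are lab assumptions, and the script needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not from the original post): build a lab root CA and verify
# it before distributing CA.crt to the controllers.
# Assumptions: OpenSSL >= 1.1.1 (for -addext); the subject below is a made-up
# lab identity; CA.key / CA.crt are written into the directory given as $1.
set -eu

CA_SUBJECT="/C=BE/ST=Lab/L=Lab/O=SDWAN-Lab/CN=SDWAN Lab Root CA"

# make_root_ca DIR: create DIR/CA.key and DIR/CA.crt.
make_root_ca() {
    dir="$1"
    mkdir -p "$dir"
    # umask 077 so the private key is never readable by other users, not even
    # for an instant. For a non-lab CA add -aes256 to encrypt it as well.
    ( umask 077 && openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null )
    # Self-signed root. The post uses -days 365; a root that expires in a year
    # invalidates every controller certificate with it, so use 10 years here
    # and state the CA extensions explicitly rather than relying on openssl.cnf.
    openssl req -new -x509 -sha256 -days 3650 \
        -key "$dir/CA.key" -out "$dir/CA.crt" \
        -subj "$CA_SUBJECT" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign"
}

# check_root_ca DIR: return non-zero unless CA.crt is a self-signed CA
# certificate whose public key matches CA.key.
check_root_ca() {
    dir="$1"
    # The root must verify against itself (self-signed, valid dates).
    openssl verify -CAfile "$dir/CA.crt" "$dir/CA.crt" >/dev/null
    # Without CA:TRUE the controllers will not accept it as a trust anchor.
    openssl x509 -in "$dir/CA.crt" -noout -text | grep -q "CA:TRUE"
    # The certificate must carry the public half of the key we keep on disk.
    cert_pub=$(openssl x509 -in "$dir/CA.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/CA.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint FILE: print the SHA-256 fingerprint (colon-separated hex).
# Run the same openssl command from vshell on each controller after the copy
# and compare the two values.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone usage: ./make-ca.sh ./ca (hypothetical script name)
if [ "${1:-}" != "" ]; then
    make_root_ca "$1"
    check_root_ca "$1" && echo "CA.crt OK, fingerprint: $(cert_fingerprint "$1/CA.crt")"
fi
```

Record the fingerprint printed on the CA server, then run openssl x509 -in /home/admin/CA.crt -noout -fingerprint -sha256 from vshell on each controller before installing; a mismatch means a wrong or truncated file was copied.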
We can copy the certificate to each of the controllers using scp. Answering "yes" to the host key prompt below trusts the controller's SSH key on first use; outside an isolated lab, compare the fingerprint shown against the one on the controller's console before accepting it.
user@ubuntu:~$ scp CA.crt admin@192.168.1.182:
The authenticity of host '192.168.1.182 (192.168.1.182)' can't be established.
ECDSA key fingerprint is SHA256:SrMAeXpNX826K8Y64g5bzXqf2ubcz3GUEJGaFam+L30.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.182' (ECDSA) to the list of known hosts.
viptela 20.9.4
(admin@192.168.1.182) Password:
CA.crt 100% 1249 1.5MB/s 00:00
Repeat this process for the other two controllers as well:
scp CA.crt admin@192.168.1.181:
scp CA.crt admin@192.168.1.183:
We can verify that the certificate is on the device by logging in and dropping into the Linux shell with the vshell command:
vSmart# vshell
vSmart:~$ pwd
/home/admin
vSmart:~$ ls
CA.crt archive_id_rsa.pub
Finally, install the root certificate on each of the devices (vBond, vSmart, vManage):
request root-cert-chain install /home/admin/CA.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/CA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
To complete the certificate deployment we need to tell vManage to synchronize the root certificate chain across the whole SD-WAN deployment, so that it is used for authentication everywhere. You can do this by browsing to the following vManage URL while logged in to vManage:
https://<vManage-mgmt-IP>/dataservice/system/device/sync/rootcertchain
This should display a message stating that the root cert chain sync has been done. If you don't get this output and simply end up on the vManage portal instead, retry browsing to that URL and the message should appear.
This completes the basic certificate setup of our SD-WAN deployment. In the next post we'll continue setting up the controllers.