Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Virtual Managed Services (VMS) 3.2 Cloud VPN and Cloud VCE Service Pack Guide

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Virtual Managed Services (VMS) 3.2 Cloud VPN and Cloud VCE Service Pack Guide

Chapter Title

Using Cloud VPN Service

Results

Updated:
March 20, 2018

Chapter: Using Cloud VPN Service

Using Cloud VPN Service

To begin, log in to the VMS Service Interface using your consumer credentials.

In case of association with several tenants, choose a customer name from the drop-down in the left pane of the Welcome page. The Services and Devices menu items in the UI are populated only after you finish ordering or shopping.

Resetting Password

The Administrator first creates a Tenant and then one or more users.

As a new user, when you receive an email notification (with link) to configure the password, you must click this link before the password expiry date, to specify your new password. In case you forget the password, access the Login page, and click the Forgot Password link. This link opens a page where you are prompted to specify information, so that you receive a mail with the new password.

Placing an Order for a Cloud VPN Service

The Cloud VPN service is a comprehensive networking solution that includes:

  • A VPN that connects one or more locations over the public Internet using the IPsec protocol

  • Remote VPN users (SSL VPN users)

  • Intelligent router (self-configure and self-install) per site

  • Simple self-service management interface with capability to customize the VPN access based on company size, select the VPN speeds and desired level of security.

To get started with the Cisco VMS Portal, begin by placing an order. Consumers/End customers order the Cloud VPN service through the service portal, selecting optional security features before registering one or more CPEs to create a site-to-site VPN.
Procedure
    Step 1   Log in to the Cisco VMS Portal using consumer credentials.
    Step 2   From the left pane, click Service Catalog. Click Cloud VPN in the select Service page.
    Step 3   Select an offer such as Cloud VPN Foundation , Cloud VPN Advanced , or Cloud VPN Advanced with Web Security. A service form is displayed that corresponds to the Offer you've selected.
    Note   

    The Order Summary is displayed in the right pane, based on the details you've entered in the service form.

    Step 4   In the service form, enter the following details:
    • In the Tell us about your company area, enter details such as the number of sites and number of users for each site. Slide the bar in the Anticipated Growth field to indicate the anticipated employee growth.


      Note   

      After you have completed the form, the icon located near the top of the Tell us about your company area turns green indicating the next area can be edited.

    • In the Cloud VPN Speed area (Area name is based on the service you select), select the required speed. Speed controls the maximum throughput of the cloud VPN service. Your choice of speed tells the application to update the purchase amount accordingly.


    • (This option is not available for Cloud VPN Foundation offer.) In the Users area (area name is based on the service and offer selected, for example, Remote Access Users), choose the number of remote access users by sliding the bar. Additional users add charges to your service.


      • The following options are available for Cloud VPN Advanced and Cloud VPN Advanced with Web Security offers only:

      • In the Automated Recovery Service area, select a recovery service based on your requirement. This service provides system recovery for any outage. (This option is only available if Cisco Network Services Orchestrator (NSO) is deployed in multiple data centers.)

      • (This option is available for Cloud VPN Advanced with Web Security offer only.) In the URL Filtering area, select Low, Medium, or High based on your requirement. URL filtering scans HTTP traffic between the VPN users and Internet, takes different actions depending on the category of the destination URL.


      • (Optional) Include the Cloud VCE instance in the VCE attachment area, which allows remote branches that use different WAN access methods to communicate. For more information, see Place an Order for Cloud VCE chapter.


    • In the Devices area, click Add Devices, to select a device.

      • View the list of devices in the Device Catalog popup window. You can click the device to view the specification details.

      • Enter the required quantity in the Quantity field and click Save to close the Device Catalog popup window.

      • You can remove device selection in device popup while upgrade or downgrade of the service.

    • In the Installation Address area, enter the installation address details for each device chosen.

    Note   

    Areas displayed in the service form are based on the service selected in step 3.

    Step 5   Click Save.
    Step 6   Click Review Order placed under the Summary area, at the right pane. Review your order summary in Order Summary page.
    Step 7   Check the I accept the Terms and Conditions check box if you agree to proceed for the purchase. You can also click the Terms and Conditions hyperlink to view the terms and conditions, before you proceed.
    Step 8   Click Purchase. An order confirmation with purchase details is sent to the service provider. You can configure notifications as an email and/or REST to the Service Provider. After confirmation, the service that you have purchased is displayed in the Services window. You can view the Cloud VPN service instance ID.
    Note   

    You can order only one offer for each service, for a customer with many remote users and sites. Also, you can also add more devices for an existing service.

    After your order has been placed, your service is automatically set up and your ordered devices are shipped to your device location by the service provider. You can now start the actual configuration process of the device.

    Approving or Rejecting a Service Request

    When a new service order is submitted, the service request goes through an approval process before it is provisioned. Only an approver user or a user with approver privilege can approve or reject a request. If notifications are enabled, the approvers are notified of the pending approvals. An approver can approve or reject the following request types:

    • New service request

    • Update to an existing service request

    • Service cancellation request

    For a service provider user, the status of the submitted order stays in pending state until it is approved or rejected. If the notifications are configured for the service provider, the user is notified of the status through an email or REST API.

    Note

    Only a user with an out-of-the-box Approver role or Approver permissions can perform this process. By default, VMS provides the approval privileges to an Operator user.

    Before You Begin

    Procedure
      Step 1   Log in to the Cisco VMS Portal.
      Step 2   From the left pane, click Approvals to view a list of pending service requests.
      Step 3   Select a request and do the following:
      1. Click View Details to view the service order summary.
      2. Click Approve or Reject. If rejected, provide a reason for rejection.

      The user is notified about the status.

      .

      Configuring Firewall Rules

      As a consumer, you can define or update the firewall configuration for a Cloud VPN Advanced or Cloud VPN Advanced with Web Security offer.

      Procedure
        Step 1   From the left pane of the service interface, click Services to view the list of offers you have purchased.




        Step 2   In the right pane of the selected (either Advanced or Advanced with Web Security) offer, under Total Bandwidth area, click the Edit firewall (pencil) icon.
        Step 3   In the Firewall Settings window, you can Add or modify a rule (Inside to Outside Firewall Rules area) by entering the mandatory values and click Submit.
        Step 4   Similarly, in the Port Forwarding Rule window, you can Add or modify a rule (Outside to Inside Port Forwarding Rule) by entering the mandatory values and click Submit.

        You can also delete a firewall rule by selecting the specific rule in the Firewall Rule or Port Forwarding Rule area.

        Configuring or Deploying Customer Premise Equipment (CPE)

        Customer Premise Equipment (CPE) supported in the VMS solution currently comes from the Cisco ISR-G2 family of IOS-based routers. These include the 800, 1900, 2900 and 3900 series ISR-G2 routers. CPE is deployed at customer sites and provides secure tunnels from an end customer network into a Cisco Cloud VPN service chain. Provisioning of the CPE is automated by the VMS solution. The key IOS features utilized on these routers are: PnP (Plug and Play), FlexVPN, BGP, NBAR2, and QoS.

        Configuration Requirements

        The Day-1 Startup Configuration loaded on the CPE device includes the following items before the CPE is shipped to the end customer.

        • HTTPS - PnP protocol uses HTTPS on TCP port 443 to contact the PnP server that runs on NSO. The CPE must have an IP address in order to originate this HTTPS request. This is the first point of contact between the CPE and PnP server on NSO.

        • DNS - The CPE requires DNS lookup to work for certificate validation. If DNS is not working, the CPE will not be able to establish a PnP session because it will reject the certificate.

        • NTP - The CPE requires NTP to be working and have its internal clock be relatively close to actual time to ensure certificate validation. If NTP is not working and the CPE clock is not accurate, it might think the certificate is not valid. Most certificates are valid only during a certain date range.

        • Certificate - The CPE must have a certificate in its configuration to properly establish HTTPS session with the PnP server.

        • IOS version and Feature set - Cisco VMS Cloud VPN/VCE requires a minimum IOS version of 15.5(1)T or newer. The use of FlexVPN and IPsec requires that the IOS has a feature set that can support IPsec. This is designated with a "K9" in the image name, and the IOS license type should be "Advanced Security."

        • DHCP- The CPE needs to have an IP address on its WAN interface to connect to the PnP server (NSO) and get provisioned, and this is typically obtained via Dynamic Host Configuration Protocol (DHCP) from the Internet Service Provider (ISP). DHCP also provides a default gateway for the CPE that allows packets to be sent across the Internet.

        • Internet Access - The CPE connects to the PnP server across the open Internet. The Internet connection must be capable of routing traffic across the Internet to the PnP server.

        • WAN port vs LAN port - Each CPE has two or more Ethernet connections. One of them is designated as the WAN port and must be connected to the Internet.

          To complete the deployment of a VMS Cloud VPN service, the CPE devices need to be connected to the respective WAN and LAN links.

          Devices

          WAN Interface

          LAN Interface

          ISR 1900, 2900, 3900 series

          All Cloud VPN ISR devices take on the role of CPEs

          GE 0/1

          GE 0/0

          ISR 881

          FE 4

          FE 0

          ISR 892

          GE 8

          GE 0

        Day -1 Configuration

        All CPEs delivered to a customer must have the Day -1 config as the startup-config, and the same configuration should also be stored in the device flash storage as day--1-config file. If the Day -1 configuration is missing, then the CPE will never attempt to connect to the PnP server until the configuration is loaded. The same configuration is stored as flash:day--1-config so that it can be reset back to "factory defaults" once it has been de-commissioned from the vMS service. If the flash:day--1-config is not present, then the CPE will fail to reconnect to the PnP server after being reset or removed from a service chain. Each CPE type needs a day--1-config file that is specific to the CPE type and deployment. It should be tested in a lab before the configurations are finalized and placed on multiple CPEs.

        A console connection is required to configure a CPE. Once connected to the CPE console, enter enable mode, config mode, and then paste the day--1-config in the terminal session. 

         
 router>enable
 router#config t
 router-config# < now paste the day--1-config into the terminal >
 router-config#end

 router#copy running-config startup-config
 router#copy running-config flash:day--1-conf
        Here is a sample configuration for day--1-config 
         
 aaa new-model

!

aaa authentication login default none

!

 crypto pki trustpoint ncs

 enrollment terminal

 revocation-check crl

!
!
crypto pki certificate chain ncs
 certificate ca 0509
  308205B7 3082039F A0030201 02020205 09300D06 092A8648 86F70D01 01050500
  3045310B 30090603 55040613 02424D31 19301706 0355040A 13105175 6F566164
  B478A53A 874C8D8A A5D54697 F22C10B9 BC5422C0 01506943 9EF4B2EF 6DF8ECDA
  F1E3B1EF DF918F54 2A0B25C1 2619C452 100565D5 8210EAC2 31CD2E  <--Certificate has been truncated in this sample.

        quit
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
!
 interface GigabitEthernet0/0

 ip address dhcp

 duplex auto

 no shut

 speed auto

!
ntp 0.pool.ntp.org
ntp 1.pool.ntp.org
!
line vty 0 15
!

pnp profile test

 transport https ipv4 11.17.0.11 port 443 remotecert ncs  <-- Your NSO server public IP address that this CPE can connect to.

end

        Verification

        The configuration can be checked with the following commands. Both commands should have the same output, and should display all of the configuration needed for PnP to work. 
         
	more flash:day--1-config
 more nvram:startup-config

        The serial number of the CPE can be displayed by executing the show version command. The serial number of the CPE should be saved so that it can be referenced later in case of difficulty. Notice that the show version command also displays the IOS feature set that is enabled.

        For new combinations of CPE device types and Day -1 configurations, it is recommended to verify that the IOS version, feature set, and configuration works before deploying to the field. It is suggested to test it by the normal CPE on-boarding process into a test service chain. This can prevent troubleshooting sessions.

        What Next- The CPE can be on-boarded/registered in the portal either before or after it is connected to the Internet. After a CPE serial number has been associated with a service chain from the portal, and CPE establishes connectivity with NSO, then the CPE is provisioned by NSO. See Registering a Cloud VPN Device section.

        Registering a Cloud VPN Device

        After you subscribe/purchase and configure the Cloud VPN service, the CPEs (devices) must be on-boarded for the Cloud VPN service. Device on-boarding is a two step process: Registering the CPE in the Cloud VPN user interface and connecting the CPEs to the respective WAN and LANs.

        Device registration establishes the mapping between a Cloud VPN service (specific tenant) and the CPEs associated with that tenant.

        When devices are registered in Cisco VMS for a Cloud VPN service, the Plug-N-Play (PnP) server maps the service configuration (that it needs to orchestrate) to the device. In the Cisco VMS solution, the NSO also functions as the PnP server that is used for Zero-Touch Deployment (ZTD) of the CPEs (devices)

        End customer CPEs connect via the IPsec tunnels (implemented with FlexVPN) to the Cloud VPN hub in order to communicate with each other and also to securely access the Internet

        You can register a device as follows:

        Procedure
          Step 1   From the left pane of the Service Interface UI, click Devices to view the list of devices. The devices that are in various statuses such as Unregistered, Registering, Provisioned, Ordering, Updating, Provisioning Failed, Up, Down, Unknown are displayed.
          Step 2   Click the unregistered device.


          Step 3   In the right pane, enter the serial number of the device in the Enter Device Serial Number (SN) field.
          Note   

          A Serial Number is associated to the Customer Premises Equipment (CPE) before the device is shipped. When you specify the serial number, you tell the application to register the device with the Cloud VPN service.

          If the serial number you've specified is incorrect, edit the serial number in the right pane to re-register the device.

          Step 4   Click Register. The status turns to "Provisioned" after the registration is complete.

          The Cloud VPN service requires at least one registered CPE to function. Ensure that you do not delete all CPEs.

          Note   

          • You can modify the serial number of a device or delete a device in the right pane, when you select a device on the Resources page.

          • After you delete a device, the device can be connected again to the same or another Cloud VPN service and does not retain any properties that were previously defined.

          • You can register several devices at the same time- While registering a device, you can register another device before the response for the first is received.

            However, you cannot try to register or update the device if the device is still being registered/provisioned.

          After the CPE has been added to/registered with Cloud VPN, the Cloud VPN portal communicates to NSO by sending edit-config message with the following parameters:

          • cloudvpn - Cloud VPN name

          • CPE - CPE-identifier

          • S/N - Serial Number of CPE

          The service chain configuration (as seen in show configuration cloudvpn <service-chain-name> in NSO CLI) now contains the CPE serial number: 
          admin@ncs> show configuration cloudvpn <service-chain-name> cpe
cpe cpe_1 {
serial FTX00000000;
allocate {
ip-type ipv4;
prefix-size 24;
}
}
          Use cases for updating a serial number:

          • If the tenant administrator enters the incorrect serial number, you must re-enter the serial number as there is no message indicating that the earlier serial number is incorrect. For more details, refer to the Troubleshooting Cloud VPN/VCE Service Errors section.

          • If the device serial number is registered correctly, but registration fails because the device itself has some problems and has to be replaced, then the tenant administrator must modify or update the serial number that has already been entered, so PnP server can associate the new device with the tenant , and update the correct configurations for the replaced/changed device.

          • Similarly, if the device is properly registered and configured, but fails later on, the tenant administrator must swap the device for that customer, then the serial number is changed and the new device is configured.

          • The same is true when the customer upgrades a device where they need to swap device for an existing site. The customer can perform the above steps to change the serial number or register a new device and then configure it.

          Step 5   Set up the traffic bandwidth for each CVPN device or CPE. For more information, see Setting up Bandwidth Prioritization for a CVPN Device or CPE.

          Setting up Bandwidth Prioritization for a CVPN Device or CPE

          After you provision a VMS CVPN service, you can set up the traffic bandwidth for each CVPN device or CPE. Traffic prioritization classifies traffic and assigns bandwidth prioritization as data traverse the network.

          To set the bandwidth prioritization for a CPE or device, you need to:

          • Assign the bandwidth percentage to each traffic class.

          • Specify the upstream and downstream speed.

          • Select the application types for each traffic class.

          To set the bandwidth prioritization, do the following:

          Procedure
            Step 1   Log in to the Cisco VMS Portal.
            Step 2   From the left pane of the Service Interface, click Device.
            Step 3   Choose the device for which you want to specify the bandwidth prioritization and double-click. The Cloud VPN Advance screen appears.
            Step 4   Click the Edit button next to Bandwidth Prioritization. The Bandwidth Prioritization screen appears.

            In Cloud CVPN, the network traffic is classified into four traffic classes: Important, Standard, Critical, and Low.

            Step 5   Select the percentage of the bandwidth that you want to allocate to each traffic class.
            Note    The total bandwidth percentage allocated cannot exceed 100%.
            Step 6   Enter the bandwidth for the Upstream and the Downstream traffic.
            Step 7   Select the application types for each traffic class. You can drag and drop the application types to the respect traffic classes.
            Note    Each traffic class needs at least one application type.
            Step 8   Click Save button to keep your change.

            Upgrading or Downgrading a Service Subscription

            As a consumer, you can either upgrade or downgrade a service subscription based on your requirement. The following scenarios are applicable:

            • Upgrade a Cloud VPN Foundation service to Cloud VPN Advanced service

            • Upgrade a Cloud VPN Foundation service to Cloud VPN Advanced with Web Security service

            • Upgrade a Cloud VPN Advanced service to Cloud VPN Advanced with Web Security service

            • Downgrade a Cloud VPN Advanced with Web Security service to Cloud VPN Advanced service

            • Downgrade a Cloud VPN Advanced with Web Security service to Cloud VPN Foundation service

            • Downgrade a Cloud VPN Advanced service to Cloud VPN Foundation service

            Procedure
              Step 1   From the left pane of the Service Interface, click Services to view the list of services you have purchased in the Services window.
              Step 2   Select a service you want to upgrade or downgrade. The service details are displayed in the right pane.
              Step 3   Click Modify. The offers available for the selected service are displayed in the Modify Service Offer page.
              Step 4   Select an offer based on your requirement and make the necessary changes in the service form. For more information, see the Placing an Order for a Service section.
              Step 5   Click Review Order placed under the Summary area, at the right pane. Review your order summary in Order Summary page.
              Step 6   Check the I accept the Terms and Conditions check box if you agree to proceed for the purchase. You can also click the Terms and Conditions hyperlink to view the terms and conditions, before you proceed.
              Step 7   Click Purchase. An email with purchase details is sent to the service provider. The service that you have purchased is displayed on the Services page.

              Canceling a Service Subscription

              When you cancel or unsubscribe from a service, the service, and associated entities (such as devices, remote users) are removed from the network link.
              Procedure
                Step 1   From the left pane, click Services. The Services window displays the list of services purchased by you.
                Step 2   Select a service you want to unsubscribe. The service details are displayed in the right pane.
                Note   

                You can also delete the service that has not been Provisioned (service whose status is Provisioning Failed).

                Step 3   Click Unsubscribe in Account Options area of the right pane.




                A confirmation message is displayed. Click Unsubscribe. The service is removed in the Services window.
                Note   

                To view the list of events that have occurred in your service, from the left navigation pane in the VMS Portal, click Event Logs.

                You can filter these events by severity and time frame. The object name helps you identify the service for which events are displayed.

                Managing Remote Users

                Remote users must be created in order to access Cisco VMS services from a remote location. As an operator or a consumer, you can create remote users, activate or suspend user accounts, and reset passwords.

                The consumer must enter a username for the remote access user account that needs to be created. A randomly generated password will be created for the newly added user. An email is generated to notify the new remote access user about the login credentials. The email also contains the URL for remote access. This is the URL that was created by the DNSUpdater when the original CloudVPN service was provisioned.


                Note

                This feature is only available for Cloud VPN Advanced and Cloud VPN Advanced with Web Security services.

                Procedure
                  Step 1   From the left navigation pane in the VMS Portal, click Services to view the list of services you have purchased in the Services window.
                  Step 2   Select a provisioned service to which you want to add remote users.
                  Step 3   Click Remote Users (people icon) to display the Services / Remote Users page.
                  Step 4   Click the Add (+) icon. Enter the email address of the remote user and click Save.
                  Note   

                  An email with details about new remote user is sent to the service provider and the remote user, and another email is sent to the remote user with password reset information. Before the password is reset, remote user is in Suspended state.

                  When the remote user resets the password, the status of the remote user automatically changes to active status. To access the Cisco VMS Portal from the remote location, click Download Client to download the VPN client from the Download Software window.

                  The Service Provider operator can host the AnyConnect client wherever they want, and point to it in VMS operator configuration, so customers can click this to download AnyConnect client software.

                  Select the user and choose an appropriate option from Status drop-down to activate or deactivate a remote user.

                  An email is sent to the Service Provider when the status of the remote user is changed.


                  Note

                  • Within this same Remote Users page, a user account can be removed by selecting the remote user account and clicking on X (remove button). A Remote Access User account can also have the password reset by selecting the Remote Access User account and clicking on the Reset Password button.

                  • To view the set of activities performed by the remote user, click the Logs icon.

                  Searching for an event log

                  Procedure
                    Step 1   Log in to the Service Interface using your credentials. If a user belongs to many tenants, a drop-down is displayed to select the tenant.
                    Step 2   Click Search displayed at the top of the window.
                    Step 3   Enter an event name or a keyword in the search box. The list of matching events is displayed.

                    Note

                    To view the list of events that have occurred in your service, from the left navigation pane of the Service Interface, click Event Logs. You can filter these events by severity and time frame.

                    Was this Document Helpful?

                    FeedbackFeedback

                    Contact Cisco

                    Related Cisco Community Discussions

                    About Us
                    Contact Us
                    Work with Us