Introduction
This tutorial shows how to retrieve, modify and submit the XML blocks that represent the configuration of IPsec VPN tunnels inside an EDGE Gateway. The guide covers changing local and peer IP addresses, local and peer IDs, and adding or removing local and peer subnets.
Use Scenarios:
- Lets clients make changes to IPsec configurations quickly.
- Changes of this kind are not possible in the VMware Cloud Director GUI without first removing the existing IPsec VPN configuration completely and re-entering the settings. Depending on the number of tunnels, this can be a time-consuming task; making the changes through the vCloud API can speed it up significantly.
Before you start
Before using the vCloud API to view and update your IPsec VPN settings, we recommend that you install a REST client with which you can access the API. The steps in this article use the Postman client, but the Firefox RESTClient plugin also works. For how to install that plugin, how to obtain the authorization token and how to retrieve VDC data, see our article How to access VMware Cloud Director through the vCloud API. This guide does not cover the initial setup of the client.
Get vOrg information via the API
- Get an authorization token (see the KB article above).
- Send a GET request to the API.
- In the server response, find the API URL of the vOrg.
The resulting URL should look like this:
https://<api_url>/api/org/<org_id>
https://vcd.cloud4y.ru/api/org/958faa8f-e5ab-44f0-a4b5-8144886f1591
- Once we have the link to our organization, make a GET request to it to obtain the API URLs of the entities belonging to the vOrg, such as networks, VDCs and catalogs. Here we are interested in the API link to the VDC.
Obtaining VDC and EDGE information via API
To retrieve VDC entity information, follow these steps.
- Paste the received link into the request line and send the request:
https://<api_url>/api/vdc/<vdc_id>
https://vcd.cloud4y.ru/api/vdc/75f35912-e397-493b-81ce-7e745747dbeb
- The server returns a new response, in which we can find the API URL for the EDGE query.
- Enter that URL in the request line to retrieve the list of EDGE gateways of the VDC. If the request succeeds, the server returns a response in which you can find the API URL of the EDGE of interest.
- Enter the API URL you found in the request line and make a GET request. If the request succeeds, the server returns the EDGE document with its configuration, described in the next section.
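The link-following in the steps above, as an added Python example that is not part of the original article. The three responses it parses are constructed for the example (host, names and ids are invented); the Link rel and type values for VDCs and EDGE gateways are the ones the vCloud API uses for these entities, but confirm them against the responses you actually receive. The function that performs the authenticated GET is left to the caller, and a stub stands in for it here so the example runs offline.

```python
"""Walk the vCloud API from an organization down to its EDGE gateways.

Added example, not code from the original article. The three responses are
constructed (host, names and ids invented); the Link rel/type values are the
ones the vCloud API uses for these entities, but confirm them against the
responses your tenancy actually returns.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
VDC_TYPE = "application/vnd.vmware.vcloud.vdc+xml"

API_HOST = "vcd.example.net"  # constructed; use the host you authenticated against
ORG_URL = f"https://{API_HOST}/api/org/00000000-0000-0000-0000-000000000001"
VDC_URL = f"https://{API_HOST}/api/vdc/00000000-0000-0000-0000-000000000002"
EDGE_QUERY_URL = f"https://{API_HOST}/api/admin/vdc/00000000-0000-0000-0000-000000000002/edgeGateways"
EDGE_URL = f"https://{API_HOST}/api/admin/edgeGateway/00000000-0000-0000-0000-000000000004"

# Constructed responses, trimmed to the Link elements the walk needs.
ORG_XML = f"""<Org xmlns="{NS}" name="acme" href="{ORG_URL}">
  <Link rel="down" type="{VDC_TYPE}" name="vdc-01" href="{VDC_URL}"/>
  <Link rel="down" type="application/vnd.vmware.vcloud.catalog+xml" name="public"
        href="https://{API_HOST}/api/catalog/00000000-0000-0000-0000-000000000003"/>
</Org>"""
VDC_XML = f"""<Vdc xmlns="{NS}" name="vdc-01" href="{VDC_URL}">
  <Link rel="up" type="application/vnd.vmware.vcloud.org+xml" href="{ORG_URL}"/>
  <Link rel="edgeGateways" type="application/vnd.vmware.vcloud.query.records+xml" href="{EDGE_QUERY_URL}"/>
</Vdc>"""
EDGE_RECORDS_XML = f"""<QueryResultRecords xmlns="{NS}" total="1" pageSize="25" page="1">
  <EdgeGatewayRecord name="edge-01" href="{EDGE_URL}"/>
</QueryResultRecords>"""
FAKE_RESPONSES = {VDC_URL: VDC_XML, EDGE_QUERY_URL: EDGE_RECORDS_XML}


def fake_fetch(url):
    """Stands in for an authenticated GET so the example runs offline."""
    return FAKE_RESPONSES[url]


def find_links(doc_xml, rel=None, media_type=None):
    """hrefs of the <Link> elements in a response matching the given rel and/or type."""
    root = ET.fromstring(doc_xml)
    return [link.get("href") for link in root.iter(f"{{{NS}}}Link")
            if (rel is None or link.get("rel") == rel)
            and (media_type is None or link.get("type") == media_type)]


def find_edge_gateway_urls(org_xml, fetch, api_host):
    """Return {EDGE name: API URL} for every VDC in the organization.

    The hrefs come from the server, so only https links to the host you
    authenticated against are followed: fetch() sends the session token with
    every request, and a link elsewhere would hand that token to another host.
    """
    def trusted(url):
        parts = urlparse(url)
        return parts.scheme == "https" and parts.netloc == api_host

    edges = {}
    for vdc_url in find_links(org_xml, rel="down", media_type=VDC_TYPE):
        if not trusted(vdc_url):
            continue
        for query_url in find_links(fetch(vdc_url), rel="edgeGateways"):
            if not trusted(query_url):
                continue
            records = ET.fromstring(fetch(query_url))
            for rec in records.iter(f"{{{NS}}}EdgeGatewayRecord"):
                edges[rec.get("name")] = rec.get("href")
    return edges


if __name__ == "__main__":
    for name, url in find_edge_gateway_urls(ORG_XML, fake_fetch, API_HOST).items():
        print(name, url)
```

With a real client, replace fake_fetch with a function that performs the GET with your authorization header and returns the response body; the walk itself is unchanged. The host check matters because the client follows whatever hrefs the responses contain, and every request it makes carries the session token.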
Checking EDGE configuration
In the XML response, the EDGE configuration is contained between the opening <Configuration> and closing </Configuration> tags.
This XML block is divided into sections that detail the configuration parameters of a particular item, function or service available on the EDGE. There are twelve sections in all, but we are only interested in the configuration parameters contained in the <GatewayIpsecVpnService> tags. The example below shows a general overview of the structure of the returned XML block, including the <GatewayIpsecVpnService> tags.
! We recommend that you save the XML data from the opening <Configuration> tag to the closing </Configuration> tag in a separate file, so that you can roll back to a working version if a change turns out to be wrong. Note that this file contains the shared secret of every IPsec tunnel in clear text (see the <SharedSecret> tag below): store it with restrictive permissions and delete it once the change has been verified.
Configuring IPsec VPN settings in the returned XML
To edit the IPsec VPN settings, copy the content between the opening <GatewayIpsecVpnService> and closing </GatewayIpsecVpnService> tags into a text file. Its content should look like the XML block shown in the previous section.
You can now change any of the parameters in this block:
- The local IP address and local identifier are the values of the <LocalIpAddress> and <LocalId> tags respectively.
- To point the tunnel at a new remote device or IP address, change the <PeerIpAddress> and <PeerId> values. <PeerId> must match the identifier the remote device presents during IKE negotiation; most devices identify themselves by their public IP address, so the two values are normally identical.
- Local subnets are described by <LocalSubnet> elements and remote subnets by <PeerSubnet> elements. To add or remove a subnet, add or remove the whole element, keeping all <LocalSubnet> elements before the <PeerSubnet> elements (the schema expects them in that order).
- To change the shared secret, replace the value between the opening <SharedSecret> and closing </SharedSecret> tags; the remote device must be configured with the same value.
These are the most common changes when configuring IPsec tunnels.
Applying the new configuration
After making changes to the XML data, you can apply them to the EDGE settings. To do this, complete the following steps:
- Wrap the new configuration in a pair of <EdgeGatewayServiceConfiguration> tags.
- Copy this configuration into the Body section of the Postman client, with the body type set to raw and the format to XML.
- In the list of request types, select POST.
- In the URL field, append the following to the EDGE API URL obtained earlier:
/action/configureServices
- Before sending, add one more header in addition to the authorization header: open the Headers tab of the REST client, enter Content-Type in the Name field and the following in the Value field:
application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml
- Press Send to apply the new configuration. The API accepts the request asynchronously and answers with a Task; once it has completed, repeat the GET request for the EDGE and confirm that the <GatewayIpsecVpnService> block contains your changes. If it does not, re-apply the saved copy of the configuration in the same way.
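The whole procedure from the previous two sections, as an added Python example that is not part of the original article: it takes the EDGE document returned by the GET request, edits a tunnel's endpoints, subnets and shared secret, wraps the result in <EdgeGatewayServiceConfiguration> and assembles the POST. SAMPLE_EDGE_XML is constructed for the example (element names follow the vCloud API schema; addresses, names and the secret are invented), and the x-vcloud-authorization header is an assumption, since the companion KB article covers how the token is obtained and sent.

```python
"""Edit IPsec VPN tunnels in an EDGE Gateway document fetched from the vCloud API
and build the body for POST <edge_url>/action/configureServices.

Added example, not code from the original article. SAMPLE_EDGE_XML is constructed:
element names follow the vCloud API schema; addresses, names and the secret are invented.
"""
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
ET.register_namespace("", NS)  # serialise with a default namespace instead of ns0:
CONTENT_TYPE = "application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml"

def q(tag):
    return f"{{{NS}}}{tag}"  # namespace-qualified tag name

SAMPLE_EDGE_XML = f"""<EdgeGateway xmlns="{NS}" name="edge-01">
  <Configuration>
    <EdgeGatewayServiceConfiguration>
      <GatewayIpsecVpnService>
        <IsEnabled>true</IsEnabled>
        <Tunnel>
          <Name>site-a</Name>
          <PeerIpAddress>203.0.113.10</PeerIpAddress>
          <PeerId>203.0.113.10</PeerId>
          <LocalIpAddress>198.51.100.5</LocalIpAddress>
          <LocalId>198.51.100.5</LocalId>
          <LocalSubnet><Name>lan</Name><Gateway>10.10.0.1</Gateway><Netmask>255.255.255.0</Netmask></LocalSubnet>
          <PeerSubnet><Name>remote-lan</Name><Gateway>10.20.0.1</Gateway><Netmask>255.255.255.0</Netmask></PeerSubnet>
          <SharedSecret>old-secret</SharedSecret>
          <IsEnabled>true</IsEnabled>
        </Tunnel>
      </GatewayIpsecVpnService>
    </EdgeGatewayServiceConfiguration>
  </Configuration>
</EdgeGateway>"""

def extract_ipsec_service(edge_xml):
    """The <GatewayIpsecVpnService> block of an EdgeGateway response."""
    svc = ET.fromstring(edge_xml).find(f".//{q('GatewayIpsecVpnService')}")
    if svc is None:
        raise ValueError("response has no GatewayIpsecVpnService block")
    return svc

def find_tunnel(svc, name):
    for tunnel in svc.findall(q("Tunnel")):
        if tunnel.findtext(q("Name")) == name:
            return tunnel
    raise KeyError(f"no tunnel named {name!r}")

def set_endpoint(tunnel, side, ip, ident=None):
    """side is 'Local' or 'Peer'. The Id must equal the identity the other end
    expects; devices usually identify by their public IP, so that is the default."""
    for tag, value in ((f"{side}IpAddress", ip), (f"{side}Id", ident or ip)):
        el = tunnel.find(q(tag))
        if el is None:
            raise KeyError(f"tunnel has no <{tag}>")
        el.text = value

def set_shared_secret(tunnel, secret):
    if not secret:
        raise ValueError("shared secret must not be empty")
    tunnel.find(q("SharedSecret")).text = secret

# Elements that must come after each kind of subnet in the <Tunnel> sequence.
_FOLLOWERS = {"LocalSubnet": ("PeerSubnet", "SharedSecret"), "PeerSubnet": ("SharedSecret",)}

def add_subnet(tunnel, side, name, gateway, netmask):
    """<Tunnel> is an ordered sequence (local subnets, peer subnets, SharedSecret, ...),
    so the new element is inserted before the first element that must follow it."""
    subnet = ET.Element(q(side))
    for tag, value in (("Name", name), ("Gateway", gateway), ("Netmask", netmask)):
        ET.SubElement(subnet, q(tag)).text = value
    followers = {q(t) for t in _FOLLOWERS[side]}
    index = next((i for i, c in enumerate(tunnel) if c.tag in followers), len(tunnel))
    tunnel.insert(index, subnet)
    return subnet

def remove_subnet(tunnel, side, gateway, netmask):
    """Remove the <LocalSubnet>/<PeerSubnet> elements with this gateway and netmask."""
    matches = [s for s in tunnel.findall(q(side))
               if (s.findtext(q("Gateway")), s.findtext(q("Netmask"))) == (gateway, netmask)]
    for s in matches:
        tunnel.remove(s)
    return len(matches)

def build_configure_services_body(svc):
    """Wrap the edited service in <EdgeGatewayServiceConfiguration>, as the article instructs."""
    wrapper = ET.Element(q("EdgeGatewayServiceConfiguration"))
    wrapper.append(svc)
    return ET.tostring(wrapper, encoding="unicode")

def configure_services_request(edge_url, token, body):
    """The article's POST as a dict for any HTTP client. x-vcloud-authorization is
    the vCloud session header (assumed here; the companion KB covers the token)."""
    return {"method": "POST", "url": edge_url.rstrip("/") + "/action/configureServices",
            "headers": {"x-vcloud-authorization": token, "Content-Type": CONTENT_TYPE},
            "body": body}
```

A typical run is extract_ipsec_service(edge_xml), find_tunnel(svc, "site-a"), one or more of set_endpoint, add_subnet, remove_subnet and set_shared_secret, then configure_services_request(edge_url, token, build_configure_services_body(svc)) sent with the client of your choice. add_subnet deliberately does not append: the children of <Tunnel> form an ordered sequence, and a block with a <LocalSubnet> placed after a <PeerSubnet> or after <SharedSecret> may be rejected when the API validates the request.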