Before starting work on building an IPsec VPN tunnel between your on-prem firewall/router and Infoblox NIOS-XaaS, you will need to set up some prerequisites in the Infoblox Portal.
...
“Access Locations”, where you specify the type, location, credential (PSK) and WAN IP address(es). You can specify up to two public IP addresses for a single site.
“Service Location” settings. Size determines how many locations can use the Service Location and how many Universal DDI Server tokens the Service Location will require. The Location setting specifies where the POP (point of presence) will be geographically located (e.g. AWS Europe or GCP US West).
Service IP is a private IP address of your choice that will host the capabilities (DNS/DHCP/DNS Security). It lives in the POP and is reached through the tunnel, so choose an address that is not already in use anywhere on your network.
Primary Neighbor IP: the IP that will be used as the source IP when the Service Location initiates traffic to on-prem (for example, when it forwards a DNS request from the POP to a DNS server that is on-prem).
Secondary Neighbor IP: the IP that will be used as the source IP when the Service Location initiates traffic to on-prem (for example, when it forwards a DNS request from the POP to a DNS server that is on-prem). This is the backup of the Primary Neighbor IP, since it exists in a separate availability zone in the POP.
...
In principle, you will need to ensure that the following traffic flows are allowed on your network.
Source IP | Destination IP | Port/Protocol/Application
---|---|---
WAN IP (your firewall) and Peer IP, in both directions | Peer IP and WAN IP, in both directions | IKE (udp/500), IPsec NAT-T (udp/4500) and IPsec ESP (IP protocol 50)
All internal IP addresses or subnets that should be able to query DNS | Service IP | DNS (udp/53 and tcp/53)
All internal IP addresses or subnets that should be able to access DHCP | Service IP | DHCP (udp/67, udp/68, tcp/67 and tcp/68)
All internal IP addresses or subnets that should be able to ping the Service IP for troubleshooting | Service IP | Ping (ICMP)
Primary and Secondary Neighbor IP | Internal DNS servers that NIOS-XaaS may forward to or transfer zones from | DNS (udp/53 and tcp/53)
Source and destination IP (this rule must be bidirectional):
Your firewall IP. This is usually the same as the “WAN IP Address” defined earlier, but if the device you are setting up sits inside the network, this will be the device's private IP, and your edge firewall must then permit this traffic (and, because the device is behind NAT, the tunnel will use NAT traversal on udp/4500).
“Peer IP” as defined earlier.
Application/Port: IKE (udp/500) and IPsec (udp/4500 for NAT traversal, plus ESP, IP protocol 50).
You will also need to permit DNS and DHCP through the tunnel, and you may want to allow ICMP, as the “Service IP” is pingable through the VPN. Note that DHCP clients discover servers by broadcast, which does not cross the tunnel, so the DHCP relay on your local router or firewall must be configured to forward to the Service IP; the relay's own address is then the source IP of that traffic.
Source IP: All internal IP addresses or subnets that should be able to access the capability (DNS/DHCP)
...
DNS (udp/53 and tcp/53)
...
DHCP (udp/67 and udp/68 and tcp/67 and tcp/68)
...
VPN Tunnel
You will need to configure the IPsec VPN tunnel as per the vendor instructions for the firewall device you are using. The following information is relevant.
...
The following tunnel service statuses are reported:
Not Ready (status color ORANGE): the service is being provisioned at the Infoblox POP (Service Location). This is a one-time state; the service will not return to it once it has moved on.
Ready (status color ORANGE): the backend for the tunnel(s) is provisioned, but the link is not yet connected at the customer site. This is a one-time state; the service will not return to it once it has moved on.
Connected (status color GREEN): all tunnels are active and operational on both ends, the Infoblox POP and the customer site (router).
Not Connected (status color RED): all tunnels are down.
Degraded (status color ORANGE): the site has multiple tunnels (for example, two tunnels to one Availability Zone) and one or more, but not all, of them are down, or an existing tunnel is failing its health checks. Degradation is judged on tunnel metrics such as latency and packet loss.
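For monitoring, the practical question is how per-tunnel state rolls up into the site status above and which states are one-way. The following is an added example, not Infoblox code, that models exactly that roll-up; the latency and packet-loss thresholds it uses to call a tunnel unhealthy are assumptions, since the page does not publish Infoblox's values.

```python
"""Roll per-tunnel state up into the NIOS-XaaS tunnel service status.

Added example (not Infoblox code). Thresholds are assumptions.
"""
from dataclasses import dataclass

LATENCY_MS_MAX = 150.0   # assumption: above this a tunnel counts as degraded
LOSS_PCT_MAX = 2.0       # assumption: above this a tunnel counts as degraded

COLOR = {"Not Ready": "ORANGE", "Ready": "ORANGE", "Connected": "GREEN",
         "Not Connected": "RED", "Degraded": "ORANGE"}


@dataclass
class Tunnel:
    name: str
    up: bool
    latency_ms: float = 0.0
    loss_pct: float = 0.0

    def healthy(self):
        """Up and within the metric thresholds; an up-but-lossy tunnel still degrades the site."""
        return self.up and self.latency_ms <= LATENCY_MS_MAX and self.loss_pct <= LOSS_PCT_MAX


class TunnelService:
    """Tracks the two one-time provisioning states plus the steady-state tunnel status."""

    def __init__(self, provisioned=False):
        self.provisioned = provisioned     # leaves Not Ready once the POP backend exists
        self.ever_connected = False        # leaves Ready once a tunnel first comes up

    def status(self, tunnels):
        if not self.provisioned:
            return "Not Ready"             # never returns here after provisioning
        if any(t.up for t in tunnels):
            self.ever_connected = True     # latched: Ready is a one-time state
        if not self.ever_connected:
            return "Ready"
        if not any(t.up for t in tunnels):
            return "Not Connected"         # all tunnels down
        if all(t.healthy() for t in tunnels):
            return "Connected"
        return "Degraded"                  # some down, or an up tunnel failing its metrics


def demo_sequence():
    """Constructed timeline for a site with two tunnels to one Availability Zone."""
    svc = TunnelService()
    a, b = Tunnel("az1-a", up=False), Tunnel("az1-b", up=False)
    seen = [svc.status([a, b])]            # Not Ready
    svc.provisioned = True
    seen.append(svc.status([a, b]))        # Ready
    a.up = True
    seen.append(svc.status([a, b]))        # Degraded: one of two tunnels up
    b.up = True
    seen.append(svc.status([a, b]))        # Connected
    b.loss_pct = 5.0
    seen.append(svc.status([a, b]))        # Degraded: both up, one lossy
    a.up = b.up = False
    seen.append(svc.status([a, b]))        # Not Connected (not Ready: that state never returns)
    return seen


if __name__ == "__main__":
    for s in demo_sequence():
        print(f"{s:<14} {COLOR[s]}")
```

When wiring this into alerting, page on transitions into Not Connected, ticket on Degraded, and treat a site that is still Ready long after provisioning as a configuration problem on the customer side rather than a POP fault.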
...