DIAGRAM NEEDED
In this article, you’ll learn how to setup NAT loopback, also knowns as hairpin NAT.
In order to setup NAT loopback, you will need:
NAT loopback, also known as Hairpin NAT, is a technique that allows users on the internal network to access a server on the same network using its public IP address.
This can be useful in situations where the server is configured to use a public IP address, and users need to access it from both the internal and external networks.
Here is a step-by-step guide on how to configure NAT loopback:
To configure NAT loopback, you will need to have a network infrastructure that supports it. Start by creating a new Ecosystem, if you don’t already have one set up.
To enable VPN connectivity, you need to create a WireGuard gateway object. This object will be used to configure VPN connectivity to the ecosystem.
Connect a virtual machine running a web server to the ecosystem using WireGuard VPN. This VM will serve as the target server for NAT loopback.
Create an Allocated-IP object for the web server. This IP address will be used to access the server from the internet.
Create a security policy that allows traffic from any source to any destination.
Create a NAT policy that maps the public IP address of the server to its private IP address. This policy should be configured to allow inbound traffic from any source.
Create a NAT policy that allows users connected to the VPN to access the web server using its public IP address. This policy should be configured to allow traffic from the VPN subnet to the Allocated-IP object.
Create a Thing Device object for the VPN users (things) that will be connecting to the ecosystem. This object will be used to configure VPN connectivity for the users.
As a user, connect to the ecosystem using Acreto Connect Client (VPN) to establish a VPN connection.
As a VPN user, connect to the web server using the Allocated-IP object. This will allow you to access the server using its public IP address, even if you are on the internal network.
Usually the Orgazniations use Acreto to secure the WebServer or MailServer. If the server is connected to Acreto Ecosystem, and is properly isolated and secured, then to access that Server users may choose to connect:
Option 4. requires NAT loopback, to allow redirection of the traffic that is originated in local network (source IPs are local), but the destination is Public IP. The loopback policy allows to divert back the traffic to Local IP of the Server.
The benefit from this NAT Loopback (Hairpin NAT) configuration is for the End-Users.
End-Users can connect the Server using it’s DNS name from any location (inside Ecosystem while connected using VPN such as Acreto Connect Client), or from the Internet.
In this article, you will learn how Acreto integrates with Identity Providers (like Active Directory or OKTA) to authenticate your users.
An Identity Provider is a service that verifies and stores user identity information. Some examples of Identity Providers are:
In addition to an Identity Provider, you might also want to configure a 2-Factor Authentication (2FA) provider.
Using a 2FA provider will require your users to provide more than one type of credential when authenticating; for example, a password (something users know) and a code displayed via mobile phone (something users own).
Integrating an Identity Provider will allow you to:
Acreto uses Identity Providers to deliver the following features for data plane users:
Acreto sends a request to the Identity Provider each time it needs to access user information. We only store some anonymized user identity data (for example, in Active Directory it is Guid). We might also cache some user data in memory on a short-term basis.
Identity Providers are only used to authenticate an Ecosystem’s data plane users or while connecting to an Ecosystem with OpenVPN or Acreto TLS-Client.
In this article, you’ll learn how to integrate your Azure Active Directory with an Acreto Ecosystem. This process involves the following steps:
This feature is currently in beta mode.
In order to integrate Acreto with Azure Active Directory, you will need:
An Azure Active Directory integration allows your Acreto Ecosystem to utilize the user credentials stored in your Active Directory to connect to the Ecosystem using Acreto TLS Client.
It uses the LDAPS (LDAP Secure) protocol and the Domain Services which can be deployed on the Azure account to sync with AD passwords.
The LDAPS protocol is used to establish communication between the Acreto Ecosystem and the Azure Active Directory.
Administrators integrate with a Lightweight Directory Access Protocol (LDAP) directory to streamline the user login process and to automate administrative tasks, such as creating users and assigning roles. An LDAP integration allows the system to use it’s existing LDAP server as the master source of user data.
Typically, AD integration is also part of a single sign-on implementation.
The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.
In the diagram below, you can see the communication flow between some Employee (trying to connect to the Ecosystem using Acreto TLS Client), Acreto Ecosystem and Azure AD.
The integration never stores LDAP passwords on the Ecosystem.
The integration uses a read-only connection that never writes to the Azure Active Directory. The integration only queries for information.
To configure your Azure Active Directory to work with Acreto, please:
1.Log in to New or Existing Ecosystem
Create Security Policy
Create a Security Policy that allows users to connect through your Identity Provider to reach all destinations.
In beta mode, all users authenticated using Identity Providers belong to default profile group Profile Group 1. This will change in future versions.
To simplify the initial configuration, we will create a policy that allows all traffic to be passed through the Ecosystem.
You should customize the Security Policy to fit your needs once the Identity Provider setup is complete. It should be configured to limit access to network resources for each group (Profile Group).
Add New Identity Provider
To add a new Identity Provider, select Objects and Identity Providers from the left menu and then click on “Add New”.
Fill the form with proper values:
OU=AADDC Users, DC=somedomain, DC=onmicrosoft, DC=com, for On-premise Windows Server AD CN=Users, DC=SOMEDOMAIN, DC=comBase DN and other values may be specific for your custom configuration. Check proper configuration in the AD control panel.
To allow users, employees or team members VPN users to authenticate in OpenVPN using Azure AD credentials, Acreto offers unique and individual URLs for every Ecosystem portal called Onboarding Portal.
To access the unique URL to that portal, please click on Edit next to previously added IdP and scroll down.
Then, click on the icon to copy the URL.
Now, provide the generated link to your users.
When the End User or Employee opens the Onboarding Portal, the Welcome Page will be presented.
The Ecosystem Admin should share this URL with the End Users, ask them to open it, and then follow instructions.
Active Directory included into Office 365 subscription sufficient for the integration?
No, Office 365 subscription covers only the free Azure Active Directory.
You need Azure Active Directory Domain Services which is an additional subscription from Microsoft.
Why is it required to enable password synchronization in Azure Active Directory Domain Services?
Enable password synchronization in Azure Active Directory Domain Services - As documented on Microsoft article Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain:
Users (and service accounts) can’t perform LDAP simple binds if you have disabled NTLM password hash synchronization on your managed domain.
Acreto uses LDAP simple binds, therefore NTLM password hash synchronization feature needs to be enabled.
If you followed the first tutorial and don’t use on-premises AD the synchronization (between your Azure AD and Azure AD Domain Services) will be enabled by default. However it is needed to reset the password of all current users. It can be done by expiring all the current passwords or resetting them manually from the Azure AD Users View.
Thanks to Acreto and Azure Active Directory Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.
Also, Acreto Ecosystem Admin(s) can re-use any existing password and security policies that are already in place. For example, the Active Directory may already have account lockout and password expiration policies.
In this article, you’ll learn how to integrate your Windows Server Active Directory with an Acreto Ecosystem. This process involves the following steps:
An Active Directory integration allows your Acreto Ecosystem to utilize the user credentials stored in your Active Directory to connect to the Ecosystem using Acreto TLS Client.
The LDAPS protocol is used to establish communication between the Acreto Ecosystem and the Active Directory.
Administrators integrate with a LDAP (Lightweight Directory Access Protocol) to streamline the user login process and to automate administrative tasks, such as creating users and assigning roles. An LDAP integration allows the system to use it’s existing LDAP server as the master source of user data.
Typically, an AD integration is also part of a single sign-on implementation.
The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.
In the diagram below, you can see the communication flow between some Employee (trying to connect to the Ecosystem using Acreto TLS Client), Acreto Ecosystem and AD.
%%{init:{"fontFamily":"monospace", "sequence":{"showSequenceNumbers":true}}}%%
sequenceDiagram
Employee->>Ecosystem:Here is my password.
Ecosystem->>Azure AD: is Employee's password.
Azure AD->>Ecosystem: Sure, let the Employee in!
Ecosystem->>Employee: Welcome!
The integration never stores LDAP passwords on the Ecosystem.
The integration uses a read-only connection that never writes to the Active Directory. The integration only queries for information.
To complete this procedure, you should:
Login to New or Existing Ecosystem
Create Security Policy
Create a Security Policy that allows users connecting through your Identity Provider to reach all destinations.
In beta mode, all users authenticated using Identity Providers belong to default profile group Profile Group 1. This will change in future versions.
To simplify initial configuration, we will create a policy that allows all traffic to be passed through the Ecosystem.
You should customize the Security Policy to fit your needs once the Identity Provider setup is complete. It should be configured to limit access to network resources for each group (Profile Group).
Add New Identity Provider
To add a new Identity Provider, select Objects and Identity Providers from the left menu and then click on “Add New”.
Fill the settings with connection details
Save and commit your changes
To allow users, employees or team members VPN usersto authenticate in Acreto Connect Client using AD credentials, Acreto offers unique andindividual URLs for every Ecosystem portal called Onboarding Portal.
When the VPN user opens the Onboarding Portal, the Welcome Page will be presented.
The Ecosystem Admin(s) should share this URL with the VPN Users, ask them to open it and then follow instructions.
The first step of onboarding is to recognize the user’s operating system to provide platform-specified installers and profiles.
The second step allows you to download the latest version of Acreto Connect Client and the VPN profile.
Thanks to Acreto and Active Directory Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.
Also, Acreto Ecosystem Admin(s) can re-use any existing password and security policies that are already in place. For example, the Active Directory may already have account lockout and password expiration policies.
This feature is currently in Beta.
In this article, you’ll learn how to integrate OKTA with an Acreto Ecosystem. The OKTA integration allows your Acreto Ecosystem to utilize the user credentials managed by OKTA to connect to the Ecosystem using Acreto TLS Client.
It uses the LDAPS (LDAP Secure) protocol and the OKTA LDAP Interface which can be deployed on the OKTA account.
To configure your OKTA account, you need to enable the OKTA LDAP Interface. Please go through the following procedures:
Ensure that created Third-Party Administrator account will not be challenged with OKTA Multifactor Authentication for requests originating from your Ecosystem IP addresses. You also need to whitelist the following addresses on your server section of the Identity Provider creation page in step 2.
Add New Identity Provider
To add a new Identity Provider:
Create Security Policy to allow traffic sent by your users
When you create a new Identity Provider, a new Profile Group is created with a name containing
Identity Provider name, for example: Identity Provider LDAP001 (fa45).
By default, all users authenticated with this Identity Provider are assigned to that
Profile Group.
To allow traffic from your users using that Identity Provider, select this Profile Group in the Source field of Security Policy. For detailed instructions on creating a Security Policy, see Create first security policy.
Commit your changes
To test the integration:
To get more information about end-user onboarding experience, see onboarding documentation
Thanks to Acreto and OKTA Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.
Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide other information. For example, this second factor could come from one of the following categories:
Acreto supports the most popular form of two-factor authentication - which uses a software-generated time-based, one-time passcode (also called TOTP, or “soft-token”) and also auth-code sent to the user’s email.
First, users must download and install a free 2FA app on their smartphone or desktop. They can then use the app with any site supporting this authentication type. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app. Like hardware tokens, the soft token is typically valid for less than a minute. And because the code is generated and displayed on the same device, soft tokens remove the chance of hacker interception. That’s a big concern with SMS or voice delivery methods.
Since app-based 2FA solutions are available for mobile, wearables, or desktop platforms — and even work offline — user authentication is possible almost everywhere.
To start using MFA, you must own an application that will be your second-factor code generator. Several popular MFA (Multi-Factor Authentication) applications are available in the market:
All mentioned application uses starts supported by Acreto - choose the best tool for you and install it on your device.
Acreto uses Multifactor Authentication in two scenarios:
Both of these options are optional and can be enabled or disabled any time.
In an increasingly interconnected and threat-prone digital landscape, Multi-Factor Authentication has emerged as a “must-have” feature for organizations and individuals. By mitigating password vulnerabilities, enhancing security, complying with regulations, and offering user convenience, MFA significantly strengthens access control and protects against unauthorized access and data breaches. Implementing MFA is a proactive step towards bolstering overall cybersecurity posture and safeguarding sensitive information.
Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide other information.
Read more about why you should enable MFA in Acreto Ecosystem in this article.
To enable MFA for Ecosystem users, there are some steps required:
To activate Multi-Factor Authentication for the Ecosystem users, login into Acreto Portal and choose your Ecosystem from the Ecosystem list.
Move to Multi-Factor Auth (1) and enable the MFA option (2). When enabled, you may change the available source of the second factor (3).
You may enable a One-time password generator like Google Auth or/and email address. In the second case, the user will receive an email message with a code on each authentication. You may find more details about the second factor in an article for users.
This setting only enables the configurable option for the user, which may choose from available methods when configuring MFA for his account.
Save and commit the settings.
When the MFA is enabled, go to the Users section and invite all users again - this will generate a special type of Acreto Connect Client profile with MFA support.
This part of the procedure is mandatory - this invitation allows users to set up their Multi-Factor access.
Choose the users from the list and send the invitation.
Working with users, you may expect many potential issues with the second factor - lost devices, forgotten passwords, etc.
The best solution for all potential issues with locked access is a reset of the MFA. However, this action is available only to Ecosystem Administrator for security reasons.
If the users need to reset the MFA, they should ask Administrator to reset MFA.
Ecosystem Administrator can then go to the Users list in Acreto Portal, choose a user, and perform Reset MFA or Reset and Logoff action.
The reset option is dedicated to users who " forgot " the MFA device/source credentials. In case of the situation when the device was stolen, the best practice is to use Reset MFA and Logoff - this will automatically close all existing Acreto sessions related to this device.
MFA is an easy-to-enable and managed feature that increases security to another level.
Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide other information.
This article explains why you should enable MFA in Acreto.
The Administrator of your Ecosystem should Enable the MFA for you.
To get the best User Experience with Acreto MFA, you need to download and install Acreto Connect Client
If MFA is enabled in your Ecosystem, you should receive an Invitation email that allows you to set up the MFA for your account.
Click the Button Accept Invitation to start the onboarding process. Next, you see an MFA setup page - provide your username and password registered on Identity Provider ( Generic LDAP, Azure Active Directory, Windows Server AD, Google Workspace, etc.) and select one of the Multi-Factor Providers to register their Multi-factor device.
On this screen, you may also choose the second-factor method: Email or Authentication Application - more details about them in next the step.
There are two ways of receiving the second factor of authentication - Email and Authentication Application.
From now on, periodically (usually once for 24h), Acreto Connect Client will ask you about the second factor.
You must provide the token to keep the connection or establish a new one. Acreto Connect CLient will inform you about the need to authenticate with the proper window.
In an increasingly interconnected and threat-prone digital landscape, Multi-Factor Authentication has emerged as a “must-have” feature for organizations and individuals. By mitigating password vulnerabilities, enhancing security, complying with regulations, and offering user convenience, MFA significantly strengthens access control and protects against unauthorized access and data breaches. Implementing MFA is a proactive step towards bolstering overall cybersecurity posture and safeguarding sensitive information.
Two-Factor Authentication (2FA or MFA) - 2FA is an extra layer of security to ensure that people trying to access an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they must provide another information.
Read more about why you should enable MFA in Acreto Ecosystem in this article.
To start using MFA, you must own an application that will be your second-factor code generator. Several popular MFA (Multi-Factor Authentication) applications are available in the market:
All mentioned application uses starts supported by Acreto - choose the best tool for you and install it on your device.
Two-Factor Authentication (2FA) and Timeout Log in to your Acreto account, and clock on your email address in the top right corner; next, choose the Profile option.
Scroll down to the bottom of the panel, and click the Enable button in Two-Factor Authentication (2FA) to enable this feature.
The new window will show a QR code you should scan using Google Authenticator or a similar tool. Scan it, and in step #4 place the first authentication code from this app, to confirm that the setup is correct; click on Enable button.
From now on, every login to Wedge will ask you about the second factor. On the same panel, you can also define the inactivity timeout when logged out - you can choose between 5min, 10min, and 30min.
Remember to save the setting using the Update button.
When MFA for an account is activated on every login to the Ecosystem, you will need to use the second factor to confirm your credentials.
In an increasingly interconnected and threat-prone digital landscape, Multi-Factor Authentication has emerged as a “must-have” feature for organizations and individuals. By mitigating password vulnerabilities, enhancing security, complying with regulations, and offering user convenience, MFA significantly strengthens access control and protects against unauthorized access and data breaches. Implementing MFA is a proactive step towards bolstering overall cybersecurity posture and safeguarding sensitive information.
Thank you for choosing the Acreto platform. You will find several steps that you should follow.
Registering and activation of the account is the first step to start using Acreto services. This article is a guide on the standard register & confirm procedure.
If you would like to create an account on Acreto:
If you do not receive an email from Acreto within a minute or so, check your spam folder or retype your email address in the registration form.
The Administrative Contact is the person that you want to receive all notices related to any issues with your account and all general notices regarding the Acreto platform.
When you click the finish button your profile will be complete. You are now ready to set up your first Acreto Ecosystem
Ecosystem security is a methodology unique to the Acreto platform. It’s actually quite simple. Within your organization, there are many different departments, functions, and programs. Each of these areas contains specific applications, users, and devices that work together to execute organizational tasks. For example, your remote sales team may consist of and utilize Office 365, Salesforce, another internal pricing application, and of course, every sales team member. This is an Ecosystem. In a similar fashion, your Vendor Relations department may have 75 external suppliers that provide your organization with various goods and services. In order to be effective, each vendor must interact with your purchasing application(s). These vendors, your internal purchasing department, and every utilized purchasing application is an Ecosystem.
In addition to isolating Ecosystem members from the Internet, Acreto enables you to establish security policies at the Ecosystem level, allowing you to apply customized security policies for each Ecosystem. The right set of security policies for the sales team may very well differ from the needed security policies for the vendors.
Creating a new Acreto Ecosystem is simple:
You’re now ready to start configuring and connecting your Thing(s) and Gateway(s) into your Ecosystem!
Acreto allows you to create multiple Ecosystems. You can create a separate Ecosystem for each physical location and manage them from one WEDGE panel.
To switch between existing Ecosystems:
This procedure required:
Gateway is a device that allows you to connect your local network to Acreto and secure whole network traffic and end-user devices without configuring them one-by-one. Take a look at the images below to compare standard network connection with the network secured by Acreto with the Gateway method.
Gateway may be configured in IPsec or vGateway mode. Each of these configurations may be used for different purposes and in different network structures:
To create a Gateway, you need to:
Notice: To successfully test your connectivity, you also need to create a security policy that will allow traffic to go through your device.
Set specific setting for IPsec Gateway:
Tip: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.
Set specific setting for IPsec Gateway:
Tip: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing
When Gateway is ready you should configure the gateway device on your end to act as a gateway to the Acreto platform and pass traffic from your endpoints through the gateway device. connectivity from the gateway through Acreto using ping, traceroute, and similar tools.
When gateway device is created then verify Acreto secured connection.
We define a Thing as any individual compute device that belongs to an Ecosystem, including servers, desktops, laptops, tablets, smartphones, IoT devices, etc. Whenever you want to connect a new device, you can create a new Thing that will represent the device in your Ecosystem.
Note: To connect your local network instead of an individual device, you should create and provision a Gateway.
Before starting this process, you should make sure that you have an Acreto account with at least one Ecosystem added to your Profile.
To add a new Thing to Acreto:
Log in to your Acreto account
Identify and select which Ecosystem you’d like to connect your Thing.
Click on the Things option in the left sidebar menu.
Once your Thing panel opens, select the Add New Thing option.
An Add Device window will appear, where you can enter information about the Thing that you want to add:
Configuration tab
Descriptors tab
The Descriptors tab contains some optional informational fields that allow you to manage your Things with ease.
Next, let’s configure your Thing to connect to the Acreto platform.
To learn how to configure your Thing(s) on a variety of platforms, please refer to the Acreto Connect documentation.
Please note: it’s recommended to test your connectivity from a different device than the one you use to manage your Ecosystem at https://wedge.acreto.net.
A security policy is a set of rules that manages the network traffic in an Ecosystem. These policies allow you to decide what traffic should be allowed from or into your added Thing(s) and which should be blocked or redirected.
Acreto follows a Zero-Trust approach. This means that all network traffic is blocked by default. To allow traffic to pass through your Ecosystem you must create some security policies, as described in the next article.
In the previous step, you configured and connected your first Thing to your Ecosystem. Now, you need to create a security policy.
A security policy is a set of rules that manages network traffic in an Ecosystem. These policies allow you to decide what traffic should be allowed, inspected, or blocked.
Acreto follows a Zero-Trust approach. This means that all network traffic is blocked by default.
To allow communications to flow through an Ecosystem, you must define a set of security policies. Without a matching security policy, the traffic is blocked.
For testing purposes, we’ll guide you through the creation of an Allow all traffic security policy. To do this, you will complete an Add New Policy form as shown below.
Complete the form by entering the correct values:
Before saving, the form should look like the image below :
Your changes will not be applied until you Commit them!
Now, any Thing in a selected Profile group (Source) should be able to securely connect to any destination.
If you want to block Facebook from accessing your Ecosystem users, you should use the Application Control security policy. To create such a policy, fill out the Add New Policy form as shown below.
Click the Add button to save the configuration.
Once the new security policy has been added and is visible on the list, you must Commit your changes.
Your changes will not be applied until you commit them!
After committing your settings, any Facebook traffic now coming through the Ecosystem should be blocked.
In this article, you’ll learn how to grant access to your Ecosystem to another person. This function may be used to share access with your team or to allow Acreto Support to get access to it.
Share access only with trusted people! Anyone with Ecosystem Admin privileges may control all your network traffic.
To grant access to your Ecosystem, you will need:
To grant access to your Ecosystem, please:
The person that you shared access with can now access your Ecosystem.
To revoke access to your Ecosystem, please:
The person that you removed from the list of Associated Administrators will be not able to access your ecosystem anymore.
Associated Administrator option allows you to easily share and revoke access to your ecosystem.
The following connectivity methods are supported:
Acreto Connect Client is a simple application that allows to connect your device to Acreto Ecosystem. It is available on Windows, macOS, Android and iOS.
In this article, you’ll learn how to create and connect Thing to the Acreto ecosystem.
This Use Case allows you to securely connect client (PC, laptop, smartphone) to the office ecosystem.
To connect your Thing to the Ecosystem, you will need:
At first, you need to download and install Acreto Connect Client - a small application that allows you to connect to the Acreto ecosystem.
Your device is now connected to the Ecosystem!
Acreto Connect Client allows connecting your Thing to the Ecosystem. This method works on every platform and it’s easy to understand for Users.
Please don’t forget to create Security Policy - Policies to allow Outbound traffic for your Thing(s) to connect to the Internet, or to the other devices within your Ecosystem.
Available only for Windows platforms, the Acreto Connect Client Start Before Logon (SBL) establishes the VPN connection before logging onto Windows. The purpose of this feature is while the computer is off the office or when the user is logging onto a new computer remotely. SBL allows remote users to log to Windows using Domain Controlled credentials because the VPN tunnel to the Data-Center is always on.
This feature is available only for version 2.4.0 and newer. Update your ACC if you want to use this option.
To connect your Windows device to the Ecosystem on the log on you will need:
At first, you need to download and install the Acreto Connect Client.
Go to the download page to get Acreto Connect Client.
Go to
C:\Program Files (x86)\Acreto Connect Clientto confirm that the sbl directory exists.
Run the acc_sbl.reg file - it will add some information into your system registry.
Open the Powers Shell with Administrator privileges and run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachineAnswer “Y” for the question in PowerShell, then run:
cd "C:\Program Files (x86)\Acreto Connect Client\sbl"
.\sbl.ps1You will receive confirmation of Acreto-SBL Service creation.
SBL feature will run any profile that you will place in C:\Program Files (x86)\Acreto Connect Client\sbl.
Create the profile in Acreto Portal.
Download the profile and place it in C:\Program Files (x86)\Acreto Connect Client\sbl directory.
If the profile requires authorization:
create auth.txt file and provide the username and password in form:
username
password
Modify your profile - search for the auth-user-pass line and change it to
auth-user-pass "C:\\Program Files (x86)\\Acreto Connect Client\\sbl\\auth.txt"
To verify that the feature works correctly, perform the test:
Verify using Acreto Portal:
Login into Acreto Portal.
Choose the proper Ecosystem.
From the left menu, choose Logs(1) > User and Things(2).
Set Refresh rate to 5S.
Restart the device with the SBL profile.
Wait for the login screen on the tested device (do not log in) and the logs, where you should receive information that the profile you placed in the config directory is connected to your Ecosystem (3).
Verify using logs:
Restart the device with the SBL profile.
Wait for a few seconds on the logon screen, then log in.
Go to C:\Program Files (x86)\Acreto Connect Client\sbl
Find the NAME OF YOUR PROFILE.log and open it to check the logs.
We highly recommend using the Split-tunnel profiles.
Once SBL starts the connection User will not be able to disconnect it. If you use the Full-tunnel profile, you will not connect using other full-tunnel profiles.
Acreto Connect Client allows connecting your Windows device to the Acreto Ecosystem using the SBL feature.
To import a profile directly to app from a web browser link, deep link is avalaible with the pattern acreto://
To import from a URL link use the format acreto://import-profile?url=<URL_TO_PROFILE>
Example:
acreto://import-profile?url=https://api-is-rock-solid.acreto.net/v2/tlsvpn/config/openvpn-udp/code/123456To import from a invite Code use the format acreto://import-profile?code=<6_DIGIT_CODE>
Example:
acreto://import-profile?code=123456To make sure that the VPN profile is opened automatically by the Acreto Connect Client, make sure that the webserver that hosts the .ovpn file sends the correct mime media type in the response HTTP header.
If the header is missing, the .ovpn file may be opened as a text file on Android and iOS devices.
On Apache servers update mime.conf file and restart the server:
sudo echo " AddType application/x-openvpn-profile .ovpn" >> /etc/apache2/mods-enabled/mime.conf
sudo systemctl restart apache2On Nginx servers update mime.types file and restart the server:
Edit mime.types config file with your favorite text editor:
nano /etc/nginx/mime.typesAdd new mime type
application/x-openvpn-profile .ovpnRestart the server
sudo systemctl reload nginxUse any Android or iOS device with Acreto Connect Client installed and tap on the deep link based on your server.
If Acreto Connect Client appeared after the click and the VPN profile is on the list everything works properly.
If your company manages the software using the Active Directory Group Policy Object or tools like Syxsense - ACC is ready to be installed by CMD. This solution lets you quickly onboard your entire team to the Acreto Ecosystem.
Installation and configuration of ACC with the GPO Rules is described in a separate article.
Acreto Connect Client installer supports parameters that allow the install of software without user action:
Powershell command:
Start-Process ".\Acreto-Connect-Client-v2.9.6.exe" -ArgumentList '/VERYSILENT /NORESTART /SUPPRESSMSGBOXES'
Windows CMD command:
.\Acreto-Connect-Client-v2.9.6.exe /VERYSILENT /NORESTART /SUPPRESSMSGBOXES
Parameters used in install command:
/VERYSILENT - instructs to proceed with installation in the background - no windows will be shown on the system GUI. Alternatively, it may be replaced by /SILENT - in this case, the installation will only show the progress window./NORESTART - disables installer option to restart user device after installation - this option is highly recommended./SUPPRESSMSGBOXES - instructs to suppress any message boxes that appear at installation time and proceed with default options. It only has an effect when combined with /SILENT or /VERYSILENT.If you need more options, please follow the official documentation for the installer.
The commands described above can be used to install or upgrade ACC. You can use them in your custom scripts or software management tool.
If your company manages the users by the Active Directory, it’s possible to provide and install Acreto Connect Client using Group Policy Object. ACC is ready to be installed and configured by GPO rules. This solution allows you to quickly onboard the whole of your team to the Acreto Ecosystem.
This article consists of two parts:
This feature is available only for version 2.4.3 and newer. Update your ACC if you want to use this option.
To complete these tutorial steps, the following items are required:
Acreto Connect Client uses *.EXE installer - this means that you cant use the default way of software installation for GPOs. To install ACC you need to create a Scheduled Task to run the installation script. Scheduler task allows to run the script and install software with administrator privileges. What’s more important - installation is completely invisible for the user.
First, create the shared folder that will be available for the users.
Download the last version of Acreto Connect Client for Windows.
1.Rename the installer to Acreto-Connect-Client.exe and place it in a shared folder. Installation script also takes care of the updates - it will read the installation version and compare it to the one existing on the users device - if the available version is newer, it will install it.
On the domain controller server, create an acreto_install.ps1 file with the below content:
# ADD YOUR VALUES HERE
$InstallPath = 'C:\Program Files (x86)\Acreto Connect Client' #local installation path
$InstallerFile = '\\SERVER\acc\Acreto-Connect-Client.exe' #ACC installer path shared in internal network
# END
IF (Test-Path -Path $InstallPath) {
#if path exists then...
$InstallPathExe = 'C:\Program Files (x86)\Acreto Connect Client\Acreto Connect Client.exe' #local installation binary
$update = ((Get-Item $InstallerFile).VersionInfo.ProductVersion) #Version of ACC available on server
$current = ((Get-Item $InstallPathExe).VersionInfo.ProductVersion) #Version of ACC available on server
IF ([System.Version]"$update" -gt [System.Version]"$current"){
#if update is available than install
& "$InstallerFile" /qn /SILENT /norestart INSTALLSTARTMENUSHORTCUTS=1 DISABLEADVTSHORTCUTS=0
& 'C:\Program Files (x86)\Acreto Connect Client\post_install.exe'-y /qn /SILENT /norestart
} ELSE {
#If thers no update, exit.
EXIT
}
} ELSE {
& "$InstallerFile" /qn /SILENT /norestart INSTALLSTARTMENUSHORTCUTS=1 DISABLEADVTSHORTCUTS=0
& 'C:\Program Files (x86)\Acreto Connect Client\post_install.exe'-y /qn /SILENT /norestart
}In Group Policy Management, create a new Group Policy under your domain.
Edit the GPO by right-clicking on it and select Edit.
Navigate to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks
Click Right Mouse Button on Scheduled Task panel and choose New > Immediate Task (At least Windows 7)
In task creation widow set:
Name: ACC installer
When running the task, use the following user account: click on Change User or Group button and inpute SYSTEM as a user and click on Check names button. As a Result you should recive the NT AUTHORITY\System.
Check: Run whether user is logged or not
Check: Run with highest privileges
Configure for: Windows 7, [..]
Go to Actions tab and click on New… tab
Action: Start a program
Program script: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe - path to the PowerShell
Add arguments: -Noninteractive -ExecutionPolicy Bypass –Noprofile -file PATH-TO-acreto_install.ps1 - make sure that path to script will be available throught the network.
Click Ok butten and the sace whole task.
As a result, the scheduled task will be run regularly on users devices and run the installer script. Installer script working with system privileges will check if ACC needs to be installed or updated.
Acreto Connect Client is already installed on the user’s computer. To establish a connection the ACC required a profile with configuration. Create the policies to download the correct Profile for ACC.
Add the script to import the profile, navigate to User Configuration > Policies > Windows Settings > Scripts ( Logon / Logoff ):
Copy and paste the below code into acreto_profile_deep_link.ps1:
Start-Process "acreto://import-profile?code=123456"This action needs to be made on user log-on because it required Internet access to download the profile data.
Navigate to Computer Configuration > Policies > Administrative Templates > All Settings
Do the following change under settings:
Double click on Turn on Script Execution and modify its setting. Make sure that the Execution Policy is set to Allow all scripts. If you want to run only signed scripts it is also possible, but you will need to sign in with your certificate before running it.
This script will be executed on the user login. ACC import profile by the deep link. No user actions are required.
All computers should be configured to use Acreto Connect Client. The user needs to use their credentials to login into the Ecosystem (if the profile needs that).
If users were imported from the AD the credential should be the same as stored in AD.
In this article, you’ll learn how to setup Wireguard client on Gl.iNet and connect it to the Acreto ecosystem.
To connect GL.iNet router with Acreto Ecosystem, you will need:
Existing Acreto Ecosystem, if you don’t have one learn how to create it.
Access to Acreto Wedge.
GL.inet router with Wireguard client installed.
Log in to the Acreto Portal.
Choose your Ecosystem.
Create a new Wireguard gateway profile using tutorial and download the new Wireguard configurations.
Login to the GL.iNet routers Web Admin Panel.
From the left sidebar, goto VPN » Wireguard Client and click + Set up WireGuard Manually..
Goto tab Configuration and paste the Wireguard configuration from the downloaded file in previous steps.
Modify the Alloweed IPs = 0.0.0.0/0 and click Next.
Enter a description for your Wireguard connection and then click Add.
Click Connect to start the Wireguard connection.
Once connected, the Disconnect button is shown on the screen along with the recieved IP address and Data sent and recieved information.
Also the Gl.iNet Dashboard, will show the Wireguard VPN connected.
This document describes some challenges and issues identified when testing and using vGateway to connect to the Acreto platform.
Once vGateway connects to the Acreto platform, we:
This causes several issues:
Note We are not deleting vti- device/route when the tunnel goes down because
this causes a “no route to host” error. It means that any default route records in the routeing table will not be used, because they will have lower priority (higher metric) than vti- default route.
ubuntu)100.64.0.0/16 on the Route Table
100.64.0.0/16.eni- of that instance).100.64.0.0/16This article describes how to configure a Route-Based Site-to-Site IPsec VPN between an Acreto Ecosystem and the Amazon Web Services (AWS) Virtual Private Cloud (VPC) using static routing:
In order to setup IPsec Site-to-Site VPN tunnel between Acreto Ecosystem and AWS VPS you need:
Acreto as a Cloud Provider allows to connect and integrate multiple networks, both physical and virtual. All connections require stable and secure links. Virtual (EC2) Instances running on Amazon VPC can’t communicate securely with your own (remote) network by default. It is possible to connect your network to Acreto Ecosystem and then you can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.
Acreto Ecosystem configures the routing automatically and passes the traffic between AWS VPC and your network. Additionally, the traffic is scanned by the Acreto Threat Engine to block suspicious traffic and malware.
AWS Site-to-Site VPN limitations: IPv6 traffic is not supported for VPN connections on a virtual private gateway. An AWS VPN connection does not support Path MTU Discovery. In addition, take the following into consideration when you use Site-to-Site VPN.
Use the following procedures to manually set up the AWS Site-to-Site VPN connection on Amazon AWS.
You can create a Site-to-Site VPN connection with either a virtual private gateway or a transit gateway as the target gateway.
Use existing VPC or create a new VPC using the steps below :
Login to AWS console.
Goto the region where you want to create your VPC.
Search VPC in the Services search tab.
From the VPC Dashboard, click Your VPCs under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create VPC
Create a VPC with the following values:
Click Create VPC
Now create a new subnet in the VPC address range. If you want to use an existing subnet, you can skip this step and use the pre-existing subnet in subsequent steps.
From the VPC Dashboard, click Subnets under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create Subnet
Select the new VPC created in the Step 1 or your existing VPC in the VPC ID options.
Create a new Subnet under Subnet settings with the below details :
Click Create Subnet button
From the VPC Dashboard, click Internet Gateway under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create Internet Gateway
Give the name for the Internet gateway and click Create internet gateway
Select the Internet gateway and click Actions and Attach to VPC
Assign your VPC
Click Attach internet gateway.
Configure Route table for the above subnet to reach Acreto’s public IP through Internet Gateway.
From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar and click Create Route Table
Create a Route table with the following values:
Click Create Route Table, with parameters as shown in screenshot below:
Select the Route table created above and click Subnet association, with parameters as shown in screenshot below:
Select your Subnet and click Save associations, with parameters as shown in screenshot below:
Select the routes and click Edit routes, with parameters as shown in screenshot below:
Add route for Acreto’s Default Tunnel IP used to form the VPN through the Internet Gateway, with parameters as shown in screenshot below:
Click Save changes.
Create new Customer Gateway with Acreto’s public IP.
From the VPC Dashboard in the left side bar, goto VIRTUAL PRIVATE NETWORK (VPN) » Customer Gateways
Click Create Customer Gateway
Provide the following values :
Click Create Customer Gateway.
Create a Virtual Private gateway that will be used to form the Ipsec tunnel with Acreto.
From the VPC Dashboard in the left sidebar, goto VIRTUAL PRIVATE NETWORK (VPN) » Virtual Private Gateways
Click Create Virtual Private Gateway
Give the name and click Create Virtual Private Gateway
Select the Virtual Private Gateway and click Actions » Attach to VPC
Select your VPC and click Yes, Attach button.
From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar.
Select the route table created in Step 4
Select the Route Propagation tab and click the button Edit route propagation.
Check Enable
Click the Save button.
This step ensures that the AWS virtual hosts receive a route for the 100.64.0.0/16 network (Acreto Ecosystem Internal network) after the VPN establishes.
Create a new VPN connection and associate the previously created VGW and CGW.
From the VPC Dashboard in the left sidebar, go to VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections.
Click Create VPN Connection.
Provide the following values in the tunnel setting:
Click Create VPN Connection.
Select the VPN created and click the tab Tunnel Details. Copy the Outside IP address of the tunnel to form a VPN with Acreto.
This Outside IP address will be used in the next steps to configure the Acreto gateway on Wedge Ecosystem.
Create Gateway on Ecosystem by following the instruction in the link. Provide the following values:
Click the gateway created on wedge.
Click the Play button under Configuration Options to generate the strongSwan Config.
Once the Config file is generated, click the Download button to download the configuration on the local computer.
Unzip the downloaded file and copy the psk from the file ipsec.secrets
Goto AWS Site-to-Site VPN connections
Select the VPN and click Actions » Modify VPN Tunnel Option
Select the tunnel used to create the VPN with Acreto.
Update the password copied from the ipsec.secrets file from strongSwan config file downloaded from Wedge
In the same window “Modify VPN Tunnel Options” scroll down and select the following action under tunnel configuration:
Click Save
Configure Route table to set the default route to VPN tunnel
From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar
Select the Route table and click Edit routes
Add the following route :
Click Save changes.
Once the tunnel connection is successfully established, the status of the connection will be up.
To verify on AWS, navigate to the VPN created under VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections .
Verify the following:
Do a traceroute or equivalent command from an internal server to public IP like 4.2.2.2. It should show Acreto’s IP in the path.
Acreto IPsec Gateway allows to set up VPN tunnel to connect Acreto Ecosystem with Amazon Web Services (AWS) Virtual Private Cloud (VPC).
This article describes configuring a Route-Based Site-to-Site IPsec VPN between an Acreto Ecosystem and Azure network.
To set up an IPsec Site-to-Site VPN tunnel between Acreto Ecosystem and Azure, you need:
Use the following procedures to set up the Azure Site-to-Site VPN connection manually.
Use an existing virtual private network or create a new virtual private network using the steps below:
Wait for the deployment to finish and the Virtual Network to be created.
Create the virtual network gateway for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
The next step is to create a local gateway representing your local network.
This step creates a Site-to-Site VPN connection between your VPN device and the virtual network gateway.
Wait for the deployment to finish and the connection created.
Next, download the VPN configurations from Azure to use it to configure the Acreto gateway.
Create Gateway on Ecosystem by following the instruction in the link. Provide the following values:
Goto Objects » Gateways
Add New Gateway
Provide the following information :
Read the PSK information from the Acreto gateway created in the previous steps.
Update the new PSK from the previous step and update the VPN connection on Azure.
What is Azure Site-to-Site connection?
Acreto IPsec Gateway allows to set up VPN tunnel to connect Acreto Ecosystem with Azure VPN Gateway.
This article describes configuring a Route-Based Site-to-Site IPsec VPN between an Acreto Ecosystem and the Amazon Web Services (AWS) Transit Gateway to access multiple VPCs.
To setup an IPsec Site-to-Site VPN tunnel between Acreto Ecosystem and AWS VPS, you need:
Acreto, as a Cloud Provider, allows to connect and integrate multiple physical and virtual networks. All connections require stable and secure links. Virtual (EC2) Instances running on Amazon VPC can’t communicate securely with your own (remote) network by default. However, it is possible to connect your network to Acreto Ecosystem. Then, you can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection and configuring routing to pass traffic through the connection.
Acreto Ecosystem configures the routing automatically and passes the traffic between AWS VPC and your network. Additionally, the traffic is scanned by the Acreto Threat Engine to block suspicious traffic and malware.
Use the following procedures to manually set up the AWS Site-to-Site VPN connection transit gateway on Amazon AWS.
Create a new Customer Gateway with Acreto’s public IP.
From the VPC Dashboard in the left sidebar, go to VIRTUAL PRIVATE NETWORK (VPN) » Customer Gateways
Click Create Customer Gateway
Provide the following values :
Click Create Customer Gateway.
Create a Transit gateway that will be used to form the IPsec tunnel with Acreto.
From the VPC Dashboard in the left sidebar, go to TRANSIT GATEWAYS » Transit Gateways.
Click Create Transit Gateway.
Give the name and click Create Transit Gateway
Wait for a few minutes to get the state of Transit Gateway to Available.
Create a Transit gateway attachment that will attach to the primary VPC.
From the VPC Dashboard in the left sidebar, go to TRANSIT GATEWAYS » Transit Gateways Attachment
Click Create Transit Gateway Attachment
Provide the following values
Click Create Transit Gateway attachment
Create a new VPN connection and associate the previously created Virtual Gateway in Step 2 and Customer Gateway in Step 1.
From the VPC Dashboard in the left sidebar, go to VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections.
Click Create VPN Connection.
Provide the following values in the tunnel setting:
Click Create VPN Connection.
Select the VPN created and click the tab Tunnel Details. Copy the Outside IP address of the tunnel to form a VPN with Acreto.
This Outside IP address will be used in the next steps to configure the Acreto gateway on Wedge Ecosystem.
Create Gateway on Ecosystem by following the instructions in the link. Provide the following values:
Click the gateway created on the Wedge.
Click the Play button under Configuration Options to generate the strongSwan Config.
Once the Config file is generated, click the Download button to download the configuration on the local computer.
Unzip the downloaded file and copy the PSK from the file ipsec.secrets
Goto AWS Site-to-Site VPN connections
Select the VPN and click Actions » Modify VPN Tunnel Option
Select the tunnel used to create the VPN with Acreto.
Update the password copied from the ipsec.secrets file from strongSwan config file downloaded from Wedge
In the same window “Modify VPN Tunnel Options” scroll down and select the following action under tunnel configuration:
Click Save
Configure the Route table to set the default route to the VPN tunnel.
From the VPC Dashboard, click Transit Gateway Route Table under TRANSIT GATEWAYS in the left sidebar
Select the Transit gateway Route table entry.
Select tab Routes and click Create Static Route
Click Create Static Route
From the VPC Dashboard, click Route Tables under VIRTUAL PRIVATE CLOUD in the left sidebar
Select the Route table and click Edit routes. Add the following values :
Click Save changes.
to TRANSIT GATEWAYS » Transit Gateways Attachment
Click Create Transit Gateway Attachment
Provide the following values
.
Click Create Transit Gateway attachment
Configure Routes from the new VPC transit gateway attachment appears in the Transit Gateway Route table.
From the VPC Dashboard, click Transit Gateway Route Table under TRANSIT GATEWAYS in the left sidebar
Select the Transit gateway Route table entry.
Select tab Routes
Check the Static route from the new VPC Transit Gateway attachment is available
Follow Step 1.9 to add the route for Acreto subnet 100.64.0.0/16 through the transit gateway.
Once the tunnel connection is successfully established, the status of the connection will be up.
To verify on AWS, navigate to the VPN created under VIRTUAL PRIVATE NETWORK (VPN) » Site-to-Site VPN Connections. Verify the following:
Connect a Remote user with the Acreto Connect Client and access the resources in the VPC connected using Transit Gateway.
Acreto Gateway allows setting up an IPsec VPN tunnel with AWS Transit Gateway, which can be used to access resources in multiple VPCs.
This article illustrates a Dual VPN setup and explains how to connect the secondary tunnel from your environment to the second Ecosystem which can act as a backup in case of failure of the Primary ISP or Ecosystem. With this setup, when the first tunnel is down, the traffic will automatically start going through the second tunnel to the backup Ecosystem.
Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the FortiGate configuration, you will need a few values from an existing committed Acreto Gateway:
All of these may be found within the Gateway details panel - view the below animation for further instruction.
This step is required for policy routing to work. Any dummy/unused IPs can be used for interfaces.
Traffic will be matched with the policy on top if both tunnels are up.
After this setup, there are two tunnels created from FortiGate to Acreto Primary and Secondary Ecosystem through Primary and Secondary tunnel respectively. If the primary tunnel goes down, all traffic will start going from the backup tunnel, which in this case is the Secondary tunnel.
Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the FortiGate configuration, you will need a few values from an existing committed Acreto Gateway:
All of these may be found within the Gateway details panel - view the below animation for further instruction.
Use VPN Wizard to create all basic configurations.
<Tunnel_name>_remote.
When the configuration is complete, all network traffic on the selected interface and the selected subnet(s) is redirected through Acreto.
This article will show you how to use CLI to connect the FortiGate managed network to the Acreto Ecosystem.
This step is optional, skip it if you already own the Gateway.
Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the Fortigate configuration, you will need a few values from an existing committed Acreto Gateway:
All of these may be found within the Gateway details panel - view the below animation for further instruction.
Use the following commands to create a VPN through CLI.
Log in to the Fortigate CLI.
Configure IPsec VPN Phase-1
config vpn ipsec phase1-interface
edit AcretoGate
set interface <wan_interface>
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha512
set ike-version 2
set keylife 10800
set remote-gw acreto-peer-ip (Copy from Wedge Dashboard)
set psksecret psk (Copy from Wedge Dashboard)
set dhgrp 16
set localid local-id (Copy from Wedge Dashboard)
next
endConfigure IPsec VPN Phase-2
config vpn ipsec phase2-interface
edit AcretoGate
set phase1name AcretoGate
set proposal aes256-sha512 aes256gcm
set dhgrp 16
set keepalive enable
set keylifeseconds 3600
next
endCreate addresses for all local addresses/subnets
config firewall address
edit AcretoGate_local_1
set allow-routing enable
set subnet 192.168.1.0 255.255.255.0
next
edit AcretoGate_local_2
set allow-routing enable
set subnet 192.168.2.0 255.255.255.0
next
endCreate an address group to add all the addresses created in the previous step
config firewall addrgrp
edit AcretoGate_local_grp
set member AcretoGate_local_1 AcretoGate_local_2
next
endOutbound Policy for traffic originating from Local lan interface to internet through Acreto VPN
config firewall policy
edit 0
set name Outbound_toAcreto
set srcintf lan_interface_ip
set dstintf AcretoGate
set srcaddr AcretoGate_local_grp
set dstaddr all
set action accept
set schedule always
set service ALL
next
end Inbound Policy for traffic coming from Acreto VPN to Local lan
config firewall policy
edit 0
set name Inbound_fromAcreto
set srcintf AcretoGate
set dstintf lan_interface_ip
set srcaddr all
set dstaddr AcretoGate_local_grp
set action accept
set schedule always
set service ALL
next
endScenario 1: When traffic from all local subnet/interfaces need to pass through the tunnel
Add Static Route
config router static
edit 0
set dst Acreto_PeerIP
set device wan_interface
Set gateway ISP_Gateway
next
edit 0
set dst 0.0.0.0 0.0.0.0
set device AcretoGate
set distance 4
next
endScenario 2: When traffic from a specific subnet/interface needs to pass through the tunnel.
Add IP at the tunnel interface
config system interface
edit "AcretoGate"
set ip 2.2.2.2 255.255.255.255
set remote-ip 2.2.2.3 255.255.255.255
next
endAdd Static Route to direct the traffic through the tunnel with a higher administrative distance
config router static
edit 0
set distance 254
set device AcretoGate
set dst 0.0.0.0 0.0.0.0
next
endAdd Policy Route to direct the specific traffic through the tunnel
config router policy
edit 0
set input-device lan_interface
set srcaddr AcretoGate_local_grp
set dstaddr all
set output-device AcretoGate
Set gateway 2.2.2.3
next
endRun the following command to bring the tunnel up bash diagnose vpn tunnel up AcretoGate
diagnose vpn tunnel up AcretoGatediagnose vpn ike gateway list name AcretoGatediagnose vpn tunnel list name AcretoGateOnce the VPN connection is successfully established, all the internet traffic will be routed through Acreto.
If you didn’t do it yet, you need to create a new Gateway device on the Acreto platform.
Login to the Acreto platform at wedge.acreto.net
Select your ecosystem and go to Objects using the left menu.
Click Add new Object and select Gateway.
Fill at least:
Name: the name of the IPSec connection needs to be compatible with Strongswan connection name requirements (basically, only letters and numbers)
Category: IoT
Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted)
Local Networks: - your local network addresses that should be routed through this gateway
Note: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.
Save the created Gateway by pressing Add.
Add a security policy that will allow communication from the Gateway device to the Internet.
Commit pending changes (top of the screen)
Note: to successfully test your connectivity, you also need to create a
security policy that will allow traffic going through your device.
Log in to the Acreto platform at wedge.acreto.net
Select your ecosystem and go to Objects using the left menu
Open the gateway object which you want to use by clicking on its “Info” button.
Generate the IPsec strongSwan config using Configuration Options > Bare Metal, OS and Software
Then Click on [Play Button]
Copy the link to the IPsec strongSwan config file
Execute the following commands on your Linux shell
curl -fsSL https://kb.acreto.net/reference-material/downloads/acreto-ipsec.sh | sudo bash -s -- [URL_to_strongswan_config]where [URL_to_strongswan_config] is the URL copied in previous step.
Example:
curl -fsSL https://kb.acreto.net/reference-material/downloads/acreto-ipsec.sh | sudo bash -s -- https://api-is-rock-solid.acreto.net/v2/gateways/ipsec/config/strongswan?_token=s.WNJJeTxWsIeXMkgeIA96SOe8Ensure that traffic goes through Acreto (with traceroute or mtr)
Execute the command:
mtr 8.8.8.8The ouput should indicate that packets go through 100.65.0.x:
Host Loss% Snt Last Avg Best Wrst StDev
1. 100.65.0.30 0.0% 9 225.1 225.1 224.6 225.8 0.3
2. 100.65.0.1 0.0% 8 225.9 227.5 225.7 237.1 3.9
3. ???
4. nyk-b2-link.telia.net 0.0% 8 226.0 226.9 226.0 228.3 0.7
5. 72.14.218.254 0.0% 8 227.1 227.8 226.4 230.4 1.2
6. 108.170.248.97 0.0% 8 227.1 227.2 226.8 227.9 0.4
7. 108.170.227.211 0.0% 8 226.5 226.9 226.0 227.7 0.6
8. dns.google 0.0% 8 226.7 227.6 226.7 229.2 0.8Restart IPsec service with the following command: ipsec restart
Wait approximately 10 seconds, and check the status of IPsec: ipsec statusall
If the connection did not start, try to take it up manually:
CONN=`grep '^conn .*' /etc/ipsec.d/*.conf|cut -d' ' -f2`; echo $CONN
ipsec up $CONNIt should display information useful for debugging purposes.
Ensure everything works fine with:
ipsec statusall
ip address show
ip route showCheck if you have Internet access
In case you Internet connection if very unstable or your ISP changes your public IP, then you may consider running an IPsec watchdog that verifies every minute if the tunnel is passing the traffic to Acreto Ecosystem.
Please download the script and follow the steps from the comments section at the beginning of this script.
Click on the button and save the script in your home directory:
Get ipsec-watchdog.shor open the terminal and download the script directly to your vGateway using the command:
cd /etc/ipsec.d/
wget https://kb.acreto.net/reference-material/downloads/ipsec-watchdog.shIf you didn’t do it yet, you need to create a new Gateway device on the Acreto platform.
Log in to the Acreto platform at wedge.acreto.net
Select your ecosystem and go to Objects using the left menu.
Click Add new Object and select Gateway.
Fill at least:
Name: - the name of IPSec connection, needs to be compatible with Strongswan connection name requirements (basically, only letters and numbers)
Category: IoT
Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted)
Local Networks: - your local network addresses that should be routed through this gateway
Note: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.
Save the created Gateway by pressing Add.
Add security policy that will allow communication from the Gateway device to the Internet.
Commit pending changes (top of the screen)
Note: to successfully test your connectivity, you also need to create a security policy that will allow traffic going through your device.
Log in to the Acreto platform at wedge.acreto.net
Select your ecosystem and go to Objects using the left menu
Open the gateway object which you want to use by clicking on its “Info” button.
Download Strongswan configuration using Configuration Options > Software Clients with Config
Download Strongswan configuration to your device.
Log in to your device.
Set up time/date server, to do that use the following command:
sudo timedatectl set-ntp on
ntpdate -s ntp.ubuntu.comInstall required packages:
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
apt-utils \
ifupdown2 \
inetutils-ping \
strongswan \
kmod \
openssl \
libstrongswan-standard-pluginsLog in to your device.
Unzip downloaded config file and copy respective files to their location:
unzip -x 10b6c4d8-0e9a-f5c7-c4c9-7edd6a6493ed.zip
sudo cp -r etc/* /etcEnsure the files are in proper location
/etc/ipsec.d/[connection uuid].conf/etc/ipsec.d/leftifupdown.sh/etc/ipsec.secretsTo work in gateway mode, you need to configure IPsec to use VTI devices.
Modify /etc/strongswan.d/charon.conf - leave all on defaults except for the
following:
install_routes = no
install_virtual_ip = no
ignore_routing_tables = 220Modify connection file /etc/ipsec.d/*.conf to enable VTI support -
uncomment mark and leftupdown options:
# uncomment this line for policy routing configuration
mark=105
# uncomment this line for policy routing configuration
leftupdown=/etc/ipsec-leftupdown.shDetermine connection name as defined in ipsec configuration:
CONN=`grep '^conn .*' /etc/ipsec.d/*.conf|cut -d' ' -f2`; echo $CONNCreate a routing file that will contain (remote) networks which should be routed through the Acreto platform - by default, it would be a default gateway:
cat > /etc/ipsec.d/$CONN.route << EOF
0.0.0.0/0
EOFEnable IP forwarding
echo net.ipv4.ip_forward=1 > /etc/sysctl.d/10_ac_ip_forward.conf
systemctl restart systemd-sysctlsed -i'' -e s/auto=route/auto=start/ /etc/ipsec.d/*.confRestart ipsec service with following command:
ipsec restartWait approximately 10 seconds, and check status of ipsec:
ipsec statusallIf the connection did not start, try to take it up manually:
CONN=`grep '^conn .*' /etc/ipsec.d/*.conf|cut -d' ' -f2`; echo $CONN
ipsec up $CONNIt should display information useful for debugging purposes.
Ensure everything works fine with:
ipsec statusall
ip address show
ip route show
Check if you have Internet access enabled.Check if you have Internet access enabled.
Ensure that traffic goes through our platform (with traceroute, mtr,). Verify with the command below
Tunnel verification command
mtr 8.8.8.8Expected output after successful tunnel creation
Host Loss% Snt Last Avg Best Wrst StDev
1. 100.65.0.30 0.0% 9 225.1 225.1 224.6 225.8 0.3
2. 100.65.0.1 0.0% 8 225.9 227.5 225.7 237.1 3.9
3. ???
4. nyk-b2-link.telia.net 0.0% 8 226.0 226.9 226.0 228.3 0.7
5. 72.14.218.254 0.0% 8 227.1 227.8 226.4 230.4 1.2
6. 108.170.248.97 0.0% 8 227.1 227.2 226.8 227.9 0.4
7. 108.170.227.211 0.0% 8 226.5 226.9 226.0 227.7 0.6
8. dns.google 0.0% 8 226.7 227.6 226.7 229.2 0.8This section describes how to configure two IPSec VPN tunnels on a PA-200 firewall running version 9.1.x. Refer to Palo Alto Networks documentation for additional information about the web interface.
The ethernet1/2 interface is connected to the internal corporate network. This interface will act as a gateway to the internal corporate network. The ethernet1/1 interface is the external interface. The internal network configuration will be in a trust security zone, and the external network interface configuration will be in an untrust security zone. Also, ensure that both interfaces use the same Virtual Router service.
To configure the IPSec VPN tunnels on PA-200, complete the following tasks:
For this task, you will create a new Virtual Router. To configure the new Virtual Router:
It is recommended to use separate zones to setup IPsec tunnels with PAN.
To configure trust and untrust zones, execute the following commands:
Configure the external network interface on PAN to be an untrust zone.
Configure the internal network interface on PAN to be a trust zone.
Configure the tunnel interface on the external interface (ethernet1/1). Ensure the tunnel is configured in the untrust security zone. In this example, the tunnel interface is named tunnel.1 with a source IP address 10.1.203.93.
To configure the primary tunnel interface:
Create an IKE crypto profile that specifies the security settings for the IKE phase 1 negotiations.
To create an IKE crypto profile:
Create IKE gateways using the Acreto Gateway IP address. In this case: 104.193.146.132.
To create the primary IKE gateway:
Note: To view the Acreto Web Portal information, complete the following steps:
Create an IPSec crypto profile that specifies the security parameters for the IKE phase 2 negotiations.
To create an IPSec crypto profile:
Configure the IPSec VPN Tunnel using the Acreto Gateway Address. In this case, 104.193.146.132
To create the IPSec VPN tunnel:
Defining two policy-based forwarding rules to route the traffic from the Palo Alto Network appliance into the tunnel.
To define the primary policy-based forwarding rule:
Once completing the above step, the IPsec tunnel will be established between PAN and the Acreto IPsec Gateway. To check the status of the tunnel, navigate to Network → IPSec Tunnels and view the tunnel status. A green color status signifies that the tunnel is established correctly.
To validate the network traffic going from PAN to the Acreto IPsec gateway, routes must be configured in the virtual router in PAN. Execute the following steps to configure the routes:
Defining the Security Policy to allow the traffic from the Palo Alto Network to outside.
To define the Security Policy rule:
In this section, the connectivity between PAN and Acreto gateway will be verified.
SSH to the PAN device.
Run the following command below:
ping source <tunnel.1 IP address> host 8.8.8.8
The ping should work with a sample output like below:
PING 8.8.8.8 (8.8.8.8) from 10.1.203.93 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp\_seq=1 ttl=116 time=7.98 ms
64 bytes from 8.8.8.8: icmp\_seq=2 ttl=116 time=4.76 ms
64 bytes from 8.8.8.8: icmp\_seq=3 ttl=116 time=4.24 ms
64 bytes from 8.8.8.8: icmp\_seq=4 ttl=116 time=4.90 ms
64 bytes from 8.8.8.8: icmp\_seq=5 ttl=116 time=4.99 msYou should be able to see these traffic logs in the Acreto Reports dashboard. Navigate to the Ecosystem and from the left panel, select Reports. Below is a sample of the reports from the Acreto Web Portal:
This article will help you connect and secure your pfSense installation with Acreto Ecosystem.
Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the pfSense configuration, you will need a few values from an existing committed Acreto Gateway:
All of these may be found within the Gateway details panel - view the below animation for further instruction.
Log in to your pfSense panel.
Go to VPN > IPsec. Click on Add P1 to configure the Phase 1 settings.
In the following window, configure VPN Phase1 settings as below:
Click Save to save the configuration.
Click on Show Phase 2 Entries and Click on Add P2.
In the next window, configure the Phase 2 setting as below:
Click on Save.
Click on Apply Changes to save the configuration.
Go to Firewall > Rules and select LAN
Click on Add button to add a new rule.
In the next window, configure policy as below:
Go to Firewall > NAT.
Select Outbound, and in the Mapping section click on the Add button.
In the next window, configure the rule as below:
Click on Save
Click on Apply Changes to save the NAT rule.
In the same window, select mode Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below) in Outbound NAT Mode.
Click on Apply Changes to save settings.
Go to Status > IPsec.
The following window will show the status of the VPN as below. Click on Connect VPN if the tunnel is down.
Go to Diagnostics » Ping.
In the next windows, check ping as below:
Ping should be successful, and logs on the Wedge dashboard should show the same record.
Go to VPN > IPsec and click on Advanced Setting.
In IPsec bypass rules, enter the source and destinations of your local traffic, which doesn’t need to go through Acreto VPN.
Once the VPN connection is successfully established, all the internet traffic will be routed through the Acreto.
In this article, you will learn how to connect your Sonicwall to the Acreto Ecosystem. To make it possible and secure, we will use the IPSec VPN connection.
Create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (use /32 prefix for public interface). This allows testing connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the Sonicwall configuration, you will need a few values from an existing committed Acreto Gateway:
All the details may be found within the Gateway details panel - please check the video below for further instructions.
To configure the IPsec VPN using tunnel interface, proceed with the following steps:
Goto MANAGE » VPN » Base Settings.
Under the VPN Policies click the ADD button
Under the General tab, enter the following values:
Goto Proposals
Advanced Settings
Click the OK button.
Next, we will create the tunnel interface that will be used to route the traffic.
Goto MANAGE » Network » Interfaces
In the middle of the screen, for the field Add Interface, select VPN Tunnel Interface.
Create a new interface with the following values:
Click the OK button.
To allow the traffic from the LAN subnet to route through the tunnel interface, perform the following steps:
Goto MANAGE » Network » Routing
Under the tab Route Policies, click the Add button
Create a new rule with the following values under General:
Click the OK button
Verify existing or create a new access rule to allow the desired traffic
Goto MANAGE » Rules » Access Rules
Click the Add button
Under General, provide the following values:
Click the OK button
Once the tunnel connection is successfully established, its status will change to UP.
To verify the status on Sonicwall, navigate to goto MANAGE » VPN » Base Settings
The status of the VPN policy should be Green.
The active VPN tunnel will be shown in the list.
Execute tracert 1.1.1.1 (or traceroute 1.1.1.1) on internal server check the route to external host 1.1.1.1. It should show Acreto’s IP in the path.
Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.
In this article, you will learn how to connect your Sonicwall to the Acreto Ecosystem. To make it possible and secure, we will use the IPSec VPN connection.
Create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (use /32 prefix for public interface). This allows testing connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the Sonicwall configuration, you will need a few values from an existing committed Acreto Gateway:
All the details may be found within the Gateway details panel - please check the video below for further instructions.
To configure the IPsec VPN using tunnel interface, proceed with the following steps:
Goto NETWORK » IPsec VPN » Rules and Settings.
Click the ADD button.
Under the General tab, enter the following values:
Goto Proposals
Advanced Settings
Click the OK button.
Next, we will create the tunnel interface that will be used to route the traffic.
Goto NETWORK » System » Interfaces.
Click the Add Interface button and select VPN Tunnel Interface
Create a new interface with the following values:
Click the OK button.
To allow the traffic from the LAN subnet to route through the tunnel interface, perform the following steps:
Goto POLICY » Rules and Policies » Route Policy
Create a new rule with the following values under General tab:
Click Next Hop tab and give the following values :
Verify existing or create a new access rule to allow the desired traffic
Goto POLICY » Rules and Policies » Security Policy
Click the Add button
Under General, provide the following values:
Once the tunnel connection is successfully established, its status will change to UP.
To verify the status on Sonicwall, navigate to goto NETWORK » IPsec VPN » Rules and Settings » Active Tunnels tab.
The active VPN tunnel will be shown in the list.
Execute tracert 1.1.1.1 (or traceroute 1.1.1.1) on internal server check the route to external host 1.1.1.1. It should show Acreto’s IP in the path.
Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.
This article will help you connect your Sophos XG with Acreto Ecosystem through the IPsec tunnel.
Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the Sophos configuration, you will need a few values from an existing committed Acreto Gateway:
All of these may be found within the Gateway details panel - view the below animation for further instruction.
Log in to the Sophos Firewall panel as a user with an administrator role.
From the left side navigation, choose Configure > VPN (1).
Move to the IPsec policies tab (2) and click on the Add button (3) to create a new policy.
Fill the creation form with the following values:
General Settings
Phase1
Click on the Save button to create the policy.
Goto VPN from left side navigator
Select tab IPsec connections and click Add button
Configure VPN with the following setting:
General Settings
Encryption
Local gateway
Remote gateway
Upon saving, the tunnel will try to establish a connection with Acreto, and upon successful connection, the tunnel will come up.
Goto Network from left side navigator
Select tab Network
Click the blue bar on the wan interface. It will unfold the new VPN tunnel interface formed
Click the tunnel interface and add some random IP
Click Save.
Goto Rules and policies from left side navigator
Select tab Firewall rules and click Add firewall rule to add a new firewall rule
Create the firewall rule with values as below
Rule name: to_acreto
Action: Accept
Source Zone: LAN
Source network and devices: Any
During Scheduled time: All the time
Destination zones: Any
Destination network: Any
Services: Any
Verify the connection is going through Acreto.
From any server in the internal subnet, do traceroute or mtr and verify if traffic is going through Acreto.
Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.
Forticloud management connection was lost after connecting to Acreto.
When FortiGate is set up to route all traffic through Acreto, it may lose connection with FortiGuard/FortiCloud management servers.
When the default route is set towards Acreto, FortiGate sends all the FortiCloud connections through Acreto. However, while sending these requests, FortiGate uses its WAN IP as the source of the connection, which may not be allowed in Acreto EcoSystem.
To fix the issue, apply the solutions listed below:
Alternatively, this issue can be resolved at the Customer location by setting Fortigate’s LAN IP as the source address for Fortiguard by following the steps below :
Login to Fortigate Dashboard
Goto Network > Interfaces > select the LAN interface
Copy the IP address of the LAN interface of FortiGate (Gateway IP for the LAN network)
Login to CLI of FortiGate.
Run the following commands:
config system fortiguard
set source-ip <ip_address_lan_interface>
endAny one of the above solutions will restore the connection with FortiCloud.
In this article, you will learn how to connect to the Acreto ecosystem with your Unifi USG/Edgerouter using IPSec VPN.
Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here. If you already have one, make sure that it’s IPsec type and jump to How-to.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.
To proceed with the Ubiquiti configuration, you will need a few values from an existing committed Acreto Gateway:
All of these may be found within the Gateway details panel - view the below animation for further instruction.
Login into Ubiquiti and enter Configuration mode
configureEnable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable.Create the IKE / Phase 1 (P1) Security Associations (SAs) by providing the following values
set vpn ipsec ike-group AcretoGate key-exchange ikev2
set vpn ipsec ike-group AcretoGate lifetime 10800
set vpn ipsec ike-group AcretoGate proposal 1 dh-group 16
set vpn ipsec ike-group AcretoGate proposal 1 encryption aes256
set vpn ipsec ike-group AcretoGate proposal 1 hash sha256Create the ESP / Phase 2 (P2) SAs.
set vpn ipsec esp-group AcretoGate lifetime 3600
set vpn ipsec esp-group AcretoGate proposal 1 encryption aes256
set vpn ipsec esp-group AcretoGate proposal 1 hash sha256
set vpn ipsec esp-group AcretoGate compression disableExecute the below command using values from previous steps: Configure the below steps with values for Gateway address, Preshared key and Peer Id collected in Step 1.
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS authentication mode pre-shared-secret
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS authentication pre-shared-secret PRE-SHARED_KEY
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS description ipsec
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS authentication id PEER_IDCopy the WAN IP and router address from the Ubiquiti gateway device
Use the above WAN IP and conFigure the Peer with the below commands
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS local-address LOCAL_WAN_INTERFACE Link the SAs created in the above steps to the remote peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS ike-group AcretoGate
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS vti bind vti0
set vpn ipsec site-to-site peer GATEWAY_IP_ADDRESS vti esp-group AcretoGateConfigure a static route to route gateway address to the internet directly. Use router address copied from step 6.
set protocols static route GATEWAY_IP_ADDRESS next-hop ROUTER_IP_ADDRESSConfigure default static route to send all traffic to Acreto VPN.
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti0Commit the changes and save the configuration.
commit ; saveOnce the VPN connection is successfully established, all the internet traffic will be routed through Acreto.
This article will show you how to configure the Watchguard to connect to the Acreto Ecosystem. This configuration will be made by using IPsec VPN.
Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.
To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway, or similar tools.
To proceed with the Watchguard configuration, you will need a few values from an existing committed Acreto Gateway:
All of these may be found within the Gateway details panel - view the below animation for further instruction.
Create Phase 2 proposal - Navigate to VPN > Phase 2 Proposals and click ADD button
Create Phase 2 with the following values and SAVE
To set up IPsec VPN navigate to VPN > BOVPN Virtual Interfaces and click ADD from the right pane
Select Remote Endpoint Type as Cloud VPN or Third-Party Gateway
Provide the Preshared key copied from the Wedge dashboard in Step 1 and click ADD button to configure Gateway Endpoint
Configure Local gateway - Select Interface By Domain Name and provide the Peer ID copied from Wedge dashboard in Step 1.
Configure Remote gateway with values copied in Step 1 and click OK
Click Phase 1 Settings tab
the following values
Select Acreto from Phase 2 proposal and ADD and SAVE.
Once the VPN connection is successfully established, all the internet traffic will be routed through Acreto.
WireGuard is a modern VPN protocol that aims to be faster, more secure, and more useful than older solutions like OpenVPN or IPsec.
To connect to the Ecosystem using WireGuard, you will need:
WireGuard-Gateway-01(2)
To complete the configuration based on your operating system, please follow the appropriate guide below:
Ensure that you choose the correct instructions for your system to avoid any issues during the setup process.
WireGuard is a modern VPN protocol that aims to be faster, more secure, and more useful than older solutions like OpenVPN or IPsec.
This article is a continuation of Wireguard Configuration article. Please ensure that you finish all steps described in this article.
At this point, the machine is connected to Acreto Ecosystem by the WireGuard gateway. You may confirm that by checking logs available in Acreto Portal > Logs > Gateways.
WireGuard is a modern VPN protocol that aims to be faster, more secure, and more useful than older solutions like OpenVPN or IPsec.
This article is a continuation of Wireguard Configuration article. Please ensure that you finish all steps described in this article.
Be aware that the configuration of Wireguard for Linux requires additional steps in compared to Windows/macOS. Configuration files created by Wedge require additional modification before use.
Type IP a in the terminal to check available interfaces. Note down the IP address of the interface used to connect to the Internet. In the screenshot below, it’s 10.0.2.15/24.
ip a in the terminal to check available interfaces. Note down the IP address of the interface used to connect to the Internet. In the screenshot below, it’s 10.0.2.15/24.
$ sudo apt install wireguard
apt install wireguard10.0.2.15/24.10.0.2.0/24.
sudo mv ./path-to-file/donwloaded-file.conf /etc/wireguard/wg0.confsudo nano /etc/wireguard/wg0.conf:
0.0.0.0/0.
wg-quick: sudo wg-quick up wg0
sudo wg.
sudo systemctl start wg-quick@wg0sudo wg-quick down wg0At this point, the machine is connected to the Acreto Ecosystem by the WireGuard gateway. You may confirm that by checking logs available in Acreto Portal > Logs > Gateways.
Learn how to configure Acreto vGateway and deploy on a wide range of platforms.
In this article, you’ll learn how to run Acreto vGateway on a Windows Server machine. This process involves the following steps:
In this example, our target is to connect the existing virtual server to Acreto Ecosystem. The selected server works as a Virtual Machine based on Windows Server 2019 Hyper-V. In the same data center/cloud exist also other servers connected to different internal LANs but using the same Internet Router. The existing configuration was presented in the below diagram.
To connect the selected server to Acreto Ecosystem we will use the vGateway - a small virtual machine-generated by Acreto Wedge. This machine will be installed on the same host that other virtual machines in Data Center and connected to the same internal network. Also, network routing will be changed to redirect “external traffic” from/to the selected server thru Acreto vGateway.
The step-by-step procedure will be described in the below article.
To run vGatway on Hyper-V, you will need:
Hyper-V feature is disabled by default in Windows Server. If you are sure that this option is already turned on on your machine you may skip this step.
To turn on Hyper-V on Windows Server:
ipsec statusalltraceroute 8.8.8.8Thanks to the Hyper-v technology you were able to install Acreto vGateway in just a few steps. Users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.
Also, Acreto Ecosystem Admin(s) can re-use any existing password and security policies that are already in place. For example, the Active Directory may already have account lockout and password expiration policies.
In this document, you’ll become familiar with the concepts and basic features of Acreto vGateway.
Acreto vGateway is a software appliance that allows simple connectivity between branch offices, on-premise data centers, cloud platforms, and Acreto.
vGateway uses 2 network interfaces:
vGateway acts as a gateway, allowing bidirectional communication between Acreto and the local network using an IPsec connection.
Devices (workstations, VMs, servers, etc.) in the local network should use vGateway’s LAN IP address as their default gateway. vGateway forwards traffic coming to its LAN interface to Acreto, and then sends traffic received from Acreto to its local destination.
Acreto vGateway is supported on the following platforms:
vGateway LAN interface should be connected to the LAN network. All devices in the LAN network should use vGateway as a default gateway.
vGateway WAN interface should be connected to the internet router.
Acreto vGateway communicates with Acreto using IPv4 and IPsec protocol. To allow networking connectivity, the firewall needs to allow communication on the following ports and protocols:
You can find a list of IP networks used by Acreto on IPv4 and IPv6 subnets page.
Acreto vGateway can be installed behind NAT. However, if you are installing more than one vGateway behind the same NAT device, each of them must get a different public IP address.
In addition, the NAT device should have IPsec Passthrough enabled.
In a deployment involving two vGateway devices (192.0.2.10, 192.0.2.11), the NAT device needs to have at least two public IP addresses (198.51.100.10, 198.51.100.11) and define Source NAT rules to assign a different public IP address to each vGateway. In this case:
The recommended way to configure Acreto vGateway is to modify configuration at https://wedge.acreto.net, and then generate and download a new image.
Acreto vGateway is a Linux-based solution. Administrators can connect and manage vGateways using SSH protocol and standard Linux tools. To get access credentials for your vGateway, please contact support.
vGateways with configuration modified by administrators might not be supported by Acreto.
The network configuration of Acreto vGateway is implemented using Netplan configuration files, placed in /etc/netplan. Refer to the Netplan website for more information.
IPsec connections are established using a Strongswan ipsec.conf configuration format, placed in /etc/ipsec.d/*.conf on the vGateway. The list of subnets that should be routed through Acreto is stored in /etc/ipsec.d/*.route files.
You can find other connectivity options on the Connect to the Acreto platform page.
Acreto vGateway uses OpenSource software that is part of Ubuntu Linux. You can find more licensing information on the Ubuntu website, at https://ubuntu.com/licensing.
Failed to power on virtual machine XXXXXX . Unsupported or invalid disk type 23 for ‘scsi0:1’. Ensure that the disk has been imported.
This issue occurs if a virtual machine that is meant for VMware Hosted products such as VMware Workstation, VMware Player or VMware Fusion is powered-on on an ESX/ESXi host.
The underlying format used to store virtual machines on VMware Hosted products differs from the format used to store virtual machines on ESX/ESXi hosts.
The .vmdk file needs to be converted to the accepted the ESXi format using the steps below:
Upload the .vmdk file to datastore in ESXi
Connect to the ESX/ESXi host via SSH
Run the below commands to convert the file
cd vmfs
cd volumes
cd datastore1
vmkfstools -i xxxxxx.vmdk xxxx-New.vmdkAfter successful conversion new file will be generated.
This article shows how to setup vGateway on Azure to connect your network to Acreto Ecosystem.
To set up the vGateway on Azure first it is needed to configure the Gateway object.
Please follow the steps in Gateway creation guide with the vGateway as a type of a gateway.
To generate an Azure the image you need to:
To install the generated vhd image on Azure we need to proceed with uploading the image to Azure according to official documentation.
Start the VM with the uploaded image.
Once the VM is up and running, you should be able to SSH to it with password authentication as:
acretoacreto.ioChange your password after the first login
Test the network connectivity
IPsec status showing the tunnel status
ipsec statusallTraceroute to check if the traffic goes through Acreto Ecosystem
traceroute 8.8.8.8More information about checking the connectivity can be found under Connectivity Check the article where a dedicated tool is available.
This article shows how to set up vGateway on VirtualBox to connect your network to Acreto Ecosystem.
To set up the vGateway on VirtualBox first it is needed to configure the Gateway object.
Please follow the steps in Gateway creation guide with the vGateway as a type of a gateway.
To generate a VirtualBox vid image you need to:
To install the generated vdi image we need a machine with a VirtualBox hypervisor installed.
Create a new VM from vdi image by opening the Machine > New menu.
Start the VM.
Once booted log in as:
acretoacreto.ioChange your password after the first login
Test the network connectivity
IPsec status showing the tunnel status
ipsec statusallTraceroute to check if the traffic goes through Acreto Ecosystem
traceroute 8.8.8.8More information about checking the connectivity can be found under Connectivity Check article where a dedicated tool is available.
This article explains how to set up a vGateway on Raspberry Pi to connect your network to an Acreto Ecosystem.
To set up the vGateway on Raspberry Pi, you must first configure the Gateway object.
Please follow the steps below to create and configure a new Gateway that will be used as vGateway.
192.168.200.1/24To simplify testing, add the IP addresses of every interface connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using Ping, Traceroute, or similar tools.
To successfully test your connectivity, you also need to create a security policy that will allow traffic to go through your device.
To proceed with this step, you should have at least one Gateway configured as vGateway in your Ecosystem. From the left-side menu, select Objects > Gateways to display the list of existing gateways.
To generate a Raspberry Pi configuration image, you must:
To proceed with this step, you must have an image file generated by Acreto or a URL to the image for your vGateway.
To install the image, you must first proceed with flashing the SD card.
Download the write_image.sh script.
Click on the button and save the script in your home directory:
Get write_image.shor open the terminal and download the script using the command:
wget https://kb.acreto.net/reference-material/downloads/write_image.shTake the SD card out of your Raspberry Pi device.
Insert the SD card into your computer.
Use the write_image.sh script to write the image onto the SD card.
if you have an image file downloaded locally:
./write_image.sh image-file.zip /dev/sdbif you want to use the URL of an image directly:
./write_image.sh https://aws1-vgateway-images.s3.amazonaws.com/vgateway-raspberry-pi4.s.nAH2xOL8HyJIK1g8v4HEsNCt.img.zip /dev/sdbwhere /dev/sdb is the location of your SD card
Once finished, take the SD card from your computer and plug it into your device.
Restart the Raspberry device and wait until it boots from the SD Card.
Log in to your WEDGE account.
From the left menu choose the Logs > Gateways option.
As one of the last inputs, you should see information about the established connection from your Gateway.
More information about checking the connectivity can be found in the Connectivity Check article, where a dedicated tool is available.
To proceed with this step, you must have an image file generated by Acreto.
Take the SD card out of your Raspberry Pi device.
Insert the SD card into your computer, wait until it is visible in the system.
Unzip the file downloaded from WEDGE, make sure that you can see the *.img file.
Go to Raspberry Pi Software Page.
Download the last version of Raspberry Pi Imager.
Run downloaded *.exe file and install it.
If Raspberry Pi Imager doesn’t start after installation, run it manually. You should see the window presented below:
Click on the Choose OS button and select the Use custom option.
Select a downloaded image using the explorer window.
Click on the Select Storage button and choose your SD Card.
Double-check the settings and if they’re OK, click on the Write button.
The writer will warn you about erasing the current content of the SD Card, click on the YES button to continue.
Now the Writing process will start, it may take a few minutes.
When writing ends, you should see the below information.
Once finished, take the SD card from your computer and plug it into your device.
Restart the Raspberry device and wait until it boots from the SD Card.
Log in to your WEDGE account.
From the left menu choose the Logs > Gateways option.
As one of the last inputs, you should see information about the established connection from your Gateway.
More information about checking the connectivity can be found in the Connectivity Check article, where a dedicated tool is available.
By default, the Raspberry Pi has only one Ethernet adapter. But to connect your network, you’ll need an additional Ethernet adapter.
Acreto recommends using a USB Ethernet dongle facing the LAN network.
Learn how to setup OpenVPN to connect to Acreto Ecosystem on a wide range of platforms
In this article, you’ll learn how to set up an OpenVPN client on Gl.iNet and connect it to the Acreto ecosystem.
To connect GL.iNet router with Acreto Ecosystem, you will need:
Existing Acreto Ecosystem, if you don’t have one learn how to create it.
Access to Acreto Wedge.
GL.inet router with OpenVPN client installed.
Log in to the Acreto Portal.
Choose your Ecosystem.
Create a new VPN profile using tutorial or use the existing profile.
Download the Acreto VPN profile
Login to the GL.iNet routers Web Admin Panel.
From the left sidebar, goto VPN » OpenVPN Client and click Add a New OpenVPN Configuration.
Add a new OpenVPN configuration.
Upload your VPN configuration file from Acreto.
Enter a description for your VPN configuration file and then click Submit to finish the upload process.
Click Connect to start the VPN connection.
Once connected, the Disconnect button is shown on the screen along with the recieved IP address and Data sent and recieved information.
At this point, the machine is connected to Acreto Ecosystem. You may confirm that by checking logs available in Acreto Acreto Portal > Logs > User and Things.
This guide will help you to configure the Acreto Security connection on your Android device with the help of the OpenVPN app.
Android doesn’t have built-in OpenVPN support. It is required to download OpenVPN app from Google Play store.
1. Go to the Google Play Store
2. Search for the OpenVPN Connect application
3. Install the OpenVPN Connect application
4. Once the application is installed, download the configuration
Open the https://wedge.acreto.net in your favorite browser.
Add a thing named laptop on Acreto Ecosystem - check how to do it
Open the laptop thing details:
Click on Download OpenVPN config file to save the configuration.
5. Launch the application from your home screen or menu
On the following window, select FILE tab.
6. A similar permissions prompt window should be received
7. Click Allow and navigate to the folder with OpenVPN config file
By default, it should be in the downloads folder.
Make sure that OVPN is selected (see image below), then select the files you want to import and press IMPORT button on the upper-right corner.
8. Enter any title for the connection
Select Connect after import
Then press the Add button.
9. When asked for permissions
Click the OK button.
10. When prompt for a certificate
Click on Continue button.
11. The connection is successful
The connection stats window should be visible.
There you can see extensive information about your connection, such as current data throughput or duration.
12. To disconnect
Simply press the switch button next to the OpenVPN profile name and toggle it off.
This guide will help you to configure the Acreto Security connection on your Apple mobile device with the help of the OpenVPN app.
1. Go to the App Store on your iPad/iPhone
2. Enter OpenVPN connect in the search bar
3. Tap on the GET button
4. Once the application is installed, download the configuration
Open the https://wedge.acreto.net in your favorite browser.
Add a thing named laptop on Acreto Ecosystem - check how to do it
Open the laptop thing details:
Click on Download OpenVPN config file to save the configuration.
5. Launch the application from your home screen or menu
Select whether you wish to enable push notifications.
Accept the OpenVPN Policy Agreement
6. Go to home screen and open Files
7. Navigate to the folder with OpenVPN config file
Select the Share button in the upper right-hand corner.
Press Copy to OpenVPN
8. Add the VPN profile
Ensure the OpenVPN profile selected is correct, then press ADD.
9. Name the connection
Feel free to specify the profile name, by changing the field
Be sure to check the box Connect after import
10. When asked for permissions
Click Allow to allow OpenVPN to add VPN connections.
Click Yes to allow OpenVPN to enable the VPN connection.
If all went well, you should see the following
11. To disconnect
Tap on the same button you used to connect.
This article will demonstrate how to secure your Ubuntu system with an Acreto Secured Connection. To create an additional layer of security, we’ll use the OpenVPN application.
Before proceeding to the installation, make sure that you’ve added at least one Thing to your Ecosystem - if not, check how to do it.
Acreto Wedge offers a ready-to-use script that will install and configure the Acreto client on your Ubuntu system:
sudo ./acreto-connect.shOnce the script finishes downloading your device should be connected to Acreto.
Don’t want to manage the VPN setup automatically?
How to connect to OpenVPN manually using the terminal:
ctrl + alt + t).sudo apt-get install openvpncd /etc/openvpncurl -k --silent --request POST -H 'Accept: text/plain' \
https://api-is-rock-solid.acreto.net/v2/tlsvpn/config?_token=SECRETsudo apt-get install ca-certificatessudo openvpn [file name]sudo openvpn acreto.ovpnctrl + c.This article will show you how to secure your MacOS device with Acreto Secured Connection. To create an additional layer of security we will use the Tunnelblick app.
The Tunnelblick application is a recommended option for connecting to ACRETO servers on your Mac.
1. Download the Tunnelblick
Tunnelblick provides free, user-friendly control of OpenVPN client connections for macOS.
2. Download the OpenVPN configuration
Add a thing named laptop on Acreto Ecosystem - check how to do it
Open the laptop thing details:
Save the file as-is, or change the name to acreto-thing.ovpn
3. To begin the installation of OpenVPN for macOS
Navigate to your Downloads folder and double-click the Tunnelblick image (DMg) file you just downloaded
4. Double-click on the Tunnelblick icon in the Tunnelblick disk image Finder window
5. A dialog box will appear
Tunnelblick is an app downloaded from the Internet. Are you sure you want to open it?
Click Open
6. The installer will ask for your password. Enter it and click OK:
7. After the installation completes, you will see a pop-up notification:
Installation succeeded. Tunnelblick was successfully installed. Do you wish to launch Tunnelblick now? (An administrator username and password will be required so Tunnelblick can be secured.).
Click Launch
8. Alternatively, you can click on the Tunnelblick icon on the status bar
and click VPN details:
9. A dialog box will appear:
There are no configurations installed.
Click I have configuration files
10. A pop-up will appear with instructions on how to import configuration files:
Click OK
11. Drag and drop the previously downloaded .ovpn file
From your Downloads folder, copy->paste or drag and drop to the Configurations tab on the Tunnelblick.
12. A new pop-up will appear
The Installer will ask if you want to install the configuration profile for your current user only, or for all users on your Mac.
Select your preferred option: [All Users] / [Cancel] / [Only Me]
13. You will be asked to enter your password again.
14. A new pop-up warning will appear about comp-lzo deprecation.
You can safely check the Do not warn about this again and click OK.
15. Select the server and click Connect.
16. You are connected to the VPN
17. Check your IP address
Browse to https://www.myip.com/ and verify your IP and network (should be different than your ISP).
18. Disconnect
Click on the Tunnelblick icon in your menu bar and select Disconnect from the drop-down menu.
This article will show you how to secure your Microsoft Windows with Acreto Secured Connection. To create an additional layer of security we will use the OpenVPN application.
Use these steps to set up a VPN on a computer running Windows 10.
You can set up a manual OpenVPN connection by using the OpenVPN application.
1. Download the OpenVPN GUI application
https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe
2. Open the installer file
3. Follow the setup wizard
4. Once the application is installed, download the configuration
Add a thing named laptop on Acreto Ecosystem - check how to do it
Open the laptop thing details:
Save the file as-is, or change the name to acreto-thing.ovpn
5. Go to the folder where the configurations are downloaded
6. Click and drag to select the OpenVPN configuration downloaded
7. Right-click on them and select Copy
8. Find the OpenVPN config folder
Right-click the OpenVPN GUI shortcut on your desktop and select Open file location.
9. Once you’re there, click the parent OpenVPN folder in the address bar
10. Extract the configuration file you need to this directory:
c:/Program Files/OpenVPN/config11. Open the OpenVPN config folder
12. Paste the copied configuration files in the folder
13. Click Continue to allow the files to be extracted to the folder
14. Note: How to prevent possible DNS leaks (optional)
If you are using Windows 10, add an extra line in the configuration files.
To do that, open the downloaded .ovpn configuration file with any text editor and paste this line:
block-outside-dnsDon’t forget to save the file before proceeding to the next steps of this tutorial.
15. Run OpenVPN
Now that the configuration files have been loaded into the proper folder for the application to detect them, let’s open the OpenVPN GUI app itself.
Double-click the shortcut on your desktop.
16. Allow the application to make necessary changes to your device
17. The application will start running in the system tray
It’s the area near your clock:
It might also be in the hidden system tray area:
18. Right-click on the application icon, hover over one of the servers, and click Connect
19. The connection log window will pop up
You don’t need to provide any passwords.
20. In a few seconds, the application will connect, and its window will disappear.
The system tray icon will turn green and indicate that you are connected when you hover over it:
21. Check Internet access and IP
Browse to https://www.myip.com/ and verify your IP and network (should be different than your ISP)
Acreto offers a comprehensive solution for businesses seeking to safeguard their access to corporate Google applications and data. This is achieved by channeling all traffic to these applications through Acreto’s advanced threat engine and instituting a restriction rule on Google to accept traffic from Acreto’s IP address exclusively. With Acreto, enterprises can be assured of a secure and reliable connection to their essential Google assets.
This document outlines a clear and easy-to-follow process for businesses to secure their corporate Google access with the help of Acreto.
Google Administrators must enforce the IP restriction rule using Context-Aware access under the Admin console to allow access only from Acreto Ecosystem IP.
When this step is done, access to Google based services will be restricted to the IP address of Acreto, only users connected by Acreto Connect Client can access it.
With this step, the IP enforcement configuration on Google is complete.
Once onboarding of all the users on Acreto is complete, the administrators can Turn-On the Context-Aware Access for everyone.
When this step is done access restriction rule will be applied to all users.
Once the user or device is connected by Acreto Connect Client, the traffic goes through Acreto Ecosystem, which is thoroughly scanned against any threat or malware. Also, the traffic leaving Acreto gains Acreto’s Exit IP as the source, meeting the Google CAA access criteria.
All traffic that comes from the user to Google is now additionaly secured.
As the administrator, I need to restrict access for OWA (Outlook Web Access) or other site/URL based on the IIS server on port 443.
Windows Server provides IP Address and Domain Restrictions feature to define and manage rules that allow or deny access to content for a specific IP address, a range of IP addresses, or a domain name or names. This feature may be combined with Acreto Ecosystem to restrict access only for users/devices connected through Acreto.
To complete this procedure those elements may be required:
To configure the behavior for allowing specific IP addresses, use the following steps:
To configure the behavior that IIS will use when denying IP addresses, use the following steps:
References: https://docs.microsoft.com/…#configuring-iis-to-deny-access-based-on-http-requests
By following these steps, restrictive access to OWA can be achieved. This solution allows access only to specific internal users while blocking it for everybody else.
After connecting the Azure network to Acreto and sending all traffic through Acreto vGateway, Azure Active Directory Domain Services managed domain fails to synchronize with Microsoft Windows Active Directory servers.
In Azure, you can see an alert:
Name: The managed domain has not completed synchronization with Azure AD for a long time
Severity: Critical
ID: AADDS500In Azure, you can see an alert:
Name: The managed domain is experiencing a network error
Severity: Critical
ID: AADDS104Most likely, your Azure network’s routing table has a default route (0.0.0.0/0) defined that routes all traffic through Acreto vGateway.
It means that also communication required to synchronize with Azure AD DS is sent through Acreto, and is SNAT’ed (its source IP address is replaced) to Acreto Allocated IP address.
Microsoft detects that synchronization traffic goes from a different source IP address than expected, and blocks that traffic. This breaks synchronization between Azure AD DS and the target server.
See Azure virtual network design for details.
Create routing configuration that will route IP addresses from Azure service tags through standard Azure gateway, while keeping default route pointing to Acreto vGateway. You can download a list of Azure IP Ranges and Service Tags – Public Cloud.
See User-defined routes for more details.
Please refer to the following additional material:
Windows activation fails when all the Internet traffic goes through Acreto.
This article describes how to resolve the KMS activation problem you might experience when you force all the traffic to go through Acreto.
You enable forced tunneling on Azure virtual network subnets to direct all Internet-bound traffic back to your on-premises network. In this scenario, the Azure virtual machines (VMs) that run Windows fail to activate Windows.
The Azure Windows VMs need to connect to the Azure KMS server for Windows activation. The activation requires that the activation request come from an Azure public IP address. The activation fails in the forced tunneling scenario because the activation request comes from Acreto instead of from an Azure public IP address.
Use the Azure custom route to route activation traffic to the Azure KMS server to resolve this problem.
The IP address of the KMS server for the Azure Global cloud is 23.102.135.246. Its DNS name is kms.core.windows.net. If you use other Azure platforms such as Azure Germany, you must use the IP address of the corresponding KMS server. For more information, see the following table:
| Platform | KMS DNS | IP |
|---|---|---|
| Azure Global | kms.core.windows.net | 23.102.135.246 |
| Azure Germany | kms.core.cloudapi.de | 51.4.143.248 |
| Azure US Government | kms.core.usgovcloudapi.net | 23.97.0.13 |
| Azure China 21Vianet | kms.core.chinacloudapi.cn | 42.159.7.249 |
Update the route table of the Subnet where Windows VM was created :
Login to Azure portal
Goto you Virtual network whose subnet’s route table needs to be modified.
In the virtual network menu bar, choose Subnets.
Select the subnet for which the route table needs to be updated.
In the Route table, add the following route :
Select Save.
With the custom route, the Window activation traffic goes directly to the Azure KMS server, and the process will be successfully completed.
When using Rasberry PI as a vGateway device, you may use a built WiFi card to create a WiFi Access point. This procedure requires modification of image created for Ecosystem you by Wedge.
Generate an image for your Raspberry device and install it on your device - check how to do it
Log in to the device.
Update system and install Hostpad
sudo apt-get update -y
sudo apt-get install -y hostapdGo to /etc/hostapd/ and check dose the file hostapd.conf exist. Edit it by adding config of your Access Point:
interface=wlan0
ssid=acreto
hw_mode=g
channel=1
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=acreto#1234
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMPGo to /etc/ipsec.d/ adn create the ipsec-leftupdown.sh file withe this content:
#! /bin/bash
# This script creates a new vti interface and adds routes based on data passed from Strongswan.
# To use, add to "conn..." section of ipsec config file:
# leftupdown=/path/to/ipsec-leftupdown.sh
set -o nounset
set -o errexit
VTI_IF="vti-${PLUTO_CONNECTION:0:10}"
VTI_IF="${VTI_IF/./}"
# Create run directory
RUNDIR=/var/run/acreto ; mkdir -p $RUNDIR
# Read configuration from config file
networks_right=''
if [ -f /etc/ipsec.d/$PLUTO_CONNECTION.route ] ; then
networks_right=`cat /etc/ipsec.d/$PLUTO_CONNECTION.route`
else
echo WARN: Routing info file /etc/ipsec.d/$PLUTO_CONNECTION.route not found
fi
# Determine gateway to use to reach ${PLUTO_PEER}
function detectGateway {
# Find a route with a 'via' address
local gateway=""
# Start with default route
# Note that we exclude gateways that are on vti- devices
[ -z "$gateway" ] && gateway=`ip route show default | grep -v 'dev vti-' | egrep -o1 'via (([0-9]{1,3}.){3}[0-9]{1,3})' | head -1 |cut -d' ' -f2 `
# Try 'ip route get'
# It's not first rule because it doesn't survive link change
[ -z "$gateway" ] && gateway=`ip route get $1 | grep -v 'dev vti-' | egrep -o 'via (([0-9]{1,3}.){3}[0-9]{1,3})' |cut -d' ' -f2`
# Fallback to a previously detected gateway
[ -z "$gateway" ] && gateway=`cat $RUNDIR/local-gateway.conf` || true
# Save detected gateway
[ ! -z "$gateway" ] && echo $gateway > $RUNDIR/local-gateway.conf
echo $gateway
}
set -x
gateway=`detectGateway ${PLUTO_PEER}`
case "${PLUTO_VERB}" in
up-client)
if ip tunnel show "${VTI_IF}" ; then
op=change
else
op=add
fi
ip tunnel $op "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
ip link set "${VTI_IF}" up
sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
for net in $networks_right ; do
if [ $net == '0.0.0.0/0' ] ; then
# Ensure that PEER is always accessible if we set up default route (and ignore errors)
[ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
# Ensure we don't have any other default gateway defined
while ip route show default|grep -q default ; do
ip route del default
done
fi
ip route add $net dev ${VTI_IF}
done
;;
down-client)
# Ensure that PEER is always accessible if we set up default route (and ignore errors)
[ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
# Nothing else to do here:
# 1. We don't delete the tunnel interface and routing setup because it causes connection reset, as down-client is called whenever a connectionis renegotiated, and it makes apps (like mtr) break.
# 2. We also don't remove the specific route to our gateway to be able to re-establish the connection.
# 3. We also don't recover the default gateway, as we want to block all traffic if the tunnel is down.
;;
esacGo to /etc/netplan/ and check does the 50-acreto.yaml file (or common) exist. Edit it by adding Access Point configuration:
network:
version: 2
+ renderer: NetworkManager
ethernets:
eth0:
dhcp4: yes
+ wifis:
- eth1:
+ wlan0:
addresses:
- 10.153.250.1/29
+ dhcp4: true
+ optional: true
+ access-points:
+ "acreto":
+ password: "acreto#1234"
+ mode: apAfter all of the modifications content of the folder should look like this:
Custom /boot/firmware/strongswan.zip contents
❯ tree custom
custom
└── etc
├── default
│ └── hostapd <-- added one line
├── hostapd
│ └── hostapd.conf <-- all WiFi settings
├── ipsec.d
│ ├── 402fd2ced4.conf
│ ├── 402fd2ced4.route
│ └── ipsec-leftupdown.sh <-- added iptables commands to flush rules
├── ipsec.secrets
├── netplan
│ └── 50-acreto.yaml <-- added configuration for ap mode and IP
└── sysctl.d
└── 10_ac_ip_forward.confRestart the device to provide all of the changes.
Try to connect to the acreto wifi network using acreto#1234 as a password.
After the device restart, you should be able to connect to the Acreto WiFi network. All traffic will go thru the Ecosystem and should be visible in logs.
The company wants to restrict access to Office 365 in the following ways.
Apply these configurations to O365 in a simple fashion. (e.g. from a centralized GUI without having to log into MSFT console)
Acreto solution allows us to secure access to Office365/OneDrive using Microsoft Azure AD.
Acreto will provide the policy configurations to control the following:
To solve the described issue you will need:
Make sure that you have all the required elements before you will start.
As a first step you need to create a secure connection between end-user and acreto - use one of two possible solutions:
No matter which way you choose, after you connect to Acreto your external IP address should be masked with Acreto gateway - this means that any Internet service or website will be not able to see your real IP address. Acreto will mask your IP with an address that you may find in WEDGE panel - go to Allocated IP’s and then find Default Exit position - this is your Secured IP address.
Make this IP address to be the only address that should be allowed to access Office365/OneDrive services in your organization.
If you already secured your internet connection with Acreto it’s time to make a security rule on Microsoft Azure ActiveDirectory.
1.Login to Azure panel as a user with administrator right and click on Azure Active Directory icon:
2. Choose the “Security” option marked on the screen below.
3.Create Named location - named and defined IP address range that will be allowed to access Office365/OneDrive.
To do this click on Named location on side menu (marked as “1”) and then click on + New location (marked as “2”).
4. Fill new location form with readable name and choose options and save:
5.Create a security rule to limit access to Office365/OneDrive
Choose Conditional Acces option from the side menu and click on ** + New policy ** button.
The form of policy creation is advanced and offers many options, in this scenario we will use a minimal amount of options that allow us to get a working configuration.
That’s a minimum required configuration necessary to make a goal of this case.
6. Make sure that Enable policy: On. -
This option is displayed on the bottom right part of the screen and it decided does the whole configuration is on.
If you can’t turn the rule on it’s possible that you need to disable Security Defaults
7. Double-check all rules and click on the save button.
To verify does the created access rules works we do a two-part test:
In both tests, we will use a user account managed by Azure AD. This account is added to the created rule of conditional access.
At the first test, we will check dose it possible to log in to Office365 from an internet connection that is not secured with Acreto.
The login page should return information that the User is not able to log in because does not meet the criteria to access this resource. This means that created security rule work.
In the second test user use Acreto secured internet connection and trying to login to office.com
The login page works in a standard way and allows the user to access his account.
Thanks to Acreto and Azure AD conditional access rules you can create advanced security solutions.
The Domain Name System (DNS) translates user-friendly domain names (like acreto.io) into IP addresses that computers use to communicate. Traditionally, DNS queries and responses have been transmitted without encryption, making them vulnerable to interception, manipulation, or surveillance. DNS encryption methods, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt, have emerged to address these vulnerabilities by enhancing privacy and data security during DNS resolution.
While DNS encryption enhances user privacy by protecting DNS queries from eavesdropping, it also introduces certain security challenges. Encrypted DNS can make it difficult for organizations to monitor DNS traffic, potentially hindering efforts to prevent malware infections, restrict access to harmful websites, or enforce network policies. This privacy versus security dilemma often forces network administrators to strike a balance maintaining user anonymity and ensuring proper control of network activity.
In some cases, end-users utilizing platforms or browsers that implement encrypted DNS may experience issues reaching resources defined in internal DNS servers (available when connected to the Ecosystem) when the administrator has redirected default DNS using DNAT rules.
This challenge arises due to the aforementioned Privacy vs. Security Dilemma. The Ecosystem cannot decrypt the DNS request, meaning it cannot be properly redirected using a DNAT rule. As a result, encrypted DNS requests are dropped, and users receive an error message.
Since there is no universal standard for encryption, and no feature allowing decryption of encrypted requests (which would defeat the purpose of encryption), the only reliable solution is to turn off all DNS encryption methods on the device. Remember that privacy is not the same as security. If traffic is encrypted, it may be harder to protect the user and their devices.
Below, you will find a brief guide on how to disable the most popular DNS encryption methods.
DNS over HTTPS (DoH)
about:config, search for network.trr.mode, and set it to 5 (disable DoH).chrome://flags/, search for “Secure DNS”, and disable it.Settings > Network & Internet > Change Adapter Options, then disable Secure DNS in the advanced settings.DNS over TLS (DoT)
Settings > Network & Internet > Advanced > Private DNS, and set it to “Off”./etc/systemd/resolved.conf and set DNSOverTLS=no.DNSCrypt
DNS encryption methods like DoH, DoT, and DNSCrypt are potent tools for enhancing privacy in an increasingly surveillance-prone online world. However, they also come with trade-offs impacting network security and administrative control. While encryption can provide privacy, turning it off when the Acreto Ecosystem is protecting the whole network ensures effective security measures can be applied.
Acreto Support User Management - as an Ecosystem administrator, you may create user accounts or import them from LDAP / identity providers (like Azure Active Directory, Okta ) and invite them to start using Acreto by email or link.
Before you invite users to Acreto, make sure that Identity provider is present and configured in your Ecosystem.
Acreto allows inviting users that exist in LDAP/Identity provider service(s) connected to the Ecosystem and have an email address in account details.
To invite user by e-mail:
Acreto allows inviting users that exist in LDAP/Identity provider service connected to the Ecosystem.
To invite user by the link:
Done! Any user that gets this link and has LDAP/Identytiy provider credentials may configure and connect to Acreto.