From 5f1a86e78ba5351d3b3128dcd2ca0ed81503549a Mon Sep 17 00:00:00 2001 From: William Lam Date: Thu, 9 May 2019 06:50:22 -0700 Subject: [PATCH] Added Get/New/Remove functions for Policy Based VPN --- Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psd1 | 8 +- Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 | 297 ++++++++++++++++++- 2 files changed, 296 insertions(+), 9 deletions(-) diff --git a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psd1 b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psd1 index c18be71..3f6f507 100644 --- a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psd1 +++ b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psd1 @@ -36,7 +36,13 @@ Description = 'PowerShell Module for Managing NSX-T on VMware Cloud on AWS' PowerShellVersion = '6.0' # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. -FunctionsToExport = 'Connect-NSXTProxy', 'Get-NSXTSegment', 'New-NSXTSegment', 'Remove-NSXTSegment', 'Get-NSXTGroup', 'New-NSXTGroup', 'Remove-NSXTGroup', 'Get-NSXTService', 'New-NSXTService', 'Get-NSXTFirewall', 'New-NSXTFirewall', 'Remove-NSXTFirewall', 'Get-NSXTDistFirewallSection', 'Get-NSXTDistFirewall', 'New-NSXTDistFirewall', 'Remove-NSXTDistFirewall', 'Get-NSXTRouteTable', 'Get-NSXTOverviewInfo', 'Get-NSXTInfraScope', 'Get-NSXTInfraGroup', 'New-NSXTRouteBasedVPN', 'Get-NSXTRouteBasedVPN', 'Remove-NSXTRouteBasedVPN', 'Remove-NSXTService', 'New-NSXTDistFirewallSection', 'Get-NSXTDistFirewallSection' +FunctionsToExport = 'Connect-NSXTProxy', 'Get-NSXTSegment', 'New-NSXTSegment', 'Remove-NSXTSegment', ` +'Get-NSXTGroup', 'New-NSXTGroup', 'Remove-NSXTGroup', 'Get-NSXTService', 'New-NSXTService', ` +'Get-NSXTFirewall', 'New-NSXTFirewall', 'Remove-NSXTFirewall', 'Get-NSXTDistFirewallSection', ` +'Get-NSXTDistFirewall', 'New-NSXTDistFirewall', 'Remove-NSXTDistFirewall', 'Get-NSXTRouteTable', ` +'Get-NSXTOverviewInfo', 'Get-NSXTInfraScope', 'Get-NSXTInfraGroup', 'New-NSXTRouteBasedVPN', ` +'Get-NSXTRouteBasedVPN', 'Remove-NSXTRouteBasedVPN', 'Remove-NSXTService', 'New-NSXTDistFirewallSection', 'Get-NSXTDistFirewallSection', ` +'New-NSXTPolicyBasedVPN', 'Get-NSXTPolicyBasedVPN', 'Remove-NSXTPolicyBasedVPN' # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. CmdletsToExport = @() diff --git a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 index f3ea7e6..0a7b5bd 100644 --- a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 +++ b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 @@ -2089,20 +2089,32 @@ Function Get-NSXTRouteBasedVPN { if($requests.StatusCode -eq 200) { $groups = ($requests.Content | ConvertFrom-Json).results - if ($PSBoundParameters.ContainsKey("Name")){ $groups = $groups | where {$_.display_name -eq $Name} } $results = @() foreach ($group in $groups) { - $tmp = [pscustomobject] @{ - Name = $group.display_name; - ID = $group.id; - Path = $group.path; - RoutingConfigPath = $group.l3vpn_session.routing_config_path; + if($group.l3vpn_session.resource_type -eq "RouteBasedL3VpnSession") { + $tmp = [pscustomobject] @{ + Name = $group.display_name; + ID = $group.id; + Path = $group.path; + Routing_Config_Path = $group.l3vpn_session.routing_config_path; + Local_IP = $group.local_address; + Remote_Public_IP = $group.remote_public_address; + Tunnel_IP_Address = $group.l3vpn_session.tunnel_subnets.ip_addresses + IKE_Version = $group.ike_version; + IKE_Encryption = $group.ike_encryption_algorithms; + IKE_Digest = $group.ike_digest_algorithms; + Tunnel_Encryption = $group.tunnel_encryption_algorithms; + Tunnel_Digest = $group.tunnel_digest_algorithms; + DH_Group = $group.dh_groups; + Created_by = $group._create_user; + Last_Modified_by = $group._last_modified_user; + } + $results+=$tmp } - $results+=$tmp } $results } @@ -2194,4 +2206,273 @@ Function Remove-NSXTRouteBasedVPN { Write-Host "Successfully removed NSX-T BGP Neighbor" } } -} \ No newline at end of file +} + +Function New-NSXTPolicyBasedVPN { +<# +.NOTES +=========================================================================== +Created by: William Lam +Date: 05/09/2019 +Organization: VMware +Blog: http://www.virtuallyghetto.com +Twitter: @lamw +=========================================================================== + +.SYNOPSIS + Creates a new NSX-T Policy Based VPN +.DESCRIPTION + This cmdlet creates a new NSX-T Policy Based VPN +.EXAMPLE + New-NSXTPolicyBasedVPN -Name Policy1 ` + -LocalIP 18.194.102.229 ` + -RemotePublicIP 3.122.124.16 ` + -RemotePrivateIP 169.254.90.1 ` + -SequenceNumber 0 ` + -SourceIPs @("192.168.4.0/24", "192.168.5.0/24") ` + -DestinationIPs @("172.204.10.0/24", "172.204.20.0/24") ` + -TunnelEncryption AES_256 ` + -TunnelDigestEncryption SHA2_256 ` + -IKEEncryption AES_256 ` + -IKEDigestEncryption SHA2_256 ` + -DHGroup GROUP14 ` + -IKEVersion IKE_V1 ` + -PresharedPassword VMware123. ` + -Troubleshoot +#> + param( + [Parameter(Mandatory=$true)][String]$Name, + [Parameter(Mandatory=$true)][String]$LocalIP, + [Parameter(Mandatory=$true)][String]$RemotePublicIP, + [Parameter(Mandatory=$true)][String]$RemotePrivateIP, + [Parameter(Mandatory=$True)]$SequenceNumber, + [Parameter(Mandatory=$true)][String[]]$SourceIPs, + [Parameter(Mandatory=$true)][String[]]$DestinationIPs, + [Parameter(Mandatory=$true)][String][ValidateSet("AES_128","AES_256","AES_GCM_128","AES_GCM_192","AES_GCM_256")]$TunnelEncryption, + [Parameter(Mandatory=$true)][String][ValidateSet("SHA1","SHA2_256")]$TunnelDigestEncryption, + [Parameter(Mandatory=$true)][String][ValidateSet("AES_128","AES_256","AES_GCM_128","AES_GCM_192","AES_GCM_256")]$IKEEncryption, + [Parameter(Mandatory=$true)][String][ValidateSet("SHA1","SHA2_256")]$IKEDigestEncryption, + [Parameter(Mandatory=$true)][String][ValidateSet("GROUP2","GROUP5","GROUP14","GROUP15","GROUP16")]$DHGroup, + [Parameter(Mandatory=$true)][String][ValidateSet("IKE_V1","IKE_V2","IKE_FLEX")]$IKEVersion, + [Parameter(Mandatory=$true)][String]$PresharedPassword, + [Switch]$Troubleshoot + ) + + If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { + + $generatedId = (New-Guid).Guid + + $sources = @() + foreach ($source in $SourceIPs) { + $tmp = @{ subnet = $source} + $sources+=$tmp + } + + $destinations = @() + foreach ($destination in $DestinationIPs) { + $tmp = @{ subnet = $destination} + $destinations+=$tmp + } + + $payload = @{ + display_name = $Name; + enabled = $true; + local_address = $LocalIP; + remote_private_address = $RemotePrivateIP; + remote_public_address = $RemotePublicIP; + passphrases = @("$PresharedPassword"); + tunnel_digest_algorithms = @("$TunnelDigestEncryption"); + tunnel_encryption_algorithms = @("$TunnelEncryption"); + ike_digest_algorithms = @("$IKEDigestEncryption"); + ike_encryption_algorithms = @("$IKEEncryption"); + enable_perfect_forward_secrecy = $true; + dh_groups = @("$DHGroup"); + ike_version = $IKEVersion; + + l3vpn_session = @{ + resource_type = "PolicyBasedL3VpnSession"; + rules = @( + @{ + id = $generatedId; + display_name = $generatedId; + sequence_number = $SequenceNumber; + sources = @($sources) + destinations = @($destinations) + } + ) + } + } + $body = $payload | ConvertTo-Json -Depth 5 + + $method = "put" + $policyBasedVPNURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns/$Name" + + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $METHOD`n$policyBasedVPNURL`n" + } + + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $policyBasedVPNURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $policyBasedVPNURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in configuring Policy Based VPN" + Write-Error "`n($_.Exception.Message)`n" + break + } + } + + if($requests.StatusCode -eq 200) { + Write-Host "Successfully created Policy Based VPN" + ($requests.Content | ConvertFrom-Json) + } + } +} + +Function Get-NSXTPolicyBasedVPN { +<# +.NOTES +=========================================================================== +Created by: William Lam +Date: 05/09/2019 +Organization: VMware +Blog: http://www.virtuallyghetto.com +Twitter: @lamw +=========================================================================== + +.SYNOPSIS + Returns all NSX-T Policy Based VPN Tunnels +.DESCRIPTION + This cmdlet retrieves all NSX-T Policy Based VPN Tunnels description +.EXAMPLE + Get-NSXTPolicyBasedVPN +.EXAMPLE + Get-NSXTPolicyBasedVPN -Name "VPN-T1" +#> + param( + [Parameter(Mandatory=$false)][String]$Name, + [Switch]$Troubleshoot + ) + + If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { + $method = "GET" + $policyBaseVPNURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns" + + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$routeBaseVPNURL`n" + } + + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $policyBaseVPNURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $policyBaseVPNURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in retrieving NSX-T Policy Based VPN Tunnels" + Write-Error "`n($_.Exception.Message)`n" + break + } + } + + if($requests.StatusCode -eq 200) { + $groups = ($requests.Content | ConvertFrom-Json).results + if ($PSBoundParameters.ContainsKey("Name")){ + $groups = $groups | where {$_.display_name -eq $Name} + } + + $results = @() + foreach ($group in $groups) { + if($group.l3vpn_session.resource_type -eq "PolicyBasedL3VpnSession") { + $tmp = [pscustomobject] @{ + Name = $group.display_name; + ID = $group.id; + Path = $group.path; + Local_IP = $group.local_address; + Remote_Public_IP = $group.remote_public_address; + Tunnel_IP_Address = $group.remote_private_address; + IKE_Version = $group.ike_version; + IKE_Encryption = $group.ike_encryption_algorithms; + IKE_Digest = $group.ike_digest_algorithms; + Tunnel_Encryption = $group.tunnel_encryption_algorithms; + Tunnel_Digest = $group.tunnel_digest_algorithms; + DH_Group = $group.dh_groups; + IP_Sources = $group.l3vpn_session.rules.sources.subnet; + IP_Destinations = $group.l3vpn_session.rules.destinations.subnet + Created_by = $group._create_user; + Last_Modified_by = $group._last_modified_user; + } + $results+=$tmp + } + } + $results + } + } +} + +Function Remove-NSXTPolicyBasedVPN { +<# + .NOTES + =========================================================================== + Created by: William Lam + Date: 05/09/2019 + Organization: VMware + Blog: http://www.virtuallyghetto.com + Twitter: @lamw + =========================================================================== + + .SYNOPSIS + Removes a policy based VPN Tunnel + .DESCRIPTION + This cmdlet removes a policy based VPN Tunnel + .EXAMPLE + Remove-NSXTPolicyBasedVPN -Name "Policy1" -Troubleshoot +#> + Param ( + [Parameter(Mandatory=$True)]$Name, + [Switch]$Troubleshoot + ) + + If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { + $TunnelId = (Get-NSXTPolicyBasedVPN -Name $Name).ID + + # Delete IPSEC tunnel + $method = "DELETE" + $deleteVPNtunnelURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns/$TunnelId" + + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$deleteVPNtunnelURL`n" + } + + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $deleteVPNtunnelURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $deleteVPNtunnelURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in removing NSX-T VPN Tunnel: $Name" + Write-Error "`n($_.Exception.Message)`n" + break + } + } + + if($requests.StatusCode -eq 200) { + Write-Host "Successfully removed NSX-T VPN Tunnel: $Name" + } + } +}