voltron/PowerCLI-Example-Scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added Get/New/Remove functions for Policy Based VPN

Browse Source
This commit is contained in:
William Lam
2019-05-09 06:50:22 -07:00
parent f4fc007bd5
commit 5f1a86e78b
2 changed files with 296 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psd1
View File

@@ -36,7 +36,13 @@ Description = 'PowerShell Module for Managing NSX-T on VMware Cloud on AWS'
PowerShellVersion = '6.0' PowerShellVersion = '6.0'
# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
FunctionsToExport = 'Connect-NSXTProxy', 'Get-NSXTSegment', 'New-NSXTSegment', 'Remove-NSXTSegment', 'Get-NSXTGroup', 'New-NSXTGroup', 'Remove-NSXTGroup', 'Get-NSXTService', 'New-NSXTService', 'Get-NSXTFirewall', 'New-NSXTFirewall', 'Remove-NSXTFirewall', 'Get-NSXTDistFirewallSection', 'Get-NSXTDistFirewall', 'New-NSXTDistFirewall', 'Remove-NSXTDistFirewall', 'Get-NSXTRouteTable', 'Get-NSXTOverviewInfo', 'Get-NSXTInfraScope', 'Get-NSXTInfraGroup', 'New-NSXTRouteBasedVPN', 'Get-NSXTRouteBasedVPN', 'Remove-NSXTRouteBasedVPN', 'Remove-NSXTService', 'New-NSXTDistFirewallSection', 'Get-NSXTDistFirewallSection' FunctionsToExport = 'Connect-NSXTProxy', 'Get-NSXTSegment', 'New-NSXTSegment', 'Remove-NSXTSegment', `
'Get-NSXTGroup', 'New-NSXTGroup', 'Remove-NSXTGroup', 'Get-NSXTService', 'New-NSXTService', `
'Get-NSXTFirewall', 'New-NSXTFirewall', 'Remove-NSXTFirewall', 'Get-NSXTDistFirewallSection', `
'Get-NSXTDistFirewall', 'New-NSXTDistFirewall', 'Remove-NSXTDistFirewall', 'Get-NSXTRouteTable', `
'Get-NSXTOverviewInfo', 'Get-NSXTInfraScope', 'Get-NSXTInfraGroup', 'New-NSXTRouteBasedVPN', `
'Get-NSXTRouteBasedVPN', 'Remove-NSXTRouteBasedVPN', 'Remove-NSXTService', 'New-NSXTDistFirewallSection', 'Get-NSXTDistFirewallSection', `
'New-NSXTPolicyBasedVPN', 'Get-NSXTPolicyBasedVPN', 'Remove-NSXTPolicyBasedVPN'
# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
CmdletsToExport = @() CmdletsToExport = @()

297
Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1
View File

@@ -2089,20 +2089,32 @@ Function Get-NSXTRouteBasedVPN {
if($requests.StatusCode -eq 200) { if($requests.StatusCode -eq 200) {
$groups = ($requests.Content | ConvertFrom-Json).results $groups = ($requests.Content | ConvertFrom-Json).results
if ($PSBoundParameters.ContainsKey("Name")){ if ($PSBoundParameters.ContainsKey("Name")){
$groups = $groups | where {$_.display_name -eq $Name} $groups = $groups | where {$_.display_name -eq $Name}
} }
$results = @() $results = @()
foreach ($group in $groups) { foreach ($group in $groups) {
$tmp = [pscustomobject] @{ if($group.l3vpn_session.resource_type -eq "RouteBasedL3VpnSession") {
Name = $group.display_name; $tmp = [pscustomobject] @{
ID = $group.id; Name = $group.display_name;
Path = $group.path; ID = $group.id;
RoutingConfigPath = $group.l3vpn_session.routing_config_path; Path = $group.path;
Routing_Config_Path = $group.l3vpn_session.routing_config_path;
Local_IP = $group.local_address;
Remote_Public_IP = $group.remote_public_address;
Tunnel_IP_Address = $group.l3vpn_session.tunnel_subnets.ip_addresses
IKE_Version = $group.ike_version;
IKE_Encryption = $group.ike_encryption_algorithms;
IKE_Digest = $group.ike_digest_algorithms;
Tunnel_Encryption = $group.tunnel_encryption_algorithms;
Tunnel_Digest = $group.tunnel_digest_algorithms;
DH_Group = $group.dh_groups;
Created_by = $group._create_user;
Last_Modified_by = $group._last_modified_user;
}
$results+=$tmp
} }
$results+=$tmp
} }
$results $results
} }
@@ -2194,4 +2206,273 @@ Function Remove-NSXTRouteBasedVPN {
Write-Host "Successfully removed NSX-T BGP Neighbor" Write-Host "Successfully removed NSX-T BGP Neighbor"
} }
} }
} }
Function New-NSXTPolicyBasedVPN {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 05/09/2019
Organization: VMware
Blog: http://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Creates a new NSX-T Policy Based VPN
.DESCRIPTION
This cmdlet creates a new NSX-T Policy Based VPN
.EXAMPLE
New-NSXTPolicyBasedVPN -Name Policy1 `
-LocalIP 18.194.102.229 `
-RemotePublicIP 3.122.124.16 `
-RemotePrivateIP 169.254.90.1 `
-SequenceNumber 0 `
-SourceIPs @("192.168.4.0/24", "192.168.5.0/24") `
-DestinationIPs @("172.204.10.0/24", "172.204.20.0/24") `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
-PresharedPassword VMware123. `
-Troubleshoot
#>
param(
[Parameter(Mandatory=$true)][String]$Name,
[Parameter(Mandatory=$true)][String]$LocalIP,
[Parameter(Mandatory=$true)][String]$RemotePublicIP,
[Parameter(Mandatory=$true)][String]$RemotePrivateIP,
[Parameter(Mandatory=$True)]$SequenceNumber,
[Parameter(Mandatory=$true)][String[]]$SourceIPs,
[Parameter(Mandatory=$true)][String[]]$DestinationIPs,
[Parameter(Mandatory=$true)][String][ValidateSet("AES_128","AES_256","AES_GCM_128","AES_GCM_192","AES_GCM_256")]$TunnelEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("SHA1","SHA2_256")]$TunnelDigestEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("AES_128","AES_256","AES_GCM_128","AES_GCM_192","AES_GCM_256")]$IKEEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("SHA1","SHA2_256")]$IKEDigestEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("GROUP2","GROUP5","GROUP14","GROUP15","GROUP16")]$DHGroup,
[Parameter(Mandatory=$true)][String][ValidateSet("IKE_V1","IKE_V2","IKE_FLEX")]$IKEVersion,
[Parameter(Mandatory=$true)][String]$PresharedPassword,
[Switch]$Troubleshoot
)
If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else {
$generatedId = (New-Guid).Guid
$sources = @()
foreach ($source in $SourceIPs) {
$tmp = @{ subnet = $source}
$sources+=$tmp
}
$destinations = @()
foreach ($destination in $DestinationIPs) {
$tmp = @{ subnet = $destination}
$destinations+=$tmp
}
$payload = @{
display_name = $Name;
enabled = $true;
local_address = $LocalIP;
remote_private_address = $RemotePrivateIP;
remote_public_address = $RemotePublicIP;
passphrases = @("$PresharedPassword");
tunnel_digest_algorithms = @("$TunnelDigestEncryption");
tunnel_encryption_algorithms = @("$TunnelEncryption");
ike_digest_algorithms = @("$IKEDigestEncryption");
ike_encryption_algorithms = @("$IKEEncryption");
enable_perfect_forward_secrecy = $true;
dh_groups = @("$DHGroup");
ike_version = $IKEVersion;
l3vpn_session = @{
resource_type = "PolicyBasedL3VpnSession";
rules = @(
@{
id = $generatedId;
display_name = $generatedId;
sequence_number = $SequenceNumber;
sources = @($sources)
destinations = @($destinations)
}
)
}
}
$body = $payload | ConvertTo-Json -Depth 5
$method = "put"
$policyBasedVPNURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns/$Name"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $METHOD`n$policyBasedVPNURL`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $policyBasedVPNURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $policyBasedVPNURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in configuring Policy Based VPN"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
Write-Host "Successfully created Policy Based VPN"
($requests.Content | ConvertFrom-Json)
}
}
}
Function Get-NSXTPolicyBasedVPN {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 05/09/2019
Organization: VMware
Blog: http://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Returns all NSX-T Policy Based VPN Tunnels
.DESCRIPTION
This cmdlet retrieves all NSX-T Policy Based VPN Tunnels description
.EXAMPLE
Get-NSXTPolicyBasedVPN
.EXAMPLE
Get-NSXTPolicyBasedVPN -Name "VPN-T1"
#>
param(
[Parameter(Mandatory=$false)][String]$Name,
[Switch]$Troubleshoot
)
If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else {
$method = "GET"
$policyBaseVPNURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$routeBaseVPNURL`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $policyBaseVPNURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $policyBaseVPNURL -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in retrieving NSX-T Policy Based VPN Tunnels"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
$groups = ($requests.Content | ConvertFrom-Json).results
if ($PSBoundParameters.ContainsKey("Name")){
$groups = $groups | where {$_.display_name -eq $Name}
}
$results = @()
foreach ($group in $groups) {
if($group.l3vpn_session.resource_type -eq "PolicyBasedL3VpnSession") {
$tmp = [pscustomobject] @{
Name = $group.display_name;
ID = $group.id;
Path = $group.path;
Local_IP = $group.local_address;
Remote_Public_IP = $group.remote_public_address;
Tunnel_IP_Address = $group.remote_private_address;
IKE_Version = $group.ike_version;
IKE_Encryption = $group.ike_encryption_algorithms;
IKE_Digest = $group.ike_digest_algorithms;
Tunnel_Encryption = $group.tunnel_encryption_algorithms;
Tunnel_Digest = $group.tunnel_digest_algorithms;
DH_Group = $group.dh_groups;
IP_Sources = $group.l3vpn_session.rules.sources.subnet;
IP_Destinations = $group.l3vpn_session.rules.destinations.subnet
Created_by = $group._create_user;
Last_Modified_by = $group._last_modified_user;
}
$results+=$tmp
}
}
$results
}
}
}
Function Remove-NSXTPolicyBasedVPN {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 05/09/2019
Organization: VMware
Blog: http://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Removes a policy based VPN Tunnel
.DESCRIPTION
This cmdlet removes a policy based VPN Tunnel
.EXAMPLE
Remove-NSXTPolicyBasedVPN -Name "Policy1" -Troubleshoot
#>
Param (
[Parameter(Mandatory=$True)]$Name,
[Switch]$Troubleshoot
)
If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else {
$TunnelId = (Get-NSXTPolicyBasedVPN -Name $Name).ID
# Delete IPSEC tunnel
$method = "DELETE"
$deleteVPNtunnelURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns/$TunnelId"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$deleteVPNtunnelURL`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $deleteVPNtunnelURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $deleteVPNtunnelURL -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in removing NSX-T VPN Tunnel: $Name"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
Write-Host "Successfully removed NSX-T VPN Tunnel: $Name"
}
}
}