13.04.2008
Updated 23.04.2008
Vyatta VC4 - Advanced VPN Site-to-Site Connections - Part 8 - Configure IPIP/IPsec in Case of Scenario 1 Using IPsec ESP in Tunnel Mode and as IPIP Tunnel Endpoints Private IP Addresses from the Loopback Interfaces
- 1. Vyatta HQ IPIP/IPsec Config
- 2. Vyatta Branch1 IPIP/IPsec Config
- 3. Vyatta Branch2 IPIP/IPsec Config
- 4. Make The hub-and-spoke Topology a Mesh One
In Part 7 we've configured GRE/IPsec, now let's configure IPIP/IPsec in case of Scenario 1. If you do not recall what was Scenario 1 take a look here. As in Part 7, due to the reasons mentioned there, we will use for the IPIP tunnel endpoints private IP addresses from the loopback interfaces and IPsec ESP in tunnel mode. So we are going to use the working configuration (adjusting it for IPIP tunnels) suggested by Stig for GRE/IPsec on vyatta.org/forum. You may like to read the entire thread.
As before I will enable VMware Network AdapterVMnet5, see Figure110.
Figure110: VMware Network Adapter VMnet5 Enabled
And I will start a Wireshark capture on the VMnet5 interface on the host machine(see Figure111, make sure "Capture packets in promiscous mode " is selected) . Doing so, I will have central point of view over the traffic sent between Vyatta VC4 machines, I will see the IKE negotiations, the IPsec traffic and so on. This is very useful for troubleshooting and we can actually see how things work.
Figure111: Start a Wireshark capture on the VMnet5 interface on the host machine
1. Vyatta HQ IPIP/IPsec Config
On the Vyatta HQ machine, since we are using a hub-and-spoke topology and Vyatta HQ is the hub, we will create two IPIP tunnels, one to Branch1 and the other to Branch2. Also we will create two IPsec VPN site-to-site connections, one to Branch1(to protect the IPIP tunnel between HQ and Branch1), and the other to Branch2(to protect the IPIP tunnel between HQ and Branch2).
Configure the loopback interface with two IP addresses which will serve as local IPIP tunnel endpoints(one for the IPIP tunnel between HQ and Branch1 and the other for the IPIP tunnel between HQ and Branch2). And commit your settings.
set interfaces loopback lo address 192.168.200.1/24 set interfaces loopback lo address 192.168.210.1/24 commit
Configure two IPIP tunnels. The remote-ip (remote tunnel endpoint) will be the IP address configured on the loopback interface of Vyatta Branch1 for the IPIP tunnel between HQ and Branch1, and respectively the IP address configured on the loopback interface of Vyatta Branch2 for the IPIP tunnel between HQ and Branch2. In practice you may shrink the IP address ranges from the tunnel interfaces from /24 to /30(since these are point-to-point tunnels). I will not commit my settings yet, because I want to protect the tunnels first, so that no packet can travel in clear.
set interfaces tunnel tun1 set interfaces tunnel tun1 address 192.168.111.1/24 set interfaces tunnel tun1 description "IPIP Tunnel to Branch1" set interfaces tunnel tun1 encapsulation ipip set interfaces tunnel tun1 local-ip 192.168.200.1 set interfaces tunnel tun1 remote-ip 192.168.220.1
set interfaces tunnel tun2 set interfaces tunnel tun2 address 192.168.121.1/24 set interfaces tunnel tun2 description "IPIP Tunnel to Branch2" set interfaces tunnel tun2 encapsulation ipip set interfaces tunnel tun2 local-ip 192.168.210.1 set interfaces tunnel tun2 remote-ip 192.168.230.1
And the VPN configuration. I've configured an ike-group and an esp-group (by default IPsec ESP in tunnel mode is used). And two IPsec VPN site-to-site connections, one to Branch1(to protect the IPIP tunnel between HQ and Branch1), and the other to Branch2(to protect the IPIP tunnel between HQ and Branch2). Note the local and remote subnets in both cases (actually we do not need to specify the entire /24 ranges, only communications from 192.168.200.1 to 192.168.220.1 need to be protected and from 192.168.210.1 to 192.168.230.1 respectively). Since this is a simple test, I will use pre-shared keys for authentication. I will commit my configuration.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-IPIP proposal 1 set vpn ipsec ike-group IKE-IPIP proposal 1 encryption aes128 set vpn ipsec ike-group IKE-IPIP proposal 1 hash sha1 set vpn ipsec ike-group IKE-IPIP proposal 1 dh-group 5 set vpn ipsec ike-group IKE-IPIP lifetime 28800
set vpn ipsec esp-group ESP-IPIP proposal 1 set vpn ipsec esp-group ESP-IPIP proposal 1 encryption aes128 set vpn ipsec esp-group ESP-IPIP proposal 1 hash sha1 set vpn ipsec esp-group ESP-IPIP pfs set vpn ipsec esp-group ESP-IPIP lifetime 3600
set vpn ipsec site-to-site peer 192.168.50.3 authentication mode pre-shared-secret edit vpn ipsec site-to-site peer 192.168.50.3 set authentication pre-shared-secret 12345 set ike-group IKE-IPIP set local-ip 192.168.50.2 set tunnel 1 local-subnet 192.168.200.0/24 set tunnel 1 remote-subnet 192.168.220.0/24 set tunnel 1 esp-group ESP-IPIP top
set vpn ipsec site-to-site peer 192.168.50.4 authentication mode pre-shared-secret edit vpn ipsec site-to-site peer 192.168.50.4 set authentication pre-shared-secret 67890 set ike-group IKE-IPIP set local-ip 192.168.50.2 set tunnel 1 local-subnet 192.168.210.0/24 set tunnel 1 remote-subnet 192.168.230.0/24 set tunnel 1 esp-group ESP-IPIP top commit
And we will run OSPF through these tunnels to discover the networks behind the other Vyatta VC4 machines.
set protocols ospf area 100 set protocols ospf area 100 network 192.168.10.0/24 set protocols ospf area 100 network 192.168.111.0/24 set protocols ospf area 100 network 192.168.121.0/24 set protocols ospf log-adjacency-changes commit
2. Vyatta Branch1 IPIP/IPsec Config
On the Vyatta Branch1 machine, which will be a spoke, we will create one IPIP tunnel, to Vyatta HQ. And one IPsec VPN site-to-site connection, to Vyatta HQ(to protect the IPIP tunnel between Branch1 and HQ).
Configure the loopback interface with one IP address which will serve as the local IPIP tunnel endpoint(for the IPIP tunnel between Vyatta Branch1 and Vyatta HQ). And commit your settings.
set interfaces loopback lo address 192.168.220.1/24 commit
Configure the IPIP tunnel. The remote-ip (remote tunnel endpoint) will be the first IP address configured on the loopback interface of Vyatta HQ. As before, I will not commit my settings yet, because I want to protect the tunnel first, so that no packet can travel in clear.
set interfaces tunnel tun1 set interfaces tunnel tun1 address 192.168.111.2/24 set interfaces tunnel tun1 description "IPIP Tunnel to HQ" set interfaces tunnel tun1 encapsulation ipip set interfaces tunnel tun1 local-ip 192.168.220.1 set interfaces tunnel tun1 remote-ip 192.168.200.1
And the VPN configuration. I've configured an ike-group and an esp-group. And one IPsec VPN site-to-site connection, to HQ(to protect the IPIP tunnel between HQ and Branch1). Note the local and remote subnets (actually we do not need to specify the entire /24 ranges, only communications from 192.168.220.1 to 192.168.200.1 need to be protected). I will commit my configuration.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-IPIP proposal 1 set vpn ipsec ike-group IKE-IPIP proposal 1 encryption aes128 set vpn ipsec ike-group IKE-IPIP proposal 1 hash sha1 set vpn ipsec ike-group IKE-IPIP proposal 1 dh-group 5 set vpn ipsec ike-group IKE-IPIP lifetime 28800
set vpn ipsec esp-group ESP-IPIP proposal 1 set vpn ipsec esp-group ESP-IPIP proposal 1 encryption aes128 set vpn ipsec esp-group ESP-IPIP proposal 1 hash sha1 set vpn ipsec esp-group ESP-IPIP pfs set vpn ipsec esp-group ESP-IPIP lifetime 3600
set vpn ipsec site-to-site peer 192.168.50.2 authentication mode pre-shared-secret edit vpn ipsec site-to-site peer 192.168.50.2 set authentication pre-shared-secret 12345 set ike-group IKE-IPIP set local-ip 192.168.50.3 set tunnel 1 local-subnet 192.168.220.0/24 set tunnel 1 remote-subnet 192.168.200.0/24 set tunnel 1 esp-group ESP-IPIP top commit
And we will run OSPF through this tunnel to discover the networks behind the other Vyatta VC4 machines.
set protocols ospf area 100 set protocols ospf area 100 network 192.168.30.0/24 set protocols ospf area 100 network 192.168.111.0/24 set protocols ospf log-adjacency-changes commit
3. Vyatta Branch2 IPIP/IPsec Config
On the Vyatta Branch2 machine, which will be a spoke, we will create one IPIP tunnel, to Vyatta HQ. And one IPsec VPN site-to-site connection, to Vyatta HQ(to protect the IPIP tunnel between Branch2 and HQ).
Configure the loopback interface with one IP address which will serve as the local IPIP tunnel endpoint(for the IPIP tunnel between Vyatta Branch2 and Vyatta HQ). And commit your settings.
set interfaces loopback lo address 192.168.230.1/24 commit
Configure the IPIP tunnel. The remote-ip (remote tunnel endpoint) will be the second IP address configured on the loopback interface of Vyatta HQ. As before, I will not commit my settings yet, because I want to protect the tunnel first, so that no packet can travel in clear.
set interfaces tunnel tun1 set interfaces tunnel tun1 address 192.168.121.2/24 set interfaces tunnel tun1 description "IPIP Tunnel to HQ" set interfaces tunnel tun1 encapsulation ipip set interfaces tunnel tun1 local-ip 192.168.230.1 set interfaces tunnel tun1 remote-ip 192.168.210.1
And the VPN configuration. I've configured an ike-group and an esp-group. And one IPsec VPN site-to-site connection, to HQ(to protect the IPIP tunnel between HQ and Branch2). Note the local and remote subnets (actually we do not need to specify the entire /24 ranges, only communications from 192.168.230.1 to 192.168.210.1 need to be protected). I will commit my configuration.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-IPIP proposal 1 set vpn ipsec ike-group IKE-IPIP proposal 1 encryption aes128 set vpn ipsec ike-group IKE-IPIP proposal 1 hash sha1 set vpn ipsec ike-group IKE-IPIP proposal 1 dh-group 5 set vpn ipsec ike-group IKE-IPIP lifetime 28800
set vpn ipsec esp-group ESP-IPIP proposal 1 set vpn ipsec esp-group ESP-IPIP proposal 1 encryption aes128 set vpn ipsec esp-group ESP-IPIP proposal 1 hash sha1 set vpn ipsec esp-group ESP-IPIP pfs set vpn ipsec esp-group ESP-IPIP lifetime 3600
set vpn ipsec site-to-site peer 192.168.50.2 authentication mode pre-shared-secret edit vpn ipsec site-to-site peer 192.168.50.2 set authentication pre-shared-secret 67890 set ike-group IKE-IPIP set local-ip 192.168.50.4 set tunnel 1 local-subnet 192.168.230.0/24 set tunnel 1 remote-subnet 192.168.210.0/24 set tunnel 1 esp-group ESP-IPIP top commit
And we will run OSPF through this tunnel to discover the networks behind the other Vyatta VC4 machines.
set protocols ospf area 100 set protocols ospf area 100 network 192.168.40.0/24 set protocols ospf area 100 network 192.168.121.0/24 set protocols ospf log-adjacency-changes commit
If we take a look at the Wireshark capture, we will notice that it recorded some activity, a sign that our "tunnels" are working. In Figure112 we can spot the IKE Phase II and II negotiations between HQ and Branch1, and between HQ and Branch2.
Figure112: Wireshark Capture IPIP/IPsec
Let's check the routing table on the Vyatta HQ, Vyatta Branch1 and Vyatta Branch2, see Figure113, Figure114 and Figure115 . We can notice that every Vyatta VC4 machine is now aware of the networks behind the other Vyatta VC4 machines. And spot the kernel routes we were talking about in Part 7. If we were using IPsec ESP in transport mode with Vyatta VC4, we would not specify the "remote-subnet " and the "local-subnet". However, for example on Vyatta HQ, for the site-to-site VPN connection between Vyatta HQ and Vyatta Branch1, Openswan will add a kernel route that would say that 192.168.50.3/32 is directly connected, eth0. Yes, that's true in case of Scenario 1, but Scenario 1 is not very realistic. In practice this would be wrong, and testing Scenario 2(where the IPIP tunnel endpoint is really a remote IP address), we would notice that the VPN tunnel is not working. To make it work we would need to manually delete the kernel routes. This would be also true for IPsec ESP in tunnel mode if for example on Vyatta HQ we would enter in the VPN configuration as "remote-subnet" 192.168.50.3/32 (the remote IPIP tunnel endpoint as in Part 6) instead of 192.168.220.0/24, and as "local-subnet" 192.168.50.2/32 (the local IPIP tunnel endpoint as in Part 6) instead of 192.168.200.0/24. Again the kernel route would say that 192.168.50.3/32 is directly connected, eth0. So to make the VPN tunnel work we would need to manually delete the kernel route. With the IPIP tunnel endpoints private IP addresses from loopback interfaces, we are not particularly concerned about the kernel routes.
Figure113: Vyatta HQ IPIP/IPsec: Routing Table
Figure114: Vyatta Branch1 IPIP/IPsec: Routing Table
Figure115: Vyatta Branch2 IPIP/IPsec: Routing Table
Let's look at the OSPF information about the tunnel interfaces on the Vyatta HQ, Vyatta Branch1 and Vyatta Branch2 (note the MTU too, the default one, you can modify it if necessary), see Figure116, Figure117 and Figure118.
Figure116: Vyatta HQ IPIP/IPsec: show ip ospf interface tun1 and tun2
Figure117: Vyatta Branch1 IPIP/IPsec: show ip ospf interface tun1
Figure118: Vyatta Branch2 IPIP/IPsec: show ip ospf interface tun1
Let's look at some VPN information (IKE and IPsec SAs) on the Vyatta HQ, Vyatta Branch1 and Vyatta Branch2, see Figure119, Figure120 and Figure121.
Figure119: Vyatta HQ IPIP/IPsec: VPN Info
Figure120: Vyatta Branch1 IPIP/IPsec: VPN Info
Figure121: Vyatta Branch2 IPIP/IPsec: VPN Info
Let's see if we have connectivity between hosts located behind Vyatta VC4 machines, see Figure122, Figure123 and Figure124.
Figure122: IPIP/IPsec: Ping from a Host Behind Vyatta HQ to Hosts Behind Vyatta Branch1 and Vyatta Branch2
Figure123: IPIP/IPsec: Ping from a Host Behind Vyatta Branch1 to Hosts Behind Vyatta HQ and Vyatta Branch2
Figure124: IPIP/IPsec: Ping from a Host Behind Vyatta Branch2 to Hosts Behind Vyatta HQ and Vyatta Branch1
Things look good.
All the configuration lines entered on Vyatta HQ, Vyatta Branch1 and Vyatta Branch2 can be found here: - Vyatta HQ - Vyatta Branch1 - Vyatta Branch2
4. Make The hub-and-spoke Topology a Mesh One
If you want, you can make the hub-and-spoke topology a mesh one, by configuring an IPIP tunnel between Branch1 and Branch2, and an IPsec VPN site-to-site connection between them to protect this IPIP tunnel.
On Branch1 add:
set interfaces loopback lo address 192.168.240.1/24 commit
set interfaces tunnel tun2 set interfaces tunnel tun2 address 192.168.131.1/24 set interfaces tunnel tun2 description "IPIP Tunnel to Branch2" set interfaces tunnel tun2 encapsulation ipip set interfaces tunnel tun2 local-ip 192.168.240.1 set interfaces tunnel tun2 remote-ip 192.168.250.1
set vpn ipsec site-to-site peer 192.168.50.4 authentication mode pre-shared-secret edit vpn ipsec site-to-site peer 192.168.50.4 set authentication pre-shared-secret abcde set ike-group IKE-IPIP set local-ip 192.168.50.3 set tunnel 1 local-subnet 192.168.240.0/24 set tunnel 1 remote-subnet 192.168.250.0/24 set tunnel 1 esp-group ESP-IPIP top commit
set protocols ospf area 100 network 192.168.131.0/24 commit
On Branch2 add:
set interfaces loopback lo address 192.168.250.1/24 commit
set interfaces tunnel tun2 set interfaces tunnel tun2 address 192.168.131.2/24 set interfaces tunnel tun2 description "IPIP Tunnel to Branch1" set interfaces tunnel tun2 encapsulation ipip set interfaces tunnel tun2 local-ip 192.168.250.1 set interfaces tunnel tun2 remote-ip 192.168.240.1
set vpn ipsec site-to-site peer 192.168.50.3 authentication mode pre-shared-secret edit vpn ipsec site-to-site peer 192.168.50.3 set authentication pre-shared-secret abcde set ike-group IKE-IPIP set local-ip 192.168.50.4 set tunnel 1 local-subnet 192.168.250.0/24 set tunnel 1 remote-subnet 192.168.240.0/24 set tunnel 1 esp-group ESP-IPIP top commit
set protocols ospf area 100 network 192.168.131.0/24 commit
In Part 9 we will enter the basic configurations on the Vyatta VC4 VMs in case of Scenario 2 and test connectivity.
|