
 22.04.2008
 Updated 23.04.2008
Vyatta VC4 - Advanced VPN Site-to-Site Connections - Part 9 - Basic Configuration of the Vyatta VC4 VMs (configure interfaces, set default routes, NAT rules, test connectivity) in Case of Scenario 2


 - 1. Vyatta ISP Config
 - 2. Vyatta HQ Basic Config
 - 3. Vyatta Branch1 Basic Config
 - 4. Vyatta Branch2 Basic Config

Let's now test Scenario 2. If you do not recall what Scenario 2 was, take a look here. As said before, Scenario 2 is more realistic, so it is a better testing approach and provides better results.
Let's take it step by step. First let's do a basic configuration (configure the interfaces, default gateways and NAT rules) on every Vyatta VC4 machine, just to make sure that connectivity is not a problem and things work the way we want.
Since we are using a virtual environment we can easily capture traffic and actually view how packets are flowing. For this, I will enable VMware Network Adapter VMnet5, VMware Network Adapter VMnet6, VMware Network Adapter VMnet7 on the host machine, see Figure125.

Figure125: VMware Network Adapters VMnet5, VMnet6 and VMnet7 Enabled


Also, since VMware Network Adapters VMnet5, VMnet6 and VMnet7 are enabled, I can use an SSH client from the host machine to configure the routers.

First let's configure Vyatta ISP.

 1. Vyatta ISP Config
Configure the interfaces and enable SSH:

set interfaces ethernet eth0 address 192.168.22.234/24
set interfaces ethernet eth1 address 192.168.50.1/24
set interfaces ethernet eth2 address 192.168.60.1/24
set interfaces ethernet eth3 address 192.168.70.1/24
set service ssh protocol-version 2
commit

Now I can use an SSH client to quickly enter the rest of the configuration.

Set the name of the machine and a default route to the gateway of this lab.

set system host-name ISP
set protocols static route 0.0.0.0/0 next-hop 192.168.22.1
commit

I do not want to make any changes on the gateway (192.168.22.1) to make it aware of the 192.168.50.0/24, 192.168.60.0/24 and 192.168.70.0/24 networks. Thus I will add some NAT rules on the Vyatta ISP machine, so every packet from the 192.168.50.0/24, 192.168.60.0/24 and 192.168.70.0/24 networks destined to the 192.168.22.0/24 network or to an Internet destination will be sourced with the IP address of the eth0 interface (192.168.22.234).

set service nat rule 10 type masquerade
set service nat rule 10 source address 192.168.50.0/24
set service nat rule 10 outbound-interface eth0

set service nat rule 15 type masquerade
set service nat rule 15 source address 192.168.60.0/24
set service nat rule 15 outbound-interface eth0

set service nat rule 20 type masquerade
set service nat rule 20 source address 192.168.70.0/24
set service nat rule 20 outbound-interface eth0
commit
save

And Vyatta ISP's configuration is done.

 2. Vyatta HQ Basic Config
Now let's configure Vyatta HQ.
Configure the interfaces and enable SSH:

set interfaces ethernet eth0 address 192.168.50.2/24
set interfaces ethernet eth1 address 192.168.10.1/24
set service ssh protocol-version 2
commit

Now I can use an SSH client to quickly enter the rest of the configuration.

Set the name of the machine and a default route to the gateway.

set system host-name HQ
set protocols static route 0.0.0.0/0 next-hop 192.168.50.1
commit

Since the network behind the Vyatta HQ machine is from private IP address space, in practice we will need a NAT rule in place. In our lab, IP addresses from the 192.168.50.0/24 network act as public IP addresses. Thus I will add a NAT rule on the Vyatta HQ machine.

set service nat rule 10 type masquerade
set service nat rule 10 source address 192.168.10.0/24
set service nat rule 10 outbound-interface eth0
commit
save

Now I will check from a host behind the Vyatta HQ machine if I can reach my lab's physical gateway and if I have Internet connectivity.

Figure126: Ping from a host behind Vyatta HQ machine

We can capture some packets to see how they are translated when they pass through the Vyatta VC4 machines. I will start a Wireshark capture on the VMnet5 interface on the host machine, another one on my physical interface (see Figure127 and Figure128; make sure "Capture packets in promiscuous mode" is selected, see Figure129) and another one on the VM behind Vyatta HQ.


Figure127: Wireshark Capture Menu: Interfaces

Figure128: Start the Wireshark captures on the host machine

Figure129: Start a Wireshark capture on the VMnet5 interface on the host machine

In Figure130 we can see the original echo request packet sent by a VM behind Vyatta HQ to 192.168.22.1. As can be noticed, an echo reply was received. So connectivity is OK.

Figure130: Wireshark Capture on the VM Behind Vyatta HQ: Ping

In Figure131 we can spot that our NAT rule set on Vyatta HQ is working.

Figure131: Wireshark Capture - The Echo Request Packet Translated by Vyatta HQ

And in Figure132 we will see that the NAT rule set on Vyatta ISP is working too.

Figure132: Wireshark Capture - The Echo Request Packet Translated by Vyatta ISP

So if necessary, our physical network can stay unaware of the virtual lab, and no modifications are needed on the physical gateway.
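To make the double translation from Figures 130-132 concrete, here is an added example (not code from the article) that parses the Vyatta HQ and Vyatta ISP "set" lines given above and traces the source address of an echo request hop by hop; the host address 192.168.10.5 is a constructed sample, and the ISP's eth3 and NAT rules 15/20 are left out since only the HQ path is traced.

```python
import ipaddress
# Vyatta 'set' lines copied from the article (ISP's eth3 and NAT rules 15/20 omitted).
ISP = """
set interfaces ethernet eth0 address 192.168.22.234/24
set interfaces ethernet eth1 address 192.168.50.1/24
set interfaces ethernet eth2 address 192.168.60.1/24
set protocols static route 0.0.0.0/0 next-hop 192.168.22.1
set service nat rule 10 type masquerade
set service nat rule 10 source address 192.168.50.0/24
set service nat rule 10 outbound-interface eth0"""
HQ = """
set interfaces ethernet eth0 address 192.168.50.2/24
set interfaces ethernet eth1 address 192.168.10.1/24
set protocols static route 0.0.0.0/0 next-hop 192.168.50.1
set service nat rule 10 type masquerade
set service nat rule 10 source address 192.168.10.0/24
set service nat rule 10 outbound-interface eth0"""

def parse(cli):
    """Extract interfaces, default next-hop and NAT rules from the 'set' lines."""
    ifaces, nat, gw = {}, {}, None
    for w in (line.split() for line in cli.splitlines() if line.strip()):
        if w[1:3] == ["interfaces", "ethernet"]:
            ifaces[w[3]] = ipaddress.ip_interface(w[5])
        elif w[1:3] == ["protocols", "static"]:
            gw = ipaddress.ip_address(w[6])
        elif w[1:3] == ["service", "nat"]:        # 'source address X' vs 'type X'
            rule = nat.setdefault(int(w[4]), {})
            rule[w[5]] = ipaddress.ip_network(w[7]) if w[5] == "source" else w[6]
    return ifaces, gw, nat

def forward(cfg, src, dst):
    """Egress = connected subnet holding dst, else the default route's interface; the first masquerade rule matching (src, egress) rewrites src."""
    ifaces, gw, nat = cfg
    def iface_for(addr):  # interface whose subnet contains addr, else None
        return next((n for n, i in ifaces.items() if addr in i.network), None)
    out = iface_for(dst) or (iface_for(gw) if gw else None)
    if out is None: raise ValueError(f"no route to {dst}")
    for _, r in sorted(nat.items()):
        if r.get("type") == "masquerade" and src in r["source"] and r.get("outbound-interface") == out:
            return out, ifaces[out].ip   # masquerade: source becomes the egress interface address
    return out, src

def trace(path, src, dst):
    """Push one packet through the routers in order; one (router, egress, src) tuple per hop."""
    src, dst, hops = ipaddress.ip_address(src), ipaddress.ip_address(dst), []
    for name, cli in path:
        out, src = forward(parse(cli), src, dst)
        hops.append((name, out, str(src)))
    return hops
```

Tracing 192.168.10.5 to 192.168.22.1 through HQ then ISP gives 192.168.50.2 after HQ and 192.168.22.234 after ISP, matching the two captures; a packet from the same host to Branch1's 192.168.60.2 leaves ISP on eth2 untranslated, because the masquerade rules only apply to eth0.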

 3. Vyatta Branch1 Basic Config
Configure the interfaces and enable SSH:

set interfaces ethernet eth0 address 192.168.60.2/24
set interfaces ethernet eth1 address 192.168.30.1/24
set service ssh protocol-version 2
commit

Now I can use an SSH client to quickly enter the rest of the configuration.

Set the name of the machine and a default route to the gateway.

set system host-name Branch1
set protocols static route 0.0.0.0/0 next-hop 192.168.60.1
commit

As in case of Vyatta HQ, I will add a NAT rule on the Vyatta Branch1 machine.

set service nat rule 10 type masquerade
set service nat rule 10 source address 192.168.30.0/24
set service nat rule 10 outbound-interface eth0
commit
save

Now I can check from a host behind the Vyatta Branch1 machine if I can reach my lab's physical gateway and if I have Internet connectivity. See Figure133.

Figure133: Ping from a host behind Vyatta Branch1 machine

 4. Vyatta Branch2 Basic Config
Configure the interfaces and enable SSH:

set interfaces ethernet eth0 address 192.168.70.2/24
set interfaces ethernet eth1 address 192.168.40.1/24
set service ssh protocol-version 2
commit

Now I can use an SSH client to quickly enter the rest of the configuration.

Set the name of the machine and a default route to the gateway.

set system host-name Branch2
set protocols static route 0.0.0.0/0 next-hop 192.168.70.1
commit

As in the case of Vyatta HQ, I will add a NAT rule on the Vyatta Branch2 machine.

set service nat rule 10 type masquerade
set service nat rule 10 source address 192.168.40.0/24
set service nat rule 10 outbound-interface eth0
commit
save

Now I can check from a host behind the Vyatta Branch2 machine if I can reach my lab's physical gateway and if I have Internet connectivity. See Figure134.

Figure134: Ping from a host behind Vyatta Branch2 machine

Since all the Vyatta VC4 machines are up and running, let's do some connectivity checks from the Vyatta HQ machine to the Vyatta Branch1 and Vyatta Branch2 machines. See Figure135.

Figure135: Connectivity Tests From Vyatta HQ


So things look good. Time to proceed and configure the GRE and IPIP tunnels.

In Part 10 we will start configuring GRE and IPIP tunnels on the Vyatta VC4 VMs for Scenario 2.