Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Unbreakable VPN using Vyatta/VyOS - HOW TO -

18,403 views

Published on

Unbreakable VPN using Vyatta/VyOS - HOW TO -

13 May, 2014
SAKURA Internet Research Center
Senior Researcher / Naoto MATSUMOTO

Published in: Technology
  • Be the first to comment

Unbreakable VPN using Vyatta/VyOS - HOW TO -

  1. 1. 13 May, 2014 SAKURA Internet Research Center Senior Researcher / Naoto MATSUMOTO
  2. 2. Basic idea for inter-cloud LANLAN Private Cloud A Private Cloud B IPSec Tunnel IPSec Tunnel VR: Virtual Router (Brocade Vyatta vRouter or VyOS) Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation VyOS 1.0.3 : http://vyos.net/ VR-1 VR-2 VR-3 VR-4 vSwitchvSwitch MASTER BACKUP
  3. 3. Unbreakable VPN using Vyatta/VyOS - HOW TO -
  4. 4. Configure Clustering group 1/2 VR-1 VR-2 VR-3 VR-4 LANLAN Private Cloud A Private Cloud B VR: Virtual Router (Brocade Vyatta vRouter or VyOS) Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation VyOS 1.0.3 : http://vyos.net/ vSwitchvSwitch Secondary Node Secondary Node VIP: Shared Virtual IP Address VIP VIP Primary Node Primary Node
  5. 5. Configure Clustering group 2/2 VR-1 VR-2 VR-3 VR-4 vSwitch LANvSwitchLAN Private Cloud A Private Cloud B VR: Virtual Router (Brocade Vyatta vRouter or VyOS) Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation VyOS 1.0.3 : http://vyos.net/ Corss Monitoring Cross Monitoring
  6. 6. Configure Dual IPSec Tunneling VR-1 VR-2 VR-3 VR-4 vSwitch LANvSwitchLAN Private Cloud A Private Cloud B IPSec Tunnel IPSec Tunnel VR: Virtual Router (Brocade Vyatta vRouter or VyOS) Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation VyOS 1.0.3 : http://vyos.net/
  7. 7. Logical IP Network view (MASTER) LANLAN Private Cloud A Private Cloud B IPSec Tunnel IPSec Tunnel VR: Virtual Router (Brocade Vyatta vRouter or VyOS) Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation VyOS 1.0.3 : http://vyos.net/ VR-1 VR-2 VR-3 VR-4 vSwitchvSwitch VIP: Shared Virtual IP Address VIP VIP Primary Node Primary Node
  8. 8. Logical IP Network view (BACKUP) LANLAN Private Cloud A Private Cloud B IPSec Tunnel IPSec Tunnel VR: Virtual Router (Brocade Vyatta vRouter or VyOS) Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation VyOS 1.0.3 : http://vyos.net/ VR-1 VR-2 VR-3 VR-4 vSwitchvSwitch VIP: Shared Virtual IP Address VIP VIP Monitoring failure
  9. 9. Unbreakable VPN using Vyatta/VyOS - Sample Configuration TIPS-
  10. 10. Configure Clustering group 1/3 VR-1 VR-2 LAN vSwitch Primary Node Secondary Node 10.10.10.100/24 VIP Sample Configuration for VR-1 and VR-2 $ configure # set system host-name VR-1 (or VR-2) # set cluster dead-interval 1000 # set cluster group CLUSTER auto-failback true # set cluster interface eth0 # set cluster interface eth1 # set cluster keepalive-interval 200 # set cluster pre-shared-secret SeCrEt # set cluster group CLUSTER primary VR-1 # set cluster group CLUSTER secondary VR-2 # set cluster group CLUSTER service 10.10.10.100/24/eth1 # set cluster mcast-group 239.10.10.100
  11. 11. Configure Clustering group 2/3 Sample Configuration for VR-3 and VR-4 $ configure # set system host-name VR-3 (or VR-4) # set cluster dead-interval 1000 # set cluster group CLUSTER auto-failback true # set cluster interface eth0 # set cluster interface eth1 # set cluster keepalive-interval 200 # set cluster pre-shared-secret SeCrEt # set cluster group CLUSTER primary VR-3 # set cluster group CLUSTER secondary VR-4 # set cluster group CLUSTER service 10.20.20.100/24/eth1 # set cluster mcast-group 239.20.20.100 VR-3 VR-4 LANvSwitchSecondary Node VIP 10.20.20.100/24 Primary Node
  12. 12. Configure Clustering group 3/3 VR-1 VR-3 vSwitch LANvSwitchLAN Monitoring VR-1# set cluster monitor-dead-interval 1000 VR-1# set cluster group CLUSTER monitor 133.242.YYY.3 VR-1# commit VR-1# save VR-3# set cluster monitor-dead-interval 1000 VR-3# set cluster group CLUSTER monitor 133.242.XXX.1 VR-3# commit VR-3# save 133.242.YYY.3133.242.XXX.1
  13. 13. Configure Dual IPSec Tunneling 1/3 VR-1 VR-3 vSwitch LANvSwitchLAN IPSec Tunnel Sample Configuration for VR-1 and VR-3 # set vpn ipsec esp-group ESP lifetime 1800 # set vpn ipsec esp-group ESP mode tunnel # set vpn ipsec esp-group ESP pfs enable # set vpn ipsec esp-group ESP proposal 1 encryption aes256 # set vpn ipsec esp-group ESP proposal 1 hash sha1 # set vpn ipsec ike-group IKE lifetime 3600 # set vpn ipsec ike-group IKE proposal 1 encryption aes256 # set vpn ipsec ike-group IKE proposal 1 hash sha1 # set vpn ipsec ipsec-interfaces interface eth0
  14. 14. Configure Dual IPSec Tunneling 2/3 VR-1 VR-3 vSwitch LANvSwitchLAN IPSec Tunnel VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1 VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret SeCrEt VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24 VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24 VR-1# commit VR-1# save 133.242.YYY.3133.242.XXX.1 10.10.10.0/24 10.20.20.0/24
  15. 15. Configure Dual IPSec Tunneling 3/3 VR-1 VR-3 vSwitch LANvSwitchLAN IPSec Tunnel VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 local-address 133.242.YYY.3 VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication mode pre-shared-secret VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication pre-shared-secret SeCrEt VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 connection-type initiate VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 default-esp-group ESP VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 ike-group IKE VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 local prefix 10.20.20.0/24 VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 remote prefix 10.10.10.0/24 VR-3# commit VR-3# save 133.242.YYY.3133.242.XXX.1 10.10.10.0/24 10.20.20.0/24
  16. 16. Configure TCP-MSS modify for VPN VR-1 VR-3 vSwitch LANvSwitchLAN IPSec Tunnel VR-1# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24 VR-1# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp VR-1# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386 VR-1# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN TCP VR-1# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0 VR-1# commit 10.10.10.0/24 10.20.20.0/24 VR-3# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.10.10.0/24 VR-3# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp VR-3# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386 VR-3# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN TCP VR-3# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0 VR-3# commit
  17. 17. Unbreakable VPN Architecure LANLAN Private Cloud A Private Cloud B IPSec Tunnel IPSec Tunnel VR: Virtual Router (Brocade Vyatta vRouter or VyOS) Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation VyOS 1.0.3 : http://vyos.net/ VR-1 VR-2 VR-3 VR-4 vSwitchvSwitch MASTER BACKUP
  18. 18. Thanks for your interest. SAKURA Internet Research Center.

×