Unbreakable VPN using Vyatta/VyOS - HOW TO -

Published on 13 May, 2014
SAKURA Internet Research Center
Senior Researcher / Naoto MATSUMOTO


  1. 13 May, 2014 / SAKURA Internet Research Center / Senior Researcher / Naoto MATSUMOTO
  2. Basic idea for inter-cloud LAN
     [Diagram: Private Cloud A (VR-1, VR-2) and Private Cloud B (VR-3, VR-4), each LAN behind a vSwitch, joined by two IPSec tunnels: one MASTER, one BACKUP.]
     VR: Virtual Router (Brocade Vyatta vRouter or VyOS)
     Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation
     VyOS 1.0.3: http://vyos.net/
  3. Unbreakable VPN using Vyatta/VyOS - HOW TO -
  4. Configure Clustering group 1/2
     [Diagram: in each private cloud the two VRs form a cluster, a Primary Node and a Secondary Node sharing a VIP (Shared Virtual IP Address) on the LAN side.]
  5. Configure Clustering group 2/2
     [Diagram: Cross Monitoring between the cluster in Private Cloud A and the cluster in Private Cloud B.]
  6. Configure Dual IPSec Tunneling
     [Diagram: two IPSec tunnels between Private Cloud A and Private Cloud B, one per VR pair.]
  7. Logical IP Network view (MASTER)
     [Diagram: the Primary Node in each cloud holds the VIP and carries the IPSec tunnel.]
  8. Logical IP Network view (BACKUP)
     [Diagram: BACKUP path after a monitoring failure; the VIP is served by the remaining VR pair over the second IPSec tunnel.]
  9. Unbreakable VPN using Vyatta/VyOS - Sample Configuration TIPS -
  10. Configure Clustering group 1/3
      [Diagram: VR-1 (Primary Node) and VR-2 (Secondary Node) on the LAN vSwitch, VIP 10.10.10.100/24.]
      Sample Configuration for VR-1 and VR-2
        $ configure
        # set system host-name VR-1 (or VR-2)
        # set cluster dead-interval 1000
        # set cluster group CLUSTER auto-failback true
        # set cluster interface eth0
        # set cluster interface eth1
        # set cluster keepalive-interval 200
        # set cluster pre-shared-secret SeCrEt
        # set cluster group CLUSTER primary VR-1
        # set cluster group CLUSTER secondary VR-2
        # set cluster group CLUSTER service 10.10.10.100/24/eth1
        # set cluster mcast-group 239.10.10.100
  11. Configure Clustering group 2/3
      [Diagram: VR-3 (Primary Node) and VR-4 (Secondary Node) on the LAN vSwitch, VIP 10.20.20.100/24.]
      Sample Configuration for VR-3 and VR-4
        $ configure
        # set system host-name VR-3 (or VR-4)
        # set cluster dead-interval 1000
        # set cluster group CLUSTER auto-failback true
        # set cluster interface eth0
        # set cluster interface eth1
        # set cluster keepalive-interval 200
        # set cluster pre-shared-secret SeCrEt
        # set cluster group CLUSTER primary VR-3
        # set cluster group CLUSTER secondary VR-4
        # set cluster group CLUSTER service 10.20.20.100/24/eth1
        # set cluster mcast-group 239.20.20.100
  12. Configure Clustering group 3/3
      [Diagram: VR-1 (133.242.XXX.1) and VR-3 (133.242.YYY.3) monitor each other across the clouds.]
        VR-1# set cluster monitor-dead-interval 1000
        VR-1# set cluster group CLUSTER monitor 133.242.YYY.3
        VR-1# commit
        VR-1# save
        VR-3# set cluster monitor-dead-interval 1000
        VR-3# set cluster group CLUSTER monitor 133.242.XXX.1
        VR-3# commit
        VR-3# save
  13. Configure Dual IPSec Tunneling 1/3
      [Diagram: IPSec Tunnel between VR-1 and VR-3.]
      Sample Configuration for VR-1 and VR-3
        # set vpn ipsec esp-group ESP lifetime 1800
        # set vpn ipsec esp-group ESP mode tunnel
        # set vpn ipsec esp-group ESP pfs enable
        # set vpn ipsec esp-group ESP proposal 1 encryption aes256
        # set vpn ipsec esp-group ESP proposal 1 hash sha1
        # set vpn ipsec ike-group IKE lifetime 3600
        # set vpn ipsec ike-group IKE proposal 1 encryption aes256
        # set vpn ipsec ike-group IKE proposal 1 hash sha1
        # set vpn ipsec ipsec-interfaces interface eth0
  14. Configure Dual IPSec Tunneling 2/3
      [Diagram: VR-1 (133.242.XXX.1, LAN 10.10.10.0/24) tunnel to VR-3 (133.242.YYY.3, LAN 10.20.20.0/24).]
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret SeCrEt
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24
        VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24
        VR-1# commit
        VR-1# save
  15. Configure Dual IPSec Tunneling 3/3
      [Diagram: VR-3 (133.242.YYY.3, LAN 10.20.20.0/24) tunnel to VR-1 (133.242.XXX.1, LAN 10.10.10.0/24).]
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 local-address 133.242.YYY.3
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication mode pre-shared-secret
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication pre-shared-secret SeCrEt
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 connection-type initiate
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 default-esp-group ESP
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 ike-group IKE
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 local prefix 10.20.20.0/24
        VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 remote prefix 10.10.10.0/24
        VR-3# commit
        VR-3# save
  16. Configure TCP-MSS modify for VPN
      [Diagram: TCP MSS clamped on eth0 of VR-1 and VR-3 for traffic entering the IPSec tunnel between 10.10.10.0/24 and 10.20.20.0/24.]
        VR-1# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24
        VR-1# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
        VR-1# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
        VR-1# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN
        VR-1# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0
        VR-1# commit
        VR-3# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.10.10.0/24
        VR-3# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
        VR-3# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
        VR-3# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN
        VR-3# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0
        VR-3# commit
  17. Unbreakable VPN Architecture
      [Diagram: same layout as slide 2; VR-1/VR-2 in Private Cloud A and VR-3/VR-4 in Private Cloud B, two IPSec tunnels, MASTER and BACKUP.]
  18. Thanks for your interest. SAKURA Internet Research Center.
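As an added example (not part of the deck), a POSIX shell script that generates the mirrored site-to-site and TCP-MSS commands of slides 14 to 16 from one parameter set, so the two ends cannot drift apart, and bounds the tcp-mss value from the esp-group on slide 13. The VyOS/Vyatta syntax is the deck's; the function names, an MTU of 1500, the worst-case ESP padding and the distinct IPsec secret are my assumptions.

```shell
# Added example, not from the slides: build the mirrored VyOS/Vyatta commands for
# the VR-1 <-> VR-3 tunnel (slides 14-16) from one parameter set, so the two peers
# cannot drift apart, and bound the tcp-mss value from the esp-group on slide 13.
# Assumed: IPv4, ESP = aes256-cbc + sha1, tunnel mode, WAN on eth0, MTU 1500;
# 133.242.XXX.1 / 133.242.YYY.3 are the deck's own placeholders.

# Give IPsec its own long random secret; do not reuse the cluster pre-shared-secret.
PSK="${PSK:-REPLACE-WITH-A-LONG-RANDOM-SECRET}"
# Largest MSS whose TCP segment still fits in an MTU of $1 bytes after ESP tunnel
# encapsulation: outer IPv4 20 + SPI/sequence 8 + AES-CBC IV 16 + padding <= 15
# + pad-length/next-header 2 + HMAC-SHA1-96 ICV 12, plus inner IPv4 20 + TCP 20.
vpn_max_mss() {
  echo $(( $1 - 20 - 8 - 16 - 15 - 2 - 12 - 20 - 20 ))
}
# Returns 0 when a configured tcp-mss ($1) does not exceed the bound for MTU $2.
mss_fits() { [ "$1" -le "$(vpn_max_mss "$2")" ]; }

# $1 local WAN, $2 remote WAN, $3 local LAN prefix, $4 remote LAN prefix
gen_peer() {
  p="set vpn ipsec site-to-site peer $2"
  printf '%s\n' \
    "$p local-address $1" \
    "$p authentication mode pre-shared-secret" \
    "$p authentication pre-shared-secret $PSK" \
    "$p connection-type initiate" \
    "$p default-esp-group ESP" \
    "$p ike-group IKE" \
    "$p tunnel 0 local prefix $3" \
    "$p tunnel 0 remote prefix $4"
}

# $1 remote LAN prefix, $2 tcp-mss: clamp SYNs headed into the tunnel on eth0
gen_mss() {
  r="set policy route TCP-MSS$2-ETH0 rule 1"
  printf '%s\n' \
    "$r destination address $1" "$r protocol tcp" \
    "$r set tcp-mss $2" "$r tcp flags SYN" \
    "set interfaces ethernet eth0 policy route TCP-MSS$2-ETH0"
}

# Both ends at once: $1/$2 = side A WAN/LAN, $3/$4 = side B WAN/LAN, $5 = MTU.
# Side B is generated with the arguments swapped, which is the mirroring rule.
gen_pair() {
  mss=$(vpn_max_mss "$5")
  echo "# --- side A (VR-1), peer $3 ---"; gen_peer "$1" "$3" "$2" "$4"; gen_mss "$4" "$mss"
  echo "# --- side B (VR-3), peer $1 ---"; gen_peer "$3" "$1" "$4" "$2"; gen_mss "$2" "$mss"
}
gen_pair 133.242.XXX.1 10.10.10.0/24 133.242.YYY.3 10.20.20.0/24 1500
```

The deck's tcp-mss of 1386 sits one byte under the 1387 bound computed for a 1500-byte MTU, so mss_fits 1386 1500 succeeds while a value such as 1400 is rejected.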
