Vyos clustering ipsec

Vyos Unbreable VPN
Fig: 1
The device used here is VyOS (version 1.1.7) which is a fork from Vyatta community edition. It has Juniper like
command set. The community edition lacks both the system config sync and GUI based configuration management and
are available only in subscribed editions. The other features supported by this device are DMVPN (using NHRP, mGRE,
and IPSEC) which is a Cisco propreitary technology, zone-based or interface-based firewalling, routing protocols like
RIP, OSPF, and BGP, NAT and VLANs.
The diagram (Fig: 1) helps in configuring the lab to attain IPSEC tunnel between the two sites ‘A’ and ‘B’. Both sites are
connected over public IP addresses via an ISP. Instead of BGP since this is a lab inside VirtualBox OSPF is used for
dynamic routing purposes between the sites. There are redundant firewalls used for clustering purposes in both sites.
The cluster public IP on both sides are used for building IPSEC tunnel with revertive high availability configuration.
Revertive high availability is a technique by which the secondary member in the cluster fails back to the primary once it
is available, that is failover is made false ad failback is made true. In the cluster the internal IP is monitored over
10.x.x.2/29 and internal cluster IP 10.x.x.1/29 is used. The same way the public IP is monitored over x01.1.2.4/29 and
external cluster IP x01.1.2.1/29 is used. Both these cluster IPs are used to build the IPSEC peers. Virtual interfaces (vif)
are used to create VLANs for internal and exeternal IP ranges on both sites. Either the firewall or the interface
(primary firewall) malfunctions the secondary firewall takes over and the cluster IP moves to the vif of the secondary
firewall and the IPSEC tunnel regains. Once the primary functions properly the secondary failback to the primary
making the primary responsible for the connectivity always. The cluster dead-interval has to more than twice the value
of keepalive-interval.
The management subnet is 192.168.56.x/24. SSH service is used to login to the devices. The host and domain names are
configured accordingly on all the devices.
The virtual environment is facilitated by VirtualBox (version 5.x). All devices in it has the host only interface which is
used for its management over SSH from the host device. The second interface is internal (intnet) which is used in the
device for VLAN (vif) purposes. The environment details are funished after the configuration details.

Configuration Details
Common Configuration
System/Service
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyos authentication encrypted-password '$1$HR42KG7n$Ynpv5D8LEnJiOZPX85Wt.1'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system time-zone 'UTC'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
IPSEC
set vpn ipsec esp-group MyESP compression 'disable'
set vpn ipsec esp-group MyESP lifetime '3600'
set vpn ipsec esp-group MyESP mode 'tunnel'
set vpn ipsec esp-group MyESP pfs 'enable'
set vpn ipsec esp-group MyESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESP proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKE ikev2-reauth 'no'
set vpn ipsec ike-group MyIKE key-exchange 'ikev1'
set vpn ipsec ike-group MyIKE lifetime '28800'
set vpn ipsec ike-group MyIKE proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKE proposal 1 hash 'sha256'
Cluster
set cluster dead-interval '10000'
set cluster group cluster1 auto-failback 'true'
set cluster group cluster1 service 'ipsec'
set cluster keepalive-interval '2000'
set cluster monitor-dead-interval '20000'
set cluster pre-shared-secret 'Ma2754ni'
Site A

Router 1
set interfaces ethernet eth0 address '192.168.56.111/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '08:00:27:4a:97:c7'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 hw-id '08:00:27:9a:a2:44'
set interfaces ethernet eth1 vif 10 address '10.1.3.2/29'
set interfaces ethernet eth2 hw-id '08:00:27:78:ce:27'
set interfaces ethernet eth3 hw-id '08:00:27:24:b3:d6'
set interfaces loopback 'lo'
set protocols static route 0.0.0.0/0 next-hop '10.1.3.1'
set service ssh listen-address '192.168.56.111'
set system domain-name 'aattu.com'
set system host-name 'rtr01'
Router 2
set interfaces dummy dum1 address '101.0.0.1/32'
set interfaces ethernet eth1 hw-id '08:00:27:2e:a8:db'
set interfaces ethernet eth2 hw-id '08:00:27:84:bc:9a'
set interfaces ethernet eth3 hw-id '08:00:27:12:6f:7d'
set interfaces ethernet eth4 hw-id '08:00:27:ea:7d:c5'
set protocols ospf area 10 network '101.1.2.0/29'
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '101.0.0.1'

Firewall 1
set cluster group cluster1 monitor '101.1.2.4'
set cluster group cluster1 primary 'fwl01'
set cluster group cluster1 secondary 'fwl02'
set cluster group cluster1 service '10.1.3.1/29/eth1.10'
set cluster interface 'eth1.10'
set interfaces ethernet eth0 hw-id '08:00:27:3d:0d:98'
set interfaces ethernet eth1 hw-id '08:00:27:fa:33:5f'
set interfaces ethernet eth2 hw-id '08:00:27:0b:08:80'
set interfaces ethernet eth3 hw-id '08:00:27:c1:ce:b1'
set system host-name 'fwl01'
set vpn ipsec ipsec-interfaces interface 'eth1.101'
set vpn ipsec site-to-site peer 201.1.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 201.1.2.1 authentication pre-shared-secret 'Ma2754ni'
set vpn ipsec site-to-site peer 201.1.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 201.1.2.1 default-esp-group 'MyESP'
set vpn ipsec site-to-site peer 201.1.2.1 ike-group 'MyIKE'
set vpn ipsec site-to-site peer 201.1.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 201.1.2.1 local-address '101.1.2.1'
set vpn ipsec site-to-site peer 201.1.2.1 tunnel 101 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 201.1.2.1 tunnel 101 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 201.1.2.1 tunnel 101 local prefix '10.1.3.0/29'
set vpn ipsec site-to-site peer 201.1.2.1 tunnel 101 remote prefix '10.3.4.0/29'
Firewall 2

set interfaces ethernet eth0 hw-id '08:00:27:76:a9:82'
set interfaces ethernet eth1 hw-id '08:00:27:7f:da:5c'
set interfaces ethernet eth2 hw-id '08:00:27:7a:75:9e'
set interfaces ethernet eth3 hw-id '08:00:27:1b:df:6e'
ISP01
Router 1
set interfaces ethernet eth0 hw-id '08:00:27:ff:e4:3a'

set interfaces ethernet eth1 hw-id '08:00:27:58:6b:cc'
set interfaces ethernet eth2 hw-id '08:00:27:b2:fe:d5'
set interfaces ethernet eth3 hw-id '08:00:27:4f:96:d3'
set system domain-name 'isp01.com'
Site B
Router 1
set interfaces ethernet eth0 hw-id '08:00:27:3c:61:46'
set interfaces ethernet eth1 hw-id '08:00:27:8b:f6:b5'
set interfaces ethernet eth2 hw-id '08:00:27:58:2d:eb'
set interfaces ethernet eth3 hw-id '08:00:27:5a:1d:dc'
set protocols static route 0.0.0.0/0 next-hop '10.3.4.1'
set system domain-name 'abc.com'
Router 2

set interfaces ethernet eth1 hw-id '08:00:27:d1:93:20'
set interfaces ethernet eth2 hw-id '08:00:27:f5:5a:fd'
set interfaces ethernet eth3 hw-id '08:00:27:4f:26:39'
set interfaces ethernet eth4 hw-id '08:00:27:a7:bc:c1'
Firewall 1
set interfaces ethernet eth0 hw-id '08:00:27:99:5e:57'
set interfaces ethernet eth1 hw-id '08:00:27:94:67:64'
set interfaces ethernet eth2 hw-id '08:00:27:d1:22:ce'
set interfaces ethernet eth3 hw-id '08:00:27:79:04:f4'

Firewall 2
set interfaces ethernet eth0 hw-id '08:00:27:14:70:76'
set interfaces ethernet eth1 hw-id '08:00:27:06:01:2c'
set interfaces ethernet eth2 hw-id '08:00:27:de:60:ff'
set interfaces ethernet eth3 hw-id '08:00:27:1f:8e:fb'

Virtual Environment Details
VirtualBox Configuration
Vyos
Memory: 512 MB
Operating system: Linux 2.6, 64 bit, Debian
NIC1: Intel PRO/1000 MT Desktop (Host-Only Adapter, ‘vboxnet0’)
NIC2: el PRO/1000 MT Desktop (Internal Network, ‘intnet’)
Virutalization Parameters: VT-x/AMD-V, Nested Paging, PAE/NX, KVM Paravirtualization
Boot Order: Optical Disk, HDD
Host Configuration
Memory: 12 GB
Operating system: Ubuntu 16.04 LTS
Virtual Environment: VirtualBox 5.1.6
Disclaimer:
All of the above details in this document are only for lab environment purposes and to promote interests within the
networking/virtualization/IT Security enthusiasts. There is no intend to violate any copyrights. All the devices (host and virtual)
used here are based on the open source environment.

Vyos clustering ipsec

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Vyos clustering ipsec

Similar to Vyos clustering ipsec (20)

Recently uploaded

Recently uploaded (20)

Vyos clustering ipsec