Connecting DataCenters with OverLapping Private IP Addresses & Hiding Real Server IP For Security

Overview

Connecting multiple data centers or remote branches to centralized or hub sites is a very common practice in legacy network environments and cloud deployments. Securing the real server IP, or handling overlapping IP addresses across data centers, is always a challenge; it can be achieved by leveraging encrypted tunnels (site-to-site IPsec VPN) in combination with NAT.

Brocade v5400 Router

Initially the v5400 router performed DNAT on the inbound IPsec-terminating interface, and the return traffic was de-translated gracefully back into the IPsec tunnel using the connection tracking table.
1. In this topology, for DNAT translation the IPsec packet is first decrypted in the v5400.
2. IPsec peering is established between the two v5400 devices.
3. The client targets 172.16.1.245, sourced from 10.103.0.1; the expected behavior is that the destination address 172.16.1.245 is translated to 10.71.68.245 in the packet header.

Brocade v5600 Router

With the advent of the v5600 platform and its architectural changes, some key features and functionality work differently than they did in Vyatta v5400, such as the firewall and site-to-site IPsec with NAT. Let's discuss site-to-site IPsec VPN with DNAT, as the router behavior has changed and now functions differently: the session/connection tracking table still gets created, however the return traffic bypasses the IPsec tunnel after the connection tracking table reverses the DNAT change. The v5600 sends the packet on the wire without performing IPsec encryption. The upstream device is not expecting this traffic and will most likely drop it.

In the v5400 router, IPsec traffic appears to originate from the interface that IPsec is connected on (i.e. if IPsec runs over the public network with the v5400 on the Bond1 IP, the traffic is tied to Bond1). The v5600 does not tie IPsec traffic to an interface unless VTI or GRE tunnels are used, yet the v5600 requires traffic to be tied to an interface in order to manage source/destination NAT.

Brocade v5600 Router Version 5.2X

In order to handle this behavior in v5600 5.2 code, Brocade/AT&T suggested a workaround: use a local loopback as the IP for a GRE tunnel interface, and use Policy Based Routing (PBR) to get the traffic originating from the IPsec tunnel onto an interface in order to perform NAT functions.
Vyatta 1

Interface configuration commands

set interfaces dataplane dp0p192p1 address '11.0.0.1/30'
set interfaces dataplane dp0p224p1 address '10.0.0.2/30'
set interfaces dataplane dp0p224p1 policy route pbr 'Backwards-DNAT'
set interfaces loopback lo address '169.254.1.1/24'
set interfaces tunnel tun50 address '169.254.240.1/32'
set interfaces tunnel tun50 encapsulation 'gre'
set interfaces tunnel tun50 local-ip '169.254.1.1'
set interfaces tunnel tun50 remote-ip '169.254.1.1'

Note. A logical tunnel interface is created for DNAT/SNAT. 169.254.0.0/16 is the "link local" block; it is allocated for communication between hosts on a single link (https://tools.ietf.org/html/rfc3330).

VPN configuration commands

set security vpn ipsec esp-group ESP lifetime '30000'
set security vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set security vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE lifetime '60000'
set security vpn ipsec ike-group IKE proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 12.0.0.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 12.0.0.1 authentication pre-shared-secret 'thekey'
set security vpn ipsec site-to-site peer 12.0.0.1 default-esp-group 'ESP'
set security vpn ipsec site-to-site peer 12.0.0.1 ike-group 'IKE'
set security vpn ipsec site-to-site peer 12.0.0.1 local-address '11.0.0.1'
set security vpn ipsec site-to-site peer 12.0.0.1 tunnel 1 local prefix '172.16.1.245/30'
set security vpn ipsec site-to-site peer 12.0.0.1 tunnel 1 remote prefix '10.103.0.0/24'

NAT configuration commands

set service nat destination rule 10 destination address '172.16.1.245'
set service nat destination rule 10 inbound-interface 'tun50'
set service nat destination rule 10 source address '10.103.0.1'
set service nat destination rule 10 translation address '10.71.68.245'
set service nat source rule 10 destination address '10.103.0.1'
set service nat source rule 10 'log'
set service nat source rule 10 outbound-interface 'tun50'
set service nat source rule 10 source address '10.71.68.245'
set service nat source rule 10 translation address '172.16.1.245'

Note. For bidirectional NAT, source NAT is required as well; otherwise only DNAT is needed on the tunnel interface.
Protocols configuration commands

set protocols static interface-route 172.16.1.245/32 next-hop-interface 'tun50'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'tun50'
set protocols static interface-route 10.103.0.1/32 next-hop-interface 'tun50'

PBR configuration commands

set policy route pbr Backwards-DNAT desc 'Get return traffic back to tunnel for DNAT'
set policy route pbr Backwards-DNAT rule 10 action 'accept'
set policy route pbr Backwards-DNAT rule 10 address-family 'ipv4'
set policy route pbr Backwards-DNAT rule 10 destination address '10.103.0.0/24'
set policy route pbr Backwards-DNAT rule 10 source address '10.71.68.0/24'
set policy route pbr Backwards-DNAT rule 10 table '50'

Vyatta 2

set security vpn ipsec esp-group ESP lifetime '30000'
set security vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set security vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE lifetime '60000'
set security vpn ipsec ike-group IKE proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 11.0.0.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 11.0.0.1 authentication pre-shared-secret 'thekey'
set security vpn ipsec site-to-site peer 11.0.0.1 default-esp-group 'ESP'
set security vpn ipsec site-to-site peer 11.0.0.1 ike-group 'IKE'
set security vpn ipsec site-to-site peer 11.0.0.1 local-address '12.0.0.1'
set security vpn ipsec site-to-site peer 11.0.0.1 tunnel 1 local prefix '10.103.0.0/24'
set security vpn ipsec site-to-site peer 11.0.0.1 tunnel 1 remote prefix '172.16.1.245/30'

AT&T VRA v5600 Router Version 18.X

In VRA v5600 18.X code, AT&T introduced the concept of a VFP (Virtual Feature Point) interface to resolve the issues related to site-to-site IPsec, and to applying firewalls to IPsec, that were not handled in the earlier 5.2 code. Secondly, all interface-dependent features like NAT, firewall, PBR, TCP-MSS etc. can now be applied to it.
Mexico-VRA5600-18.x

Version:     1801n
Description: AT&T vrouter 5600 1801n
License:     Standard

Interface configuration commands

set interfaces bonding dp0bond0 address '10.131.64.77/26'
set interfaces bonding dp0bond0 vrrp vrrp-group 1 virtual-address '10.131.64.69/26'
set interfaces bonding dp0bond1 address '169.57.91.203/29'
set interfaces bonding dp0bond1 vrrp vrrp-group 1 virtual-address '169.57.91.205/29'
set interfaces bonding dp0bond0 vif 790 address '10.131.26.193/26'
set interfaces bonding dp0bond1 vif 1245 address '169.57.71.241/29'
set interfaces virtual-feature-point vfp0 address '172.16.10.2/30'

VPN configuration commands

set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des'
set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1'
set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1'
set security vpn ipsec nat-traversal 'enable'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication id '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication remote-id '184.173.51.133'
set security vpn ipsec site-to-site peer 184.173.51.133 connection-type 'initiate'
set security vpn ipsec site-to-site peer 184.173.51.133 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 local-address '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 remote prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 uses 'vfp0'

Note. The configuration is exactly the same as a site-to-site IPsec VPN on the v5400; the only addition is 'uses vfp0'.

NAT configuration commands

set service nat destination rule 10 destination address '172.16.1.245'
set service nat destination rule 10 inbound-interface 'vfp0'
set service nat destination rule 10 source address '13.13.13.13'
set service nat destination rule 10 translation address '10.131.26.194'
set service nat source rule 10 description 'SERVER-Client'
set service nat source rule 10 destination address '13.13.13.13'
set service nat source rule 10 outbound-interface 'vfp0'
set service nat source rule 10 source address '10.131.26.194'
set service nat source rule 10 translation address '172.16.1.245'

Note. Here 10.131.26.194 is the real server IP and 172.16.1.245 is the fake IP advertised (declared as a local subnet) to the remote client. DNAT translates 172.16.1.245 to the real server IP when the traffic comes in via the site-to-site VFP interface.

Protocols configuration commands

set protocols static interface-route 13.13.13.0/24 next-hop-interface 'vfp0'
set protocols static interface-route 172.16.1.245/32 next-hop-interface 'vfp0'

USE-CASE-1 (Traffic Moving from Server to Client)

Server 10.131.26.194 initiates traffic to client 13.13.13.13, using source NAT to hide the real server IP 10.131.26.194 behind the fake IP 172.16.1.245.
SOURCE NAT ENTRIES & SESSION

vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT              Post-NAT             Prot  Timeout
10.131.26.194:1      172.16.1.245:1       icmp  60

vyatta@mexico1v56-18:~$ show nat source statistics
rule  pkts  bytes  interface  used/total
----  ----  -----  ---------  ----------
10    20    1480   vfp0       0/65535
20    0     0      dp0bond1   0/65535

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
3        10.131.26.194:1    13.13.13.13:1       icmp [1] ES   15       vfp0  0

vyatta@mexico1v56-18:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205

   State  Encrypt  Hash  D-H Grp  A-Time  L-Time  IKEv
   -----  -------  ----  -------  ------  ------  ----
   up     3des     sha1  5        0       28800   1

vyatta@mexico1v56-18:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205

   Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
   ------  --  -----  ------------  -------  ----  --  ------  ------
   0       2   up     240.0/240.0   3des     sha1  5   18893   3600

vyatta@mexico1v56-18:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface       IP Address                    S/L  Description
---------       ----------                    ---  -----------
dp0bond0        10.131.64.77/26               u/u
dp0bond0.790    10.131.26.193/26              u/u
dp0bond1        169.57.91.203/29              u/u
                2607:f0d0:1c01:3e::5/64
dp0bond1.1245   169.57.71.241/29              u/u
dp0vrrp1        169.57.91.205/32              u/u
dp0vrrp2        10.131.64.69/32               u/u
lo              22.22.22.22/24                u/u
                33.33.33.33/24
vfp0            172.16.10.2/30                u/u
USE-CASE-2 (Traffic Moving from Client to Server)

Client 13.13.13.13 initiates traffic to server 10.131.26.194. The traffic comes in via the site-to-site tunnel to the fake IP 172.16.1.245, is translated to the real server IP 10.131.26.194 using DNAT on the vfp0 interface, and is forwarded to the server.

VPN configuration commands (remote peer hou2v560018x)

set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des'
set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1'
set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1'
set security vpn ipsec nat-traversal 'enable'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication id '184.173.51.133'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication remote-id '169.57.91.205'
set security vpn ipsec site-to-site peer 169.57.91.205 connection-type 'respond'
set security vpn ipsec site-to-site peer 169.57.91.205 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 169.57.91.205 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 169.57.91.205 local-address '184.173.51.133'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 local prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 remote prefix '172.16.1.245/32'

vyatta@hou2v560018x:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
169.57.91.205                           184.173.51.133

   State  Encrypt  Hash  D-H Grp  A-Time  L-Time  IKEv
   -----  -------  ----  -------  ------  ------  ----
   up     3des     sha1  5        0       28800   1

vyatta@hou2v560018x:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
169.57.91.205                           184.173.51.133

   Tunnel  Id   State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
   ------  ---  -----  ------------  -------  ----  --  ------  ------
   0       901  up     0.0/0.0       3des     sha1  5   18515   3600
vyatta@hou2v560018x:~$ ping 172.16.1.245 interface 13.13.13.13
PING 172.16.1.245 (172.16.1.245) from 13.13.13.13 : 56(84) bytes of data.
64 bytes from 172.16.1.245: icmp_seq=1 ttl=127 time=36.2 ms
64 bytes from 172.16.1.245: icmp_seq=2 ttl=127 time=32.6 ms
64 bytes from 172.16.1.245: icmp_seq=3 ttl=127 time=33.0 ms
64 bytes from 172.16.1.245: icmp_seq=4 ttl=127 time=32.8 ms
64 bytes from 172.16.1.245: icmp_seq=5 ttl=127 time=32.9 ms
^C
--- 172.16.1.245 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 32.669/33.546/36.270/1.377 ms

MEXICO

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT              Post-NAT               Prot  Timeout
172.16.1.245:6986    10.131.26.194:6986     icmp  54

vyatta@mexico1v56-18:~$ show nat destination statistics
rule  pkts  bytes  interface  used/total
----  ----  -----  ---------  ----------
10    10    980    vfp0       0/65535
vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
4        13.13.13.13:6986   172.16.1.245:6986   icmp [1] ES   33       vfp0  0

USE-CASE-3 (Traffic Moving Between Server & Client Using PBR instead of a Static Route)

Protocols configuration commands

delete protocols static interface-route 13.13.13.0/24 next-hop-interface 'vfp0'
delete protocols static interface-route 172.16.1.245/32 next-hop-interface 'vfp0'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'

PBR (Policy Based Routing)

set interfaces bonding dp0bond0 vif 790 policy route pbr 'VFP0-DNAT'
set policy route pbr VFP0-DNAT rule 10 action 'accept'
set policy route pbr VFP0-DNAT rule 10 address-family 'ipv4'
set policy route pbr VFP0-DNAT rule 10 destination address '13.13.13.0/24'
set policy route pbr VFP0-DNAT rule 10 source address '10.131.26.192/26'
set policy route pbr VFP0-DNAT rule 10 table '50'
vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT              Post-NAT             Prot  Timeout
10.131.26.194:1      172.16.1.245:1       icmp  46

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT              Post-NAT               Prot  Timeout
172.16.1.245:18962   10.131.26.194:18962    icmp  20

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
727      13.13.13.13:18962  172.16.1.245:18962  icmp [1] ES   16       vfp0  0
728      10.131.26.194:1    13.13.13.13:1       icmp [1] ES   35       vfp0  0
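The session and NAT tables above can be verified mechanically instead of by eye. The Python script below is an added example, not part of the original page or a vendor tool; it assumes the real server IP, fake IP, client subnet and VFP name used on this page, and parses rows in the 'show session table' and 'show nat ... translations' layout printed above (sample rows constructed from USE-CASE-3):

```python
"""Correlate VRA 'show session table' with 'show nat source/destination
translations' output. Added example, not a vendor tool. It checks what the
use cases above demonstrate by eye: every client<->server session is bound
to a VFP interface (in 5.2 code the reply left on a non-tunnel interface and
was never encrypted) and each direction has the NAT entry it needs."""
import ipaddress
import re

# Sample rows constructed from the USE-CASE-3 output above.
SESSION_TABLE = """\
CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
727      13.13.13.13:18962  172.16.1.245:18962  icmp [1] ES   16       vfp0  0
728      10.131.26.194:1    13.13.13.13:1       icmp [1] ES   35       vfp0  0
"""
SNAT_TABLE = """\
Pre-NAT              Post-NAT             Prot  Timeout
10.131.26.194:1      172.16.1.245:1       icmp  46
"""
DNAT_TABLE = """\
Pre-NAT              Post-NAT               Prot  Timeout
172.16.1.245:18962   10.131.26.194:18962    icmp  20
"""
REAL_SERVER, FAKE_IP = "10.131.26.194", "172.16.1.245"
CLIENT_NETS = [ipaddress.ip_network("13.13.13.0/24")]
VFP_INTERFACES = {"vfp0"}

SESSION_RE = re.compile(r"^(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+\[\d+\]\s+"
                        r"(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")
NAT_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)$")


def parse_sessions(text):
    """One dict per data row; header and state-code lines do not match."""
    rows = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            rows.append({"id": int(m[1]), "src": m[2], "sport": int(m[3]), "dst": m[4],
                         "dport": int(m[5]), "proto": m[6], "state": m[7], "intf": m[9]})
    return rows


def parse_nat(text):
    """Set of (pre_ip, pre_port, post_ip, post_port) tuples from a translations table."""
    return {(m[1], int(m[2]), m[3], int(m[4]))
            for m in map(NAT_RE.match, (l.strip() for l in text.splitlines())) if m}


def is_client(ip):
    return any(ipaddress.ip_address(ip) in net for net in CLIENT_NETS)


def audit(sessions, snat, dnat):
    """Return problem strings; an empty list means both directions look right."""
    problems = []
    for s in sessions:
        tag = f"session {s['id']} {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}"
        if s["intf"] not in VFP_INTERFACES:
            # Reply is forwarded by the plain FIB and never hits the IPsec policy.
            problems.append(f"{tag}: bound to {s['intf']}, not a VFP interface")
        if is_client(s["src"]) and s["dst"] == FAKE_IP:
            if (FAKE_IP, s["dport"], REAL_SERVER, s["dport"]) not in dnat:
                problems.append(f"{tag}: no DNAT entry {FAKE_IP} -> {REAL_SERVER}")
        elif s["src"] == REAL_SERVER and is_client(s["dst"]):
            if (REAL_SERVER, s["sport"], FAKE_IP, s["sport"]) not in snat:
                problems.append(f"{tag}: real server IP leaves without SNAT to {FAKE_IP}")
        else:
            problems.append(f"{tag}: address pair does not match the client/fake-IP design")
    return problems


def audit_page_sample():
    """Run the checks over the sample rows above."""
    return audit(parse_sessions(SESSION_TABLE), parse_nat(SNAT_TABLE), parse_nat(DNAT_TABLE))
```

Paste the live output of the three show commands into the three strings to run it against a router; a session listed on dp0bond1 instead of a vfp is the 5.2-style symptom described earlier.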
USE-CASE-4 (Traffic Moving Between Server & Client Using VFP as IP Unnumbered)

set interfaces loopback lo1 address '169.254.1.1/24'
set interfaces virtual-feature-point vfp0 ip unnumbered donor-interface lo1 preferred-address '169.254.1.1'

Note. 169.254.0.0/16 is the "link local" block; it is allocated for communication between hosts on a single link (https://tools.ietf.org/html/rfc3330).

vyatta@mexico1v56-18:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205

   State  Encrypt  Hash  D-H Grp  A-Time  L-Time  IKEv
   -----  -------  ----  -------  ------  ------  ----
   up     3des     sha1  5        0       28800   1

vyatta@mexico1v56-18:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205

   Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
   ------  --  -----  ------------  -------  ----  --  ------  ------
   0       1   up     492.0/492.0   3des     sha1  5   19949   3600

vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT              Post-NAT             Prot  Timeout
10.131.26.194:1      172.16.1.245:1       icmp  53

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT              Post-NAT             Prot  Timeout

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
1        10.131.26.194:1    13.13.13.13:1       icmp [1] ES   47       vfp0  0

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
2        13.13.13.13:19122  172.16.1.245:19122  icmp [1] ES   55       vfp0  0

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT              Post-NAT             Prot  Timeout
USE-CASE-5 (Traffic Between Server & 2 Remote Clients Using Separate S-S VFP Interfaces as IP Unnumbered)
VPN configuration commands

set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des'
set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1'
set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1'
set security vpn ipsec nat-traversal 'enable'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication id '169.57.91.205'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication remote-id '50.23.185.52'
set security vpn ipsec site-to-site peer 50.23.185.52 connection-type 'respond'
set security vpn ipsec site-to-site peer 50.23.185.52 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 50.23.185.52 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 50.23.185.52 local-address '169.57.91.205'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 remote prefix '6.6.6.0/24'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 uses 'vfp1'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication id '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication remote-id '184.173.51.133'
set security vpn ipsec site-to-site peer 184.173.51.133 connection-type 'initiate'
set security vpn ipsec site-to-site peer 184.173.51.133 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 local-address '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 remote prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 uses 'vfp0'

PBR (Policy Based Routing)

set interfaces bonding dp0bond0 vif 790 policy route pbr 'VFP0-DNAT'
set policy route pbr VFP0-DNAT rule 10 action 'accept'
set policy route pbr VFP0-DNAT rule 10 address-family 'ipv4'
set policy route pbr VFP0-DNAT rule 10 destination address '13.13.13.0/24'
set policy route pbr VFP0-DNAT rule 10 source address '10.131.26.192/26'
set policy route pbr VFP0-DNAT rule 10 table '50'
set policy route pbr VFP0-DNAT rule 20 action 'accept'
set policy route pbr VFP0-DNAT rule 20 address-family 'ipv4'
set policy route pbr VFP0-DNAT rule 20 destination address '6.6.6.0/24'
set policy route pbr VFP0-DNAT rule 20 source address '10.131.26.192/26'
set policy route pbr VFP0-DNAT rule 20 table '60'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'
set protocols static table 60 interface-route 6.6.6.0/24 next-hop-interface 'vfp1'

SNAT & DNAT

set service nat destination rule 10 destination address '172.16.1.245'
set service nat destination rule 10 inbound-interface 'vfp0'
set service nat destination rule 10 source address '13.13.13.13'
set service nat destination rule 10 translation address '10.131.26.194'
set service nat destination rule 20 destination address '172.16.1.245'
set service nat destination rule 20 inbound-interface 'vfp1'
set service nat destination rule 20 source address '6.6.6.6'
set service nat destination rule 20 translation address '10.131.26.194'
set service nat source rule 10 description 'SERVER-Client'
set service nat source rule 10 destination address '13.13.13.13'
set service nat source rule 10 outbound-interface 'vfp0'
set service nat source rule 10 source address '10.131.26.194'
set service nat source rule 10 translation address '172.16.1.245'
set service nat source rule 30 description 'SERVER-Client-Seattle'
set service nat source rule 30 destination address '6.6.6.6'
set service nat source rule 30 outbound-interface 'vfp1'
set service nat source rule 30 source address '10.131.26.194'
set service nat source rule 30 translation address '172.16.1.245'

Protocols configuration commands

set interfaces loopback lo2 address '169.254.2.1/24'
set interfaces virtual-feature-point vfp1 ip unnumbered donor-interface lo2 preferred-address '169.254.2.1'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'
set protocols static table 60 interface-route 6.6.6.0/24 next-hop-interface 'vfp1'

vyatta@mexico1v56-18:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
50.23.185.52                            169.57.91.205

   Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
   ------  --  -----  ------------  -------  ----  --  ------  ------
   0       2   up     4.2K/4.2K     3des     sha1  5   19281   3600

Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205

   Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
   ------  --  -----  ------------  -------  ----  --  ------  ------
   0       1   up     4.0K/4.0K     3des     sha1  5   19284   3600
vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
12       10.131.26.194:3    6.6.6.6:3           icmp [1] ES   42       vfp1  0

vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT              Post-NAT             Prot  Timeout
10.131.26.194:3      172.16.1.245:3       icmp  27

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT              Post-NAT               Prot  Timeout
172.16.1.245:23998   10.131.26.194:23998    icmp  60
172.16.1.245:28948   10.131.26.194:28948    icmp  60

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source             Destination         Protocol      TIMEOUT  Intf  Parent
10       13.13.13.13:23998  172.16.1.245:23998  icmp [1] ES   60       vfp0  0
11       6.6.6.6:28948      172.16.1.245:28948  icmp [1] ES   60       vfp1  0

vyatta@mexico1v56-18:~$ show conf
Best Practice for Using Virtual Feature Point Interface in S-S IPsec VPN

1. In the case of multiple S-S IPsec VPNs with DNAT to a single or to different remote sites, do we need a common or a separate VFP interface?
   a. As per AT&T Engineering, the same VFPx interface can be used on multiple tunnels with the same or different peers. However, this could introduce unwanted complexity, and as a best practice it is easier to differentiate the tunnels with separate VFPx numbers.
   b. The second major advantage of using a separate VFPx interface is applying a firewall: one has more control and flexibility in applying firewall rules to block/allow traffic based on the remote peer. In a nutshell, use a unique VFP per IPsec tunnel, and prefer the 'ip unnumbered' command on the VFP rather than the 'address' command.
2. Are PBR (Policy Based Routing) or static routes required in a VFP-based S-S IPsec VPN? PBR or static routes can both be used for directing the traffic to the VFP interface, but AT&T Engineering recommends PBR as it is less complex.
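The points above can be turned into a mechanical pre-deployment check. The following Python script is an added example (not AT&T's or Wanclouds' tooling); it parses Vyatta/VRA 'set' commands, using a trimmed copy of the USE-CASE-4/5 configuration from this page as sample input, and flags a tunnel without 'uses vfpX', a VFP shared by two tunnels, a VFP configured with 'address' instead of 'ip unnumbered', a missing DNAT or SNAT rule on the tunnel's VFP, a remote prefix not routed to the VFP by a static route or PBR, and a real server IP that sits inside an advertised local prefix:

```python
"""Static checks for the VFP + NAT design on this page, run over Vyatta/VRA 'set'
commands. Added example, not AT&T tooling; encodes the best-practice points above."""
import ipaddress
import shlex

# Constructed from the USE-CASE-4/5 configuration above (crypto, secrets and
# source-address lines omitted; only the keys the checks read are kept).
CONFIG = """
set interfaces virtual-feature-point vfp0 ip unnumbered donor-interface lo1 preferred-address '169.254.1.1'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 remote prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 uses 'vfp0'
set service nat destination rule 10 destination address '172.16.1.245'
set service nat destination rule 10 inbound-interface 'vfp0'
set service nat destination rule 10 translation address '10.131.26.194'
set service nat source rule 10 outbound-interface 'vfp0'
set service nat source rule 10 translation address '172.16.1.245'
set policy route pbr VFP0-DNAT rule 10 destination address '13.13.13.0/24'
set policy route pbr VFP0-DNAT rule 10 table '50'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'
"""

def parse(text):
    """Flatten 'set a b c value' lines into {'a b c': 'value'} (quotes stripped)."""
    cfg = {}
    for line in text.splitlines():
        if line.startswith("set "):
            tok = shlex.split(line)[1:]
            cfg[" ".join(tok[:-1])] = tok[-1]
    return cfg

def children(cfg, prefix):
    """Distinct next path components under prefix (peer IPs, rule numbers, prefixes)."""
    return sorted({k[len(prefix) + 1:].split(" ")[0] for k in cfg if k.startswith(prefix + " ")})

def nat_rule(cfg, kind, iface_key, vfp, addr_key, prefix):
    """True if some 'service nat <kind>' rule on vfp has addr_key inside prefix."""
    for r in children(cfg, f"service nat {kind} rule"):
        addr = cfg.get(f"service nat {kind} rule {r} {addr_key}")
        if (cfg.get(f"service nat {kind} rule {r} {iface_key}") == vfp and addr and prefix
                and ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)):
            return True
    return False

def routed_via(cfg, remote, vfp):
    """True if remote reaches vfp via a main-table interface-route or a PBR rule -> table."""
    net = ipaddress.ip_network(remote)
    bases = ["protocols static interface-route"]
    for pol in children(cfg, "policy route pbr"):
        for r in children(cfg, f"policy route pbr {pol} rule"):
            dst = cfg.get(f"policy route pbr {pol} rule {r} destination address", "0.0.0.0/0")
            tbl = cfg.get(f"policy route pbr {pol} rule {r} table")
            if tbl and net.subnet_of(ipaddress.ip_network(dst)):
                bases.append(f"protocols static table {tbl} interface-route")
    return any(net.subnet_of(ipaddress.ip_network(p)) and cfg.get(f"{b} {p} next-hop-interface") == vfp
               for b in bases for p in children(cfg, b))

def audit(text):
    """Return findings for the VFP/NAT design; an empty list means every check passed."""
    cfg, findings, used, locals_ = parse(text), [], {}, set()
    pb = "security vpn ipsec site-to-site peer"
    for peer in children(cfg, pb):
        for t in children(cfg, f"{pb} {peer} tunnel"):
            base, tag = f"{pb} {peer} tunnel {t}", f"peer {peer} tunnel {t}"
            vfp, local = cfg.get(f"{base} uses"), cfg.get(f"{base} local prefix")
            locals_.add(local)
            if not vfp:  # the 5.2-era failure: IPsec traffic tied to no interface
                findings.append(f"{tag}: no 'uses vfpX', NAT cannot be tied to this tunnel")
                continue
            if vfp in used:
                findings.append(f"{tag}: shares {vfp} with {used[vfp]}; use one VFP per tunnel")
            used[vfp] = tag
            if f"interfaces virtual-feature-point {vfp} address" in cfg:
                findings.append(f"{tag}: {vfp} uses 'address'; prefer 'ip unnumbered'")
            if not nat_rule(cfg, "destination", "inbound-interface", vfp, "destination address", local):
                findings.append(f"{tag}: no DNAT rule on {vfp} for the fake IP in {local}")
            if not nat_rule(cfg, "source", "outbound-interface", vfp, "translation address", local):
                findings.append(f"{tag}: no SNAT rule on {vfp}; the real server IP would leave unmasked")
            if not routed_via(cfg, cfg.get(f"{base} remote prefix", "0.0.0.0/0"), vfp):
                findings.append(f"{tag}: remote prefix is not routed to {vfp} by a static route or PBR")
    for r in children(cfg, "service nat destination rule"):
        real = cfg.get(f"service nat destination rule {r} translation address")
        if real and any(ipaddress.ip_address(real) in ipaddress.ip_network(l) for l in locals_ if l):
            findings.append(f"DNAT rule {r}: real server IP {real} sits inside an advertised local prefix")
    return findings
```

Feed it the output of 'show configuration commands' from the router; the page's own USE-CASE-5 configuration passes every check, and a second tunnel that reuses vfp0 is reported as shared.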
Virtual Feature Point Flow Diagram
References

https://github.com/nebosworth/ipsec_pbr_nat_workaround_5600

Created By
Syed Faizullah
Director Network Solutions Engineering
Wanclouds Inc
E: fsyed@wanclouds.net
Web: www.wanclouds.net