Connecting DataCenters with OverLapping Private IP Addresses & Hiding Real Server IP For Security.


Overview

Connecting multiple data centers or remote branches to centralized hub sites is common practice in both legacy network environments and cloud deployments. Hiding the real server IP, or handling overlapping IP address space across data centers, is a recurring challenge; both can be addressed by combining encrypted tunnels (site-to-site IPsec VPN) with NAT.

Brocade v5400 Router

On the v5400 router, DNAT was performed on the inbound IPsec-terminating interface, and the return traffic was de-translated gracefully and sent back into the IPsec tunnel using the connection tracking table.

1. In this topology the IPsec packet is decrypted on the v5400 before the DNAT translation is applied.
2. IPsec peering is established between two v5400 devices.
3. The client, sourced from 10.103.0.1, targets 172.16.1.245; the expected behavior is that the destination address 172.16.1.245 is translated to 10.71.68.245 in the packet header.

Brocade v5600 Router

With the architectural changes of the v5600 platform, some key features work differently than they did on Vyatta v5400, among them the firewall and site-to-site IPsec combined with NAT. Site-to-site IPsec VPN with DNAT is the case discussed here, because the router behavior has changed: the session/connection tracking table is still created, but the return traffic bypasses the IPsec tunnel after the connection tracking table reverses the DNAT change. The v5600 sends the packet on the wire without IPsec encryption; the upstream device is not expecting this traffic and will most likely drop it.

On the v5400, IPsec traffic appears to originate from the interface IPsec is connected on (for example, if IPsec runs over the public side with the v5400 on the bond1 IP, the traffic is tied to bond1). The v5600 does not tie IPsec traffic to an interface unless VTI or GRE tunnels are used, yet it requires the traffic to be tied to an interface in order to perform source/destination NAT on it.

Brocade v5600 Router Version 5.2X

To handle this behavior in v5600 5.2 code, Brocade/AT&T suggested a workaround: use a local loopback as the IP for a GRE tunnel interface, and use policy-based routing (PBR) to get the traffic originating from IPsec onto an interface on which the NAT functions can be performed.

Vyatta 1

Interface configuration commands

set interfaces dataplane dp0p192p1 address '11.0.0.1/30'
set interfaces dataplane dp0p224p1 address '10.0.0.2/30'
set interfaces dataplane dp0p224p1 policy route pbr 'Backwards-DNAT'
set interfaces loopback lo address '169.254.1.1/24'
set interfaces tunnel tun50 address '169.254.240.1/32'
set interfaces tunnel tun50 encapsulation 'gre'
set interfaces tunnel tun50 local-ip '169.254.1.1'
set interfaces tunnel tun50 remote-ip '169.254.1.1'

Note: the logical tunnel interface is created only so that DNAT/SNAT has an interface to attach to. 169.254.0.0/16 is the "link local" block; it is allocated for communication between hosts on a single link (https://tools.ietf.org/html/rfc3330).

VPN configuration commands

set security vpn ipsec esp-group ESP lifetime '30000'
set security vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set security vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE lifetime '60000'
set security vpn ipsec ike-group IKE proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 12.0.0.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 12.0.0.1 authentication pre-shared-secret 'thekey'
set security vpn ipsec site-to-site peer 12.0.0.1 default-esp-group 'ESP'
set security vpn ipsec site-to-site peer 12.0.0.1 ike-group 'IKE'
set security vpn ipsec site-to-site peer 12.0.0.1 local-address '11.0.0.1'
set security vpn ipsec site-to-site peer 12.0.0.1 tunnel 1 local prefix '172.16.1.245/30'
set security vpn ipsec site-to-site peer 12.0.0.1 tunnel 1 remote prefix '10.103.0.0/24'

NAT configuration commands

set service nat destination rule 10 destination address '172.16.1.245'
set service nat destination rule 10 inbound-interface 'tun50'
set service nat destination rule 10 source address '10.103.0.1'
set service nat destination rule 10 translation address '10.71.68.245'
set service nat source rule 10 destination address '10.103.0.1'
set service nat source rule 10 'log'
set service nat source rule 10 outbound-interface 'tun50'
set service nat source rule 10 source address '10.71.68.245'
set service nat source rule 10 translation address '172.16.1.245'

Note: for bidirectional NAT, source NAT is required as well; otherwise only DNAT is needed on the tunnel interface.

Protocols configuration commands

set protocols static interface-route 172.16.1.245/32 next-hop-interface 'tun50'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'tun50'
set protocols static interface-route 10.103.0.1/32 next-hop-interface 'tun50'

PBR configuration commands

set policy route pbr Backwards-DNAT desc 'Get return traffic back to tunnel for DNAT'
set policy route pbr Backwards-DNAT rule 10 action 'accept'
set policy route pbr Backwards-DNAT rule 10 address-family 'ipv4'
set policy route pbr Backwards-DNAT rule 10 destination address '10.103.0.0/24'
set policy route pbr Backwards-DNAT rule 10 source address '10.71.68.0/24'
set policy route pbr Backwards-DNAT rule 10 table '50'

Vyatta 2

set security vpn ipsec esp-group ESP lifetime '30000'
set security vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set security vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE lifetime '60000'
set security vpn ipsec ike-group IKE proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 11.0.0.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 11.0.0.1 authentication pre-shared-secret 'thekey'
set security vpn ipsec site-to-site peer 11.0.0.1 default-esp-group 'ESP'
set security vpn ipsec site-to-site peer 11.0.0.1 ike-group 'IKE'
set security vpn ipsec site-to-site peer 11.0.0.1 local-address '12.0.0.1'
set security vpn ipsec site-to-site peer 11.0.0.1 tunnel 1 local prefix '10.103.0.0/24'
set security vpn ipsec site-to-site peer 11.0.0.1 tunnel 1 remote prefix '172.16.1.245/30'

AT&T VRA v5600 Router Version 18.X

In VRA v5600 18.X code, AT&T introduced the Virtual Feature Point (VFP) interface to resolve the issues with site-to-site IPsec, and with applying firewalls to IPsec traffic, that were not handled in the 5.2 code. Once the IPsec traffic is tied to a VFP interface, all interface-dependent features such as NAT, firewall, PBR and TCP-MSS can be applied to it.

Mexico-VRA5600-18.x

Version: 1801n
Description: AT&T vrouter 5600 1801n
License: Standard

Interface configuration commands

set interfaces bonding dp0bond0 address '10.131.64.77/26'
set interfaces bonding dp0bond0 vrrp vrrp-group 1 virtual-address '10.131.64.69/26'
set interfaces bonding dp0bond1 address '169.57.91.203/29'
set interfaces bonding dp0bond1 vrrp vrrp-group 1 virtual-address '169.57.91.205/29'
set interfaces bonding dp0bond0 vif 790 address '10.131.26.193/26'
set interfaces bonding dp0bond1 vif 1245 address '169.57.71.241/29'
set interfaces virtual-feature-point vfp0 address '172.16.10.2/30'

VPN configuration commands

set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des'
set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1'
set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1'
set security vpn ipsec nat-traversal 'enable'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication id '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication remote-id '184.173.51.133'
set security vpn ipsec site-to-site peer 184.173.51.133 connection-type 'initiate'
set security vpn ipsec site-to-site peer 184.173.51.133 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 local-address '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 remote prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 uses 'vfp0'

Note: the configuration is the same as a site-to-site IPsec VPN on the v5400; the only addition is "tunnel 0 uses 'vfp0'".

NAT configuration commands

set service nat destination rule 10 destination address '172.16.1.245'
set service nat destination rule 10 inbound-interface 'vfp0'
set service nat destination rule 10 source address '13.13.13.13'
set service nat destination rule 10 translation address '10.131.26.194'
set service nat source rule 10 description 'SERVER-Client'
set service nat source rule 10 destination address '13.13.13.13'
set service nat source rule 10 outbound-interface 'vfp0'
set service nat source rule 10 source address '10.131.26.194'
set service nat source rule 10 translation address '172.16.1.245'

Note: 10.131.26.194 is the real server IP and 172.16.1.245 is the fake IP that is advertised (declared as the local prefix) to the remote client. DNAT translates 172.16.1.245 to the real server IP when the traffic arrives through the site-to-site VFP interface.

Protocols configuration commands

set protocols static interface-route 13.13.13.0/24 next-hop-interface 'vfp0'
set protocols static interface-route 172.16.1.245/32 next-hop-interface 'vfp0'

USE-CASE-1 ( Traffic Moving from Server to Client )

Server 10.131.26.194 initiates traffic to client 13.13.13.13. Source NAT hides the real server IP 10.131.26.194 behind the fake IP 172.16.1.245.

SOURCE NAT ENTRIES & SESSION

vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT                Post-NAT               Prot   Timeout
10.131.26.194:1        172.16.1.245:1         icmp   60

vyatta@mexico1v56-18:~$ show nat source statistics
rule  pkts  bytes  interface  used/total
----  ----  -----  ---------  ----------
10    20    1480   vfp0       0/65535
20    0     0      dp0bond1   0/65535

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source               Destination          Protocol     TIMEOUT  Intf  Parent
3        10.131.26.194:1      13.13.13.13:1        icmp [1] ES  15       vfp0  0

vyatta@mexico1v56-18:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205
    State  Encrypt  Hash  D-H Grp  A-Time  L-Time  IKEv
    -----  -------  ----  -------  ------  ------  ----
    up     3des     sha1  5        0       28800   1

vyatta@mexico1v56-18:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205
    Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
    ------  --  -----  ------------  -------  ----  --  ------  ------
    0       2   up     240.0/240.0   3des     sha1  5   18893   3600

vyatta@mexico1v56-18:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface       IP Address                 S/L  Description
---------       ----------                 ---  -----------
dp0bond0        10.131.64.77/26            u/u
dp0bond0.790    10.131.26.193/26           u/u
dp0bond1        169.57.91.203/29           u/u
                2607:f0d0:1c01:3e::5/64
dp0bond1.1245   169.57.71.241/29           u/u
dp0vrrp1        169.57.91.205/32           u/u
dp0vrrp2        10.131.64.69/32            u/u
lo              22.22.22.22/24             u/u
                33.33.33.33/24
vfp0            172.16.10.2/30             u/u

USE-CASE-2 ( Traffic Moving from Client to Server )

Client 13.13.13.13 initiates traffic to server 10.131.26.194. The traffic arrives through the site-to-site tunnel addressed to the fake IP 172.16.1.245, is translated by DNAT on the vfp0 interface to the real server IP 10.131.26.194, and is forwarded to the server.

VPN configuration commands (remote peer, local address 184.173.51.133)

set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des'
set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1'
set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1'
set security vpn ipsec nat-traversal 'enable'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication id '184.173.51.133'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 169.57.91.205 authentication remote-id '169.57.91.205'
set security vpn ipsec site-to-site peer 169.57.91.205 connection-type 'respond'
set security vpn ipsec site-to-site peer 169.57.91.205 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 169.57.91.205 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 169.57.91.205 local-address '184.173.51.133'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 local prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 169.57.91.205 tunnel 0 remote prefix '172.16.1.245/32'

vyatta@hou2v560018x:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
169.57.91.205                           184.173.51.133
    State  Encrypt  Hash  D-H Grp  A-Time  L-Time  IKEv
    -----  -------  ----  -------  ------  ------  ----
    up     3des     sha1  5        0       28800   1

vyatta@hou2v560018x:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
169.57.91.205                           184.173.51.133
    Tunnel  Id   State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
    ------  ---  -----  ------------  -------  ----  --  ------  ------
    0       901  up     0.0/0.0       3des     sha1  5   18515   3600

vyatta@hou2v560018x:~$ ping 172.16.1.245 interface 13.13.13.13
PING 172.16.1.245 (172.16.1.245) from 13.13.13.13 : 56(84) bytes of data.
64 bytes from 172.16.1.245: icmp_seq=1 ttl=127 time=36.2 ms
64 bytes from 172.16.1.245: icmp_seq=2 ttl=127 time=32.6 ms
64 bytes from 172.16.1.245: icmp_seq=3 ttl=127 time=33.0 ms
64 bytes from 172.16.1.245: icmp_seq=4 ttl=127 time=32.8 ms
64 bytes from 172.16.1.245: icmp_seq=5 ttl=127 time=32.9 ms
^C
--- 172.16.1.245 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 32.669/33.546/36.270/1.377 ms

MEXICO

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT                Post-NAT               Prot   Timeout
172.16.1.245:6986      10.131.26.194:6986     icmp   54

vyatta@mexico1v56-18:~$ show nat destination statistics
rule  pkts  bytes  interface  used/total
----  ----  -----  ---------  ----------
10    10    980    vfp0       0/65535

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source               Destination          Protocol     TIMEOUT  Intf  Parent
4        13.13.13.13:6986     172.16.1.245:6986    icmp [1] ES  33       vfp0  0

USE-CASE-3 ( Traffic Moving B/W Server & Client Using PBR instead of Static Route )

Protocols configuration commands

delete protocols static interface-route 13.13.13.0/24 next-hop-interface 'vfp0'
delete protocols static interface-route 172.16.1.245/32 next-hop-interface 'vfp0'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'

PBR (Policy Based Routing)

set interfaces bonding dp0bond0 vif 790 policy route pbr 'VFP0-DNAT'
set policy route pbr VFP0-DNAT rule 10 action 'accept'
set policy route pbr VFP0-DNAT rule 10 address-family 'ipv4'
set policy route pbr VFP0-DNAT rule 10 destination address '13.13.13.0/24'
set policy route pbr VFP0-DNAT rule 10 source address '10.131.26.192/26'
set policy route pbr VFP0-DNAT rule 10 table '50'

vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT                Post-NAT               Prot   Timeout
10.131.26.194:1        172.16.1.245:1         icmp   46

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT                Post-NAT               Prot   Timeout
172.16.1.245:18962     10.131.26.194:18962    icmp   20

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source               Destination          Protocol     TIMEOUT  Intf  Parent
727      13.13.13.13:18962    172.16.1.245:18962   icmp [1] ES  16       vfp0  0
728      10.131.26.194:1      13.13.13.13:1        icmp [1] ES  35       vfp0  0
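The verification output quoted in use-cases 1 to 3 can be checked mechanically rather than by eye. The Python script below is an added example; it is not part of the original document and not AT&T or Brocade code. It parses constructed copies of the "show nat source translations", "show nat destination translations" and "show session table" output, laid out like the outputs above, and checks that every flow involving the server is bound to the VFP interface and is translated only between the real IP 10.131.26.194 and the fake IP 172.16.1.245, which is exactly what the hidden-server design requires. The whitespace-separated column layout, the dataclass names and the check_hidden_server function are assumptions of this example.

```python
"""Parse VRA 5600 'show nat ... translations' and 'show session table' output
and check that a hidden server's flows are bound to the VFP interface and
translated only between its real and its fake (advertised) address.
Added example; the column layout is assumed from the outputs on the page."""
import re
from dataclasses import dataclass

# Constructed sample output, shaped like the use-case 1 and use-case 2
# verification output (columns are whitespace-separated).
SNAT_OUTPUT = """\
Pre-NAT              Post-NAT             Prot   Timeout
10.131.26.194:1      172.16.1.245:1       icmp   60
"""
DNAT_OUTPUT = """\
Pre-NAT              Post-NAT             Prot   Timeout
172.16.1.245:6986    10.131.26.194:6986   icmp   54
"""
SESSION_OUTPUT = """\
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source              Destination         Protocol     TIMEOUT  Intf  Parent
3        10.131.26.194:1     13.13.13.13:1       icmp [1] ES  15       vfp0  0
4        13.13.13.13:6986    172.16.1.245:6986   icmp [1] ES  33       vfp0  0
"""

@dataclass
class Translation:
    pre: str       # "ip:port" before NAT
    post: str      # "ip:port" after NAT
    proto: str
    timeout: int

@dataclass
class Session:
    conn_id: int
    src: str       # pre-NAT source "ip:port", as the session table shows it
    dst: str
    proto: str
    state: str
    intf: str      # interface the session is bound to

_TRANS = re.compile(r"^(\S+:\d+)\s+(\S+:\d+)\s+(\w+)\s+(\d+)$")
_SESS = re.compile(
    r"^(\d+)\s+(\S+:\d+)\s+(\S+:\d+)\s+(\w+)\s+\[\d+\]\s+(\w+)\s+\d+\s+(\S+)\s+\d+$")

def parse_translations(text):
    """Header and blank lines do not match the pattern and are skipped."""
    out = []
    for line in text.splitlines():
        m = _TRANS.match(line.strip())
        if m:
            out.append(Translation(m[1], m[2], m[3], int(m[4])))
    return out

def parse_sessions(text):
    out = []
    for line in text.splitlines():
        m = _SESS.match(line.strip())
        if m:
            out.append(Session(int(m[1]), m[2], m[3], m[4], m[5], m[6]))
    return out

def ip_of(endpoint):
    return endpoint.rsplit(":", 1)[0]

def check_hidden_server(sessions, snat, dnat, real_ip, fake_ip, vfp):
    """Return a list of problems; an empty list means every flow that touches
    the server sits on the VFP, outbound flows are SNATed to the fake IP and
    inbound flows to the fake IP are DNATed to the real IP."""
    problems = []
    snat_pre = {t.pre for t in snat}
    dnat_pre = {t.pre for t in dnat}
    for t in snat:
        if ip_of(t.pre) == real_ip and ip_of(t.post) != fake_ip:
            problems.append(f"SNAT maps {t.pre} to {t.post}, not to {fake_ip}")
    for t in dnat:
        if ip_of(t.pre) == fake_ip and ip_of(t.post) != real_ip:
            problems.append(f"DNAT maps {t.pre} to {t.post}, not to {real_ip}")
    for s in sessions:
        ends = (ip_of(s.src), ip_of(s.dst))
        if real_ip not in ends and fake_ip not in ends:
            continue                      # flow unrelated to the server
        if s.intf != vfp:
            problems.append(f"session {s.conn_id} is bound to {s.intf}, expected {vfp}")
        if ip_of(s.src) == real_ip and s.src not in snat_pre:
            problems.append(f"session {s.conn_id}: no SNAT entry hides {s.src}")
        if ip_of(s.dst) == fake_ip and s.dst not in dnat_pre:
            problems.append(f"session {s.conn_id}: no DNAT entry for {s.dst}")
    return problems

if __name__ == "__main__":
    found = check_hidden_server(parse_sessions(SESSION_OUTPUT),
                                parse_translations(SNAT_OUTPUT),
                                parse_translations(DNAT_OUTPUT),
                                "10.131.26.194", "172.16.1.245", "vfp0")
    print(found or "server hidden: all flows on vfp0 and translated")
```

A session bound to any interface other than the VFP, or a server-sourced session with no matching SNAT entry, is reported; the first is the 5.2 failure mode the page describes (return traffic leaving on the wire untranslated and unencrypted), the second is what a leaked real server address looks like in the tables.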

USE-CASE-4 ( Traffic Moving B/W Server & Client Using VFP as IP unnumbered )

set interfaces loopback lo1 address '169.254.1.1/24'
set interfaces virtual-feature-point vfp0 ip unnumbered donor-interface lo1 preferred-address '169.254.1.1'

Note: 169.254.0.0/16 is the "link local" block; it is allocated for communication between hosts on a single link (https://tools.ietf.org/html/rfc3330).

vyatta@mexico1v56-18:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205
    State  Encrypt  Hash  D-H Grp  A-Time  L-Time  IKEv
    -----  -------  ----  -------  ------  ------  ----
    up     3des     sha1  5        0       28800   1

vyatta@mexico1v56-18:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205
    Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
    ------  --  -----  ------------  -------  ----  --  ------  ------
    0       1   up     492.0/492.0   3des     sha1  5   19949   3600

vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT                Post-NAT               Prot   Timeout
10.131.26.194:1        172.16.1.245:1         icmp   53

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT                Post-NAT               Prot   Timeout

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source               Destination          Protocol     TIMEOUT  Intf  Parent
1        10.131.26.194:1      13.13.13.13:1        icmp [1] ES  47       vfp0  0

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source               Destination          Protocol     TIMEOUT  Intf  Parent
2        13.13.13.13:19122    172.16.1.245:19122   icmp [1] ES  55       vfp0  0

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT                Post-NAT               Prot   Timeout

USE-CASE-5 ( Traffic B/W Server & 2 Remote Clients Using Separate S-S VFP Interfaces as IP unnumbered )

VPN configuration commands

set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des'
set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1'
set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des'
set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1'
set security vpn ipsec nat-traversal 'enable'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication id '169.57.91.205'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 50.23.185.52 authentication remote-id '50.23.185.52'
set security vpn ipsec site-to-site peer 50.23.185.52 connection-type 'respond'
set security vpn ipsec site-to-site peer 50.23.185.52 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 50.23.185.52 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 50.23.185.52 local-address '169.57.91.205'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 remote prefix '6.6.6.0/24'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 uses 'vfp1'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication id '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication pre-shared-secret '********'
set security vpn ipsec site-to-site peer 184.173.51.133 authentication remote-id '184.173.51.133'
set security vpn ipsec site-to-site peer 184.173.51.133 connection-type 'initiate'
set security vpn ipsec site-to-site peer 184.173.51.133 default-esp-group 'NETORC_ESP_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 ike-group 'NETORC_IKE_GROUP'
set security vpn ipsec site-to-site peer 184.173.51.133 local-address '169.57.91.205'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-nat-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 allow-public-networks 'disable'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 remote prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 uses 'vfp0'

PBR (Policy Based Routing)

set interfaces bonding dp0bond0 vif 790 policy route pbr 'VFP0-DNAT'
set policy route pbr VFP0-DNAT rule 10 action 'accept'
set policy route pbr VFP0-DNAT rule 10 address-family 'ipv4'
set policy route pbr VFP0-DNAT rule 10 destination address '13.13.13.0/24'
set policy route pbr VFP0-DNAT rule 10 source address '10.131.26.192/26'
set policy route pbr VFP0-DNAT rule 10 table '50'
set policy route pbr VFP0-DNAT rule 20 action 'accept'
set policy route pbr VFP0-DNAT rule 20 address-family 'ipv4'
set policy route pbr VFP0-DNAT rule 20 destination address '6.6.6.0/24'
set policy route pbr VFP0-DNAT rule 20 source address '10.131.26.192/26'
set policy route pbr VFP0-DNAT rule 20 table '60'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'
set protocols static table 60 interface-route 6.6.6.0/24 next-hop-interface 'vfp1'

SNAT & DNAT

set service nat destination rule 10 destination address '172.16.1.245'
set service nat destination rule 10 inbound-interface 'vfp0'
set service nat destination rule 10 source address '13.13.13.13'
set service nat destination rule 10 translation address '10.131.26.194'
set service nat destination rule 20 destination address '172.16.1.245'
set service nat destination rule 20 inbound-interface 'vfp1'
set service nat destination rule 20 source address '6.6.6.6'
set service nat destination rule 20 translation address '10.131.26.194'
set service nat source rule 10 description 'SERVER-Client'
set service nat source rule 10 destination address '13.13.13.13'
set service nat source rule 10 outbound-interface 'vfp0'
set service nat source rule 10 source address '10.131.26.194'
set service nat source rule 10 translation address '172.16.1.245'
set service nat source rule 30 description 'SERVER-Client-Seattle'
set service nat source rule 30 destination address '6.6.6.6'
set service nat source rule 30 outbound-interface 'vfp1'
set service nat source rule 30 source address '10.131.26.194'
set service nat source rule 30 translation address '172.16.1.245'

Protocols configuration commands

set interfaces loopback lo2 address '169.254.2.1/24'
set interfaces virtual-feature-point vfp1 ip unnumbered donor-interface lo2 preferred-address '169.254.2.1'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'
set protocols static table 60 interface-route 6.6.6.0/24 next-hop-interface 'vfp1'

vyatta@mexico1v56-18:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
50.23.185.52                            169.57.91.205
    Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
    ------  --  -----  ------------  -------  ----  --  ------  ------
    0       2   up     4.2K/4.2K     3des     sha1  5   19281   3600

Peer ID / IP                            Local ID / IP
------------                            -------------
184.173.51.133                          169.57.91.205
    Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
    ------  --  -----  ------------  -------  ----  --  ------  ------
    0       1   up     4.0K/4.0K     3des     sha1  5   19284   3600

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source               Destination          Protocol     TIMEOUT  Intf  Parent
12       10.131.26.194:3      6.6.6.6:3            icmp [1] ES  42       vfp1  0

vyatta@mexico1v56-18:~$ show nat source translations
Pre-NAT                Post-NAT               Prot   Timeout
10.131.26.194:3        172.16.1.245:3         icmp   27

vyatta@mexico1v56-18:~$ show nat destination translations
Pre-NAT                Post-NAT               Prot   Timeout
172.16.1.245:23998     10.131.26.194:23998    icmp   60
172.16.1.245:28948     10.131.26.194:28948    icmp   60

vyatta@mexico1v56-18:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
CONN ID  Source               Destination          Protocol     TIMEOUT  Intf  Parent
10       13.13.13.13:23998    172.16.1.245:23998   icmp [1] ES  60       vfp0  0
11       6.6.6.6:28948        172.16.1.245:28948   icmp [1] ES  60       vfp1  0

vyatta@mexico1v56-18:~$ show conf

Best Practice for Using Virtual Feature Point Interface in S-S IPsec VPN

1. With multiple site-to-site IPsec VPNs with DNAT, to a single remote site or to different ones, is a common VFP interface needed or a separate one per tunnel?
   a. According to AT&T Engineering, the same vfpX interface can be used on multiple tunnels with the same or different peers. However, this introduces unwanted complexity; as a best practice it is easier to differentiate the tunnels with separate vfpX numbers.
   b. The second major advantage of a separate vfpX interface per tunnel is firewalling: it gives more control and flexibility to apply firewall rules that block or allow traffic per remote peer. In a nutshell, use a unique vfp per IPsec tunnel, and prefer the 'ip unnumbered' command on the vfp to the 'address' command.
2. Are PBR (policy-based routing) and static routes both required in a VFP-based site-to-site IPsec VPN? Either PBR or static routes can be used to direct traffic to the VFP interface, but AT&T engineering recommends PBR as the less complex option.
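The best practices above can be turned into a configuration check that runs over the "set ..." lines before they are committed. The Python linter below is an added example, not part of the original document and not an AT&T or Brocade tool. It parses a constructed configuration modelled on use-case 5, into which two mistakes have been planted (vfp0 carries an 'address' instead of 'ip unnumbered', and a NAT rule points at a vfp2 that no tunnel uses), and reports: tunnels that lack "uses vfpN" (so NAT, firewall and PBR cannot be applied to them), a VFP shared by several tunnels, a VFP configured with 'address' rather than 'ip unnumbered', NAT rules bound to a VFP no tunnel uses, and static interface-routes to a VFP where no PBR policy exists. The function names, the finding strings and the sample configuration are assumptions of this example.

```python
"""Lint VRA 5600 'set ...' configuration lines against the VFP best practices
stated on the page. Added example; the checks and messages are this example's
own, not an AT&T or Brocade tool."""
import shlex
from collections import defaultdict

# Constructed sample, modelled on the use-case 5 configuration on the page,
# with two deliberate mistakes: vfp0 carries an 'address', and NAT rule 30
# references vfp2, which no IPsec tunnel uses.
SAMPLE_CONFIG = """
set interfaces virtual-feature-point vfp0 address '172.16.10.2/30'
set interfaces loopback lo2 address '169.254.2.1/24'
set interfaces virtual-feature-point vfp1 ip unnumbered donor-interface lo2 preferred-address '169.254.2.1'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 remote prefix '13.13.13.0/24'
set security vpn ipsec site-to-site peer 184.173.51.133 tunnel 0 uses 'vfp0'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 local prefix '172.16.1.245/32'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 remote prefix '6.6.6.0/24'
set security vpn ipsec site-to-site peer 50.23.185.52 tunnel 0 uses 'vfp1'
set service nat destination rule 10 inbound-interface 'vfp0'
set service nat destination rule 10 translation address '10.131.26.194'
set service nat destination rule 20 inbound-interface 'vfp1'
set service nat destination rule 30 inbound-interface 'vfp2'
set service nat source rule 10 outbound-interface 'vfp0'
set service nat source rule 30 outbound-interface 'vfp1'
set protocols static table 50 interface-route 0.0.0.0/0 next-hop-interface 'vfp0'
set policy route pbr VFP0-DNAT rule 10 table '50'
"""

def parse_config(text):
    """Extract only the facts the checks need from 'set' lines."""
    tunnels = {}            # (peer, tunnel id) -> vfp name or None
    vfp_mode = {}           # vfp name -> 'address' | 'unnumbered'
    nat_ifaces = []         # (rule label, interface)
    static_to_vfp = set()   # vfps that static interface-routes point at
    has_pbr = False
    for raw in text.splitlines():
        tok = shlex.split(raw)      # handles the quoted values
        if not tok or tok[0] != "set":
            continue
        if tok[1:5] == ["security", "vpn", "ipsec", "site-to-site"] and "tunnel" in tok:
            i = tok.index("tunnel")
            key = (tok[6], tok[i + 1])
            tunnels.setdefault(key, None)
            if tok[i + 2:i + 3] == ["uses"]:
                tunnels[key] = tok[i + 3]
        elif tok[1:3] == ["interfaces", "virtual-feature-point"] and len(tok) > 4:
            if tok[4] == "address":
                vfp_mode[tok[3]] = "address"
            elif tok[4:6] == ["ip", "unnumbered"]:
                vfp_mode[tok[3]] = "unnumbered"
        elif tok[1:3] == ["service", "nat"] and len(tok) > 7 \
                and tok[6] in ("inbound-interface", "outbound-interface"):
            nat_ifaces.append((f"{tok[3]} rule {tok[5]}", tok[7]))
        elif tok[1:3] == ["protocols", "static"] and "next-hop-interface" in tok:
            iface = tok[tok.index("next-hop-interface") + 1]
            if iface.startswith("vfp"):
                static_to_vfp.add(iface)
        elif tok[1:4] == ["policy", "route", "pbr"]:
            has_pbr = True
    return tunnels, vfp_mode, nat_ifaces, static_to_vfp, has_pbr

def lint_vfp_config(text):
    """Return sorted findings; an empty list means the config follows the practices."""
    tunnels, vfp_mode, nat_ifaces, static_to_vfp, has_pbr = parse_config(text)
    findings = []
    users = defaultdict(list)       # vfp -> tunnels that use it
    for (peer, tid), vfp in tunnels.items():
        if vfp is None:
            findings.append(f"ERROR peer {peer} tunnel {tid}: no 'uses vfpN'; "
                            "NAT/firewall/PBR cannot be applied to this tunnel")
        else:
            users[vfp].append(f"{peer}/{tid}")
    for vfp, owners in users.items():
        if len(owners) > 1:
            findings.append(f"WARN {vfp}: shared by tunnels {', '.join(owners)}; "
                            "use one VFP per tunnel")
        if vfp_mode.get(vfp) == "address":
            findings.append(f"WARN {vfp}: configured with 'address'; "
                            "prefer 'ip unnumbered donor-interface'")
        elif vfp not in vfp_mode:
            findings.append(f"ERROR {vfp}: used by a tunnel but not defined "
                            "under interfaces virtual-feature-point")
    for rule, iface in nat_ifaces:
        if iface.startswith("vfp") and iface not in users:
            findings.append(f"ERROR nat {rule}: references {iface}, which no IPsec tunnel uses")
    if static_to_vfp and not has_pbr:
        findings.append("INFO static interface-routes steer traffic to "
                        f"{', '.join(sorted(static_to_vfp))}; PBR is the recommended method")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_vfp_config(SAMPLE_CONFIG):
        print(finding)
```

Feeding the linter the output of "show configuration commands" before a commit catches the two mistakes planted in the sample; on a configuration that follows the practices (one 'ip unnumbered' VFP per tunnel, NAT rules bound only to those VFPs, PBR steering traffic into them) it returns nothing.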

Virtual Feature Point Flow Diagram

References

https://github.com/nebosworth/ipsec_pbr_nat_workaround_5600

Created by Syed Faizullah, Director Network Solutions Engineering, Wanclouds Inc
E: fsyed@wanclouds.net
Web: www.wanclouds.net