Solved

DHCP, QOS, NAT over Vyatta IPSec VPN

Posted on 2010-09-08
Last Modified: 2012-05-10
I have built a site to site VPN using VC6, and need to do the following things over it:

Provide DHCP to local subnets on both sides (currently 192.168.0.0 and 192.168.10.0)
Configure QOS for our IP PBX
NAT everything properly

Here's the config for my West device:

firewall {
     /* Empty rule set with default-action accept: it filters nothing. It is also not referenced under any interface in this config, so the public eth0 addresses are unfiltered. */
     name mplsFW {
         default-action accept
     }
 }
 interfaces {
     /* Public-facing interface: the whole /28 is bound here. No firewall rule set is attached (no firewall in/out/local node), so inbound traffic to these addresses is not filtered. */
     ethernet eth0 {
         address xxx.xxx.236.18/28
         address xxx.xxx.236.19/28
         address xxx.xxx.236.20/28
		 address xxx.xxx.236.21/28
		 address xxx.xxx.236.22/28
		 address xxx.xxx.236.23/28
		 address xxx.xxx.236.24/28
		 address xxx.xxx.236.25/28
		 address xxx.xxx.236.26/28
		 address xxx.xxx.236.27/28
		 address xxx.xxx.236.28/28
		 address xxx.xxx.236.29/28
		 address xxx.xxx.236.30/28
         hw-id xx:xx:xx:xx:xx:60
     }
     /* LAN side; this is the local-subnet of the IPsec tunnel and the source range of NAT rule 5. */
     ethernet eth1 {
         address 192.168.0.1/24
         hw-id xx:xx:xx:xx:xx:61
     }
     loopback lo {
     }
 }
 service {
     /* NOTE(review): neither https nor ssh has a listen-address, so both are presumably reachable on the public eth0 addresses as well as the LAN -- confirm, and bind or filter them. */
     https
     nat {
         /* Masquerade LAN traffic leaving eth0, except traffic for the remote VPN subnet: the "!" exclusion is what keeps tunnel traffic un-NATed. */
         rule 5 {
             destination {
                 address !192.168.10.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.0.0/24
             }
             type masquerade
         }
     }
     snmp {
         /* Community string is config data; it is readable in this posted file. SNMP itself only listens on the LAN address below. */
         community snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network yyy.yyy.229.144/29
         }
         listen-address 192.168.0.1 {
         }
     }
     ssh {
         port 22
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address xxx.xxx.236.17
     host-name mplsvta
     login {
         /* Single account using the stock "vyatta" user name. The password hash is part of this file: treat the config as sensitive and rotate the password after sharing it. */
         user vyatta {
             authentication {
                 encrypted-password yyysCS7JOH4$IxxxyyyJuNXdLaGaoxxx
             }
         }
     }
     name-server xxx.xxx.xxx.10
     name-server xxx.xxx.xxx.20
     ntp-server 0.vyatta.pool.ntp.org
     package {
         /* auto-sync 1: package lists are refreshed automatically from the repository below, which is reached over plain http. */
         auto-sync 1
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             /* Routing/IPsec protocol messages at debug level; useful while bringing the tunnel up, noisy afterwards. */
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         esp-group ESP-mpls1 {
             compression disable
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             /* Legacy fallback: 3DES with MD5. The East peer offers the same aes256 proposal 1, so this appears to exist only for interoperability; remove it unless something requires it. */
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-mpls1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer yyy.yyy.229.145 {
                 authentication {
                     /* Mode is PSK, so the rsa-key-name below presumably has no effect here -- confirm. The pre-shared secret is printed in clear in this posted config and is identical on both peers: rotate it. */
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name ltlc.key
                 }
                 description yyyTunnel
                 ike-group IKE-mpls1
                 /* NOTE(review): local-ip should be one of eth0's addresses; the masked prefix here (yyy) differs from eth0's (xxx) -- likely a redaction artifact, verify. */
                 local-ip yyy.yyy.236.18
                 tunnel 1 {
                     /* Only 192.168.0.0/24 <-> 192.168.10.0/24 is protected; NAT rule 5 excludes exactly this destination. */
                     allow-nat-networks disable
                     esp-group ESP-mpls1
                     local-subnet 192.168.0.0/24
                     remote-subnet 192.168.10.0/24
                 }
             }
         }
     }
     rsa-keys {
         /* Presumably the East peer's public key (named after host ltlcvta); only used if authentication is switched away from pre-shared-secret. */
         rsa-key-name ltlc.key {
             rsa-key 0sAQNrF8VGmBZeV5jX6b76MC+1Ctf+EpBwYEkWX9C+aaaF1ZaE0gj6KLbJml6MZwzcr6sSoQcwEY4wVDuTjxDOL7trzFJYWUl+t3ujkAIX+UERkryKnNRpiftPQuvrqa2EtJ3I3lhQ9RTRgPzo3FuEDSDrqaYtyO69h2jNRzpmnMd4+aCLZgAcj2UeSNN/una7gv5ztsmFs9jN06SIxAXwtey4GCTCtbO7jZTZWDDG8t6te3fhm9Ty6QT22emLvptAz9ZqyMuqW+AfDzOFXN/ScQ5CdV3PEvnQdEGMCUx3qJ24ABogwhP/ggzhtnvvWcp0PsnHS/kPALoML50k3IpL9apoOUgEhAcL0soMNI34PuW
         }
     }
 }
[edit]



And the East :

firewall {
     /* Empty rule set with default-action accept: it filters nothing, and no interface in this config references it, so the public eth0 addresses are unfiltered. */
     name ltlcFW {
         default-action accept
     }
 }
 interfaces {
     /* Public-facing interface; no firewall rule set is attached, so inbound traffic to these addresses is not filtered. */
     ethernet eth0 {
         address yyy.yyy.229.145/29
         address yyy.yyy.229.146/29
         address yyy.yyy.229.147/29
         address yyy.yyy.229.148/29
         address yyy.yyy.229.149/29
         hw-id yy:yy:yy:yy:yy:01
     }
     /* LAN side; local-subnet of the IPsec tunnel and source range of NAT rule 5. */
     ethernet eth1 {
         address 192.168.10.1/24
         hw-id yy:yy:yy:yy:yy:93
     }
     loopback lo {
     }
 }
 service {
     /* NOTE(review): https and ssh have no listen-address, so they are presumably reachable on the public eth0 addresses too -- confirm, and bind or filter them. */
     https
     nat {
         /* Masquerade LAN traffic leaving eth0, except traffic for the remote VPN subnet, which must traverse the tunnel un-NATed. */
         rule 5 {
             destination {
                 address !192.168.0.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.10.0/24
             }
             type masquerade
         }
     }
     snmp {
         /* Community string is readable in this posted file; SNMP only listens on the LAN address below. */
         community openip.snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network xxx.xxx.236.16/28
         }
         listen-address 192.168.10.1 {
         }
     }
     ssh {
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address yyy.yyy.229.150
     host-name ltlcvta
     login {
         /* Single account using the stock "vyatta" user name; the password hash below is sensitive config data -- rotate after sharing this file. */
         user vyatta {
             authentication {
                 encrypted-password yyyPQ6Nd06D$ZxxxyyyE0fRHIZ2lNxxx
             }
         }
     }
     /* The same resolver is listed twice; there is no secondary. */
     name-server yyy.yyy.yyy.130
     name-server yyy.yyy.yyy.130
     ntp-server 0.vyatta.pool.ntp.org
     package {
         /* Repository is reached over plain http. */
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             /* Protocol messages at debug level; noisy once the tunnel is stable. */
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         esp-group ESP-ltlc1 {
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             /* Legacy fallback: 3DES with MD5. The West peer offers the same aes256 proposal 1; remove this unless interoperability requires it. */
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-ltlc1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer xxx.xxx.236.18 {
                 authentication {
                     /* Mode is PSK, so the rsa-key-name below presumably has no effect -- confirm. The pre-shared secret is in clear in this posted config and identical on both peers: rotate it. */
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name mpls.key
                 }
                 ike-group IKE-ltlc1
                 local-ip yyy.yyy.229.145
                 /* Mirror of the West tunnel. allow-nat-networks is not set here while West sets it to disable; confirm the two sides agree. */
                 tunnel 1 {
                     esp-group ESP-ltlc1
                     local-subnet 192.168.10.0/24
                     remote-subnet 192.168.0.0/24
                 }
             }
         }
     }
     rsa-keys {
         /* Presumably the West peer's public key (named after host mplsvta); unused while authentication mode is pre-shared-secret. */
         rsa-key-name mpls.key {
             rsa-key 0sAQOGvfcwdIkH8lcHigqYdW6qa0RxgBW1jev366aS1Dvlx7+LpYfxrPRkFKxeJLKSDxjkISqXpO0EUbQQ4ihZNzKqjKIUNnA/ZyStmGGBQ0UQqQBH3WrJmHWz4ES3fbLvGeaqD1lS+YM2Hvebc/qJ2FlXilsYgvh6AOZEdIqf99NOpJvIU+NPyh8WubqaPXsWRdSR11KZjpgwNv1aWNHFtN9JWNODa54RcP0LyB13swRueYKZNtbBMgcvnghaVMPYeg5dmqey/RDwl/qCYlLxHUbRUp+hZyUIc12Icgm5yaBaNIafgoaX0AJOeh5C585uouylY4Ga/nz2nZKIOkcrha1ndRRIdFEVnGrqIdZT9NtCuTMZ
         }
     }
 }
[edit]



Right now I can ping devices on either side of the VPN, but can't access HTTP on local machines (I have a webserver on 192.168.0.5 that 192.168.10.10 can ping, but can't browse to).  Attached is an image of how I need it to work.  Ideally, I'd like the router at 192.168.0.1 to serve DHCP for 192.168.10.0.  As for QoS, if 60% of the bandwidth were reserved for voice, that would be ideal.  Not sure how to do ToS with Vyatta.  I have SIP trunks coming from the 192.168.0.0 network.  Am I close, or is this unattainable?


 


Thanks!
Untitleddrawing.png
Question by:lorsungcu
7 Comments
 

Expert Comment

by:pwindell
ID: 33692020
NAT would break everything else — do not apply NAT to traffic that crosses the VPN.

DHCP would be handled by configuring IP helper addresses (DHCP relay) on the Vyatta VPN routers, if they support it; otherwise you would need an independent DHCP server on each "side".

QoS would just be subject to whatever the Vyatta devices are capable of.  VPN is not a "high performer",...yours is only going to run at 6 Mbps because the VPN speed will "lock in" at the slowest part of the path.  Running VoIP is probably a bad idea if that is what the QoS is being considered for.  QoS is not going to make the VPN faster; it is only going to prioritize the VoIP over everything else,...which may make everything else too slow and undependable (just my opinion),...and at our place our "everything else" is more important than voice calls.  

If it were me, the VoIP system at each location would be independent (an IP-PBX at each location),...VoIP would never leave the physical site,... and phone calls between the two locations would go over the public telephone system rather than VoIP.   We are a conglomerate of television stations, newspapers, and cable TV facilities, and that is how we do ours.  The VoIP system at each facility is completely independent of the others, so we do not use the "network" (via VPN) to carry phone calls between the facilities.

That is my 2 cents.  What you do with that is up to you.

Author Comment

by:lorsungcu
ID: 33695022
Routing voice calls out our respective ISPs is handled separately.  I realize there is no NAT over the VPN; I meant on either of the internet-facing interfaces.  I don't think we can saturate 6 Mb with voice calls.  I do think we can saturate it with file transfers and such, though.  Thus prioritizing bandwidth for voice (you know, the thing customers call to buy things) would make sense.

Thanks for the input, but I need actual vyatta advice.

Expert Comment

by:pwindell
ID: 33695442
Thanks for the input, but I need actual vyatta advice.
Then you should contact their product support for that.  I'm not saying you won't "get lucky" and run across someone around here who knows,...but that is what it would be,..."luck".

Accepted Solution

by:
Ross-C earned 500 total points
ID: 33808088
I have a very similar setup with 2  vyatta clusters at each side.

To prioritise the traffic over the VPN you can do it as the traffic enters the LAN interface, before it leaves the network; see page 6 of the attached PDF.  As for the websites, it is because the router(s)' NAT configuration is expecting the requests on the external interface and not the internal one.  Apparently setting this up is called NAT hairpinning.  As a workaround I created local DNS entries for the webserver domains pointing to the local IP addresses.

Vyatta-QoSRef-R6.1-v02.pdf

Expert Comment

by:Ross-C
ID: 33808128
Also, this guy's blog was really useful to me in getting started with Vyatta.

http://roggyblog.blogspot.com/2009/12/setting-up-vyatta-cluster-with-vrrp-and.html

The link above covers the vpn and nat really well

Author Closing Comment

by:lorsungcu
ID: 33808792
Thanks, that's all I needed to know.  Ended up doing something else, but in the future, this will be helpful!

Author Comment

by:lorsungcu
ID: 33808804
Yeah, I've read his stuff.  Really knowledgeable guy.