
DHCP, QOS, NAT over Vyatta IPSec VPN

I have built a site-to-site VPN using VC6 and need to do the following things over it:

Provide DHCP to local subnets on both sides (currently 192.168.0.0 and 192.168.10.0)
Configure QOS for our IP PBX
NAT everything properly

Here's the config for my West device:

firewall {
     name mplsFW {
         default-action accept
     }
 }
 interfaces {
     ethernet eth0 {
         address xxx.xxx.236.18/28
         address xxx.xxx.236.19/28
         address xxx.xxx.236.20/28
		 address xxx.xxx.236.21/28
		 address xxx.xxx.236.22/28
		 address xxx.xxx.236.23/28
		 address xxx.xxx.236.24/28
		 address xxx.xxx.236.25/28
		 address xxx.xxx.236.26/28
		 address xxx.xxx.236.27/28
		 address xxx.xxx.236.28/28
		 address xxx.xxx.236.29/28
		 address xxx.xxx.236.30/28
         hw-id xx:xx:xx:xx:xx:60
     }
     ethernet eth1 {
         address 192.168.0.1/24
         hw-id xx:xx:xx:xx:xx:61
     }
     loopback lo {
     }
 }
 service {
     https
     nat {
         rule 5 {
             destination {
                 address !192.168.10.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.0.0/24
             }
             type masquerade
         }
     }
     snmp {
         community snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network yyy.yyy.229.144/29
         }
         listen-address 192.168.0.1 {
         }
     }
     ssh {
         port 22
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address xxx.xxx.236.17
     host-name mplsvta
     login {
         user vyatta {
             authentication {
                 encrypted-password yyysCS7JOH4$IxxxyyyJuNXdLaGaoxxx
             }
         }
     }
     name-server xxx.xxx.xxx.10
     name-server xxx.xxx.xxx.20
     ntp-server 0.vyatta.pool.ntp.org
     package {
         auto-sync 1
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         esp-group ESP-mpls1 {
             compression disable
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-mpls1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer yyy.yyy.229.145 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name ltlc.key
                 }
                 description yyyTunnel
                 ike-group IKE-mpls1
                 local-ip yyy.yyy.236.18
                 tunnel 1 {
                     allow-nat-networks disable
                     esp-group ESP-mpls1
                     local-subnet 192.168.0.0/24
                     remote-subnet 192.168.10.0/24
                 }
             }
         }
     }
     rsa-keys {
         rsa-key-name ltlc.key {
             rsa-key 0sAQNrF8VGmBZeV5jX6b76MC+1Ctf+EpBwYEkWX9C+aaaF1ZaE0gj6KLbJml6MZwzcr6sSoQcwEY4wVDuTjxDOL7trzFJYWUl+t3ujkAIX+UERkryKnNRpiftPQuvrqa2EtJ3I3lhQ9RTRgPzo3FuEDSDrqaYtyO69h2jNRzpmnMd4+aCLZgAcj2UeSNN/una7gv5ztsmFs9jN06SIxAXwtey4GCTCtbO7jZTZWDDG8t6te3fhm9Ty6QT22emLvptAz9ZqyMuqW+AfDzOFXN/ScQ5CdV3PEvnQdEGMCUx3qJ24ABogwhP/ggzhtnvvWcp0PsnHS/kPALoML50k3IpL9apoOUgEhAcL0soMNI34PuW
         }
     }
 }
[edit]

And the East:

firewall {
     name ltlcFW {
         default-action accept
     }
 }
 interfaces {
     ethernet eth0 {
         address yyy.yyy.229.145/29
         address yyy.yyy.229.146/29
         address yyy.yyy.229.147/29
         address yyy.yyy.229.148/29
         address yyy.yyy.229.149/29
         hw-id yy:yy:yy:yy:yy:01
     }
     ethernet eth1 {
         address 192.168.10.1/24
         hw-id yy:yy:yy:yy:yy:93
     }
     loopback lo {
     }
 }
 service {
     https
     nat {
         rule 5 {
             destination {
                 address !192.168.0.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.10.0/24
             }
             type masquerade
         }
     }
     snmp {
         community openip.snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network xxx.xxx.236.16/28
         }
         listen-address 192.168.10.1 {
         }
     }
     ssh {
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address yyy.yyy.229.150
     host-name ltlcvta
     login {
         user vyatta {
             authentication {
                 encrypted-password yyyPQ6Nd06D$ZxxxyyyE0fRHIZ2lNxxx
             }
         }
     }
     name-server yyy.yyy.yyy.130
     name-server yyy.yyy.yyy.130
     ntp-server 0.vyatta.pool.ntp.org
     package {
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         esp-group ESP-ltlc1 {
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-ltlc1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer xxx.xxx.236.18 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name mpls.key
                 }
                 ike-group IKE-ltlc1
                 local-ip yyy.yyy.229.145
                 tunnel 1 {
                     esp-group ESP-ltlc1
                     local-subnet 192.168.10.0/24
                     remote-subnet 192.168.0.0/24
                 }
             }
         }
     }
     rsa-keys {
         rsa-key-name mpls.key {
             rsa-key 0sAQOGvfcwdIkH8lcHigqYdW6qa0RxgBW1jev366aS1Dvlx7+LpYfxrPRkFKxeJLKSDxjkISqXpO0EUbQQ4ihZNzKqjKIUNnA/ZyStmGGBQ0UQqQBH3WrJmHWz4ES3fbLvGeaqD1lS+YM2Hvebc/qJ2FlXilsYgvh6AOZEdIqf99NOpJvIU+NPyh8WubqaPXsWRdSR11KZjpgwNv1aWNHFtN9JWNODa54RcP0LyB13swRueYKZNtbBMgcvnghaVMPYeg5dmqey/RDwl/qCYlLxHUbRUp+hZyUIc12Icgm5yaBaNIafgoaX0AJOeh5C585uouylY4Ga/nz2nZKIOkcrha1ndRRIdFEVnGrqIdZT9NtCuTMZ
         }
     }
 }
[edit]

Right now I can ping devices on either side of the VPN, but I can't access HTTP on local machines (I have a web server on 192.168.0.5 that 192.168.10.10 can ping but can't browse to). Attached is an image of how I need it to work. Ideally, I'd like the router at 192.168.0.1 to serve DHCP for 192.168.10.0. As for QoS, if 60% of the bandwidth were reserved for voice, that would be ideal. I'm not sure how to set ToS with Vyatta. I have SIP trunks coming from the 192.168.0.0 network. Am I close, or is this unattainable?


 


Thanks!
Untitleddrawing.png