Solved

DHCP, QOS, NAT over Vyatta IPSec VPN

Posted on 2010-09-08
Last Modified: 2012-05-10
I have built a site-to-site IPsec VPN between two Vyatta Community Edition 6 (VC6) routers, and need to do the following things over it:

Provide DHCP to the local subnets on both sides (currently 192.168.0.0/24 and 192.168.10.0/24)
Configure QoS for our IP PBX
NAT Internet-bound traffic properly on the outside interfaces (but not the traffic that crosses the VPN)

Here's the config for my West device (mplsvta). Public addresses and password hashes are redacted with xxx/yyy:

/* West router (mplsvta) as posted. Public addresses and password hashes are redacted (xxx/yyy), but the IPsec pre-shared secret and the SNMP community below are shown verbatim and must be treated as disclosed. */
firewall {
     /* NOTE(review): this ruleset is defined but never attached to an interface (no firewall in/out/local node under eth0 or eth1 below) and its default-action is accept, so it filters nothing. Attach a deny-by-default ruleset to eth0 (interfaces ethernet eth0 firewall in name <set>) permitting only established/related traffic plus ESP and UDP/500 (UDP/4500 if NAT-T is needed) from the peer. */
     name mplsFW {
         default-action accept
     }
 }
 interfaces {
     /* Internet-facing /28 (.17 is the gateway below). NOTE(review): the peer definition further down uses local-ip yyy.yyy.236.18 while these addresses are xxx.xxx.236.x — presumably a redaction slip, but local-ip must be one of the addresses configured here. */
     ethernet eth0 {
         address xxx.xxx.236.18/28
         address xxx.xxx.236.19/28
         address xxx.xxx.236.20/28
		 address xxx.xxx.236.21/28
		 address xxx.xxx.236.22/28
		 address xxx.xxx.236.23/28
		 address xxx.xxx.236.24/28
		 address xxx.xxx.236.25/28
		 address xxx.xxx.236.26/28
		 address xxx.xxx.236.27/28
		 address xxx.xxx.236.28/28
		 address xxx.xxx.236.29/28
		 address xxx.xxx.236.30/28
         hw-id xx:xx:xx:xx:xx:60
     }
     /* LAN side; 192.168.0.1 is also the only SNMP listen address below. */
     ethernet eth1 {
         address 192.168.0.1/24
         hw-id xx:xx:xx:xx:xx:61
     }
     loopback lo {
     }
 }
 service {
     /* Web GUI enabled with no listen restriction visible here, so it is presumably reachable from eth0 as well — confirm, and restrict it to the LAN (firewall or listen-address, whichever this release supports). */
     https
     nat {
         /* Masquerade the LAN out of eth0. The negated destination is what keeps traffic for the remote VPN subnet un-NATed so it still matches the tunnel's local-subnet/remote-subnet; do not drop it. */
         rule 5 {
             destination {
                 address !192.168.10.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.0.0/24
             }
             type masquerade
         }
     }
     snmp {
         /* NOTE(review): community "snmp" is trivially guessable, travels in cleartext (v1/v2c) and is now public. The network ACL and LAN-only listen-address limit exposure; still use a long random community (or SNMPv3 if this release supports it). The yyy.yyy.229.144/29 entry is the East public block. */
         community snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network yyy.yyy.229.144/29
         }
         listen-address 192.168.0.1 {
         }
     }
     /* SSH on the default port with no source restriction in this config; protect it with the eth0 firewall and prefer key-based authentication. */
     ssh {
         port 22
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address xxx.xxx.236.17
     host-name mplsvta
     /* Only the default "vyatta" account exists; the hash is redacted in the post. */
     login {
         user vyatta {
             authentication {
                 encrypted-password yyysCS7JOH4$IxxxyyyJuNXdLaGaoxxx
             }
         }
     }
     name-server xxx.xxx.xxx.10
     name-server xxx.xxx.xxx.20
     ntp-server 0.vyatta.pool.ntp.org
     package {
         auto-sync 1
         /* Plain-HTTP package source; integrity presumably rests on repository signing — confirm that is enforced for this release. */
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             /* Debug-level protocol logging records IKE/IPsec negotiation detail and is noisy; drop it to notice once the tunnel is stable. */
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         /* proposal 1 sets no hash, so the release default applies (presumably sha1 — confirm). NOTE(review): proposal 2 (3des/md5) is a weak fallback; both peers are under the same control and offer aes256 first, so delete it to rule out a downgrade. */
         esp-group ESP-mpls1 {
             compression disable
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         /* No hash or dh-group is specified, so the release defaults apply (presumably sha1 / DH group 2 — confirm); no dead-peer-detection is configured. */
         ike-group IKE-mpls1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer yyy.yyy.229.145 {
                 /* NOTE(review): the PSK "s3kr33t" is short, dictionary-like and posted publicly — replace it on both peers with a long random string. rsa-key-name is presumably ignored while mode is pre-shared-secret; set mode rsa on both sides to use the keys instead. */
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name ltlc.key
                 }
                 description yyyTunnel
                 ike-group IKE-mpls1
                 local-ip yyy.yyy.236.18
                 /* allow-nat-networks is disabled here but not set at all on the East peer; keep the two tunnel definitions symmetric. */
                 tunnel 1 {
                     allow-nat-networks disable
                     esp-group ESP-mpls1
                     local-subnet 192.168.0.0/24
                     remote-subnet 192.168.10.0/24
                 }
             }
         }
     }
     /* The name suggests this is the East peer's public key (this node holds remote public keys; the local private key lives in the local-key file, not here). Public keys are safe to post. */
     rsa-keys {
         rsa-key-name ltlc.key {
             rsa-key 0sAQNrF8VGmBZeV5jX6b76MC+1Ctf+EpBwYEkWX9C+aaaF1ZaE0gj6KLbJml6MZwzcr6sSoQcwEY4wVDuTjxDOL7trzFJYWUl+t3ujkAIX+UERkryKnNRpiftPQuvrqa2EtJ3I3lhQ9RTRgPzo3FuEDSDrqaYtyO69h2jNRzpmnMd4+aCLZgAcj2UeSNN/una7gv5ztsmFs9jN06SIxAXwtey4GCTCtbO7jZTZWDDG8t6te3fhm9Ty6QT22emLvptAz9ZqyMuqW+AfDzOFXN/ScQ5CdV3PEvnQdEGMCUx3qJ24ABogwhP/ggzhtnvvWcp0PsnHS/kPALoML50k3IpL9apoOUgEhAcL0soMNI34PuW
         }
     }
 }
[edit]



And the East device (ltlcvta):

/* East router (ltlcvta) as posted. Public addresses and password hashes are redacted (xxx/yyy); the IPsec pre-shared secret and the SNMP community are shown verbatim and must be treated as disclosed. */
firewall {
     /* NOTE(review): defined but not attached to any interface (no firewall node under eth0 or eth1 below) and default-action accept, so nothing is filtered. Attach a deny-by-default ruleset to eth0 that permits only established/related traffic plus ESP and UDP/500 (UDP/4500 if NAT-T is needed) from the West peer. */
     name ltlcFW {
         default-action accept
     }
 }
 interfaces {
     /* Internet-facing /29; .145 is the local-ip used by the VPN peer definition below, .150 is the gateway. */
     ethernet eth0 {
         address yyy.yyy.229.145/29
         address yyy.yyy.229.146/29
         address yyy.yyy.229.147/29
         address yyy.yyy.229.148/29
         address yyy.yyy.229.149/29
         hw-id yy:yy:yy:yy:yy:01
     }
     /* LAN side; 192.168.10.1 is also the only SNMP listen address below. */
     ethernet eth1 {
         address 192.168.10.1/24
         hw-id yy:yy:yy:yy:yy:93
     }
     loopback lo {
     }
 }
 service {
     /* Web GUI enabled with no listen restriction visible here, so it is presumably reachable from eth0 as well — confirm, and restrict it to the LAN. */
     https
     nat {
         /* Masquerade the LAN out of eth0; the negated destination exempts traffic for the West subnet so it still matches the tunnel selectors. Mirror of West's rule 5. */
         rule 5 {
             destination {
                 address !192.168.0.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.10.0/24
             }
             type masquerade
         }
     }
     snmp {
         /* NOTE(review): the community string is posted verbatim and travels in cleartext (v1/v2c); rotate it. listen-address is LAN-only, so the xxx.xxx.236.16/28 (West public block) entry only matters if such sources can reach 192.168.10.1 at all. */
         community openip.snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network xxx.xxx.236.16/28
         }
         listen-address 192.168.10.1 {
         }
     }
     /* SSH enabled with no port set (release default, presumably 22) and no source restriction in this config; protect it with the eth0 firewall and prefer key-based authentication. */
     ssh {
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address yyy.yyy.229.150
     host-name ltlcvta
     /* Only the default "vyatta" account exists; the hash is redacted in the post. */
     login {
         user vyatta {
             authentication {
                 encrypted-password yyyPQ6Nd06D$ZxxxyyyE0fRHIZ2lNxxx
             }
         }
     }
     /* The same resolver is listed twice; either a redaction artifact or a copy/paste slip — a second, distinct name-server would give real redundancy. */
     name-server yyy.yyy.yyy.130
     name-server yyy.yyy.yyy.130
     ntp-server 0.vyatta.pool.ntp.org
     package {
         /* Plain-HTTP package source; integrity presumably rests on repository signing — confirm for this release. Unlike West, auto-sync is not set here. */
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             /* Debug-level protocol logging records IKE/IPsec negotiation detail; drop to notice once the tunnel is stable. */
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         /* Matches West's ESP-mpls1 except that compression is left unset here. proposal 1 sets no hash (release default, presumably sha1 — confirm). NOTE(review): proposal 2 (3des/md5) is a weak fallback; remove it on both peers to rule out a downgrade. */
         esp-group ESP-ltlc1 {
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         /* No hash or dh-group is specified, so the release defaults apply (presumably sha1 / DH group 2 — confirm); no dead-peer-detection is configured. */
         ike-group IKE-ltlc1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer xxx.xxx.236.18 {
                 /* NOTE(review): same PSK "s3kr33t" as West, now public — replace it on both peers with a long random string. rsa-key-name is presumably ignored while mode is pre-shared-secret; set mode rsa on both sides to use the keys instead. */
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name mpls.key
                 }
                 ike-group IKE-ltlc1
                 local-ip yyy.yyy.229.145
                 /* West sets allow-nat-networks disable on its tunnel 1; this side leaves it unset. Keep the two tunnel definitions symmetric. */
                 tunnel 1 {
                     esp-group ESP-ltlc1
                     local-subnet 192.168.10.0/24
                     remote-subnet 192.168.0.0/24
                 }
             }
         }
     }
     /* The name suggests this is the West peer's public key (remote public keys live here; the local private key is in the local-key file). Public keys are safe to post. */
     rsa-keys {
         rsa-key-name mpls.key {
             rsa-key 0sAQOGvfcwdIkH8lcHigqYdW6qa0RxgBW1jev366aS1Dvlx7+LpYfxrPRkFKxeJLKSDxjkISqXpO0EUbQQ4ihZNzKqjKIUNnA/ZyStmGGBQ0UQqQBH3WrJmHWz4ES3fbLvGeaqD1lS+YM2Hvebc/qJ2FlXilsYgvh6AOZEdIqf99NOpJvIU+NPyh8WubqaPXsWRdSR11KZjpgwNv1aWNHFtN9JWNODa54RcP0LyB13swRueYKZNtbBMgcvnghaVMPYeg5dmqey/RDwl/qCYlLxHUbRUp+hZyUIc12Icgm5yaBaNIafgoaX0AJOeh5C585uouylY4Ga/nz2nZKIOkcrha1ndRRIdFEVnGrqIdZT9NtCuTMZ
         }
     }
 }
[edit]



Right now I can ping devices on either side of the VPN, but can't reach HTTP on local machines (I have a web server on 192.168.0.5 that 192.168.10.10 can ping, but can't browse to). Attached is an image of how I need it to work. Ideally, I'd like the router at 192.168.0.1 to serve DHCP for 192.168.10.0/24 as well. As for QoS, reserving about 60% of the bandwidth for voice would be ideal; I'm not sure how to do ToS/DSCP-based classification with Vyatta. I have SIP trunks coming from the 192.168.0.0/24 network. Am I close, or is this unattainable?


 


Thanks!
Untitleddrawing.png
Question by:lorsungcu
7 Comments
 

Expert Comment

by:pwindell
NAT applied to the VPN traffic would defeat everything else: do not NAT the traffic that crosses the VPN, only the Internet-bound traffic on the outside interfaces.

DHCP across the tunnel would be done by configuring DHCP relay (IP helper addresses) on the Vyatta VPN routers, if they support it; if they don't, you would need an independent DHCP server on each side.

QoS would just be subject to whatever the Vyatta devices are capable of. A VPN is not a "high performer": yours is only going to run at 6 Mbps, because the VPN's speed locks in at the slowest part of the path. Running VoIP over it is probably a bad idea if that is what the QoS is being considered for. QoS is not going to make the VPN faster; it only prioritizes the VoIP over everything else, which may make everything else too slow and undependable (just my opinion), and at our place the "everything else" is more important than voice calls.

If it were me, the VoIP system at each location would be independent (an IP-PBX at each location), VoIP would never leave the physical site, and phone calls between the two locations would go over the public telephone network rather than VoIP. We are a conglomerate of television stations, newspapers and cable TV facilities, and that is how we do ours: the VoIP system at each facility is completely independent of the others, so we do not use the network (via VPN) for long-distance phone calls between the facilities.

That is my 2 cents.  What you do with that is up to you.
 

Author Comment

by:lorsungcu
Routing voice calls out through our respective ISPs is handled separately. I realize there is no NAT over the VPN; I meant NAT on the Internet-facing interfaces. I don't think we can saturate 6 Mbps with voice calls, but I do think we can saturate it with file transfers and the like, so reserving bandwidth for voice (you know, the thing customers call to buy things with) makes sense.

Thanks for the input, but I need actual vyatta advice.
 

Expert Comment

by:pwindell
Thanks for the input, but I need actual vyatta advice.
Then you should contact their product support for that. I'm not saying you won't "get lucky" and run across someone around here who knows, but that is what it would be: luck.

 

Accepted Solution

by:
Ross-C earned 500 total points
I have a very similar setup with 2  vyatta clusters at each side.

To prioritise traffic over the VPN you can classify and shape it as it enters the LAN interface, before it leaves the network; see page 6 of the attached PDF. As for the web sites: that happens when clients use the server's public address, because the routers' NAT configuration expects those requests on the external interface, not the internal one — the fix for that is called NAT hairpinning (NAT reflection). As a workaround I created local DNS entries for the web server domains pointing to the local IP addresses. If the remote client is already using the private address (192.168.0.5), note that your masquerade rule already exempts VPN destinations, so check instead whether the web server itself accepts connections from the 192.168.10.0/24 subnet.

Vyatta-QoSRef-R6.1-v02.pdf
 

Expert Comment

by:Ross-C
Also, this guy's blog was really useful to me when getting started with Vyatta.

http://roggyblog.blogspot.com/2009/12/setting-up-vyatta-cluster-with-vrrp-and.html

The link above covers the VPN and NAT configuration really well.
 

Author Closing Comment

by:lorsungcu
Thanks, that's all I needed to know.  Ended up doing something else, but in the future, this will be helpful!
 

Author Comment

by:lorsungcu
Yeah, I've read his stuff.  Really knowledgeable guy.
