lorsungcu


DHCP, QOS, NAT over Vyatta IPSec VPN

I have built a site to site VPN using VC6, and need to do the following things over it:

Provide DHCP to local subnets on both sides (currently 192.168.0.0 and 192.168.10.0)
Configure QOS for our IP PBX
NAT everything properly

Here's the config for my West device:

/* West site (host-name mplsvta), as posted. Reviewer notes are added as comments only; no config line is changed. */
firewall {
     /* mplsFW has default-action accept and no rules, and no interface below references it: nothing in this config filters eth0 or eth1 traffic. */
     name mplsFW {
         default-action accept
     }
 }
 interfaces {
     /* Public side: a /28 of public addresses. The vpn section writes local-ip as yyy.yyy.236.18 while this reads xxx.xxx.236.18 - presumably a redaction inconsistency in the paste, since East peers with xxx.xxx.236.18. */
     ethernet eth0 {
         address xxx.xxx.236.18/28
         address xxx.xxx.236.19/28
         address xxx.xxx.236.20/28
		 address xxx.xxx.236.21/28
		 address xxx.xxx.236.22/28
		 address xxx.xxx.236.23/28
		 address xxx.xxx.236.24/28
		 address xxx.xxx.236.25/28
		 address xxx.xxx.236.26/28
		 address xxx.xxx.236.27/28
		 address xxx.xxx.236.28/28
		 address xxx.xxx.236.29/28
		 address xxx.xxx.236.30/28
         hw-id xx:xx:xx:xx:xx:60
     }
     /* LAN side, 192.168.0.0/24; 192.168.0.1 is also the snmp listen-address below. */
     ethernet eth1 {
         address 192.168.0.1/24
         hw-id xx:xx:xx:xx:xx:61
     }
     loopback lo {
     }
 }
 service {
     /* Web GUI enabled with no listen-address; with mplsFW unattached, nothing in this config limits it to the LAN side. */
     https
     nat {
         /* Masquerade LAN sources leaving eth0 except when the destination is the East LAN, so tunnel-bound traffic stays un-NATed and matches local-subnet/remote-subnet in the vpn section. */
         rule 5 {
             destination {
                 address !192.168.10.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.0.0/24
             }
             type masquerade
         }
     }
     snmp {
         /* The community string is the SNMP access credential and is part of this public post; the network list also admits the East LAN and the East public /29. listen-address binds the agent to the LAN address only. */
         community snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network yyy.yyy.229.144/29
         }
         listen-address 192.168.0.1 {
         }
     }
     /* No listen-address and mplsFW unattached: nothing in this config restricts ssh to the LAN side. Only a password is configured for user vyatta (system login below), no public-keys node. */
     ssh {
         port 22
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address xxx.xxx.236.17
     host-name mplsvta
     login {
         user vyatta {
             authentication {
                 /* Password hash (partly redacted) is part of this public post. */
                 encrypted-password yyysCS7JOH4$IxxxyyyJuNXdLaGaoxxx
             }
         }
     }
     name-server xxx.xxx.xxx.10
     name-server xxx.xxx.xxx.20
     ntp-server 0.vyatta.pool.ntp.org
     package {
         /* auto-sync 1 (not set on East) refreshes package lists from the repository below; its url is plain http, so transport gives no integrity protection. */
         auto-sync 1
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             /* debug on the protocols facility helps while the tunnel is being brought up; presumably verbose afterwards - confirm what the IPsec daemon emits at this level. */
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         /* Phase 2. compression disable is set here but not on East; lifetime is in seconds. */
         esp-group ESP-mpls1 {
             compression disable
             lifetime 1800
             /* No hash given, so the platform default applies (not shown). */
             proposal 1 {
                 encryption aes256
             }
             /* 3des with md5 is a deprecated pair; East lists the same proposal 2, so it remains an acceptable fallback on both ends. */
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         /* Phase 1. No dh-group on either proposal, so the platform default applies (not shown); East's IKE-ltlc1 has the same two proposals and lifetime. */
         ike-group IKE-mpls1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             /* East's public address (first eth0 address on the East device). */
             peer yyy.yyy.229.145 {
                 /* mode selects the pre-shared secret; rsa-key-name is configured but is not the active mode. The secret sits in clear text, is identical on East, and is now part of this public post. */
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name ltlc.key
                 }
                 description yyyTunnel
                 ike-group IKE-mpls1
                 local-ip yyy.yyy.236.18
                 /* Subnets mirror East's tunnel 1; allow-nat-networks disable is set here only. Nothing in this config filters TCP between the two LANs, so the ping-works/HTTP-fails symptom in the question is not explained by these lines; a host firewall on 192.168.0.5 or path MTU through the tunnel are the usual suspects - TODO confirm. */
                 tunnel 1 {
                     allow-nat-networks disable
                     esp-group ESP-mpls1
                     local-subnet 192.168.0.0/24
                     remote-subnet 192.168.10.0/24
                 }
             }
         }
     }
     rsa-keys {
         /* Presumably the East device's public key (its host-name is ltlcvta); referenced by rsa-key-name above but unused while authentication mode is pre-shared-secret. */
         rsa-key-name ltlc.key {
             rsa-key 0sAQNrF8VGmBZeV5jX6b76MC+1Ctf+EpBwYEkWX9C+aaaF1ZaE0gj6KLbJml6MZwzcr6sSoQcwEY4wVDuTjxDOL7trzFJYWUl+t3ujkAIX+UERkryKnNRpiftPQuvrqa2EtJ3I3lhQ9RTRgPzo3FuEDSDrqaYtyO69h2jNRzpmnMd4+aCLZgAcj2UeSNN/una7gv5ztsmFs9jN06SIxAXwtey4GCTCtbO7jZTZWDDG8t6te3fhm9Ty6QT22emLvptAz9ZqyMuqW+AfDzOFXN/ScQ5CdV3PEvnQdEGMCUx3qJ24ABogwhP/ggzhtnvvWcp0PsnHS/kPALoML50k3IpL9apoOUgEhAcL0soMNI34PuW
         }
     }
 }
[edit]



And the East :

/* East site (host-name ltlcvta), as posted. Reviewer notes are added as comments only; no config line is changed. */
firewall {
     /* ltlcFW has default-action accept and no rules, and no interface below references it: nothing in this config filters eth0 or eth1 traffic. */
     name ltlcFW {
         default-action accept
     }
 }
 interfaces {
     /* Public side: a /29 of public addresses; .145 is the local-ip used in the vpn section and the peer address West points at. */
     ethernet eth0 {
         address yyy.yyy.229.145/29
         address yyy.yyy.229.146/29
         address yyy.yyy.229.147/29
         address yyy.yyy.229.148/29
         address yyy.yyy.229.149/29
         hw-id yy:yy:yy:yy:yy:01
     }
     /* LAN side, 192.168.10.0/24; 192.168.10.1 is also the snmp listen-address below. */
     ethernet eth1 {
         address 192.168.10.1/24
         hw-id yy:yy:yy:yy:yy:93
     }
     loopback lo {
     }
 }
 service {
     /* Web GUI enabled with no listen-address; with ltlcFW unattached, nothing in this config limits it to the LAN side. */
     https
     nat {
         /* Mirror of West's rule 5: masquerade LAN sources leaving eth0 except when the destination is the West LAN, so tunnel-bound traffic stays un-NATed. */
         rule 5 {
             destination {
                 address !192.168.0.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.10.0/24
             }
             type masquerade
         }
     }
     snmp {
         /* The community string is the SNMP access credential and is part of this public post; the network list also admits the West LAN and the West public /28. listen-address binds the agent to the LAN address only. */
         community openip.snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network xxx.xxx.236.16/28
         }
         listen-address 192.168.10.1 {
         }
     }
     /* Empty node: port and listen-address are left at platform defaults (not shown). With ltlcFW unattached, nothing in this config restricts ssh to the LAN side; only a password is configured for user vyatta. */
     ssh {
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address yyy.yyy.229.150
     host-name ltlcvta
     login {
         user vyatta {
             authentication {
                 /* Password hash (partly redacted) is part of this public post. */
                 encrypted-password yyyPQ6Nd06D$ZxxxyyyE0fRHIZ2lNxxx
             }
         }
     }
     /* Both name-server entries carry the same address (after redaction); presumably the second was meant to be a different resolver - confirm. */
     name-server yyy.yyy.yyy.130
     name-server yyy.yyy.yyy.130
     ntp-server 0.vyatta.pool.ntp.org
     package {
         /* No auto-sync here (West has auto-sync 1); the repository url is plain http, so transport gives no integrity protection. */
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             /* debug on the protocols facility helps while the tunnel is being brought up; presumably verbose afterwards - confirm what the IPsec daemon emits at this level. */
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         /* Phase 2. Same proposals and lifetime (seconds) as West's ESP-mpls1; West additionally sets compression disable. */
         esp-group ESP-ltlc1 {
             lifetime 1800
             /* No hash given, so the platform default applies (not shown). */
             proposal 1 {
                 encryption aes256
             }
             /* 3des with md5 is a deprecated pair; West lists the same proposal 2, so it remains an acceptable fallback on both ends. */
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         /* Phase 1. No dh-group on either proposal, so the platform default applies (not shown); matches West's IKE-mpls1. */
         ike-group IKE-ltlc1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             /* West's first eth0 address. */
             peer xxx.xxx.236.18 {
                 /* mode selects the pre-shared secret; rsa-key-name is configured but is not the active mode. The secret sits in clear text, is identical on West, and is now part of this public post. */
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name mpls.key
                 }
                 ike-group IKE-ltlc1
                 local-ip yyy.yyy.229.145
                 /* Subnets mirror West's tunnel 1; no allow-nat-networks line here (West sets it to disable). Nothing in this config filters TCP between the two LANs. */
                 tunnel 1 {
                     esp-group ESP-ltlc1
                     local-subnet 192.168.10.0/24
                     remote-subnet 192.168.0.0/24
                 }
             }
         }
     }
     rsa-keys {
         /* Presumably the West device's public key (its host-name is mplsvta); referenced by rsa-key-name above but unused while authentication mode is pre-shared-secret. */
         rsa-key-name mpls.key {
             rsa-key 0sAQOGvfcwdIkH8lcHigqYdW6qa0RxgBW1jev366aS1Dvlx7+LpYfxrPRkFKxeJLKSDxjkISqXpO0EUbQQ4ihZNzKqjKIUNnA/ZyStmGGBQ0UQqQBH3WrJmHWz4ES3fbLvGeaqD1lS+YM2Hvebc/qJ2FlXilsYgvh6AOZEdIqf99NOpJvIU+NPyh8WubqaPXsWRdSR11KZjpgwNv1aWNHFtN9JWNODa54RcP0LyB13swRueYKZNtbBMgcvnghaVMPYeg5dmqey/RDwl/qCYlLxHUbRUp+hZyUIc12Icgm5yaBaNIafgoaX0AJOeh5C585uouylY4Ga/nz2nZKIOkcrha1ndRRIdFEVnGrqIdZT9NtCuTMZ
         }
     }
 }
[edit]



Right now I can ping devices on either side of the VPN, but can't access HTTP on local machines (I have a webserver on 192.168.0.5 that 192.168.10.10 can ping, but can't browse to).  Attached is an image of how I need it to work.  Ideally, I'd like the router at 192.168.0.1 to serve DHCP for 192.168.10.0.  As far as QOS, if 60% of the bandwidth was reserved for voice, that would be ideal.  Not sure how to do ToS with vyatta.  I have SIP trunks coming from the 192.168.0.0 network.  Am I close, or is this unattainable?


 


Thanks!
Untitleddrawing.png
pwindell

NAT would nullify everything else,...No NAT with respect to the VPN.

DHCP would be done by configuring either IP Helper Addresses on the Vyatta VPN Router (if they are capable), or if they are not capable then you would need independent DHCP Servers on each "side".

QoS would just be subject to whatever the Vyatta devices are capable of.  VPN is not a "high performer",...Yours is only going to run at 6mbps because the VPN speed will "lock-in" at the slowest part of the path.  Running VoIP is probably a bad idea if that is what the QoS is being considered for.  QoS is not going to make the VPN faster, it is only going to prioritize the VoIP over anything else,...which may cause anything else to be too slow and undependable (just my opinion),...and at our place,...our "anything else", is more important than voice calls.  

If it were me the VoIP System at each location would be independent (IP-PBX at each location),...VoIP would never leave the physical site,... and phone calls between the two locations would go over the Public Telephone System and not use VoIP.   We are a conglomerate of Television Stations, Newspapers, and CableTV facilities and that is how we do ours.  The VoIP System at each facility is completely independent of the others, so we do not use the "network" (via VPN) to do phone calls long distance between the facilities.

That is my 2 cents.  What you do with that is up to you.
lorsungcu


Routing voice calls out our respective ISPs is handled separately.  I realize there is no NAT over the VPN, I meant on either of the internet facing interfaces.  I don't think we can saturate 6Mb with voice calls.  I do think we can saturate it with file transfers and such, though.  Thus prioritizing bandwidth for voice (you know, the thing customers call to buy things) would make sense.

Thanks for the input, but I need actual vyatta advice.
Thanks for the input, but I need actual vyatta advice.
Then you should contact their product support for that.  I'm not saying you won't "get lucky" and run across someone around here who knows,...but that is what it would be,..."luck".
Ross-C

Also, this guy's blog was really useful to me when getting started with vyatta.

http://roggyblog.blogspot.com/2009/12/setting-up-vyatta-cluster-with-vrrp-and.html

The link above covers the VPN and NAT really well.
Thanks, that's all I needed to know.  Ended up doing something else, but in the future, this will be helpful!
Yeah, I've read his stuff.  Really knowledgeable guy.