lorsungcu asked:

DHCP, QOS, NAT over Vyatta IPSec VPN

I have built a site to site VPN using VC6, and need to do the following things over it:

Provide DHCP to local subnets on both sides (currently 192.168.0.0 and 192.168.10.0)
Configure QOS for our IP PBX
NAT everything properly

Here's the config for my West device:

firewall {
     name mplsFW {
         default-action accept
     }
 }
 interfaces {
     ethernet eth0 {
         address xxx.xxx.236.18/28
         address xxx.xxx.236.19/28
         address xxx.xxx.236.20/28
         address xxx.xxx.236.21/28
         address xxx.xxx.236.22/28
         address xxx.xxx.236.23/28
         address xxx.xxx.236.24/28
         address xxx.xxx.236.25/28
         address xxx.xxx.236.26/28
         address xxx.xxx.236.27/28
         address xxx.xxx.236.28/28
         address xxx.xxx.236.29/28
         address xxx.xxx.236.30/28
         hw-id xx:xx:xx:xx:xx:60
     }
     ethernet eth1 {
         address 192.168.0.1/24
         hw-id xx:xx:xx:xx:xx:61
     }
     loopback lo {
     }
 }
 service {
     https
     nat {
         rule 5 {
             destination {
                 address !192.168.10.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.0.0/24
             }
             type masquerade
         }
     }
     snmp {
         community snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network yyy.yyy.229.144/29
         }
         listen-address 192.168.0.1 {
         }
     }
     ssh {
         port 22
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address xxx.xxx.236.17
     host-name mplsvta
     login {
         user vyatta {
             authentication {
                 encrypted-password yyysCS7JOH4$IxxxyyyJuNXdLaGaoxxx
             }
         }
     }
     name-server xxx.xxx.xxx.10
     name-server xxx.xxx.xxx.20
     ntp-server 0.vyatta.pool.ntp.org
     package {
         auto-sync 1
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         esp-group ESP-mpls1 {
             compression disable
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-mpls1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer yyy.yyy.229.145 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name ltlc.key
                 }
                 description yyyTunnel
                 ike-group IKE-mpls1
                 local-ip yyy.yyy.236.18
                 tunnel 1 {
                     allow-nat-networks disable
                     esp-group ESP-mpls1
                     local-subnet 192.168.0.0/24
                     remote-subnet 192.168.10.0/24
                 }
             }
         }
     }
     rsa-keys {
         rsa-key-name ltlc.key {
             rsa-key 0sAQNrF8VGmBZeV5jX6b76MC+1Ctf+EpBwYEkWX9C+aaaF1ZaE0gj6KLbJml6MZwzcr6sSoQcwEY4wVDuTjxDOL7trzFJYWUl+t3ujkAIX+UERkryKnNRpiftPQuvrqa2EtJ3I3lhQ9RTRgPzo3FuEDSDrqaYtyO69h2jNRzpmnMd4+aCLZgAcj2UeSNN/una7gv5ztsmFs9jN06SIxAXwtey4GCTCtbO7jZTZWDDG8t6te3fhm9Ty6QT22emLvptAz9ZqyMuqW+AfDzOFXN/ScQ5CdV3PEvnQdEGMCUx3qJ24ABogwhP/ggzhtnvvWcp0PsnHS/kPALoML50k3IpL9apoOUgEhAcL0soMNI34PuW
         }
     }
 }
[edit]


And the East :

firewall {
     name ltlcFW {
         default-action accept
     }
 }
 interfaces {
     ethernet eth0 {
         address yyy.yyy.229.145/29
         address yyy.yyy.229.146/29
         address yyy.yyy.229.147/29
         address yyy.yyy.229.148/29
         address yyy.yyy.229.149/29
         hw-id yy:yy:yy:yy:yy:01
     }
     ethernet eth1 {
         address 192.168.10.1/24
         hw-id yy:yy:yy:yy:yy:93
     }
     loopback lo {
     }
 }
 service {
     https
     nat {
         rule 5 {
             destination {
                 address !192.168.0.0/24
             }
             outbound-interface eth0
             source {
                 address 192.168.10.0/24
             }
             type masquerade
         }
     }
     snmp {
         community openip.snmp {
             network 192.168.0.0/24
             network 192.168.10.0/24
             network xxx.xxx.236.16/28
         }
         listen-address 192.168.10.1 {
         }
     }
     ssh {
     }
 }
 system {
     domain-name xxxyyy.com
     gateway-address yyy.yyy.229.150
     host-name ltlcvta
     login {
         user vyatta {
             authentication {
                 encrypted-password yyyPQ6Nd06D$ZxxxyyyE0fRHIZ2lNxxx
             }
         }
     }
     name-server yyy.yyy.yyy.130
     name-server yyy.yyy.yyy.130
     ntp-server 0.vyatta.pool.ntp.org
     package {
         repository community {
             components main
             distribution stable
             url http://packages.vyatta.com/vyatta
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
 }
 vpn {
     ipsec {
         esp-group ESP-ltlc1 {
             lifetime 1800
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-ltlc1 {
             lifetime 3600
             proposal 1 {
                 encryption aes256
             }
             proposal 2 {
                 encryption aes128
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer xxx.xxx.236.18 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret "s3kr33t"
                     rsa-key-name mpls.key
                 }
                 ike-group IKE-ltlc1
                 local-ip yyy.yyy.229.145
                 tunnel 1 {
                     esp-group ESP-ltlc1
                     local-subnet 192.168.10.0/24
                     remote-subnet 192.168.0.0/24
                 }
             }
         }
     }
     rsa-keys {
         rsa-key-name mpls.key {
             rsa-key 0sAQOGvfcwdIkH8lcHigqYdW6qa0RxgBW1jev366aS1Dvlx7+LpYfxrPRkFKxeJLKSDxjkISqXpO0EUbQQ4ihZNzKqjKIUNnA/ZyStmGGBQ0UQqQBH3WrJmHWz4ES3fbLvGeaqD1lS+YM2Hvebc/qJ2FlXilsYgvh6AOZEdIqf99NOpJvIU+NPyh8WubqaPXsWRdSR11KZjpgwNv1aWNHFtN9JWNODa54RcP0LyB13swRueYKZNtbBMgcvnghaVMPYeg5dmqey/RDwl/qCYlLxHUbRUp+hZyUIc12Icgm5yaBaNIafgoaX0AJOeh5C585uouylY4Ga/nz2nZKIOkcrha1ndRRIdFEVnGrqIdZT9NtCuTMZ
         }
     }
 }
[edit]


Right now I can ping devices on either side of the VPN, but can't access HTTP on local machines (I have a webserver on 192.168.0.5 that 192.168.10.10 can ping, but can't browse to).  Attached is an image of how I need it to work.  Ideally, I'd like the router at 192.168.0.1 to serve DHCP for 192.168.10.0.  As far as QoS, if 60% of the bandwidth was reserved for voice, that would be ideal.  Not sure how to do ToS with Vyatta.  I have SIP trunks coming from the 192.168.0.0 network.  Am I close, or is this unattainable?


Thanks!
Attachment: Untitleddrawing.png
Tags: Internet Protocol Security, Software Firewalls, Network Architecture

pwindell

NAT would nullify everything else,...No NAT with respect to the VPN.

DHCP would be done by configuring either IP Helper Addresses on the Vyatta VPN Router (if they are capable), or if they are not capable then you would need independent DHCP Servers on each "side".

QoS would just be subject to whatever the Vyatta devices are capable of.  VPN is not a "high performer",...Yours is only going to run at 6mbps because the VPN speed will "lock-in" at the slowest part of the path.  Running VoIP is probably a bad idea if that is what the QoS is being considered for.  QoS is not going to make the VPN faster, it is only going to prioritize the VoIP over anything else,...which may cause anything else to be too slow and undependable (just my opinion),...and at our place,...our "anything else" is more important than voice calls.

If it were me, the VoIP system at each location would be independent (IP-PBX at each location),...VoIP would never leave the physical site,... and phone calls between the two locations would go over the public telephone system and not use VoIP.   We are a conglomerate of television stations, newspapers, and CableTV facilities and that is how we do ours.  The VoIP system at each facility is completely independent of the others, so we do not use the "network" (via VPN) to do phone calls long distance between the facilities.

That is my 2 cents.  What you do with that is up to you.
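Taking pwindell's three points (no NAT inside the tunnel, DHCP by relaying to the West router, QoS only as far as the box allows), here is an added example of VC6 configure-mode commands for the setup in the question; it is not from this thread, the accepted answer or Vyatta's documentation, and the pool ranges, the WEST-LAN/EAST-LAN/VOICE names and DSCP 46 are assumptions. The posted NAT rule 5 already excludes the remote subnet from masquerade on each side, so it is not repeated.

```vyatta
# Added example (not from the thread, the accepted answer or Vyatta docs).
# Addresses are those in the posted configs; pool ranges, the shared-network
# and shaper names, and DSCP 46 (EF) are assumptions.

# ---- West router (mplsvta, 192.168.0.1): one DHCP server for both LANs ----
set service dhcp-server shared-network-name WEST-LAN subnet 192.168.0.0/24 start 192.168.0.100 stop 192.168.0.200
set service dhcp-server shared-network-name WEST-LAN subnet 192.168.0.0/24 default-router 192.168.0.1
set service dhcp-server shared-network-name EAST-LAN subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.200
set service dhcp-server shared-network-name EAST-LAN subnet 192.168.10.0/24 default-router 192.168.10.1
# The remote pool is chosen from the relay agent address (giaddr) that the East
# router stamps on forwarded requests, so West needs no interface in 192.168.10.0/24.

# ---- East router (ltlcvta, 192.168.10.1): relay LAN broadcasts to West ----
set service dhcp-relay interface eth1
set service dhcp-relay server 192.168.0.1
# Relayed unicasts go 192.168.10.1 -> 192.168.0.1 and so fall inside the tunnel's
# local/remote subnets. Assumption to verify with a capture on eth0: they leave
# as ESP, not in the clear via the default route.

# ---- Both routers: reserve 60% of the 6 Mbit WAN egress for voice ----
set traffic-policy shaper VOICE bandwidth 6mbit
set traffic-policy shaper VOICE class 10 description "voice, DSCP EF"
set traffic-policy shaper VOICE class 10 bandwidth 60%
set traffic-policy shaper VOICE class 10 ceiling 100%
set traffic-policy shaper VOICE class 10 match EF ip dscp 46
set traffic-policy shaper VOICE default bandwidth 40%
set traffic-policy shaper VOICE default ceiling 100%
set interfaces ethernet eth0 traffic-policy out VOICE
# On eth0 the shaper sees ESP, so SIP/RTP ports are invisible. The match relies on
# the inner DSCP being copied to the outer IP header (assumed; verify on your
# build) and on the PBX marking voice as EF. Watch the class 10 counters on eth0
# during a call to confirm voice is landing in the reserved class.
commit
save
```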
lorsungcu

ASKER
Routing voice calls out our respective ISPs is handled separately.  I realize there is no NAT over the VPN, I meant on either of the internet facing interfaces.  I don't think we can saturate 6Mb with voice calls.  I do think we can saturate it with file transfers and such, though.  Thus prioritizing bandwidth for voice (you know, the thing customers call to buy things) would make sense.

Thanks for the input, but I need actual vyatta advice.
pwindell

Thanks for the input, but I need actual vyatta advice.
Then you should contact their product support for that.  I'm not saying you won't "get lucky" and run across someone around here who knows,...but that is what it would be,..."luck".
ASKER CERTIFIED SOLUTION
Ross-C

Ross-C

Also, this guy's blog was really useful to me getting started with Vyatta.

http://roggyblog.blogspot.com/2009/12/setting-up-vyatta-cluster-with-vrrp-and.html

The link above covers the VPN and NAT really well.
lorsungcu

ASKER
Thanks, that's all I needed to know.  Ended up doing something else, but in the future, this will be helpful!
lorsungcu

ASKER
Yeah, I've read his stuff.  Really knowledgeable guy.