13 May, 2014
SAKURA Internet Research Center
Senior Researcher / Naoto MATSUMOTO
Basic idea for inter-cloud
[Diagram: Private Cloud A (LAN, vSwitch, VR-1, VR-2) and Private Cloud B (LAN, vSwitch, VR-3, VR-4) joined by two IPSec Tunnels, one MASTER and one BACKUP]
VR: Virtual Router (Brocade Vyatta vRouter or VyOS)
Brocade Vyatta vRouter 6.6R5: http://brocade.com/5400documentation
VyOS 1.0.3 : http://vyos.net/
Unbreakable VPN using Vyatta/VyOS
- HOW TO -
Configure Clustering group 1/2
[Diagram: in each private cloud the two VRs form a clustering group: VR-1 (Primary Node) and VR-2 (Secondary Node) in Private Cloud A, VR-3 (Primary Node) and VR-4 (Secondary Node) in Private Cloud B; each pair shares a VIP on its LAN vSwitch]
VIP: Shared Virtual IP Address
Configure Clustering group 2/2
[Diagram: VR-1, VR-2 in Private Cloud A and VR-3, VR-4 in Private Cloud B, with Cross Monitoring between the two clouds]
Configure Dual IPSec Tunneling
[Diagram: two IPSec Tunnels between Private Cloud A (VR-1, VR-2) and Private Cloud B (VR-3, VR-4)]
Logical IP Network view (MASTER)
[Diagram: Private Cloud A and Private Cloud B, each with its VIP held by the Primary Node (VR-1 and VR-3), connected by the IPSec Tunnel between them; the second tunnel is standing by]
VIP: Shared Virtual IP Address
Logical IP Network view (BACKUP)
[Diagram: the same topology after a Monitoring failure; the VIPs are now held by the BACKUP nodes (VR-2 and VR-4) and traffic flows over the other IPSec Tunnel]
VIP: Shared Virtual IP Address
Unbreakable VPN using Vyatta/VyOS
- Sample Configuration TIPS-
Configure Clustering group 1/3
[Diagram: VR-1 (Primary Node) and VR-2 (Secondary Node) on the LAN vSwitch, sharing VIP 10.10.10.100/24]
Sample Configuration for VR-1 and VR-2
$ configure
# set system host-name VR-1 (or VR-2)
# set cluster dead-interval 1000
# set cluster group CLUSTER auto-failback true
# set cluster interface eth0
# set cluster interface eth1
# set cluster keepalive-interval 200
# set cluster pre-shared-secret SeCrEt
# set cluster group CLUSTER primary VR-1
# set cluster group CLUSTER secondary VR-2
# set cluster group CLUSTER service 10.10.10.100/24/eth1
# set cluster mcast-group 239.10.10.100
Configure Clustering group 2/3
Sample Configuration for VR-3 and VR-4
$ configure
# set system host-name VR-3 (or VR-4)
# set cluster dead-interval 1000
# set cluster group CLUSTER auto-failback true
# set cluster interface eth0
# set cluster interface eth1
# set cluster keepalive-interval 200
# set cluster pre-shared-secret SeCrEt
# set cluster group CLUSTER primary VR-3
# set cluster group CLUSTER secondary VR-4
# set cluster group CLUSTER service 10.20.20.100/24/eth1
# set cluster mcast-group 239.20.20.100
[Diagram: VR-3 (Primary Node) and VR-4 (Secondary Node) on the LAN vSwitch, sharing VIP 10.20.20.100/24]
Configure Clustering group 3/3
[Diagram: Monitoring between VR-1 (133.242.XXX.1) and VR-3 (133.242.YYY.3) across the two vSwitch/LAN segments]
VR-1# set cluster monitor-dead-interval 1000
VR-1# set cluster group CLUSTER monitor 133.242.YYY.3
VR-1# commit
VR-1# save
VR-3# set cluster monitor-dead-interval 1000
VR-3# set cluster group CLUSTER monitor 133.242.XXX.1
VR-3# commit
VR-3# save
Configure Dual IPSec Tunneling 1/3
[Diagram: IPSec Tunnel between VR-1 and VR-3]
Sample Configuration for VR-1 and VR-3
# set vpn ipsec esp-group ESP lifetime 1800
# set vpn ipsec esp-group ESP mode tunnel
# set vpn ipsec esp-group ESP pfs enable
# set vpn ipsec esp-group ESP proposal 1 encryption aes256
# set vpn ipsec esp-group ESP proposal 1 hash sha1
# set vpn ipsec ike-group IKE lifetime 3600
# set vpn ipsec ike-group IKE proposal 1 encryption aes256
# set vpn ipsec ike-group IKE proposal 1 hash sha1
# set vpn ipsec ipsec-interfaces interface eth0
Configure Dual IPSec Tunneling 2/3
[Diagram: IPSec Tunnel between VR-1 (133.242.XXX.1, LAN 10.10.10.0/24) and VR-3 (133.242.YYY.3, LAN 10.20.20.0/24)]
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 local-address 133.242.XXX.1
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication mode pre-shared-secret
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 authentication pre-shared-secret SeCrEt
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 connection-type initiate
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 default-esp-group ESP
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 ike-group IKE
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 local prefix 10.10.10.0/24
VR-1# set vpn ipsec site-to-site peer 133.242.YYY.3 tunnel 0 remote prefix 10.20.20.0/24
VR-1# commit
VR-1# save
Configure Dual IPSec Tunneling 3/3
[Diagram: IPSec Tunnel between VR-1 (133.242.XXX.1, LAN 10.10.10.0/24) and VR-3 (133.242.YYY.3, LAN 10.20.20.0/24)]
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 local-address 133.242.YYY.3
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication mode pre-shared-secret
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 authentication pre-shared-secret SeCrEt
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 connection-type initiate
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 default-esp-group ESP
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 ike-group IKE
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 local prefix 10.20.20.0/24
VR-3# set vpn ipsec site-to-site peer 133.242.XXX.1 tunnel 0 remote prefix 10.10.10.0/24
VR-3# commit
VR-3# save
Configure TCP-MSS modify for VPN
[Diagram: IPSec Tunnel between VR-1 (LAN 10.10.10.0/24) and VR-3 (LAN 10.20.20.0/24); the MSS clamp is applied to TCP SYN packets entering eth0 on each side]
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.20.20.0/24
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
VR-1# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN
VR-1# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0
VR-1# commit
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 destination address 10.10.10.0/24
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 protocol tcp
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 set tcp-mss 1386
VR-3# set policy route TCP-MSS1386-ETH0 rule 1 tcp flags SYN
VR-3# set interfaces ethernet eth0 policy route TCP-MSS1386-ETH0
VR-3# commit
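The whole procedure on slides 10 to 15 only works when the two primaries mirror each other: VR-1's cluster monitor target and IPsec peer must both be VR-3's WAN address (and vice versa), the tunnel's local/remote prefixes must be swapped between the sides, and the secrets and ESP/IKE groups must match. The script below is an added example, not part of the slides or of Vyatta/VyOS: it renders the mirrored `set` commands for both primaries from one description per site and then cross-checks the two sides, so the same check can be run on `show configuration commands` output copied from live nodes. The Site class, the FIELDS patterns and check_pair are this example's own; the addresses, VIPs and group names are the slides' values (the WAN addresses keep the slides' XXX/YYY placeholders), and the TCP-MSS policy of slide 16 is not rendered.

```python
"""Render the mirrored Vyatta/VyOS 'set' commands for the two-site design on
these slides and cross-check that the two primaries agree with each other."""
import re
from dataclasses import dataclass


@dataclass
class Site:
    primary: str    # host-name of the primary node, e.g. "VR-1"
    secondary: str  # host-name of the secondary node, e.g. "VR-2"
    wan: str        # eth0 address used for IPsec and for cross-site monitoring
    lan: str        # LAN prefix behind this site, e.g. "10.10.10.0/24"
    vip: str        # shared VIP with prefix length, e.g. "10.10.10.100/24"
    mcast: str      # cluster keepalive multicast group


def cluster_config(site, peer, psk, group="CLUSTER"):
    """Cluster group for one site's primary; it monitors the peer primary's WAN address."""
    return [
        "set cluster dead-interval 1000", "set cluster keepalive-interval 200",
        "set cluster interface eth0", "set cluster interface eth1",
        f"set cluster pre-shared-secret {psk}", f"set cluster mcast-group {site.mcast}",
        f"set cluster group {group} auto-failback true",
        f"set cluster group {group} primary {site.primary}",
        f"set cluster group {group} secondary {site.secondary}",
        f"set cluster group {group} service {site.vip}/eth1",
        "set cluster monitor-dead-interval 1000",
        f"set cluster group {group} monitor {peer.wan}",
    ]


def ipsec_config(site, peer, psk, esp="ESP", ike="IKE"):
    """Site-to-site tunnel from this site's primary to the peer site's primary."""
    esp_opts = ["lifetime 1800", "mode tunnel", "pfs enable",
                "proposal 1 encryption aes256", "proposal 1 hash sha1"]
    ike_opts = ["lifetime 3600", "proposal 1 encryption aes256", "proposal 1 hash sha1"]
    peer_opts = [f"local-address {site.wan}", "authentication mode pre-shared-secret",
                 f"authentication pre-shared-secret {psk}", "connection-type initiate",
                 f"default-esp-group {esp}", f"ike-group {ike}",
                 f"tunnel 0 local prefix {site.lan}", f"tunnel 0 remote prefix {peer.lan}"]
    lines = [f"set vpn ipsec esp-group {esp} {o}" for o in esp_opts]
    lines += [f"set vpn ipsec ike-group {ike} {o}" for o in ike_opts]
    lines.append("set vpn ipsec ipsec-interfaces interface eth0")
    lines += [f"set vpn ipsec site-to-site peer {peer.wan} {o}" for o in peer_opts]
    return lines


# Values pulled back out of a node's configuration; works on the lists rendered
# above and on 'show configuration commands' output copied from a live node.
FIELDS = {
    "monitor": r"^set cluster group \S+ monitor (\S+)",
    "peer": r"^set vpn ipsec site-to-site peer (\S+) local-address",
    "local": r"local-address (\S+)",
    "psk": r"authentication pre-shared-secret (\S+)",
    "local_prefix": r"tunnel 0 local prefix (\S+)",
    "remote_prefix": r"tunnel 0 remote prefix (\S+)",
}


def extract(lines):
    found = {}
    for line in lines:
        for key, pattern in FIELDS.items():
            m = re.search(pattern, line.strip())
            if m:
                found[key] = m.group(1)
    return found


def check_pair(lines_a, lines_b):
    """Return the mismatches between two primaries; an empty list means they agree."""
    a, b = extract(lines_a), extract(lines_b)
    problems = []
    for x, y, xn, yn in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x.get("peer") != y.get("local"):
            problems.append(f"{xn} peers with {x.get('peer')} but {yn} local-address is {y.get('local')}")
        if x.get("monitor") != x.get("peer"):
            problems.append(f"{xn} monitors {x.get('monitor')} rather than its IPsec peer {x.get('peer')}")
        if x.get("local_prefix") != y.get("remote_prefix"):
            problems.append(f"{xn} local prefix {x.get('local_prefix')} != {yn} remote prefix {y.get('remote_prefix')}")
    if a.get("psk") != b.get("psk"):
        problems.append("IPsec pre-shared-secret differs between the two sites")
    groups = lambda ls: sorted(l for l in ls if re.match(r"set vpn ipsec (esp|ike)-group", l))
    if groups(lines_a) != groups(lines_b):
        problems.append("ESP/IKE group settings differ between the two sites")
    return problems


# The two sites from the slides; WAN addresses keep the slides' XXX/YYY placeholders.
SITE_A = Site("VR-1", "VR-2", "133.242.XXX.1", "10.10.10.0/24", "10.10.10.100/24", "239.10.10.100")
SITE_B = Site("VR-3", "VR-4", "133.242.YYY.3", "10.20.20.0/24", "10.20.20.100/24", "239.20.20.100")
PSK = "SeCrEt"  # the slides' sample secret
VR1 = cluster_config(SITE_A, SITE_B, PSK) + ipsec_config(SITE_A, SITE_B, PSK)
VR3 = cluster_config(SITE_B, SITE_A, PSK) + ipsec_config(SITE_B, SITE_A, PSK)
```

Paste each list into `configure` on the matching node (followed by `commit` and `save`), or feed two captured configurations to check_pair to confirm they are consistent before a failover test.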
Unbreakable VPN Architecture
[Diagram: Private Cloud A (LAN, vSwitch, VR-1, VR-2) and Private Cloud B (LAN, vSwitch, VR-3, VR-4) joined by two IPSec Tunnels, one MASTER and one BACKUP]
Thanks for your interest.
SAKURA Internet Research Center.