Sunday, 6 December 2009

Setting up a Vyatta Cluster with VRRP and IPSec Site to Site VPN

Well seeing as we have done this with the closed source alternative (PIX here)
It was time to do the decent thing and do an open source here we go..

Diagram of the lab:

Basic setup of the lab:

Vyatta Cluster Part 1 - Basic Setup from Richard Vimeo on Vimeo.

Part two of the setup:

Vyatta Cluster Part 2 - Basic Setup from Richard Vimeo on Vimeo.

This is the juicy bit, where we setup VRRP, then Clustering and finally, IPsec site to site VPN. (There is some NAT in there too!:)

Vyatta Cluster Part 3 - VRRP, Clustering,VPN etc from Richard Vimeo on Vimeo.

This is where I try and break it!

Vyatta Cluster Part 3 - Testing from Richard Vimeo on Vimeo.

As ever enjoy! and let me know what you think :)


2010 said...
This comment has been removed by a blog administrator.
Scott said...

I've been wondering how to do this for quite some time. Vyatta's guide on how to set this up was rather lacking. Thanks for help via the videos!

Roggy said...

No problem, glad you liked it, thanks for the feedback :)

Ade Bradshaw said...

Fantastic set of videos - I really like Vyatta but haven't done anything as advanced as this yet. You made it look really simple, as someone else said the official docs can be lacking sometimes

Thanks so much - really enjoyed it!

Michael Stokes said...

What if on R2 you had a dynamic IP address on the eth0; what would you set the 'local-ip' address to in the ipsec settings?

I need to have a vyatta router create site-to-site VPN to a Cisco IOS router. The IOS side work great with other cisco/juniper/adtran routers however, I am a bit stuck on dynamic ip's with vyatta.

By the way, your tutorials are by far the best I've found the web.

Roggy said...

Vyatta uses OpenSwan as its backend ipsec server.
According to the documentation to support dynamic ip the "left=" needs to be "%defaultroute" not an ipv4 address.
On vyatta you can probably do this using the "roadwarrior" method of a local ip of and an authentication id (text phrase)

However combining all this together (dynamic ip, remote subnets and ipsec) does not seem to be possible, openvpn would be the choice there however you then run into issues with cisco/juniper etc devices.

My vote would be spend the extra (if you can) and get a static ip.

Thanks for your kind words, hope you enjoy the site.

Michael Stokes said...

Thank you for the quick reply. The application for these ESX boxes are as monitor/tech plateforms that are set out to a customer site and we never know what we will get.

We currently have a reverse SSH tunnel to one of the OS's on the box but the idea situation would be for the box to 'phone home'

I've been trying to make it work with the 'auth id' and 'local-ip 0/0' however, as you have pointed out that doesn't seem to work. everything the nat stops working on the vyatta. I do see phase 1 complete on the Cisco but havn';t spent much time yet troubleshooting that as I could not figure why the nat stopped because of the VPN IPSEC enabled

Roggy said...

I would be temped to setup a local vyatta vm with openvpn. The remote (customers vm) would dial into.

That way you could have each of your customers on a unique subnet.

I have a nice EMC celerra lab coming up, but afterwards Ill do a demo of this, time permitting :)

Michael Stokes said...

great idea. I look forward to the lab meanwhile, I'll give it a shot

Roggy said...

New lab here:

R055C said...

Many thanks for the videos, this is my fist experience with vyatta and and these videos have really helped me to get started.

R055C said...

I have followed the tutorial but with VC6 as i could not locate the image you submitted to vmware. Everything works great except if i reboot node 1 of the cluster the ipsec vpn fails over ok but when node 1 comes back online the vpn drops and will not re-connect until i reboot node 2. Any suggestions would be much appreciated.

R055C said...

Sorry i've sorted it i had accidently set the same priority for the vrrp group on both nodes.

Roggy said...

You beat me to it :)

nicely done!

R055C said...

If you don't mind me asking are you able to configure dhcp on the lan behind the cluster/vrrp routers so that the active router takes over the dhcp-server role.
Many Thanks

colorblind said...

I have a question regarding VRRP.. i have put up 2 vrrp machines, configured them and set up vrrp. when i pull the physical cable from the master while pinging something out there, it of course looses the pings and gives me "distination unreachable" etc... when i does a ifconfig eth0 down on my outside interface, it failes over almost at once and works again. does a cable failure take VERY long time or is there something i am not aware of .. should read up on?

I have tried to add you to twitter but i dont get any option to DM you :S

Roggy said...

Try using the "Cluster" feature in 6.1 with a heartbeat interface and connection sync - works very well.

Ionel said...

Excellent tutorial ! I was wondering if you could do a similar lab, but in this in case R10, R11 and R2 each have two Internet connections from two different ISPs.

Patrick Schless said...

Why did you choose to go with both VRRP (LAN-side) and clustering (internet-side)?

In a scenario where R10 loses public networking (let's say it's cable gets unplugged), it seems like the public IP would switch over, but the private one would say on R10. The cluster monitors a private IP, which I believe would fail from R11 (since it doesn't have the private VIP), so the system would be unable to recover. Is that correct?

Patrick Schless said...
This comment has been removed by the author.
greenz said...

do you have the config files for this episode?