Wednesday 13 July 2011

Vyatta - Hub And Spoke - OSPF over GRE over IPSEC

So my planned more frequent updates to my blog did not exactly go to plan.

Oh well :) I'm posting today with a good one.

Today we are once again playing the role of a Managed Service Provider providing a Managed Cloud Service plus Firewall; the customer, however, has two Cisco 3745 routers.

We have two hubs, MSP-R1 and MSP-R2, both Vyatta, and two spokes, R1 and R2, both IOS.


Here is a picture:




MSP-R1 - Set Up Interfaces:

interfaces {
    ethernet eth0 {
        address 213.111.222.1/24
        description INTERNET
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name VYATTA_IN
            }
        }
        hw-id 08:00:27:a2:7a:a9
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.45.1/24
        description TRMSPTED
        duplex auto
        hw-id 08:00:27:03:40:e0
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        hw-id 08:00:27:68:d2:71
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 1.1.1.1/32
    }
    tunnel tun0 {
        address 10.10.45.1/30
        description Linkto R1
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 1.1.1.1
        multicast disable
        remote-ip 2.2.2.2
        ttl 255
    }
    tunnel tun1 {
        address 10.10.45.5/30
        description Linkto R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 1.1.1.1
        multicast disable
        remote-ip 3.3.3.3
        ttl 255
    }
}



MSP-R2 - Set Up Interfaces:

interfaces {
    ethernet eth0 {
        address 213.111.222.10/24
        description INTERNET
        duplex auto
        hw-id 08:00:27:31:80:53
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.45.1/24
        duplex auto
        hw-id 08:00:27:40:cd:1e
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 10.10.10.10/32
    }
    tunnel tun0 {
        address 10.10.45.9/30
        description Linkto R1
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 10.10.10.10
        multicast disable
        remote-ip 2.2.2.2
        ttl 255
    }
    tunnel tun1 {
        address 10.10.45.13/30
        description LinkTo R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 10.10.10.10
        multicast disable
        remote-ip 3.3.3.3
        ttl 255
    }
}


R1 - Spoke set up interfaces:

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.10.45.2 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
interface Tunnel1
 ip address 10.10.45.10 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 10.10.10.10
!
interface FastEthernet0/0
 ip address 76.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MSP-MAP
!
interface FastEthernet0/1
 ip address 10.101.0.1 255.255.255.0
 duplex auto
 speed auto
!



R2 - Spoke set up interfaces:

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.10.45.6 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
interface Tunnel1
 ip address 10.10.45.14 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 10.10.10.10
!
interface FastEthernet0/0
 ip address 76.2.2.2 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 crypto map MSP-MAP
!
interface FastEthernet0/1
 ip address 10.202.0.1 255.255.255.0
 duplex auto
 speed auto
!


MSP-R1 Set up VPN:

vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-1W {
            dead-peer-detection {
                action restart
                interval 30
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 192.168.45.0/24
            }
        }
        nat-traversal enable
        site-to-site {
            peer 76.1.1.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 1.1.1.1/32
                    remote-subnet 2.2.2.2/32
                }
            }
            peer 76.2.2.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 1.1.1.1/32
                    remote-subnet 3.3.3.3/32
                }
            }
        }
    }
}

MSP-R2 Set up VPN:

vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-1W {
            dead-peer-detection {
                action restart
                interval 30
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 192.168.45.0/24
            }
        }
        nat-traversal enable
        site-to-site {
            peer 76.1.1.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.10
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 10.10.10.10/32
                    remote-subnet 2.2.2.2/32
                }
            }
            peer 76.2.2.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.10
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 10.10.10.10/32
                    remote-subnet 3.3.3.3/32
                }
            }
        }
    }
}



R1 Set up VPN:

!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac
!
crypto map MSP-MAP 10 ipsec-isakmp
 set peer 213.111.222.1
 set transform-set MSP-TRANSFORM
 match address 101
crypto map MSP-MAP 20 ipsec-isakmp
 set peer 213.111.222.10
 set transform-set MSP-TRANSFORM
 match address 102
!
!
access-list 101 permit 0 host 2.2.2.2 host 1.1.1.1
access-list 102 permit 0 host 2.2.2.2 host 10.10.10.10
!


R2 Set up VPN:

crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
!
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac
!
crypto map MSP-MAP 10 ipsec-isakmp
 set peer 213.111.222.1
 set transform-set MSP-TRANSFORM
 match address 101
crypto map MSP-MAP 20 ipsec-isakmp
 set peer 213.111.222.10
 set transform-set MSP-TRANSFORM
 match address 102
!
!
access-list 101 permit 0 host 3.3.3.3 host 1.1.1.1
access-list 102 permit 0 host 3.3.3.3 host 10.10.10.10
!
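The whole point of running OSPF over GRE over IPsec is that the GRE traffic between the loopbacks never leaves eth0 unencrypted, so the IPsec selectors must cover every GRE endpoint pair. The check below is an added example, not the post's or Vyatta's own tooling: it parses configuration in Vyatta's brace syntax and lists tunnels whose local-ip/remote-ip pair matches no site-to-site selector. The sample is a constructed, trimmed copy of MSP-R1's config with the peer 76.2.2.2 left out; it assumes every tunnel interface is GRE, as on this page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample in Vyatta syntax, trimmed from MSP-R1 above: both GRE tunnels are kept but
# only the IPsec tunnel towards R1 (peer 76.1.1.2), so tun1 (towards R2) has no protecting SA.
CONFIG = """
interfaces {
  tunnel tun0 {
    local-ip 1.1.1.1
    remote-ip 2.2.2.2
  }
  tunnel tun1 {
    local-ip 1.1.1.1
    remote-ip 3.3.3.3
  }
}
vpn {
  ipsec {
    site-to-site {
      peer 76.1.1.2 {
        tunnel 1 {
          local-subnet 1.1.1.1/32
          remote-subnet 2.2.2.2/32
        }
      }
    }
  }
}
"""

def parse_vyatta(text):
    # Brace blocks -> nested dicts, "key value" leaves -> key: value. Nesting matters: "local-ip"
    # also appears under vpn peers, where it is the WAN address and not a GRE endpoint.
    root, stack = {}, []
    cur = root
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, val = line.partition(" ")
            cur[key] = val
    return root

def unprotected_gre_tunnels(cfg):
    # Tunnels (assumed GRE, as every tunnel interface on this page is) whose endpoint pair no
    # IPsec selector covers: such a tunnel would carry OSPF and customer traffic in clear.
    selectors = [(ip_network(t["local-subnet"]), ip_network(t["remote-subnet"]))
                 for peer in cfg["vpn"]["ipsec"]["site-to-site"].values()
                 for key, t in peer.items() if key.startswith("tunnel ")]
    return [key.split()[1] for key, i in cfg["interfaces"].items() if key.startswith("tunnel ")
            and not any(ip_address(i["local-ip"]) in l and ip_address(i["remote-ip"]) in r
                        for l, r in selectors)]
```

Run it against the full MSP-R1 and MSP-R2 configs (both peers present) and the list comes back empty; the trimmed sample reports tun1.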




MSP-R1 - OSPF setup

protocols {
    ospf {
        area 0 {
            network 10.10.45.0/30
            network 192.168.45.0/24
            network 10.10.45.4/30
        }
        parameters {
            abr-type cisco
            router-id 1.1.1.1
        }
    }
}



MSP-R2 - OSPF setup

protocols {
    ospf {
        area 0 {
            network 192.168.45.0/24
            network 10.10.45.8/30
            network 10.10.45.12/30
        }
        parameters {
            abr-type cisco
            router-id 10.10.10.10
        }
    }
}



R1 - OSPF setup

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 10.10.45.0 0.0.0.3 area 0
 network 10.10.45.8 0.0.0.3 area 0
 network 10.101.0.0 0.0.0.255 area 0
 maximum-paths 6
!



R2 - OSPF setup

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 10.10.45.4 0.0.0.3 area 0
 network 10.10.45.12 0.0.0.3 area 0
 network 10.202.0.0 0.0.0.255 area 0
 maximum-paths 6
!



Proof is in the pudding -


Routing Tables


R1:

Gateway of last resort is 76.1.1.1 to network 0.0.0.0

2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
O 192.168.43.0/24 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
[110/11121] via 10.10.43.1, 00:00:01, Tunnel0
76.0.0.0/24 is subnetted, 1 subnets
C 76.1.1.0 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.10.43.8/30 is directly connected, Tunnel1
O 10.10.43.12/30 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
C 10.10.43.0/30 is directly connected, Tunnel0
O 10.10.43.4/30 [110/11121] via 10.10.43.1, 00:00:01, Tunnel0
C 10.101.0.0/24 is directly connected, FastEthernet0/1
O 10.202.0.0/24 [110/11122] via 10.10.43.1, 00:00:01, Tunnel0
[110/11122] via 10.10.43.9, 00:00:01, Tunnel1
S* 0.0.0.0/0 [1/0] via 76.1.1.1


R2:

Gateway of last resort is 76.2.2.1 to network 0.0.0.0

3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
O 192.168.43.0/24 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
[110/11121] via 10.10.43.13, 00:01:29, Tunnel1
76.0.0.0/24 is subnetted, 1 subnets
C 76.2.2.0 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.10.43.8/30 [110/11121] via 10.10.43.13, 00:01:29, Tunnel1
C 10.10.43.12/30 is directly connected, Tunnel1
O 10.10.43.0/30 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
C 10.10.43.4/30 is directly connected, Tunnel0
O 10.101.0.0/24 [110/11122] via 10.10.43.5, 00:01:29, Tunnel0
[110/11122] via 10.10.43.13, 00:01:29, Tunnel1
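The routing tables above are the proof that each spoke sees the other site and the hub LAN through both hub tunnels. The script below is an added example (not part of the original post) that turns that visual check into a repeatable one: it parses IOS "show ip route" lines, including the continuation lines that carry the second equal-cost path, and reports which hub tunnels reach each OSPF prefix. The sample is a constructed copy of R1's table above with the summary lines dropped; the interface names Tunnel0/Tunnel1 as the hub tunnels are taken from the R1 config.

```python
import re

# Constructed sample: the route lines from R1's "show ip route" on this page (header dropped).
SHOW_IP_ROUTE = """\
O 192.168.43.0/24 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
[110/11121] via 10.10.43.1, 00:00:01, Tunnel0
C 10.10.43.8/30 is directly connected, Tunnel1
O 10.10.43.12/30 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
C 10.10.43.0/30 is directly connected, Tunnel0
O 10.10.43.4/30 [110/11121] via 10.10.43.1, 00:00:01, Tunnel0
C 10.101.0.0/24 is directly connected, FastEthernet0/1
O 10.202.0.0/24 [110/11122] via 10.10.43.1, 00:00:01, Tunnel0
[110/11122] via 10.10.43.9, 00:00:01, Tunnel1
S* 0.0.0.0/0 [1/0] via 76.1.1.1
"""

HEAD = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")
PATH = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[\d.]+)(?:, \S+, (?P<iface>\S+))?")
DIRECT = re.compile(r"directly connected, (?P<iface>\S+)")

def parse_routes(text):
    # Map prefix -> {"code", "paths": [(next_hop, interface, metric)]}. A line that starts with
    # "[" is a continuation of the previous prefix and holds a further equal-cost path.
    routes, cur = {}, None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = routes.setdefault(m["prefix"], {"code": m["code"], "paths": []})
        rest = m["rest"] if m else line
        for p in PATH.finditer(rest):
            cur["paths"].append((p["nh"], p["iface"], int(p["metric"])))
        d = DIRECT.search(rest)
        if d:
            cur["paths"].append((None, d["iface"], 0))
    return routes

def hub_coverage(routes, hub_ifaces=("Tunnel0", "Tunnel1")):
    # For every OSPF-learned prefix, the hub tunnels that currently carry a path to it.
    # Site LANs should list both hubs; the other spoke's /30 transit links naturally list one.
    return {p: sorted({i for _, i, _ in r["paths"] if i in hub_ifaces})
            for p, r in routes.items() if r["code"] == "O"}

def missing_redundancy(routes, site_prefixes, hub_ifaces=("Tunnel0", "Tunnel1")):
    # Site prefixes not reachable through every hub tunnel: losing one hub would isolate them.
    cov = hub_coverage(routes, hub_ifaces)
    return [p for p in site_prefixes if set(cov.get(p, [])) != set(hub_ifaces)]
```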