Saturday, 27 October 2012

Vyatta 6.5!

Hi all, So Vyatta 6.5 is out, have a look at the features:
(http://www.vyatta.com/downloads/documentation/VC6.5/VC65.zip)


 Policy-Based Routing (PBR)
 PBR allows incoming packets to be forwarded based on policies, rather than just on the destination address. This enables the use of policies that selectively cause packets to take different paths based on defined criteria, such as source address, packet size, protocol, etc... By implementing policies that selectively cause packets to take different paths, network administrators have a powerful new tool for organizing and managing the network. Using PBR, administrators and managers are capable of: Increasing quality of service by giving preferential treatment to bandwidth sensitive or high-priority traffic Reducing capital and operating expenses by distributing select traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost, switched paths Prioritizing critical data over non-critical data Distributing traffic down multiple circuits to avoid connection overload




 Virtual Tunnel Interface (VTI) 

  VTI is a way to represent policy-based IPsec tunnels as virtual interfaces. Vyatta's implementation of VTI mirrors proven industry standards for secure tunnel (st.xx). The advantage of representing an IPsec tunnel as an interface makes it possible to plug IPsec tunnels into the routing protocol infrastructure of a router. Therefore, it becomes possible to influence the packet path by toggling the link state of the tunnel or based on routing metrics. A VTI provides a termination point for a site-to-site IPsec VPN tunnel and allows it to behave like routable interfaces. In addition to simplifying the IPsec configuration, it enables many common routing capabilitiesto be used because the endpoint is associated with an actual interface. VTI benefits include: Simplified configuration of IPsec for protection of remote links Simplified network management and load balancing Dynamic routing through VTI No GRE overhead No need to use access lists to create a tunnel  


BGP Multipath 
 IP routing protocols are designed to select a single best path to a given destination for forwarding traffic. However, many routing protocols have enhanced support for selecting multiple paths, with certain limitations. Multiple paths are useful for traffic engineering, load sharing, load balancing and to help provide quicker failover. This also reduces the probability of a link being left unused. BGP Multipath in Vyatta Network OS 6.5 enables the installation of multiple BGP paths to a destination into the IP routing table. BGP Multipath does not affect the BGP best path selection process. One of the available paths is still designated as the best path as per the standard algorithm and configured/operational conditions. This best path is also advertised to the BGP neighbors. The Vyatta implementations of BGP Multipath will support EBGP and IBGP, but will not support EIGBP, exclusive confed-external path set or MPLS/VPN.  


IPsec for IPv6 Vyatta Network OS 6.5 delivers IPsec support for IPv6 using Internet key management protocol IKEv1. It will not deliver IPsec support for IPv6 using IKEv2. We anticipate that IKEv2 support will be introduced for both IPv4 and IPv6 in a subsequent release. Improved VRRP Commands The VRRP (Virtual Router Redundancy Protocol) operational mode commands have been modified to improve usability and ensure the commands are consistent with the command structure used throughout Vyatta Network OS.








I dont know about you but PDR is (IMHO) the best feature here - I also know the upstream work vyatta has done with Quagga to get this done and its pretty awesome. The other 2 - VTI is cool - but can be done with GRE, but its just simplier, and BGP Mutipath (not MP-BGP that would be awesome!!) is again cool but meh :)

For those that cant wait and want docuementation grab it here:
http://www.vyatta.com/downloads/documentation/VC6.5/VC65.zip


 So thank you Vyatta for 6.5 and roll on core!! 




Sources: http://www.vyatta.com/product/vyatta-network-os/whats-new

Thursday, 26 April 2012

VMware - I want these now! App Blast and Octopus

Small post - and just two small requests:

Project Octopus - Think dropbox for VMware yet enables Hybrid dropbox clouds too

Project Appblast - Like Citrix Access Gateway or Xen App but not Citrix Receiver as it is all HTML5!

Wednesday, 25 January 2012

Some Revision - EIGRP offset lists

Every so often when reading around the internet you come across a post/email with a network related problem that makes you think "hmmmm i've never had to do that" or "that sounds like an interesting problem" - I'll lab it and see if I can find the answer.

Combine that with an area that I do not normally need to work in (EIGRP) and there you go a blog post in the making!


So here is the scenrio:

You are a network admin that looks after three sites, one main site where your offices are and two datacentres.

You have 2x100mbit links to each datacentre and the databcentres have 1x1Gbit link.


The problem:

Traffic to a certain network/host at datacentre 2 is overloading the link so we as the network admins have been asked if we can use the excess capacity on the link to datacentre 1 to spread the traffic.




First we setup the lab:

R1

interface Loopback0
ip address 192.168.101.1 255.255.255.0
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.13.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 192.168.12.0
network 192.168.13.0
network 192.168.101.0
no auto-summary
!


R2

interface Loopback0
ip address 10.100.10.1 255.255.255.0
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.23.2 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 10.100.10.0 0.0.0.255
network 192.168.12.0
network 192.168.23.0
no auto-summary
!


R3


interface Loopback0
ip address 10.200.10.1 255.255.255.0
!
interface Loopback3
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.13.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.23.3 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 3.3.3.3 0.0.0.0
network 10.200.10.0 0.0.0.255
network 192.168.13.0
network 192.168.23.0
no auto-summary
!




Now the offset lists:
R1

ip access-list standard LOOPBACK
permit 3.3.3.3

router eigrp 100
offset-list LOOPBACK in 4000 FastEthernet0/1



Confirming...

R1


R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.12.0/24 is directly connected, FastEthernet0/0
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
C 192.168.13.0/24 is directly connected, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/158720] via 192.168.12.2, 00:03:14, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
D 10.100.10.0 [90/156160] via 192.168.12.2, 00:05:48, FastEthernet0/0
D 10.200.10.0 [90/156160] via 192.168.13.3, 00:05:48, FastEthernet0/1
D 192.168.23.0/24 [90/30720] via 192.168.13.3, 00:05:48, FastEthernet0/1
[90/30720] via 192.168.12.2, 00:05:48, FastEthernet0/0
C 192.168.101.0/24 is directly connected, Loopback0



Note this bit:

3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/158720] via 192.168.12.2, 00:03:14, FastEthernet0/0

The succesor route is from 192.168.12.2 without the offset list it would be 192.168.13.3.

Here is the output from sh ip eigrp topology all-links

R1#sh ip eigrp topology all-links
IP-EIGRP Topology Table for AS(100)/ID(192.168.101.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 3.3.3.3/32, 1 successors, FD is 158720, serno 9
via 192.168.12.2 (158720/156160), FastEthernet0/0
via 192.168.13.3 (160160/132256), FastEthernet0/1
P 192.168.101.0/24, 1 successors, FD is 128256, serno 3
via Connected, Loopback0
P 10.100.10.0/24, 1 successors, FD is 156160, serno 6
via 192.168.12.2 (156160/128256), FastEthernet0/0
via 192.168.13.3 (158720/156160), FastEthernet0/1
P 192.168.12.0/24, 1 successors, FD is 28160, serno 1
via Connected, FastEthernet0/0
P 192.168.13.0/24, 1 successors, FD is 28160, serno 2
via Connected, FastEthernet0/1
P 192.168.23.0/24, 2 successors, FD is 30720, serno 7
via 192.168.12.2 (30720/28160), FastEthernet0/0
via 192.168.13.3 (30720/28160), FastEthernet0/1
P 10.200.10.0/24, 1 successors, FD is 156160, serno 4
via 192.168.13.3 (156160/128256), FastEthernet0/1
via 192.168.12.2 (158720/156160), FastEthernet0/0



Problem solved :)

Wednesday, 13 July 2011

Vyatta - Hub And Spoke - OSPF over GRE over IPSEC

So my planned more frequent updates to my blog did not exactly go to plan.

Oh well :) I'm posting today with a good one.

Today we are once again playing the role of a Managed Service Provider who is providing a Managed Cloud Service + Firewall the customer however has two Cisco 3745 routers.

We have two Hubs MSP-R1 and MSP-R2 both Vyatta and R1,R2 both IOS.


Here is a picture:




MSP-R1 - Set Up Interfaces:

interfaces {
ethernet eth0 {
address 213.111.222.1/24
description INTERNET
duplex auto
firewall {
in {
name WAN_IN
}
local {
name VYATTA_IN
}
}
hw-id 08:00:27:a2:7a:a9
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.45.1/24
description TRMSPTED
duplex auto
hw-id 08:00:27:03:40:e0
ip {
ospf {
dead-interval 40
hello-interval 10
priority 1
retransmit-interval 5
transmit-delay 1
}
}
smp_affinity auto
speed auto
}
ethernet eth2 {
duplex auto
hw-id 08:00:27:68:d2:71
smp_affinity auto
speed auto
}
loopback lo {
address 1.1.1.1/32
}
tunnel tun0 {
address 10.10.45.1/30
description Linkto R2
encapsulation gre
ip {
ospf {
dead-interval 6
hello-interval 2
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 1.1.1.1
multicast disable
remote-ip 2.2.2.2
ttl 255
}
tunnel tun1 {
address 10.10.45.5/30
description Linkto R2
encapsulation gre
ip {
ospf {
dead-interval 6
hello-interval 2
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 1.1.1.1
multicast disable
remote-ip 3.3.3.3
ttl 255
}
}



MSP-R2 - Set Up Interfaces:

interfaces {
ethernet eth0 {
address 213.111.222.10/24
description INTERNET
duplex auto
hw-id 08:00:27:31:80:53
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.45.1/24
duplex auto
hw-id 08:00:27:40:cd:1e
ip {
ospf {
dead-interval 40
hello-interval 10
priority 1
retransmit-interval 5
transmit-delay 1
}
}
smp_affinity auto
speed auto
}
loopback lo {
address 10.10.10.10/32
}
tunnel tun0 {
address 10.10.45.9/30
description Linkto R1
encapsulation gre
ip {
ospf {
dead-interval 6
hello-interval 2
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 10.10.10.10
multicast disable
remote-ip 2.2.2.2
ttl 255
}
tunnel tun1 {
address 10.10.45.13/30
description LinkTo R2
encapsulation gre
ip {
ospf {
dead-interval 6
hello-interval 2
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 10.10.10.10
multicast disable
remote-ip 3.3.3.3
ttl 255
}
}


R1 - Spoke set up interfaces:

interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 10.10.45.2 255.255.255.252
ip ospf hello-interval 2
ip ospf dead-interval 6
tunnel source Loopback0
tunnel destination 1.1.1.1
!
interface Tunnel1
ip address 10.10.45.10 255.255.255.252
ip ospf hello-interval 2
ip ospf dead-interval 6
tunnel source Loopback0
tunnel destination 10.10.10.10
!
interface FastEthernet0/0
ip address 76.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map MSP-MAP
!
interface FastEthernet0/1
ip address 10.101.0.1 255.255.255.0
duplex auto
speed auto
!



R2 - Spoke set up interfaces:

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 10.10.45.6 255.255.255.252
ip ospf hello-interval 2
ip ospf dead-interval 6
tunnel source Loopback0
tunnel destination 1.1.1.1
!
interface Tunnel1
ip address 10.10.45.14 255.255.255.252
ip ospf hello-interval 2
ip ospf dead-interval 6
tunnel source Loopback0
tunnel destination 10.10.10.10
!
interface FastEthernet0/0
ip address 76.2.2.2 255.255.255.0
duplex auto
speed auto
no cdp enable
crypto map MSP-MAP
!
interface FastEthernet0/1
ip address 10.202.0.1 255.255.255.0
duplex auto
speed auto
!


MSP-R1 Set up VPN:

vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
dead-peer-detection {
action restart
interval 30
timeout 30
}
lifetime 28800
proposal 1 {
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
exclude 192.168.45.0/24
}
}
nat-traversal enable
site-to-site {
peer 76.1.1.2 {
authentication {
mode pre-shared-secret
pre-shared-secret letmein
}
ike-group IKE-1W
local-ip 213.111.222.1
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-1W
local-subnet 1.1.1.1/32
remote-subnet 2.2.2.2/32
}
}
peer 76.2.2.2 {
authentication {
mode pre-shared-secret
pre-shared-secret letmein
}
ike-group IKE-1W
local-ip 213.111.222.1
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-1W
local-subnet 1.1.1.1/32
remote-subnet 3.3.3.3/32
}
}
}
}
}

MSP-R2 Set up VPN:

vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
dead-peer-detection {
action restart
interval 30
timeout 30
}
lifetime 28800
proposal 1 {
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
exclude 192.168.45.0/24
}
}
nat-traversal enable
site-to-site {
peer 76.1.1.2 {
authentication {
mode pre-shared-secret
pre-shared-secret letmein
}
ike-group IKE-1W
local-ip 213.111.222.10
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-1W
local-subnet 10.10.10.10/32
remote-subnet 2.2.2.2/32
}
}
peer 76.2.2.2 {
authentication {
mode pre-shared-secret
pre-shared-secret letmein
}
ike-group IKE-1W
local-ip 213.111.222.10
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-1W
local-subnet 10.10.10.10/32
remote-subnet 3.3.3.3/32
}
}
}
}
}



R1 Set up VPN:

!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac
!
crypto map MSP-MAP 10 ipsec-isakmp
set peer 213.111.222.1
set transform-set MSP-TRANSFORM
match address 101
crypto map MSP-MAP 20 ipsec-isakmp
set peer 213.111.222.10
set transform-set MSP-TRANSFORM
match address 102
!
!
access-list 101 permit 0 host 2.2.2.2 host 1.1.1.1
access-list 102 permit 0 host 2.2.2.2 host 10.10.10.10
!


R2 Set up VPN:

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
!
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac
!
crypto map MSP-MAP 10 ipsec-isakmp
set peer 213.111.222.1
set transform-set MSP-TRANSFORM
match address 101
crypto map MSP-MAP 20 ipsec-isakmp
set peer 213.111.222.10
set transform-set MSP-TRANSFORM
match address 102
!
!
access-list 101 permit 0 host 3.3.3.3 host 1.1.1.1
access-list 102 permit 0 host 3.3.3.3 host 10.10.10.10
!




MSP-R1 - OSPF setup

protocols {
ospf {
area 0 {
network 10.10.45.0/30
network 192.168.45.0/24
network 10.10.45.4/30
}
parameters {
abr-type cisco
router-id 1.1.1.1
}
}



MSP-R2 - OSPF setup

protocols {
ospf {
area 0 {
network 192.168.45.0/24
network 10.10.45.8/30
network 10.10.45.12/30
}
parameters {
abr-type cisco
router-id 10.10.10.10
}
}



R1 - OSPF setup

router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 10.10.45.0 0.0.0.3 area 0
network 10.10.45.8 0.0.0.3 area 0
network 10.101.0.0 0.0.0.255 area 0
maximum-paths 6
!



R2 - OSPF setup

router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 10.10.45.4 0.0.0.3 area 0
network 10.10.45.12 0.0.0.3 area 0
network 10.202.0.0 0.0.0.255 area 0
maximum-paths 6
!



Proof is in the pudding -


Routing Tables


R1:

Gateway of last resort is 76.1.1.1 to network 0.0.0.0

2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
O 192.168.43.0/24 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
[110/11121] via 10.10.43.1, 00:00:01, Tunnel0
76.0.0.0/24 is subnetted, 1 subnets
C 76.1.1.0 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.10.43.8/30 is directly connected, Tunnel1
O 10.10.43.12/30 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
C 10.10.43.0/30 is directly connected, Tunnel0
O 10.10.43.4/30 [110/11121] via 10.10.43.1, 00:00:01, Tunnel0
C 10.101.0.0/24 is directly connected, FastEthernet0/1
O 10.202.0.0/24 [110/11122] via 10.10.43.1, 00:00:01, Tunnel0
[110/11122] via 10.10.43.9, 00:00:01, Tunnel1
S* 0.0.0.0/0 [1/0] via 76.1.1.1


R2:

Gateway of last resort is 76.2.2.1 to network 0.0.0.0

3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
O 192.168.43.0/24 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
[110/11121] via 10.10.43.13, 00:01:29, Tunnel1
76.0.0.0/24 is subnetted, 1 subnets
C 76.2.2.0 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.10.43.8/30 [110/11121] via 10.10.43.13, 00:01:29, Tunnel1
C 10.10.43.12/30 is directly connected, Tunnel1
O 10.10.43.0/30 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
C 10.10.43.4/30 is directly connected, Tunnel0
O 10.101.0.0/24 [110/11122] via 10.10.43.5, 00:01:29, Tunnel0
[110/11122] via 10.10.43.13, 00:01:29, Tunnel1

Saturday, 13 November 2010

Vyatta to Cisco - Tunneling from ASA to Vyatta Using VMware and GNS

Its been a while since my last article/lab apologies for that, hopefully I will get back to my once a week schedule (fingers crossed)

So that lab today is for connecting a Vyatta router to a Cisco ASA/PIX and creating a Lan to Lan Tunnel with some one to one src/dst NAT thrown in for good measure :)

Here is the lab:




Here is the proof that is works:

Vyatta to Cisco - Tunneling from ASA to Vyatta Using VMware and GNS from Roggy on Vimeo.




Vyatta config:

interfaces {
ethernet eth0 {
address 10.0.19.1/24
address 10.0.19.10/24
duplex auto
hw-id 00:0c:29:5d:91:c6
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.10.1/24
duplex auto
hw-id 00:0c:29:5d:91:d0
smp_affinity auto
speed auto
}
ethernet eth2 {
duplex auto
hw-id 00:0c:29:5d:91:da
smp_affinity auto
speed auto
}
loopback lo {
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 10.0.19.9 {
}
}
}
}
service {
nat {
rule 5 {
destination {
address 10.20.0.0/24
}
exclude
outbound-interface eth0
source {
address 192.168.10.0/24
}
type masquerade
}
rule 100 {
outbound-interface eth0
outside-address {
address 10.0.19.10
}
source {
address 192.168.10.10
}
type source
}
rule 110 {
destination {
address 10.0.19.10
}
inbound-interface eth0
inside-address {
address 192.168.10.10
}
protocol tcp
type destination
}
rule 900 {
outbound-interface eth0
source {
address 192.168.10.0/24
}
type masquerade
}
}
ssh {
allow-root
port 22
protocol-version v2
}
}
system {
host-name R1
login {
user vyatta {
authentication {
encrypted-password $1$Oxg1L7oM$v4Vi.4pW3Ai/fPFIzpDzC0
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
package {
auto-sync 1
repository community {
components main
distribution stable
password ""
url http://packages.vyatta.com/vyatta
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}
vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 3600
mode tunnel
pfs disable
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
lifetime 86400
proposal 1 {
dh-group 2
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer 10.0.29.2 {
authentication {
mode pre-shared-secret
pre-shared-secret letmein
}
ike-group IKE-1W
local-ip 10.0.19.1
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-1W
local-subnet 192.168.10.0/24
remote-subnet 10.20.0.0/24
}
}
}
}
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "webgui@1:dhcp-server@4:conntrack-sync@1:firewall@3:qos@1:webproxy@1:vrrp@1:nat@3:ipsec@2:wanloadbalance@2:cluster@1:system@3:quagga@2:dhcp-relay@1" === */




Pix Config:

!
PIX Version 8.0(2)
!
hostname FW1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.29.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp extended permit icmp any any
access-list NO-NAT extended permit ip 10.20.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 10.20.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmp in interface outside
access-group icmp out interface outside
access-group icmp in interface inside
access-group icmp out interface inside
route outside 0.0.0.0 0.0.0.0 10.0.29.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-sha-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.19.1
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto map FW1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 10.0.19.1 type ipsec-l2l
tunnel-group 10.0.19.1 ipsec-attributes
pre-shared-key letmein
prompt hostname context




Enjoy!

Monday, 23 August 2010

Vyatta - Remote Access VPN with L2TP and PPTP

Hi,

I have done a remote access VPN lab before - with OpenVPN. This one is with the more widely accepted L2TP and PPTP. So accepted infact that both the iphone and ipad like it too.

So here we go how to configure a VM to allow remote access from iPhone,iPad and Windows Xp.

Part1:
Introduction
Setup

Vyatta - Remote Access VPN - L2TP,PPTP -Part1 from Roggy on Vimeo.



Part2:
Setup Continued

Vyatta - Remote Access VPN - L2TP,PPTP -Part2 from Roggy on Vimeo.



Part3:
Actually Configuring L2TP and PPTP

Vyatta - Remote Access VPN - L2TP,PPTP -Part3 from Roggy on Vimeo.



Part4:
Settting up Firewall

Vyatta - Remote Access VPN - L2TP,PPTP -Part4 from Roggy on Vimeo.

Thursday, 29 July 2010

Vyatta - Final 6.0 with updated VMtools for vSphere 4.1

So its been a busy few weeks with all the news and related blog articles on vSphere 4.1
I finally got around to extracting vmtools 8.3.x and intergrating it into the Vyatta Appliance.

There is also something different with this release, the source code for vmtools has been modified to prevent Large Recieve Offload.LRO is defined as:

In computer networking, large receive offload is a technique for increasing inbound throughput of high-bandwidth network connections by reducing CPU overhead. It works by aggregating multiple incoming packets from a single stream into a larger buffer before they are passed higher up the networking stack, thus reducing the number of packets that have to be processed. In Linux, it is generally used in conjunction with the New API (NAPI) to also reduce the number of interrupts.

There have been a few users reporting an issue with LRO and others requesting the intergration of the latest version of VMtools..so here you go:

Download Vyatta VC 6 with LRO patch and the latest VMtools


I would like a few people to test this release and let mw know how it goes before making it live on the VAM.



References:
http://www.vyatta.org/forum/viewtopic.php?t=3030&postdays=0&postorder=asc&start=105
http://nwsmith.blogspot.com/2010/07/patching-vmxnet-to-disable-lro.html
http://en.wikipedia.org/wiki/Large_receive_offload