Oh well :) I'm posting today with a good one.
Today we are once again playing the role of a Managed Service Provider (MSP) providing a managed cloud service plus firewall; the customer, however, has two Cisco 3745 routers of their own.
We have two hubs, MSP-R1 and MSP-R2, both running Vyatta, and two customer spokes, R1 and R2, both running Cisco IOS. The design is GRE tunnels between loopbacks, with IPsec protecting only the loopback-to-loopback GRE traffic and OSPF running inside the tunnels, so customer prefixes never have to be added to the IPsec policy.
Here is a picture:

MSP-R1 - Set Up Interfaces:
/* MSP-R1 (hub, Vyatta). lo 1.1.1.1 is the GRE and IPsec endpoint both spokes point at. */
/* eth0 faces the Internet and carries IKE/ESP from the spokes; eth1 is the hub LAN shared with MSP-R2. */
interfaces {
    /* Internet-facing. "in" filters forwarded traffic, "local" filters traffic to the router itself. */
    /* The rule sets are not shown in this post; VYATTA_IN must admit UDP 500, UDP 4500 (nat-traversal is */
    /* enabled) and ESP from the spoke addresses 76.1.1.2 and 76.2.2.2 or the tunnels will never come up. */
    ethernet eth0 {
        address 213.111.222.1/24
        description INTERNET
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name VYATTA_IN
            }
        }
        hw-id 08:00:27:a2:7a:a9
        smp_affinity auto
        speed auto
    }
    /* Hub LAN towards MSP-R2. OSPF runs here with default timers, no authentication, and outside IPsec. */
    /* NOTE(review): MSP-R2 eth1 is listed with the very same address 192.168.45.1/24; two routers sharing */
    /* one host address on one segment will conflict, so the hub-to-hub path over eth1 cannot be relied on */
    /* until one of them is given a different host address in 192.168.45.0/24. */
    ethernet eth1 {
        address 192.168.45.1/24
        description TRMSPTED
        duplex auto
        hw-id 08:00:27:03:40:e0
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        smp_affinity auto
        speed auto
    }
    /* Unused: no address configured. */
    ethernet eth2 {
        duplex auto
        hw-id 08:00:27:68:d2:71
        smp_affinity auto
        speed auto
    }
    /* Tunnel endpoint. It is not listed under protocols ospf area 0 and must stay that way: learning */
    /* the endpoint over the GRE tunnels themselves would make the tunnels recurse. */
    loopback lo {
        address 1.1.1.1/32
    }
    /* GRE to spoke R1: remote-ip 2.2.2.2 is R1's Loopback0, so this description should read "Linkto R1". */
    /* GRE has no confidentiality or integrity of its own; this tunnel is protected only because the vpn */
    /* section has an IPsec policy for 1.1.1.1/32 <-> 2.2.2.2/32, which is exactly the GRE carrier. */
    /* hello 2 / dead 6 match the spoke's "ip ospf hello-interval 2 / dead-interval 6"; a 6 s dead timer */
    /* across the Internet is aggressive and may flap during IKE rekeys or DPD restarts (DPD is 30 s/30 s). */
    tunnel tun0 {
        address 10.10.45.1/30
        description Linkto R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 1.1.1.1
        multicast disable
        remote-ip 2.2.2.2
        ttl 255
    }
    /* GRE to spoke R2 (Loopback0 3.3.3.3); protected by the 1.1.1.1/32 <-> 3.3.3.3/32 IPsec policy. */
    tunnel tun1 {
        address 10.10.45.5/30
        description Linkto R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 1.1.1.1
        multicast disable
        remote-ip 3.3.3.3
        ttl 255
    }
}
MSP-R2 - Set Up Interfaces:
/* MSP-R2 (second hub, Vyatta). lo 10.10.10.10 is the GRE and IPsec endpoint both spokes point at. */
interfaces {
    /* Internet-facing; IKE/ESP from the spokes terminate on 213.111.222.10. */
    /* NOTE(review): unlike MSP-R1 eth0, no firewall is attached here, so IKE/ESP and everything else */
    /* reaching this address hits the router unfiltered. Apply the same WAN_IN / VYATTA_IN rule sets */
    /* (or equivalents) so both hubs expose the same surface. */
    ethernet eth0 {
        address 213.111.222.10/24
        description INTERNET
        duplex auto
        hw-id 08:00:27:31:80:53
        smp_affinity auto
        speed auto
    }
    /* Hub LAN towards MSP-R1 (no description here, MSP-R1 calls it TRMSPTED). OSPF runs in the clear */
    /* with no authentication on this segment. */
    /* NOTE(review): this is the same address MSP-R1 eth1 uses (192.168.45.1/24); one of the two hubs */
    /* needs a different host address or the shared LAN cannot work. */
    ethernet eth1 {
        address 192.168.45.1/24
        duplex auto
        hw-id 08:00:27:40:cd:1e
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        smp_affinity auto
        speed auto
    }
    /* Tunnel endpoint; not advertised in OSPF (correct, see the note on MSP-R1 lo) and reachable */
    /* from the spokes only through IPsec (their access-list 102). */
    loopback lo {
        address 10.10.10.10/32
    }
    /* GRE to spoke R1 (Loopback0 2.2.2.2); protected by the 10.10.10.10/32 <-> 2.2.2.2/32 IPsec policy. */
    /* hello 2 / dead 6 match the spoke timers; aggressive for an Internet path, see MSP-R1 tun0. */
    tunnel tun0 {
        address 10.10.45.9/30
        description Linkto R1
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 10.10.10.10
        multicast disable
        remote-ip 2.2.2.2
        ttl 255
    }
    /* GRE to spoke R2 (Loopback0 3.3.3.3); protected by the 10.10.10.10/32 <-> 3.3.3.3/32 IPsec policy. */
    tunnel tun1 {
        address 10.10.45.13/30
        description LinkTo R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 10.10.10.10
        multicast disable
        remote-ip 3.3.3.3
        ttl 255
    }
}
R1 - Spoke set up interfaces:
! R1 (customer spoke, IOS). Loopback0 2.2.2.2 is the GRE source and the only local
! address the crypto ACLs (101/102) cover; the customer LAN is on FastEthernet0/1.
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! GRE to MSP-R1 (1.1.1.1 is its loopback). No "tunnel mode" is set, so this is the
! IOS default GRE/IP, matching "encapsulation gre" on the hub. Timers match the
! hub's hello 2 / dead 6. The GRE packets (2.2.2.2 -> 1.1.1.1) follow the default
! route out FastEthernet0/0, where crypto map MSP-MAP / ACL 101 encrypts them.
interface Tunnel0
 ip address 10.10.45.2 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
! GRE to MSP-R2 (10.10.10.10 is its loopback); encrypted via crypto map entry 20 / ACL 102.
interface Tunnel1
 ip address 10.10.45.10 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 10.10.10.10
!
! Internet-facing. Crypto map MSP-MAP terminates IPsec here towards 213.111.222.1
! and 213.111.222.10.
! NOTE(review): R2's FastEthernet0/0 carries "no cdp enable" but this one does not;
! if CDP is running (the IOS default), add "no cdp enable" here too so platform and
! software details are not advertised to the upstream segment.
! NOTE(review): there is no inbound access-list on this interface; only IKE
! (UDP 500/4500) and ESP from the two hub addresses need to reach the router.
interface FastEthernet0/0
 ip address 76.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MSP-MAP
!
! Customer LAN, advertised into OSPF area 0 by "router ospf 1".
interface FastEthernet0/1
 ip address 10.101.0.1 255.255.255.0
 duplex auto
 speed auto
!
R2 - Spoke set up interfaces:
! R2 (customer spoke, IOS). Loopback0 3.3.3.3 is the GRE source and the only local
! address the crypto ACLs (101/102) cover; the customer LAN is on FastEthernet0/1.
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
! GRE to MSP-R1 (loopback 1.1.1.1); IOS default GRE/IP since no "tunnel mode" is set.
! Timers match the hub's hello 2 / dead 6. Encrypted on FastEthernet0/0 by crypto
! map entry 10 / ACL 101.
interface Tunnel0
 ip address 10.10.45.6 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
! GRE to MSP-R2 (loopback 10.10.10.10); encrypted by crypto map entry 20 / ACL 102.
interface Tunnel1
 ip address 10.10.45.14 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 10.10.10.10
!
! Internet-facing. CDP is disabled here (R1's equivalent interface is missing this).
! NOTE(review): no inbound access-list; only IKE (UDP 500/4500) and ESP from
! 213.111.222.1 and 213.111.222.10 need to reach the router.
interface FastEthernet0/0
 ip address 76.2.2.2 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 crypto map MSP-MAP
!
! Customer LAN, advertised into OSPF area 0 by "router ospf 1".
interface FastEthernet0/1
 ip address 10.202.0.1 255.255.255.0
 duplex auto
 speed auto
!
MSP-R1 Set up VPN:
/* MSP-R1 IPsec: two policy-based site-to-site tunnels, one per spoke, each covering only this hub's */
/* loopback and that spoke's loopback, i.e. the GRE carrier. Customer prefixes ride inside GRE. */
vpn {
    ipsec {
        /* Phase 2. NOTE(review): 3DES (64-bit block) and SHA-1 are legacy; move to AES (aes128/aes256) */
        /* with the spokes' transform-set changed in step (theirs is esp-3des esp-sha-hmac). */
        /* lifetime 3600 matches the IOS default IPsec SA lifetime. */
        /* pfs enable: the spoke crypto maps have no "set pfs", so PFS is honoured only because this side */
        /* offers it; add "set pfs" on the IOS side so it is enforced from both ends. */
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        /* Phase 1. No dh-group is set, so the Vyatta default (presumably group 2, matching the spokes' */
        /* "group 2") applies; 1024-bit MODP is below current recommendations and should be raised to */
        /* group 14 or higher on all four routers at once, if the IOS images support it. */
        /* DPD: 30 s interval + 30 s timeout before restart; the OSPF dead timer on the tunnels is 6 s, */
        /* so OSPF notices a dead peer long before DPD does. */
        ike-group IKE-1W {
            dead-peer-detection {
                action restart
                interval 30
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        /* IKE/ESP are bound to eth0, where the VYATTA_IN local firewall must permit UDP 500, UDP 4500 */
        /* and ESP from 76.1.1.2 and 76.2.2.2. */
        ipsec-interfaces {
            interface eth0
        }
        /* NOTE(review): neither tunnel below enables allow-nat-networks, so this catch-all entry appears */
        /* unused; remove it rather than leave 0.0.0.0/0 waiting for a later "allow-nat-networks enable". */
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 192.168.45.0/24
            }
        }
        /* UDP 4500 encapsulation is negotiated only if a NAT is detected between the peers. */
        nat-traversal enable
        site-to-site {
            /* Spoke R1 (WAN 76.1.1.2, Loopback0 2.2.2.2). */
            /* NOTE(review): "letmein" is a trivially guessable PSK and the same secret is configured for */
            /* every peer on both hubs, so a secret read from one spoke's config authenticates every */
            /* tunnel in the mesh. Use a long random secret unique to each peer, or certificates. */
            peer 76.1.1.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.1
                /* Proxy IDs 1.1.1.1/32 <-> 2.2.2.2/32 must mirror the spoke's access-list 101 exactly. */
                /* Adding a customer prefix never requires touching this policy; OSPF carries it in GRE. */
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 1.1.1.1/32
                    remote-subnet 2.2.2.2/32
                }
            }
            /* Spoke R2 (WAN 76.2.2.2, Loopback0 3.3.3.3); same PSK concern as above. */
            peer 76.2.2.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.1
                /* Mirrors the spoke's access-list 101 (3.3.3.3 <-> 1.1.1.1). */
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 1.1.1.1/32
                    remote-subnet 3.3.3.3/32
                }
            }
        }
    }
}
MSP-R2 Set up VPN:
/* MSP-R2 IPsec: same structure as MSP-R1, terminating on 213.111.222.10 with loopback 10.10.10.10 */
/* as the protected endpoint. NOTE(review): eth0 on this hub has no firewall attached (see the */
/* interfaces section), so IKE/ESP and everything else reach this router unfiltered. */
vpn {
    ipsec {
        /* Phase 2: 3DES/SHA-1, tunnel mode, 3600 s (IOS default SA lifetime), PFS offered. */
        /* NOTE(review): 3DES and SHA-1 are legacy; move to AES together with the spokes' transform-set. */
        /* The spokes have no "set pfs", so PFS holds only because this side proposes it. */
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        /* Phase 1: no dh-group set (default, presumably group 2, matching the spokes' "group 2"); */
        /* raise to group 14+ on all four routers at once if supported. DPD 30 s / 30 s, restart. */
        ike-group IKE-1W {
            dead-peer-detection {
                action restart
                interval 30
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        /* IKE/ESP bound to eth0 (213.111.222.10). */
        ipsec-interfaces {
            interface eth0
        }
        /* NOTE(review): both tunnels below have allow-nat-networks disable, so this 0.0.0.0/0 entry */
        /* appears unused; remove it rather than keep a catch-all that a later change could activate. */
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 192.168.45.0/24
            }
        }
        /* UDP 4500 encapsulation only if a NAT is detected between the peers. */
        nat-traversal enable
        site-to-site {
            /* Spoke R1 (WAN 76.1.1.2, Loopback0 2.2.2.2). */
            /* NOTE(review): "letmein" is the same weak PSK used on every peer of both hubs; use a long */
            /* random secret unique per peer, or certificates. */
            peer 76.1.1.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.10
                /* Proxy IDs must mirror the spoke's access-list 102 (2.2.2.2 <-> 10.10.10.10) exactly. */
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 10.10.10.10/32
                    remote-subnet 2.2.2.2/32
                }
            }
            /* Spoke R2 (WAN 76.2.2.2, Loopback0 3.3.3.3); same PSK concern as above. */
            peer 76.2.2.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.10
                /* Mirrors the spoke's access-list 102 (3.3.3.3 <-> 10.10.10.10). */
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 10.10.10.10/32
                    remote-subnet 3.3.3.3/32
                }
            }
        }
    }
}
R1 Set up VPN:
!
! R1 IPsec towards both hubs.
! IKE policy: no "hash" or "lifetime" lines, so IOS defaults apply (SHA-1, 86400 s);
! the hub proposes 28800 s and IOS settles on the shorter value.
! NOTE(review): "encr 3des" and "group 2" (1024-bit MODP) are both below current
! recommendations. Move to AES and DH group 14 or higher, but on all four routers
! at once: the hub's IKE-1W / ESP-1W groups must change in step or Phase 1 fails.
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
! NOTE(review): the same trivial PSK "letmein" authenticates both hubs, and the
! hubs use it for both spokes, so one leaked config compromises every tunnel.
! Use a long random secret unique per peer, and store it as "crypto isakmp key 6"
! under "password encryption aes" where the image supports it — type 7 from
! "service password-encryption" is reversible.
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
! ESP 3DES/SHA-1 in tunnel mode (IOS default), matching the hub's ESP-1W.
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac 
!
! One crypto-map entry per hub. No "set pfs": PFS is then only accepted when the
! peer offers it (the hubs have "pfs enable"); add "set pfs group2" (or the group
! you migrate to) so it is enforced from this side as well. No SA lifetime is set,
! so the IOS default 3600 s applies, matching the hub's ESP lifetime 3600.
crypto map MSP-MAP 10 ipsec-isakmp 
 set peer 213.111.222.1
 set transform-set MSP-TRANSFORM 
 match address 101
crypto map MSP-MAP 20 ipsec-isakmp 
 set peer 213.111.222.10
 set transform-set MSP-TRANSFORM 
 match address 102
!
!
! Crypto ACLs: loopback-to-loopback only, i.e. the GRE carrier. These must mirror
! the hub's local-subnet/remote-subnet (1.1.1.1/32 <-> 2.2.2.2/32 and
! 10.10.10.10/32 <-> 2.2.2.2/32) exactly or Phase 2 proxy-ID negotiation fails.
! "permit 0" is protocol number 0 and is presumably meant as "permit ip";
! "permit gre" would be tighter, but the Vyatta tunnel policy has no protocol
! selector, so both ends would have to change together.
access-list 101 permit 0 host 2.2.2.2 host 1.1.1.1
access-list 102 permit 0 host 2.2.2.2 host 10.10.10.10
!
R2 Set up VPN:
! R2 IPsec towards both hubs; identical to R1 apart from the local loopback.
! IKE policy: IOS defaults for hash (SHA-1) and lifetime (86400 s; negotiated
! down to the hub's 28800 s).
! NOTE(review): 3DES and DH group 2 (1024-bit MODP) are legacy; migrate to AES
! and group 14+ on all four routers in one change window.
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
! NOTE(review): same weak, shared PSK "letmein" as every other peer in the mesh;
! use a long random secret unique per peer and "key 6" storage where supported.
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
!
! ESP 3DES/SHA-1, tunnel mode (IOS default), matching the hub's ESP-1W.
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac 
!
! One entry per hub. No "set pfs" (PFS only accepted when the hub offers it —
! add it here to enforce) and no SA lifetime (IOS default 3600 s, matching the hub).
crypto map MSP-MAP 10 ipsec-isakmp 
 set peer 213.111.222.1
 set transform-set MSP-TRANSFORM 
 match address 101
crypto map MSP-MAP 20 ipsec-isakmp 
 set peer 213.111.222.10
 set transform-set MSP-TRANSFORM 
 match address 102
!
!
! Crypto ACLs covering only the GRE carrier; they must mirror the hubs'
! local-subnet/remote-subnet for 3.3.3.3 exactly. "permit 0" is protocol 0,
! presumably intended as "permit ip" (see the note on R1's ACLs).
access-list 101 permit 0 host 3.3.3.3 host 1.1.1.1
access-list 102 permit 0 host 3.3.3.3 host 10.10.10.10
!
MSP-R1 - OSPF setup
/* MSP-R1 OSPF: single area 0 over the two GRE tunnels and the hub LAN. */
/* router-id is the loopback, but 1.1.1.1/32 itself is not advertised — keep it that way, since */
/* learning the tunnel endpoint over the tunnels would recurse. abr-type cisco has no effect with one area. */
/* NOTE(review): OSPF on 192.168.45.0/24 (eth1) runs in the clear with no authentication; the tunnel */
/* adjacencies are inside IPsec, the LAN adjacency is not. */
/* The listing as posted is missing the closing brace of "protocols". */
protocols {
    ospf {
        area 0 {
            network 10.10.45.0/30
            network 192.168.45.0/24
            network 10.10.45.4/30
        }
        parameters {
            abr-type cisco
            router-id 1.1.1.1
        }
    }
MSP-R2 - OSPF setup
/* MSP-R2 OSPF: single area 0 over its two GRE tunnels and the hub LAN. */
/* router-id is the loopback; 10.10.10.10/32 is (correctly) not advertised into OSPF. */
/* NOTE(review): as on MSP-R1, the 192.168.45.0/24 adjacency has no authentication and is outside IPsec. */
/* The listing as posted is missing the closing brace of "protocols". */
protocols {
    ospf {
        area 0 {
            network 192.168.45.0/24
            network 10.10.45.8/30
            network 10.10.45.12/30
        }
        parameters {
            abr-type cisco
            router-id 10.10.10.10
        }
    }
R1 - OSPF setup
! R1 OSPF: both tunnels plus the customer LAN in area 0. "maximum-paths 6" lets the
! two equal-cost hub paths be installed together (the routing table below shows
! 10.202.0.0/24 via Tunnel0 and Tunnel1). Loopback0 is correctly not advertised.
! NOTE(review): without "passive-interface FastEthernet0/1" hellos are sent onto the
! customer LAN 10.101.0.0/24 and any host there can form an adjacency and inject
! routes into the whole MSP mesh; add it unless a downstream OSPF router lives there.
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 10.10.45.0 0.0.0.3 area 0
 network 10.10.45.8 0.0.0.3 area 0
 network 10.101.0.0 0.0.0.255 area 0
 maximum-paths 6
!
R2 - OSPF setup
! R2 OSPF: mirror of R1 with the customer LAN 10.202.0.0/24. Loopback0 is
! correctly not advertised; "maximum-paths 6" allows ECMP across both hubs.
! NOTE(review): add "passive-interface FastEthernet0/1" so OSPF hellos are not
! sent onto the customer LAN, where a rogue neighbour could inject routes.
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 10.10.45.4 0.0.0.3 area 0
 network 10.10.45.12 0.0.0.3 area 0
 network 10.202.0.0 0.0.0.255 area 0
 maximum-paths 6
!
Proof is in the pudding -
Routing Tables (note: these captures show 192.168.43.0/24 and 10.10.43.x where the configurations above use 192.168.45.0/24 and 10.10.45.x — they were evidently taken from an earlier addressing of the same lab; read 43 as 45, the topology is otherwise identical)
R1:
Gateway of last resort is 76.1.1.1 to network 0.0.0.0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
O    192.168.43.0/24 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
                     [110/11121] via 10.10.43.1, 00:00:01, Tunnel0
     76.0.0.0/24 is subnetted, 1 subnets
C       76.1.1.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.10.43.8/30 is directly connected, Tunnel1
O       10.10.43.12/30 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
C       10.10.43.0/30 is directly connected, Tunnel0
O       10.10.43.4/30 [110/11121] via 10.10.43.1, 00:00:01, Tunnel0
C       10.101.0.0/24 is directly connected, FastEthernet0/1
O       10.202.0.0/24 [110/11122] via 10.10.43.1, 00:00:01, Tunnel0
                      [110/11122] via 10.10.43.9, 00:00:01, Tunnel1
S*   0.0.0.0/0 [1/0] via 76.1.1.1
R2:
Gateway of last resort is 76.2.2.1 to network 0.0.0.0
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
O    192.168.43.0/24 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
                     [110/11121] via 10.10.43.13, 00:01:29, Tunnel1
     76.0.0.0/24 is subnetted, 1 subnets
C       76.2.2.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O       10.10.43.8/30 [110/11121] via 10.10.43.13, 00:01:29, Tunnel1
C       10.10.43.12/30 is directly connected, Tunnel1
O       10.10.43.0/30 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
C       10.10.43.4/30 is directly connected, Tunnel0
O       10.101.0.0/24 [110/11122] via 10.10.43.5, 00:01:29, Tunnel0
                      [110/11122] via 10.10.43.13, 00:01:29, Tunnel1
Which Vyatta version is this using?
hey roggy, I have a question not about this post, but sorry I don't know where to post it, so I will be quick:
Vyatta load balancing with VPN (PPTP): my two modems connect to the Internet and I made a VPN port redirection for one of them, and it does not work with the load balancing configuration. Is there any special configuration for that? Thanks.
It's using VC 6.1.
As for VPN and LB, be careful with NAT.
Vyatta's LB rules already include NAT, so you normally don't need anything under "service nat".
Hi Roggy, where can I contact you privately? The question I have is of a technical nature and also has a financial aspect.
Rgds,
Good to see a new post Roggy; I thought you might have been busy for a while.
I still find myself coming back here from time to time to run through the great videos you have.
Keep up the good work — I have the same problem as you trying to keep up with my own blog.
Keep it up Roggy! We all enjoy your blog.
I especially like the Vyatta-related stuff.
Roggy, do you mind if I add a link on Ubiquiti's website to your Vyatta videos? Since EdgeMax is based off a fork of Vyatta, many of our customers would find your videos useful too.
No problem — I really like the Ubiquiti APs and the EdgeMax :)
What happened to Roggy? Where are you? Nothing since 2012. We really miss you. Does anyone know where he is now?