3. Configuration
3.1. License
For each VSR node of this setup, follow the Getting Started guide to provide a minimal Day-1 configuration and install a valid and relevant license.
A valid IPsec Application License is required. Using show license, check that IPsec is activated.
vsr> show license
Active perpetual license for Virtual Service Router
Current activations 1/1
Connected to license server (last contact 2025-02-22 21:25:00)
Lease is valid until 2025-02-22 21:24:59
Serial number is XXXXXXXXXXXXXXX
Computer ID is OoBA4IqJDHTA7eQmwbRv
License was activated online
Support is valid until 2025-12-31 06:00:00 (standard mode)
Max throughput 20.0G (moving average 0.0G)
IPsec activated for 100000 tunnels (currently used 0)
vsr>
3.2. Network connectivity
3.2.1. Security Gateway node
Note
The following configuration is for the VRRP Master node; the matching Backup configuration should be set on the VRRP Backup node.
Hostname
Using the VSR CLI, let us start with setting the hostname.
vsr> edit running
vsr running config# system hostname secgw1
vsr running config# commit
secgw1 running config#
Interfaces
Allocate the ports that will be involved in data plane processing into the fast path:
secgw1 running config# / system fast-path
secgw1 running fast-path#! port pci-b0s4
secgw1 running fast-path# port pci-b0s5
After wiping the Day-1 configuration, set up the corresponding physical interfaces: one to connect to the internet, with a public IP address; another one to connect to the LAN; and yet another one that will be used to exchange HA synchronization data between Master and Backup nodes.
secgw1 running fast-path# del / vrf main
secgw1 running fast-path# / vrf main
secgw1 running vrf main# interface physical ntfp1
secgw1 running physical ntfp1#! port pci-b0s4
secgw1 running physical ntfp1# description ISP
secgw1 running physical ntfp1# ipv4 address 66.66.66.67/29
secgw1 running physical ntfp1# .. physical ntfp2
secgw1 running physical ntfp2#! port pci-b0s5
secgw1 running physical ntfp2# description LAN
secgw1 running physical ntfp2# ipv4 address 172.30.0.2/24
secgw1 running physical ntfp2# .. physical ntfp3
secgw1 running physical ntfp3#! port pci-b0s6
secgw1 running physical ntfp3# description IKE_HA
secgw1 running physical ntfp3# ipv4 address 10.150.0.1/30
Review the configuration and commit it:
secgw1 running physical ntfp3# show config nodefault /
vrf main
interface
physical ntfp1
port pci-b0s4
description ISP
(...)
secgw1 running physical ntfp3# commit
Configuration committed.
See also
The User’s Guide for more information about:
DNS
The Security Gateways require a valid DNS server to contact the license server:
secgw1 running physical ntfp3# / vrf main dns server 8.8.8.8
secgw1 running physical ntfp3# commit
Configuration committed.
VRRP
For VRRP, we will need to set a virtual IP address that will be the unique VPN address for road warriors, and a virtual IP address on the LAN side as well. The two instances should be grouped together in order to always have both virtual IPs (VIPs) associated with the same node.
Note
priority should be set to 150 on the Master node and left to its default value (100) on the Backup node.
While we are at VRRP, let’s go one step further and configure HA for IKE — although it is not needed for bare network connectivity and could be added later. Our VRRP group will control the HA state: the VRRP state (Master or Backup) becomes the HA state for IKE, and any later change of the VRRP state is replicated to IKE HA.
secgw1 running physical ntfp3# / vrf main interface vrrp vrrp_lan
secgw1 running vrrp vrrp_lan#! link-interface ntfp2
secgw1 running vrrp vrrp_lan#! vrid 1
secgw1 running vrrp vrrp_lan# priority 150
secgw1 running vrrp vrrp_lan# preempt-delay 60
secgw1 running vrrp vrrp_lan# track-fast-path true
secgw1 running vrrp vrrp_lan# virtual-address 172.30.0.1/24
secgw1 running vrrp vrrp_lan# .. vrrp vrrp_public
secgw1 running vrrp vrrp_public#! link-interface ntfp1
secgw1 running vrrp vrrp_public#! vrid 2
secgw1 running vrrp vrrp_public# priority 150
secgw1 running vrrp vrrp_public# preempt-delay 60
secgw1 running vrrp vrrp_public# track-fast-path true
secgw1 running vrrp vrrp_public# virtual-address 66.66.66.66/29
secgw1 running vrrp vrrp_public# / vrf main vrrp
secgw1 running vrrp# router-id secgw1
secgw1 running vrrp# group vrrp_group
secgw1 running group vrrp_group# instance vrrp_lan
secgw1 running group vrrp_group# instance vrrp_public
secgw1 running group vrrp_group# notify-ha-group ha_for_ike
secgw1 running group vrrp_group#! / ha group ha_for_ike
secgw1 running group ha_for_ike# commit
Configuration committed.
Routing
Our Security Gateways are directly connected to the LAN, so there is no particular routing configuration to add on the LAN side.
On the other hand, we will need to configure a BGP peering with the Internet node in order to get routes to the road warriors. No routes need to be announced from the Security Gateways to the internet, so we will filter out any route towards the eBGP peering.
secgw1 running group ha_for_ike# / vrf main routing bgp
secgw1 running bgp#! as 65001
secgw1 running bgp# router-id 66.66.66.67
secgw1 running bgp# ebgp-requires-policy false
secgw1 running bgp# neighbor 66.66.66.68
secgw1 running neighbor 66.66.66.68#! remote-as 65001
secgw1 running neighbor 66.66.66.68# neighbor-description secgw2
secgw1 running neighbor 66.66.66.68# address-family ipv4-unicast
secgw1 running ipv4-unicast# soft-reconfiguration-inbound true
secgw1 running ipv4-unicast# .. .. .. neighbor 66.66.66.69
secgw1 running neighbor 66.66.66.69#! remote-as 65002
secgw1 running neighbor 66.66.66.69# neighbor-description ISP
secgw1 running neighbor 66.66.66.69# address-family ipv4-unicast
secgw1 running ipv4-unicast# prefix-list out prefix-list-name deny_any_ipv4
secgw1 running ipv4-unicast#! prefix-list in prefix-list-name filter_bogons
secgw1 running ipv4-unicast#! soft-reconfiguration-inbound true
secgw1 running ipv4-unicast#! / routing
secgw1 running routing#! ipv4-prefix-list deny_any_ipv4 seq 10 address 0.0.0.0/0 policy deny
secgw1 running routing#! ipv4-prefix-list filter_bogons
secgw1 running ipv4-prefix-list filter_bogons#! seq 5 address 0.0.0.0/8 policy deny le 32
secgw1 running ipv4-prefix-list filter_bogons# seq 10 address 10.0.0.0/8 policy deny le 32
secgw1 running ipv4-prefix-list filter_bogons# seq 15 address 127.0.0.0/8 policy deny le 32
secgw1 running ipv4-prefix-list filter_bogons# seq 20 address 169.254.0.0/16 policy deny le 32
secgw1 running ipv4-prefix-list filter_bogons# seq 25 address 172.16.0.0/12 policy deny le 32
secgw1 running ipv4-prefix-list filter_bogons# seq 30 address 192.168.0.0/16 policy deny le 32
secgw1 running ipv4-prefix-list filter_bogons# seq 35 address 224.0.0.0/3 policy deny le 32
secgw1 running ipv4-prefix-list filter_bogons# seq 40 address 0.0.0.0/0 policy permit le 32
secgw1 running ipv4-prefix-list filter_bogons# commit
Configuration committed.
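The two prefix-lists above deserve a closer look, because their effect depends on how entries are matched. The following Python model is an added example, not part of the 6WIND documentation; it assumes the usual FRR prefix-list semantics (entries are tried in seq order and the first match wins, an entry without le/ge matches only that exact prefix length, and a prefix matching no entry hits the implicit deny) and evaluates the page's deny_any_ipv4 and filter_bogons lists against constructed sample prefixes.

```python
from ipaddress import ip_network

# Entries transcribed from the secgw1 configuration: (seq, prefix, policy, le).
# 'le' is None when the entry carries no le/ge, i.e. it matches the exact length only.
DENY_ANY_IPV4 = [(10, "0.0.0.0/0", "deny", None)]
FILTER_BOGONS = [
    (5, "0.0.0.0/8", "deny", 32),
    (10, "10.0.0.0/8", "deny", 32),
    (15, "127.0.0.0/8", "deny", 32),
    (20, "169.254.0.0/16", "deny", 32),
    (25, "172.16.0.0/12", "deny", 32),
    (30, "192.168.0.0/16", "deny", 32),
    (35, "224.0.0.0/3", "deny", 32),
    (40, "0.0.0.0/0", "permit", 32),
]


def entry_matches(prefix, entry, le):
    """True when prefix lies inside entry and its length is acceptable:
    exactly entry's length without 'le', any length up to 'le' with it."""
    if not prefix.subnet_of(entry):
        return False
    if le is None:
        return prefix.prefixlen == entry.prefixlen
    return entry.prefixlen <= prefix.prefixlen <= le


def evaluate(prefix_list, prefix):
    """Walk the list in seq order; return (policy, seq) of the first match,
    or ('deny', None) when the prefix falls through to the implicit deny."""
    net = ip_network(prefix)
    for seq, entry, policy, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(net, ip_network(entry), le):
            return policy, seq
    return "deny", None


def accepted(prefix_list, prefixes):
    """Subset of prefixes the list permits, in input order."""
    return [p for p in prefixes if evaluate(prefix_list, p)[0] == "permit"]


if __name__ == "__main__":
    # Constructed sample announcements: the ISP default route, a public prefix,
    # the IKE HA link, the LAN subnet and a multicast block.
    for p in ["0.0.0.0/0", "8.8.8.0/24", "10.150.0.0/30", "172.30.0.0/24", "224.0.0.0/4"]:
        print(f"{p:16} in -> {evaluate(FILTER_BOGONS, p)}   out -> {evaluate(DENY_ANY_IPV4, p)}")
```

Note that deny_any_ipv4 only matches the default route itself; everything else is dropped by the implicit deny, so the outbound policy blocks all announcements either way.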
Troubleshooting
After committing the configuration on both Security Gateways, we can check basic connectivity between them and the state of VRRP.
secgw1 running ipv4-prefix-list filter_bogons# exit
secgw1> show interface details
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
alias loopback_main
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether de:ad:de:01:02:03 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 parentbus virtio parentdev virtio1
6: ntfp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether de:ed:01:71:da:ed brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65521
tun type tap pi off vnet_hdr on multi_queue numqueues 1 numdisabled 1 persist on user root group 1000000 numtxqueues 256 numrxqueues 256 gso_max_size 65536 gso_max_segs 65535
alias ISP
inet 66.66.66.67/29 scope global ntfp1
valid_lft forever preferred_lft forever
inet6 fe80::dced:1ff:fe71:daed/64 scope link
valid_lft forever preferred_lft forever
7: ntfp2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether de:ed:02:18:7f:04 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65521
tun type tap pi off vnet_hdr on multi_queue numqueues 1 numdisabled 1 persist on user root group 1000001 numtxqueues 256 numrxqueues 256 gso_max_size 65536 gso_max_segs 65535
alias LAN
inet 172.30.0.2/24 scope global ntfp2
valid_lft forever preferred_lft forever
inet6 fe80::dced:2ff:fe18:7f04/64 scope link
valid_lft forever preferred_lft forever
8: ntfp3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether de:ed:03:b6:8f:aa brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 parentbus virtio parentdev virtio4
alias IKE_HA
inet 10.150.0.1/30 scope global ntfp3
valid_lft forever preferred_lft forever
inet6 fe80::dced:3ff:feb6:8faa/64 scope link
valid_lft forever preferred_lft forever
9: vrrp_lan@ntfp2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:00:5e:00:01:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65521
macvlan mode private bcqueuelen 1000 usedbcqueuelen 1000 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet 172.30.0.1/24 scope global vrrp_lan
valid_lft forever preferred_lft forever
10: vrrp_public@ntfp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:00:5e:00:01:02 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65521
macvlan mode private bcqueuelen 1000 usedbcqueuelen 1000 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet 66.66.66.66/29 scope global vrrp_public
valid_lft forever preferred_lft forever
65535: fptun0@if2: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 65521 qdisc noqueue state UP group default qlen 1000
link/ether 66:70:74:75:6e:30 brd ff:ff:ff:ff:ff:ff link-netnsid 0 promiscuity 1 minmtu 0 maxmtu 65535
vlan protocol 802.1Q id 0 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet6 fe80::6470:74ff:fe75:6e30/64 scope link
valid_lft forever preferred_lft forever
secgw1> cmd ping 10.150.0.2 count 4
PING 10.150.0.2 (10.150.0.2) 56(84) bytes of data.
64 bytes from 10.150.0.2: icmp_seq=1 ttl=64 time=1.11 ms
64 bytes from 10.150.0.2: icmp_seq=2 ttl=64 time=0.187 ms
64 bytes from 10.150.0.2: icmp_seq=3 ttl=64 time=0.197 ms
64 bytes from 10.150.0.2: icmp_seq=4 ttl=64 time=0.237 ms
--- 10.150.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3055ms
rtt min/avg/max/mdev = 0.187/0.433/1.114/0.394 ms
secgw1>
VRRP state on secgw1:
secgw1> show state vrf main vrrp
vrrp
enabled true
router-id secgw1
snmp-enabled false
traps-enabled false
vrrp-startup-delay 0
drop-traffic-on-backup true
group vrrp_group
instance vrrp_lan
instance vrrp_public
notify-ha-group ha_for_ike
state master
..
..
secgw1>
VRRP interfaces state on secgw1:
secgw1> show state vrf main interface vrrp
vrrp vrrp_lan
mtu 1500
promiscuous false
enabled true
ddos-protection
enabled false
..
oper-status UP
counters
in-octets 0
in-unicast-pkts 2
in-discards 0
in-errors 0
out-octets 24180
out-unicast-pkts 450
out-discards 0
out-errors 0
..
ipv4
address 172.30.0.1/24
..
ipv6
enabled false
..
network-stack
ipv4
send-redirects true
accept-redirects false
accept-source-route false
arp-announce any
arp-filter false
arp-ignore any
arp-proxy false
log-invalid-addresses false
..
ipv6
autoconfiguration true
accept-duplicate-address-detection always
accept-router-advert never
accept-redirects false
accept-segment-routing false
accept-source-route false
router-solicitations -1
use-temporary-addresses never
..
..
ethernet
mac-address 00:00:5e:00:01:01
..
state master
version 2
link-interface ntfp2
garp-delay 5
use-vmac true
vmac-xmit-base false
vrid 1
priority 150
init-state backup
preempt true
preempt-delay 60
advertisement-interval 1000
track-fast-path true
virtual-address 172.30.0.1/24
..
vrrp vrrp_public
mtu 1500
promiscuous false
enabled true
ddos-protection
enabled false
..
oper-status UP
counters
in-octets 756
in-unicast-pkts 20
in-discards 0
in-errors 0
out-octets 24180
out-unicast-pkts 450
out-discards 0
out-errors 0
..
ipv4
address 66.66.66.66/29
..
ipv6
enabled false
..
network-stack
ipv4
send-redirects true
accept-redirects false
accept-source-route false
arp-announce any
arp-filter false
arp-ignore any
arp-proxy false
log-invalid-addresses false
..
ipv6
autoconfiguration true
accept-duplicate-address-detection always
accept-router-advert never
accept-redirects false
accept-segment-routing false
accept-source-route false
router-solicitations -1
use-temporary-addresses never
..
..
ethernet
mac-address 00:00:5e:00:01:02
..
state master
version 2
link-interface ntfp1
garp-delay 5
use-vmac true
vmac-xmit-base false
vrid 2
priority 150
init-state backup
preempt true
preempt-delay 60
advertisement-interval 1000
track-fast-path true
virtual-address 66.66.66.66/29
..
secgw1>
VRRP state on secgw2:
secgw2 running ipv4-prefix-list filter_bogons# exit
secgw2> show state vrf main vrrp
vrrp
enabled true
router-id secgw2
snmp-enabled false
traps-enabled false
vrrp-startup-delay 0
drop-traffic-on-backup true
group vrrp_group
instance vrrp_lan
instance vrrp_public
notify-ha-group ha_for_ike
state backup
..
..
secgw2>
VRRP interfaces state on secgw2:
secgw2> show state vrf main interface vrrp
vrrp vrrp_lan
mtu 1500
promiscuous false
enabled true
ddos-protection
enabled false
..
oper-status UP
counters
in-octets 0
in-unicast-pkts 493
in-discards 0
in-errors 0
out-octets 108
out-unicast-pkts 2
out-discards 0
out-errors 0
..
ipv4
enabled false
..
ipv6
enabled false
..
network-stack
ipv4
send-redirects true
accept-redirects false
accept-source-route false
arp-announce any
arp-filter false
arp-ignore any
arp-proxy false
log-invalid-addresses false
..
ipv6
autoconfiguration true
accept-duplicate-address-detection always
accept-router-advert never
accept-redirects false
accept-segment-routing false
accept-source-route false
router-solicitations -1
use-temporary-addresses never
..
..
ethernet
mac-address 00:00:5e:00:01:01
..
state backup
version 2
link-interface ntfp2
garp-delay 5
use-vmac true
vmac-xmit-base false
vrid 1
priority 100
init-state backup
preempt true
preempt-delay 60
advertisement-interval 1000
track-fast-path true
virtual-address 172.30.0.1/24
..
vrrp vrrp_public
mtu 1500
promiscuous false
enabled true
ddos-protection
enabled false
..
oper-status UP
counters
in-octets 1050
in-unicast-pkts 518
in-discards 0
in-errors 0
out-octets 108
out-unicast-pkts 2
out-discards 0
out-errors 0
..
ipv4
enabled false
..
ipv6
enabled false
..
network-stack
ipv4
send-redirects true
accept-redirects false
accept-source-route false
arp-announce any
arp-filter false
arp-ignore any
arp-proxy false
log-invalid-addresses false
..
ipv6
autoconfiguration true
accept-duplicate-address-detection always
accept-router-advert never
accept-redirects false
accept-segment-routing false
accept-source-route false
router-solicitations -1
use-temporary-addresses never
..
..
ethernet
mac-address 00:00:5e:00:01:02
..
state backup
version 2
link-interface ntfp1
garp-delay 5
use-vmac true
vmac-xmit-base false
vrid 2
priority 100
init-state backup
preempt true
preempt-delay 60
advertisement-interval 1000
track-fast-path true
virtual-address 66.66.66.66/29
..
secgw2>
The routing table should look like this at this point (the Internet node is not configured yet):
secgw1> show ipv4-routes
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route
VRF main:
C>* 10.150.0.0/30 is directly connected, ntfp3, 00:09:44
C * 66.66.66.64/29 is directly connected, vrrp_public, 00:09:31
C>* 66.66.66.64/29 is directly connected, ntfp1, 00:09:44
C * 172.30.0.0/24 is directly connected, vrrp_lan, 00:09:31
C>* 172.30.0.0/24 is directly connected, ntfp2, 00:09:44
secgw1>
3.2.2. Road warrior node
Interfaces
On the road warriors, we basically need to configure one VLAN interface with a public IP address (make sure to wipe the Day-1 configuration first).
vsr> edit running
vsr running config# system
vsr running system# hostname warrior1
vsr running system# fast-path port pci-b0s4
vsr running system# del / vrf main
vsr running system# / vrf main interface physical ntfp1 port pci-b0s4
vsr running system# / vrf main interface vlan int_vlan1
vsr running vlan int_vlan1#! description ISP
vsr running vlan int_vlan1#! ipv4 address 1.1.1.1/24
vsr running vlan int_vlan1#! vlan-id 1
vsr running vlan int_vlan1#! link-interface ntfp1
vsr running vlan int_vlan1# commit
Configuration committed.
DNS
The road warriors require a valid DNS server to contact the license server:
warrior1 running vlan int_vlan1# / vrf main dns server 8.8.8.8
warrior1 running vlan int_vlan1# commit
Configuration committed.
Routing
Routing will just consist of adding a static route pointing to the Internet node in order to declare it as a default gateway.
warrior1 running vlan int_vlan1# / vrf main routing static ipv4-route 0.0.0.0/0 next-hop 1.1.1.254
warrior1 running vlan int_vlan1# commit
Configuration committed.
Troubleshooting
After committing the configuration, we can check the routing table of the road warrior and make sure 1.1.1.254 is the default gateway.
warrior1 running vlan int_vlan1# exit
warrior1> show ipv4-routes
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route
VRF main:
S>* 0.0.0.0/0 [1/0] via 1.1.1.254, int_vlan1, 00:00:13
C>* 1.1.1.0/24 is directly connected, int_vlan1, 00:01:28
warrior1>
3.2.3. Internet node
Interfaces
This node will connect road warriors to the Security Gateways, so it must have a VLAN interface per road warrior (it will be their default gateway), an interface in the same IP subnet as the Security Gateways, and an interface giving access to the Internet.
vsr> edit running
vsr running config# system
vsr running system# hostname internet
vsr running system# fast-path
vsr running fast-path#! port pci-b0s3
vsr running fast-path# port pci-b0s4
vsr running fast-path# port pci-b0s5
vsr running fast-path# del / vrf main
vsr running fast-path# / vrf main interface physical internet
vsr running physical internet#! port pci-b0s3
vsr running physical internet# description internet_wan_access
vsr running physical internet# ipv4 dhcp enabled true
vsr running physical internet# .. physical ntfp1
vsr running physical ntfp1#! port pci-b0s4
vsr running physical ntfp1# description interco_roadwarriors
vsr running physical ntfp1# .. physical ntfp2
vsr running physical ntfp2#! port pci-b0s5
vsr running physical ntfp2# description interco_secgw
vsr running physical ntfp2# ipv4 address 66.66.66.69/29
vsr running physical ntfp2# .. vlan int_vlan1
vsr running vlan int_vlan1#! description "ipsec roadwarrior 1"
vsr running vlan int_vlan1#! ipv4 address 1.1.1.254/24
vsr running vlan int_vlan1#! vlan-id 1
vsr running vlan int_vlan1#! link-interface ntfp1
vsr running vlan int_vlan1# .. vlan int_vlan2
vsr running vlan int_vlan2#! description "ipsec roadwarrior 2"
vsr running vlan int_vlan2#! ipv4 address 2.2.2.254/24
vsr running vlan int_vlan2#! vlan-id 2
vsr running vlan int_vlan2#! link-interface ntfp1
vsr running vlan int_vlan2# commit
Configuration committed.
DNS
As a VSR, this node requires a valid DNS server to keep its license active. We declare a public DNS server for that purpose:
internet running vlan int_vlan2# / vrf main dns server 8.8.8.8
internet running vlan int_vlan2# commit
Configuration committed.
Routing
Routing will consist of a BGP peering with the Security Gateways, to announce a default gateway to each one of them with default-originate.
internet running vlan int_vlan2# / vrf main routing bgp
internet running bgp#! as 65002
internet running bgp# router-id 66.66.66.69
internet running bgp# ebgp-requires-policy false
internet running bgp# neighbor 66.66.66.67
internet running neighbor 66.66.66.67#! remote-as 65001
internet running neighbor 66.66.66.67# neighbor-description secgw1
internet running neighbor 66.66.66.67# address-family ipv4-unicast
internet running ipv4-unicast# soft-reconfiguration-inbound true
internet running ipv4-unicast# default-originate
internet running default-originate# .. .. .. .. neighbor 66.66.66.68
internet running neighbor 66.66.66.68#! remote-as 65001
internet running neighbor 66.66.66.68# neighbor-description secgw2
internet running neighbor 66.66.66.68# address-family ipv4-unicast
internet running ipv4-unicast# soft-reconfiguration-inbound true
internet running ipv4-unicast# default-originate
internet running default-originate# commit
Configuration committed.
NAT
As this node is the default gateway for all others, we add a NAT rule to masquerade all outgoing requests:
internet running default-originate# / vrf main nat
internet running nat# source-rule 1 outbound-interface internet translate-to output-address
internet running nat# commit
Configuration committed.
Troubleshooting
After committing the configuration, we can check the routing table of the Internet node.
internet running nat# exit
internet> show ipv4-routes
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route
VRF main:
S>* 0.0.0.0/0 [1/0] via 10.0.2.2, internet, 00:00:20
C>* 1.1.1.0/24 is directly connected, int_vlan1, 00:00:20
C>* 2.2.2.0/24 is directly connected, int_vlan2, 00:00:20
C>* 10.0.2.0/24 is directly connected, internet, 00:00:20
C>* 66.66.66.64/29 is directly connected, ntfp2, 00:00:20
internet>
3.2.4. LAN node
Interfaces and routing
This node, representing LAN resources, will have an interface in the LAN subnet. Additionally, in order to be able to respond to requests coming from the road warriors through the VPN, it needs a route to the 172.31.0.0/24 subnet (pool subnet) which points to the Security Gateways’ VIP.
root@hostlan:~# ip address add 172.30.0.10/24 brd + dev ntfp1
root@hostlan:~# ip link set dev ntfp1 up
root@hostlan:~# ip route add 172.31.0.0/24 via 172.30.0.1
Troubleshooting
Print routes:
root@hostlan:~# ip route list
172.30.0.0/24 dev ntfp1 proto kernel scope link src 172.30.0.10
172.31.0.0/24 via 172.30.0.1 dev ntfp1
root@hostlan:~#
Ping the VIP:
root@hostlan:~# ping 172.30.0.1
PING 172.30.0.1 (172.30.0.1) 56(84) bytes of data.
64 bytes from 172.30.0.1: icmp_seq=1 ttl=64 time=1.70 ms
64 bytes from 172.30.0.1: icmp_seq=2 ttl=64 time=0.341 ms
^C
--- 172.30.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.341/1.024/1.707/0.683 ms
3.2.5. Network connectivity troubleshooting
At this point, we can check the routing table of the Security Gateway again: a new entry should be learnt via BGP.
secgw1> show ipv4-routes
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route
VRF main:
B>* 0.0.0.0/0 [20/0] via 66.66.66.69, ntfp1, 00:01:32
C>* 10.150.0.0/30 is directly connected, ntfp3, 00:14:47
C * 66.66.66.64/29 is directly connected, vrrp_public, 00:14:34
C>* 66.66.66.64/29 is directly connected, ntfp1, 00:14:47
C * 172.30.0.0/24 is directly connected, vrrp_lan, 00:14:34
C>* 172.30.0.0/24 is directly connected, ntfp2, 00:14:47
secgw1>
The routing table of the Backup Security Gateway should be similar, except for the VRRP-related routes.
A ping from a road warrior to the VPN address should work:
warrior1> cmd ping 66.66.66.66
PING 66.66.66.66 (66.66.66.66) 56(84) bytes of data.
64 bytes from 66.66.66.66: icmp_seq=1 ttl=63 time=1.78 ms
64 bytes from 66.66.66.66: icmp_seq=2 ttl=63 time=0.303 ms
64 bytes from 66.66.66.66: icmp_seq=3 ttl=63 time=0.307 ms
64 bytes from 66.66.66.66: icmp_seq=4 ttl=63 time=0.324 ms
^C
--- 66.66.66.66 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3044ms
rtt min/avg/max/mdev = 0.303/0.679/1.785/0.638 ms
warrior1>
A ping from a road warrior to the LAN, however, should not work at this point.
3.3. IPsec
3.3.1. Security Gateway node
The following commands will set:
- a default pre-shared key, and a specific pre-shared key for user1 and user2,
- an IKE template called ike_templ1 containing one proposal for an encryption algorithm, an authentication algorithm, and a Diffie-Hellman group,
- an IPsec template called ipsec_templ1 containing one proposal for ESP mode,
- a VPN configuration using these templates and defining the VPN’s address, an address pool and a security policy with protected VPN subnets.
secgw1> edit running
secgw1 running config# / vrf main ike
secgw1 running ike# pre-shared-key hq_psk secret default_psk
secgw1 running ike# pre-shared-key user1
secgw1 running pre-shared-key user1#! id user1@dev.6wind.com
secgw1 running pre-shared-key user1#! secret psk_for_user1
secgw1 running pre-shared-key user1# .. pre-shared-key user2
secgw1 running pre-shared-key user2#! id user2@dev.6wind.com
secgw1 running pre-shared-key user2#! secret psk_for_user2
secgw1 running pre-shared-key user2# .. ike-policy-template ike_templ1 ike-proposal 1
secgw1 running ike-proposal 1#! enc-alg aes128-cbc
secgw1 running ike-proposal 1#! auth-alg hmac-sha512
secgw1 running ike-proposal 1#! dh-group modp2048
secgw1 running ike-proposal 1# .. .. ipsec-policy-template ipsec_templ1 esp-proposal 1
secgw1 running esp-proposal 1#! enc-alg aes128-cbc
secgw1 running esp-proposal 1#! auth-alg hmac-sha256
secgw1 running esp-proposal 1# dh-group modp2048
secgw1 running esp-proposal 1# .. .. vpn vpn_hq ike-policy
secgw1 running ike-policy#! template ike_templ1
secgw1 running ike-policy#! keying-tries 10
secgw1 running ike-policy#! .. ipsec-policy template ipsec_templ1
secgw1 running ike-policy# ..
secgw1 running vpn vpn_hq# description vpn_access_to_hq
secgw1 running vpn vpn_hq# local-address 66.66.66.66
secgw1 running vpn vpn_hq# local-id secgw.6wind.com
secgw1 running vpn vpn_hq# vip-pool roadwarriors_ha_pool
secgw1 running vpn vpn_hq# security-policy access_to_lan local-ts subnet 172.30.0.0/24
secgw1 running vpn vpn_hq# show config nodefault / vrf main ike
ike
pre-shared-key hq_psk
secret default_psk
..
pre-shared-key user1
id user1@dev.6wind.com
secret psk_for_user1
..
pre-shared-key user2
id user2@dev.6wind.com
secret psk_for_user2
..
ike-policy-template ike_templ1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
dh-group modp2048
..
..
ipsec-policy-template ipsec_templ1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
..
..
vpn vpn_hq
ike-policy
template ike_templ1
keying-tries 10
..
ipsec-policy
template ipsec_templ1
..
description vpn_access_to_hq
local-address 66.66.66.66
local-id secgw.6wind.com
vip-pool roadwarriors_ha_pool
security-policy access_to_lan
local-ts subnet 172.30.0.0/24
..
..
..
secgw1 running vpn vpn_hq# commit
Configuration committed.
IKE HA will be implemented using the following commands. Basically, the IKE HA instance subscribes to the ha_for_ike HA group (using the listen-ha-group command), which in turn is controlled by the VRRP group vrrp_group, in order to inherit its state.
secgw1 running vpn vpn_hq# / vrf main ike ha
secgw1 running ha#! listen-ha-group ha_for_ike
secgw1 running ha#! local-address 10.150.0.1
secgw1 running ha#! remote-address 10.150.0.2
secgw1 running ha# pool roadwarriors_ha_pool address 172.31.0.0/24
secgw1 running ha# commit
Configuration committed.
Note
ha local-address and ha remote-address should be inverted on secgw2 compared to secgw1.
For monitoring purposes, we also enable the IKE SNMP MIB:
secgw1 running ha# .. global-options snmp true
secgw1 running ha# commit
Configuration committed.
3.3.2. Road warrior node
IKE will be configured on a road warrior according to the configuration made on the Security Gateways. Typically, there should be matching IKE and IPsec proposals, the pre-shared key must be correct, the VPN address should be the VIP hosted by Security Gateways, the allowed remote subnet must be the one allowed on the Security Gateways’ side, etc.
Additionally, start-action should be set to start in order to initiate IKE negotiations at start-up of the IKE daemon.
warrior1> edit running
warrior1 running config# / vrf main ike
warrior1 running ike# pre-shared-key hq_psk secret psk_for_user1
warrior1 running ike# ike-policy-template ike_templ1 ike-proposal 1
warrior1 running ike-proposal 1#! enc-alg aes128-cbc
warrior1 running ike-proposal 1#! auth-alg hmac-sha512
warrior1 running ike-proposal 1#! dh-group modp2048
warrior1 running ike-proposal 1# .. .. ipsec-policy-template ipsec_templ1 esp-proposal 1
warrior1 running esp-proposal 1#! enc-alg aes128-cbc
warrior1 running esp-proposal 1#! auth-alg hmac-sha256
warrior1 running esp-proposal 1# dh-group modp2048
warrior1 running esp-proposal 1# ..
warrior1 running ipsec-policy-template ipsec_templ1# start-action start
warrior1 running ipsec-policy-template ipsec_templ1# .. vpn vpn_hq ike-policy
warrior1 running ike-policy#! template ike_templ1
warrior1 running ike-policy#! keying-tries 10
warrior1 running ike-policy#! .. ipsec-policy template ipsec_templ1
warrior1 running ike-policy# ..
warrior1 running vpn vpn_hq# description vpn_access_to_hq
warrior1 running vpn vpn_hq# remote-address 66.66.66.66
warrior1 running vpn vpn_hq# local-id user1@dev.6wind.com
warrior1 running vpn vpn_hq# remote-id secgw.6wind.com
warrior1 running vpn vpn_hq# vip-request 0.0.0.0
warrior1 running vpn vpn_hq# security-policy access_to_lan remote-ts subnet 172.30.0.0/24
warrior1 running vpn vpn_hq# show config nodefault / vrf main ike
ike
pre-shared-key hq_psk
secret psk_for_user1
..
ike-policy-template ike_templ1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
dh-group modp2048
..
..
ipsec-policy-template ipsec_templ1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
..
start-action start
..
vpn vpn_hq
ike-policy
template ike_templ1
keying-tries 10
..
ipsec-policy
template ipsec_templ1
..
description vpn_access_to_hq
remote-address 66.66.66.66
local-id user1@dev.6wind.com
remote-id secgw.6wind.com
vip-request 0.0.0.0
security-policy access_to_lan
remote-ts subnet 172.30.0.0/24
..
..
..
warrior1 running vpn vpn_hq# commit
Configuration committed.
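The list of settings that must agree between the Security Gateway (3.3.1) and the road warrior (this section) is easy to get wrong by hand. The following Python checker is an added example, not part of the 6WIND documentation: it parses the indented show config nodefault / vrf main ike output of both nodes into flat key paths and reports the mismatches that would prevent IKE negotiation. The two embedded configurations are constructed excerpts of the outputs shown above, with indentation restored and the '..' closers left out (the parser ignores them anyway).

```python
# Constructed excerpts of 'show config nodefault / vrf main ike' on secgw1 and warrior1.
SECGW1_IKE = """\
pre-shared-key user1
  id user1@dev.6wind.com
  secret psk_for_user1
ike-policy-template ike_templ1
  ike-proposal 1
    enc-alg aes128-cbc
    auth-alg hmac-sha512
    dh-group modp2048
ipsec-policy-template ipsec_templ1
  esp-proposal 1
    enc-alg aes128-cbc
    auth-alg hmac-sha256
    dh-group modp2048
vpn vpn_hq
  local-address 66.66.66.66
  local-id secgw.6wind.com
  security-policy access_to_lan
    local-ts subnet 172.30.0.0/24
"""
WARRIOR1_IKE = """\
pre-shared-key hq_psk
  secret psk_for_user1
ike-policy-template ike_templ1
  ike-proposal 1
    enc-alg aes128-cbc
    auth-alg hmac-sha512
    dh-group modp2048
ipsec-policy-template ipsec_templ1
  esp-proposal 1
    enc-alg aes128-cbc
    auth-alg hmac-sha256
    dh-group modp2048
vpn vpn_hq
  remote-address 66.66.66.66
  local-id user1@dev.6wind.com
  remote-id secgw.6wind.com
  security-policy access_to_lan
    remote-ts subnet 172.30.0.0/24
"""


def parse_config(text):
    """Flatten indented 'key value' lines into {path: value}; a section line such
    as 'vpn vpn_hq' becomes a path element for everything nested under it."""
    flat, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "..":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        key, _, value = line.partition(" ")
        flat[tuple(label for _, label in stack) + (key,)] = value
        stack.append((indent, line))
    return flat


def first(cfg, *tail):
    """Value of the first entry whose path ends with tail, e.g. ('vpn vpn_hq', 'local-id')."""
    return next((v for p, v in cfg.items() if p[-len(tail):] == tail), None)


def proposals(cfg, kind):
    """Set of (enc-alg, auth-alg, dh-group) over every 'ike-proposal' or 'esp-proposal'."""
    return {(v, cfg.get(p[:-1] + ("auth-alg",)), cfg.get(p[:-1] + ("dh-group",)))
            for p, v in cfg.items() if p[-1] == "enc-alg" and p[-2].startswith(kind)}


def psk_for(cfg, ike_id):
    """Secret bound to ike_id, else the secret of the pre-shared-key entry without an id."""
    default = None
    for p, v in cfg.items():
        if p[-1] == "secret":
            entry_id = cfg.get(p[:-1] + ("id",))
            if entry_id == ike_id:
                return v
            if entry_id is None:
                default = v
    return default


def check_peer(gw_text, rw_text):
    """List the mismatches that would keep a road warrior from negotiating with
    the gateway; an empty list means the two configurations agree."""
    gw, rw = parse_config(gw_text), parse_config(rw_text)
    problems = []
    if not proposals(gw, "ike-proposal") & proposals(rw, "ike-proposal"):
        problems.append("no common IKE proposal")
    if not proposals(gw, "esp-proposal") & proposals(rw, "esp-proposal"):
        problems.append("no common ESP proposal")
    if first(rw, "remote-address") != first(gw, "local-address"):
        problems.append("remote-address is not the gateway VIP")
    if first(rw, "remote-id") != first(gw, "local-id"):
        problems.append("remote-id does not match the gateway local-id")
    me = first(rw, "local-id")
    if psk_for(rw, me) != psk_for(gw, me):
        problems.append("pre-shared key differs from the gateway key for " + str(me))
    if first(gw, "local-ts") != first(rw, "remote-ts"):
        problems.append("traffic selectors differ")
    return problems
```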
3.3.3. IPsec troubleshooting
Note
Even though the road warriors’ pool subnet is covered by a security
policy, it should also be covered by a route. The route will not be
used to dispatch packets, but its absence will result in traffic being
discarded by the kernel before making it to the security policies.
A default route, like the one learnt by BGP in this case scenario,
is enough; otherwise, a specific static route will do the job:
/ vrf main routing static ipv4-route 172.31.0.0/24 next-hop 66.66.66.69
After committing, we can check the state of IKE on the different nodes:
Summary IKE SA from the Security Gateway (Master):
secgw1 running ha# exit
secgw1> show state vrf main ike ike-sas
ike-sas
total 2
half-open 0
..
secgw1>
Detailed IKE SA from the Security Gateway (Master):
secgw1> show ike ike-sa details
vpn_hq: #2, ESTABLISHED, IKEv2, 7a0e17fba5af1ed4_i b7d2d02835fd0952_r
local 'secgw.6wind.com' @ 66.66.66.66[500]
remote 'user2@dev.6wind.com' @ 2.2.2.2[500] [172.31.0.2]
aes128-cbc/hmac-sha512/hmac-sha512/modp2048
established 14s ago, rekeying in 14116s
access_to_lan: #2, reqid 2, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256/modp2048
installed 14s ago, rekeying in 3288s, expires in 3946s
in c7b832c7, 0 bytes, 0 packets
out c104ceb4, 0 bytes, 0 packets
local 172.30.0.0/24
remote 172.31.0.2/32
vpn_hq: #1, ESTABLISHED, IKEv2, 080d80b4b06a2b2c_i ae34351d8c1c30d0_r
local 'secgw.6wind.com' @ 66.66.66.66[500]
remote 'user1@dev.6wind.com' @ 1.1.1.1[500] [172.31.0.1]
aes128-cbc/hmac-sha512/hmac-sha512/modp2048
established 37s ago, rekeying in 13864s
access_to_lan: #1, reqid 1, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256/modp2048
installed 37s ago, rekeying in 3345s, expires in 3923s
in ca18ffbd, 0 bytes, 0 packets
out c095e9c5, 0 bytes, 0 packets
local 172.30.0.0/24
remote 172.31.0.1/32
secgw1>
State of IKE SA from Security Gateway (Master):
secgw1> show state vrf main ike ike-sa
ike-sa unique-id 2
name vpn_hq
version 2
state established
local-address 66.66.66.66
remote-address 2.2.2.2
local-port 500
remote-port 500
local-id secgw.6wind.com
remote-id user2@dev.6wind.com
initiator-spi 7a0e17fba5af1ed4
responder-spi b7d2d02835fd0952
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
established-time 263
rekey-time 13867
udp-encap false
mobike false
remote-vip 172.31.0.2
child-sa unique-id 2
name access_to_lan
state installed
reqid 2
protocol esp
udp-encap false
mobike false
spi-in c7b832c7
spi-out c104ceb4
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
esn false
bytes-in 0
packets-in 0
bytes-out 0
packets-out 0
installed-time 263
rekey-time 3039
life-time 3697
local-ts subnet 172.30.0.0/24
remote-ts subnet 172.31.0.2/32
traffic-selectors
local-ts 1 subnet 172.30.0.0/24
remote-ts 1 subnet 172.31.0.2/32
..
mode tunnel
..
..
ike-sa unique-id 1
name vpn_hq
version 2
state established
local-address 66.66.66.66
remote-address 1.1.1.1
local-port 500
remote-port 500
local-id secgw.6wind.com
remote-id user1@dev.6wind.com
initiator-spi 080d80b4b06a2b2c
responder-spi ae34351d8c1c30d0
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
established-time 286
rekey-time 13615
udp-encap false
mobike false
remote-vip 172.31.0.1
child-sa unique-id 1
name access_to_lan
state installed
reqid 1
protocol esp
udp-encap false
mobike false
spi-in ca18ffbd
spi-out c095e9c5
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
esn false
bytes-in 0
packets-in 0
bytes-out 0
packets-out 0
installed-time 286
rekey-time 3096
life-time 3674
local-ts subnet 172.30.0.0/24
remote-ts subnet 172.31.0.1/32
traffic-selectors
local-ts 1 subnet 172.30.0.0/24
remote-ts 1 subnet 172.31.0.1/32
..
mode tunnel
..
..
secgw1>
State of IKE SA from Security Gateway (Backup):
secgw2> show state vrf main ike ike-sa
ike-sa unique-id 2
name vpn_hq
version 2
state passive
local-address 66.66.66.66
remote-address 2.2.2.2
local-port 500
remote-port 500
local-id secgw.6wind.com
remote-id user2@dev.6wind.com
initiator-spi 7a0e17fba5af1ed4
responder-spi b7d2d02835fd0952
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
udp-encap false
mobike false
remote-vip 172.31.0.2
child-sa unique-id 2
name access_to_lan
state installed
reqid 2
protocol esp
udp-encap false
mobike false
spi-in c7b832c7
spi-out c104ceb4
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
esn false
bytes-in 0
packets-in 0
bytes-out 0
packets-out 0
installed-time 463
rekey-time 3117
life-time 3497
local-ts subnet 172.30.0.0/24
remote-ts subnet 172.31.0.2/32
traffic-selectors
local-ts 1 subnet 172.30.0.0/24
remote-ts 1 subnet 172.31.0.2/32
..
mode tunnel
..
..
ike-sa unique-id 1
name vpn_hq
version 2
state passive
local-address 66.66.66.66
remote-address 1.1.1.1
local-port 500
remote-port 500
local-id secgw.6wind.com
remote-id user1@dev.6wind.com
initiator-spi 080d80b4b06a2b2c
responder-spi ae34351d8c1c30d0
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
udp-encap false
mobike false
remote-vip 172.31.0.1
child-sa unique-id 1
name access_to_lan
state installed
reqid 1
protocol esp
udp-encap false
mobike false
spi-in ca18ffbd
spi-out c095e9c5
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
esn false
bytes-in 0
packets-in 0
bytes-out 0
packets-out 0
installed-time 476
rekey-time 2922
life-time 3484
local-ts subnet 172.30.0.0/24
remote-ts subnet 172.31.0.1/32
traffic-selectors
local-ts 1 subnet 172.30.0.0/24
remote-ts 1 subnet 172.31.0.1/32
..
mode tunnel
..
..
secgw2>
We can see that the SPIs are synchronized between the Master and Backup nodes. Note the passive state of each IKE SA on the Backup node.
Let's check that we have the corresponding IPsec sessions on the road warriors' side.
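The comparison made by eye above can be scripted. The following Python is an added example, not part of the 6WIND documentation: it parses the flat key/value layout of `show state vrf main ike ike-sa` (the sample excerpts are constructed from the user1 entry shown above, and the "stale" variant is a hypothetical drift case) and reports any SPI that differs between Master and Backup, or any Backup IKE SA that is not in the passive state.

```python
"""Cross-check Master/Backup `show state vrf main ike ike-sa` output: SPIs must match, Backup IKE SAs must be passive."""
# Constructed excerpt modelled on the page's user1 entry (not a live capture).
MASTER_STATE = """\
ike-sa unique-id 1
    state established
    initiator-spi 080d80b4b06a2b2c
    responder-spi ae34351d8c1c30d0
    child-sa unique-id 1
        state installed
        spi-in ca18ffbd
        spi-out c095e9c5
    ..
..
"""
BACKUP_STATE = MASTER_STATE.replace("state established", "state passive")
STALE_BACKUP_STATE = BACKUP_STATE.replace("ae34351d8c1c30d0", "0" * 16)  # hypothetical SPI drift

def parse_ike_sas(text):
    """Map each IKE SA unique-id to its `key value` fields plus a nested 'child' dict."""
    sas, cur, target = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line == "..":            # block closers carry no data
            continue
        key, _, value = line.partition(" ")
        if key == "ike-sa":                      # "ike-sa unique-id 1"
            cur = target = {"child": {}}
            sas[value.split()[-1]] = cur
        elif key == "child-sa" and cur is not None:
            target = cur["child"]                # following keys belong to the child SA
        elif target is not None:
            target.setdefault(key, value)        # first occurrence wins (IKE-level 'state')
    return sas

def check_ha_sync(master_text, backup_text):
    """Return discrepancies between Master and Backup; an empty list means in sync."""
    master, backup = parse_ike_sas(master_text), parse_ike_sas(backup_text)
    problems = []
    for uid in sorted(set(master) ^ set(backup)):
        problems.append(f"ike-sa {uid}: present on only one node")
    for uid in sorted(set(master) & set(backup)):
        m, b = master[uid], backup[uid]
        if b.get("state") != "passive":
            problems.append(f"ike-sa {uid}: Backup state {b.get('state')!r} is not passive")
        pairs = [(m, b, k) for k in ("initiator-spi", "responder-spi")]
        pairs += [(m["child"], b["child"], k) for k in ("spi-in", "spi-out")]
        for ms, bs, k in pairs:
            if ms.get(k) != bs.get(k):
                problems.append(f"ike-sa {uid}: {k} {ms.get(k)} != {bs.get(k)}")
    return problems
```

Feed it the full output of both nodes and an empty result confirms the HA state is coherent; a non-empty one points at the exact SA and field to investigate.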
IKE SA from road warrior 1:
warrior1> show ike ike-sa details
vpn_hq: #1, ESTABLISHED, IKEv2, 080d80b4b06a2b2c_i ae34351d8c1c30d0_r
local 'user1@dev.6wind.com' @ 1.1.1.1[500] [172.31.0.1]
remote 'secgw.6wind.com' @ 66.66.66.66[500]
aes128-cbc/hmac-sha512/hmac-sha512/modp2048
established 629s ago, rekeying in 13732s
access_to_lan: #1, reqid 1, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256/modp2048
installed 629s ago, rekeying in 2815s, expires in 3331s
in c095e9c5, 0 bytes, 0 packets
out ca18ffbd, 0 bytes, 0 packets
local 172.31.0.1/32
remote 172.30.0.0/24
warrior1>
State of IKE SA from road warrior 1:
warrior1> show state vrf main ike ike-sa
ike-sa unique-id 1
name vpn_hq
version 2
state established
local-address 1.1.1.1
remote-address 66.66.66.66
local-port 500
remote-port 500
local-id user1@dev.6wind.com
remote-id secgw.6wind.com
initiator-spi 080d80b4b06a2b2c
responder-spi ae34351d8c1c30d0
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
established-time 694
rekey-time 13667
udp-encap false
mobike false
local-vip 172.31.0.1
child-sa unique-id 1
name access_to_lan
state installed
reqid 1
protocol esp
udp-encap false
mobike false
spi-in c095e9c5
spi-out ca18ffbd
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
esn false
bytes-in 0
packets-in 0
bytes-out 0
packets-out 0
installed-time 694
rekey-time 2750
life-time 3266
local-ts subnet 172.31.0.1/32
remote-ts subnet 172.30.0.0/24
traffic-selectors
local-ts 1 subnet 172.31.0.1/32
remote-ts 1 subnet 172.30.0.0/24
..
mode tunnel
..
..
warrior1>
Another look at the routing table of the road warrior shows that a new entry has been added upon receiving the 172.31.0.1 address from the pool:
warrior1> show ipv4-routes
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route
VRF main:
S>* 0.0.0.0/0 [1/0] via 1.1.1.254, int_vlan1, 02:47:41
C>* 1.1.1.0/24 is directly connected, int_vlan1, 02:47:42
C>* 172.31.0.1/32 is directly connected, int_vlan1, 01:09:35
warrior1>
Let’s send a ping request from this road warrior to the LAN:
warrior1 running config# cmd ping 172.30.0.10 source 172.31.0.1
PING 172.30.0.10 (172.30.0.10) from 172.31.0.1 : 56(84) bytes of data.
64 bytes from 172.30.0.10: icmp_seq=1 ttl=63 time=0.996 ms
64 bytes from 172.30.0.10: icmp_seq=2 ttl=63 time=0.446 ms
64 bytes from 172.30.0.10: icmp_seq=3 ttl=63 time=0.554 ms
64 bytes from 172.30.0.10: icmp_seq=4 ttl=63 time=0.501 ms
^C
--- 172.30.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3050ms
rtt min/avg/max/mdev = 0.446/0.624/0.996/0.218 ms
3.4. Logging
Logging can be useful for both troubleshooting and monitoring events on the network.
To enable IKE and IPsec logging at level 2, with the default level set to 1, proceed as follows:
secgw1> edit running
secgw1 running config# / vrf main ike logging authpriv
secgw1 running authpriv# default 1
secgw1 running authpriv# ike 2
secgw1 running authpriv# ipsec 2
secgw1 running authpriv# commit
Configuration committed.
See also
The User’s Guide for more information about logging.