10.2.5.1. Connections using the IPsec (inter-site tunnel) function

Operation confirmed version:
 Brocade 5600vRouter Version 4.2R1S1
Brocade 5600vRouter supports IPsec. This section describes the settings for an inter-site connection tunnel using IPsec.
Building an IPsec tunnel allows the intra-site networks on both sides to communicate with each other through the tunnel.

Note

A VRRP virtual IP address cannot be specified as the IPsec peer (destination) address. For a redundant configuration with IPsec, see ‘Operation-confirmed configuration example model <https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html>’_.

IPsec (site-to-site mode) connection

Assumed case for the sample settings

  • Make a VPN (tunnel) connection between the firewall interfaces and enable communication between the servers behind them

  • Use the IPsec function (site-to-site) as the VPN connection method

  • Set the IPsec authentication parameters according to the table below

Configuration diagram
[Figure: IPsec_fig1]

IPsec parameter information

Set the parameters needed for IPsec negotiation and encryption on the firewalls as follows.
  • Authentication and encryption parameters

Parameter                      Value
---------                      -----
Key management protocol        IKEv1 (ISAKMP + Oakley)

Phase 1
Authentication method          Pre-shared key
Pre-shared key                 test_key_1 (sample value only)
Encryption algorithm           AES-256
DH group                       2
Hash algorithm                 SHA-1
ISAKMP SA lifetime             28800 seconds
Key exchange mode              Main mode

Phase 2
IPsec SA lifetime              3600 seconds
Security protocol              ESP
Encryption algorithm           AES-256
Authentication algorithm       HMAC-SHA1
Perfect Forward Secrecy        Enabled
Encapsulation mode             Tunnel
Key exchange mode              Quick mode

These values reproduce the configuration that was confirmed to work. Note that DH group 2 (1024-bit MODP) and SHA-1 are below current guidance (DH group 14 or stronger and a SHA-2 hash); where the peer and platform support them, prefer the stronger options, and replace the sample pre-shared key with a long, randomly generated secret.

Setting flow in the assumed case

  • Settings on the primary firewall

1. Create the vti0 tunnel interface.
2. Set the vti0 interface address to “10.1.1.2/30”.
3. Define the ESP group ESP-1W according to the parameter table.
4. Define the IKE group IKE-1W according to the parameter table.
5. Set the IPsec mode to site-to-site.
6. Set “153.xxx.xxx.182” as the address of the opposite (peer) firewall.
7. Bind IKE-1W, ESP-1W and the vti0 interface to that peer address.
8. Set a static route so that traffic to the network behind the opposite firewall (“192.168.3.128/28”) goes through the tunnel.
  • Settings on the secondary firewall

1. Create the vti0 tunnel interface.
2. Set the vti0 interface address to “10.1.1.1/30”.
3. Define the ESP group ESP-1W according to the parameter table.
4. Define the IKE group IKE-1W according to the parameter table.
5. Set the IPsec mode to site-to-site.
6. Set “153.xxx.xxx.227” as the address of the opposite (peer) firewall.
7. Bind IKE-1W, ESP-1W and the vti0 interface to that peer address.
8. Set a static route so that traffic to the network behind the opposite firewall (“192.168.1.0/28”) goes through the tunnel.

Commands to enter in the CLI

  • Primary firewall: IPsec (site-to-site) settings

set interfaces vti vti0 address '10.1.1.2/30'
set security vpn ipsec esp-group ESP-1W lifetime '3600'
set security vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1W lifetime '28800'
set security vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 authentication pre-shared-secret 'test_key_1'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 ike-group 'IKE-1W'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 local-address '153.xxx.xxx.227'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 vti bind 'vti0'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 vti esp-group 'ESP-1W'
set protocols static interface-route 192.168.3.128/28 next-hop 10.1.1.1 interface 'vti0'
  • Secondary firewall: IPsec (site-to-site) settings

set interfaces vti vti0 address '10.1.1.1/30'
set security vpn ipsec esp-group ESP-1W lifetime '3600'
set security vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1W lifetime '28800'
set security vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 authentication pre-shared-secret 'test_key_1'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 ike-group 'IKE-1W'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 local-address '153.xxx.xx.182'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 vti bind 'vti0'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 vti esp-group 'ESP-1W'
set protocols static interface-route 192.168.1.0/28 next-hop 10.1.1.2 interface 'vti0'
The resulting configuration on each firewall is as follows.
  • Primary firewall configuration

interfaces {
        vti vti0 {
                address 10.1.1.2/30
        }
}
security {
        vpn {
                ipsec {
                        esp-group ESP-1W {
                                lifetime 3600
                                proposal 1 {
                                        encryption aes256
                                        hash sha1
                                }
                        }
                        ike-group IKE-1W {
                                lifetime 28800
                                proposal 1 {
                                        dh-group 2
                                        encryption aes256
                                        hash sha1
                                }
                        }
                        site-to-site {
                                peer 153.xxx.xx.182 {
                                        authentication {
                                                pre-shared-secret test_key_1
                                        }
                                        ike-group IKE-1W
                                        local-address 153.xxx.xxx.227
                                        vti {
                                                bind vti0
                                                esp-group ESP-1W
                                        }
                                }
                        }
                }
        }
}
protocols {
        static {
                interface-route 192.168.3.128/28 {
                                  next-hop 10.1.1.1 {
                                          interface vti0
                                  }
                }
        }
}
  • Secondary firewall configuration

interfaces {
        vti vti0 {
                address 10.1.1.1/30
        }
}
security {
        vpn {
                ipsec {
                        esp-group ESP-1W {
                                lifetime 3600
                                proposal 1 {
                                        encryption aes256
                                        hash sha1
                                }
                        }
                        ike-group IKE-1W {
                                lifetime 28800
                                proposal 1 {
                                        dh-group 2
                                        encryption aes256
                                        hash sha1
                                }
                        }
                        site-to-site {
                                peer 153.xxx.xxx.227 {
                                        authentication {
                                                pre-shared-secret test_key_1
                                        }
                                        ike-group IKE-1W
                                        local-address 153.xxx.xx.182
                                        vti {
                                                bind vti0
                                                esp-group ESP-1W
                                        }
                                }
                        }
                }
        }
}
protocols {
        static {
                interface-route 192.168.1.0/28 {
                                  next-hop 10.1.1.2 {
                                          interface vti0
                                  }
                }
        }
}
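The two command sets above are exact mirror images of each other: `peer` on one side is `local-address` on the other, the vti addresses are the two hosts of one /30, and each side routes the other side's LAN prefix to the far vti address. Hand-mirroring is where site-to-site setups usually go wrong, so the following added example (not part of the original page or of the vRouter) generates both sides from one description, refuses inconsistent input, and flags the weak parameters of the sample. The WAN addresses are constructed RFC 5737 stand-ins for the page's masked 153.x.x.x addresses.

```python
"""Generate mirrored site-to-site IPsec 'set' commands for two Brocade 5600vRouter firewalls.

Added example, not from the original page. WAN addresses are constructed RFC 5737
stand-ins for the page's masked 153.x.x.x addresses.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """One end of the tunnel."""
    name: str
    wan_address: str   # our 'local-address'; the other side configures it as 'peer'
    vti_address: str   # tunnel interface address with prefix, e.g. "10.1.1.2/30"
    lan_prefix: str    # network behind this firewall, routed over the tunnel by the other side


@dataclass(frozen=True)
class Proposal:
    """IKE/ESP parameters shared by both ends; defaults follow the page's parameter table."""
    psk: str
    ike_group: str = "IKE-1W"
    esp_group: str = "ESP-1W"
    ike_lifetime: int = 28800
    esp_lifetime: int = 3600
    dh_group: int = 2
    encryption: str = "aes256"
    hash_alg: str = "sha1"
    vti: str = "vti0"


def check_pair(local: Site, remote: Site) -> None:
    """Reject the mistakes that silently break a hand-mirrored configuration."""
    l_if = ipaddress.ip_interface(local.vti_address)
    r_if = ipaddress.ip_interface(remote.vti_address)
    if l_if.network != r_if.network or l_if.ip == r_if.ip:
        raise ValueError("vti addresses must be two distinct hosts in one subnet")
    if ipaddress.ip_network(local.lan_prefix).overlaps(ipaddress.ip_network(remote.lan_prefix)):
        raise ValueError("the two site LANs overlap; the static routes would be ambiguous")
    if local.wan_address == remote.wan_address:
        raise ValueError("peer and local-address must differ")


def audit(p: Proposal) -> list[str]:
    """Warnings for parameters that negotiate fine but are weaker than current guidance."""
    warnings = []
    if len(p.psk) < 20:
        warnings.append("pre-shared secret is short; use a long random value")
    if p.dh_group < 14:
        warnings.append(f"dh-group {p.dh_group} is below 2048-bit MODP; prefer group 14 or higher")
    if p.hash_alg in ("md5", "sha1"):
        warnings.append(f"hash {p.hash_alg} is deprecated; prefer a SHA-2 variant if the peer supports it")
    return warnings


def site_commands(local: Site, remote: Site, p: Proposal) -> list[str]:
    """'set' commands for `local`; calling it with the sites swapped yields the mirror image."""
    check_pair(local, remote)
    peer = f"set security vpn ipsec site-to-site peer {remote.wan_address}"
    next_hop = ipaddress.ip_interface(remote.vti_address).ip  # the far end of the /30
    return [
        f"set interfaces vti {p.vti} address '{local.vti_address}'",
        f"set security vpn ipsec esp-group {p.esp_group} lifetime '{p.esp_lifetime}'",
        f"set security vpn ipsec esp-group {p.esp_group} proposal 1 encryption '{p.encryption}'",
        f"set security vpn ipsec esp-group {p.esp_group} proposal 1 hash '{p.hash_alg}'",
        f"set security vpn ipsec ike-group {p.ike_group} lifetime '{p.ike_lifetime}'",
        f"set security vpn ipsec ike-group {p.ike_group} proposal 1 dh-group '{p.dh_group}'",
        f"set security vpn ipsec ike-group {p.ike_group} proposal 1 encryption '{p.encryption}'",
        f"set security vpn ipsec ike-group {p.ike_group} proposal 1 hash '{p.hash_alg}'",
        f"{peer} authentication pre-shared-secret '{p.psk}'",
        f"{peer} ike-group '{p.ike_group}'",
        f"{peer} local-address '{local.wan_address}'",
        f"{peer} vti bind '{p.vti}'",
        f"{peer} vti esp-group '{p.esp_group}'",
        f"set protocols static interface-route {remote.lan_prefix} next-hop {next_hop} interface '{p.vti}'",
    ]


# Constructed sample: FW01 is the page's primary firewall, FW02 the secondary.
FW01 = Site("FW01", "203.0.113.227", "10.1.1.2/30", "192.168.1.0/28")
FW02 = Site("FW02", "198.51.100.182", "10.1.1.1/30", "192.168.3.128/28")
PROPOSAL = Proposal(psk="test_key_1")  # the page's sample key; audit() flags it

if __name__ == "__main__":
    for local, remote in ((FW01, FW02), (FW02, FW01)):
        print(f"# {local.name}")
        print("\n".join(site_commands(local, remote, PROPOSAL)))
    for warning in audit(PROPOSAL):
        print("WARNING:", warning)
```

Running the script prints the primary and secondary command sets (identical in shape to the ones above, with the stand-in addresses) followed by three warnings for the short pre-shared key, DH group 2 and SHA-1. Paste each block into the corresponding firewall's configure mode and `commit`.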

Operation check result

An IPsec tunnel was established between the two firewalls and the terminals behind them could communicate, which confirms that the inter-site IPsec settings work as intended.
  • An IPsec tunnel was established on both the primary and the secondary firewall.

 # Tunnel status (FW1) → OK

user-admin@FW01:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xxx.182                          153.xx.xx.227

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      1698    3600    all

 # Tunnel status (FW2) → OK

user-admin@FW02:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xx.227                         153.xx.xx.182

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      1364    3600    all
  • The vti interface used for IPsec was up on both the primary and the secondary firewall.

 # vti0 interface status (FW1) → OK

user-admin@FW01:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dp0s6            153.xxx.xxx.227/29                u/u
dp0s7            192.168.1.12/28                   u/u
vti0             10.1.1.2/30                       u/u

 # vti0 interface status (FW2) → OK

user-admin@FW02:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dp0s8            153.xx.xxx.182/28                 u/u
dp0s11           192.168.3.140/28                  u/u
vti0             10.1.1.1/30                       u/u
  • Communication from the virtual server “192.168.1.3” to the virtual server behind the opposite firewall was checked. The TTL of 62 in the replies (two below the CentOS default of 64) shows that both firewalls were traversed.

# Ping → OK

 [test-user@cent001 ~]$ ping 192.168.3.130
 PING 192.168.3.130 (192.168.3.130) 56(84) bytes of data.
 64 bytes from 192.168.3.130: icmp_seq=1 ttl=62 time=195 ms
 64 bytes from 192.168.3.130: icmp_seq=2 ttl=62 time=193 ms
 64 bytes from 192.168.3.130: icmp_seq=3 ttl=62 time=193 ms
 64 bytes from 192.168.3.130: icmp_seq=4 ttl=62 time=193 ms
 64 bytes from 192.168.3.130: icmp_seq=5 ttl=62 time=193 ms
 ^C
 --- 192.168.3.130 ping statistics ---
 5 packets transmitted, 5 received, 0% packet loss, time 4004ms
 rtt min/avg/max/mdev = 193.078/193.838/195.951/1.074 ms
 [test-user@cent001 ~]$


# FTP → OK

 [test-user@cent001 tmp]$ ftp 192.168.3.130
 Connected to 192.168.3.130 (192.168.3.130).
 220 (vsFTPd 3.0.2)
 Name (192.168.3.130:test-user):
 331 Please specify the password.
 Password:
 230 Login successful.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp>
 ftp>
 ftp> dir
 227 Entering Passive Mode (192,168,3,130,118,221).
 150 Here comes the directory listing.
 226 Directory send OK.
 ftp>
 ftp> put test_file
 local: test_file remote: test_file
 227 Entering Passive Mode (192,168,3,130,118,35).
 150 Ok to send data.
 226 Transfer complete.
 ftp>
 ftp> dir
 227 Entering Passive Mode (192,168,3,130,118,209).
 150 Here comes the directory listing.
 -rw-r--r--    1 1000     1000            0 Mar 23 18:12 test_file
 226 Directory send OK.
 ftp>
 ftp> bye
 221 Goodbye.
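The `show vpn ipsec sa` tables above are what an operator reads to decide that the tunnel is healthy, and on a pair of firewalls the useful check is not just "state is up" on each box but that the two tables agree with each other (roles swapped, same algorithms, same state). The following added example (not part of the original page or of the vRouter) parses that output format and performs both checks; the sample outputs are constructed in the page's format with RFC 5737 stand-ins for the masked WAN addresses.

```python
"""Parse 'show vpn ipsec sa' output from two Brocade 5600vRouter firewalls and cross-check them.

Added example, not from the original page. The sample outputs below are constructed in
the page's output format, with RFC 5737 stand-ins for the masked WAN addresses.
"""
import re
from dataclasses import dataclass

# Data row under "Peer ID / IP  Local ID / IP": two address-like tokens, each starting with a digit.
PEER_ROW = re.compile(r"^(?P<peer>\d\S*)\s+(?P<local>\d\S*)\s*$")
# Tunnel row: Tunnel State Bytes Encrypt Hash A-Time L-Time Proto; A-Time/L-Time must be integers,
# which is what keeps the column header and the dashed ruler from matching.
SA_ROW = re.compile(
    r"^\s*(?P<tunnel>\S+)\s+(?P<state>\S+)\s+(?P<bytes>\S+)\s+(?P<encrypt>\S+)\s+"
    r"(?P<hash>\S+)\s+(?P<atime>\d+)\s+(?P<ltime>\d+)\s+(?P<proto>\S+)\s*$"
)


@dataclass
class SecurityAssociation:
    peer: str
    local: str
    tunnel: str
    state: str
    encrypt: str
    hash_alg: str
    active_seconds: int
    lifetime_seconds: int


def parse_ipsec_sa(text: str) -> list[SecurityAssociation]:
    """Return one record per tunnel row, tagged with the peer/local pair that precedes it."""
    sas: list[SecurityAssociation] = []
    peer = local = None
    for line in text.splitlines():
        m = PEER_ROW.match(line)
        if m:
            peer, local = m["peer"], m["local"]
            continue
        m = SA_ROW.match(line)
        if m and peer is not None:
            sas.append(SecurityAssociation(peer, local, m["tunnel"], m["state"], m["encrypt"],
                                           m["hash"], int(m["atime"]), int(m["ltime"])))
    return sas


def health_problems(sas: list[SecurityAssociation], expected_peers: set[str]) -> list[str]:
    """Problems on one firewall: missing peers, tunnels not up, deprecated integrity algorithms."""
    seen = {sa.peer for sa in sas}
    problems = [f"no SA towards expected peer {p}" for p in sorted(expected_peers - seen)]
    for sa in sas:
        if sa.state != "up":
            problems.append(f"{sa.peer}: tunnel {sa.tunnel} is {sa.state}")
        if sa.hash_alg.lower() in ("md5", "sha1"):
            problems.append(f"{sa.peer}: integrity algorithm {sa.hash_alg} is deprecated; prefer SHA-2")
    return problems


def mirror_problems(side_a: list[SecurityAssociation], side_b: list[SecurityAssociation]) -> list[str]:
    """Cross-check: each SA on A needs a counterpart on B with roles swapped, same algorithms and state."""
    problems = []
    by_peer_b = {sa.peer: sa for sa in side_b}
    for sa in side_a:
        other = by_peer_b.get(sa.local)
        if other is None or other.local != sa.peer:
            problems.append(f"{sa.local} -> {sa.peer}: no matching SA on the other firewall")
            continue
        if (other.encrypt, other.hash_alg) != (sa.encrypt, sa.hash_alg):
            problems.append(f"{sa.local} <-> {sa.peer}: algorithm mismatch")
        if other.state != sa.state:
            problems.append(f"{sa.local} <-> {sa.peer}: state {sa.state} on one side, {other.state} on the other")
    return problems


# Constructed sample outputs (page format, stand-in addresses).
FW01_OUTPUT = """\
user-admin@FW01:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
198.51.100.182                          203.0.113.227

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      1698    3600    all
"""
FW02_OUTPUT = FW01_OUTPUT.replace("FW01", "FW02").replace(
    "198.51.100.182                          203.0.113.227",
    "203.0.113.227                           198.51.100.182").replace("1698", "1364")
FW01_DOWN = FW01_OUTPUT.replace(" up ", " down ")  # constructed failure case

if __name__ == "__main__":
    a, b = parse_ipsec_sa(FW01_OUTPUT), parse_ipsec_sa(FW02_OUTPUT)
    for name, sas, peers in (("FW01", a, {"198.51.100.182"}), ("FW02", b, {"203.0.113.227"})):
        print(name, health_problems(sas, peers) or "OK")
    print("mirror", mirror_problems(a, b) or "OK")
```

In practice, capture `show vpn ipsec sa` from each firewall (for example over SSH) and feed the two texts to `parse_ipsec_sa`; an empty list from `mirror_problems` plus `up` on both sides is the condition the page's operation check established by eye.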