10.2.5.1. Connections using the IPsec (inter-site tunnel) function

| Operation Confirmed Version |
|---|
| Brocade 5600vRouter Version 4.2R1S1 |
Note
A VRRP virtual IP address cannot be specified as the IPsec peer (destination). For a redundant configuration combined with IPsec, see the operation-confirmed configuration example model: https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html
IPsec (site-to-site mode) connection
Presumed case for the sample setting
To establish a VPN (tunnel) connection between the firewall interfaces and enable communication between the servers behind them
To use the IPsec function (site-to-site) as the VPN connection method
To set the IPsec authentication parameters as shown in the table below
IPsec parameter information (authentication information)

| Parameter | Value |
|---|---|
| Key management protocol | IKEv1 (ISAKMP + Oakley) |
| Phase 1 | |
| Authentication method | pre-shared key |
| Pre-shared key password | test_key_1 |
| DH group | 2 |
| Hash algorithm | SHA1 |
| ISAKMP SA lifetime | 28800 seconds |
| Key exchange mode | Main mode |
| Phase 2 | |
| IPsec SA lifetime | 3600 seconds |
| Security protocol | ESP |
| Authentication algorithm | HMAC-SHA1 |
| Perfect Forward Secrecy | Enable |
| Encapsulation mode | Tunnel |
| Key exchange mode | Quick mode |
Setting flow in the presumed case
1. Setting on the primary firewall machine
2. Setting on the secondary firewall machine
Commands to be entered via the CLI
Setting on the primary firewall machine: IPsec (site-to-site)
set interfaces vti vti0 address '10.1.1.2/30'
set security vpn ipsec esp-group ESP-1W lifetime '3600'
set security vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1W lifetime '28800'
set security vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 authentication pre-shared-secret 'test_key_1'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 ike-group 'IKE-1W'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 local-address '153.xxx.xxx.227'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 vti bind 'vti0'
set security vpn ipsec site-to-site peer 153.xxx.xx.182 vti esp-group 'ESP-1W'
set protocols static interface-route 192.168.3.128/28 next-hop 10.1.1.1 interface 'vti0'
Setting on the secondary firewall machine: IPsec (site-to-site)
set interfaces vti vti0 address '10.1.1.1/30'
set security vpn ipsec esp-group ESP-1W lifetime '3600'
set security vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1W lifetime '28800'
set security vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set security vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 authentication pre-shared-secret 'test_key_1'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 ike-group 'IKE-1W'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 local-address '153.xxx.xx.182'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 vti bind 'vti0'
set security vpn ipsec site-to-site peer 153.xxx.xxx.227 vti esp-group 'ESP-1W'
set protocols static interface-route 192.168.1.0/28 next-hop 10.1.1.2 interface 'vti0'
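The two command sets above must mirror each other (peer and local-address swapped, identical pre-shared secret and proposals, each static route pointing at the far side's VTI address); a mismatch is the usual reason phase 1 or phase 2 never completes. The following script is an added example, not the page's or Brocade's own code; it parses both sides' `set` commands and lists the mismatches, using documentation addresses in place of the page's masked 153.xxx values.

```python
# Added example (not the page's or Brocade's code): check that the primary and
# secondary "set" commands mirror each other before committing either side.
S2S = "security vpn ipsec site-to-site peer "
GROUPS = ("security vpn ipsec ike-group ", "security vpn ipsec esp-group ")
# Constructed input: the page's commands, with the masked 153.xxx addresses
# replaced by documentation addresses (203.0.113.1 = FW1, 198.51.100.2 = FW2).
FW1 = """
set interfaces vti vti0 address '10.1.1.2/30'
set security vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set security vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret 'test_key_1'
set security vpn ipsec site-to-site peer 198.51.100.2 local-address '203.0.113.1'
set protocols static interface-route 192.168.3.128/28 next-hop 10.1.1.1 interface 'vti0'
"""
FW2 = """
set interfaces vti vti0 address '10.1.1.1/30'
set security vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set security vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'test_key_1'
set security vpn ipsec site-to-site peer 203.0.113.1 local-address '198.51.100.2'
set protocols static interface-route 192.168.1.0/28 next-hop 10.1.1.2 interface 'vti0'
"""
def parse_set(text):
    """Map each "set <path> '<value>'" line to {path: value}, quotes stripped."""
    cfg = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set":
            cfg[" ".join(tokens[1:-1])] = tokens[-1].strip("'")
    return cfg

def peer_of(cfg):
    """Return the remote peer address used in the site-to-site commands."""
    return next(path.split()[5] for path in cfg if path.startswith(S2S))

def mirror_problems(a, b):
    """List mismatches between the two sides; an empty list means they mirror."""
    pa, pb, problems = peer_of(a), peer_of(b), []
    if a[S2S + pa + " local-address"] != pb or b[S2S + pb + " local-address"] != pa:
        problems.append("peer and local-address are not swapped between the sides")
    if a[S2S + pa + " authentication pre-shared-secret"] != b[S2S + pb + " authentication pre-shared-secret"]:
        problems.append("pre-shared secrets differ")
    for path in a:  # IKE/ESP proposals (same group names on both sides, as on the page)
        if path.startswith(GROUPS) and a[path] != b.get(path):
            problems.append(f"{path}: {a[path]} vs {b.get(path)}")
    for cfg, other in ((a, b), (b, a)):  # each vti0 route must use the far VTI address
        want = other["interfaces vti vti0 address"].split("/")[0]
        for path in cfg:
            if path.startswith("protocols static interface-route") and path.split()[5] != want:
                problems.append(f"{path}: next-hop should be {want}")
    return problems
```

Run `mirror_problems(parse_set(FW1), parse_set(FW2))` on the real command sets (copied from `show configuration commands` on each router) and commit only when it returns an empty list.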
Primary firewall machine configuration
interfaces {
    vti vti0 {
        address 10.1.1.2/30
    }
}
security {
    vpn {
        ipsec {
            esp-group ESP-1W {
                lifetime 3600
                proposal 1 {
                    encryption aes256
                    hash sha1
                }
            }
            ike-group IKE-1W {
                lifetime 28800
                proposal 1 {
                    dh-group 2
                    encryption aes256
                    hash sha1
                }
            }
            site-to-site {
                peer 153.xxx.xx.182 {
                    authentication {
                        pre-shared-secret test_key_1
                    }
                    ike-group IKE-1W
                    local-address 153.xxx.xxx.227
                    vti {
                        bind vti0
                        esp-group ESP-1W
                    }
                }
            }
        }
    }
}
protocols {
    static {
        interface-route 192.168.3.128/28 {
            next-hop 10.1.1.1 {
                interface vti0
            }
        }
    }
}
Secondary firewall machine configuration
interfaces {
    vti vti0 {
        address 10.1.1.1/30
    }
}
security {
    vpn {
        ipsec {
            esp-group ESP-1W {
                lifetime 3600
                proposal 1 {
                    encryption aes256
                    hash sha1
                }
            }
            ike-group IKE-1W {
                lifetime 28800
                proposal 1 {
                    dh-group 2
                    encryption aes256
                    hash sha1
                }
            }
            site-to-site {
                peer 153.xxx.xxx.227 {
                    authentication {
                        pre-shared-secret test_key_1
                    }
                    ike-group IKE-1W
                    local-address 153.xxx.xx.182
                    vti {
                        bind vti0
                        esp-group ESP-1W
                    }
                }
            }
        }
    }
}
protocols {
    static {
        interface-route 192.168.1.0/28 {
            next-hop 10.1.1.2 {
                interface vti0
            }
        }
    }
}
Operation check result
It was confirmed that an IPsec tunnel was established on both the primary and the secondary firewall machine.
# Tunnel status (FW1) → OK
user-admin@FW01:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
153.xx.xxx.182 153.xx.xx.227
Tunnel State Bytes Out/In Encrypt Hash A-Time L-Time Proto
------ ----- ------------- ------------ -------- ------ ------ -----
vti up 0.0/0.0 aes256 sha1 1698 3600 all
# Tunnel status (FW2) → OK
user-admin@FW02:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
153.xx.xx.227 153.xx.xx.182
Tunnel State Bytes Out/In Encrypt Hash A-Time L-Time Proto
------ ----- ------------- ------------ -------- ------ ------ -----
vti up 0.0/0.0 aes256 sha1 1364 3600 all
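The `show vpn ipsec sa` check above can be scripted so that a monitoring job reports a tunnel that is missing, down, or negotiated with a different proposal than the one configured. The following is an added example, not the page's or Brocade's code; the sample output is constructed in the layout shown above with placeholder addresses, and the parser assumes the column order of that layout.

```python
# Added example (not from the page): turn the "show vpn ipsec sa" check into an
# automated verification of tunnel state and of the negotiated proposal.
import re

# Constructed sample in the page's output layout, with placeholder addresses.
SA_OUTPUT = """
Peer ID / IP                            Local ID / IP
-------------                           -------------
198.51.100.2                            203.0.113.1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    A-Time  L-Time  Proto
    ------  -----  -------------  -------  ------  ------  ------  -----
    vti     up     0.0/0.0        aes256   sha1    1698    3600    all
"""

def parse_sa(text):
    """Return one dict per SA row, tagged with the peer/local header above it."""
    sas, peer = [], None
    for line in text.splitlines():
        f = line.split()
        if len(f) == 2 and re.match(r"\d+\.\d+\.\d+\.\d+$", f[0]):
            peer = (f[0], f[1])  # header line: "<peer IP>  <local IP>"
        elif len(f) == 8 and f[1] in ("up", "down") and peer:
            out, inb = f[2].split("/")
            sas.append({"peer": peer[0], "local": peer[1], "tunnel": f[0],
                        "state": f[1], "out": float(out), "in": float(inb),
                        "encrypt": f[3], "hash": f[4],
                        "atime": int(f[5]), "ltime": int(f[6])})
    return sas

def check_sa(text, peer, encrypt="aes256", hash_="sha1"):
    """List findings for the SA(s) to `peer`; an empty list means healthy."""
    matching = [s for s in parse_sa(text) if s["peer"] == peer]
    if not matching:
        return [f"no SA to {peer}: IKE phase 1 or phase 2 did not complete"]
    findings = []
    for sa in matching:
        if sa["state"] != "up":
            findings.append(f"{sa['tunnel']} to {peer} is {sa['state']}")
        if (sa["encrypt"], sa["hash"]) != (encrypt, hash_):
            findings.append(f"negotiated {sa['encrypt']}/{sa['hash']}, expected {encrypt}/{hash_}")
        if sa["out"] == 0 and sa["in"] == 0:
            findings.append("SA is up but has carried no traffic yet; run the ping test")
    return findings
```

A freshly established SA shows 0.0/0.0 bytes, as in the outputs above; the check reports that as a reminder that only the ping and file-transfer tests below prove the tunnel actually forwards traffic.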
It was confirmed that the vti interface used for IPsec was up on both the primary and the secondary firewall machine.
# vti0 interface status (FW1) → OK
user-admin@FW01:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
dp0s6 153.xxx.xxx.227/29 u/u
dp0s7 192.168.1.12/28 u/u
vti0 10.1.1.2/30 u/u
# vti0 interface status (FW2) → OK
user-admin@FW02:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
dp0s8 153.xx.xxx.182/28 u/u
dp0s11 192.168.3.140/28 u/u
vti0 10.1.1.1/30 u/u
Communication from the virtual server 192.168.1.3 to the virtual server on the opposite side (192.168.3.130) was checked.
# Ping → OK
[test-user@cent001 ~]$ ping 192.168.3.130
PING 192.168.3.130 (192.168.3.130) 56(84) bytes of data.
64 bytes from 192.168.3.130: icmp_seq=1 ttl=62 time=195 ms
64 bytes from 192.168.3.130: icmp_seq=2 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=3 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=4 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=5 ttl=62 time=193 ms
^C
--- 192.168.3.130 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 193.078/193.838/195.951/1.074 ms
[test-user@cent001 ~]$
# FTP → OK
[test-user@cent001 tmp]$ ftp 192.168.3.130
Connected to 192.168.3.130 (192.168.3.130).
220 (vsFTPd 3.0.2)
Name (192.168.3.130:test-user):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp>
ftp> dir
227 Entering Passive Mode (192,168,3,130,118,221).
150 Here comes the directory listing.
226 Directory send OK.
ftp>
ftp> put test_file
local: test_file remote: test_file
227 Entering Passive Mode (192,168,3,130,118,35).
150 Ok to send data.
226 Transfer complete.
ftp>
ftp> dir
227 Entering Passive Mode (192,168,3,130,118,209).
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 0 Mar 23 18:12 test_file
226 Directory send OK.
ftp>
ftp> bye
221 Goodbye.