10.2.5.3. Connections Using the OpenVPN (Inter-site Tunnel) Function¶
| Operation Confirmed Version: | |
|---|---|
| Brocade 5600vRouter Version4.2R1S1 | |
OpenVPN is an SSL VPN technology, which uses SSL/TSL technologies. For Brocade 5600vRouter, OpenVPN is supported.
This section describes the settings of an inter-site connection tunnel using OpenVPN.
Building up an OpenVPN tunnel allows connections and communications between the intra-site network of both sides, through the VPN tunnel.
OpenVPN (site-to-site mode) setting¶
Make VPN settings (inter-site connection tunnel) using the site-to-site mode of OpenVPN.
Build up the inter-site connection tunnel between the two firewall machines.
Presumed case for sample setting
To make VPN connections (tunnel connections) between firewall interfaces and enable communications between servers belonging to them
To use the OpenVPN function as the VPN connection method
To make inter-site OpenVPN connections using PSK (pre-shared key)
Configuration diagram
Note
Assume that communications between the two firewall machines have been established before OpenVPN setting.
Setting flow in a presumed case
Setting on the primary firewall machine
1.Creating vtun0 tunnel interface
2.Setting vtun0 interface to “192.168.200.1/24”
3.Setting site-to-site as the mode for inter-site tunnel connections
4.Setting “192.168.200.2” as the IP address of the opposite machine with which the tunnel is directly connected
5.Setting “192.168.2.9” as the IP address of the opposite router which builds up the tunnel
6.Creating PSK file secret to be used and making the secondary machine share it
7.For the PSK file to be used, specifying “/config/auth/secret”
8.Setting a static route so that, on network “192.168.3.0/24” belonging to the opposite firewall, communications via a tunnel are performed
Setting on the secondary firewall machine
1.Creating vtun0 tunnel interface
2.Setting vtun0 interface to “192.168.200.2/24”
3.Setting site-to-site as the mode for inter-site tunnel connections
4.Setting “192.168.200.1” as the IP address of the opposite machine with which the tunnel is directly connected
5.Setting “192.168.2.5” as the IP address of the opposite route which builds up the router
6.For the PSK file to be used, specifying “/config/auth/secret”
7.Setting a static route so that, on network “192.168.3.0/24” belonging to the opposite firewall, communications via a tunnel are performed
Preparation of PSK
The procedure for creating a PSK (pre-shard key) with the function of the firewall is described.
Create a PSK on the primary machine and copy it to the secondary machine.
To copy, use the SCP function executable on the firewall.
user-admin@vya1:/usr/sbin$ /usr/sbin/openvpn --genkey --secret /config/auth/secret
user-admin@vya1:~$
user-admin@vya1:~$
user-admin@vya1:~$ scp /config/auth/secret user-admin@192.168.2.9:/config/auth/
Welcome to Brocade vRouter
user-admin@192.168.2.9's password:
secret 100% 636 0.6KB/s 00:00
user-admin@vya1:~$
Note
If the procedure in the manual for Brocade 5600vRouter is followed to create a pre-shared key, the firewall machines need to be restarted to make them share the key files. The procedure example above, which differs from the one in the manual, presents a setting example which allows a pre-shared key to be shared without restarting.
Command to be entered with CLI
OpenVPN setting on the primary firewall machine (@vya1)
set interface openvpn vtun0 local-address '192.168.200.1'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.2'
set interface openvpn vtun0 remote-host '192.168.2.9'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.3.0/24 next-hop-interface 'vtun0'
OpenVPN setting on the secondary firewall machine (@vya2)
set interface openvpn vtun0 local-address '192.168.200.2'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.1'
set interface openvpn vtun0 remote-host '192.168.2.5'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.1.0/24 next-hop-interface 'vtun0'
Note
In the setting example, a PSK file “secret” is put under /config/auth/ and specified.
The configuration after completion of appropriate settings is as follows.
Primary firewall machine configuration
interfaces {
dataplane dp0s4 {
address 192.168.1.3/24
}
dataplane dp0s5 {
address 192.168.2.5/24
}
dataplane dp0s6 {
}
dataplane dp0s7 {
}
loopback lo
openvpn vtun0 {
local-address 192.168.200.1
mode site-to-site
remote-address 192.168.200.2
remote-host 192.168.2.9
shared-secret-key-file /config/auth/secret
}
}
protocols {
static {
interface-route 192.168.3.0/24 {
next-hop-interface vtun0
}
}
}
Secondary firewall machine configuration
interfaces {
dataplane dp0s4 {
address 192.168.3.5/24
}
dataplane dp0s5 {
address 192.168.2.9/24
}
dataplane dp0s6 {
}
dataplane dp0s7 {
}
loopback lo
openvpn vtun0 {
local-address 192.168.200.2
mode site-to-site
remote-address 192.168.200.1
remote-host 192.168.2.5
shared-secret-key-file /config/auth/secret
}
}
protocols {
static {
interface-route 192.168.1.0/24 {
next-hop-interface vtun0
}
}
}
Operation check result
Due to successful establishment of the OpenVPN tunnel between the two firewall machines, communications from the servers connected with the individual firewall machines can be performed using the OpenVPN tunnel, so the inter-site OpenVPN settings have been made properly.
#FW-1(vya1) OpenVPN tunnel status
user-admin@vya1:~$ sh openvpn site-to-site status
OpenVPN client status on vtun0
Remote CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK) 192.168.2.9 192.168.200.2 90.9K 90.6K N/A
#FW-2(vya2) OpenVPN tunnel status
user-admin@vya2:~$ sh openvpn site-to-site status
OpenVPN client status on vtun0
Remote CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK) 192.168.2.5 192.168.200.1 98.4K 99.0K N/A
#From Virtual Server under FW-1 to server -> OK
[root@localhost ~]# ping 192.168.3.3 -c 60
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=60 time=4.14 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=60 time=2.73 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=60 time=2.41 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=60 time=2.71 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=60 time=2.37 ms
(途中省略)
64 bytes from 192.168.3.3: icmp_seq=56 ttl=60 time=3.11 ms
64 bytes from 192.168.3.3: icmp_seq=57 ttl=60 time=2.66 ms
64 bytes from 192.168.3.3: icmp_seq=58 ttl=60 time=2.27 ms
64 bytes from 192.168.3.3: icmp_seq=59 ttl=60 time=3.17 ms
64 bytes from 192.168.3.3: icmp_seq=60 ttl=60 time=3.24 ms
--- 192.168.3.3 ping statistics ---
60 packets transmitted, 60 received, 0% packet loss, time 59098ms
rtt min/avg/max/mdev = 2.120/6.661/57.831/13.230 ms
[root@localhost ~]#
#From Virtual Server under FW-2 to server -> OK
test@web1:~$ ping 192.168.1.4 -c 61
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=60 time=5.14 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=60 time=2.89 ms
64 bytes from 192.168.1.4: icmp_seq=3 ttl=60 time=2.95 ms
64 bytes from 192.168.1.4: icmp_seq=4 ttl=60 time=20.8 ms
64 bytes from 192.168.1.4: icmp_seq=5 ttl=60 time=2.40 ms
(途中省略)
64 bytes from 192.168.1.4: icmp_seq=56 ttl=60 time=2.59 ms
64 bytes from 192.168.1.4: icmp_seq=57 ttl=60 time=2.40 ms
64 bytes from 192.168.1.4: icmp_seq=58 ttl=60 time=2.37 ms
64 bytes from 192.168.1.4: icmp_seq=59 ttl=60 time=2.71 ms
64 bytes from 192.168.1.4: icmp_seq=60 ttl=60 time=2.52 ms
64 bytes from 192.168.1.4: icmp_seq=61 ttl=60 time=3.39 ms
^C
--- 192.168.1.4 ping statistics ---
61 packets transmitted, 61 received, 0% packet loss, time 60097ms
rtt min/avg/max/mdev = 2.225/5.493/57.795/11.357 ms