10.2.5.3. Connections Using the OpenVPN (Inter-site Tunnel) Function
Operation Confirmed Version: Brocade 5600vRouter Version 4.2R1S1
OpenVPN (site-to-site mode) setting
Presumed case for sample setting
Establish a VPN (tunnel) connection between the interfaces of the two firewall machines so that the servers behind each of them can communicate with each other
Use the OpenVPN function as the VPN connection method
Authenticate the inter-site OpenVPN connection with a PSK (pre-shared key)
Note
It is assumed that the two firewall machines can already reach each other (here FW-1 at 192.168.2.5 and FW-2 at 192.168.2.9) before the OpenVPN settings are made.
Setting flow in a presumed case
Preparation of PSK
user-admin@vya1:/usr/sbin$ /usr/sbin/openvpn --genkey --secret /config/auth/secret
user-admin@vya1:~$
user-admin@vya1:~$
user-admin@vya1:~$ scp /config/auth/secret user-admin@192.168.2.9:/config/auth/
Welcome to Brocade vRouter
user-admin@192.168.2.9's password:
secret 100% 636 0.6KB/s 00:00
user-admin@vya1:~$
Note
If the pre-shared key is created by following the procedure in the Brocade 5600vRouter manual, the firewall machines must be restarted before they share the key file. The example above, which differs from the manual's procedure, generates the key with openvpn --genkey on one machine and copies it to the other with scp, so the key is shared without a restart.
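The key file produced above is the entire credential for the tunnel: OpenVPN's static-key mode has no forward secrecy, and the one file both authenticates the peers and supplies the traffic keys, so whoever can read it can join or decrypt the tunnel. The following Python script is an added example, not part of the original page or of the Brocade vRouter software. It writes a file in the same layout as `openvpn --genkey --secret` (a constructed stand-in, so it runs without OpenVPN installed), validates a copy the way a practitioner would after the scp (owner-only permissions, BEGIN/END markers, 512 hex digits), and compares the two copies by SHA-256 fingerprint so the key never has to be sent back over the wire. The 636 bytes reported by the scp line are exactly this layout: three comment lines, the BEGIN line, 16 lines of 32 hex digits, and the END line.

```python
import hashlib
import os
import re
import secrets
import shutil
import stat
import tempfile

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # "2048 bit OpenVPN static key", the size --genkey writes


def write_static_key(path):
    """Constructed stand-in for `openvpn --genkey --secret PATH`: same on-disk
    layout (three comment lines, BEGIN marker, 16 lines of 32 hex digits, END)."""
    hexkey = secrets.token_bytes(KEY_BYTES).hex()
    lines = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    lines += [hexkey[i:i + 32] for i in range(0, len(hexkey), 32)]
    lines.append(END)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # the key is the whole credential: owner-only


def parse_static_key(path):
    """Return the 256 raw key bytes, or raise ValueError if the file is not a
    well-formed static key V1 file (what shared-secret-key-file must point at)."""
    with open(path) as fh:
        body = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    if len(body) < 2 or body[0] != BEGIN or body[-1] != END:
        raise ValueError("missing BEGIN/END OpenVPN Static key V1 markers")
    hexkey = "".join(body[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (KEY_BYTES * 2), hexkey):
        raise ValueError("key body is not %d hex digits" % (KEY_BYTES * 2))
    return bytes.fromhex(hexkey)


def fingerprint(path):
    """SHA-256 of the key bytes: safe to compare between the two routers
    (by voice, ticket or a second channel) without exposing the key itself."""
    return hashlib.sha256(parse_static_key(path)).hexdigest()


def check_key_file(path):
    """Checks to run on each router after the scp. Returns (ok, findings)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o lets group/others read the pre-shared key" % mode)
    try:
        parse_static_key(path)
    except ValueError as err:
        findings.append(str(err))
    return (not findings, findings)


def demo():
    """Generate a key on 'vya1', copy it to 'vya2', run the checks on both copies."""
    root = tempfile.mkdtemp()
    vya1 = os.path.join(root, "vya1_secret")
    vya2 = os.path.join(root, "vya2_secret")
    write_static_key(vya1)
    shutil.copy2(vya1, vya2)  # stands in for the scp on the page, keeps the mode
    result = {
        "size": os.path.getsize(vya1),  # 636 bytes, as the scp line on the page shows
        "vya1_ok": check_key_file(vya1)[0],
        "vya2_ok": check_key_file(vya2)[0],
        "same_key": fingerprint(vya1) == fingerprint(vya2),
    }
    # a truncated copy (for example an interrupted transfer) must be rejected
    with open(vya2, "r+") as fh:
        fh.truncate(os.path.getsize(vya2) - 40)
    result["truncated_ok"] = check_key_file(vya2)[0]
    # a world-readable key must be flagged even when its contents are fine
    os.chmod(vya1, 0o644)
    result["world_readable_ok"] = check_key_file(vya1)[0]
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On the routers themselves the same checks reduce to `ls -l /config/auth/secret` on both sides (owner-only permissions) and comparing `sha256sum /config/auth/secret` on vya1 and vya2; the script only makes explicit what a correct file looks like.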
Command to be entered with CLI
#FW-1(vya1)
set interface openvpn vtun0 local-address '192.168.200.1'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.2'
set interface openvpn vtun0 remote-host '192.168.2.9'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.3.0/24 next-hop-interface 'vtun0'
#FW-2(vya2)
set interface openvpn vtun0 local-address '192.168.200.2'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.1'
set interface openvpn vtun0 remote-host '192.168.2.5'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.1.0/24 next-hop-interface 'vtun0'
Note
In the setting example, the PSK file is saved as /config/auth/secret on both firewall machines, and that path is given in shared-secret-key-file.
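The two sets of commands must mirror each other: each router's local-address is the other's remote-address, remote-host is the address on the peer that was already reachable before the setting (192.168.2.9 seen from vya1, 192.168.2.5 seen from vya2), and the interface-route sent into vtun0 is the LAN behind the peer. The script below is an added example, not part of the original page or of the vRouter software. It parses both routers' `set` commands (the dataplane address lines are assumed `set` equivalents of the show output on this page), reports any asymmetry, and then shows the findings for a common mistake: FW-2 configured with FW-1's tunnel addresses pasted in unchanged.

```python
import ipaddress
import shlex

# The page's settings as the `set` commands typed on each router. The dataplane
# address lines are assumed equivalents of the `show` output on the page.
FW1_SET = [
    "set interfaces dataplane dp0s4 address '192.168.1.3/24'",
    "set interfaces dataplane dp0s5 address '192.168.2.5/24'",
    "set interface openvpn vtun0 local-address '192.168.200.1'",
    "set interface openvpn vtun0 mode 'site-to-site'",
    "set interface openvpn vtun0 remote-address '192.168.200.2'",
    "set interface openvpn vtun0 remote-host '192.168.2.9'",
    "set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'",
    "set protocols static interface-route 192.168.3.0/24 next-hop-interface 'vtun0'",
]
FW2_SET = [
    "set interfaces dataplane dp0s4 address '192.168.3.5/24'",
    "set interfaces dataplane dp0s5 address '192.168.2.9/24'",
    "set interface openvpn vtun0 local-address '192.168.200.2'",
    "set interface openvpn vtun0 mode 'site-to-site'",
    "set interface openvpn vtun0 remote-address '192.168.200.1'",
    "set interface openvpn vtun0 remote-host '192.168.2.5'",
    "set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'",
    "set protocols static interface-route 192.168.1.0/24 next-hop-interface 'vtun0'",
]


def parse_set_commands(lines):
    """Turn `set a b c 'value'` lines into {("a","b","c"): "value"}; accepts the
    abbreviated `interface` typed on the page as well as the full `interfaces` node."""
    tree = {}
    for ln in lines:
        toks = shlex.split(ln)
        if len(toks) < 3 or toks[0] != "set":
            continue
        path = tuple("interfaces" if t == "interface" else t for t in toks[1:-1])
        tree[path] = toks[-1]
    return tree


def dataplane_addresses(tree):
    return [ipaddress.ip_interface(v) for p, v in tree.items()
            if p[:2] == ("interfaces", "dataplane") and p[-1] == "address"]


def check_one_way(a, b, tun="vtun0"):
    """Findings when router `a` is checked against its peer `b`; [] means consistent."""
    ga = lambda leaf: a.get(("interfaces", "openvpn", tun, leaf))
    gb = lambda leaf: b.get(("interfaces", "openvpn", tun, leaf))
    f = []
    if ga("mode") != "site-to-site":
        f.append("mode is %r, expected site-to-site" % ga("mode"))
    if ga("local-address") != gb("remote-address"):
        f.append("local-address %s is not the peer's remote-address %s"
                 % (ga("local-address"), gb("remote-address")))
    if ga("remote-address") != gb("local-address"):
        f.append("remote-address %s is not the peer's local-address %s"
                 % (ga("remote-address"), gb("local-address")))
    if ga("local-address") == ga("remote-address"):
        f.append("local-address and remote-address are the same")
    peer_ifaces = dataplane_addresses(b)
    if ga("remote-host") not in {str(i.ip) for i in peer_ifaces}:
        f.append("remote-host %s is not an address configured on the peer" % ga("remote-host"))
    if ga("shared-secret-key-file") != gb("shared-secret-key-file"):
        f.append("shared-secret-key-file differs from the peer's")
    # every network routed into the tunnel must be a LAN the peer actually has
    peer_lans = {i.network for i in peer_ifaces if str(i.ip) != ga("remote-host")}
    routed = [ipaddress.ip_network(p[3]) for p, v in a.items()
              if p[:3] == ("protocols", "static", "interface-route") and v == tun]
    if not routed:
        f.append("no interface-route sends traffic into %s" % tun)
    for net in routed:
        if net not in peer_lans:
            f.append("interface-route %s via %s matches no network behind the peer" % (net, tun))
    return f


def check_pair(fw1_lines, fw2_lines):
    a, b = parse_set_commands(fw1_lines), parse_set_commands(fw2_lines)
    return (["FW-1: " + x for x in check_one_way(a, b)]
            + ["FW-2: " + x for x in check_one_way(b, a)])


def demo():
    """The page's pair must pass; FW-2 with FW-1's tunnel addresses pasted in must not."""
    pasted = [ln for ln in FW2_SET if "local-address" not in ln and "remote-address" not in ln]
    pasted += ["set interface openvpn vtun0 local-address '192.168.200.1'",
               "set interface openvpn vtun0 remote-address '192.168.200.2'"]
    return {"page": check_pair(FW1_SET, FW2_SET), "pasted": check_pair(FW1_SET, pasted)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```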
#FW-1(vya1) configuration
interfaces {
    dataplane dp0s4 {
        address 192.168.1.3/24
    }
    dataplane dp0s5 {
        address 192.168.2.5/24
    }
    dataplane dp0s6 {
    }
    dataplane dp0s7 {
    }
    loopback lo
    openvpn vtun0 {
        local-address 192.168.200.1
        mode site-to-site
        remote-address 192.168.200.2
        remote-host 192.168.2.9
        shared-secret-key-file /config/auth/secret
    }
}
protocols {
    static {
        interface-route 192.168.3.0/24 {
            next-hop-interface vtun0
        }
    }
}
#FW-2(vya2) configuration
interfaces {
    dataplane dp0s4 {
        address 192.168.3.5/24
    }
    dataplane dp0s5 {
        address 192.168.2.9/24
    }
    dataplane dp0s6 {
    }
    dataplane dp0s7 {
    }
    loopback lo
    openvpn vtun0 {
        local-address 192.168.200.2
        mode site-to-site
        remote-address 192.168.200.1
        remote-host 192.168.2.5
        shared-secret-key-file /config/auth/secret
    }
}
protocols {
    static {
        interface-route 192.168.1.0/24 {
            next-hop-interface vtun0
        }
    }
}
Operation check result
#FW-1(vya1) OpenVPN tunnel status
user-admin@vya1:~$ sh openvpn site-to-site status
OpenVPN client status on vtun0
Remote CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK) 192.168.2.9 192.168.200.2 90.9K 90.6K N/A
#FW-2(vya2) OpenVPN tunnel status
user-admin@vya2:~$ sh openvpn site-to-site status
OpenVPN client status on vtun0
Remote CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK) 192.168.2.5 192.168.200.1 98.4K 99.0K N/A
#From the virtual server under FW-1 (192.168.1.0/24) to the server under FW-2 (192.168.3.3) -> OK
[root@localhost ~]# ping 192.168.3.3 -c 60
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=60 time=4.14 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=60 time=2.73 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=60 time=2.41 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=60 time=2.71 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=60 time=2.37 ms
(intermediate lines omitted)
64 bytes from 192.168.3.3: icmp_seq=56 ttl=60 time=3.11 ms
64 bytes from 192.168.3.3: icmp_seq=57 ttl=60 time=2.66 ms
64 bytes from 192.168.3.3: icmp_seq=58 ttl=60 time=2.27 ms
64 bytes from 192.168.3.3: icmp_seq=59 ttl=60 time=3.17 ms
64 bytes from 192.168.3.3: icmp_seq=60 ttl=60 time=3.24 ms
--- 192.168.3.3 ping statistics ---
60 packets transmitted, 60 received, 0% packet loss, time 59098ms
rtt min/avg/max/mdev = 2.120/6.661/57.831/13.230 ms
[root@localhost ~]#
#From the virtual server under FW-2 (192.168.3.0/24) to the server under FW-1 (192.168.1.4) -> OK
test@web1:~$ ping 192.168.1.4 -c 61
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=60 time=5.14 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=60 time=2.89 ms
64 bytes from 192.168.1.4: icmp_seq=3 ttl=60 time=2.95 ms
64 bytes from 192.168.1.4: icmp_seq=4 ttl=60 time=20.8 ms
64 bytes from 192.168.1.4: icmp_seq=5 ttl=60 time=2.40 ms
(intermediate lines omitted)
64 bytes from 192.168.1.4: icmp_seq=56 ttl=60 time=2.59 ms
64 bytes from 192.168.1.4: icmp_seq=57 ttl=60 time=2.40 ms
64 bytes from 192.168.1.4: icmp_seq=58 ttl=60 time=2.37 ms
64 bytes from 192.168.1.4: icmp_seq=59 ttl=60 time=2.71 ms
64 bytes from 192.168.1.4: icmp_seq=60 ttl=60 time=2.52 ms
64 bytes from 192.168.1.4: icmp_seq=61 ttl=60 time=3.39 ms
^C
--- 192.168.1.4 ping statistics ---
61 packets transmitted, 61 received, 0% packet loss, time 60097ms
rtt min/avg/max/mdev = 2.225/5.493/57.795/11.357 ms