10.2.5.3. Connections Using the OpenVPN (Inter-site Tunnel) Function

Operation Confirmed Version:
 Brocade 5600vRouter Version 4.2R1S1
OpenVPN is an SSL VPN technology built on SSL/TLS. Brocade 5600vRouter supports OpenVPN.
This section describes the settings for an inter-site (site-to-site) tunnel using OpenVPN.
Once the OpenVPN tunnel is built, the internal networks on both sides can communicate with each other through the VPN tunnel.

OpenVPN (site-to-site mode) setting

Configure the VPN (inter-site connection tunnel) using the site-to-site mode of OpenVPN.
The inter-site tunnel is built between the two firewall machines.

Presumed case for sample setting

  • To make VPN connections (tunnel connections) between the firewall interfaces and enable communication between the servers behind them

  • To use the OpenVPN function as the VPN connection method

  • To make inter-site OpenVPN connections using PSK (pre-shared key)

Configuration diagram
[Figure: openvpn_tunnel_fig1]

Note

It is assumed that communication between the two firewall machines has already been established before the OpenVPN settings are made.

Setting flow in a presumed case

Setting on the primary firewall machine

1. Creating the vtun0 tunnel interface
2. Setting the vtun0 interface address to “192.168.200.1/24”
3. Setting site-to-site as the mode for inter-site tunnel connections
4. Setting “192.168.200.2” as the tunnel IP address of the opposite machine to which the tunnel is directly connected
5. Setting “192.168.2.9” as the IP address of the opposite router that builds up the tunnel
6. Creating the PSK file “secret” and copying it to the secondary machine so that both share it
7. Specifying “/config/auth/secret” as the PSK file to be used
8. Setting a static route so that traffic to network “192.168.3.0/24”, which belongs to the opposite firewall, goes through the tunnel

Setting on the secondary firewall machine

1. Creating the vtun0 tunnel interface
2. Setting the vtun0 interface address to “192.168.200.2/24”
3. Setting site-to-site as the mode for inter-site tunnel connections
4. Setting “192.168.200.1” as the tunnel IP address of the opposite machine to which the tunnel is directly connected
5. Setting “192.168.2.5” as the IP address of the opposite router that builds up the tunnel
6. Specifying “/config/auth/secret” as the PSK file to be used
7. Setting a static route so that traffic to network “192.168.1.0/24”, which belongs to the opposite firewall, goes through the tunnel (see the secondary machine's commands and configuration below)

Preparation of PSK

The procedure for creating a PSK (pre-shared key) with the firewall's own tools is described here.
Create the PSK on the primary machine and copy it to the secondary machine.
Use the scp command available on the firewall to copy it.
user-admin@vya1:/usr/sbin$ /usr/sbin/openvpn --genkey --secret /config/auth/secret
user-admin@vya1:~$
user-admin@vya1:~$
user-admin@vya1:~$ scp /config/auth/secret user-admin@192.168.2.9:/config/auth/
Welcome to Brocade vRouter

user-admin@192.168.2.9's password:
secret                                       100%  636     0.6KB/s   00:00
user-admin@vya1:~$

Note

If the procedure in the Brocade 5600vRouter manual is followed to create a pre-shared key, the firewall machines must be restarted before they share the key file. The procedure above differs from the manual and shows a way to share the pre-shared key without restarting.
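The PSK file is the only credential protecting this tunnel, so it is worth checking it on the primary machine before copying it with scp. The script below is an added example, not code from the Brocade manual: it verifies that a file has the layout of an OpenVPN V1 static key (BEGIN/END markers around 16 lines of 32 hex digits, i.e. 2048 bits) and owner-only permissions, then performs the same scp step as on this page. It assumes only POSIX sh, awk and stat. The sample key it writes is a constructed placeholder with a dummy body, used only to exercise the checks; a real key comes from `openvpn --genkey --secret FILE` as shown above.

```shell
#!/bin/sh
# Added example (not from the Brocade manual): check an OpenVPN static key
# (PSK) file before copying it to the secondary machine, so that a truncated,
# hand-edited or world-readable key is caught on the primary side.
# Assumptions: POSIX sh, awk and stat. make_sample_key writes a constructed
# placeholder with a dummy body; a real key comes from
# "openvpn --genkey --secret FILE" as on the page.

# check_psk FILE -> 0 if FILE looks like a V1 static key with owner-only
# permissions, 1 otherwise (the reason is printed to stderr).
check_psk() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # Owner-only permissions: the key is the only authentication for the tunnel.
    mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=$(stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600 (run: chmod 600 $f)" >&2; return 1 ;;
    esac
    # Count the body lines between the V1 markers and how many of them are
    # exactly 32 lowercase hex digits; a 2048-bit key is 16 such lines.
    counts=$(awk '
        /^-----BEGIN OpenVPN Static key V1-----$/ { inb = 1; seen_begin = 1; next }
        /^-----END OpenVPN Static key V1-----$/   { inb = 0; seen_end = 1; next }
        inb { total++; if (length($0) == 32 && $0 ~ /^[0-9a-f]+$/) hex++ }
        END { printf "%d %d %d %d\n", seen_begin, seen_end, total, hex }' "$f")
    set -- $counts
    [ "$1" -eq 1 ] || { echo "$f: missing BEGIN marker" >&2; return 1; }
    [ "$2" -eq 1 ] || { echo "$f: missing END marker" >&2; return 1; }
    [ "$3" -eq 16 ] && [ "$4" -eq 16 ] || {
        echo "$f: expected 16 hex lines of 32 digits, found $3 lines ($4 valid)" >&2
        return 1
    }
    return 0
}

# make_sample_key FILE: constructed placeholder in the V1 layout (dummy body,
# not a usable key).
make_sample_key() {
    out="$1"
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032x\n' "$i"    # 32 hex digits per line, dummy content
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$out"
    chmod 600 "$out"
}

# deploy_psk FILE: run the check, then copy the key to the secondary machine
# with the same scp step as on the page (destination taken from the page).
deploy_psk() {
    check_psk "$1" || return 1
    scp "$1" user-admin@192.168.2.9:/config/auth/
}

# Stand-alone demonstration on a temporary constructed key.
tmp=$(mktemp -d)
make_sample_key "$tmp/secret"
check_psk "$tmp/secret" && echo "$tmp/secret: format and permissions OK"
chmod 644 "$tmp/secret"
check_psk "$tmp/secret" || echo "rejected after chmod 644, as intended"
rm -rf "$tmp"
```

On the firewall, `deploy_psk /config/auth/secret` replaces the bare scp line above; the copy only happens when the local file passes the check, and the same `check_psk` can be run on the secondary after the copy to confirm the file arrived intact and with 600 permissions.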

Commands to be entered in the CLI

OpenVPN setting on the primary firewall machine (@vya1)
set interface openvpn vtun0 local-address '192.168.200.1'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.2'
set interface openvpn vtun0 remote-host '192.168.2.9'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.3.0/24 next-hop-interface 'vtun0'
OpenVPN setting on the secondary firewall machine (@vya2)
set interface openvpn vtun0 local-address '192.168.200.2'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.1'
set interface openvpn vtun0 remote-host '192.168.2.5'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.1.0/24 next-hop-interface 'vtun0'

Note

In this setting example, the PSK file “secret” is placed under /config/auth/ and that path is specified on both machines.
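The two command sets must mirror each other exactly: each side's local-address is the other's remote-address, both point at the same key path, and each side's static route covers the other site's inside network (a route for its own network would send local traffic into the tunnel). The following added example, which is not part of the Brocade manual, cross-checks a pair of command sets before they are committed. It assumes POSIX sh and awk; the command text is this page's primary (vya1) and secondary (vya2) settings, and the inside networks (192.168.1.0/24 behind vya1, 192.168.3.0/24 behind vya2) are taken from the dataplane addresses in the configuration dump below.

```shell
#!/bin/sh
# Added example, not part of the Brocade manual: cross-check the two sides'
# site-to-site command sets against each other before committing them, so a
# swapped tunnel address or a route pointing at the wrong site is caught
# early. Assumptions: POSIX sh and awk; the command text is the page's
# primary (vya1) and secondary (vya2) settings.

PRIMARY_CMDS="set interface openvpn vtun0 local-address '192.168.200.1'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.2'
set interface openvpn vtun0 remote-host '192.168.2.9'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.3.0/24 next-hop-interface 'vtun0'"

SECONDARY_CMDS="set interface openvpn vtun0 local-address '192.168.200.2'
set interface openvpn vtun0 mode 'site-to-site'
set interface openvpn vtun0 remote-address '192.168.200.1'
set interface openvpn vtun0 remote-host '192.168.2.5'
set interface openvpn vtun0 shared-secret-key-file '/config/auth/secret'
set protocols static interface-route 192.168.1.0/24 next-hop-interface 'vtun0'"

# ovpn_field CMDS KEY -> value of "set interface openvpn vtun0 KEY 'VALUE'"
ovpn_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == "set" && $2 ~ /^interfaces?$/ && $3 == "openvpn" && $5 == key {
            gsub(/'\''/, "", $6); print $6; exit
        }'
}

# tunnel_route CMDS -> prefix of the static interface-route that uses vtun0
tunnel_route() {
    printf '%s\n' "$1" | awk '
        $1 == "set" && $2 == "protocols" && $4 == "interface-route" &&
        $6 == "next-hop-interface" && $7 ~ /vtun0/ { print $5; exit }'
}

# check_pair A_CMDS B_CMDS A_LAN B_LAN -> 0 if the two sides mirror each other,
# 1 otherwise (every mismatch is reported on stderr).
check_pair() {
    a="$1"; b="$2"; a_lan="$3"; b_lan="$4"; rc=0
    for key in mode shared-secret-key-file; do
        [ "$(ovpn_field "$a" "$key")" = "$(ovpn_field "$b" "$key")" ] ||
            { echo "$key differs between the two sides" >&2; rc=1; }
    done
    [ "$(ovpn_field "$a" mode)" = "site-to-site" ] ||
        { echo "mode must be site-to-site" >&2; rc=1; }
    # Tunnel endpoints: each side's local-address is the other's remote-address.
    [ "$(ovpn_field "$a" local-address)" = "$(ovpn_field "$b" remote-address)" ] ||
        { echo "A local-address != B remote-address" >&2; rc=1; }
    [ "$(ovpn_field "$b" local-address)" = "$(ovpn_field "$a" remote-address)" ] ||
        { echo "B local-address != A remote-address" >&2; rc=1; }
    # remote-host is the peer's outside address, so the two sides never agree on it.
    [ "$(ovpn_field "$a" remote-host)" != "$(ovpn_field "$b" remote-host)" ] ||
        { echo "both sides point remote-host at the same address" >&2; rc=1; }
    # Each side must route the other site's inside network through vtun0.
    [ "$(tunnel_route "$a")" = "$b_lan" ] ||
        { echo "A routes '$(tunnel_route "$a")' via vtun0, expected $b_lan" >&2; rc=1; }
    [ "$(tunnel_route "$b")" = "$a_lan" ] ||
        { echo "B routes '$(tunnel_route "$b")' via vtun0, expected $a_lan" >&2; rc=1; }
    return "$rc"
}

# Stand-alone demonstration: the page's pair is consistent; a copy of the
# secondary that routes its own network 192.168.3.0/24 via vtun0 is not.
if check_pair "$PRIMARY_CMDS" "$SECONDARY_CMDS" 192.168.1.0/24 192.168.3.0/24; then
    echo "vya1/vya2 settings are consistent"
fi
WRONG_SECONDARY=$(printf '%s\n' "$SECONDARY_CMDS" | sed 's#192\.168\.1\.0/24#192.168.3.0/24#')
check_pair "$PRIMARY_CMDS" "$WRONG_SECONDARY" 192.168.1.0/24 192.168.3.0/24 ||
    echo "misrouted secondary rejected, as intended"
```

The check is deliberately strict about the route: the two sides' `interface-route` prefixes are compared against the opposite site's network rather than merely checked for presence, because a route for the local network is a silent failure that only shows up as unreachable hosts once the tunnel is up.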

The configuration after completion of appropriate settings is as follows.
Primary firewall machine configuration
interfaces {
        dataplane dp0s4 {
                address 192.168.1.3/24
        }
        dataplane dp0s5 {
                address 192.168.2.5/24
        }
        dataplane dp0s6 {
        }
        dataplane dp0s7 {
        }
        loopback lo
        openvpn vtun0 {
                local-address 192.168.200.1
                mode site-to-site
                remote-address 192.168.200.2
                remote-host 192.168.2.9
                shared-secret-key-file /config/auth/secret
        }
}
protocols {
        static {
                interface-route 192.168.3.0/24 {
                        next-hop-interface vtun0
                }
        }
}
Secondary firewall machine configuration
interfaces {
        dataplane dp0s4 {
                address 192.168.3.5/24
        }
        dataplane dp0s5 {
                address 192.168.2.9/24
        }
        dataplane dp0s6 {
        }
        dataplane dp0s7 {
        }
        loopback lo
        openvpn vtun0 {
                local-address 192.168.200.2
                mode site-to-site
                remote-address 192.168.200.1
                remote-host 192.168.2.5
                shared-secret-key-file /config/auth/secret
        }
}
protocols {
        static {
                interface-route 192.168.1.0/24 {
                        next-hop-interface vtun0
                }
        }
}

Operation check result

The OpenVPN tunnel was established between the two firewall machines, and the servers connected behind each firewall can communicate with each other through the tunnel, which confirms that the inter-site OpenVPN settings are correct.
#FW-1(vya1) OpenVPN tunnel status

      user-admin@vya1:~$ sh openvpn site-to-site status
      OpenVPN client status on vtun0

      Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
      --------------- --------------- --------------- ------- ------- ------------------------
      None (PSK)      192.168.2.9     192.168.200.2     90.9K   90.6K N/A


#FW-2(vya2) OpenVPN tunnel status

      user-admin@vya2:~$ sh openvpn site-to-site status
      OpenVPN client status on vtun0

      Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
      --------------- --------------- --------------- ------- ------- ------------------------
      None (PSK)      192.168.2.5     192.168.200.1     98.4K   99.0K N/A
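The status table above is what an operator reads by eye; for continuous monitoring it is more useful to turn it into an up/down verdict. The script below is an added example, not code from the Brocade manual: it parses the output of `show openvpn site-to-site status` and reports whether a row for the expected peer exists. It assumes POSIX sh and awk; the sample text is the vya1 output copied from this page, and the expected peer 192.168.2.9 is vya2's outside address from the page.

```shell
#!/bin/sh
# Added example, not part of the Brocade manual: parse the output of
# "show openvpn site-to-site status" into an up/down verdict, usable from a
# periodic check on the firewall. Assumptions: POSIX sh and awk; the sample
# output below is copied from the page (vya1 side).

SAMPLE_STATUS="OpenVPN client status on vtun0

Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
None (PSK)      192.168.2.9     192.168.200.2     90.9K   90.6K N/A"

# tunnel_peers STATUS_TEXT -> one "REMOTE_IP TUNNEL_IP" line per data row
tunnel_peers() {
    printf '%s\n' "$1" | awk '
        /^-+ / { in_rows = 1; next }          # dashed underline ends the header
        in_rows && NF >= 5 {
            # With a PSK the first column is "None (PSK)", two fields wide, so
            # locate the first dotted-quad field instead of a fixed column.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i, $(i+1); break }
        }'
}

# tunnel_up STATUS_TEXT EXPECTED_PEER -> 0 if a row for EXPECTED_PEER exists,
# 1 if the tunnel is down or the peer listed is not the expected one
tunnel_up() {
    tunnel_peers "$1" | awk -v peer="$2" '$1 == peer { found = 1 } END { exit !found }'
}

# Stand-alone run against the copied sample; in production, pass the captured
# output of "show openvpn site-to-site status" as the first argument.
if tunnel_up "$SAMPLE_STATUS" 192.168.2.9; then
    echo "vtun0 up: $(tunnel_peers "$SAMPLE_STATUS")"
else
    echo "vtun0 down or peer missing" >&2
fi
```

Checking the peer address rather than just the presence of a row means the check also fails if the table lists an unexpected Remote IP, which is the case a site-to-site tunnel with a shared PSK should never show.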


#From virtual server under FW-1 to server under FW-2 -> OK

      [root@localhost ~]# ping 192.168.3.3 -c 60
      PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
      64 bytes from 192.168.3.3: icmp_seq=1 ttl=60 time=4.14 ms
      64 bytes from 192.168.3.3: icmp_seq=2 ttl=60 time=2.73 ms
      64 bytes from 192.168.3.3: icmp_seq=3 ttl=60 time=2.41 ms
      64 bytes from 192.168.3.3: icmp_seq=4 ttl=60 time=2.71 ms
      64 bytes from 192.168.3.3: icmp_seq=5 ttl=60 time=2.37 ms
                              (output omitted)
      64 bytes from 192.168.3.3: icmp_seq=56 ttl=60 time=3.11 ms
      64 bytes from 192.168.3.3: icmp_seq=57 ttl=60 time=2.66 ms
      64 bytes from 192.168.3.3: icmp_seq=58 ttl=60 time=2.27 ms
      64 bytes from 192.168.3.3: icmp_seq=59 ttl=60 time=3.17 ms
      64 bytes from 192.168.3.3: icmp_seq=60 ttl=60 time=3.24 ms

      --- 192.168.3.3 ping statistics ---
      60 packets transmitted, 60 received, 0% packet loss, time 59098ms
      rtt min/avg/max/mdev = 2.120/6.661/57.831/13.230 ms
      [root@localhost ~]#

#From virtual server under FW-2 to server under FW-1 -> OK

      test@web1:~$ ping 192.168.1.4 -c 61
      PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
      64 bytes from 192.168.1.4: icmp_seq=1 ttl=60 time=5.14 ms
      64 bytes from 192.168.1.4: icmp_seq=2 ttl=60 time=2.89 ms
      64 bytes from 192.168.1.4: icmp_seq=3 ttl=60 time=2.95 ms
      64 bytes from 192.168.1.4: icmp_seq=4 ttl=60 time=20.8 ms
      64 bytes from 192.168.1.4: icmp_seq=5 ttl=60 time=2.40 ms
                              (output omitted)
      64 bytes from 192.168.1.4: icmp_seq=56 ttl=60 time=2.59 ms
      64 bytes from 192.168.1.4: icmp_seq=57 ttl=60 time=2.40 ms
      64 bytes from 192.168.1.4: icmp_seq=58 ttl=60 time=2.37 ms
      64 bytes from 192.168.1.4: icmp_seq=59 ttl=60 time=2.71 ms
      64 bytes from 192.168.1.4: icmp_seq=60 ttl=60 time=2.52 ms
      64 bytes from 192.168.1.4: icmp_seq=61 ttl=60 time=3.39 ms
      ^C
      --- 192.168.1.4 ping statistics ---
      61 packets transmitted, 61 received, 0% packet loss, time 60097ms
      rtt min/avg/max/mdev = 2.225/5.493/57.795/11.357 ms