10.3.3. Site-to-site VPN configuration example

Confirmed operating version:
 Brocade 5600vRouter Version 4.2R1S1
  • This configuration builds an intersite IPsec VPN using virtual tunnel interfaces (VTI).

  • As shown in the system diagram below, redundancy is achieved by establishing multiple VPN tunnels and using floating static routes to switch the static route for the VTIs.

  • Currently the VIP of VRRP cannot be used as the IPsec connection destination (peer address), so we recommend this configuration example for a redundant setup.

Note

  • VTI (virtual tunnel interface)
    • A virtual interface that terminates an intersite IPsec VPN tunnel. It can be handled in much the same way as an ordinary routable interface.

    • The virtual tunnel interface of Brocade 5600vRouter is compatible with third-party VTI / route-based VPN connections.

  • Floating static
    • A second static route to the same destination, registered with a higher distance value (that is, a lower priority). It stays out of the forwarding table while the main route is usable and appears automatically when the main route becomes unusable.

10.3.3.1. System diagram

[System diagram: FW-01 and FW-02 (VRRP pair) each terminate one IPsec tunnel to FW-03 (vti0 and vti1)]

Note

  • CentOS 7.1.1503 is used as the OS of the Client and Server.

  • vsFTPd 3.0.2 is used as the FTP server.

10.3.3.2. Configuration of Firewall

Firewall Interface setting

The interface settings are shown here so that the configured values can be confirmed; in practice, interface settings must be made from the customer portal.
Note that if you enter the interface setting commands below directly, an error will be returned.

Note

  • Interface settings can only be changed from the customer portal.

  • FW-01
set interfaces dataplane dp0s7 address 192.168.3.156/28
set interfaces dataplane dp0s8 address 153.xx.xx.182/28
set interfaces dataplane dp0s11 address 192.168.3.140/28
  • FW-02
set interfaces dataplane dp0s7 address 192.168.3.157/28
set interfaces dataplane dp0s8 address 153.xx.xx.226/28
set interfaces dataplane dp0s11 address 192.168.3.141/28
  • FW-03
set interfaces dataplane dp0s6 address 153.xx.xx.227/29
set interfaces dataplane dp0s7 address 192.168.1.12/28

VRRP Setting

  • FW-01
set interfaces dataplane dp0s11 vrrp vrrp-group 255 advertise-interval 20
set interfaces dataplane dp0s11 vrrp vrrp-group 255 preempt true
set interfaces dataplane dp0s11 vrrp vrrp-group 255 priority 150
set interfaces dataplane dp0s11 vrrp vrrp-group 255 rfc-compatibility
set interfaces dataplane dp0s11 vrrp vrrp-group 255 version 2
set interfaces dataplane dp0s11 vrrp vrrp-group 255 virtual-address 192.168.3.139
  • FW-02
set interfaces dataplane dp0s11 vrrp vrrp-group 255 advertise-interval 20
set interfaces dataplane dp0s11 vrrp vrrp-group 255 preempt true
set interfaces dataplane dp0s11 vrrp vrrp-group 255 priority 20
set interfaces dataplane dp0s11 vrrp vrrp-group 255 rfc-compatibility
set interfaces dataplane dp0s11 vrrp vrrp-group 255 version 2
set interfaces dataplane dp0s11 vrrp vrrp-group 255 virtual-address 192.168.3.139

Note

  • FW-03 has no VRRP setting because it is a single (non-redundant) device.

  • About the value of advertise-interval: with the default setting (1 second), VRRP communication has occasionally been observed to become unstable on the infrastructure side. We therefore recommend setting 20 seconds or more (failure detection then takes 20 s × 3 = 60 s in total).

  • When IPsec is used, the VIP of VRRP cannot be specified as the connection destination, which is why each firewall terminates its own tunnel on its physical dp0s8 address.

VPN Configuration (IPsec)

The site-to-site settings using the FW IPsec vti are shown below.
  • Authentication information

  Parameter                     Value
  ---------                     -----
  Key management protocol       IKEv1 (ISAKMP + Oakley)
  Phase 1
    Authentication method       pre-shared key
    Pre-shared key              test_key_1
    DH group                    2
    Encryption algorithm        AES-256
    Hash algorithm              SHA1
    ISAKMP SA lifetime          28800 seconds
    Key exchange mode           Main mode
  Phase 2
    IPsec SA lifetime           3600 seconds
    Security protocol           ESP
    Encryption algorithm        AES-256
    Authentication algorithm    HMAC-SHA1
    Perfect Forward Secrecy     Enabled
    Encapsulation mode          Tunnel
    Key exchange mode           Quick mode

Note

  • test_key_1 is a placeholder for this example. In production use a long, randomly generated pre-shared secret, distinct per peer, and treat the configuration output as sensitive: show security vpn ipsec prints the secret in clear text, as can be seen in the confirmation output below.

  • DH group 2 (1024-bit MODP) and SHA1 are legacy parameters kept here to match the confirmed version; choose the strongest proposal that both peers support.
  • FW-01,02,03 Common configuration

Set up an IKE group
set security vpn ipsec ike-group IKE-1W lifetime 28800
set security vpn ipsec ike-group IKE-1W proposal 1 dh-group 2
set security vpn ipsec ike-group IKE-1W proposal 1 encryption aes256
set security vpn ipsec ike-group IKE-1W proposal 1 hash sha1
DPD Configuration
set security vpn ipsec ike-group IKE-1W dead-peer-detection action clear
set security vpn ipsec ike-group IKE-1W dead-peer-detection interval 1
set security vpn ipsec ike-group IKE-1W dead-peer-detection timeout 30

Note

DPD (Dead Peer Detection)
This function detects loss of communication on the IPsec tunnel. In this configuration the peer is checked at 1-second intervals, and if there is no response for 30 seconds the IPsec SA is cleared (action clear). The bound vti then goes down, which is what lets the floating static route take over.
Set up an ESP group
set security vpn ipsec esp-group ESP-1W lifetime 3600
set security vpn ipsec esp-group ESP-1W proposal 1 encryption aes256
set security vpn ipsec esp-group ESP-1W proposal 1 hash sha1

Note

The IKE and ESP group settings are common to all FWs.
  • FW-01
VTI configuration
set interfaces vti vti0 address 10.1.1.1/30
Site-to-site Configuration
set security vpn ipsec site-to-site peer 153.xx.xx.227 authentication pre-shared-secret test_key_1
set security vpn ipsec site-to-site peer 153.xx.xx.227 ike-group IKE-1W
set security vpn ipsec site-to-site peer 153.xx.xx.227 local-address 153.xx.xx.182
set security vpn ipsec site-to-site peer 153.xx.xx.227 vti bind vti0
set security vpn ipsec site-to-site peer 153.xx.xx.227 vti esp-group ESP-1W
  • FW-02
VTI configuration
set interfaces vti vti1 address 10.2.1.1/30
Site-to-site Configuration
set security vpn ipsec site-to-site peer 153.xx.xx.227 authentication pre-shared-secret test_key_1
set security vpn ipsec site-to-site peer 153.xx.xx.227 ike-group IKE-1W
set security vpn ipsec site-to-site peer 153.xx.xx.227 local-address 153.xx.xx.226
set security vpn ipsec site-to-site peer 153.xx.xx.227 vti bind vti1
set security vpn ipsec site-to-site peer 153.xx.xx.227 vti esp-group ESP-1W
  • FW-03
VTI configuration
set interfaces vti vti0 address 10.1.1.2/30
set interfaces vti vti1 address 10.2.1.2/30
Site-to-site Configuration
set security vpn ipsec site-to-site peer 153.xx.xx.182 authentication pre-shared-secret test_key_1
set security vpn ipsec site-to-site peer 153.xx.xx.182 ike-group IKE-1W
set security vpn ipsec site-to-site peer 153.xx.xx.182 local-address 153.xx.xx.227
set security vpn ipsec site-to-site peer 153.xx.xx.182 vti bind vti0
set security vpn ipsec site-to-site peer 153.xx.xx.182 vti esp-group ESP-1W
set security vpn ipsec site-to-site peer 153.xx.xx.226 authentication pre-shared-secret test_key_1
set security vpn ipsec site-to-site peer 153.xx.xx.226 ike-group IKE-1W
set security vpn ipsec site-to-site peer 153.xx.xx.226 local-address 153.xx.xx.227
set security vpn ipsec site-to-site peer 153.xx.xx.226 vti bind vti1
set security vpn ipsec site-to-site peer 153.xx.xx.226 vti esp-group ESP-1W

Routing settings

  • FW-01
set protocols static interface-route 192.168.1.0/28 next-hop-interface dp0s7 distance 200
set protocols static interface-route 192.168.1.0/28 next-hop-interface vti0
set protocols static route 192.168.3.128/28 next-hop 192.168.3.157
  • FW-02
set protocols static interface-route 192.168.1.0/28 next-hop-interface dp0s7 distance 200
set protocols static interface-route 192.168.1.0/28 next-hop-interface vti1
set protocols static route 192.168.3.128/28 next-hop 192.168.3.156
  • FW-03
set protocols static interface-route 192.168.3.128/28 next-hop-interface vti0
set protocols static interface-route 192.168.3.128/28 next-hop-interface vti1 distance 200

Note

  • For routes that point at an IPsec vti, use the interface-based routing setting (interface-route ... next-hop-interface). With an ordinary next-hop route, the route via the vti is in rare cases not recognized.
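The floating static mechanism used in the routing settings above, modelled as an added example (this is not configuration or code from the page). The model reproduces the vRouter's selection rule (longest prefix first, then the lowest administrative distance among routes whose next-hop interface is up) with FW-03's own routes, and also shows the case the page does not test: when both tunnels are down, the lookup falls through to FW-03's default route on dp0s6, so traffic for 192.168.3.128/28 would leave the site outside IPsec. The `BLACKHOLE` pseudo-interface and the distance-254 discard route are assumptions added for illustration; whether and how a discard route is configured on this vRouter version must be checked against its documentation.

```python
"""Model of floating static route selection (added example, not configuration
from the page).  Reproduces how the vRouter chooses the active route for a
destination: longest prefix first, then the lowest administrative distance
among routes whose next-hop interface is up.  Routes are FW-03's from above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str        # destination network, e.g. "192.168.3.128/28"
    interface: str     # next-hop-interface (vti0, vti1, dp0s6, ...)
    distance: int = 1  # administrative distance; the vRouter default is 1


# Pseudo-interface that is always "up": models a discard (blackhole) route.
# Assumption for illustration only; not a setting taken from the page.
BLACKHOLE = "blackhole"


def select_route(routes, iface_up, destination) -> Optional[StaticRoute]:
    """Return the route that would carry traffic to `destination`, or None.

    iface_up maps interface name -> bool.  A route whose interface is down
    stays in the RIB as 'inactive' (cf. 'vti0 inactive' in the failure-state
    output) and is never selected.  Longest prefix wins; among equal prefixes
    the lowest distance wins, so the distance-200 route only 'floats' up once
    the distance-1 route has become inactive."""
    dst = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst not in net:
            continue
        if r.interface != BLACKHOLE and not iface_up.get(r.interface, False):
            continue  # inactive: next-hop interface is down
        key = (net.prefixlen, -r.distance)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


# FW-03's routes from "Routing settings": primary via vti0, floating static
# via vti1, plus the default route out of dp0s6 seen in its 'show ip route'.
FW03_ROUTES = [
    StaticRoute("192.168.3.128/28", "vti0"),
    StaticRoute("192.168.3.128/28", "vti1", distance=200),
    StaticRoute("0.0.0.0/0", "dp0s6"),
]

# Same table plus a hypothetical discard route at a distance above both tunnel
# routes, so that with both tunnels down the prefix is dropped, not forwarded.
FW03_ROUTES_GUARDED = FW03_ROUTES + [
    StaticRoute("192.168.3.128/28", BLACKHOLE, distance=254),
]

SERVER = "192.168.3.130"  # the FTP server the client tests against


def egress_for_server(routes, vti0_up: bool, vti1_up: bool) -> Optional[str]:
    """Interface FW-03 would use to reach the server for a given tunnel state."""
    state = {"vti0": vti0_up, "vti1": vti1_up, "dp0s6": True}
    r = select_route(routes, state, SERVER)
    return r.interface if r else None


if __name__ == "__main__":
    for label, v0, v1 in (("normal", True, True),
                          ("FW-01 failed", False, True),
                          ("both tunnels down", False, False)):
        print(f"{label:18s} plain: {egress_for_server(FW03_ROUTES, v0, v1):10s}"
              f"guarded: {egress_for_server(FW03_ROUTES_GUARDED, v0, v1)}")
```

Running it prints the egress interface for the three scenarios: vti0 in the normal state, vti1 after FW-01 fails, and dp0s6 (the default route, outside the tunnels) when both tunnels are down; the guarded table returns the discard route in that last case instead.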

Confirmation of setting contents

If the above settings have been entered correctly, the following output can be confirmed.
  • FW-01
user-admin@FW-01# show interfaces
 interfaces {
        dataplane dp0s7 {
                address 192.168.3.156/28
        }
        dataplane dp0s8 {
                address 153.xx.xx.182/28
        }
        dataplane dp0s11 {
                address 192.168.3.140/28
                vrrp {
                        vrrp-group 255 {
                                advertise-interval 20
                                preempt true
                                priority 150
                                rfc-compatibility
                                version 2
                                virtual-address 192.168.3.139
                        }
                }
        }
        loopback lo
        vti vti0 {
                address 10.1.1.1/30
        }
 }


user-admin@FW-01# show security vpn ipsec
 ipsec {
        esp-group ESP-1W {
                lifetime 3600
                proposal 1 {
                        encryption aes256
                        hash sha1
                }
        }
        ike-group IKE-1W {
                dead-peer-detection {
                        action clear
                        interval 1
                        timeout 30
                }
                lifetime 28800
                proposal 1 {
                        dh-group 2
                        encryption aes256
                        hash sha1
                }
        }
        site-to-site {
                peer 153.xx.xx.227 {
                        authentication {
                                pre-shared-secret test_key_1
                        }
                        ike-group IKE-1W
                        local-address 153.xx.xx.182
                        vti {
                                bind vti0
                                esp-group ESP-1W
                        }
                }
        }
 }


user-admin@FW-01# show protocols
 protocols {
        static {
                interface-route 192.168.1.0/28 {
                        next-hop-interface dp0s7 {
                                distance 200
                        }
                        next-hop-interface vti0
                }
                route 192.168.3.128/28 {
                        next-hop 192.168.3.157
                }
        }
 }
  • FW-02
user-admin@FW-02# show interfaces
 interfaces {
        dataplane dp0s7 {
                address 192.168.3.157/28
        }
        dataplane dp0s8 {
                address 153.xx.xx.226/28
        }
        dataplane dp0s11 {
                address 192.168.3.141/28
                vrrp {
                        vrrp-group 255 {
                                advertise-interval 20
                                preempt true
                                priority 20
                                rfc-compatibility
                                version 2
                                virtual-address 192.168.3.139
                        }
                }
        }
        loopback lo
        vti vti1 {
                address 10.2.1.1/30
        }
 }


user-admin@FW-02# show security vpn ipsec
 ipsec {
        esp-group ESP-1W {
                lifetime 3600
                proposal 1 {
                        encryption aes256
                        hash sha1
                }
        }
        ike-group IKE-1W {
                dead-peer-detection {
                        action clear
                        interval 1
                        timeout 30
                }
                lifetime 28800
                proposal 1 {
                        dh-group 2
                        encryption aes256
                        hash sha1
                }
        }
        site-to-site {
                peer 153.xx.xx.227 {
                        authentication {
                                pre-shared-secret test_key_1
                        }
                        ike-group IKE-1W
                        local-address 153.xx.xx.226
                        vti {
                                bind vti1
                                esp-group ESP-1W
                        }
                }
        }
 }


user-admin@FW-02# show protocols
 protocols {
        static {
                interface-route 192.168.1.0/28 {
                        next-hop-interface dp0s7 {
                                distance 200
                        }
                        next-hop-interface vti1
                }
                route 192.168.3.128/28 {
                        next-hop 192.168.3.156
                }
        }
 }
  • FW-03
user-admin@FW-03# show int
 interfaces {
        dataplane dp0s6 {
                address 153.xx.xx.227/29
        }
        dataplane dp0s7 {
                address 192.168.1.12/28
        }
        loopback lo
        vti vti0 {
                address 10.1.1.2/30
        }
        vti vti1 {
                address 10.2.1.2/30
        }
 }


user-admin@FW-03# show security vpn ipsec
 ipsec {
        esp-group ESP-1W {
                lifetime 3600
                proposal 1 {
                        encryption aes256
                        hash sha1
                }
        }
        ike-group IKE-1W {
                dead-peer-detection {
                        action clear
                        interval 1
                        timeout 30
                }
                lifetime 28800
                proposal 1 {
                        dh-group 2
                        encryption aes256
                        hash sha1
                }
        }
        site-to-site {
                peer 153.xx.xx.182 {
                        authentication {
                                pre-shared-secret test_key_1
                        }
                        ike-group IKE-1W
                        local-address 153.xx.xx.227
                        vti {
                                bind vti0
                                esp-group ESP-1W
                        }
                }
                peer 153.xx.xx.226 {
                        authentication {
                                pre-shared-secret test_key_1
                        }
                        ike-group IKE-1W
                        local-address 153.xx.xx.227
                        vti {
                                bind vti1
                                esp-group ESP-1W
                        }
                }
        }
 }


user-admin@FW-03# show protocols
 protocols {
        static {
                interface-route 192.168.3.128/28 {
                        next-hop-interface vti0
                        next-hop-interface vti1 {
                                distance 200
                        }
                }
        }
 }

10.3.3.3. Flow of traffic

In normal operation, traffic passes through FW-01.
Connectivity is checked with ping and FTP from the Client to the Server.
[Diagram: traffic flow in the normal state (Client → FW-03 → vti0 → FW-01 → Server)]

Status check at normal state

The status of the firewalls during normal operation can be confirmed as follows.
  • VRRP status

FW-01 must be Master.
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s11            255    MASTER  dp0vrrp1   no     6h10m42s    <none>
FW-02 must be Backup.
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s11            255    BACKUP  dp0vrrp1   no     6h12m12s    <none>
  • VPN status

VPN must be established between FW-01 and FW-03.
user-admin@FW-01:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xx.227                         153.xx.xx.182

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      1364    3600    all
VPN must be established between FW-02 and FW-03.
user-admin@FW-02:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xx.227                         153.xx.xx.226

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      372     3600    all
On FW-03, VPNs must be established to both FW-01 and FW-02.
user-admin@FW-03:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xxx.182                          153.xx.xx.227

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      1698    3600    all

Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xx.226                          153.xx.xx.227

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      504     3600    all
  • Interface status

vti0 on FW-01 must be UP.
user-admin@FW-01:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dp0s3            100.70.64.31/20                   u/u
dp0s4            -                                 A/D
dp0s5            -                                 A/D
dp0s6            -                                 A/D
dp0s7            192.168.3.156/28                  u/u
dp0s8            153.xx.xxx.182/28                 u/u
dp0s9            10.0.0.17/24                      u/u
dp0s10           169.254.0.8/17                    u/u
dp0s11           192.168.3.140/28                  u/u
dp0vrrp1         192.168.3.139/32                  u/u
vti0             10.1.1.1/30                       u/u
vti1 on FW-02 must be UP.
user-admin@FW-02:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dp0s7            192.168.3.157/28                  u/u
dp0s8            153.xx.xxx.226/28                 u/u
dp0s11           192.168.3.141/28                  u/u
dp0vrrp1         -                                 A/D
vti1             10.2.1.1/30                       u/u
vti0 and vti1 on FW-03 must be UP.
user-admin@FW-03:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dp0s6            153.xxx.xxx.227/29                u/u
dp0s7            192.168.1.12/28                   u/u
vti0             10.1.1.2/30                       u/u
vti1             10.2.1.2/30                       u/u
  • Routing status

On FW-01, the route to site A (192.168.1.0/28) points to vti0.
user-admin@FW-01:~$ show ip route

IP Route Table for VRF "default"
Gateway of last resort is 153.xx.xx.190 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 153.xx.xx.190, dp0s8
C    *> 10.0.0.0/24 is directly connected, dp0s9
C    *> 10.1.1.0/30 is directly connected, vti0
S    *> 100.70.1.64/26 [210/0] via 100.70.64.1, dp0s3
S    *> 100.70.32.64/26 [210/0] via 100.70.64.1, dp0s3
C    *> 100.70.64.0/20 is directly connected, dp0s3
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 153.xx.xx.176/28 is directly connected, dp0s8
C    *> 169.254.0.0/17 is directly connected, dp0s10
S    *> 192.168.1.0/28 [1/0] is directly connected, vti0 ★
S       192.168.1.0/28 [200/0] is directly connected, dp0s7
C    *> 192.168.3.128/28 is directly connected, dp0s11
S       192.168.3.128/28 [1/0] via 192.168.3.157, dp0s7
C    *> 192.168.3.139/32 is directly connected, dp0vrrp1
C    *> 192.168.3.144/28 is directly connected, dp0s7
On FW-02, the route to site A (192.168.1.0/28) points to vti1.
user-admin@FW-02:~$ show ip route

IP Route Table for VRF "default"
Gateway of last resort is 153.xx.xx.238 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 153.xx.xx.238, dp0s8
C    *> 10.0.0.0/24 is directly connected, dp0s9
C    *> 10.2.1.0/30 is directly connected, vti1
S    *> 100.70.1.64/26 [210/0] via 100.70.64.1, dp0s3
S    *> 100.70.32.64/26 [210/0] via 100.70.64.1, dp0s3
C    *> 100.70.64.0/20 is directly connected, dp0s3
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 153.xx.xx.224/28 is directly connected, dp0s8
C    *> 169.254.0.0/17 is directly connected, dp0s10
S    *> 192.168.1.0/28 [1/0] is directly connected, vti1 ★
S       192.168.1.0/28 [200/0] is directly connected, dp0s7
C    *> 192.168.3.128/28 is directly connected, dp0s11
S       192.168.3.128/28 [1/0] via 192.168.3.156, dp0s7
C    *> 192.168.3.144/28 is directly connected, dp0s7
On FW-03, the route to the FW-01/02 side (192.168.3.128/28) points to vti0.
If FW-01 (vti0) fails, the route switches to FW-02 (vti1).
user-admin@FW-03:~$ show ip route

IP Route Table for VRF "default"
Gateway of last resort is 153.xx.xx.230 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 153.xx.xx.230, dp0s6
C    *> 10.1.1.0/30 is directly connected, vti0
C    *> 10.2.1.0/30 is directly connected, vti1
S    *> 100.67.1.64/26 [210/0] via 100.67.64.1, dp0s3
S    *> 100.67.32.64/26 [210/0] via 100.67.64.1, dp0s3
C    *> 100.67.64.0/20 is directly connected, dp0s3
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 153.xx.xx.224/29 is directly connected, dp0s6
C    *> 192.168.1.0/28 is directly connected, dp0s7
S    *> 192.168.3.128/28 [1/0] is directly connected, vti0 ★
S       192.168.3.128/28 [200/0] is directly connected, vti1

Client connection check

Verify that ping and FTP succeed.
  • Traffic check by ping [OK]

[test-user@australia-cent001 ~]$ ping 192.168.3.130
PING 192.168.3.130 (192.168.3.130) 56(84) bytes of data.
64 bytes from 192.168.3.130: icmp_seq=1 ttl=62 time=195 ms
64 bytes from 192.168.3.130: icmp_seq=2 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=3 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=4 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=5 ttl=62 time=193 ms
^C
--- 192.168.3.130 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 193.078/193.838/195.951/1.074 ms
[test-user@australia-cent001 ~]$
  • Traffic check by FTP[OK]

[test-user@australia-cent001 tmp]$ ftp 192.168.3.130
Connected to 192.168.3.130 (192.168.3.130).
220 (vsFTPd 3.0.2)
Name (192.168.3.130:test-user):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp>
ftp> dir
227 Entering Passive Mode (192,168,3,130,118,221).
150 Here comes the directory listing.
226 Directory send OK.
ftp>
ftp> put test_file
local: test_file remote: test_file
227 Entering Passive Mode (192,168,3,130,118,35).
150 Ok to send data.
226 Transfer complete.
ftp>
ftp> dir
227 Entering Passive Mode (192,168,3,130,118,209).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000            0 Mar 23 18:12 test_file
226 Directory send OK.
ftp>
ftp> bye
221 Goodbye.

10.3.3.4. Flow of traffic when a failure occurs

When FW-01 fails, the route switches to FW-02.
Connectivity is checked with ping and FTP from the Client to the Server.
[Diagram: traffic flow after FW-01 failure (Client → FW-03 → vti1 → FW-02 → Server)]

Status check when a failure occurs

The status of the firewalls at the time of failure can be confirmed as follows.

Note

  • Because FW-01 has suffered an instance failure, its status check is skipped.

  • VRRP status

FW-02 is Master.
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s11            3      MASTER  dp0vrrp1   no     13s         <none>
  • VPN status

VPN must be established between FW-02 and FW-03.
user-admin@FW-02:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xx.227                         153.xx.xx.226

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     420.0/420.0    aes256        sha1      613     3600    all
On FW-03, the tunnel to FW-01 (153.xx.xx.182) is down and the tunnel to FW-02 (153.xx.xx.226) is up.
user-admin@FW-03:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xxx.182                          153.xx.xx.227

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     down   0.0/0.0        n/a           n/a       0       n/a     all

Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xx.226                          153.xx.xx.227

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     336.0/0.0      aes256        sha1      81      3600    all
  • Interface status

vti1 on FW-02 must be UP.
user-admin@FW-02:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dp0s7            192.168.3.157/28                  u/u
dp0s8            153.xx.xxx.226/28                 u/u
dp0s11           192.168.3.141/28                  u/u
dp0vrrp1         -                                 A/D
vti1             10.2.1.1/30                       u/u
vti1 on FW-03 must be UP (vti0 is down).
user-admin@FW-03:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dp0s6            153.xxx.xxx.227/29                u/u
dp0s7            192.168.1.12/28                   u/u
vti0             10.1.1.2/30                       A/D
vti1             10.2.1.2/30                       u/u
  • Routing status

On FW-02, the route to site A (192.168.1.0/28) points to vti1.
user-admin@FW-02:~$ show ip route

IP Route Table for VRF "default"
Gateway of last resort is 153.xx.xx.238 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 153.xx.xx.238, dp0s8
C    *> 10.0.0.0/24 is directly connected, dp0s9
C    *> 10.2.1.0/30 is directly connected, vti1
S    *> 100.70.1.64/26 [210/0] via 100.70.64.1, dp0s3
S    *> 100.70.32.64/26 [210/0] via 100.70.64.1, dp0s3
C    *> 100.70.64.0/20 is directly connected, dp0s3
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 153.xx.xx.224/28 is directly connected, dp0s8
C    *> 169.254.0.0/17 is directly connected, dp0s10
S    *> 192.168.1.0/28 [1/0] is directly connected, vti1 ★
S       192.168.1.0/28 [200/0] is directly connected, dp0s7
C    *> 192.168.3.128/28 is directly connected, dp0s11
S       192.168.3.128/28 [1/0] via 192.168.3.156, dp0s7
C    *> 192.168.3.144/28 is directly connected, dp0s7
On FW-03, the route to the FW-01/02 side (192.168.3.128/28) has switched to vti1 (the floating static with distance 200); the vti0 route is shown as inactive.
user-admin@FW-03:~$ show ip route

IP Route Table for VRF "default"
Gateway of last resort is 153.xx.xx.230 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 153.xx.xx.230, dp0s6
C    *> 10.2.1.0/30 is directly connected, vti1
S    *> 100.67.1.64/26 [210/0] via 100.67.64.1, dp0s3
S    *> 100.67.32.64/26 [210/0] via 100.67.64.1, dp0s3
C    *> 100.67.64.0/20 is directly connected, dp0s3
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 153.xx.xx.224/29 is directly connected, dp0s6
C    *> 192.168.1.0/28 is directly connected, dp0s7
S    *> 192.168.3.128/28 [200/0] is directly connected, vti1 ★
S       192.168.3.128/28 [1/0] is directly connected, vti0 inactive
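The status checks in the normal state and in the failure state above can be automated. The following is an added example (not code from the original page) that parses the text of show vpn ipsec sa and show ip route as displayed on this page and reports whether a firewall is in the state expected for a scenario: the expected peer's tunnel up, and the route to the remote site installed via the expected vti. The sample strings are constructed, trimmed copies of the FW-03 output above; the function names and the finding messages are the example's own.

```python
"""Health check for the tunnel and route state shown on this page (added
example, not code from the original page).  It parses 'show vpn ipsec sa' and
'show ip route' text as displayed above and reports whether a firewall is in
the state expected for a scenario.  The sample strings at the bottom are
constructed, trimmed copies of the FW-03 output (same masked addresses)."""
import re
from dataclasses import dataclass


@dataclass
class Tunnel:
    peer: str
    local: str
    state: str      # "up" or "down"


SA_ROW_RE = re.compile(r"^\s+vti\s+(up|down)\s+")


def parse_ipsec_sa(text: str) -> list[Tunnel]:
    """One Tunnel per 'vti ...' row, tagged with the peer/local pair above it."""
    tunnels, peer, local = [], None, None
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith(("-", "Peer ID", "Tunnel")):
            continue                    # blanks, rulers, column headers
        if not line.startswith(" "):    # unindented line: "<peer>   <local>"
            peer, local = body.split()
            continue
        m = SA_ROW_RE.match(line)
        if m and peer:
            tunnels.append(Tunnel(peer, local, m.group(1)))
    return tunnels


@dataclass
class Route:
    prefix: str
    iface: str
    selected: bool  # '*>' marker: the route actually installed
    inactive: bool  # listed in the RIB but its next-hop interface is down


ROUTE_RE = re.compile(r"^[A-Z]\s+(?P<sel>\*>)?\s*(?P<prefix>\S+/\d+)"
                      r"(?:\s+\[\d+/\d+\])?\s+.*?,\s+(?P<iface>\S+)(?P<inactive>\s+inactive)?")


def parse_routes(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["prefix"], m["iface"],
                                m["sel"] is not None, m["inactive"] is not None))
    return routes


def check_site(sa_text, route_text, remote_prefix, expect_iface, expect_peer):
    """Findings for one firewall; an empty list means the expected state."""
    findings = []
    up = {t.peer for t in parse_ipsec_sa(sa_text) if t.state == "up"}
    if expect_peer not in up:
        findings.append(f"tunnel to {expect_peer} is not up")
    sel = [r for r in parse_routes(route_text) if r.prefix == remote_prefix and r.selected]
    if not sel:
        findings.append(f"no active route to {remote_prefix}")
    elif sel[0].iface != expect_iface:
        findings.append(f"{remote_prefix} routed via {sel[0].iface}, expected {expect_iface}")
    if sel and not sel[0].iface.startswith("vti"):
        # a selected non-VTI route means site traffic would bypass IPsec
        findings.append(f"{remote_prefix} leaves via {sel[0].iface}, bypassing IPsec")
    return findings


# Constructed samples: trimmed copies of the FW-03 output on this page.
FW03_SA_NORMAL = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
153.xx.xx.182                          153.xx.xx.227

    Tunnel  State  Bytes Out/In     Encrypt       Hash    A-Time  L-Time  Proto
    ------  -----  -------------  ------------  --------  ------  ------  -----
    vti     up     0.0/0.0        aes256        sha1      1698    3600    all

153.xx.xx.226                          153.xx.xx.227

    vti     up     0.0/0.0        aes256        sha1      504     3600    all
"""
FW03_SA_FAILURE = """\
153.xx.xx.182                          153.xx.xx.227

    vti     down   0.0/0.0        n/a           n/a       0       n/a     all

153.xx.xx.226                          153.xx.xx.227

    vti     up     336.0/0.0      aes256        sha1      81      3600    all
"""
FW03_ROUTES_NORMAL = """\
S    *> 0.0.0.0/0 [1/0] via 153.xx.xx.230, dp0s6
S    *> 192.168.3.128/28 [1/0] is directly connected, vti0
S       192.168.3.128/28 [200/0] is directly connected, vti1
"""
FW03_ROUTES_FAILURE = """\
S    *> 0.0.0.0/0 [1/0] via 153.xx.xx.230, dp0s6
S    *> 192.168.3.128/28 [200/0] is directly connected, vti1
S       192.168.3.128/28 [1/0] is directly connected, vti0 inactive
"""
```

check_site(FW03_SA_FAILURE, FW03_ROUTES_FAILURE, "192.168.3.128/28", "vti1", "153.xx.xx.226") returns an empty list for the failure-state output above, and the same output checked against the normal-state expectation (vti0, peer 153.xx.xx.182) returns two findings. A selected route for the remote prefix that is not a vti is reported separately, since it would mean site traffic leaving in the clear.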

Client connection check

Verify that ping and FTP succeed.
  • Traffic check by ping [OK]

[test-user@australia-cent001 ~]$ ping 192.168.3.130
PING 192.168.3.130 (192.168.3.130) 56(84) bytes of data.
64 bytes from 192.168.3.130: icmp_seq=1 ttl=62 time=195 ms
64 bytes from 192.168.3.130: icmp_seq=2 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=3 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=4 ttl=62 time=193 ms
64 bytes from 192.168.3.130: icmp_seq=5 ttl=62 time=193 ms
^C
--- 192.168.3.130 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 193.078/193.838/195.951/1.074 ms
[test-user@australia-cent001 ~]$
  • Traffic check by FTP[OK]

[test-user@australia-cent001 tmp]$ ftp 192.168.3.130
Connected to 192.168.3.130 (192.168.3.130).
220 (vsFTPd 3.0.2)
Name (192.168.3.130:test-user):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> put test_file_2
local: test_file_2 remote: test_file_2
227 Entering Passive Mode (192,168,3,130,119,26).
150 Ok to send data.
226 Transfer complete.
ftp>
ftp> ls
227 Entering Passive Mode (192,168,3,130,117,60).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000            0 Mar 23 18:12 test_file
-rw-r--r--    1 1000     1000            0 Mar 23 18:57 test_file_2
226 Directory send OK.
ftp>
ftp> bye
221 Goodbye.