10.3.4. Remote access VPN configuration example
Operation confirmed on: Brocade 5600vRouter Version 4.2R1S1
System diagram
FW-01 and FW-02 run VRRP and act as the redundant gateway for Server-01.
Note
"Windows Server 2012R2" is used as the client OS.
The "Windows default VPN client" is used as the VPN client.
"CentOS 7.1.1503" is used as the server OS.
"vsFTPd 3.0.2" is used as the FTP server.
Configuration of Firewall
Firewall interface settings
Note
Interface settings can only be changed from the customer portal.
- FW-01
set interfaces dataplane dp0s8 address 153.xx.xx.178/28
set interfaces dataplane dp0s11 address 192.168.3.28/28
- FW-02
set interfaces dataplane dp0s8 address 153.xx.xx.179/28
set interfaces dataplane dp0s11 address 192.168.3.29/28
VRRP Setting
- FW-01
set interfaces dataplane dp0s11 vrrp vrrp-group 3 advertise-interval 20
set interfaces dataplane dp0s11 vrrp vrrp-group 3 preempt false
set interfaces dataplane dp0s11 vrrp vrrp-group 3 priority 150
set interfaces dataplane dp0s11 vrrp vrrp-group 3 rfc-compatibility
set interfaces dataplane dp0s11 vrrp vrrp-group 3 version 2
set interfaces dataplane dp0s11 vrrp vrrp-group 3 virtual-address 192.168.3.27
- FW-02
set interfaces dataplane dp0s11 vrrp vrrp-group 3 advertise-interval 20
set interfaces dataplane dp0s11 vrrp vrrp-group 3 preempt false
set interfaces dataplane dp0s11 vrrp vrrp-group 3 priority 20
set interfaces dataplane dp0s11 vrrp vrrp-group 3 rfc-compatibility
set interfaces dataplane dp0s11 vrrp vrrp-group 3 version 2
set interfaces dataplane dp0s11 vrrp vrrp-group 3 virtual-address 192.168.3.27
Note
A VRRP advertise interval of 20 seconds or longer is recommended because, with the initial setting, VRRP communication on the base side was occasionally unstable (as of December 2016). Design the interval according to your system configuration (as of August 2017). A failure is detected when three consecutive hello packets are not received. If you change this setting, change it from the Backup-side firewall first. Changing it on the Master side first alters the hello transmission interval seen by the Backup side, so the Backup side also promotes itself to Master and both devices may end up as Master.
As a product specification, the VRRP virtual IP address cannot be used as the L2TP/IPsec connection destination. Therefore the VPN connection is not switched over automatically when a failure occurs; it must be reconnected manually from the client side. For that reason VRRP preempt is disabled in this design.
VPN configuration (L2TP/IPsec)
Authentication information
Item | Value
--- | ---
Local authentication user | test-user01
Local authentication password | testpass
Pre-shared key pass phrase | testkey
Note
The following authentication parameters are for testing purposes only. Configure your own values.
- FW-01
set security vpn ipsec nat-traversal enable
set security vpn ipsec nat-networks allowed-network 192.168.3.0/28
set security vpn l2tp remote-access authentication local-users username test-user01 password testpass
set security vpn l2tp remote-access authentication mode local
set security vpn l2tp remote-access client-ip-pool start 192.168.3.4
set security vpn l2tp remote-access client-ip-pool stop 192.168.3.9
set security vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testkey
set security vpn l2tp remote-access outside-address 153.xx.xx.178
set security vpn l2tp remote-access outside-nexthop 153.xx.xx.190
- FW-02
set security vpn ipsec nat-networks allowed-network 192.168.3.0/28
set security vpn ipsec nat-traversal enable
set security vpn l2tp remote-access authentication local-users username test-user01 password testpass
set security vpn l2tp remote-access authentication mode local
set security vpn l2tp remote-access client-ip-pool start 192.168.3.4
set security vpn l2tp remote-access client-ip-pool stop 192.168.3.9
set security vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testkey
set security vpn l2tp remote-access outside-address 153.xx.xx.179
set security vpn l2tp remote-access outside-nexthop 153.xx.xx.190
Confirming the configuration
- FW-01
user-admin@FW-01# show interfaces
interfaces {
    dataplane dp0s8 {
        address 153.xx.xx.178/28
    }
    dataplane dp0s11 {
        address 192.168.3.28/28
        vrrp {
            vrrp-group 3 {
                advertise-interval 20
                preempt false
                priority 150
                rfc-compatibility
                version 2
                virtual-address 192.168.3.27
            }
        }
    }
}
user-admin@FW-01# show security vpn
vpn {
    ipsec {
        nat-networks {
            allowed-network 192.168.3.0/28
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username test-user01 {
                        password "********"
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.3.4
                stop 192.168.3.9
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret "********"
                }
            }
            outside-address 153.xx.xx.178
            outside-nexthop 153.xx.xx.190
        }
    }
}
- FW-02
user-admin@FW-02# show interfaces
interfaces {
    dataplane dp0s8 {
        address 153.xx.xx.179/28
    }
    dataplane dp0s11 {
        address 192.168.3.29/28
        vrrp {
            vrrp-group 3 {
                advertise-interval 20
                preempt false
                priority 20
                rfc-compatibility
                version 2
                virtual-address 192.168.3.27
            }
        }
    }
}
user-admin@FW-02# show security vpn
vpn {
    ipsec {
        nat-networks {
            allowed-network 192.168.3.0/28
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username test-user01 {
                        password "********"
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.3.4
                stop 192.168.3.9
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret "********"
                }
            }
            outside-address 153.xx.xx.179
            outside-nexthop 153.xx.xx.190
        }
    }
}
Note
Passwords and the pre-shared secret are displayed as "********".
Client Configuration
Setting | Value
--- | ---
VPN type | Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
Advanced settings -> L2TP | Use pre-shared key for authentication (the key is the pre-shared key pass phrase configured on the FW)
Data encryption | Require encryption (disconnect if the server declines)
Allowed protocols | Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP Version 2 (MS-CHAP v2)
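The client profile above, together with the manual switchover that the VRRP note requires, can be scripted on the Windows client. The following PowerShell is an added example, not code from the original page or from the vendor: it assumes the masked outside addresses 153.xx.xx.178/179 are replaced with the real ones, uses the page's test credentials (in production keep them in the Windows credential store rather than in a script), and uses Server-01 (192.168.3.18) as the health check for the tunnel.

```powershell
# Added example, not from the original page: one L2TP/IPsec profile per firewall
# on the Windows client, with reconnection through the surviving firewall when
# the current session fails (the manual switchover the VRRP note requires).
$Gateways = @(
    @{ Name = 'VPN-FW-01'; Server = '153.xx.xx.178' },   # VRRP master, priority 150 (masked)
    @{ Name = 'VPN-FW-02'; Server = '153.xx.xx.179' }    # VRRP backup, priority 20 (masked)
)
$Psk = 'testkey'; $User = 'test-user01'; $Password = 'testpass'   # page's test values only
$ServerInTunnel = '192.168.3.18'   # Server-01 behind the firewalls; used as tunnel health check

# Same settings as the Client Configuration table, so either firewall accepts the client.
foreach ($gw in $Gateways) {
    if (-not (Get-VpnConnection -Name $gw.Name -ErrorAction SilentlyContinue)) {
        Add-VpnConnection -Name $gw.Name -ServerAddress $gw.Server -TunnelType L2tp `
            -L2tpPsk $Psk -AuthenticationMethod Chap, MSChapv2 -EncryptionLevel Required -Force
    }
}

function Connect-FirstReachableGateway {
    # Try FW-01, then FW-02. rasdial exits non-zero when the outside address
    # does not answer (e.g. FW-01 is down), so the loop moves to the next one.
    foreach ($gw in $Gateways) {
        rasdial $gw.Name /DISCONNECT | Out-Null       # clear any half-open session
        rasdial $gw.Name $User $Password | Out-Null
        if ($LASTEXITCODE -eq 0 -and
            (Test-Connection -ComputerName $ServerInTunnel -Count 2 -Quiet)) {
            return $gw.Name
        }
    }
    return $null
}

function Watch-Tunnel {
    # Poll the active session; when it drops, reconnect via whichever firewall answers.
    param([int]$IntervalSeconds = 30)
    $active = Connect-FirstReachableGateway
    while ($true) {
        Start-Sleep -Seconds $IntervalSeconds
        $healthy = $false
        if ($active) {
            $conn = Get-VpnConnection -Name $active -ErrorAction SilentlyContinue
            $healthy = ($conn.ConnectionStatus -eq 'Connected') -and
                       (Test-Connection -ComputerName $ServerInTunnel -Count 2 -Quiet)
        }
        if (-not $healthy) {
            Write-Warning "Session via '$active' lost; switching firewalls"
            $active = Connect-FirstReachableGateway
        }
    }
}
```

Run `Watch-Tunnel` once the profiles are registered; the poll interval bounds how long the client stays on a dead session before it retries through the other firewall.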
Flow of traffic
Status check in the normal state
VRRP status
user-admin@FW-01:~$ show vrrp
                                  RFC        Addr   Last        Sync
Interface  Group  State   Compliant  Owner  Transition  Group
---------  -----  ------  ---------  -----  ----------  -----
dp0s11     3      MASTER  dp0vrrp1   no     47m19s      <none>
user-admin@FW-02:~$ show vrrp
                                  RFC        Addr   Last        Sync
Interface  Group  State   Compliant  Owner  Transition  Group
---------  -----  ------  ---------  -----  ----------  -----
dp0s11     3      BACKUP  dp0vrrp1   no     47m55s      <none>
VPN status
user-admin@FW-01:~$ show vpn remote-access
Active remote access VPN sessions:
User         Proto  Iface  Tunnel IP    TX byte  RX byte  Time
----         -----  -----  -----------  -------  -------  ----
test-user01  L2TP   ppp0   192.168.3.4  402      10.8K    00h05m28s
Note
No VPN session is established on FW-02.
Client connection check
VPN connection on the client side
PS C:\Users\Administrator> ipconfig /all
(Excerpt showing only the VPN connection)
PPP adapter VPN connections(153.xx.xx.178):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN (153.xx.xx.178)
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.3.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
NetBIOS over Tcpip. . . . . . . . : Enabled
Traffic check by ping [OK]
PS C:\Users\Administrator> ping 192.168.3.18
Pinging 192.168.3.18 with 32 bytes of data:
Reply from 192.168.3.18: bytes=32 time=2ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Ping statistics for 192.168.3.18:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
PS C:\Users\Administrator>
Traffic check by FTP [OK]
PS C:\Users\Administrator> ftp
ftp> open 192.168.3.18
Connected to 192.168.3.18.
220 (vsFTPd 3.0.2)
User (192.168.3.18:(none)): ftp-user
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put file01*
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp: 4074 bytes sent in 0.00Seconds 4074000.00Kbytes/sec.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 4074 Mar 18 10:51 file01.log
226 Directory send OK.
ftp: 71 bytes received in 0.00Seconds 71000.00Kbytes/sec.
ftp> bye
221 Goodbye.
Flow of traffic when a failure occurs
Note
The VPN connection must be switched manually on the client side.
Status check when a failure occurs
VRRP status
user-admin@FW-01:~$ show vrrp
                                  RFC        Addr   Last        Sync
Interface  Group  State   Compliant  Owner  Transition  Group
---------  -----  ------  ---------  -----  ----------  -----
Note
No status is displayed because VRRP on FW-01 is stopped.
user-admin@FW-02:~$ show vrrp
                                  RFC        Addr   Last        Sync
Interface  Group  State   Compliant  Owner  Transition  Group
---------  -----  ------  ---------  -----  ----------  -----
dp0s11     3      MASTER  dp0vrrp1   no     13s         <none>
VPN status
user-admin@FW-02:~$ show vpn remote-access
Active remote access VPN sessions:
User         Proto  Iface  Tunnel IP    TX byte  RX byte  Time
----         -----  -----  -----------  -------  -------  ----
test-user01  L2TP   ppp0   192.168.3.4  1.9K     12.4K    00h10m41s
Note
No VPN session is established on FW-01.
Client connection check
VPN connection on the client side
PS C:\Users\Administrator> ipconfig /all
(Excerpt showing only the VPN connection)
PPP adapter VPN connections(153.xx.xx.179):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN (153.xx.xx.179)
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.3.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
NetBIOS over Tcpip. . . . . . . . : Enabled
Traffic check by ping [OK]
PS C:\Users\Administrator> ping 192.168.3.18
Pinging 192.168.3.18 with 32 bytes of data:
Reply from 192.168.3.18: bytes=32 time=2ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Ping statistics for 192.168.3.18:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
Traffic check by FTP [OK]
PS C:\Users\Administrator> ftp
ftp> open 192.168.3.18
Connected to 192.168.3.18.
220 (vsFTPd 3.0.2)
User (192.168.3.18:(none)): ftp-user
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 17604 Mar 18 10:58 file01.log
226 Directory send OK.
ftp: 71 bytes received in 0.02Seconds 4.44Kbytes/sec.
ftp> put file02*
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp: 17604 bytes sent in 0.00Seconds 17604000.00Kbytes/sec.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 17604 Mar 18 10:58 file01.log
-rw-r--r-- 1 1001 1001 17604 Mar 18 12:06 file02.log
226 Directory send OK.
ftp: 139 bytes received in 0.00Seconds 139000.00Kbytes/sec.
ftp> bye
221 Goodbye.
PS C:\Users\Administrator>