10.3.4. Remote access VPN configuration example

Operation Confirmed Version:
 Brocade 5600vRouter Version 4.2R1S1
This section describes an example in which the Brocade 5600vRouter acts as a VPN gateway and a client connects through the VPN to the internal network.

System diagram

This example builds a configuration in which the Client connects to the FW using the L2TP/IPsec VPN protocol.
  • FW-01 and FW-02 run VRRP and act as the gateway of Server-01, giving a redundant configuration.

Note

  • "Windows Server 2012R2" is used as the Client OS.

  • The "Windows default VPN client" is used as the VPN client.

  • "CentOS 7.1.1503" is used as the Server OS.

  • "vsFTPd 3.0.2" is used as the FTP server.

Configuration of Firewall

Firewall Interface setting

The interface settings are shown only so that the configured contents can be confirmed; the interfaces themselves must be set from the customer portal.
Note that if you submit the interface setting commands below on the device, an error is returned.

Note

  • Interface settings can only be made from the customer portal.

  • FW-01
set interfaces dataplane dp0s8 address 153.xx.xx.178/28
set interfaces dataplane dp0s11 address 192.168.3.28/28
  • FW-02
set interfaces dataplane dp0s8 address 153.xx.xx.179/28
set interfaces dataplane dp0s11 address 192.168.3.29/28

VRRP Setting

The redundancy settings for the private segment are shown below.
Before setting up VRRP, you must allow VRRP communication from the customer portal.
  • FW-01
set interfaces dataplane dp0s11 vrrp vrrp-group 3 advertise-interval 20
set interfaces dataplane dp0s11 vrrp vrrp-group 3 preempt false
set interfaces dataplane dp0s11 vrrp vrrp-group 3 priority 150
set interfaces dataplane dp0s11 vrrp vrrp-group 3 rfc-compatibility
set interfaces dataplane dp0s11 vrrp vrrp-group 3 version 2
set interfaces dataplane dp0s11 vrrp vrrp-group 3 virtual-address 192.168.3.27
  • FW-02
set interfaces dataplane dp0s11 vrrp vrrp-group 3 advertise-interval 20
set interfaces dataplane dp0s11 vrrp vrrp-group 3 preempt false
set interfaces dataplane dp0s11 vrrp vrrp-group 3 priority 20
set interfaces dataplane dp0s11 vrrp vrrp-group 3 rfc-compatibility
set interfaces dataplane dp0s11 vrrp vrrp-group 3 version 2
set interfaces dataplane dp0s11 vrrp vrrp-group 3 virtual-address 192.168.3.27

Note

  • The VRRP advertise interval was recommended to be 20 seconds or longer because, with the initial setting, VRRP communication was in rare cases unstable on the base side (as of December 2016). Design the interval according to your system configuration (as of August 2017). A failure is detected when three hello packets in succession are not received. If you change this setting, change it from the Backup-side firewall. Changing it from the Master side alters the hello interval seen by the Backup side, so the Backup side may also be promoted to Master and both devices can end up as Master.

  • Because of a product specification, the VRRP VIP cannot be specified as the connection destination when L2TP/IPsec is used. Therefore, when a failure occurs the VPN connection cannot be switched over automatically and must be switched manually from the client side. In line with this, VRRP preempt is disabled.

VPN configuration (L2TP/IPsec)

This section explains the remote-access settings using L2TP/IPsec on the FW.
  • Authentication information

    Local authentication user: test-user01

    Local authentication password: testpass

    Pre-shared key pass phrase: testkey

Note

  • The authentication parameters above are for testing purposes only. Configure your own values.

  • FW-01
set security vpn ipsec nat-traversal enable
set security vpn ipsec nat-networks allowed-network 192.168.3.0/28
set security vpn l2tp remote-access authentication local-users username test-user01 password testpass
set security vpn l2tp remote-access authentication mode local
set security vpn l2tp remote-access client-ip-pool start 192.168.3.4
set security vpn l2tp remote-access client-ip-pool stop 192.168.3.9
set security vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testkey
set security vpn l2tp remote-access outside-address 153.xx.xx.178
set security vpn l2tp remote-access outside-nexthop 153.xx.xx.190
  • FW-02
set security vpn ipsec nat-networks allowed-network 192.168.3.0/28
set security vpn ipsec nat-traversal enable
set security vpn l2tp remote-access authentication local-users username test-user01 password testpass
set security vpn l2tp remote-access authentication mode local
set security vpn l2tp remote-access client-ip-pool start 192.168.3.4
set security vpn l2tp remote-access client-ip-pool stop 192.168.3.9
set security vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set security vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testkey
set security vpn l2tp remote-access outside-address 153.xx.xx.179
set security vpn l2tp remote-access outside-nexthop 153.xx.xx.190
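The following is an added example, not part of this page or the vendor's tooling. It reads the FW-01 and FW-02 `set` command lists above and checks the properties the redundant design depends on: the VRRP group parameters match on both nodes except priority, preempt is false on both, the L2TP settings match except outside-address, and the client-ip-pool lies inside the nat-networks allowed-network without overlapping the VIP, the interface addresses or the Server address (192.168.3.18, the ping and FTP target on this page). The masked 153.xx.xx.x public octets are skipped; the pool and reserved-address rules are this example's own assumptions.

```python
"""Consistency check for the FW-01 / FW-02 configuration pair (added example)."""
import ipaddress

# Constructed from the page's command lists. Lines with masked "xx" octets
# are kept as on the page and skipped by the parser.
FW01 = """
set interfaces dataplane dp0s8 address 153.xx.xx.178/28
set interfaces dataplane dp0s11 address 192.168.3.28/28
set interfaces dataplane dp0s11 vrrp vrrp-group 3 advertise-interval 20
set interfaces dataplane dp0s11 vrrp vrrp-group 3 preempt false
set interfaces dataplane dp0s11 vrrp vrrp-group 3 priority 150
set interfaces dataplane dp0s11 vrrp vrrp-group 3 rfc-compatibility
set interfaces dataplane dp0s11 vrrp vrrp-group 3 version 2
set interfaces dataplane dp0s11 vrrp vrrp-group 3 virtual-address 192.168.3.27
set security vpn ipsec nat-traversal enable
set security vpn ipsec nat-networks allowed-network 192.168.3.0/28
set security vpn l2tp remote-access authentication mode local
set security vpn l2tp remote-access client-ip-pool start 192.168.3.4
set security vpn l2tp remote-access client-ip-pool stop 192.168.3.9
set security vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set security vpn l2tp remote-access outside-address 153.xx.xx.178
"""
FW02 = (FW01.replace("153.xx.xx.178", "153.xx.xx.179")
            .replace("192.168.3.28/28", "192.168.3.29/28")
            .replace("priority 150", "priority 20"))

SERVER = ipaddress.ip_address("192.168.3.18")   # Server-01 (assumed reserved)


def parse_set_lines(text):
    """Split `set` lines into interface addresses, VRRP keys and VPN keys."""
    cfg = {"addresses": [], "vrrp": {}, "vpn": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"] and w[4] == "address":
            if "xx" not in w[5]:                     # masked public address
                cfg["addresses"].append(ipaddress.ip_interface(w[5]).ip)
        elif w[:2] == ["set", "interfaces"] and w[4] == "vrrp":
            # set interfaces dataplane IF vrrp vrrp-group N KEY [VALUE]
            cfg["vrrp"]["group"] = w[6]
            cfg["vrrp"][w[7]] = w[8] if len(w) > 8 else "present"
        elif w[:3] == ["set", "security", "vpn"]:
            # the words between "vpn" and the last word form the key path
            cfg["vpn"][" ".join(w[3:-1])] = w[-1]
    return cfg


def check_pair(primary, backup):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    v1, v2 = primary["vrrp"], backup["vrrp"]
    for key in ("group", "virtual-address", "version",
                "advertise-interval", "rfc-compatibility"):
        if v1.get(key) != v2.get(key):
            findings.append(f"vrrp {key} differs: {v1.get(key)!r} vs {v2.get(key)!r}")
    if int(v1.get("priority", 0)) <= int(v2.get("priority", 0)):
        findings.append("primary vrrp priority must exceed backup priority")
    for name, v in (("FW-01", v1), ("FW-02", v2)):
        if v.get("preempt") != "false":
            findings.append(f"{name}: preempt must be false (manual failback design)")
    s1, s2 = primary["vpn"], backup["vpn"]
    for key in sorted(set(s1) | set(s2)):
        if key.endswith("outside-address"):
            continue                                 # the only per-node value
        if s1.get(key) != s2.get(key):
            findings.append(f"vpn {key} differs between nodes")
    # Address-pool placement, checked against the addresses of both nodes.
    try:
        net = ipaddress.ip_network(s1["ipsec nat-networks allowed-network"])
        start = ipaddress.ip_address(s1["l2tp remote-access client-ip-pool start"])
        stop = ipaddress.ip_address(s1["l2tp remote-access client-ip-pool stop"])
    except KeyError as missing:
        return findings + [f"missing setting: {missing}"]
    if start > stop:
        findings.append("client-ip-pool start is after stop")
    if start not in net or stop not in net:
        findings.append(f"client-ip-pool {start}-{stop} not inside allowed-network {net}")
    reserved = {SERVER, *primary["addresses"], *backup["addresses"]}
    if "virtual-address" in v1:
        reserved.add(ipaddress.ip_address(v1["virtual-address"]))
    for addr in sorted(reserved):
        if start <= addr <= stop:
            findings.append(f"client-ip-pool overlaps reserved address {addr}")
    return findings


if __name__ == "__main__":
    for line in check_pair(parse_set_lines(FW01), parse_set_lines(FW02)) or ["OK"]:
        print(line)
```

Run against the page's values the check reports nothing; changing preempt on one node or widening the pool past 192.168.3.15 produces findings, which is the point of running it before committing the same change on both firewalls.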

Confirmation of setting contents

If the above settings have been committed correctly, the output below can be confirmed.
  • FW-01
user-admin@FW-01# show interfaces
 interfaces {
       dataplane dp0s8 {
               address 153.xx.xx.178/28
       }
       dataplane dp0s11 {
               address 192.168.3.28/28
               vrrp {
                       vrrp-group 3 {
                               advertise-interval 20
                               preempt false
                               priority 150
                               rfc-compatibility
                               version 2
                               virtual-address 192.168.3.27
                       }
               }
       }
 }


user-admin@FW-01# show security vpn
 vpn {
       ipsec {
               nat-networks {
                       allowed-network 192.168.3.0/28
               }
               nat-traversal enable
       }
       l2tp {
               remote-access {
                       authentication {
                               local-users {
                                       username test-user01 {
                                               password "********"
                                       }
                               }
                               mode local
                       }
                       client-ip-pool {
                               start 192.168.3.4
                               stop 192.168.3.9
                       }

                       ipsec-settings {
                               authentication {
                                       mode pre-shared-secret
                                       pre-shared-secret "********"
                               }
                       }
                       outside-address 153.xx.xx.178
                       outside-nexthop 153.xx.xx.190
               }
       }
 }
  • FW-02
user-admin@FW-02# show interfaces
 interfaces {
       dataplane dp0s8 {
               address 153.xx.xx.179/28
       }
       dataplane dp0s11 {
               address 192.168.3.29/28
               vrrp {
                       vrrp-group 3 {
                               advertise-interval 20
                               preempt false
                               priority 20
                               rfc-compatibility
                               version 2
                               virtual-address 192.168.3.27
                       }
               }
       }
 }


user-admin@FW-02# show security vpn
 vpn {
       ipsec {
               nat-networks {
                       allowed-network 192.168.3.0/28
               }
               nat-traversal enable
       }
       l2tp {
               remote-access {
                       authentication {
                               local-users {
                                       username test-user01 {
                                               password "********"
                                       }
                               }
                               mode local
                       }
                       client-ip-pool {
                               start 192.168.3.4
                               stop 192.168.3.9
                       }
                       ipsec-settings {
                               authentication {
                                       mode pre-shared-secret
                                       pre-shared-secret "********"
                               }
                       }
                       outside-address 153.xx.xx.179
                       outside-nexthop 153.xx.xx.190
               }
       }
 }

Note

  • Passwords are displayed as "********".

Client Configuration

The setting procedure for the Windows default VPN client is as follows.
1. Open "Control Panel" > "Network and Internet" > "Network and Sharing Center".
   [Screenshot: C_b_win_set_00]
2. Select "Set up a new connection or network".
   [Screenshot: C_b_win_set_01]
   A pop-up window of connection options is displayed; select "Office".
   [Screenshot: C_b_win_set_02]
   Select "Use Internet (VPN)".
   [Screenshot: C_b_win_set_03]
   Select "Setup Internet later".
   [Screenshot: C_b_win_set_04]
   Enter the target FW IP address as "Internet Address" and any name as "Connection Name", then click "Create".
   [Screenshot: C_b_win_set_05]
3. Move back to "Network and Sharing Center" and click "Change adapter settings".
   [Screenshot: C_b_win_set_06]
   The VPN connection created earlier is displayed; right-click it and select "Properties".
   [Screenshot: C_b_win_set_07]
   Configure the "Security" tab as follows, then select "OK".

   VPN type: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)

   Detail Setting -> L2TP: Use pre-shared key for authentication (the key is the same as the pre-shared key pass phrase configured on the FW)

   Data encryption: Encryption is required (if the server rejects it, the connection is disconnected)

   Permitted protocols: Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP Version 2 (MS-CHAP v2)

   [Screenshot: C_b_win_set_08]
Setting up is now complete.
Double-click the created connection, select the VPN connection from the list of networks that appears on the right side, enter the sign-in information and select "OK".
[Screenshot: C_b_win_set_09]

Flow of traffic

In the normal state, the VPN connection is made to FW-01.
After the VPN is established, communication is checked from the Client to the Server with Ping and FTP.

Status check at normal state

The status of the firewall during normal communication can be confirmed as follows.
  • VRRP status

FW-01 must be Master.
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s11            3      MASTER  dp0vrrp1   no     47m19s      <none>
FW-02 must be Backup.
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s11            3      BACKUP  dp0vrrp1   no     47m55s      <none>
  • VPN status

VPN connection is established to FW-01.
user-admin@FW-01:~$ show vpn remote-access
Active remote access VPN sessions:
User            Proto Iface  Tunnel IP       TX byte RX byte  Time
----            ----- -----  -----------     ------- -------  ----
test-user01     L2TP  ppp0   192.168.3.4         402   10.8K  00h05m28s

Note

  • VPN connection to FW-02 will not be established.

Client Connection check

Verify that FTP, Ping and IP address assignment succeed.
  • VPN connection on the Client side

An IP address is assigned from the address pool.
PS C:\Users\Administrator> ipconfig /all
※ Excerpt showing the VPN connection only

PPP adapter VPN VPN connections(153.xx.xx.178):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN (153.xx.xx.178)
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled
  • Traffic check by Ping[OK]

PS C:\Users\Administrator> ping 192.168.3.18

Pinging 192.168.3.18 with 32 bytes of data:
Reply from 192.168.3.18: bytes=32 time=2ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63

Ping statistics for 192.168.3.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
PS C:\Users\Administrator>
  • Traffic check by FTP[OK]

PS C:\Users\Administrator> ftp
ftp> open 192.168.3.18
Connected to 192.168.3.18.
220 (vsFTPd 3.0.2)
User (192.168.3.18:(none)): ftp-user
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put file01*
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp: 4074 bytes sent in 0.00Seconds 4074000.00Kbytes/sec.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001         4074 Mar 18 10:51 file01.log
226 Directory send OK.
ftp: 71 bytes received in 0.00Seconds 71000.00Kbytes/sec.
ftp> bye
221 Goodbye.

Flow of traffic when a failure occurs

When a failure occurs, the VPN connection is established to FW-02.
After the VPN is established, communication is checked from the Client to the Server with Ping and FTP.

Note

  • The VPN connection must be switched manually on the Client side.

Note

To simulate an instance failure, we temporarily disabled VRRP on FW-01.
A vrrp-group can be stopped and resumed with the following commands.
# Stop
 set interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable
# Resume
 delete interfaces dataplane [INTERFACE NAME] vrrp vrrp-group [GROUP ID] disable

Check Status When a Failure Occurs

The status of the firewall at the time of failure can be confirmed as follows.
  • VRRP status

VRRP on FW-01 is stopped.
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----

Note

  • No status is displayed because VRRP on FW-01 is stopped.

FW-02 is Master.
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s11            3      MASTER  dp0vrrp1   no     13s         <none>
  • VPN status

VPN connection is established to FW-02.
user-admin@FW-02:~$ show vpn remote-access
Active remote access VPN sessions:

User            Proto Iface  Tunnel IP       TX byte RX byte  Time
----            ----- -----  -----------     ------- -------  ----
test-user01     L2TP  ppp0   192.168.3.4        1.9K   12.4K  00h10m41s

Note

  • VPN connection to FW-01 will not be established.
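The following is an added example for the status checks in the normal-state and failure-state sections above; it is not part of the original page. It parses the `show vrrp` and `show vpn remote-access` tables collected from both firewalls and reports which node is VRRP Master and which node terminates the L2TP session, flagging the dual-Master condition the VRRP note warns about and a session that sits on a node other than the Master (since the VIP cannot be the L2TP destination, the session does not move by itself). The sample outputs are constructed to match the page's tables; "FW-01" and "FW-02" are the page's node names.

```python
"""Parse `show vrrp` / `show vpn remote-access` output and assess failover state."""

VRRP_HEADER = """\
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
"""
# Constructed rows matching the page's tables.
VRRP_FW01_NORMAL = VRRP_HEADER + "dp0s11            3      MASTER  dp0vrrp1   no     47m19s      <none>\n"
VRRP_FW02_NORMAL = VRRP_HEADER + "dp0s11            3      BACKUP  dp0vrrp1   no     47m55s      <none>\n"
VRRP_FW01_STOPPED = VRRP_HEADER                      # VRRP disabled: no rows
VRRP_FW02_FAILOVER = VRRP_HEADER + "dp0s11            3      MASTER  dp0vrrp1   no     13s         <none>\n"

RA_HEADER = """\
Active remote access VPN sessions:
User            Proto Iface  Tunnel IP       TX byte RX byte  Time
----            ----- -----  -----------     ------- -------  ----
"""
RA_SESSION = RA_HEADER + "test-user01     L2TP  ppp0   192.168.3.4         402   10.8K  00h05m28s\n"
RA_NONE = RA_HEADER                                  # no session on this node


def parse_show_vrrp(text):
    """Rows of `show vrrp` as dicts; an empty list means VRRP is not running."""
    rows = []
    for line in text.splitlines():
        w = line.split()
        if len(w) == 7 and w[0].startswith("dp"):   # data rows start with dp0...
            rows.append({"interface": w[0], "group": w[1], "state": w[2],
                         "last_transition": w[5]})
    return rows


def parse_remote_access(text):
    """Rows of `show vpn remote-access` as dicts (user, proto, iface, tunnel_ip, time)."""
    rows, in_table = [], False
    for line in text.splitlines():
        w = line.split()
        if w and w[0].startswith("----"):            # dashed line ends the header
            in_table = True
            continue
        if in_table and len(w) == 7:
            rows.append({"user": w[0], "proto": w[1], "iface": w[2],
                         "tunnel_ip": w[3], "time": w[6]})
    return rows


def assess(vrrp_outputs, ra_outputs):
    """vrrp_outputs / ra_outputs map node name -> command output. Returns a verdict."""
    masters = [n for n, out in vrrp_outputs.items()
               if any(r["state"] == "MASTER" for r in parse_show_vrrp(out))]
    stopped = [n for n, out in vrrp_outputs.items() if not parse_show_vrrp(out)]
    gateways = [n for n, out in ra_outputs.items() if parse_remote_access(out)]
    issues = []
    if len(masters) > 1:
        issues.append(f"dual master: {', '.join(masters)} both report MASTER")
    elif not masters:
        issues.append("no VRRP master on any node")
    if len(gateways) > 1:
        issues.append(f"L2TP session active on several nodes: {', '.join(gateways)}")
    elif not gateways:
        issues.append("no active remote-access session on any node")
    elif masters and gateways[0] not in masters:
        issues.append(f"VPN session terminates on {gateways[0]} but VRRP master is {masters[0]}")
    return {"master": masters[0] if len(masters) == 1 else None,
            "vpn_gateway": gateways[0] if len(gateways) == 1 else None,
            "vrrp_stopped": stopped, "issues": issues}


if __name__ == "__main__":
    print(assess({"FW-01": VRRP_FW01_NORMAL, "FW-02": VRRP_FW02_NORMAL},
                 {"FW-01": RA_SESSION, "FW-02": RA_NONE}))
    print(assess({"FW-01": VRRP_FW01_STOPPED, "FW-02": VRRP_FW02_FAILOVER},
                 {"FW-01": RA_NONE, "FW-02": RA_SESSION}))
```

Fed the normal-state outputs it reports FW-01 as both Master and VPN gateway with no issues; fed the failure-state outputs it reports FW-02 as Master, lists FW-01 under `vrrp_stopped`, and again raises no issue, because the client was switched by hand as the note requires. Two MASTER rows or a session left on the Backup node show up as issues, which is the case to alert on after a recovery with preempt disabled.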

Client Connection check

Verify that FTP, Ping and IP address assignment succeed.
  • VPN connection on the Client side

An IP address is assigned from the address pool.
PS C:\Users\Administrator> ipconfig /all
※ Excerpt showing the VPN connection only

PPP adapter VPN connections(153.xx.xx.179):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN (153.xx.xx.179)
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled
  • Traffic check by Ping[OK]

PS C:\Users\Administrator> ping 192.168.3.18

Pinging 192.168.3.18 with 32 bytes of data:
Reply from 192.168.3.18: bytes=32 time=2ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63
Reply from 192.168.3.18: bytes=32 time=1ms TTL=63

Ping statistics for 192.168.3.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
  • Traffic check by FTP[OK]

PS C:\Users\Administrator> ftp
ftp> open 192.168.3.18
Connected to 192.168.3.18.
220 (vsFTPd 3.0.2)
User (192.168.3.18:(none)): ftp-user
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001        17604 Mar 18 10:58 file01.log
226 Directory send OK.
ftp: 71 bytes received in 0.02Seconds 4.44Kbytes/sec.
ftp> put file02*
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp: 17604 bytes sent in 0.00Seconds 17604000.00Kbytes/sec.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001        17604 Mar 18 10:58 file01.log
-rw-r--r--    1 1001     1001        17604 Mar 18 12:06 file02.log
226 Directory send OK.
ftp: 139 bytes received in 0.00Seconds 139000.00Kbytes/sec.
ftp> bye
221 Goodbye.
PS C:\Users\Administrator>