New Contributor
Posts: 2
Registered: ‎02-20-2017

Brocade vRouter 5410 6.7 R11S3 AWS VPN with Public IP Encryption Domain

Hello Community!

 

I'm having a little trouble with a new VPN configuration and was hoping the community could provide me with a few pointers.

 

I have spun up a Brocade vRouter 5410 6.7 R11S3 instance on AWS from the marketplace to replace an older Vyatta deployment. The customer has requested that the encryption domain be a public IP address. An elastic IP is associated with the instance for VPN connectivity. The Encryption Domain elastic IP is reserved but not assigned. All port configurations are correct (sharing the same older Vyatta security group rules, which are working).

 

I have configured a VPN to a customer site.  Phase 1 is successful, Phase 2 is stuck.

 

000 #13: "peer-1.2.3.4-tunnel-1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 11s
000 #3: "peer-1.2.3.4-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27359s; newest ISAKMP; DPD active

 

I 'think' the issue is with the NAT configuration due to the Encryption Domain requirement. The customer has checked their logs and believes it's an issue with the Encryption Domain configuration.

 

set nat destination rule 11 description 'IN Peer IP > Local IP'
set nat destination rule 11 destination address 'vRouter Elastic IP'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 log 'enable'
set nat destination rule 11 source address 'Customer Encryption Domain IP'
set nat destination rule 11 translation address 'AWS IP CIDR'
set nat source rule 11 description 'OUT Local IP > Peer IP'
set nat source rule 11 destination address 'Customer Peer IP'
set nat source rule 11 log 'enable'
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address 'AWS IP CIDR'
set nat source rule 11 translation address 'AWS Encryption Domain Public IP'

 

Any assistance would be greatly appreciated!

 

Thank you in advance!

 

Scott

Brocadian
Posts: 15
Registered: ‎06-17-2015

Re: Brocade vRouter 5410 6.7 R11S3 AWS VPN with Public IP Encryption Domain

If addresses are NAT'ed between the 2 peers, then you need to enable NAT Traversal:

set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network <x.x.x.x/x>
New Contributor
Posts: 2
Registered: ‎02-20-2017

Re: Brocade vRouter 5410 6.7 R11S3 AWS VPN with Public IP Encryption Domain

Sorry for my late reply and thank you for your assistance. It appears this issue was related to the P2 proposal configuration at the customer's site.

 

VPN tunnel is now up and confirmed by the customer! yay!!!

 

I have a second issue where I don't see any traffic traversing the tunnel.


Tunnel  State  Bytes Out/In  Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  ------------  -------  ----  -----  ------  ------  -----
1       up     0.0/0.0       3des     md5   yes    879     3600    all

 

I have run a tshark sniff against the encryption domain which returns:

 

vyatta@<vyatta EC2># tshark -i eth0 host <src enc domain>
Capturing on eth0
0.000000 <src enc domain> -> <target enc domain> TCP 74 35672 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=22519355 TSecr=0 WS=128
0.999696 <src enc domain> -> <target enc domain> TCP 74 35672 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=22520355 TSecr=0 WS=128
2.996664 <vyatta> -> <src enc domain> ICMP 102 Destination unreachable (Host unreachable)
2.996702 <vyatta> -> <src enc domain> ICMP 102 Destination unreachable (Host unreachable)
2.997134 <src enc domain> -> <target enc domain> TCP 74 35672 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=22522352 TSecr=0 WS=128

 

vyatta@<vyatta EC2># tshark -i eth0 host <target peer>
Capturing on eth0
0.000000 <vyatta> -> <target peer> ISAKMP 130
0.019171 <target peer> -> <vyatta> ISAKMP 130
8.888557 <vyatta> -> <target peer> UDPENCAP 43 NAT-keepalive
15.019616 <vyatta> -> <target peer> ISAKMP 130
15.038596 <target peer> -> <vyatta> ISAKMP 130

 

vyatta@<vyatta EC2># tshark -i eth0 host <target enc domain>
Capturing on eth0
0.000000 <src enc domain> -> <target enc domain> TCP 74 48098 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=22657355 TSecr=0 WS=128
0.000082 <vyatta mac> -> Broadcast ARP 42 Who has <target enc domain>? Tell <vyatta>
0.996197 <vyatta mac> -> Broadcast ARP 42 Who has <target enc domain>? Tell <vyatta>
0.999263 <src enc domain> -> <target enc domain> TCP 74 48098 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=22658355 TSecr=0 WS=128
1.996192 <vyatta mac> -> Broadcast ARP 42 Who has <target enc domain>? Tell <vyatta>
2.996722 <src enc domain> -> <target enc domain> TCP 74 48098 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=22660352 TSecr=0 WS=128
2.996762 <vyatta mac> -> Broadcast ARP 42 Who has <target enc domain>? Tell <vyatta>

 

Any further assistance would be greatly appreciated.

 

Regards,

 

Scott

 
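An added diagnostic script, not from the original post, that classifies the symptoms visible in the tshark captures above: cleartext SYNs to the remote encryption domain with no SYN-ACK, the router ARPing on eth0 for the remote encryption domain (which means the packet was routed as an on-link neighbour instead of matching the tunnel's local/remote prefix selectors), and ICMP host-unreachable from the router. The sample capture is constructed to mirror the post's output, with the same angle-bracket placeholders in place of real addresses.

```python
import re
from collections import Counter

# Constructed sample in the shape of the thread's tshark output; the angle-bracket
# placeholders stand in for the real addresses, exactly as they do in the post.
CAPTURE = """\
0.000000 <src enc domain> -> <target enc domain> TCP 74 48098 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460
0.000082 <vyatta mac> -> Broadcast ARP 42 Who has <target enc domain>? Tell <vyatta>
0.999263 <src enc domain> -> <target enc domain> TCP 74 48098 > irdmi [SYN] Seq=0 Win=14600 Len=0 MSS=1460
1.996192 <vyatta mac> -> Broadcast ARP 42 Who has <target enc domain>? Tell <vyatta>
2.996664 <vyatta> -> <src enc domain> ICMP 102 Destination unreachable (Host unreachable)
"""

# One tshark summary line: "<time> <src> -> <dst> <PROTO> <len> <info>".
# Placeholder addresses contain spaces, so split on " -> " and on the
# upper-case protocol token rather than on plain whitespace.
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<src>.+?) -> (?P<dst>.+?) "
    r"(?P<proto>[A-Z]+) (?P<len>\d+)\s*(?P<info>.*)$"
)

def analyze(capture, router, remote_domain):
    c = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m["src"], m["dst"], m["proto"], m["info"]
        if proto == "TCP" and dst == remote_domain and "[SYN]" in info:
            c["syn_to_remote"] += 1          # cleartext SYN towards the remote domain
        elif proto == "TCP" and src == remote_domain and "[SYN, ACK]" in info:
            c["synack_from_remote"] += 1
        elif proto == "ARP" and f"Who has {remote_domain}?" in info:
            c["arp_for_remote"] += 1         # router treats remote domain as on-link
        elif proto == "ARP" and info.startswith(f"{remote_domain} is at"):
            c["arp_reply_for_remote"] += 1
        elif proto == "ICMP" and src == router and "unreachable" in info.lower():
            c["router_unreachable"] += 1     # router gave up on delivery
    findings = []
    if c["syn_to_remote"] and not c["synack_from_remote"]:
        findings.append("no-synack")
    if c["arp_for_remote"] and not c["arp_reply_for_remote"]:
        # ARP on eth0 for the remote encryption domain: the packet never matched the
        # tunnel's local/remote prefix; check the route and the NAT/prefix ordering.
        findings.append("remote-domain-arped-on-link")
    if c["router_unreachable"]:
        findings.append("router-host-unreachable")
    return {"counts": dict(c), "findings": findings}
```

Run `analyze(CAPTURE, "<vyatta>", "<target enc domain>")` against a real capture by substituting the router address and the remote encryption domain prefix.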

Brocadian
Posts: 15
Registered: ‎06-17-2015

Re: Brocade vRouter 5410 6.7 R11S3 AWS VPN with Public IP Encryption Domain

We'd like to help you further with this issue, but we'll need more information from your setup. As a minimum:

- show configuration

- show interfaces

- show ip route
