Virtual Router/ Firewall/ VPN

New Contributor
Posts: 2
Registered: ‎09-21-2015

Redundant WAN ports

Can VYATTA provide a solution for redundant WAN ports?

As an example :  two wan ports  with ipsec for active /standby or active/active to trigger failover from one wan1 to another wan2

If it can, please share the recommended configuration.

Brocadian
Posts: 44
Registered: ‎02-09-2015

Re: Redundant WAN ports

Let me make sure I understand your desired configuration.

There are a few different ways of handling this; the easiest one is to have both IPsec tunnels up and use BGP to regulate flow.

Which version of the vRouter are you using? The 5400 will have a different configuration than the 5600. Also do you have control over the terminating end or is it handled by a VPN provider like Amazon?

New Contributor
Posts: 2
Registered: ‎09-21-2015

Re: Redundant WAN ports

Thank you for looking into this.

Below is an example of a successful IPsec configuration on Brocade-Vyatta 5600.

The request is for an SD-WAN solution.

Brocade would have two uplink ports: port 1 with IPsec and port 2 with BGP.

Port 1 (IPsec) is going over the Internet.

Port 2 (BGP) is peering with their core.

Both are going to different peer devices.

Q1: Based on what information (besides routes) can Brocade switch the traffic between port 1 and port 2? Can it look into the application level?

Q2: If port 2 (BGP session) goes down, push all traffic over IPsec.

Q3: Same scenario, but instead of BGP on port 2, have IPsec on port 2.

Regards,

interfaces {
        dataplane dp0s3 {
                address 192.168.99.213/24
        }
        dataplane dp0s4 {
                address 192.168.40.2/24
        }
        dataplane dp0s5 {
                address 192.168.49.2/24
        }
        dataplane dp0s6 {
                address 192.168.220.2/24
        }
        loopback lo
        loopback lo1 {
                address 172.16.249.191/32
        }
}

security {
        firewall
        vpn {
                ipsec {
                        esp-group ESPGP01 {
                                proposal 1 {
                                        encryption 3des
                                        hash md5
                                }
                        }
                        ike-group IKEGP01 {
                                lifetime 3600
                                proposal 1 {
                                        dh-group 2
                                        encryption 3des
                                        hash md5
                                }
                        }
                        site-to-site {
                                peer 10.250.91.2 {
                                        authentication {
                                                pre-shared-secret zaza
                                        }
                                        default-esp-group ESPGP01
                                        ike-group IKEGP01
                                        local-address 192.168.49.2
                                        tunnel 1 {
                                                local {
                                                        prefix 192.168.40.0/24
                                                }
                                                remote {
                                                        prefix 192.168.30.0/24
                                                }
                                        }
                                }
                        }
                }
        }
}

vyatta@vyatta:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.250.91.2                             192.168.49.2

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     3des     md5   2        no     1126    3600


vyatta@vyatta:~$ show vpn ike secrets
Local IP/ID                             Peer IP/ID
-----------                             -----------
192.168.49.2                            10.250.91.2
N/A                                     N/A

    Secret: "zaza"

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.250.91.2                             192.168.49.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     1.2K/1.2K      3des     md5   no     1033    3600    all

vyatta@vyatta:~$ show vpn ipsec state
src 192.168.49.2 dst 10.250.91.2
        proto esp spi 0xc884ab6d reqid 16404 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xb2eb7a39301bb8108f767ab60d6725c8 96
        enc cbc(des3_ede) 0x239d92a1943a2fe82ba8f5cdd05a29aae219340bf155abec
src 10.250.91.2 dst 192.168.49.2
        proto esp spi 0xc3c624f6 reqid 16404 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xfb80311a2f50024c4866f18f38d9e528 96
        enc cbc(des3_ede) 0x032a3755b87835916f5487dc84ea2b9c3b47e5da1ff20579
vyatta@vyatta:~$


vyatta@vyatta:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
Gateway of last resort is 192.168.49.1 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 192.168.49.1, dp0s5
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 172.16.249.191/32 is directly connected, lo1
O    *> 172.16.249.202/32 [110/20] via 192.168.49.1, dp0s5, 15:21:36
K    *> 192.168.30.0/24 is directly connected, dp0s5
C    *> 192.168.40.0/24 is directly connected, dp0s4
C    *> 192.168.49.0/24 is directly connected, dp0s5
O E2 *> 192.168.88.0/24 [110/10] via 192.168.220.1, dp0s6, 15:21:26
O E2 *> 192.168.97.0/24 [110/10] via 192.168.220.1, dp0s6, 15:21:26
C    *> 192.168.99.0/24 is directly connected, dp0s3
O E2    192.168.99.0/24 [110/10] via 192.168.220.1, dp0s6, 15:21:26
C    *> 192.168.220.0/24 is directly connected, dp0s6
O    *> 192.168.253.0/24 [110/11] via 192.168.220.1, dp0s6, 15:21:26



vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.250.91.2                             192.168.49.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     252.0/0.0      3des     md5   no     3591    3600    all


Vyatta ping test
vyatta@vyatta:~$ ping 192.168.30.2
PING 192.168.30.2 (192.168.30.2) 56(84) bytes of data.
64 bytes from 192.168.30.2: icmp_req=22 ttl=255 time=5.13 ms
64 bytes from 192.168.30.2: icmp_req=23 ttl=255 time=4.43 ms
64 bytes from 192.168.30.2: icmp_req=24 ttl=255 time=4.22 ms
64 bytes from 192.168.30.2: icmp_req=25 ttl=255 time=3.48 ms
64 bytes from 192.168.30.2: icmp_req=26 ttl=255 time=3.57 ms
64 bytes from 192.168.30.2: icmp_req=27 ttl=255 time=4.83 ms
64 bytes from 192.168.30.2: icmp_req=28 ttl=255 time=5.37 ms
64 bytes from 192.168.30.2: icmp_req=29 ttl=255 time=5.03 ms
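The proposal settings in the configuration above (3DES, MD5, DH group 2 and a four-character pre-shared secret) are the ones a reviewer would flag today. As an added example, not code from this thread or from Brocade, here is a small Python check that scans a Vyatta-style `security vpn ipsec` block for those settings; the sample config is constructed to mirror the posted one, and the weak-algorithm sets and the 20-character PSK threshold are this example's own assumptions.

```python
# Deprecated IPsec choices this check flags (assumed policy, not a vendor list).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}      # 768-, 1024- and 1536-bit MODP
MIN_PSK_LEN = 20                      # assumed minimum pre-shared-secret length

# Constructed sample, modelled on the esp/ike groups and peer posted above.
SAMPLE_CONFIG = """\
esp-group ESPGP01 {
    proposal 1 {
        encryption 3des
        hash md5
    }
}
ike-group IKEGP01 {
    proposal 1 {
        dh-group 2
        encryption 3des
        hash md5
    }
}
peer 10.250.91.2 {
    authentication {
        pre-shared-secret zaza
    }
}
"""


def audit_ipsec_config(config):
    """Scan a Vyatta-style ipsec block line by line and return findings such as
    'ESPGP01: encryption 3des'. Secret values are never echoed, only their length."""
    findings, scope = [], "global"
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2:            # braces, blank lines, bare keywords
            continue
        key, val = words[0], words[1]
        if key in ("esp-group", "ike-group", "peer"):
            scope = val               # name findings after the enclosing group/peer
        elif key == "encryption" and val.lower() in WEAK_ENCRYPTION:
            findings.append(f"{scope}: encryption {val}")
        elif key == "hash" and val.lower() in WEAK_HASH:
            findings.append(f"{scope}: hash {val}")
        elif key == "dh-group" and val in WEAK_DH_GROUPS:
            findings.append(f"{scope}: dh-group {val}")
        elif key == "pre-shared-secret" and len(val) < MIN_PSK_LEN:
            findings.append(f"{scope}: pre-shared-secret shorter than {MIN_PSK_LEN} chars")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_ipsec_config(SAMPLE_CONFIG)))
```

The same function can be pointed at the output of `show configuration` on the device, since it only looks at the `encryption`, `hash`, `dh-group` and `pre-shared-secret` leaves.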
Brocadian
Posts: 44
Registered: ‎02-09-2015

Re: Redundant WAN ports

Q1: You can use Policy Based Routing to direct traffic at an application level. 

Q2 & Q3: If you have BGP traversing the IPsec tunnel, the routes will be automatically updated. Else you can have different weight static routes.

This may be a good case for submitting an RFE to implement OpenFlow on the 5600 for SD-WAN implementations.
