Using the Brocade vRouter VPN Capabilities

One of the challenges that must be overcome as servers are migrated to a cloud service provider is the ability to continue to reach all servers and securely communicate with them for various administrative and data transfer needs. NAT can provide a limited way to access hosts in this arrangement and may be sufficient for customer access. However, there is often the possibility of other communications requirements between on-premise hosts and the servers that are now located in the cloud. This article examines the use of the Brocade vRouter in a VPN configuration to address this challenge.

The Challenge

The customer, whom we will call ACME, has decided to migrate the server workload to a cloud service provider. This type of environment is typically known as IaaS (Infrastructure as a Service). ACME will need access to the private IP addresses of its cloud servers from on-premise workstations. The communication also needs to be universally encrypted for secure transport.

The Proposal

The proposed solution is to implement a VPN between the Brocade Vyatta vRouter and an existing on-premise appliance (a Cisco ASA in this example).

Vyatta to ASA

The configuration relevant to VPN for both the Brocade Vyatta vRouter and the ASA can be found below.

Brocade vRouter Configuration

//configure the interface for IPSec
set vpn ipsec ipsec-interfaces interface eth0

//configure the phase 1 proposal
set vpn ipsec ike-group MYIKE proposal 1
set vpn ipsec ike-group MYIKE proposal 1 encryption aes256
set vpn ipsec ike-group MYIKE proposal 1 hash sha1
set vpn ipsec ike-group MYIKE proposal 1 dh-group 2
set vpn ipsec ike-group MYIKE lifetime 3600

//configure the phase 2 transform
set vpn ipsec esp-group MYESP proposal 1
set vpn ipsec esp-group MYESP proposal 1 encryption aes256
set vpn ipsec esp-group MYESP proposal 1 hash sha1
set vpn ipsec esp-group MYESP pfs enable
set vpn ipsec esp-group MYESP lifetime 1800

//configure the site-to-site peer and the tunnel (phase 2 selectors)
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret VYATTAtoCISCO
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group MYESP
set vpn ipsec site-to-site peer 2.2.2.2 ike-group MYIKE
set vpn ipsec site-to-site peer 2.2.2.2 local-address 1.1.1.1
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 172.16.34.0/24
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 192.168.2.0/24

//commit the changes
commit

//save configuration
save

Resulting VPN Section of Configuration

[email protected]# edit vpn
[edit vpn]
[email protected]# show
 ipsec {
     esp-group MYESP {
         compression disable
         lifetime 1800
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha1
         }
     }
     ike-group MYIKE {
         lifetime 3600
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha1
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     site-to-site {
         peer 2.2.2.2 {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret VYATTAtoCISCO
             }
             connection-type initiate
             default-esp-group MYESP
             ike-group MYIKE
             local-address 1.1.1.1
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 local {
                     prefix 172.16.34.0/24
                 }
                 remote {
                     prefix 192.168.2.0/24
                 }
             }
         }
     }
 }
[edit vpn]
[email protected]#

ASA Configuration

//phase 1 proposal
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600

//pre shared key
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key VYATTAtoCISCO

//crypto acl (to identify interesting traffic)
access-list CRYPTO extended permit ip 192.168.2.0 255.255.255.0 172.16.34.0 255.255.255.0

//phase 2
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map mymap 10 match address CRYPTO
crypto map mymap 10 set pfs
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
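As an added cross-check (example code written for this article, not part of the original post or of either vendor's tooling), the script below pulls the phase 1 and phase 2 parameters out of both configurations above, normalizes the two vendors' spellings (aes-256 vs aes256, sha vs sha1, address/mask vs CIDR) and reports every field that differs, since a mismatched proposal or a crypto ACL that does not mirror the tunnel prefixes is the usual reason a tunnel like this never comes up. The embedded sample lines are copied from the two configurations above.

```python
import ipaddress
import re
# Constructed input: the IKE/ESP lines copied from the article's two configs.
VYATTA = """set vpn ipsec ike-group MYIKE proposal 1 encryption aes256
set vpn ipsec ike-group MYIKE proposal 1 hash sha1
set vpn ipsec ike-group MYIKE proposal 1 dh-group 2
set vpn ipsec esp-group MYESP proposal 1 encryption aes256
set vpn ipsec esp-group MYESP proposal 1 hash sha1
set vpn ipsec esp-group MYESP pfs enable
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 172.16.34.0/24
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 192.168.2.0/24
"""
ASA = """crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 2
access-list CRYPTO extended permit ip 192.168.2.0 255.255.255.0 172.16.34.0 255.255.255.0
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map mymap 10 set pfs
"""
# (field, Vyatta regex, ASA regex), group 1 is the value; the ASA crypto ACL is written from the ASA's side, so its source is the Vyatta "remote" prefix.
FIELDS = [
    ("ike encryption", r"ike-group \S+ proposal \d+ encryption (\S+)", r"^ encryption (\S+)"),
    ("ike hash", r"ike-group \S+ proposal \d+ hash (\S+)", r"^ hash (\S+)"),
    ("ike dh-group", r"ike-group \S+ proposal \d+ dh-group (\S+)", r"^ group (\S+)"),
    ("esp encryption", r"esp-group \S+ proposal \d+ encryption (\S+)", r"transform-set \S+ (\S+) \S+"),
    ("esp hash", r"esp-group \S+ proposal \d+ hash (\S+)", r"transform-set \S+ \S+ (\S+)"),
    ("pfs", r"esp-group \S+ pfs (\S+)", r"crypto map \S+ \d+ set (pfs)"),
    ("local network", r"tunnel \d+ local prefix (\S+)", r"permit ip \S+ \S+ (\S+ \S+)$"),
    ("remote network", r"tunnel \d+ remote prefix (\S+)", r"permit ip (\S+ \S+) \S+ \S+$"),
]
ALIAS = {"aes-256": "aes256", "esp-aes-256": "aes256", "sha": "sha1", "esp-sha-hmac": "sha1", "pfs": "enable"}  # vendor spellings of the same setting

def normalize(value):
    if " " in value:  # ASA "address mask" pair -> CIDR, the form Vyatta uses
        return str(ipaddress.ip_network(value.replace(" ", "/"), strict=False))
    return ALIAS.get(value, value)

def find(regex, text):
    m = re.search(regex, text, re.M)
    return normalize(m.group(1)) if m else None

def compare(vyatta, asa):  # returns {field: (vyatta value, asa value)} for every field that differs
    mismatches = {}
    for name, v_re, a_re in FIELDS:
        v_val, a_val = find(v_re, vyatta), find(a_re, asa)
        if v_val != a_val:
            mismatches[name] = (v_val, a_val)
    return mismatches
```

An empty result from compare(VYATTA, ASA) means both sides agree on every field; a non-empty one names the mismatched parameter and the two values as each side spells them.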

Verification

In addition to sending test traffic to verify the functionality, there are also commands that can be used on each device to determine the status of the VPN connection.

Vyatta vRouter Verification

//phase 1
[email protected]# run show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
  2.2.2.2                                  1.1.1.1

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   sha1  2        no     3461    3600

//phase 2
[email protected]# run show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
  2.2.2.2                                  1.1.1.1

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     33.6K/33.5K    aes256   sha1  no     1276    1800    all

ASA Verification

//phase 1
ASA# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

//phase 2
ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2

      access-list CRYPTO extended permit ip 192.168.2.0 255.255.255.0 172.16.34.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.34.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 2194, #pkts encrypt: 2194, #pkts digest: 2194
      #pkts decaps: 2194, #pkts decrypt: 2194, #pkts verify: 2194

Conclusion

Connecting to a private network slice at a cloud service provider will likely require some type of address translation, tunneling or both. This article has demonstrated basic use of the Brocade Vyatta vRouter to build an IPSec tunnel to an on-premise VPN device. ACME’s configuration is fairly straightforward but provides the flexibility required to minimize the impact of relocating servers into this type of arrangement.

Please note, there are additional firewall functions that should be considered and implemented according to the security policy of each organization.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.

2 Responses to Using the Brocade vRouter VPN Capabilities

  1. Dave Ironhall says:

    Nice article. I’m a big fan of the Brocade vRouter, although there’s a steep learning curve if you’ve never used one before. Here’s a tip – use an online Brocade VPN configuration generator to help you get started quickly, such as http://www.whyaws.com/tools/vyatta_vpn_gen.htm.
