HA IPSec VPN with VRRP on Vyatta

Vyatta provides the capability to maintain connectivity through one IPsec tunnel by using a pair of Vyatta routers with VRRP. When one Vyatta router fails or is brought down for maintenance, the new VRRP master Vyatta router restores IPsec connectivity between the local and remote networks.

Here I will show how to configure Vyatta to provide an HA IPsec VPN with VRRP.
The main difference between the HA IPsec VPN and a standard IPsec VPN configuration is the use of two scripts, ipsec-restart and ipsec-stop, which ship with the Vyatta firmware in the directory /config/scripts:

vyatta@vyatta:/config/scripts$ ls
ipsec-restart  ipsec-stop  vyatta-postconfig-bootup.script

vyatta@vyatta:/config/scripts$ more ipsec-restart 
#!/bin/bash
/etc/init.d/ipsec restart | logger -p info -t $(/usr/bin/basename $0)

vyatta@cvyatta:/config/scripts$ more ipsec-stop
#!/bin/bash
/etc/init.d/ipsec stop | logger -p info -t $(/usr/bin/basename $0)

The ipsec-restart script reinitializes the IPsec daemon.

The ipsec-stop script stops the IPsec daemon, so that a Vyatta router does not initiate tunnels unless and until it has been elected the VRRP master.

Below is an example HA IPsec configuration. VRRP runs on both interfaces of each router in the sync group vgroup1, so the two interfaces fail over together; the transition scripts are attached to the VRRP group with run-transition-scripts; and the IPsec peer is bound to the VRRP virtual interface (eth0v1) and uses the VRRP virtual address 192.168.107.100 as its local-address, so the remote peer sees the same endpoint whichever router is master.

Vyatta 1: VRRP master. Vyatta 2: VRRP backup.

vyatta@vyatta1:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.107.111/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:71:68:06'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vrrp vrrp-group 1 advertise-interval '1'
set interfaces ethernet eth0 vrrp vrrp-group 1 preempt 'false'
set interfaces ethernet eth0 vrrp vrrp-group 1 priority '254'
set interfaces ethernet eth0 vrrp vrrp-group 1 run-transition-scripts backup '/config/scripts/ipsec-stop'
set interfaces ethernet eth0 vrrp vrrp-group 1 run-transition-scripts fault '/config/scripts/ipsec-stop'
set interfaces ethernet eth0 vrrp vrrp-group 1 run-transition-scripts master '/config/scripts/ipsec-restart'
set interfaces ethernet eth0 vrrp vrrp-group 1 sync-group 'vgroup1'
set interfaces ethernet eth0 vrrp vrrp-group 1 virtual-address '192.168.107.100/24'
set interfaces ethernet eth1 address '192.168.174.111/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:71:68:10'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 vrrp vrrp-group 1 advertise-interval '1'
set interfaces ethernet eth1 vrrp vrrp-group 1 preempt 'false'
set interfaces ethernet eth1 vrrp vrrp-group 1 priority '254'
set interfaces ethernet eth1 vrrp vrrp-group 1 sync-group 'vgroup1'
set interfaces ethernet eth1 vrrp vrrp-group 1 virtual-address '192.168.174.100/24'
set service https http-redirect 'enable'
set service ssh port '22'
set system config-sync remote-router 192.168.174.111 password 'vyatta'
set system config-sync remote-router 192.168.174.111 sync-map 'SYNC'
set system config-sync remote-router 192.168.174.111 username 'vyatta'
set system config-sync remote-router 192.168.174.222 password 'vyatta'
set system config-sync remote-router 192.168.174.222 sync-map 'SYNC'
set system config-sync remote-router 192.168.174.222 username 'vyatta'
set system config-sync sync-map SYNC rule 1 action 'include'
set system config-sync sync-map SYNC rule 1 location 'nat'
set system config-sync sync-map SYNC rule 2 action 'include'
set system config-sync sync-map SYNC rule 2 location 'firewall'
set system config-sync sync-map SYNC rule 3 action 'include'
set system config-sync sync-map SYNC rule 3 location 'vpn'
set system gateway-address '192.168.107.17'
set system host-name 'vyatta1'
set system login user root authentication encrypted-password '$1$NiudjUdJ$Zf7AFBBiIdHrpczGE2tuQ/'
set system login user root authentication plaintext-password ''
set system login user root level 'admin'
set system login user vyatta authentication encrypted-password '$1$A/.ZAqyP$uymrdYkk8uBU.kBFMb5F6.'
set system login user vyatta level 'admin'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system syslog user all facility all level 'emerg'
set system time-zone 'Australia/Sydney'
set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'disable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-1W proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '3600'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-1W proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0v1'
set vpn ipsec site-to-site peer 192.168.107.17 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.107.17 authentication pre-shared-secret 'vyatta'
set vpn ipsec site-to-site peer 192.168.107.17 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.107.17 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 192.168.107.17 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 192.168.107.17 local-address '192.168.107.100'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 local prefix '192.168.174.0/24'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 remote prefix '192.168.217.0/24'

vyatta@vyatta2:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.107.222/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:1f:a0:4e'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vrrp vrrp-group 1 advertise-interval '1'
set interfaces ethernet eth0 vrrp vrrp-group 1 preempt 'false'
set interfaces ethernet eth0 vrrp vrrp-group 1 run-transition-scripts backup '/config/scripts/ipsec-stop'
set interfaces ethernet eth0 vrrp vrrp-group 1 run-transition-scripts fault '/config/scripts/ipsec-stop'
set interfaces ethernet eth0 vrrp vrrp-group 1 run-transition-scripts master '/config/scripts/ipsec-restart'
set interfaces ethernet eth0 vrrp vrrp-group 1 sync-group 'vgroup1'
set interfaces ethernet eth0 vrrp vrrp-group 1 virtual-address '192.168.107.100/24'
set interfaces ethernet eth1 address '192.168.174.222/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:1f:a0:58'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 vrrp vrrp-group 1 advertise-interval '1'
set interfaces ethernet eth1 vrrp vrrp-group 1 preempt 'false'
set interfaces ethernet eth1 vrrp vrrp-group 1 sync-group 'vgroup1'
set interfaces ethernet eth1 vrrp vrrp-group 1 virtual-address '192.168.174.100/24'
set service https http-redirect 'enable'
set service ssh port '22'
set system config-sync remote-router 192.168.174.111 password 'vyatta'
set system config-sync remote-router 192.168.174.111 sync-map 'SYNC'
set system config-sync remote-router 192.168.174.111 username 'vyatta'
set system config-sync remote-router 192.168.174.222 password 'vyatta'
set system config-sync remote-router 192.168.174.222 sync-map 'SYNC'
set system config-sync remote-router 192.168.174.222 username 'vyatta'
set system config-sync sync-map SYNC rule 1 action 'include'
set system config-sync sync-map SYNC rule 1 location 'nat'
set system config-sync sync-map SYNC rule 2 action 'include'
set system config-sync sync-map SYNC rule 2 location 'firewall'
set system config-sync sync-map SYNC rule 3 action 'include'
set system config-sync sync-map SYNC rule 3 location 'vpn'
set system gateway-address '192.168.107.17'
set system host-name 'vyatta2'
set system login user root authentication encrypted-password '$1$OR3t3Q8v$6CPPvERQ.UTsReP08zDWz0'
set system login user root authentication plaintext-password ''
set system login user root level 'admin'
set system login user vyatta authentication encrypted-password '$1$WRNtOH8I$ZNGhjj20oEbDtF/cZcd4r1'
set system login user vyatta level 'admin'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system syslog user all facility all level 'emerg'
set system time-zone 'Australia/Sydney'
set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'disable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-1W proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '3600'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-1W proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0v1'
set vpn ipsec site-to-site peer 192.168.107.17 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.107.17 authentication pre-shared-secret 'vyatta'
set vpn ipsec site-to-site peer 192.168.107.17 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.107.17 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 192.168.107.17 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 192.168.107.17 local-address '192.168.107.100'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 local prefix '192.168.174.0/24'
set vpn ipsec site-to-site peer 192.168.107.17 tunnel 1 remote prefix '192.168.217.0/24'

Verify VRRP and IPSec status

vyatta@vyatta1:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
eth0              1      MASTER  no         no     33m40s      vgroup1
eth1              1      MASTER  no         no     33m42s      vgroup1

vyatta@vyatta1:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.107.17                          192.168.107.100

Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----  -----  ------  ------  -----
1       up     0.0/0.0        aes256   sha1  no     2768    3600    all

vyatta@vyatta:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
eth0              1      BACKUP  no         no     12m2s       vgroup1
eth1              1      BACKUP  no         no     12m2s       vgroup1

vyatta@vyatta:~$ show vpn ipsec sa

Force VRRP master to backup

vyatta@vyatta1:~$ reset vrrp master interface eth0 group 1
vrrp group 1 on eth0 is in sync-group vgroup1
Forcing vyatta-eth1-1 to BACKUP…
Forcing vyatta-eth0-1 to BACKUP…

Verify VRRP and IPSec status

vyatta@vyatta1:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
eth0              1      BACKUP  no         no     26s         vgroup1
eth1              1      BACKUP  no         no     26s         vgroup1

vyatta@vyatta1:~$ show vpn ipsec sa

vyatta@vyatta:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
eth0              1      MASTER  no         no     48s         vgroup1
eth1              1      MASTER  no         no     49s         vgroup1

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.107.17                          192.168.107.100

Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----  -----  ------  ------  -----
1       up     0.0/0.0        aes256   sha1  no     805     3600    all
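The failover test above works because IPsec is only ever up on the VRRP master. As an added check (example code written for this post, not one of the Vyatta-supplied scripts), the following shell script parses the text of "show vrrp" and "show vpn ipsec sa" and flags a router whose IPsec state does not match its VRRP role, for instance a backup that still holds an SA because ipsec-stop never ran, or a split sync group. It assumes the column layout shown on this page and takes the two command outputs as arguments.

```shell
#!/bin/bash
# Added example, not one of the Vyatta-supplied scripts: check that the IPsec
# state on a router matches its VRRP role, using the text of "show vrrp" and
# "show vpn ipsec sa" as printed above. Column layout assumed as on this page.

# Print MASTER when every VRRP group line reports MASTER, BACKUP when none
# does, SPLIT when the groups in the sync group disagree.
vrrp_role() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^eth/ { if ($3 == "MASTER") m++; else o++ }
        END { if (m && !o) print "MASTER"; else if (!m && o) print "BACKUP"; else print "SPLIT" }'
}

# Count tunnels that "show vpn ipsec sa" lists as up (0 on an empty output).
ipsec_tunnels_up() {
    printf '%s\n' "$1" | awk '$2 == "up" { n++ } END { print n + 0 }'
}

# A master must hold SAs (ipsec-restart ran); a backup must hold none
# (ipsec-stop ran). Anything else is reported as a MISMATCH.
check_state() {
    local role up
    role=$(vrrp_role "$1")
    up=$(ipsec_tunnels_up "$2")
    case "$role:$up" in
        MASTER:0) echo "MISMATCH: MASTER but no IPsec SA, did ipsec-restart run?" ;;
        MASTER:*) echo "consistent" ;;
        BACKUP:0) echo "consistent" ;;
        BACKUP:*) echo "MISMATCH: BACKUP still holds $up IPsec SA(s), did ipsec-stop run?" ;;
        *)        echo "MISMATCH: sync group vgroup1 is split between MASTER and BACKUP" ;;
    esac
}

# Constructed sample outputs, modelled on the ones shown above.
VRRP_MASTER='Interface         Group  State   Compliant  Owner  Transition  Group
eth0              1      MASTER  no         no     33m40s      vgroup1
eth1              1      MASTER  no         no     33m42s      vgroup1'
VRRP_BACKUP='Interface         Group  State   Compliant  Owner  Transition  Group
eth0              1      BACKUP  no         no     12m2s       vgroup1
eth1              1      BACKUP  no         no     12m2s       vgroup1'
SA_UP='Peer ID / IP                            Local ID / IP
192.168.107.17                          192.168.107.100
Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
1       up     0.0/0.0        aes256   sha1  no     2768    3600    all'

check_state "$VRRP_MASTER" "$SA_UP"     # consistent
check_state "$VRRP_BACKUP" ""           # consistent
check_state "$VRRP_BACKUP" "$SA_UP"     # MISMATCH: BACKUP still holds 1 IPsec SA(s), did ipsec-stop run?
```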
