
Setting Up Vyatta VPN with Policy PAT


This article shows how to configure a Vyatta firewall so that all traffic sourced from your cloud environment and sent across the VPN tunnel to the remote VPN encryption domain appears as:

  • 1.1.1.1 for the locally sourced DMZ traffic
  • 2.2.2.2 for the locally sourced INSIDE traffic.

All other traffic from the local servers on either segment that is destined for the public Internet is PATed to the public IP address of eth0 (Outside).

Topology

Local Vyatta Firewall

Interface   IP Address           Description
eth0        166.78.184.111/24    public
eth1        192.168.100.1/22     DMZ-192.168.100.0/22
eth2        172.26.26.1/24       INSIDE-172.26.26.0/24

Remote Cisco ASA Firewall

Interface   IP Address           Description
eth 0/0     192.0.2.10/28        outside
eth 0/1     192.168.10.1/24      INSIDE-192.168.10.0/24
eth 0/2     192.168.19.1/24      DMZ-192.168.19.0/24

VPN Details

Encryption Domains

Local VPN Encryption Domains    Remote VPN Encryption Domains
DMZ-192.168.100.0/22            DMZ-192.168.19.0/24
INSIDE-172.26.26.0/24           INSIDE-192.168.10.0/24

ISAKMP and IPSEC Settings

Phase 1 Settings    Phase 2 Settings
AES-256             AES-256
SHA1                SHA1
Group 5             PFS Group 5
86400 Seconds       3600 Seconds

Policy PAT Configuration

VPN PAT

PAT traffic from the local subnets to the VPN remote subnets. These destination-specific rules are numbered lower than the Internet rules below so they are matched first.

# Rule 10 - PAT FROM the LOCAL DMZ 192.168.100.0/22 TO REMOTE DMZ 192.168.19.0/24
# Masquerading the source IP as 1.1.1.1
set nat source rule 10 description "POLICY PAT DMZ TO VPN REMOTE DMZ"
set nat source rule 10 destination address 192.168.19.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.100.0/22
set nat source rule 10 translation address 1.1.1.1

# Rule 20 - PAT FROM the LOCAL DMZ 192.168.100.0/22 TO REMOTE INSIDE 192.168.10.0/24
# Masquerading the source IP as 1.1.1.1
set nat source rule 20 description "POLICY PAT DMZ TO VPN REMOTE INSIDE"
set nat source rule 20 destination address 192.168.10.0/24
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 192.168.100.0/22
set nat source rule 20 translation address 1.1.1.1

# Rule 30 - PAT FROM the LOCAL INSIDE 172.26.26.0/24 TO REMOTE DMZ 192.168.19.0/24
# Masquerading the source IP as 2.2.2.2
set nat source rule 30 description "POLICY PAT INSIDE TO VPN REMOTE DMZ"
set nat source rule 30 destination address 192.168.19.0/24
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.26.26.0/24
set nat source rule 30 translation address 2.2.2.2

# Rule 40 - PAT FROM the LOCAL INSIDE 172.26.26.0/24 TO REMOTE INSIDE 192.168.10.0/24
# Masquerading the source IP as 2.2.2.2
set nat source rule 40 description "POLICY PAT INSIDE TO VPN REMOTE INSIDE"
set nat source rule 40 destination address 192.168.10.0/24
set nat source rule 40 outbound-interface eth0
set nat source rule 40 source address 172.26.26.0/24
set nat source rule 40 translation address 2.2.2.2

Internet PAT

PAT traffic from the local subnets to the public Internet as the IP address of eth0 (PAT Overload Outside)

# Rule 50 - PAT all other DMZ traffic destined for the Public Internet as eth0 IP
# Masquerading the source IP as the IP Address of Eth0 (Public IP)
set nat source rule 50 description "POLICY PAT DMZ TO Internet"
set nat source rule 50 outbound-interface eth0
set nat source rule 50 source address 192.168.100.0/22
set nat source rule 50 translation address masquerade

# Rule 60 - PAT all other INSIDE traffic destined for the Public Internet as eth0 IP
# Masquerading the source IP as the IP Address of Eth0 (Public IP)
set nat source rule 60 description "POLICY PAT INSIDE TO Internet"
set nat source rule 60 outbound-interface eth0
set nat source rule 60 source address 172.26.26.0/24
set nat source rule 60 translation address masquerade

VPN Configuration

Enable the VPN daemon on the outside interface

# Enable the VPN daemon on the eth0 Interface
set vpn ipsec ipsec-interfaces interface eth0

Phase 1 Define the Policies

# Phase 1 Settings: AES-256, SHA1, Group 5, Lifetime 86400
set vpn ipsec ike-group IKE-POLICY-10 lifetime 86400
set vpn ipsec ike-group IKE-POLICY-10 proposal 1 dh-group 5
set vpn ipsec ike-group IKE-POLICY-10 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-POLICY-10 proposal 1 hash sha1

Phase 2 Define the ESP Group (like an ASA transform set)

# Phase 2 Settings: AES-256, SHA1, PFS Group 5, Lifetime 3600
set vpn ipsec esp-group AES-256-SHA-PFS-GROUP-5-3600 lifetime 3600
set vpn ipsec esp-group AES-256-SHA-PFS-GROUP-5-3600 mode tunnel
set vpn ipsec esp-group AES-256-SHA-PFS-GROUP-5-3600 pfs enable
set vpn ipsec esp-group AES-256-SHA-PFS-GROUP-5-3600 proposal 1 encryption aes256
set vpn ipsec esp-group AES-256-SHA-PFS-GROUP-5-3600 proposal 1 hash sha1

Phase 2 Define the Individual Peer Attributes

set vpn ipsec site-to-site peer 192.0.2.10 description "VPN TO TANGO LAB ASA-5510"
set vpn ipsec site-to-site peer 192.0.2.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.10 authentication pre-shared-secret netsecR@wks
set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group AES-256-SHA-PFS-GROUP-5-3600
set vpn ipsec site-to-site peer 192.0.2.10 ike-group IKE-POLICY-10
set vpn ipsec site-to-site peer 192.0.2.10 local-address 166.78.184.111

Phase 2 Define the Tunnel Attributes (Encryption Domains)

# Tunnel 1 Local DMZ to remote DMZ
# Note that policy PAT translates the local DMZ source to 1.1.1.1, so the local prefix is 1.1.1.1/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 esp-group AES-256-SHA-PFS-GROUP-5-3600
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 1.1.1.1/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.19.0/24

# Tunnel 2 Local DMZ to remote INSIDE
# Note that policy PAT translates the local DMZ source to 1.1.1.1, so the local prefix is 1.1.1.1/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 2 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 2 allow-public-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 2 esp-group AES-256-SHA-PFS-GROUP-5-3600
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 2 local prefix 1.1.1.1/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 2 remote prefix 192.168.10.0/24

# Tunnel 3 Local INSIDE to remote DMZ
# Note that policy PAT translates the local INSIDE source to 2.2.2.2, so the local prefix is 2.2.2.2/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 3 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 3 allow-public-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 3 esp-group AES-256-SHA-PFS-GROUP-5-3600
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 3 local prefix 2.2.2.2/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 3 remote prefix 192.168.19.0/24

# Tunnel 4 Local INSIDE to remote INSIDE
# Note that policy PAT translates the local INSIDE source to 2.2.2.2, so the local prefix is 2.2.2.2/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 4 allow-nat-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 4 allow-public-networks disable
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 4 esp-group AES-256-SHA-PFS-GROUP-5-3600
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 4 local prefix 2.2.2.2/32
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 4 remote prefix 192.168.10.0/24
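As an added consistency check (not part of the original article), the following Python model evaluates the source NAT rules above in Vyatta's first-match, ascending-number order and verifies that the post-NAT source of every local-to-remote flow falls inside the local prefix of one of the four tunnels. It also exposes the common failure mode where the masquerade rules are numbered ahead of the policy PAT rules, so VPN-bound traffic leaves as the eth0 address and never matches a tunnel selector. Rule numbers, addresses and prefixes are taken from the page; the first-match ordering is standard Vyatta NAT behaviour.

```python
import ipaddress
ETH0_IP = "166.78.184.111"  # eth0 public address from the topology table
# Source NAT rules as configured on the page: (rule, source, destination or None, translation)
NAT_RULES = [
    (10, "192.168.100.0/22", "192.168.19.0/24", "1.1.1.1"),
    (20, "192.168.100.0/22", "192.168.10.0/24", "1.1.1.1"),
    (30, "172.26.26.0/24",   "192.168.19.0/24", "2.2.2.2"),
    (40, "172.26.26.0/24",   "192.168.10.0/24", "2.2.2.2"),
    (50, "192.168.100.0/22", None,              "masquerade"),
    (60, "172.26.26.0/24",   None,              "masquerade"),
]
# IPsec tunnel selectors from the peer configuration: (tunnel, local prefix, remote prefix)
TUNNELS = [
    (1, "1.1.1.1/32", "192.168.19.0/24"),
    (2, "1.1.1.1/32", "192.168.10.0/24"),
    (3, "2.2.2.2/32", "192.168.19.0/24"),
    (4, "2.2.2.2/32", "192.168.10.0/24"),
]

def translate(src, dst, rules=NAT_RULES):
    """First-match source NAT in ascending rule order, as Vyatta evaluates it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, snet, dnet, trans in sorted(rules, key=lambda r: r[0]):
        if s not in ipaddress.ip_network(snet):
            continue
        if dnet is not None and d not in ipaddress.ip_network(dnet):
            continue
        return num, (ETH0_IP if trans == "masquerade" else trans)  # (rule, post-NAT src)
    return None, src  # no rule matched: packet leaves untranslated

def tunnel_for(post_nat_src, dst, tunnels=TUNNELS):
    """Tunnel whose local and remote prefixes both cover the post-NAT flow, else None."""
    s, d = ipaddress.ip_address(post_nat_src), ipaddress.ip_address(dst)
    for num, local, remote in tunnels:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return num
    return None

def check_vpn_coverage(rules=NAT_RULES, tunnels=TUNNELS):
    """Flows (src, dst, post-NAT src) that would miss every tunnel; empty list means all covered."""
    misses = []
    for local in ("192.168.100.0/22", "172.26.26.0/24"):      # local encryption domains
        for remote in ("192.168.19.0/24", "192.168.10.0/24"):  # remote encryption domains
            src = str(next(ipaddress.ip_network(local).hosts()))
            dst = str(next(ipaddress.ip_network(remote).hosts()))
            _, post_src = translate(src, dst, rules)
            if tunnel_for(post_src, dst, tunnels) is None:
                misses.append((src, dst, post_src))
    return misses
```

Run check_vpn_coverage() after any change to the NAT rule numbering or tunnel prefixes; a non-empty result identifies exactly which local-to-remote pair would bypass the VPN.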







© 2011-2013 Rackspace US, Inc.
