The goal of this tutorial is to provide a configuration for Cisco and VyOS network devices with PAT (Port Address Translation) that connects two remote sides, A and B, through a point-to-point GRE tunnel encapsulated in an IPsec tunnel. In a previous tutorial we showed that a GRE tunnel protected by IPsec carries multicast traffic (and therefore OSPF) while IPsec provides data integrity, authentication and confidentiality, and I provided a minimal configuration of the GRE tunnel, the IPsec tunnel and the OSPF routing protocol on the Cisco and VyOS routers. In this tutorial I go further and provide the full configuration of all network devices, including PAT and access-lists.
Picture 1 - Network Topology
Topology Description - Side A
Each side has a Layer 2 Cisco switch located in a LAN. The switch connects hosts to its switchports, and each switchport is assigned to a particular VLAN. For instance, host PC1 is connected to switch SW1 on a switchport assigned to VLAN 100. Hosts in VLAN 100 (subnet 192.168.1.0/24) have guaranteed access to the remote subnet 192.168.2.0/24 via the GRE/IPsec tunnel. A NAT access-list configured on router R1 ensures that the IP address of a host in VLAN 100 is not translated by PAT when the destination address is inside 192.168.2.0/24. If the destination address is not in 192.168.2.0/24, PAT translates the source addresses of the hosts in VLAN 100 to the public IP address 188.8.131.52. This happens, for instance, when a user logged on to host PC1 tries to connect to router R3 located in the Internet.
Hosts assigned to VLAN 100 are blocked from reaching VLAN 300 (192.168.3.0/24) because VLAN 300 is reserved for guests; for the same reason, hosts in VLAN 300 have access to the Internet only. Hosts in VLAN 100 also have no access to the subnet 192.168.4.0/24 configured on the remote VyOS router: that subnet is hidden behind NAT, so it is not reachable from the Internet, and the access-lists on the tunnel interfaces only admit traffic between 192.168.1.0/24 and 192.168.2.0/24, so it is not reachable through the tunnel either.
Topology Description - Side B
Side B follows the same connectivity principles as side A. Hosts assigned to VLAN 200 (192.168.2.0/24) can reach the hosts in the remote subnet 192.168.1.0/24 via the GRE/IPsec tunnel. They can also reach public addresses in the Internet; in that case their source addresses from 192.168.2.0/24 are translated by PAT to the public IP address 184.108.40.206. VLAN 400 is where guests are connected. Hosts assigned to this VLAN have access to the Internet only, and their addresses from 192.168.4.0/24 are translated to the IP address 220.127.116.11. A detailed connectivity table for sides A and B is shown below.
Tab 1 - Connectivity Between Subnets
1. Internet Configuration
1.1 Router R3 Configuration
The following commands configured on router R3 make the router act as our simulated Internet, which connects the two remote sides A and B.
2. Side A Configuration
2.1 Layer2 Switch SW1 Configuration
Configure interface Gi0/0 as a trunk port that allows VLANs 100 and 300. Create the VLANs, set interfaces Gi0/1 and Gi0/2 as access ports and assign them to the appropriate VLAN. The actual commands are here.
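The following listing is an added example in Cisco IOS syntax, not the tutorial's own listing. It assumes Gi0/0 is the uplink to R1, Gi0/1 connects PC1 (VLAN 100) and Gi0/2 connects PC3 (VLAN 300); the VLAN names, the description strings, the portfast lines and the `switchport nonegotiate` line are my additions (the last one stops the switch from offering DTP negotiation on the uplink, so a device plugged in there cannot talk itself into a trunk).

```cisco
! SW1 - Layer 2 switch on side A (added example, placeholders noted above)
vlan 100
 name USERS
vlan 300
 name GUESTS
!
! Trunk towards R1: carry only the two VLANs this site actually uses
interface GigabitEthernet0/0
 description Trunk to R1 Gi1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,300
 switchport nonegotiate
!
! Access ports: one VLAN each, no trunking possible from the host side
interface GigabitEthernet0/1
 description PC1 - VLAN 100
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description PC3 - guest VLAN 300
 switchport mode access
 switchport access vlan 300
 spanning-tree portfast
```

`show interfaces trunk` confirms that Gi0/0 carries only VLANs 100 and 300, and `show vlan brief` shows which access port sits in which VLAN.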
2.2 Hosts PC1 and PC3 Configuration
All hosts in the infrastructure are based on Core Linux, which requires additional configuration to keep IP settings after a restart. To make the configuration easier I have created a BASH script assign_ip.sh that configures the IP address, subnet mask and default gateway of a particular host. Copy and paste the script into the vim editor on each PC and run it as root with the command:
$ sudo bash ./assign_ip.sh pcnumber
Replace a word pcnumber with a number:
$ sudo bash ./assign_ip.sh 1
$ sudo bash ./assign_ip.sh 3
2.3 Router R1 Configuration
2.3.1 Router R1 on a Stick and Default Route
This configuration routes between VLANs 100 and 300 (the access-lists in section 2.3.7 then restrict what may cross between them) and creates a static default route to the Internet.
2.3.2 R1 - NAT
Here we configure the sub-interfaces GigabitEthernet 1/0.100 and 1/0.300 as NAT inside interfaces and the interface GigabitEthernet 0/0 as the NAT outside interface. The PAT configuration consists of a named access-list PAT that denies translation of the subnet 192.168.1.0/24 to the subnet 192.168.2.0/24 and permits translation of the subnets 192.168.1.0/24 and 192.168.3.0/24 to any other destination. The order of the entries matters: the deny must precede the permit for 192.168.1.0/24, otherwise tunnel-bound traffic would be translated and never enter the tunnel. As a result, the subnet 192.168.1.0/24 is translated to the public address 18.104.22.168 only when the traffic is not destined for the remote IPsec subnet 192.168.2.0/24. The access-list is not bound to an interface; it is referenced by the ip nat inside source statement, which translates matching packets to the address of GigabitEthernet 0/0 (the overload keyword turns NAT into PAT).
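Sections 2.3.1 and 2.3.2 together, as an added example in Cisco IOS syntax (not the tutorial's listing). The public addresses are placeholders I chose from the RFC 5737 documentation ranges, because the page's own public addresses are not legible: R1 Gi0/0 is 203.0.113.1/30 with R3 at 203.0.113.2; the LAN gateway addresses 192.168.1.1 and 192.168.3.1 are likewise assumptions.

```cisco
! R1 - router on a stick, default route and PAT (added example, placeholder addresses)
interface GigabitEthernet0/0
 description Internet (R3) - placeholder address
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet1/0
 description Trunk to SW1
 no ip address
!
interface GigabitEthernet1/0.100
 description VLAN 100 - users
 encapsulation dot1Q 100
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet1/0.300
 description VLAN 300 - guests
 encapsulation dot1Q 300
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! Deny first: traffic for the remote IPsec subnet must keep its private source
! address so that it can be routed into the tunnel untouched.
ip access-list extended PAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
! The list is referenced here rather than applied to an interface;
! 'overload' makes this PAT (many private addresses behind one public one).
ip nat inside source list PAT interface GigabitEthernet0/0 overload
```

`show ip nat translations` should list entries for Internet-bound flows only; a translation with a destination in 192.168.2.0/24 means the deny entry is missing or in the wrong place. The deny also matters while the tunnel is down: those packets then fall back to the default route, and the outbound access-list on GigabitEthernet 0/0 (section 2.3.7) drops them instead of PAT sending them to the Internet.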
2.3.3 R1 - ISAKMP - Phase 1
2.3.4 R1 - IPSec - Phase 2
In phase two we create the IPsec transform set MyTS and configure the encryption and hash algorithms. This is also where we define the IPsec mode, either tunnel (the default) or transport. In tunnel mode a completely new IP delivery header is added to each IPsec packet, while in transport mode the original IP header stays in place (except that its protocol field changes to 50 for ESP). With GRE over IPsec the GRE encapsulation already supplies an outer IP header, so transport mode is sufficient and saves 20 bytes per packet; whichever mode you choose, both peers must agree on it. Next we create an IPsec profile named Protect-GRE, assign the transform set MyTS to it and configure the security-association lifetime. Finally we attach the IPsec profile to the tunnel interface tun0 with tunnel protection.
2.3.5 R1 - GRE Tunnel
GRE tunnel configuration is here.
2.3.6 R1 - OSPF Routing Protocol
The OSPF routing protocol is configured here. To prevent OSPF hello multicasts from being sent into the LAN, we configure the interfaces GigabitEthernet 1/0.100 and 1/0.300 as passive interfaces; the tunnel interface must stay active, because the OSPF adjacency with the VyOS router forms over it.
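Sections 2.3.3 to 2.3.6, as one added example in Cisco IOS syntax (not the tutorial's listing). Assumptions: R1's public address is 203.0.113.1, the VyOS peer is 198.51.100.1, the tunnel link uses 10.0.0.0/30 (10.0.0.1 on R1), the pre-shared key is the placeholder ChangeMe, the tunnel interface is Tunnel0 (the page calls it tun0), and the cipher choices, the MTU/MSS lines and the PFS remark are mine. The algorithms on both sides of the tunnel must match exactly.

```cisco
! R1 - ISAKMP (phase 1), IPsec (phase 2), GRE tunnel and OSPF (added example)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Placeholder key: use a long random string, and the same one on the VyOS peer
crypto isakmp key ChangeMe address 198.51.100.1
!
! Phase 2: transport mode, because GRE already provides the outer IP header
crypto ipsec transform-set MyTS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile Protect-GRE
 set security-association lifetime seconds 3600
 set transform-set MyTS
! If the VyOS esp-group keeps PFS enabled, add "set pfs group14" here
! (or disable PFS on the VyOS side); phase 2 fails if only one peer uses PFS.
!
interface Tunnel0
 description GRE over IPsec to VyOS
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile Protect-GRE
!
! OSPF: hellos only over the tunnel, never into the LAN VLANs
router ospf 1
 router-id 10.0.0.1
 passive-interface GigabitEthernet1/0.100
 passive-interface GigabitEthernet1/0.300
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

The `ip mtu 1400` and `ip tcp adjust-mss 1360` lines account for the GRE and ESP overhead so that full-size TCP segments are not silently fragmented or dropped. Check phase 1 with `show crypto isakmp sa` (state should be QM_IDLE), phase 2 with `show crypto ipsec sa` (encaps and decaps counters increasing) and the adjacency with `show ip ospf neighbor`. If more LAN interfaces are added later, `passive-interface default` followed by `no passive-interface Tunnel0` is the safer pattern, as a new sub-interface is then passive unless you say otherwise.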
2.3.7 R1 - Access Lists
First we create an extended named access-list incoming_traffic_g0/0. Rule 10 permits UDP packets from the source IP 22.214.171.124 to the destination IP address 126.96.36.199 with destination UDP port 500, the port the ISAKMP (IKE) protocol uses. Rule 20 permits ESP packets (IP protocol 50) from the IP address 188.8.131.52 to the IP address 184.108.40.206. Rules 10 and 20 are all the IPsec tunnel needs here: the GRE packets travel inside ESP, so GRE (IP protocol 47) does not have to be permitted separately, and because no NAT device sits between the two peers, UDP port 4500 (NAT traversal) is not required either. Rule 30 permits ICMP echo-reply traffic from any address to the IP address 220.127.116.11; our hosts behind NAT need it to ping hosts in the Internet. Rule 40 permits TCP traffic from any host to the IP address 18.104.22.168 that carries the ACK or RST flag (the established keyword), which lets replies to TCP connections opened by the hosts behind NAT back in. Two caveats: the inbound access-list is evaluated before NAT, so the destination in rules 30 and 40 is the public address, not the private one; and established is stateless, so it does not match UDP replies (DNS, for instance), which rule 1000 drops unless a further rule or a stateful feature such as the IOS zone-based firewall is added. Rule 1000 blocks any other traffic. Finally, we apply the access-list to the interface GigabitEthernet 0/0 in the incoming direction.
The extended access-list outgoing_traffic_tun0 permits outgoing traffic from the subnet 192.168.1.0/24 to the subnet 192.168.2.0/24 and blocks any other traffic. It is applied on the interface tun0 and ensures that only traffic from 192.168.1.0/24 destined for 192.168.2.0/24 is encapsulated into the GRE tunnel. OSPF is unaffected, because an outbound access-list on IOS does not filter packets the router itself originates.
To prevent packets with private source addresses from 192.168.1.0/24 being sent to the Internet in clear when the IPsec tunnel fails (the route to 192.168.2.0/24 learned over the tunnel disappears and those packets fall back to the default route), we create the access-list outgoing_traffic_gi0/0. Rule 10 denies any packet whose source address is in 192.168.1.0/24, so such packets never leave router R1 through GigabitEthernet 0/0 unencapsulated; rule 1000 permits any other traffic. The access-list is applied in the outgoing direction on the interface GigabitEthernet 0/0. Internet-bound traffic from VLAN 100 is not affected, because PAT translates its source address before the outbound access-list is evaluated, and the GRE/ESP packets themselves carry R1's public address as their source.
The extended named access-list incoming_traffic_gi1/0.300, applied to the interface GigabitEthernet 1/0.300 for incoming packets, prevents hosts in the subnet 192.168.3.0/24 from reaching hosts in the subnet 192.168.1.0/24. Guests are kept out of the remote subnet 192.168.2.0/24 as well, since outgoing_traffic_tun0 only admits sources from 192.168.1.0/24 into the tunnel.
The extended named access-list incoming_traffic_gi1/0.100, applied to the interface GigabitEthernet 1/0.100 for incoming packets, prevents hosts in the subnet 192.168.1.0/24 from reaching hosts in the subnet 192.168.3.0/24.
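All of section 2.3.7 as one added example in Cisco IOS syntax (not the tutorial's listing). Assumptions: R1's public address is 203.0.113.1, the VyOS peer is 198.51.100.1, the tunnel interface is Tunnel0, and the list names use dashes in place of the slashes and dots that appear in the text; the `remark` and `log` entries are mine.

```cisco
! R1 - access-lists (added example, placeholder addresses)
!
! Inbound on the Internet interface: IKE and ESP from the peer, replies for PAT
! (this list is checked before NAT, hence the public address as destination)
ip access-list extended incoming_traffic_g0-0
 remark IKE and ESP only from the VyOS peer
 10 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 20 permit esp host 198.51.100.1 host 203.0.113.1
 remark replies to hosts behind PAT; 'established' is stateless and TCP-only
 30 permit icmp any host 203.0.113.1 echo-reply
 40 permit tcp any host 203.0.113.1 established
 1000 deny ip any any log
!
! Only the site-to-site pair may enter the GRE tunnel
ip access-list extended outgoing_traffic_tun0
 10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 1000 deny ip any any
!
! Anti-leak: if the tunnel route vanishes, private sources must not exit in clear.
! Internet traffic from VLAN 100 passes because PAT runs before this list.
ip access-list extended outgoing_traffic_g0-0
 10 deny ip 192.168.1.0 0.0.0.255 any log
 1000 permit ip any any
!
! VLAN isolation in both directions
ip access-list extended incoming_traffic_gi1-0-300
 10 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 1000 permit ip any any
!
ip access-list extended incoming_traffic_gi1-0-100
 10 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 1000 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group incoming_traffic_g0-0 in
 ip access-group outgoing_traffic_g0-0 out
!
interface Tunnel0
 ip access-group outgoing_traffic_tun0 out
!
interface GigabitEthernet1/0.100
 ip access-group incoming_traffic_gi1-0-100 in
!
interface GigabitEthernet1/0.300
 ip access-group incoming_traffic_gi1-0-300 in
```

To verify the anti-leak list, shut down Tunnel0, ping 192.168.2.1 from PC1 and watch `show access-lists outgoing_traffic_g0-0`: the hit counter of rule 10 must increase and nothing with a 192.168.1.x source should be visible on R3. With the tunnel up again the counter stays still, because the packets leave inside GRE/ESP with the public source address.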
3. Side B Configuration
3.1 Layer 2 SW2 Configuration
The following commands configure a trunk port, access ports and VLANs on L2 switch SW2.
3.2 Hosts PC2 and PC4 Configuration
$ sudo bash ./assign_ip.sh 2
$ sudo bash ./assign_ip.sh 4
3.3 Router VyOS Configuration
3.3.1 Router VyOS on a Stick and Default Static Route
First we configure the IP address 22.214.171.124/24 on the interface eth0 and the respective IP addresses on the sub-interfaces eth1.200 and eth1.400. Then we create a default static route with the IP address 126.96.36.199 as the next hop. The actual configuration is here.
3.3.2 VyOS - NAT
We create a source NAT whose rule 5 excludes packets sent from the subnet 192.168.2.0/24 to the subnet 192.168.1.0/24 from translation. Rule 10 translates the source addresses of packets from the subnet 192.168.4.0/24 to the public IP address 188.8.131.52, which is configured on the outbound interface eth0. Rule 15 translates the addresses of hosts from the subnet 192.168.2.0/24 to the IP address 220.127.116.11 when they send traffic to the Internet. VyOS evaluates source NAT rules in ascending order and the first match wins, so the exclude rule must keep the lowest number. The NAT configuration is here.
3.3.3 VyOS IPSec Tunnel
Enable IPSec on interface eth0.
3.3.4 VyOS - IKE Group - Phase 1
Create the ike-group named cisco and configure encryption, the hash algorithm, DH group and lifetime.
3.3.5 VyOS - ESP Group - Phase 2
Create the esp-group named cisco and configure the encryption, the hash algorithm and the lifetime. Configure the tunnel peer and the pre-shared key. Associate the ike-group cisco and the esp-group cisco with the peer 18.104.22.168. Configure the local address used for the connection. Finally, configure GRE as the protocol that is going to be encapsulated inside the IPsec tunnel.
3.3.6 VyOS - GRE Tunnel
3.3.7 OSPF Configuration
Here is OSPF routing protocol configuration on VyOS.
3.3.8 VyOS - Firewall Configuration
The firewall incoming_traffic consists of the rules 1, 5 and 10 with the default action drop. Rule 1 accepts return traffic in the states established and related, that is, replies to connections initiated by the hosts in VLANs 200 and 400. Rule 5 accepts incoming packets from the IP address 22.214.171.124 to the IP address 126.96.36.199 with destination port UDP 500, the port the ISAKMP protocol uses. Rule 10 accepts incoming ESP packets from the IP address 188.8.131.52 to the IP address 184.108.40.206. The firewall incoming_traffic is applied on the interface eth0 twice: in the in direction for traffic forwarded through the router, and in the local direction for traffic destined for the router itself. Both are needed, because IKE and ESP terminate on the router (local), while the replies for the hosts behind NAT are forwarded (in).
The firewall outgoing_traffic_tun0 inspects outgoing traffic from the interface tun0. The rule 10 allows outgoing traffic from the subnet 192.168.2.0/24 to the subnet 192.168.1.0/24. All other traffic is dropped.
The firewall outgoing_traffic_eth0, with rule 10 applied on the interface eth0 in the outgoing direction, prevents packets with source addresses from 192.168.2.0/24 destined for the subnet 192.168.1.0/24 from leaking to the Internet in clear when the VPN tunnel fails.
The firewall incoming_traffic_eth1_400 with the rule 10 applied on the sub-interface eth1.400 in the incoming direction blocks traffic with source IP address from the subnet 192.168.4.0/24 to the subnet 192.168.2.0/24. Similarly, the firewall incoming_traffic_eth1_200 with the rule 10 applied on the sub-interface eth1.200 in the incoming direction blocks traffic with source IP address from the subnet 192.168.2.0/24 to the subnet 192.168.4.0/24.