Tuesday, May 1, 2018

VPN net 2 Net with Edgerouter

Network topology is shown below and the following interfaces are in use on the EdgeRouters:
ER-R
  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vtun0 - 10.255.12.1/32
ER-L
  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24
  • vtun0 - 10.255.12.2/32
[Figure: network topology (topology_new.png)]

OpenVPN Site-to-Site

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.
CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Generate the 2048 bit shared secret on ER-R.
generate vpn openvpn-key /config/auth/secret
2. Display the shared secret and copy the output to a text file.
sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----
3. Log in to ER-L and copy the contents of the shared secret to a new file in the /config/auth directory.
sudo cat > /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48fc8ac5b96655a08e041de6263a4e7b
<output shortened>
-----END OpenVPN Static key V1-----
4. Use CTRL-D to save the file.
5. Change the file permissions and set the owner to the root user.
sudo chmod 600 /config/auth/secret
sudo chown root /config/auth/secret
6. Verify that the file is in the correct location and that it has the correct permissions.
ls -l /config/auth/
-rw------- 1 root vyattacf 636 Jan 1 13:00 secret
7. Log back into ER-R to continue the OpenVPN configuration.
8. Enter configuration mode.
configure
9. Add a firewall rule for the OpenVPN traffic to the local firewall policy.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
10. Create the OpenVPN virtual tunnel interface and define the local and remote ports.
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
11. Define the local and remote endpoints of the tunnel.
set interfaces openvpn vtun0 remote-host 192.0.2.1
set interfaces openvpn vtun0 local-host 203.0.113.1
12. Define the local and remote tunnel IP addresses.
set interfaces openvpn vtun0 local-address 10.255.12.1
set interfaces openvpn vtun0 remote-address 10.255.12.2
13. Link the shared secret to the virtual tunnel interface.
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
14. Create either static or dynamic routing entries for the remote subnet.
Static Routing
set protocols static interface-route 172.16.1.0/24 next-hop-interface vtun0
set protocols static interface-route 10.0.1.0/24 next-hop-interface vtun1
Dynamic routing using OSPF
set interfaces openvpn vtun0 ip ospf network point-to-point

set protocols ospf passive-interface default
set protocols ospf passive-interface-exclude vtun0
set protocols ospf parameters router-id 0.0.0.1
set protocols ospf area 0 network 10.255.12.1/32
set protocols ospf area 0 network 192.168.1.0/24
15. Tweak the OpenVPN options (see the OpenVPN manual for more information).
16. Commit the changes and save the configuration.
commit ; save

You can verify the VPN settings using the following commands from operational mode:
show firewall name WAN_LOCAL statistics
show interfaces
show interfaces openvpn detail
show openvpn status site-to-site
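The shared secret is the only thing authenticating the two tunnel endpoints, so a paste error while copying it to ER-L, or a key file left readable by other users, is the usual reason a site-to-site tunnel never comes up. The script below is an added example, not part of the original post and not an EdgeOS tool: it checks that a static key file carries the OpenVPN V1 markers, a 2048-bit body (16 lines of 32 hex characters), mode 600 and the expected owner, and prints a short fingerprint of the key body so the same value can be compared on ER-R and ER-L without displaying the key itself. It assumes GNU coreutils (stat, sha256sum, sed) as shipped on EdgeOS; the make_sample_key helper writes a constructed dummy key for trying the checks out and is not a real secret.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the OpenVPN
# static key file before it is linked with shared-secret-key-file.
# Assumes GNU coreutils (stat, sha256sum, sed) as present on EdgeOS.

# Extract the key body between the BEGIN/END markers, dropping the spaces
# and CR characters a terminal paste may add to each line.
key_body() {
    sed -n '/^-----BEGIN OpenVPN Static key V1-----/,/^-----END OpenVPN Static key V1-----/p' "$1" \
        | sed '1d;$d' | tr -d ' \r'
}

# Validate markers, body length, mode and owner of the key file.
# Arguments: path [expected owner, default root]. Prints one line per
# check and returns 0 only when every check passes.
check_static_key() {
    f="$1"
    want_owner="${2:-root}"
    rc=0

    if grep -q '^-----BEGIN OpenVPN Static key V1-----' "$f" \
       && grep -q '^-----END OpenVPN Static key V1-----' "$f"; then
        echo "ok   PEM markers present"
    else
        echo "FAIL PEM markers missing"; rc=1
    fi

    # A 2048-bit key is 256 bytes = 16 lines of 32 lowercase hex characters.
    body=$(key_body "$f")
    hexlines=$(printf '%s\n' "$body" | grep -c '^[0-9a-f]\{32\}$' || true)
    total=$(printf '%s\n' "$body" | grep -c . || true)
    if [ "$hexlines" -eq 16 ] && [ "$total" -eq 16 ]; then
        echo "ok   key body is 2048 bit"
    else
        echo "FAIL key body: $hexlines valid hex lines out of $total (want 16)"; rc=1
    fi

    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    if [ "$mode" = "600" ]; then
        echo "ok   mode 600"
    else
        echo "FAIL mode is $mode, expected 600"; rc=1
    fi
    if [ "$owner" = "$want_owner" ]; then
        echo "ok   owner $owner"
    else
        echo "FAIL owner is $owner, expected $want_owner"; rc=1
    fi
    return $rc
}

# Short fingerprint of the key body only, so comments and whitespace do not
# matter: equal values on ER-R and ER-L mean the copy was faithful.
key_fingerprint() {
    key_body "$1" | sha256sum | cut -c1-16
}

# Write a constructed dummy key (NOT a real secret) in the same layout as
# "generate vpn openvpn-key" produces, for trying the checks without a router.
make_sample_key() {
    out="$1"
    {
        printf '#\n# 2048 bit OpenVPN static key\n#\n'
        printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
        i=1
        while [ "$i" -le 16 ]; do
            printf '%032x\n' "$i"      # 32 hex chars per line, zero padded
            i=$((i + 1))
        done
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$out"
    chmod 600 "$out"
}
```

On a router, run the checks with sudo so the 0600 file can be read: `check_static_key /config/auth/secret` on both ER-R and ER-L should print only "ok" lines, and `key_fingerprint /config/auth/secret` should print the same value on both sides. A fingerprint mismatch means the key body differs (a dropped or altered line in the paste); a body check failure on one side usually means the paste was cut short.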
