I am a total newbie, sorry if this was discussed already. I am looking for a solution. We have an infrastructure hosted on aws and it connected to various partners. Basically we have 5 connections with openswan(ubuntu). I am looking for :
[list]
[]a robust and actively developed software VPN solution
[]a solution which supports active/passive high availability on aws where primary could be in availability zone A and it’s backup in availability zone B on stand by ready to step in should anything happen to primary/active
[]a solution that supports routing of public IP through the VPN (some partners won’t allow private IP as encryption domain, only public one. Vyos should know how to forward packet to correct destination translating public IP to internal IP)
[]a solution that exposes any API for remote interaction should we auto restart a tunnel
[/list]Before I dive in I wanted to find out if all listed above is possible with VyOS in aws.I kept saying AWS because I did similar search with openVPN and the active/passive scenario wasn’t possible because AWS doesn’t allow ucarp traffic
Thanks a lot for replying. I really appreciate it. Let me provide more clarification
[list]
[]a robust and actively developed software VPN solution
[This I already know based on activity on this forum][]a solution which supports active/passive high availability on aws where primary could be in availability zone A and it’s backup in availability zone B on stand by ready to step in should anything happen to primary/active
[Assuming I setup vyos on aws, I am thinking of having 2 instances running while one is primary and in use for VPN tunneling to partners infrastructure, while the other is waiting for primary to go down to step in. Both are obviously syncing configuration or I would have manually make sure they are identical in terms of configuration. That’s a high level scenario][]a solution that supports routing of public IP through the VPN (some partners won’t allow private IP as encryption domain, only public one. Vyos should know how to forward packet to correct destination translating public IP to internal IP) [Some partners instead of allowing encryption domain to be of local IP 192.x.x.x, 172.x.x.x,10.x.xx.x would use public IPs as encryption domain ei 80.x.x.x ,196.x.x.x. For example my encryption domain is 10.10.1.20 with EIP 52.x.x.x and 10.10.20.30 with EIP 54.x.x.x, my partner encryption domain is 172.20.0.10 with IP 80.x.x.x. So to send packet to partner is has to come from EIP 52.x.x.x or 54.x.x.x and vice versa, if packet coming from 80.x.x.x to 52.x.x.x is has to be routed to 10.10.1.20 ]
[]a solution that exposes any API for remote interaction should we auto restart a tunnel
[Basically, I need a way to monitor tunnel and refresh/restart it][/list]
For HA described by you, you will likely need to use BGP.
For public ips as ED i think it’s possible via dummy/loopback interfaces
For automation you can use Ansible(it support VyOS) or we have python library
Agree with Syncer…you can use BGP with secure GRE tunnels or VTI. We have done the automation of building such links with BGP and GRE tunnels etc. as well as integration with AWS and Azure using our netorc platform. You can check it out for free as its on trial at www.wanclouds.net
Thanks for your help and for pointing me to the right direction. I have started my adoption of the VyOS for VPN purpose and I must say I love it. I have also been able create some posts about it on my blog mycodingpains.com
That’s for basic usage. Today I am trying out the scenario of using it with local prefix being a public IP. But it actually seems not to be working well. Below is my config
dummy dum0 {
address 13.a.b.c/32
}
ethernet eth0 {
address dhcp
duplex auto
hw-id 02:c3:8f:2d:01:e1
smp_affinity auto
speed auto
}
loopback lo {
}[/code]
This VyOS is on AWS and the setup is very similar as the one mentioned on my blog. I am not too sure why I am getting the following error. I am in the known that I needed to create an SNAT and a DNAT but I am sure it’s not related to the tunnel coming up in the first place.
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4020 {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-2" #4026: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4021 {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-3" #4027: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4022 {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4028: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4024: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4024: received Delete SA payload: deleting ISAKMP State #4024
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4028: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4028: starting keying attempt 2 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: initiating Main Mode
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-3" #4027: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-3" #4027: starting keying attempt 45 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-2" #4026: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-2" #4026: starting keying attempt 67 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: starting keying attempt 68 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: received Vendor ID payload [RFC 3947]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: enabling possible NAT-traversal with method 3
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [Cisco-Unity]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: received Vendor ID payload [XAUTH]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [e37cf42cb1852f6bb990b18a166c0fe0]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: NAT-Traversal: Result using RFC 3947: i am NATed
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: received Vendor ID payload [Dead Peer Detection]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: Peer ID is ID_IPV4_ADDR: '154.c.b.a'
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ISAKMP SA established
I can’t seem to see where the problem is from I am still a newbie so a little enlightenment will be brutally beneficial . Lol I promise I will write a blog about this one too.
Best Regards
. Lol I promise I will write a blog about this one too.