Hello, I am an existing VyattaOS user, expecting to upgrade to VyOS soon, and am in the medical business. One of my cloud application servers needs to share TCP data with a client’s application server. I also have a self-configured Vyatta (mendocino) device in the same cloud as my application server. The client has a Cisco router. I am trying to do my initial Vyatta set-up. I am my own Information Technology department and am not formally trained in IT, but I have worked some with Vyatta commands and can usually pick up concepts reasonably quickly, with guidance.
Conditions (values are sanitized):
- Data is Protected Health Information (PHI), so we need to encrypt, etc; so we plan to use site-to-site VPN.
- The client’s server application and my server application (both DICOM [Digital Communication in Medicine] nodes) both require the peer/remote application’s IP address and port to be entered into the local application’s configuration file. Only messages from known/configured IP addresses/ports are allowed into the application.
- My router’s public IP is 220.127.116.11
- My application server’s public IP is 18.104.22.168
- Gateway of these public IPs is 22.214.171.124
- My router has a few private IPs: 10.0.24.46-49.
- My application server’s private IP is 10.0.24.9. Port is 11112.
- Gateway of the private IPs in #6 and #7 is 10.0.24.1.
- My client has told me that his public IP is 10.11.12.13.
- The client has told me that his private IP is 172.17.7.0/24.
- Our pre-shared secret is password.
- My client has indicated an added restriction, which I do not understand: “Also you will need to setup ACLs on your device to disallow traffic to our Office LAN at our suburban location.”
- Via the VPN, I need to access only the client’s application server; I don’t need to reach any other locations on his private LAN.
- Likewise, I want the client to be able to reach only my application server IP and no other locations on my private LAN.
- I need to be able to give the client the correct IP and port for him to configure his application server properly. I think (?) that the correct IP for me to give him, if I am using NAT, may be one of the available private IPs on my router, instead of the private IP of my application server?
- And he will eventually need to give me the correct IP and port for me to insert into my application server’s config.
I would appreciate the community’s advice on proper/ideal configuration. In particular, I suspect that, in addition to site-to-site VPN, I will need NAT and firewall functionality. But I’m not sure of this necessity and am (especially) unfamiliar with configuring these items. I am also unfamiliar with the proper configuration of local-subnet and remote-subnet in the VPN tunnel. Hence the question marks scattered through my attached config.
I hope I have included enough information for you all to suggest a configuration. I have attached a sanitized config.boot that demonstrates my work up to this point.
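An added example configuration for the scenario above, written by the editor rather than taken from the original post or from the VyOS project, in VyOS 1.1 `set` syntax (Vyatta 6.x used `local subnet`/`remote subnet` where VyOS 1.1 uses `local prefix`/`remote prefix`) and using the sanitized values from the post. It assumes eth0 carries the public address 220.127.116.11 and eth1 carries 10.0.24.46/24, that the client’s DICOM server sits somewhere inside 172.17.7.0/24 (its exact address is not in the post), and that the IKE/ESP proposals shown are what the client’s Cisco is configured with; because the tunnel selector is the application server’s own /32, no NAT is involved and the address to give the client is 10.0.24.9, while restricting the remote prefix to the client’s server subnet (and the firewall rules) keeps traffic away from any other client LAN.

```vyos
# Assumed interface layout (not stated in the post):
#   eth0 = public side (220.127.116.11), eth1 = private side (10.0.24.46/24)

# --- IPsec site-to-site to the client's Cisco ---
# Proposals are assumptions; they must match what the client configures.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-CLIENT proposal 1 encryption aes256
set vpn ipsec ike-group IKE-CLIENT proposal 1 hash sha256
set vpn ipsec ike-group IKE-CLIENT proposal 1 dh-group 14
set vpn ipsec ike-group IKE-CLIENT lifetime 28800
set vpn ipsec esp-group ESP-CLIENT proposal 1 encryption aes256
set vpn ipsec esp-group ESP-CLIENT proposal 1 hash sha256
set vpn ipsec esp-group ESP-CLIENT pfs dh-group14
set vpn ipsec esp-group ESP-CLIENT lifetime 3600
set vpn ipsec site-to-site peer 10.11.12.13 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.11.12.13 authentication pre-shared-secret password
set vpn ipsec site-to-site peer 10.11.12.13 ike-group IKE-CLIENT
set vpn ipsec site-to-site peer 10.11.12.13 local-address 220.127.116.11
set vpn ipsec site-to-site peer 10.11.12.13 tunnel 0 esp-group ESP-CLIENT
# local prefix = only the application server; remote prefix = the client's server subnet.
set vpn ipsec site-to-site peer 10.11.12.13 tunnel 0 local prefix 10.0.24.9/32
set vpn ipsec site-to-site peer 10.11.12.13 tunnel 0 remote prefix 172.17.7.0/24

# --- Inbound from the tunnel (eth0 in): only DICOM to the application server ---
set firewall name FROM-CLIENT default-action drop
set firewall name FROM-CLIENT rule 10 action accept
set firewall name FROM-CLIENT rule 10 state established enable
set firewall name FROM-CLIENT rule 10 state related enable
set firewall name FROM-CLIENT rule 20 action accept
set firewall name FROM-CLIENT rule 20 ipsec match-ipsec
set firewall name FROM-CLIENT rule 20 protocol tcp
# Narrow the source to the client's server /32 once he provides that address.
set firewall name FROM-CLIENT rule 20 source address 172.17.7.0/24
set firewall name FROM-CLIENT rule 20 destination address 10.0.24.9
set firewall name FROM-CLIENT rule 20 destination port 11112
set interfaces ethernet eth0 firewall in name FROM-CLIENT

# --- Outbound from the LAN (eth1 in): only the application server may reach the client ---
set firewall name TO-CLIENT default-action accept
set firewall name TO-CLIENT rule 10 action accept
set firewall name TO-CLIENT rule 10 source address 10.0.24.9
set firewall name TO-CLIENT rule 10 destination address 172.17.7.0/24
set firewall name TO-CLIENT rule 20 action drop
set firewall name TO-CLIENT rule 20 destination address 172.17.7.0/24
set interfaces ethernet eth1 firewall in name TO-CLIENT
```

Because the application server’s default gateway is 10.0.24.1 rather than the Vyatta, it also needs a static route for 172.17.7.0/24 via 10.0.24.46 or the return traffic never reaches the tunnel; `show vpn ipsec sa` after `commit` confirms the SA came up with the expected selectors.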