Hub-and-Spoke Site-to-Site VPN with Vyatta and Cisco ASA


#1

Hello All,
I need to set up a VPN connection to enable 3 Remote Sites to independently establish a tunnel with a Central site. I will call them Remote_A, Remote_B and Remote_C. There will be no traffic between the remote sites.
The Central site endpoint device is a Vyatta whilst the remote site endpoints are all Cisco ASA devices.
Remote Site_A and Remote_B links will be used for data transfer to the Central site.
Remote_C link will be used to receive logs from the Central site.
Please can you advise whether to use a Hub-and-Spoke Site-to-Site VPN topology or just plain site-to-site. By plain site-to-site, I mean setting up 3 independent site-to-site tunnels?
If I am to use a Hub-and-Spoke Site-to-Site VPN topology, can you please share a sample config?
Many thanks


#2

Hi there,

So what you can do is create a GRE tunnel, and then wrap it into an IPSEC tunnel to secure the traffic.

I have this configuration at the moment for a HUB-SPOKE configuration. I’ll log into our VyOS device later tonight and grab the configuration for you.

I don’t use Ciscos, but you can grab a copy of the config from somewhere and adapt it.


#3

dtakeshi,
Many thanks for the offer.
Looking forward to the config.


#4

Hi @Brambler ,

So what I did was create an IP-in-IP tunnel from each site to my data center, then wrapped it up in an IPSEC VPN tunnel.

[IP in IP Tunnel]

edit interfaces
set tunnel tun0 address '192.168.1.2/30'
set tunnel tun0 encapsulation 'ipip'
set tunnel tun0 local-ip 'external-ip-of-branch-router'
set tunnel tun0 mtu '1420'
set tunnel tun0 multicast 'disable'
set tunnel tun0 remote-ip 'external-ip-of-dc-router'
top

[VPN Configuration]

edit vpn ipsec
set ipsec-interfaces interface 'eth0'

set esp-group anyname compression 'disable'
set esp-group anyname lifetime '3600'
set esp-group anyname mode 'transport'
set esp-group anyname pfs 'disable'
set esp-group anyname proposal 1 encryption 'aes256'
set esp-group anyname proposal 1 hash 'sha256'

set ike-group anyname ikev2-reauth 'no'
set ike-group anyname key-exchange 'ikev1'
set ike-group anyname lifetime '3600'
set ike-group anyname proposal 1 dh-group '2'
set ike-group anyname proposal 1 encryption 'aes256'
set ike-group anyname proposal 1 hash 'sha256'

set site-to-site peer external-ip-of-dc-router authentication mode 'pre-shared-secret'
set site-to-site peer external-ip-of-dc-router authentication pre-shared-secret 'super-strong-secret'
set site-to-site peer external-ip-of-dc-router connection-type 'initiate'
set site-to-site peer external-ip-of-dc-router default-esp-group 'anyname'
set site-to-site peer external-ip-of-dc-router ike-group 'anyname'
set site-to-site peer external-ip-of-dc-router ikev2-reauth 'inherit'
set site-to-site peer external-ip-of-dc-router local-address 'external-ip-of-branch-router'
set site-to-site peer external-ip-of-dc-router tunnel 0 allow-nat-networks 'disable'
set site-to-site peer external-ip-of-dc-router tunnel 0 allow-public-networks 'disable'
set site-to-site peer external-ip-of-dc-router tunnel 0 protocol 'all'
top

My data center router is running on a different OS so I can’t show you that configuration. But if you are running VyOS everywhere, then you should almost be able to just substitute and make the required changes.

Also, to advertise all the different routes between the DC and all my remote sites, I use iBGP to advertise routes between each remote site and the data center. I then use BGP on the data center router to re-advertise the other remote sites’ routes back out again, so that each site can still communicate via the data center. For me this means there is only ever a single tunnel coming out of each remote site, which makes it easier to manage.

If you need help, just shoot me an email or message, and I’ll be able to do that.

P.S. I’ve given you my configuration in the format that will allow you to simply change a few values and then paste it into your router.
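As an added example (not from the thread or from VyOS itself), here is a small Python linter that walks the edit/set/top lines of a VyOS config like the one above and flags IKE/ESP settings a defender would want to revisit before deploying: PFS disabled, IKEv1, and a small DH group. The sample config is constructed from the posted snippet; the set of weak DH groups and the finding messages are my assumptions.

```python
# Constructed sample: a trimmed copy of the branch config posted above,
# including its 'edit vpn ipsec' / 'top' context lines.
SAMPLE_CONFIG = """\
edit vpn ipsec
set esp-group anyname pfs 'disable'
set esp-group anyname proposal 1 encryption 'aes256'
set ike-group anyname key-exchange 'ikev1'
set ike-group anyname proposal 1 dh-group '2'
set ike-group anyname proposal 1 encryption 'aes256'
set ike-group anyname proposal 1 hash 'sha256'
top
"""

# Assumption: MODP groups 1, 2 and 5 (768/1024/1536-bit) are treated as weak.
WEAK_DH_GROUPS = {"1", "2", "5"}


def expand_set_lines(text):
    """Resolve 'edit <ctx>' / 'top' so every 'set' becomes a full path list."""
    ctx, paths = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "edit":
            ctx = ctx + parts[1:]          # descend into a sub-tree
        elif parts[0] == "top":
            ctx = []                       # back to the root
        elif parts[0] == "set":
            # strip the quotes VyOS puts around values
            paths.append(ctx + [p.strip("'\"") for p in parts[1:]])
    return paths


def lint_ipsec(text):
    """Return a list of findings about weak IKE/ESP settings in a VyOS config."""
    findings = []
    for path in expand_set_lines(text):
        if path[:2] != ["vpn", "ipsec"] or len(path) < 5:
            continue
        group, val = path[3], path[-1]     # e.g. 'anyname', 'disable'
        if "esp-group" in path and "pfs" in path and val == "disable":
            findings.append(f"esp-group {group}: PFS disabled; a leaked IKE key exposes recorded ESP traffic")
        if "ike-group" in path and "key-exchange" in path and val == "ikev1":
            findings.append(f"ike-group {group}: IKEv1 in use; prefer IKEv2")
        if "ike-group" in path and "dh-group" in path and val in WEAK_DH_GROUPS:
            findings.append(f"ike-group {group}: dh-group {val} is below 2048-bit; use 14 or higher")
    return findings
```

Run lint_ipsec on the full text of a branch or hub config before committing it; an empty list means none of the three checks fired.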


#5

Also note that if you cannot create IPIP tunnels on your Cisco, you can also create GRE tunnels. They are done exactly the same, except for the tunnel encapsulation, you simply change that to gre as opposed to ipip.