Situation
I have to bring up a VPN connection between two sites on the network. The server room, it turned out, already had security gateways: C-Terra Gateway version 4.2. The scheme is simple, and the vendor even publishes a recommended configuration script. But... the vendor script uses three network interfaces, and my gateways only have two.
I brew coffee, recall my CCNA and make do with what I have: free ports on the managed switches.
My network
My network is two geographically separated sites in one broadcast domain. Address space: 10.10.205.0/24:
I have two security gateways, C-Terra Gateway version 4.2, with the C-Terra L2 package.
About the C-Terra L2 package
The package allows you to switch one or more gateway interfaces into PROMISC mode. The PROMISC interface intercepts data link frames, and C-Terra L2 encapsulates them in UDP.
Then UDP packets are encrypted (encapsulated in ESP). This creates an L2-over-L3 VPN connection. C-Terra L2 is preinstalled on all Security Gateways and is activated with a separate license.
In the recommended scenario, Security Gateways are located at the edge of the network, and a separate interface is allocated for management:
To make it easier to describe the interfaces:
- Gi0/0 - PROMISC interfaces;
- Gi0/1 - L3 WAN interfaces;
- Gi0/2 - dedicated management interfaces.
I understand that I will have to manage the second security gateway through the VPN tunnel.
Decision
The first mug of coffee ran out while I was reading about 802.1Q on Habr and recalling my CCNA. The second mug went cold (I will reheat it in the microwave) while I was re-cabling the equipment as shown in the figure:
I distinguish three types of traffic:
- Main traffic between R1 and R2 devices. I will designate it as BULK DATA and put it in VLAN 205. BULK DATA must be encrypted before transmission between sites;
- Gateway management traffic - MGMT. I will take it to VLAN 10. MGMT traffic to the gateway at the remote site must be encrypted;
- BULK DATA and MGMT after encryption I will designate as ESP DATA and put it in VLAN 100.
According to my estimates, the BULK DATA / ESP DATA transmission on the network will look like this (green lines represent unencrypted traffic, red - encrypted traffic):
MGMT transmission for gateway control at the local site:
MGMT / ESP DATA transmission for gateway control at the remote site:
Setup in 5 steps
Step 1. Dealing with BULK DATA
I select a separate VLAN 205 for BULK DATA. For this, I put the Gi0/2 interfaces of SW1 and SW2 into access mode with VLAN 205:
sw1(config)#
interface gi0/2
description BULK_TO_R1
switchport access vlan 205
no shutdown
sw2(config)#
interface gi0/2
description BULK_TO_R2
switchport access vlan 205
no shutdown
I make the Gi0/0 interfaces of gateways GW1 and GW2 PROMISC interfaces. To deliver BULK DATA to the PROMISC interface, I configure a trunk towards it:
sw1(config)#
interface gi0/0
description LINK_TO_PROMISC_GW1
switchport mode trunk
switchport trunk allowed vlan 205
switchport trunk encapsulation dot1q
no shutdown
sw2(config)#
interface gi0/0
description LINK_TO_PROMISC_GW2
switchport mode trunk
switchport trunk allowed vlan 205
switchport trunk encapsulation dot1q
no shutdown
Step 2. Dealing with local MGMT
According to the plan, MGMT traffic is carried in VLAN 10. Address space for VLAN 10: 10.76.76.128/28.
On the SW1 and SW2 device, I create vlan10 virtual interfaces:
sw1(config)#
interface vlan10
ip address 10.76.76.129 255.255.255.240
no shutdown
sw2(config)#
interface vlan10
ip address 10.76.76.142 255.255.255.240
no shutdown
I make VLAN 10 the native VLAN so that I do not have to configure 802.1Q on the gateway's management-facing interface (it receives MGMT untagged):
sw1(config)#
interface gi0/1
description LINK_TO_WAN_GW1
switchport mode trunk
switchport trunk allowed vlan 10
switchport trunk native vlan 10
switchport trunk encapsulation dot1q
no shutdown
sw2(config)#
interface gi0/1
description LINK_TO_WAN_GW2
switchport mode trunk
switchport trunk allowed vlan 10
switchport trunk native vlan 10
switchport trunk encapsulation dot1q
no shutdown
Configuring the Gi0/1 interfaces of the security gateways:
GW1(config)#
interface gi0/1
ip address 10.76.76.137 255.255.255.240
no shutdown
GW2(config)#
interface gi0/1
ip address 10.76.76.138 255.255.255.240
no shutdown
Now GW1 is available via SSH from SW1 device:
sw1#ssh -l root 10.76.76.137
Password:
S-Terra Gate 4.2.18201 (amd64)
root@GW1~#
Similarly, GW2 is accessible via SSH from the SW2 device:
sw2#ssh -l root 10.76.76.138
Password:
S-Terra Gate 4.2.18201 (amd64)
root@GW2~#
Nice, poured another cup of coffee.
Step 3. Dealing with MGMT to the gateway at the remote site
MGMT traffic to the gateway at the remote site must be encrypted. To achieve this, I push VLAN 10 through the VPN: all traffic intercepted on the PROMISC interface enters the VPN tunnel, so I simply add VLAN 10 to the trunk towards the PROMISC interface:
sw1(config)#
interface gi0/0
description LINK_TO_PROMISC_GW1
switchport trunk allowed vlan 10,205
sw2(config)#
interface gi0/0
description LINK_TO_PROMISC_GW2
switchport trunk allowed vlan 10,205
Don't waste half an hour troubleshooting!
The PROMISC interface must not receive ESP DATA (otherwise the gateway captures its own ciphertext and pushes it into the tunnel again), so it is important to exclude VLAN 100 from the LINK_TO_PROMISC_GW1 and LINK_TO_PROMISC_GW2 trunks. If you allow a wide range instead of listing VLANs explicitly, exclude VLAN 100 from it:
switchport trunk allowed vlan 1-99,101-4094
Step 4. Getting to ESP DATA
I put ESP DATA into VLAN 100 on the GW1 and GW2 gateways. Address space for VLAN 100: 192.168.10.0/30.
To do this, on the WAN interface Gi0/1 of gateways GW1 and GW2, I create an 802.1Q subinterface Gi0/1.100.
Outgoing traffic from this subinterface will belong to VLAN 100:
GW1(config)#
interface gi0/1.100
ip address 192.168.10.1 255.255.255.252
no shutdown
GW2(config)#
interface gi0/1.100
ip address 192.168.10.2 255.255.255.252
no shutdown
I allow passage of VLAN 100 to trunk LINK_TO_WAN_GW1 and LINK_TO_WAN_GW2:
sw1(config)#
interface gi0/1
description LINK_TO_WAN_GW1
switchport trunk allowed vlan 10,100
sw2(config)#
interface gi0/1
description LINK_TO_WAN_GW2
switchport trunk allowed vlan 10,100
The link between devices SW1 and SW2 must also transmit tagged VLAN 100 traffic:
sw1(config)#
interface gi0/3
description LINK_TO_SW2
switchport mode trunk
switchport trunk allowed vlan 100
switchport trunk encapsulation dot1q
no shutdown
sw2(config)#
interface gi0/3
description LINK_TO_SW1
switchport mode trunk
switchport trunk allowed vlan 100
switchport trunk encapsulation dot1q
no shutdown
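The VLAN plan built up in Steps 1-4 has a few invariants that decide whether the scheme is secure: the PROMISC trunk carries every VLAN that must be encrypted and never VLAN 100, the inter-switch link carries VLAN 100 only, and the WAN trunk delivers MGMT untagged (native) and ESP DATA tagged. The following Python script is an added example (not code from the article or from the vendor) that parses a constructed excerpt of SW1's switch configuration in the IOS syntax used above and reports any violation of those invariants, including the "half an hour of troubleshooting" case from Step 3. The interface descriptions (LINK_TO_PROMISC_*, LINK_TO_WAN_*, LINK_TO_SW*) are the article's own naming; the script assumes they are present and uses them to identify each port's role.

```python
import re
from typing import Dict, List, Set

BULK_VLAN, MGMT_VLAN, ESP_VLAN = 205, 10, 100

# Constructed excerpt of SW1's configuration as it stands after Steps 1-4
# (only the lines that matter for the VLAN plan are reproduced).
SW1_CONFIG = """
interface gi0/2
 description BULK_TO_R1
 switchport access vlan 205
interface gi0/0
 description LINK_TO_PROMISC_GW1
 switchport mode trunk
 switchport trunk allowed vlan 10,205
interface gi0/1
 description LINK_TO_WAN_GW1
 switchport mode trunk
 switchport trunk allowed vlan 10,100
 switchport trunk native vlan 10
interface gi0/3
 description LINK_TO_SW2
 switchport mode trunk
 switchport trunk allowed vlan 100
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1-99,101-4094' or '10,205' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map interface name -> description, VLANs it carries, native VLAN (trunks only)."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"description": "", "vlans": set(), "native": None}
            interfaces[line.split(None, 1)[1]] = current
        elif current is None:
            continue
        elif line.startswith("description "):
            current["description"] = line.split(None, 1)[1]
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            current["vlans"] = {int(m.group(1))}
        elif m := re.fullmatch(r"switchport trunk allowed vlan (.+)", line):
            current["vlans"] = expand_vlan_list(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            current["native"] = int(m.group(1))
    return interfaces


def check_vlan_plan(config: str) -> List[str]:
    """Return the invariants of the VLAN plan that this switch config violates (empty = OK)."""
    by_desc = {i["description"]: i for i in parse_interfaces(config).values()}

    def find(prefix: str) -> dict:
        # Port roles are taken from the article's description naming convention.
        return next(i for d, i in by_desc.items() if d.startswith(prefix))

    promisc, wan, isl = find("LINK_TO_PROMISC"), find("LINK_TO_WAN"), find("LINK_TO_SW")
    problems: List[str] = []
    # The PROMISC port must never see ESP DATA: the gateway would capture its own
    # ciphertext and push it into the tunnel a second time.
    if ESP_VLAN in promisc["vlans"]:
        problems.append(f"PROMISC trunk carries VLAN {ESP_VLAN} (ESP DATA)")
    # Both kinds of traffic that must be encrypted have to reach the PROMISC port.
    for vid, name in ((BULK_VLAN, "BULK DATA"), (MGMT_VLAN, "MGMT")):
        if vid not in promisc["vlans"]:
            problems.append(f"PROMISC trunk is missing VLAN {vid} ({name})")
    # The inter-switch link may carry only ESP DATA; any other VLAN crosses
    # the site boundary in the clear, bypassing the VPN entirely.
    cleartext = sorted(isl["vlans"] - {ESP_VLAN})
    if cleartext:
        problems.append(f"inter-switch link carries cleartext VLANs {cleartext}")
    # MGMT reaches the gateway untagged (VLAN 10 is native on the WAN trunk) and
    # ESP DATA arrives tagged for the Gi0/1.100 subinterface.
    if wan["native"] != MGMT_VLAN:
        problems.append(f"WAN trunk native VLAN is {wan['native']}, expected {MGMT_VLAN}")
    if ESP_VLAN not in wan["vlans"]:
        problems.append(f"WAN trunk does not allow VLAN {ESP_VLAN} (ESP DATA)")
    return problems


if __name__ == "__main__":
    for problem in check_vlan_plan(SW1_CONFIG) or ["VLAN plan OK"]:
        print(problem)
```

Run it against the running-config of each switch before bringing the tunnel up; the same checks apply to SW2 with the GW2 descriptions. The inter-switch check is the one that matters most from a confidentiality standpoint: a single stray `allowed vlan add 205` on LINK_TO_SW2 would let BULK DATA reach the other site unencrypted while the tunnel still shows as up.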
Step 5. Configuring C-Terra L2 and IPsec VPN with GOST
C-Terra L2 is configured in the operating system using the configuration file /opt/VPNagent/etc/l2.conf. For GW1:
vif tap0
bridge br0
capture eth0
remote 192.168.10.2
mssfix 1400
passtos
where capture eth0 selects the PROMISC interface, and remote 192.168.10.2 is the IP address of the IPsec peer (the Gi0/1.100 interface of gateway GW2).
For GW2:
vif tap0
bridge br0
capture eth0
remote 192.168.10.1
mssfix 1400
passtos
Configuring the IKE/IPsec parameters. For GW1:
The gateways will use hostnames as identifiers and a pre-shared key for authentication (the vendor's rules of use require digital certificates for authentication; I will change this later):
GW1(config)#
crypto isakmp identity hostname
ip host GW2 192.168.10.2
crypto isakmp key KEY hostname GW2
Configuring the dead peer detection (DPD) parameters:
GW1(config)#
crypto isakmp keepalive 10 2
crypto isakmp keepalive retry-count 5
I set the IPsec Phase I parameters:
GW1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2
I set the parameters for IPsec Phase II:
GW1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel
Since the frames intercepted on the PROMISC interface are encapsulated by C-Terra L2 in UDP, the access list that selects traffic for encryption simply matches UDP between the two peer addresses:
GW1(config)#
ip access-list extended LIST
permit udp host 192.168.10.1 host 192.168.10.2
I create a crypto map and bind it to Gi0/1.100:
GW1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 192.168.10.2
interface gi0/1.100
crypto map CMAP
I specify the default route through the IP address of the IPsec peer:
GW1(config)#
ip route 0.0.0.0 0.0.0.0 192.168.10.2
GW2 gateway configuration:
GW2(config)#
crypto isakmp identity hostname
ip host GW1 192.168.10.1
crypto isakmp key KEY hostname GW1
crypto isakmp keepalive 10 2
crypto isakmp keepalive retry-count 5
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel
ip access-list extended LIST
permit udp host 192.168.10.2 host 192.168.10.1
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 192.168.10.1
interface gi0/1.100
crypto map CMAP
ip route 0.0.0.0 0.0.0.0 192.168.10.1
Did it work?
From device R1, I ping R2:
R1#ping 10.10.205.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.205.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
R2 answers the ICMP echo. How? I look at the ARP tables of R1 and R2:
R1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.205.1 - aabb.cc00.5020 ARPA GigabitEthernet0/2
Internet 10.10.205.2 54 aabb.cc00.6020 ARPA GigabitEthernet0/2
R2#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.205.1 52 aabb.cc00.5020 ARPA GigabitEthernet0/2
Internet 10.10.205.2 - aabb.cc00.6020 ARPA GigabitEthernet0/2
R1 and R2 believe they are in the same broadcast domain.
SW1 and SW2 believe they are connected to each other by two links (the tunnel is transparent to CDP):
sw1#show cdp neighbors
Device ID Local Intrfce Holdtme Capability Platform Port ID
sw2 Gi0/0 146 R S I Linux Uni Gi0/0
sw2 Gi0/3 146 R S I Linux Uni Gi0/3
R1 Gi0/2 156 R B Linux Uni Gi0/2
sw2#show cdp neighbors
Device ID Local Intrfce Holdtme Capability Platform Port ID
sw1 Gi0/0 140 R S I Linux Uni Gi0/0
sw1 Gi0/3 140 R S I Linux Uni Gi0/3
R2 Gi0/2 156 R B Linux Uni Gi0/2
Trying to connect to GW2 via SSH from SW1 device:
sw1#ssh -l root 10.76.76.138
Password:
S-Terra Gate 4.2.18201 (amd64)
root@GW2~#
Conclusion: sites 1 and 2 are transparently joined into a single broadcast domain. Now I check that the channel is actually encrypted:
IPsec tunnel statistics on the GW1 device:
root@GW1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (192.168.10.1,500)-(192.168.10.2,500) active 31378 31502
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.10.1,*)-(192.168.10.2,*) 17 ESP tunn 508224 27672
An IPsec tunnel was established between 192.168.10.1 and 192.168.10.2.
I verified that only ESP traffic crosses between SW1 and SW2, not counting STP. Here is a traffic dump from the gi0/3 interface of SW1:
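The check just described, "nothing but ESP in VLAN 100 and STP on the inter-switch link", is the one that proves the design rather than the tunnel counters, so it is worth automating against a capture. The following Python script is an added example (not code from the article or from the vendor): a minimal Ethernet/802.1Q/IPv4 parser that labels each frame and lists every frame that is neither ESP in VLAN 100 nor an STP BPDU. The sample frames are constructed inline (MAC addresses are invented; IP addresses follow the article's plan), so it runs offline; on a real capture you would feed it the raw frames from a pcap reader of your choice.

```python
import struct
from ipaddress import IPv4Address
from typing import List, Optional

ESP_VLAN = 100                               # the only VLAN allowed between the sites
IPPROTO_ESP = 50
BPDU_MAC = bytes.fromhex("0180c2000000")     # STP multicast destination


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Constructed Ethernet frame, 802.1Q-tagged (PCP 0) when vlan is given."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet without options; checksum left 0 (not verified here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def classify(frame: bytes) -> str:
    """Label a frame seen on the inter-switch link by what it carries and where."""
    dst = frame[:6]
    vid: Optional[int] = None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100:                  # 802.1Q tag: VID in the low 12 bits
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    where = "untagged" if vid is None else f"vlan {vid}"
    if dst == BPDU_MAC and ethertype <= 0x05DC:   # 802.3 length field, not an EtherType
        return "stp"
    if ethertype == 0x0800:
        proto = frame[offset + 9]            # IPv4 protocol byte
        if proto == IPPROTO_ESP:
            return "esp" if vid == ESP_VLAN else f"esp in unexpected {where}"
        return f"cleartext ipv4 proto {proto} in {where}"
    if ethertype == 0x0806:
        return f"cleartext arp in {where}"
    return f"other ethertype 0x{ethertype:04x} in {where}"


def find_leaks(frames: List[bytes]) -> List[str]:
    """Everything on the inter-site link that is neither ESP in VLAN 100 nor STP."""
    return [label for label in map(classify, frames) if label not in ("esp", "stp")]


# Constructed sample capture from SW1 gi0/3 (MACs invented, addresses from the plan).
GW1_MAC = bytes.fromhex("aabbcc000101")
GW2_MAC = bytes.fromhex("aabbcc000201")
R1_MAC = bytes.fromhex("aabbcc005020")
R2_MAC = bytes.fromhex("aabbcc006020")
SW1_MAC = bytes.fromhex("aabbcc000301")

# ESP between the Gi0/1.100 addresses: SPI, sequence number, opaque ciphertext.
ESP_FRAME = build_frame(GW2_MAC, GW1_MAC, 0x0800,
                        build_ipv4("192.168.10.1", "192.168.10.2", IPPROTO_ESP,
                                   struct.pack("!II", 0x0000A1B2, 7) + bytes(32)),
                        vlan=ESP_VLAN)
# Untagged STP BPDU: 802.3 length 38, LLC DSAP/SSAP 0x42, then a zeroed BPDU body.
STP_BPDU = build_frame(BPDU_MAC, SW1_MAC, 0x0026, bytes.fromhex("424203") + bytes(35))
# What must never appear here: R1's ICMP echo to R2 in VLAN 205, in the clear.
LEAKED_PING = build_frame(R2_MAC, R1_MAC, 0x0800,
                          build_ipv4("10.10.205.1", "10.10.205.2", 1,
                                     bytes.fromhex("0800f7ff00000000")),
                          vlan=205)

GOOD_CAPTURE = [ESP_FRAME, STP_BPDU, ESP_FRAME]
BAD_CAPTURE = [ESP_FRAME, LEAKED_PING, STP_BPDU]

if __name__ == "__main__":
    print("good capture leaks:", find_leaks(GOOD_CAPTURE))
    print("bad capture leaks: ", find_leaks(BAD_CAPTURE))
```

An empty result from find_leaks over a few minutes of traffic, taken while R1 is pinging R2 and while the remote gateway is being managed over SSH, is the evidence that BULK DATA and MGMT really travel only inside ESP. Anything in VLAN 205 or VLAN 10, or untagged IP, on this link means a trunk on one of the switches allows more than the plan intends.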
In the end
I drank three cups of coffee and then did not sleep all night, but I did not have to buy new hardware or upgrade. Maybe the upgrade would have been worth it: in version 4.3 the vendor has refined the L2 functionality. I am thinking of taking version 4.3 for testing.
Anonymous engineer
t.me/anonimous_engineer