802.1Q for GOST L2VPN management, or how to save money on software updates





Situation



I need to bring up a VPN connection between two sites on the network. Two S-Terra Gateway version 4.2 security gateways turned up in the server room. The scheme is simple, and the vendor has even published a recommended configuration script. But the vendor's script uses three network interfaces, and my gateways only have two.



I brew some coffee, dust off my CCNA and try to make do with what I have: free ports on the managed switches.



My network



My network is two geographically separated sites in one broadcast domain. Address space: 10.10.205.0/24:







I have two S-Terra Gateway version 4.2 security gateways with the S-Terra L2 package.

About the S-Terra L2 package



The package allows you to switch one or more gateway interfaces to PROMISC mode. The PROMISC interface intercepts data link frames, and S-Terra L2 encapsulates them in UDP.

The UDP packets are then encrypted (encapsulated in ESP). This creates an L2-over-L3 VPN connection. S-Terra L2 is preinstalled on all Security Gateways and is activated with a separate license.


In the recommended scenario, Security Gateways are located at the edge of the network, and a separate interface is allocated for management:







To make it easier to describe the interfaces:



  • Gi0/0 - PROMISC interfaces;
  • Gi0/1 - L3 WAN interfaces;
  • Gi0/2 - dedicated management interfaces. I understand that I have to manage the second security gateway through the VPN tunnel.


Solution



The first mug of coffee was finished while I was reading about 802.1Q on Habr and recalling my CCNA. The second mug went cold (I will reheat it in the microwave) while I was recabling the equipment as shown in the figure:







I distinguish three types of traffic:



  • The main traffic between devices R1 and R2. I designate it BULK DATA and put it in VLAN 205. BULK DATA must be encrypted before it is transmitted between the sites;
  • Gateway management traffic, MGMT. I put it in VLAN 10. MGMT traffic to the gateway at the remote site must be encrypted;
  • BULK DATA and MGMT after encryption I designate ESP DATA and put in VLAN 100.


According to my estimates, the BULK DATA / ESP DATA transmission on the network will look like this (green lines represent unencrypted traffic, red - encrypted traffic):







MGMT transmission for gateway control at the local site:







MGMT / ESP DATA transmission for gateway control at the remote site:







Setup in 5 steps



Step 1. Dealing with BULK DATA



I select a separate VLAN 205 for BULK DATA. For this, I set the Gi0/2 interfaces of SW1 and SW2 to access mode in VLAN 205:



sw1(config)#
interface gi0/2
  description BULK_TO_R1
  switchport access vlan 205
  no shutdown

sw2(config)#
interface gi0/2
  description BULK_TO_R2
  switchport access vlan 205
  no shutdown


I make the Gi0/0 interfaces of gateways GW1 and GW2 the PROMISC interfaces. To deliver BULK DATA to the PROMISC interface, I configure a trunk towards it:



sw1(config)#
interface gi0/0
  description LINK_TO_PROMISC_GW1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 205
  no shutdown

sw2(config)#
interface gi0/0
  description LINK_TO_PROMISC_GW2
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 205
  no shutdown






Step 2. Dealing with local MGMT



According to the plan, MGMT traffic is carried in VLAN 10. Address space for VLAN 10: 10.76.76.128/28.



On SW1 and SW2 I create the vlan10 virtual interfaces (SVIs):



sw1(config)#
interface vlan10
  ip address 10.76.76.129 255.255.255.240
  no shutdown 

sw2(config)#
interface vlan10
  ip address 10.76.76.142 255.255.255.240
  no shutdown


I make VLAN 10 the native VLAN on the trunk towards the gateway, so that MGMT arrives untagged and I don't have to configure an 802.1Q subinterface on the gateway for it:



sw1(config)#
interface gi0/1
  description LINK_TO_WAN_GW1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 10
  switchport trunk native vlan 10
  no shutdown

sw2(config)#
interface gi0/1
  description LINK_TO_WAN_GW2
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 10
  switchport trunk native vlan 10
  no shutdown






Configuring the Gi0/1 interfaces of the security gateways:



GW1(config)#
interface gi0/1
  ip address 10.76.76.137 255.255.255.240
  no shutdown

GW2(config)#
interface gi0/1
  ip address 10.76.76.138 255.255.255.240
  no shutdown


Now GW1 is available via SSH from SW1 device:



sw1#ssh -l root 10.76.76.137
Password:
S-Terra Gate 4.2.18201 (amd64)
root@GW1~#


Similarly, GW2 is accessible via SSH from the SW2 device:



sw2#ssh -l root 10.76.76.138
Password:
S-Terra Gate 4.2.18201 (amd64)
root@GW2~#


Nice. I poured another cup of coffee.



Step 3. Dealing with MGMT to the gateway at the remote site



MGMT traffic to the gateway at the remote site must be encrypted. To do this, I send VLAN 10 through the VPN. Everything intercepted on the PROMISC interface enters the VPN tunnel, so I add VLAN 10 to the trunk towards the PROMISC interface:



sw1(config)#
interface gi0/0
  description LINK_TO_PROMISC_GW1
  switchport trunk allowed vlan 10,205

sw2(config)#
interface gi0/0
  description LINK_TO_PROMISC_GW2
  switchport trunk allowed vlan 10,205


Don't waste half an hour troubleshooting!



The PROMISC interface must not receive ESP DATA: the gateway would capture its own encrypted frames and encapsulate them all over again. The LINK_TO_PROMISC_GW1 and LINK_TO_PROMISC_GW2 trunks above allow only VLANs 10 and 205, so VLAN 100 is already excluded; if you ever open such a trunk to a wider range, exclude VLAN 100 explicitly (VLAN IDs on IOS run up to 4094):



switchport trunk allowed vlan 1-99,101-4094


Step 4. Dealing with ESP DATA



I put ESP DATA in VLAN 100 on the GW1 and GW2 gateways. Address space for VLAN 100: 192.168.10.0/30.



To do this, on the WAN interface Gi0/1 of gateways GW1 and GW2 I create the 802.1Q subinterface Gi0/1.100.

Traffic leaving this subinterface is tagged with VLAN 100:



GW1(config)#
interface gi0/1.100
  ! assumed: the cisco-like console, like IOS, binds the VLAN tag to the subinterface with this command (the original snippet omitted it)
  encapsulation dot1q 100
  ip address 192.168.10.1 255.255.255.252
  no shutdown

GW2(config)#
interface gi0/1.100
  encapsulation dot1q 100
  ip address 192.168.10.2 255.255.255.252
  no shutdown






I allow VLAN 100 on the LINK_TO_WAN_GW1 and LINK_TO_WAN_GW2 trunks:



sw1(config)#
interface gi0/1
  description LINK_TO_WAN_GW1
  switchport trunk allowed vlan 10,100

sw2(config)#
interface gi0/1
  description LINK_TO_WAN_GW2
  switchport trunk allowed vlan 10,100


The link between devices SW1 and SW2 must also transmit tagged VLAN 100 traffic:



sw1(config)#
interface gi0/3
  description LINK_TO_SW2
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100
  no shutdown

sw2(config)#
interface gi0/3
  description LINK_TO_SW1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100
  no shutdown
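The VLAN plan built up in Steps 1, 3 and 4 can be broken by a single wrong allowed-vlan list, so here is an added example (written for this edit, not the article's or the vendor's code) that parses switch configuration in the style of the snippets above and checks the plan's invariants: the trunk to the PROMISC interface carries BULK and MGMT but never the ESP VLAN, the WAN trunk carries ESP with MGMT as the native VLAN, and the inter-site trunk carries nothing but ESP. The SW1_CONFIG text is constructed from the article's snippets, and matching a port's role by its description (PROMISC, WAN, TO_SW) is an assumption of this script.

```python
import re

# Constructed SW1 configuration assembled from the trunk and access settings the
# article applies in Steps 1, 3 and 4 (not the switch's full running config).
SW1_CONFIG = """
interface gi0/0
  description LINK_TO_PROMISC_GW1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 10,205
interface gi0/1
  description LINK_TO_WAN_GW1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 10,100
  switchport trunk native vlan 10
interface gi0/2
  description BULK_TO_R1
  switchport access vlan 205
interface gi0/3
  description LINK_TO_SW2
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100
"""

BULK, MGMT, ESP = 205, 10, 100   # VLAN roles as defined in the article
ALL_VLANS = set(range(1, 4095))  # IOS VLAN IDs run 1-4094


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,205' or '1-99,101-4094' into a set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Collect, per interface, the switchport settings that decide VLAN membership."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"description": "", "trunk": False,
                                                 "allowed": None, "native": 1, "access": None})
        elif cur is None or not line:
            continue
        elif line.startswith("description "):
            cur["description"] = line.split(" ", 1)[1]
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = parse_vlan_list(line.rsplit("vlan ", 1)[1])
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.rsplit(" ", 1)[1])
        elif line.startswith("switchport access vlan "):
            cur["access"] = int(line.rsplit(" ", 1)[1])
    return ifaces


def carried_vlans(iface):
    """VLANs whose frames can appear on the port (a trunk without a list carries all)."""
    if iface["trunk"]:
        return ALL_VLANS if iface["allowed"] is None else iface["allowed"]
    return {iface["access"] or 1}


def check_design(ifaces):
    """Return the violations of the article's VLAN plan; an empty list means it holds."""
    problems = []
    for name, i in ifaces.items():
        desc, vlans = i["description"], carried_vlans(i)
        if "PROMISC" in desc:      # trunk towards the gateway's capturing interface
            if ESP in vlans:
                problems.append(f"{name} {desc}: ESP VLAN {ESP} reaches the PROMISC "
                                "interface, the gateway would capture its own encrypted frames")
            if not {BULK, MGMT} <= vlans:
                problems.append(f"{name} {desc}: BULK ({BULK}) and MGMT ({MGMT}) must both "
                                "be allowed so that they enter the tunnel")
        elif "WAN" in desc:        # trunk towards the gateway's Gi0/1
            if i["native"] != MGMT:
                problems.append(f"{name} {desc}: native VLAN must be {MGMT} so that "
                                "management arrives untagged on the gateway")
            if ESP not in vlans:
                problems.append(f"{name} {desc}: ESP VLAN {ESP} is not allowed, "
                                "the tunnel traffic cannot leave the gateway")
        elif "TO_SW" in desc:      # the link between the two sites
            leaked = vlans - {ESP}
            if leaked:
                problems.append(f"{name} {desc}: plaintext VLANs {sorted(leaked)} would "
                                "cross the inter-site link unencrypted")
    return problems


if __name__ == "__main__":
    for p in check_design(parse_interfaces(SW1_CONFIG)) or ["VLAN plan holds"]:
        print(p)
```

Run it against the real `show running-config` of both switches after every change to the trunks; the two mistakes it is written to catch are exactly the ones that cost troubleshooting time here (ESP leaking back into the PROMISC trunk, and a plaintext VLAN allowed on the inter-site link).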


Step 5. Configuring S-Terra L2 and the GOST IPsec VPN



S-Terra L2 is configured in the operating system through the configuration file /opt/VPNagent/etc/l2.conf. For GW1:



vif tap0
bridge br0
capture eth0
remote 192.168.10.2
mssfix 1400
passtos


where:



  • capture eth0 - selects the PROMISC interface;
  • remote 192.168.10.2 - the IP address of the IPsec peer (the Gi0/1.100 interface of the GW2 gateway).



For GW2:



vif tap0
bridge br0
capture eth0
remote 192.168.10.1
mssfix 1400
passtos


Configuring the IKE / IPsec parameters. For GW1:

The gateways use hostnames as IKE identities and a pre-shared key for authentication (the product's Rules of Use require digital certificates for authentication; I will switch to them later):



GW1(config)#
crypto isakmp identity hostname
ip host GW2 192.168.10.2
crypto isakmp key KEY hostname GW2


Configuring the dead peer detection (DPD) parameters:



GW1(config)#
crypto isakmp keepalive 10 2
crypto isakmp keepalive retry-count 5


I set the IPsec Phase 1 (ISAKMP policy) parameters:



GW1(config)#
crypto isakmp policy 1
  encr gost
  hash gost3411-256-tc26
  auth pre-share
  group vko2


I set the IPsec Phase 2 parameters (the transform set):



GW1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
   mode tunnel


Since the frames intercepted on the PROMISC interface are encapsulated by S-Terra L2 in UDP, the access list that selects traffic for encryption matches UDP between the two peer addresses:



GW1(config)#
ip access-list extended LIST
   permit udp host 192.168.10.1 host 192.168.10.2


I create a crypto map and bind it to Gi0 / 1.100:



GW1(config)#
crypto map CMAP 1 ipsec-isakmp
  match address LIST
  set transform-set TSET
  set peer 192.168.10.2
interface gi0/1.100
  crypto map CMAP


I specify the default route through the IP address of the IPsec peer:



GW1(config)#
ip route 0.0.0.0 0.0.0.0 192.168.10.2


GW2 gateway configuration:



GW2(config)#
crypto isakmp identity hostname
ip host GW1 192.168.10.1
crypto isakmp key KEY hostname GW1
crypto isakmp keepalive 10 2
crypto isakmp keepalive retry-count 5
crypto isakmp policy 1
  encr gost
  hash gost3411-256-tc26
  auth pre-share
  group vko2
crypto ipsec transform-set TSET esp-gost28147-4m-imit
  mode tunnel
ip access-list extended LIST
  permit udp host 192.168.10.2 host 192.168.10.1
crypto map CMAP 1 ipsec-isakmp
  match address LIST
  set transform-set TSET
  set peer 192.168.10.1
interface gi0/1.100
  crypto map CMAP
ip route 0.0.0.0 0.0.0.0 192.168.10.1


Did it work?



From device R1, I ping to R2:



R1#ping 10.10.205.2
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.205.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms


R2 replies to ICMP. The ARP tables on R1 and R2:



R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface 
Internet  10.10.205.1             -   aabb.cc00.5020  ARPA   GigabitEthernet0/2 
Internet  10.10.205.2            54   aabb.cc00.6020  ARPA   GigabitEthernet0/2

R2#show arp 
Protocol  Address          Age (min)  Hardware Addr   Type   Interface 
Internet  10.10.205.1            52   aabb.cc00.5020  ARPA   GigabitEthernet0/2 
Internet  10.10.205.2             -   aabb.cc00.6020  ARPA   GigabitEthernet0/2


R1 and R2 see each other as being in the same broadcast domain: each has resolved the other's MAC address directly by ARP.



SW1 and SW2 devices consider that they are connected to each other by two links:



sw1#show cdp neighbors
Device ID    Local Intrfce   Holdtme     Capability  Platform  Port ID 
sw2          Gi0/0           146             R S I  Linux Uni Gi0/0 
sw2          Gi0/3           146             R S I  Linux Uni Gi0/3 
R1           Gi0/2           156              R B   Linux Uni Gi0/2

sw2#show cdp neighbors
Device ID    Local Intrfce   Holdtme     Capability  Platform  Port ID 
sw1          Gi0/0           140             R S I  Linux Uni Gi0/0 
sw1          Gi0/3           140             R S I  Linux Uni Gi0/3 
R2           Gi0/2           156              R B   Linux Uni Gi0/2


Trying to connect to GW2 via SSH from SW1 device:



sw1#ssh -l root 10.76.76.138
Password:
S-Terra Gate 4.2.18201 (amd64)
root@GW2~#


Conclusion: sites 1 and 2 are transparently joined into a single broadcast domain. Now I check that the channel is actually encrypted:



IPsec tunnel statistics on the GW1 device:



root@GW1:~# sa_mgr show 
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections: 
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd 
1 2 (192.168.10.1,500)-(192.168.10.2,500) active 31378 31502

IPsec connections: 
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd 
1 2 (192.168.10.1,*)-(192.168.10.2,*) 17 ESP tunn 508224 27672


An IPsec tunnel was established between 192.168.10.1 and 192.168.10.2.



I checked that only ESP traffic, not counting STP, is transmitted between the SW1 and SW2 devices. Here is a traffic dump from the gi0/3 interface of SW1:
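The same check in script form, as an added example that is not the article's dump or code: it classifies tcpdump-style lines captured on the inter-site link and flags anything other than STP or ESP between the two Gi0/1.100 peers. The capture lines below are constructed for this example, including one deliberately leaked plaintext frame in VLAN 205 so that the detection is visible; the `tcpdump -e -nn` output layout is assumed.

```python
import re

# Constructed tcpdump-style lines (tcpdump -e -nn on the SW1 gi0/3 link).
# Built by hand for this example; the fourth line is a planted plaintext leak.
CAPTURE = """\
12:00:00.000100 aa:bb:cc:00:10:00 > 01:80:c2:00:00:00, 802.3, length 60: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 8001.aa:bb:cc:00:10:00.8003, length 42
12:00:00.120000 00:0c:29:aa:00:01 > 00:0c:29:bb:00:02, ethertype 802.1Q (0x8100), length 170: vlan 100, p 0, ethertype IPv4 (0x0800), 192.168.10.1 > 192.168.10.2: ESP(spi=0x0001a2b3,seq=0x1f), length 132
12:00:00.130000 00:0c:29:bb:00:02 > 00:0c:29:aa:00:01, ethertype 802.1Q (0x8100), length 170: vlan 100, p 0, ethertype IPv4 (0x0800), 192.168.10.2 > 192.168.10.1: ESP(spi=0x0004c5d6,seq=0x1f), length 132
12:00:00.200000 aa:bb:cc:00:50:20 > aa:bb:cc:00:60:20, ethertype 802.1Q (0x8100), length 118: vlan 205, p 0, ethertype IPv4 (0x0800), 10.10.205.1 > 10.10.205.2: ICMP echo request, id 1, seq 1, length 80
"""

ESP_VLAN = 100
PEERS = {"192.168.10.1", "192.168.10.2"}   # Gi0/1.100 addresses of GW1 and GW2

VLAN_RE = re.compile(r"\bvlan (\d+),")
IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):")


def classify(line):
    """Label one capture line: 'stp' or 'esp' (expected) or 'violation' (anything else)."""
    if "STP 802.1" in line:
        return "stp"
    vlan = VLAN_RE.search(line)
    ips = IP_RE.search(line)
    if (vlan and ips and int(vlan.group(1)) == ESP_VLAN and "ESP(" in line
            and {ips.group(1), ips.group(2)} == PEERS):
        return "esp"
    return "violation"


def audit_intersite_link(capture):
    """Count the expected frame types and collect every line that is neither STP nor peer ESP."""
    summary = {"stp": 0, "esp": 0, "violations": []}
    for line in capture.splitlines():
        if not line.strip():
            continue
        kind = classify(line)
        if kind == "violation":
            summary["violations"].append(line)
        else:
            summary[kind] += 1
    return summary


if __name__ == "__main__":
    result = audit_intersite_link(CAPTURE)
    print(f"STP frames: {result['stp']}, ESP frames: {result['esp']}")
    for v in result["violations"]:
        print("PLAINTEXT ON INTER-SITE LINK:", v)
```

The check is deliberately strict: ESP is accepted only in the ESP VLAN and only between the two configured peer addresses, so an ESP frame from an unexpected source, or an untagged frame of any kind, is reported just like the leaked VLAN 205 ping.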







In the end



I drank three cups of coffee and then did not sleep all night, but I did not have to buy new hardware or update the software. Maybe it would have been worth it: in version 4.3 the vendor has polished up L2. I'm thinking of taking version 4.3 for testing.



Anonymous engineer

t.me/anonimous_engineer


