Two sites, one LAN

Scenario

This lab extends a LAN over a VPN link across two different sites. These sites will be connected to the Internet and routed with BGP.

eBGP to the “ISP router” and iBGP between the sites.

The two “sites” are my laptops, and the hosts and routers running in these “sites” are VirtualBox guests. Router guests are Vyatta 6.5, server guests Bodhi Linux.

All the routers have an IPv4 connection to the “ISP-router”, which is a Cisco.

IPv6 from r1a and r2b is tunneled over the IPv4 link.
The L2VPN between the sites is also carried over the IPv4 link.

The end result should be that you can connect a host to either site, using the LAN prefix 2001:98:0013:004f::/64, and that host gets an IPv6 Internet connection. The connection should fail over automatically to the other link to the “ISP router”.

Network Diagram

[Figure: two-sites-one-lan]

I apologise for the crappy network diagram. I drew it as Google docs presentation and it felt a bit clumsy.

Set up the Lab

Install guests (the routers) on the two hosts.
Give the routers IPv4 addresses.
Configure IPv4 routing so that the guest routers can see each other; 0/0 points to the “ISP router”.
Verify that all routers can ping each other’s IPv4 addresses.

L2VPN

Create an L2VPN between r3a and r4b, using the IPv4 network as transport.

generate openvpn key r3a-r4b

r3a
set interfaces bridge br2
set interfaces ethernet eth4 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.4.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

r4b
set interfaces bridge br2
set interfaces ethernet eth5 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.3.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

Give the lab-routers their IPv6 addresses

set interfaces ethernet eth4 ipv6 address eui64 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert prefix 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert other-config-flag true

IPv6 tunnels

If your virtualization software and network environment allow it, you may skip this phase and give r1a and r2b their IPv6 link addresses directly. In my system I have VirtualBox and the link is over wifi. It will not allow me to use IPv6 directly on this interface.

That is why I use tunnels.

Create IPv6-over-IPv4 tunnels between

“ISP-router” – r1a
“ISP-router” – r2b

IPv6 addresses for the tunnels

“ISP-router” Cisco
2001:98:0013:004e::1/126
r1a
2001:98:0013:004e::2/126

“ISP-router” Cisco
2001:98:0013:004e::5/126
r2b
2001:98:0013:004e::6/126

Cisco config
interface Tunnel3
description IPv6 tunnel to r1a
no ip address
ipv6 address 2001:98:0013:004e::1/126
ipv6 enable
tunnel source 10.1.1.1
tunnel destination 10.1.1.2
tunnel mode ipv6ip

Vyatta config for r1a
edit interfaces tunnel tun3
set address 2001:98:0013:004e::2/126
set encapsulation sit
set local-ip 10.1.1.2
set remote-ip 10.1.1.1
set description "IPv6 tunnel to cisco"
exit
commit

Adjust accordingly for r2b.

Routing

Configure IPv6 eBGP from r1a and r2b to the Internet router.

r1a
set protocols bgp 65502 neighbor 2001:98:13:4e::1 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4e::1 remote-as 65501
set protocols bgp 65502 parameters router-id 10.1.1.2

cisco
router bgp 65501
no synchronization
bgp log-neighbor-changes
neighbor 2001:98:13:4E::2 remote-as 65502
no auto-summary
!
address-family ipv6
neighbor 2001:98:13:4E::2 activate
neighbor 2001:98:13:4E::2 next-hop-self
neighbor 2001:98:13:4E::2 soft-reconfiguration inbound
redistribute static
default-information originate
no synchronization
exit-address-family
!

Adjust accordingly for r2b.

Configure IPv6 iBGP r1a – r2b

r2b
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 remote-as 65502
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast nexthop-self
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 update-source 2001:98:13:4f:a00:27ff:fe97:1e3c

Adjust accordingly for r1a.
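The iBGP neighbor and update-source addresses above are the EUI-64 addresses that `ipv6 address eui64` derives from each VM’s NIC MAC, so the peer address can be computed and checked before the peering is configured. This Python helper is an added example, not from the original post; the MACs it works with (08:00:27:f7:eb:81 and 08:00:27:97:1e:3c) are inferred here from the addresses in the post, not stated in it.

```python
import ipaddress


def eui64_address(prefix: str, mac: str) -> str:
    """Build the address that 'ipv6 address eui64 <prefix>' yields for a NIC:
    split the 48-bit MAC, insert ff:fe in the middle and flip the
    universal/local bit (0x02) of the first octet (RFC 4291, Appendix A)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    addr = ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))
    return str(addr)  # compressed form, as Vyatta/Cisco print it


def mac_from_eui64(address: str) -> str:
    """Inverse: recover the NIC MAC from an EUI-64 address (ff:fe must be present)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 interface identifier")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


# Constructed check against the two iBGP peer addresses used in the post;
# the MACs are inferred from those addresses (VirtualBox OUI 08:00:27).
LAN_PREFIX = "2001:98:0013:004f::/64"

if __name__ == "__main__":
    for peer in ("2001:98:13:4f:a00:27ff:fef7:eb81", "2001:98:13:4f:a00:27ff:fe97:1e3c"):
        mac = mac_from_eui64(peer)
        assert eui64_address(LAN_PREFIX, mac) == peer
        print(f"{peer}  <-  MAC {mac}")
```

Because the peer address is bound to the NIC’s MAC, a regenerated VM MAC changes the address and silently breaks the iBGP session; an explicitly configured address is the safer choice for a peering.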

Inject the LAN prefix into BGP

r1a & r2b
set protocols bgp 65502 address-family ipv6-unicast network 2001:98:0013:004f::/64

Testing

Set up a host at both “sites”.
Bring down routers, links, or the connection between the sites. What happens?

My observations:

1. When I turn off a router, the routing changes to the other link immediately.

2. When I take down the main WAN link, it takes time to reroute: about a minute or two.

3. Of my two “servers”, one changes its first hop immediately and automatically. The other one does not. Don’t know why. Both hosts use automatic configuration.

BGP AS-path prepending

BGP has its own rules for choosing which path to use. Which route did your routers choose as the active one? Now we want to tell them that we would prefer to pass traffic via r1a, so put this configuration on r2b to make its path appear longer.

r2b
set policy route-map prepend-secondary rule 10 action permit
set policy route-map prepend-secondary rule 10 set as-path-prepend "65502 65502"
set protocols bgp 65502 neighbor 2001:98:13:4E::5 address-family ipv6-unicast route-map export prepend-secondary
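To see why the prepend steers inbound traffic to r1a, here is an added Python model (not from the post, and not Cisco’s or Vyatta’s implementation) of the relevant steps of the BGP decision process, applied to the two paths the “ISP router” receives for the LAN prefix. The neighbor addresses and r1a’s router-id are the ones in the post; r2b’s router-id is constructed so that, without prepending, the tie-break would fall to r2b.

```python
from dataclasses import dataclass, replace


@dataclass
class Path:
    """One candidate path for a prefix as received by a BGP speaker."""
    prefix: str
    as_path: list          # leftmost ASN is the most recently traversed AS
    neighbor: str          # address the path was learned from
    local_pref: int = 100
    med: int = 0
    router_id: str = "0.0.0.0"   # peer's router-id: last tie-breaker modelled here


def as_path_prepend(path: Path, prepend: str) -> Path:
    """Model of the Vyatta route-map 'set as-path-prepend "65502 65502"' applied
    on export: the listed ASNs are pushed onto the front of the AS_PATH the
    neighbor sees. The original path object is left untouched."""
    return replace(path, as_path=[int(asn) for asn in prepend.split()] + path.as_path)


def best_path(candidates):
    """Subset of the BGP decision process, in order: highest LOCAL_PREF,
    shortest AS_PATH, lowest MED, then lowest peer router-id."""
    def rank(p):
        rid = tuple(int(o) for o in p.router_id.split("."))
        return (-p.local_pref, len(p.as_path), p.med, rid)
    return min(candidates, key=rank)


# Constructed: the two paths the "ISP router" (AS 65501) learns for the LAN prefix.
# r1a's router-id is the one in the post; r2b's is made up and chosen lower than
# r1a's so that, without prepending, the router-id tie-break favours r2b.
LAN = "2001:98:13:4f::/64"
VIA_R1A = Path(LAN, [65502], neighbor="2001:98:13:4e::2", router_id="10.1.1.2")
VIA_R2B = Path(LAN, [65502], neighbor="2001:98:13:4e::6", router_id="10.0.2.2")


def chosen_without_prepend() -> str:
    return best_path([VIA_R1A, VIA_R2B]).neighbor


def chosen_with_prepend() -> str:
    return best_path([VIA_R1A, as_path_prepend(VIA_R2B, "65502 65502")]).neighbor


if __name__ == "__main__":
    print("without prepend:", chosen_without_prepend())  # r2b, 2001:98:13:4e::6
    print("with prepend:   ", chosen_with_prepend())     # r1a, 2001:98:13:4e::2
```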

IPv6 to go: PPTP VPN Cisco – Mac Book and an IPv6 tunnel

[Originally posted Sep 2, 2012 10:53 AM by Antti Uitto   [ updated Sep 2, 2012 11:40 AM ]]

This article assumes that you have a (Cisco) router that you can administer and that the router is connected to both IPv4 and IPv6 networks.

It’s ok if you don’t have IPv5 yet.

We are going to make a PPTP VPN from a Mac to the router and then, using the IPv4 address pair obtained from the VPN client pool, tunnel some IPv6 over it. This way you can have your IPv6 address with you wherever you go.

First configure PPTP VPN service in your router.

configure terminal
vpdn enable
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
exit
exit
interface Virtual-Template1
ip address 192.168.34.1 255.255.255.0
peer default ip address pool PPTP-Pool
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
exit
ip local pool PPTP-Pool 192.168.34.200 192.168.34.210

Create a PPTP VPN user.

username usr1 password PASSWORD

Insert these lines to ensure that usr1 always gets the address 192.168.34.200.

aaa new-model
aaa authentication ppp default local
aaa authorization network default local

username usr1 aaa attribute list usr1
aaa attribute list usr1
attribute type addr 192.168.34.200 service ppp protocol ip mandatory

Create a tunnel interface for this user.

interface Tunnel200
description IPv6 tunnel to MAC
no ip address
ipv6 address 2001:98:1:49:FFFF:FFFF:FFFF:FFFD/126
ipv6 enable
tunnel source 192.168.34.1
tunnel destination 192.168.34.200
tunnel mode ipv6ip
end

Those lines make a tunnel between the PPTP VPN addresses (IPv4). This tunnel is given an IPv6 address from your own address space.

Next configure your Mac.

Create a normal PPTP VPN connection using OS X’s network configuration.

Then create a file called ipv6-tunnel-up on Mac, with this in it:

#!/bin/sh
# ipv6-tunnel-up: bring up the IPv6-over-IPv4 tunnel to the router once the PPTP VPN is connected
sudo route delete -inet6 default
sudo ifconfig gif200 create
sudo ifconfig gif200 tunnel 192.168.34.200 192.168.34.1
sudo ifconfig gif200 inet6 alias 2001:98:1:49:FFFF:FFFF:FFFF:FFFE prefixlen 126
sudo route add -inet6 default -interface gif200

Make this file executable by saying
chmod +x ipv6-tunnel-up

You can make things even nicer by creating a similar file, ipv6-tunnel-down, that destroys gif200 and removes the IPv6 default route.

TCP/IP by Douglas E. Comer

[Originally posted Mar 13, 2012 5:26 AM by Antti Uitto]

Just finished reading a book called “TCP/IP”.

(Original English title: Internetworking with TCP/IP Principles, Protocols and Architectures, Fourth Edition)

The catchy title pretty much tells you what the book is about: it aims to give you the basics of how TCP/IP works and what is included.

This certainly is a book to read if you want to learn about TCP/IP. I would say it is a bit of a dry read, however. At times I found myself thinking that this info is more useful to someone coding software that uses TCP/IP than to someone administering networks. However, there was still plenty of useful info for a networker.

This book offers no tips and tricks, it’s all theory.

If you are impatient like me and prefer to learn from examples and configs, then some other material such as those published by Cisco Press may serve you better.

Topics covered

History of the Internet
Internet organizations
LAN and WAN technologies
IP addresses
ARP & RARP
Internet Protocol and routing
ICMP
TCP & UDP
Dynamic routing protocols
Multicast
Mobile IP
NAT & VPN
BOOTP & DHCP
DNS
Telnet, Rlogin, FTP, TFTP, SMTP….
VoIP
SNMP
Security aspects, Firewalls and IPsec
IPv6

… and a lot more …

One thing I re-learned from reading this book:
I should not buy tech books translated into my native language (Finnish). The attempts to create Finnish equivalents for some technical terms are at best irritating, but sometimes also confusing. English is the language of technology, computing and the Internet, and when I read geeky stuff, I will get my books in English from now on.

I am currently reading Carla Schroder’s “Linux Networking Cookbook”. Maybe a word or two about it a bit later.

And “IPv6 theory, protocol and practice” is waiting on the digital bookshelf!

Networking with Linux; what goes where?

[Originally posted Mar 13, 2012 4:38 AM by Antti Uitto]

A modern Linux distribution is an impressive tool for networking. You can rather easily set up a router, firewall or VPN gateway. If you are working with a traditional router, such as Cisco or Juniper, or if you have the fabulous Vyatta router at hand, you will have one place where just about everything goes: the configuration. You add commands from the command line and as you commit and save them, they are stored in the configuration. After the next reload, your gateway will come alive with that configuration in it.

This is not quite so when working with a Linux gateway. Here too you can give most, if not all, of your commands from the CLI and they will be applied either immediately or after reloading the service in question. But mostly they do not survive a boot unless you do something.

That something you need to do is to write these commands in config files and save them.

In Linux there is, I guess, always more than one way of doing any given thing.

Here are the programs I use and the config files where I write their settings. What’s your setup like?

/etc/network/interfaces
– Physical interfaces
– Logical interfaces (VLAN and bridge)
– IP addresses

/etc/rc.local
– Invoke firewall ( iptables-restore < /path/to/firewall_rules )
– VPN (OpenVPN commands)
– Tunnel interfaces (ip tunnel add)
– Static routes (ip route add)
– Source routing commands (ip route add & ip rule add)

Quagga router
– Dynamic routing (RIP, OSPF, BGP)
– When you say “write”, Quagga writes its own config in the appropriate place

/home/admin/firewall
– Iptables firewall rules for filtering and logging
– Network address translation (NAT)

/var/log/syslog
– Connection attempts logged by iptables

So there is a file where the physical and logical interfaces are configured, including their IPs. There is another place where I like to put my VPNs, tunnels and all the static routes. If I were to use dynamic routing, I would move all my routes to Quagga and handle them from there. But if there is no need for dynamic routing, then all the statics go to the file mentioned in the list.

I do my best to write accurate and compact descriptions for the things that are in these files. It is nicer like that when you have to search for something or want a quick look at what there is to be found.

grep -A 3 descr /etc/rc.local

IPv6 Over IPv4, secured with OpenVPN

[Originally posted Mar 13, 2012 4:31 AM by Antti Uitto [ updated Apr 27, 2012 12:37 PM ]]

In this lab we create an OpenVPN connection between two routers that are connected to an IPv4-only network. We then connect two IPv6 sites via a sit tunnel that runs inside this protected connection.

You can tunnel IPv6 over IPv4 without using an encrypted VPN connection (such as OpenVPN): just make the sit tunnel between the routers’ public IPv4 addresses.

Network diagram:

INSTALL OPENVPN ON BOTH ROUTERS

sudo apt-get install openvpn

GIVE IPv6 ADDRESSES

example: host1

/etc/network/interfaces

iface eth0 inet6 static
pre-up modprobe ipv6
address 2001:22::2
netmask 64
gateway 2001:22::1

VPNs

Create key on router1

openvpn --genkey --secret router1-router2

Copy the key file to router2.

Run these from the command line and place them in /etc/rc.local to make them persistent.

router1
openvpn --remote 2.2.2.2 --port 1199 --dev tun199 --ifconfig 10.4.0.17 10.4.0.18 --verb 5 --secret /home/user/router1-router2

router2
openvpn --remote 1.1.1.1 --port 1199 --dev tun199 --ifconfig 10.4.0.18 10.4.0.17 --verb 5 --secret /home/user/router1-router2

SIT TUNNELS

Run these from the command line and place them in /etc/rc.local to make them persistent.

router1
# create the sit (IPv6-in-IPv4) tunnel between the OpenVPN tun199 endpoints
sudo ip tunnel add sit199 mode sit local 10.4.0.17 remote 10.4.0.18 ttl 64
sudo ip address add dev sit199 2001:acdc::1/64
sudo ip link set dev sit199 up
# route the other site's LAN prefix through the tunnel
sudo ip -6 route add 2001:33::/64 via 2001:acdc::2

router2
sudo ip tunnel add sit199 mode sit local 10.4.0.18 remote 10.4.0.17 ttl 64
sudo ip address add dev sit199 2001:acdc::2/64
sudo ip link set dev sit199 up
sudo ip -6 route add 2001:22::/64 via 2001:acdc::1