IPsec Security Gateways: vRouters with VRF Aware IPsec

As the Internet has grown, securing communications between hosts has become mandatory. Whether in transport mode or in tunnel mode, IPsec has become, among other solutions, a widely used way to secure communications between hosts.

The most common issue encountered when connecting two sites together using a Virtual Private Network (VPN) is building the VPN over overlapping networks, where both sites happen to use the same private IP addresses. Connecting two networks with overlapping subnets, if not configured the right way, leads to IP conflicts and traffic errors.

This blog will help you learn how to correctly address this problem and build a functional site-to-site VPN connection. The configuration we will provide in this blog enables the 6WIND Turbo IPsec vRouter to direct traffic to the correct address on the correct network.


A: Dealing With Overlapping Networks

Let’s consider the following use case: Two hosts located on different sites have to communicate together through a secure VPN tunnel. Each host is assigned an IP address by the local Router (192.168.1.0/24). Both networks overlap. We assume that each site uses a separate DNS server.

The following schema illustrates the case:

If HostA (192.168.1.10) uses the HostB IP address (192.168.1.20) to communicate with it, or vice versa, communication will not be established, because each host considers that the destination belongs to its own local network (192.168.1.0/24). Packets issued by HostA (or HostB) will not reach the other host on the remote site, as HostA will not get any ARP reply when trying to resolve the HostB IP address.

To solve this issue, we must convince each host that the other host is on a foreign network. Each host then sends its packets to its Router, which can forward them through the VPN tunnel.

In our described use case, this can be done by making the SiteA network appear as 10.0.1.0/24 when speaking to SiteB, and making the SiteB network appear as 20.0.1.0/24 when speaking to SiteA.

How this works in reality:

1 – When an IP packet is sent from HostA to HostB, the SRC address is set to the HostA IP address, whereas the DST address is set to an address in the virtual network that represents SiteB (SRC: 192.168.1.10 / DST: 20.0.1.20).

2 – The packet is received by RouterA, where a NAT policy rule matches any packet with SRC in the 192.168.1.0/24 range and DST in the 20.0.1.0/24 range and translates the SRC address into the 10.0.1.0/24 range.

3 – The packets sent by HostA match the RouterA NAT policy rule and are therefore SRC NATed (see schema), then routed into the VPN tunnel to RouterB.

4 – Packets from RouterA arriving at RouterB are reverse NATed: the DST address is translated back to the HostB IP address.

5 – Packets sent from HostB to HostA take the opposite path, as described in the following schema.

As described in the schema, traffic crossing the IPsec Tunnel uses the Virtual IP addresses defined in the NAT policy rules on both Routers.

Note: This setup is symmetrical and thus requires that both Routers support Policy NAT configuration. If for any reason this condition is not met, the same result can be achieved with a Twice NAT policy on one side and no address translation on the other side.

The following schema details how Twice NAT can be performed on one side to achieve the same results:

How this works in reality:

1 – When an IP packet is sent from HostA to HostB, the SRC address is set to the HostA IP address, whereas the DST address is set to an address in the virtual network that represents SiteB (SRC: 192.168.1.10 / DST: 20.0.1.20).

2 – The packet is received by RouterA, where a Twice NAT policy rule matches any packet with SRC in the 192.168.1.0/24 range and DST in the 20.0.1.0/24 range, translates the SRC address into the 10.0.1.0/24 range and the DST address into the SiteB local range 192.168.1.0/24.

3 – The packets sent by HostA match the RouterA NAT policy rule and are therefore both SRC and DST NATed (see schema), then routed into the VPN tunnel to RouterB.

4 – Packets from RouterA arriving at RouterB are routed directly to HostB, without any translation.

5 – Packets sent from HostB to HostA take the opposite path and are reverse NATed on RouterA, as described in the schema.

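As an added illustration, not part of the original post and not 6WIND code, the following Python model walks a packet through both schemes above (symmetric Policy NAT on both Routers, and Twice NAT on RouterA alone) using a NETMAP-style prefix translation; the Packet and Rule types and the rule tables are this example's own, built from the addresses used in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def netmap(addr: str, from_net: str, to_net: str) -> str:
    """NETMAP-style translation: swap the prefix of addr, keep the host part."""
    a = ipaddress.ip_address(addr)
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    assert f.prefixlen == t.prefixlen and a in f
    return str(ipaddress.ip_address(int(t.network_address) | (int(a) & int(f.hostmask))))

@dataclass(frozen=True)
class Rule:
    """Policy NAT rule: match on (src, dst) prefixes, then rewrite one or both addresses."""
    match_src: str
    match_dst: str
    snat: Optional[Tuple[str, str]] = None   # (from_net, to_net) applied to src
    dnat: Optional[Tuple[str, str]] = None   # (from_net, to_net) applied to dst

def apply_rules(pkt: Packet, rules) -> Packet:
    """First matching rule wins; no match means the router only forwards."""
    for r in rules:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.match_src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.match_dst)):
            src = netmap(pkt.src, *r.snat) if r.snat else pkt.src
            dst = netmap(pkt.dst, *r.dnat) if r.dnat else pkt.dst
            return Packet(src, dst)
    return pkt

SITE = "192.168.1.0/24"                         # both sites use this prefix
VIRT_A, VIRT_B = "10.0.1.0/24", "20.0.1.0/24"   # how SiteA / SiteB appear to the other side

# Symmetric Policy NAT (first schema): each router SNATs its own site on the way
# out and reverses the translation of its own site on the way in.
ROUTER_A_SYM = [Rule(SITE, VIRT_B, snat=(SITE, VIRT_A)),
                Rule(VIRT_B, VIRT_A, dnat=(VIRT_A, SITE))]
ROUTER_B_SYM = [Rule(SITE, VIRT_A, snat=(SITE, VIRT_B)),
                Rule(VIRT_A, VIRT_B, dnat=(VIRT_B, SITE))]

# Twice NAT on RouterA only (second schema): RouterB just routes 10.0.1.0/24 into
# the tunnel and leaves addresses untouched. The DST prefix tells the two flows apart.
ROUTER_A_TWICE = [Rule(SITE, VIRT_B, snat=(SITE, VIRT_A), dnat=(VIRT_B, SITE)),
                  Rule(SITE, VIRT_A, snat=(SITE, VIRT_B), dnat=(VIRT_A, SITE))]
ROUTER_B_NONE = []

def forward_path(pkt, rules_a, rules_b):
    """HostA -> RouterA -> tunnel -> RouterB -> HostB: (on tunnel, as seen by HostB)."""
    on_tunnel = apply_rules(pkt, rules_a)
    return on_tunnel, apply_rules(on_tunnel, rules_b)

def return_path(pkt, rules_a, rules_b):
    """HostB -> RouterB -> tunnel -> RouterA -> HostA: (on tunnel, as seen by HostA)."""
    on_tunnel = apply_rules(pkt, rules_b)
    return on_tunnel, apply_rules(on_tunnel, rules_a)

if __name__ == "__main__":
    for name, ra, rb in (("policy NAT", ROUTER_A_SYM, ROUTER_B_SYM),
                         ("twice NAT", ROUTER_A_TWICE, ROUTER_B_NONE)):
        print(name, forward_path(Packet("192.168.1.10", "20.0.1.20"), ra, rb),
              return_path(Packet("192.168.1.20", "10.0.1.10"), ra, rb))
```

In both schemes the tunnel only ever carries the virtual addresses in at least one of the two fields, so the overlapping 192.168.1.0/24 prefix never has to be routed across the VPN.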

B: Dealing With VPN Isolation – “VRF Aware IPsec VPN”

We need to connect two remote sites to a data center through an IPsec Security Gateway. Each remote site should only be granted access to its dedicated servers in the data center. The Security Gateway should guarantee that the traffic between each remote site and its dedicated servers is fully isolated from the other traffic it handles.

The following drawing illustrates the targeted setup:

This setup can represent a company network with a few servers hosted on a public cloud (data center), where isolation is required between servers to guarantee that the data of one division is not accessible to the other divisions. It can also represent two companies co-hosting their server infrastructures in a data center, with the same isolation constraints for data flows:

  • CustomerA should only be entitled to connect to ServerA.
  • CustomerB should only be entitled to connect to ServerB.
  • ServerA and ServerB should be completely isolated.
  • Traffic from CustomerA and CustomerB to Security Gateway (DC VPN GW) should be secured.

Two main requirements have been raised in the section above:

  • Securing traffic between customer site and Data Center.
  • Isolating traffic inside the Data Center.

To fulfill the security requirement between the customer’s site (Remote VPN Gateways) and the data center (DC VPN Gateway), we will use IPsec tunneling. The isolation requirement inside the DC VPN Gateway will be handled thanks to Virtual Routing and Forwarding (VRF) instances, implemented as namespaces.

Two options can address this case. Each uses a different segmentation approach to isolate the traffic on the server side. As both options are functionally equivalent, we will focus only on option B for the implementation part.

Option A

Traffic segmentation based on ports:

  • Each server is connected to a separate Networking Port.
  • Each port is located in a separate VRF (namespace).
  • Traffic crossing VRFs is secured.

Option B

Traffic segmentation based on VLANs:

  • Each server uses a dedicated VLAN.
  • Each VLAN is terminated on a separate VRF.
  • Traffic crossing VRFs is secured.


C: Implementation (Option B)

In order to cover the most complex use case, we will consider both customers using overlapping networks. We will also terminate the VPN on the loopback 1 interface of the DC VPN Gateway.

The following schema describes the chosen setup:

Our test criteria to validate that the setup works as expected are the following:

  • PCs on either side should be able to successfully initiate an IPsec connection.
  • PC 10.10.10.100 behind the Cust2 Remote VPN Gateway should be able to initiate a connection and communicate with 100.124.2.100 in VRF 2 behind the DC VPN Gateway, and vice versa.
  • PC 10.10.10.100 behind the Cust3 Remote VPN Gateway should be able to initiate a connection and communicate with 100.124.3.100 in VRF 3 behind the DC VPN Gateway, and vice versa.

10.10.10.100 should be translated (port address translation) to the IP address of the respective egress sub-interface on the DC VPN Gateway when communicating with 100.124.2.100 (in case of Cust2) and 100.124.3.100 (in case of Cust3).


D: Configurations

a. Linux based configurations

PC for Cust2:

ip link add name vlan2 link eth1 type vlan id 2
ip link set dev vlan2 up
ip addr add 100.124.2.100/24 dev vlan2
ip route add 10.10.10.0/24 via 100.124.2.1

PC for Cust3:

ip link add name vlan3 link eth1 type vlan id 3
ip link set dev vlan3 up
ip addr add 100.124.3.100/24 dev vlan3
ip route add 10.10.10.0/24 via 100.124.3.1

Remote VPN GW Cust2:

sysctl -q -w net.ipv4.conf.all.forwarding=1
sysctl -q -w net.ipv6.conf.all.forwarding=1
sysctl -q -w net.ipv4.conf.all.rp_filter=0
sysctl -q -w net.ipv4.conf.default.rp_filter=0

ip link set eth1 up
ip link set eth2 up
ip addr add 10.23.1.2/24 dev eth1

# Configure VLAN
ip link add name vlan2 link eth2 type vlan id 2
ip link set dev vlan2 up
ip addr add 10.10.10.1/24 dev vlan2

# Configure SVTI
ip link add name svti2 type vti local 10.23.1.2 remote 10.23.1.1 key 0x1
ip link set dev svti2 mtu 1370
ip link set dev svti2 up

# Configure IPsec: manual keying, the SPI and keys of each direction must match the DC VPN GW
ip xfrm state add src 10.23.1.1 dst 10.23.1.2 proto esp spi 1 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a1' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6' 96 \
    flag align4 mark 0x1

ip xfrm state add src 10.23.1.2 dst 10.23.1.1 proto esp spi 2 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a1' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6' 96 \
    flag align4 mark 0x1

# Mark-based policies: only traffic routed through svti2 (key 0x1) hits these templates
ip xfrm policy add dir out tmpl src 10.23.1.2 dst 10.23.1.1 proto esp mode tunnel mark 0x1
ip xfrm policy add dir in tmpl src 10.23.1.1 dst 10.23.1.2 proto esp mode tunnel mark 0x1

# Add route
ip route add 100.124.2.0/24 dev svti2

Remote VPN GW Cust3:

sysctl -q -w net.ipv4.conf.all.forwarding=1
sysctl -q -w net.ipv6.conf.all.forwarding=1
sysctl -q -w net.ipv4.conf.all.rp_filter=0
sysctl -q -w net.ipv4.conf.default.rp_filter=0

ip link set eth1 up
ip link set eth2 up
ip addr add 10.23.1.3/24 dev eth1

# Configure VLAN
ip link add name vlan3 link eth2 type vlan id 3
ip link set dev vlan3 up
ip addr add 10.10.10.1/24 dev vlan3

# Configure SVTI
ip link add name svti3 type vti local 10.23.1.3 remote 10.23.1.1 key 0x1
ip link set dev svti3 mtu 1370
ip link set dev svti3 up

# Configure IPsec: SPIs 3/4 and the second key pair, as installed for Customer 3 on the DC VPN GW
ip xfrm state add src 10.23.1.1 dst 10.23.1.3 proto esp spi 3 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a2' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e7' 96 \
    flag align4 mark 0x1

ip xfrm state add src 10.23.1.3 dst 10.23.1.1 proto esp spi 4 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a2' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e7' 96 \
    flag align4 mark 0x1

# Mark-based policies: only traffic routed through svti3 (key 0x1 on this gateway) hits these templates
ip xfrm policy add dir out tmpl src 10.23.1.3 dst 10.23.1.1 proto esp mode tunnel mark 0x1
ip xfrm policy add dir in tmpl src 10.23.1.1 dst 10.23.1.3 proto esp mode tunnel mark 0x1

# Add route
ip route add 100.124.3.0/24 dev svti3

DC VPN GW:

# Prepare netns
ip netns add vrf1
ip netns exec vrf1 sysctl -q -w net.ipv4.conf.all.forwarding=1
ip netns exec vrf1 sysctl -q -w net.ipv6.conf.all.forwarding=1
ip netns exec vrf1 sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec vrf1 sysctl -q -w net.ipv4.conf.default.rp_filter=0
ip netns exec vrf1 ip link set lo up

ip netns add vrf2
ip netns exec vrf2 sysctl -q -w net.ipv4.conf.all.forwarding=1
ip netns exec vrf2 sysctl -q -w net.ipv6.conf.all.forwarding=1
ip netns exec vrf2 sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec vrf2 sysctl -q -w net.ipv4.conf.default.rp_filter=0
ip netns exec vrf2 ip link set lo up

ip netns add vrf3
ip netns exec vrf3 sysctl -q -w net.ipv4.conf.all.forwarding=1
ip netns exec vrf3 sysctl -q -w net.ipv6.conf.all.forwarding=1
ip netns exec vrf3 sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec vrf3 sysctl -q -w net.ipv4.conf.default.rp_filter=0
ip netns exec vrf3 ip link set lo up

### To Servers
ip link set lo up
ip addr add 1.1.1.1/32 dev lo
ip link set eth2 up
ip addr add 10.23.1.1/24 dev eth2

### To Customers
ip link set dev eth1 down
ip link set dev eth1 netns vrf1
ip netns exec vrf1 ip link set dev eth1 up

#########
### Customer 2
#####

# Create VLAN iface
ip netns exec vrf1 ip link add name vlan2 link eth1 type vlan id 2
ip netns exec vrf1 ip link set dev vlan2 netns vrf2

# Create SVTI iface
ip link add name svti2 type vti local 1.1.1.1 remote 10.23.1.2 key 0x1
ip link set dev svti2 netns vrf2

# Configure IPsec (in the root namespace, where svti2 was created; mark 0x1 = svti2 key)
ip xfrm state add src 10.23.1.1 dst 10.23.1.2 proto esp spi 1 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a1' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6' 96 \
    flag align4 mark 0x1

ip xfrm state add src 10.23.1.2 dst 10.23.1.1 proto esp spi 2 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a1' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6' 96 \
    flag align4 mark 0x1

ip xfrm policy add dir out tmpl src 10.23.1.1 dst 10.23.1.2 proto esp mode tunnel mark 0x1
ip xfrm policy add dir in tmpl src 10.23.1.2 dst 10.23.1.1 proto esp mode tunnel mark 0x1

# Configure VLAN
ip netns exec vrf2 ip link set dev vlan2 up
ip netns exec vrf2 ip addr add 100.124.2.1/24 dev vlan2

# Configure SVTI
ip netns exec vrf2 ip link set dev svti2 mtu 1370
ip netns exec vrf2 ip link set dev svti2 up

# Add route
ip netns exec vrf2 ip route add 10.10.10.0/24 dev svti2

###############
### Customer 3
#####

# Create VLAN iface
ip netns exec vrf1 ip link add name vlan3 link eth1 type vlan id 3
ip netns exec vrf1 ip link set dev vlan3 netns vrf3

# Create SVTI iface
ip link add name svti3 type vti local 1.1.1.1 remote 10.23.1.3 key 0x2
ip link set dev svti3 netns vrf3

# Configure IPsec (distinct SPIs, keys and mark 0x2 = svti3 key, so the two customers never share an SA)
ip xfrm state add src 10.23.1.1 dst 10.23.1.3 proto esp spi 3 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a2' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e7' 96 \
    flag align4 mark 0x2

ip xfrm state add src 10.23.1.3 dst 10.23.1.1 proto esp spi 4 mode tunnel \
    enc 'cbc(aes)' '0xb0abdba8b782ad9d364ec81e3a7d82a2' \
    auth-trunc 'hmac(sha1)' '0xe26609ebd00acb6a4d51fca13e49ea78a72c73e7' 96 \
    flag align4 mark 0x2

ip xfrm policy add dir out tmpl src 10.23.1.1 dst 10.23.1.3 proto esp mode tunnel mark 0x2
ip xfrm policy add dir in tmpl src 10.23.1.3 dst 10.23.1.1 proto esp mode tunnel mark 0x2

# Configure VLAN
ip netns exec vrf3 ip link set dev vlan3 up
ip netns exec vrf3 ip addr add 100.124.3.1/24 dev vlan3

# Configure SVTI
ip netns exec vrf3 ip link set dev svti3 mtu 1370
ip netns exec vrf3 ip link set dev svti3 up

# Add route
ip netns exec vrf3 ip route add 10.10.10.0/24 dev svti3

# Add NAT
ip netns exec vrf3 iptables -t nat -A POSTROUTING -o vlan3 -j MASQUERADE

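With manual keying, every SA above must be typed twice (once per gateway) and the two copies drift easily. Here is an added Python check, not 6WIND tooling and not from the original post, that parses the `ip xfrm state add` lines of two peers and reports, per direction, SPI or key mismatches, plus inbound (dst, SPI) pairs reused on one gateway; the sample tables and the placeholder keys are constructed, following the addresses and SPI layout of the DC VPN GW configuration.

```python
import re
import shlex

def parse_xfrm_states(text):
    """{(src, dst): {'spi': int, 'enc': (alg, key), 'auth': (alg, key)}} from 'ip xfrm state add' lines."""
    sas = {}
    for line in text.replace("\\\n", " ").splitlines():   # join backslash continuations
        m = re.search(r"ip xfrm state add (.*)", line)
        if not m:
            continue
        tok, sa, i = shlex.split(m.group(1)), {}, 0
        while i < len(tok):
            if tok[i] in ("src", "dst", "spi"):
                sa[tok[i]] = tok[i + 1]
                i += 2
            elif tok[i] in ("enc", "auth-trunc"):
                sa[tok[i]] = (tok[i + 1], tok[i + 2])   # algorithm, key
                i += 3
            else:
                i += 1                                  # proto, mode, flag, mark, ...
        sas[(sa["src"], sa["dst"])] = {"spi": int(sa["spi"], 0),
                                       "enc": sa["enc"], "auth": sa["auth-trunc"]}
    return sas

def sas_with_peer(sas, peer):
    """Restrict a gateway's table to the SAs of the tunnel towards address peer."""
    return {k: v for k, v in sas.items() if peer in k}

def compare_peers(local, remote):
    """Fields on which the two peers disagree for the same (src, dst) SA."""
    problems = []
    for src, dst in sorted(set(local) | set(remote)):
        a, b = local.get((src, dst)), remote.get((src, dst))
        if a is None or b is None:
            problems.append(f"{src}->{dst}: present on one peer only")
            continue
        problems += [f"{src}->{dst}: {f} differs" for f in ("spi", "enc", "auth") if a[f] != b[f]]
    return problems

def inbound_spi_collisions(sas, own_addrs):
    """(dst, spi) reused by inbound SAs with different sources: ESP lookup keys on (dst, spi)."""
    seen, collisions = {}, []
    for (src, dst), sa in sas.items():
        if dst in own_addrs:
            first = seen.setdefault((dst, sa["spi"]), src)
            if first != src:
                collisions.append((dst, sa["spi"], first, src))
    return collisions

# Constructed sample: placeholder keys; SPIs 1/2 for Customer 2 and 3/4 for Customer 3 as above.
def xfrm_line(src, dst, spi, key, mark):
    return (f"ip xfrm state add src {src} dst {dst} proto esp spi {spi} mode tunnel "
            f"enc 'cbc(aes)' {key} auth-trunc 'hmac(sha1)' {key} 96 flag align4 mark {mark}")

DC_GW = "\n".join([xfrm_line("10.23.1.1", "10.23.1.2", 1, "0xKEY_CUST2", "0x1"),
                   xfrm_line("10.23.1.2", "10.23.1.1", 2, "0xKEY_CUST2", "0x1"),
                   xfrm_line("10.23.1.1", "10.23.1.3", 3, "0xKEY_CUST3", "0x2"),
                   xfrm_line("10.23.1.3", "10.23.1.1", 4, "0xKEY_CUST3", "0x2")])
# A Customer 3 remote gateway that mistakenly copied Customer 2's SPIs and key.
REMOTE_CUST3 = "\n".join([xfrm_line("10.23.1.1", "10.23.1.3", 1, "0xKEY_CUST2", "0x1"),
                          xfrm_line("10.23.1.3", "10.23.1.1", 2, "0xKEY_CUST2", "0x1")])

def check_cust3():
    """Mismatches for the Customer 3 tunnel and inbound SPI collisions on the DC side."""
    dc, remote = parse_xfrm_states(DC_GW), parse_xfrm_states(REMOTE_CUST3)
    return compare_peers(sas_with_peer(dc, "10.23.1.3"), remote), inbound_spi_collisions(dc, {"10.23.1.1"})
```

Feed it the real `ip xfrm state` output of both gateways (keys included) before bringing a tunnel up; a silent SPI mismatch otherwise shows up only as dropped ESP packets.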

b. CLI based configuration

In the following section we provide the same configuration based on 6WIND’s CLI. For more details on the 6WIND CLI and its syntax, please visit: https://doc.6wind.com/turbo-ipsec/

We will use the configuration file “myconfig” on all devices. After saving the configuration on each device, the following command applies it:

router{}apply conf myconfig

PC for Cust2:

router{}edit conf myconfig
router{conf:myconfig}vlan2
router{conf:myconfig-vlan2}interface up
router{conf:myconfig-vlan2}bind eth1 id 2
router{conf:myconfig-vlan2}ipaddress 100.124.2.100/24
router{conf:myconfig-vlan2}exit

router{conf:myconfig}eth1
router{conf:myconfig-eth1}interface up
router{conf:myconfig-eth1}exit

router{conf:myconfig}rtg
router{conf:myconfig-rtg}route 10.10.10.0/24 100.124.2.1
router{conf:myconfig-rtg}exit

router{conf:myconfig}save

PC for Cust3:

router{}edit conf myconfig
router{conf:myconfig}vlan3
router{conf:myconfig-vlan3}interface up
router{conf:myconfig-vlan3}bind eth1 id 3
router{conf:myconfig-vlan3}ipaddress 100.124.3.100/24
router{conf:myconfig-vlan3}exit

router{conf:myconfig}eth1
router{conf:myconfig-eth1}interface up
router{conf:myconfig-eth1}exit

router{conf:myconfig}rtg
router{conf:myconfig-rtg}route 10.10.10.0/24 100.124.3.1
router{conf:myconfig-rtg}exit

router{conf:myconfig}save

Remote VPN GW Cust2:

router{}edit conf myconfig

router{conf:myconfig}eth1
router{conf:myconfig-eth1}interface up
router{conf:myconfig-eth1}ipaddress 10.23.1.2/24
router{conf:myconfig-eth1}exit

router{conf:myconfig}eth2
router{conf:myconfig-eth2}interface up
router{conf:myconfig-eth2}exit

# Configure VLAN
router{conf:myconfig}vlan2
router{conf:myconfig-vlan2}interface up
router{conf:myconfig-vlan2}bind eth2 id 2
router{conf:myconfig-vlan2}ipaddress 10.10.10.1/24
router{conf:myconfig-vlan2}exit

# Configure SVTI
router{conf:myconfig}svti2
router{conf:myconfig-svti2}interface up
router{conf:myconfig-svti2}mtu 1370
router{conf:myconfig-svti2}tunnel 10.23.1.2 10.23.1.1
router{conf:myconfig-svti2}exit

# Configure IPsec
router{conf:myconfig}sec
router{conf:myconfig-sec}ipsec enable
router{conf:myconfig-sec}vpn vpn2 static 10.23.1.2 10.23.1.1 svti svti2
router{conf:myconfig-sec}ipsec-rule vpn2_rule 0.0.0.0/0 0.0.0.0/0 any esp tunnel vpn2

router{conf:myconfig-sec}sa esp 10.23.1.2 10.23.1.1 svti svti2 0x1000 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}sa esp 10.23.1.1 10.23.1.2 svti svti2 0x1100 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}exit

# Add route
router{conf:myconfig}rtg
router{conf:myconfig-rtg}route 100.124.2.0/24 svti2
router{conf:myconfig-rtg}exit

router{conf:myconfig}save

Remote VPN GW Cust3:

router{}edit conf myconfig

router{conf:myconfig}eth1
router{conf:myconfig-eth1}interface up
router{conf:myconfig-eth1}ipaddress 10.23.1.3/24
router{conf:myconfig-eth1}exit

router{conf:myconfig}eth2
router{conf:myconfig-eth2}interface up
router{conf:myconfig-eth2}exit

# Configure VLAN
router{conf:myconfig}vlan3
router{conf:myconfig-vlan3}interface up
router{conf:myconfig-vlan3}bind eth2 id 3
router{conf:myconfig-vlan3}ipaddress 10.10.10.1/24
router{conf:myconfig-vlan3}exit

# Configure SVTI
router{conf:myconfig}svti3
router{conf:myconfig-svti3}interface up
router{conf:myconfig-svti3}mtu 1370
router{conf:myconfig-svti3}tunnel 10.23.1.3 10.23.1.1
router{conf:myconfig-svti3}exit

# Configure IPsec
router{conf:myconfig}sec
router{conf:myconfig-sec}ipsec enable
router{conf:myconfig-sec}vpn vpn3 static 10.23.1.3 10.23.1.1 svti svti3
router{conf:myconfig-sec}ipsec-rule vpn3_rule 0.0.0.0/0 0.0.0.0/0 any esp tunnel vpn3

router{conf:myconfig-sec}sa esp 10.23.1.3 10.23.1.1 svti svti3 0x1000 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}sa esp 10.23.1.1 10.23.1.3 svti svti3 0x1100 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}exit

# Add route
router{conf:myconfig}rtg
router{conf:myconfig-rtg}route 100.124.3.0/24 svti3
router{conf:myconfig-rtg}exit

router{conf:myconfig}save

DC VPN GW:

router{}edit conf myconfig

# Prepare netns
router{conf:myconfig}vrf1
router{conf:myconfig-vrf1}forwarding on
router{conf:myconfig-vrf1}exit

router{conf:myconfig}vrf2
router{conf:myconfig-vrf2}forwarding on
router{conf:myconfig-vrf2}exit

router{conf:myconfig}vrf3
router{conf:myconfig-vrf3}forwarding on
router{conf:myconfig-vrf3}exit

### To Servers
router{conf:myconfig}loopback0
router{conf:myconfig-loopback0}interface up
router{conf:myconfig-loopback0}vrf-id 1
router{conf:myconfig-loopback0}ipaddress 1.1.1.1/32
router{conf:myconfig-loopback0}exit

router{conf:myconfig}eth2
router{conf:myconfig-eth2}interface up
router{conf:myconfig-eth2}ipaddress 10.23.1.1/24
router{conf:myconfig-eth2}exit

### To Customers
router{conf:myconfig}eth1
router{conf:myconfig-eth1}interface up
router{conf:myconfig-eth1}vrf-id 1
router{conf:myconfig-eth1}exit

###############
### Customer 2
#####

# Create VLAN iface
router{conf:myconfig}vlan2
router{conf:myconfig-vlan2}interface up
router{conf:myconfig-vlan2}vrf-id 2
router{conf:myconfig-vlan2}bind eth1 id 2
router{conf:myconfig-vlan2}ipaddress 100.124.2.1/24
router{conf:myconfig-vlan2}exit

# Create SVTI iface
router{conf:myconfig}svti2
router{conf:myconfig-svti2}interface up
router{conf:myconfig-svti2}vrf-id 2
router{conf:myconfig-svti2}mtu 1370
router{conf:myconfig-svti2}tunnel 1.1.1.1 10.23.1.2 link-vrf-id 0
router{conf:myconfig-svti2}exit

# Configure IPsec
router{conf:myconfig}sec
router{conf:myconfig-sec}ipsec enable
router{conf:myconfig-sec}vpn vpn2 static 10.23.1.1 10.23.1.2 vrf-id 2 svti svti2
router{conf:myconfig-sec}ipsec-rule vpn2_rule 0.0.0.0/0 0.0.0.0/0 any esp tunnel vpn2

# Each direction must carry the same SPI as on the Remote VPN GW: 0x1100 from the DC to the customer, 0x1000 from the customer to the DC
router{conf:myconfig-sec}sa esp 10.23.1.1 10.23.1.2 vrf-id 2 svti svti2 0x1100 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}sa esp 10.23.1.2 10.23.1.1 vrf-id 2 svti svti2 0x1000 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}exit

###############
### Customer 3
#####

# Create VLAN iface
router{conf:myconfig}vlan3
router{conf:myconfig-vlan3}interface up
router{conf:myconfig-vlan3}vrf-id 3
router{conf:myconfig-vlan3}bind eth1 id 3
router{conf:myconfig-vlan3}ipaddress 100.124.3.1/24
router{conf:myconfig-vlan3}exit

# Create SVTI iface
router{conf:myconfig}svti3
router{conf:myconfig-svti3}interface up
router{conf:myconfig-svti3}vrf-id 3
router{conf:myconfig-svti3}mtu 1370
router{conf:myconfig-svti3}tunnel 1.1.1.1 10.23.1.3 link-vrf-id 0
router{conf:myconfig-svti3}exit

# Configure IPsec
router{conf:myconfig}sec
router{conf:myconfig-sec}ipsec enable
router{conf:myconfig-sec}vpn vpn3 static 10.23.1.1 10.23.1.3 vrf-id 3 svti svti3
router{conf:myconfig-sec}ipsec-rule vpn3_rule 0.0.0.0/0 0.0.0.0/0 any esp tunnel vpn3

# Same rule as for Customer 2: SPIs per direction match the Remote VPN GW Cust3 configuration
router{conf:myconfig-sec}sa esp 10.23.1.1 10.23.1.3 vrf-id 3 svti svti3 0x1100 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}sa esp 10.23.1.3 10.23.1.1 vrf-id 3 svti svti3 0x1000 tunnel aes-cbc '0xb0abdba8b782ad9d364ec81e3a7d82a1'

router{conf:myconfig-sec}exit

# Add route
router{conf:myconfig}rtg
router{conf:myconfig-rtg}route 10.10.10.0/24 svti2 vrf-id 2
router{conf:myconfig-rtg}route 10.10.10.0/24 svti3 vrf-id 3
router{conf:myconfig-rtg}exit

# Add NAT
router{conf:myconfig}nat
router{conf:myconfig-nat}public interface vlan3
router{conf:myconfig-nat-vlan3}nat enable
router{conf:myconfig-nat-vlan3}exit
router{conf:myconfig-nat}exit

router{conf:myconfig}save


Conclusion:

Securing data crossing public networks, or even shared private networks, is a mandatory requirement to protect businesses. This blog addressed the most common problems that network builders face when securing and isolating traffic.

We described how, by moving physical interfaces into separate VRFs, we can build an elegant solution for configurations that require isolation. At the same time, we used IPsec to encrypt and authenticate the original packets, providing secure transport for the payload and hiding its content from prying eyes in untrusted parts of the transit network. We could also add ACLs on the physical interfaces as a final layer of security; this could be the subject of a next blog.

There is obviously more than one solution to the described problem. This blog does not aim at listing all of them; it only gives an idea of how the problem can be addressed and how the solution can be applied on a 6WIND Turbo IPsec vRouter. Contact us to discuss how 6WIND’s vRouter can help your network security.


Karim Mchirki is Pre-Sales Engineer at 6WIND.