# IPsec-VPP Case
## Introduction

This guide provides a comprehensive, step-by-step tutorial for establishing secure IP Security (IPsec) VPN tunnels on the Asterfusion ET2500 Open Intelligent Gateway. By leveraging the high-performance VPP data plane, you will learn how to build encrypted networks that are both secure and scalable.

### What This Guide Will Accomplish

By following this guide, you will learn how to deploy robust VPN architectures ranging from simple point-to-point connections to complex multi-site enterprise networks. The scenarios covered are:

- **Scenario 1: Site-to-Site VPN (Direct Connection).** Establishing a standard point-to-point tunnel between two gateways.
- **Scenario 2: Hub-and-Spoke VPN (Multi-Site).** Configuring a central hub gateway to accept concurrent connections from multiple branch offices.
- **Scenario 3: NAT Traversal (NAT-T).** Deploying a branch gateway behind a NAT device using ID masquerading.

## Scenario 1: Site-to-Site VPN (Direct Connection)

### 1. Scenario Overview

We establish a standard tunnel between two sites. To optimize the process, we assign distinct roles:

- **Site B (Responder):** configures parameters and passively waits.
- **Site A (Initiator):** configures parameters and triggers the negotiation by binding the policy to the interface.

### 2. Network Topology Plan

| Role | Device | WAN IP (Underlay) | LAN IP (Overlay) | Protected Subnet |
|---|---|---|---|---|
| Site A (Initiator) | AsterNOS | 192.168.200.166 | 20.20.20.1 | 20.20.20.0/24 |
| Site B (Responder) | AsterNOS | 192.168.200.177 | 10.10.10.1 | 10.10.10.0/24 |

### 3. Configuration Steps

**Step 1: Initialize Network (Interfaces & Routing)**

```
sonic# configure terminal
# Example on Site A (.166)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.200.166/24
sonic(config-if-1)# exit
sonic(config)# ip route 0.0.0.0/0 192.168.200.1

# (Perform symmetrical configuration on Site B .177)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.200.177/24
sonic(config-if-1)# exit
sonic(config)# ip route 0.0.0.0/0 192.168.200.1
```

**Step 2: Configure Site B (Responder, .177)**

Define the policy globally, then bind it to the interface to enable listening.

```
# Define global policy
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared-key-mic string test1234
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 192.168.200.177
sonic(config-ipsec-test)# ike remote type ip4 data 192.168.200.166
# Traffic selector (local 10.x <-> remote 20.x)
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 10.10.10.0 addr-end 10.10.10.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 20.20.20.0 addr-end 20.20.20.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src-ip 192.168.200.177 dst-ip 192.168.200.166 next-hop 192.168.200.166 remote-ip 20.20.20.0/24 shared-interface ethernet1
sonic(config-ipsec-test)# exit
```

**Step 3: Configure Site A (Initiator, .166)**

Define the policy globally. The final step of binding it to the interface triggers the negotiation.

```
# 1. Define global policy
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared-key-mic string test1234
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 192.168.200.166
sonic(config-ipsec-test)# ike remote type ip4 data 192.168.200.177
# Traffic selector (local 20.x <-> remote 10.x)
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 20.20.20.0 addr-end 20.20.20.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 10.10.10.0 addr-end 10.10.10.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src-ip 192.168.200.166 dst-ip 192.168.200.177 next-hop 192.168.200.177 remote-ip 10.10.10.0/24 shared-interface ethernet1
sonic(config-ipsec-test)# exit

# 2. Bind to WAN interface (triggers connection)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ipsec test peer ip4 192.168.200.177
sonic(config-if-1)# exit
```

### 4. Verification

## Scenario 2: Hub-and-Spoke VPN (Multi-Site)

### 1. Scenario Overview

- **Hub (.188): Responder.** Configures policies globally and binds them to the interface to listen.
- **Spokes (.166 / .177): Initiators.** Configure policies globally and trigger negotiation by binding to the interface.

### 2. Network Topology Plan

| Role | Device | WAN IP (Underlay) | LAN IP (Overlay) | Protected Subnet |
|---|---|---|---|---|
| Hub (HQ) | AsterNOS | 192.168.200.188 | 30.30.30.1 | 30.30.30.0/24 |
| Spoke 1 | AsterNOS | 192.168.200.166 | 20.20.20.1 | 20.20.20.0/24 |
| Spoke 2 | AsterNOS | 192.168.200.177 | 10.10.10.1 | 10.10.10.0/24 |

### 3. Configuration Steps

**Step 1: Initialize Hub Network (.188)**

```
# WAN
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.200.188/24
sonic(config-if-1)# no shutdown
sonic(config-if-1)# exit
# LAN
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 30.30.30.1/24
sonic(config-if-2)# no shutdown
sonic(config-if-2)# exit
# Route
sonic(config)# ip route 0.0.0.0/0 192.168.200.1
sonic(config)# exit
```

**Step 2: Configure Hub (Responder, .188)**

Define two separate policies (one for each spoke) and bind both to the WAN interface.

```
# Policy 1: for Spoke 1
sonic(config)# ipsec peer-spoke1
sonic(config-ipsec-peer-spoke1)# shared-key-mic string test1234
sonic(config-ipsec-peer-spoke1)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-peer-spoke1)# ike local type ip4 data 192.168.200.188
sonic(config-ipsec-peer-spoke1)# ike remote type ip4 data 192.168.200.166
# Selector: Hub (30.x) <-> Spoke 1 (20.x)
sonic(config-ipsec-peer-spoke1)# ike traffic-selector local ip4 addr-start 30.30.30.0 addr-end 30.30.30.255
sonic(config-ipsec-peer-spoke1)# ike traffic-selector remote ip4 addr-start 20.20.20.0 addr-end 20.20.20.255
sonic(config-ipsec-peer-spoke1)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-peer-spoke1)# sa tunnel ip4 src-ip 192.168.200.188 dst-ip 192.168.200.166 next-hop 192.168.200.166 remote-ip 20.20.20.0/24 shared-interface ethernet1
sonic(config-ipsec-peer-spoke1)# exit

# Policy 2: for Spoke 2
sonic(config)# ipsec peer-spoke2
sonic(config-ipsec-peer-spoke2)# shared-key-mic string test1234
# (same crypto settings)
sonic(config-ipsec-peer-spoke2)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-peer-spoke2)# ike local type ip4 data 192.168.200.188
sonic(config-ipsec-peer-spoke2)# ike remote type ip4 data 192.168.200.177
# Selector: Hub (30.x) <-> Spoke 2 (10.x)
sonic(config-ipsec-peer-spoke2)# ike traffic-selector local ip4 addr-start 30.30.30.0 addr-end 30.30.30.255
sonic(config-ipsec-peer-spoke2)# ike traffic-selector remote ip4 addr-start 10.10.10.0 addr-end 10.10.10.255
sonic(config-ipsec-peer-spoke2)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-peer-spoke2)# sa tunnel ip4 src-ip 192.168.200.188 dst-ip 192.168.200.177 next-hop 192.168.200.177 remote-ip 10.10.10.0/24 shared-interface ethernet1
sonic(config-ipsec-peer-spoke2)# exit
```

**Step 3: Configure Spoke 1 (Initiator, .166)**

```
# 1. Global policy
sonic(config)# ipsec to-hub
sonic(config-ipsec-to-hub)# shared-key-mic string test1234
sonic(config-ipsec-to-hub)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-to-hub)# ike local type ip4 data 192.168.200.166
sonic(config-ipsec-to-hub)# ike remote type ip4 data 192.168.200.188
sonic(config-ipsec-to-hub)# ike traffic-selector local ip4 addr-start 20.20.20.0 addr-end 20.20.20.255
sonic(config-ipsec-to-hub)# ike traffic-selector remote ip4 addr-start 30.30.30.0 addr-end 30.30.30.255
sonic(config-ipsec-to-hub)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-to-hub)# sa tunnel ip4 src-ip 192.168.200.166 dst-ip 192.168.200.188 next-hop 192.168.200.188 remote-ip 30.30.30.0/24 shared-interface ethernet1
sonic(config-ipsec-to-hub)# exit

# 2. Interface binding (trigger)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ipsec to-hub peer ip4 192.168.200.188
sonic(config-if-1)# exit
```

**Step 4: Configure Spoke 2 (Initiator, .177)**

```
# 1. Global policy
sonic(config)# ipsec to-hub
sonic(config-ipsec-to-hub)# shared-key-mic string test1234
sonic(config-ipsec-to-hub)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-to-hub)# ike local type ip4 data 192.168.200.177
sonic(config-ipsec-to-hub)# ike remote type ip4 data 192.168.200.188
sonic(config-ipsec-to-hub)# ike traffic-selector local ip4 addr-start 10.10.10.0 addr-end 10.10.10.255
sonic(config-ipsec-to-hub)# ike traffic-selector remote ip4 addr-start 30.30.30.0 addr-end 30.30.30.255
sonic(config-ipsec-to-hub)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-to-hub)# sa tunnel ip4 src-ip 192.168.200.177 dst-ip 192.168.200.188 next-hop 192.168.200.188 remote-ip 30.30.30.0/24 shared-interface ethernet1
sonic(config-ipsec-to-hub)# exit

# 2. Interface binding (trigger)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ipsec to-hub peer ip4 192.168.200.188
sonic(config-if-1)# exit
```

### 4. Verification

We verify the multi-site connectivity by generating traffic from each spoke to the hub and analyzing the captured packets using Wireshark.

**A. Traffic Generation**

Initiate continuous UDP traffic from both branch offices to the headquarters using iperf3 to generate a stable stream of encrypted packets.

1. From Spoke 1 (PC A):

```
# Send 10 Mbps UDP traffic to Hub LAN (30.30.30.100)
iperf3 -c 30.30.30.100 -u -b 10M -t 100
```

2. From Spoke 2 (PC B):

```
# Send 10 Mbps UDP traffic to Hub LAN (30.30.30.100)
iperf3 -c 30.30.30.100 -u -b 10M -t 100
```

**B. Capture Analysis (Tunnel 1: Spoke 1 -> Hub)**

The screenshot below confirms that traffic from Spoke 1 (.166) is arriving at the hub (.188) as encrypted ESP packets.

**C. Capture Analysis (Tunnel 2: Spoke 2 -> Hub)**

The screenshot below confirms that traffic from Spoke 2 (.177) is also arriving at the hub (.188) as a distinct stream of encrypted ESP packets.

## Scenario 3: NAT Traversal (NAT-T) with ID Masquerading

### 1. Scenario Overview

In this scenario, the branch gateway is deployed behind a NAT device (e.g., an ISP optical modem) and does not have a public IP address.

**Key configuration strategy (ID masquerading):**

- **Branch side:** the branch gateway "masquerades" its identity by claiming to be the NAT device's public IP (.166) during IKE negotiation.
- **HQ side:** the HQ gateway is configured to peer with the NAT device's public IP (.166) directly.

### 2. Network Topology Plan (Linear Chain)

| Role | Device | Interface | IP Address | Function | Subnet Protected |
|---|---|---|---|---|---|
| HQ (Responder) | AsterNOS | eth1 (WAN) | 192.168.200.188 | Public VPN gateway | 10.10.10.0/24 |
| | | eth2 (LAN) | 10.10.10.1 | Gateway for HQ PC | |
| NAT Router | AsterNOS | eth1 (WAN) | 192.168.200.166 | Simulates ISP router | N/A |
| | | eth2 (LAN) | 192.168.100.1 | Simulates LAN gateway | |
| Branch (Initiator) | AsterNOS | eth1 (WAN) | 192.168.100.2 | Private IP (behind NAT) | 30.30.30.0/24 |
| | | eth2 (LAN) | 30.30.30.1 | Gateway for branch PC | |

### 3. Configuration Steps

**Step 1: Configure the Intermediate NAT Router (.166)**

This device acts purely as a NAT router. It translates the branch's private IP (.100.x) to the public WAN IP (.200.166).

```
# 1. Configure WAN interface (public)
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 192.168.200.166/24
sonic(config-if-1)# nat zone 1
sonic(config-if-1)# exit

# 2. Configure LAN interface (private)
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 192.168.100.1/24
sonic(config-if-2)# exit

# 3. Configure SNAT rule
# Translates all traffic from 192.168.100.0/24 to public IP 192.168.200.166
sonic(config)# nat pool pool1 192.168.200.166
sonic(config)# nat binding bind1 pool1
sonic(config)# nat enable

# 4. Default route
sonic(config)# ip route 0.0.0.0/0 192.168.200.1
sonic(config)# exit
```

**Step 2: Configure HQ Gateway (.188)**

The HQ gateway is on the public network. It is configured to peer directly with the NAT device's public IP.

```
sonic(config)# ipsec from-branch
sonic(config-ipsec)# shared-key-mic string test1234
sonic(config-ipsec)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048

# Identity configuration
# Local: my public IP (.188)
sonic(config-ipsec)# ike local type ip4 data 192.168.200.188
# Remote: the NAT device's public IP (.166)
# HQ expects the peer to identify as .166
sonic(config-ipsec)# ike remote type ip4 data 192.168.200.166

# Traffic selector (local 10.x <-> remote 30.x)
sonic(config-ipsec)# ike traffic-selector local ip4 addr-start 10.10.10.0 addr-end 10.10.10.255
sonic(config-ipsec)# ike traffic-selector remote ip4 addr-start 30.30.30.0 addr-end 30.30.30.255

# SA parameters
sonic(config-ipsec)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96

# Tunnel definition
# dst-ip points to the physically reachable NAT public IP (.166)
# next-hop points to the next-hop gateway (or directly to .166 if L2 connected)
sonic(config-ipsec)# sa tunnel ip4 src-ip 192.168.200.188 dst-ip 192.168.200.166 next-hop 192.168.200.166 remote-ip 30.30.30.0/24 shared-interface ethernet1
sonic(config-ipsec)# exit
```

**Step 3: Configure Branch Gateway (.100.2)**

The branch gateway is behind NAT. It must "masquerade" its identity to match the HQ's expectation.

```
sonic(config)# ipsec to-hq
sonic(config-ipsec)# shared-key-mic string test1234
sonic(config-ipsec)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048

# Identity configuration
# Local: masqueraded ID -> we claim to be the public NAT IP (.166)
sonic(config-ipsec)# ike local type ip4 data 192.168.200.166
# Remote: HQ public IP (.188)
sonic(config-ipsec)# ike remote type ip4 data 192.168.200.188

# Traffic selector (local 30.x <-> remote 10.x)
sonic(config-ipsec)# ike traffic-selector local ip4 addr-start 30.30.30.0 addr-end 30.30.30.255
sonic(config-ipsec)# ike traffic-selector remote ip4 addr-start 10.10.10.0 addr-end 10.10.10.255

# SA parameters
sonic(config-ipsec)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96

# Tunnel definition
# src-ip must be the real private IP (.100.2) to send packets
# next-hop points to the internal NAT gateway (.100.1)
sonic(config-ipsec)# sa tunnel ip4 src-ip 192.168.100.2 dst-ip 192.168.200.188 next-hop 192.168.100.1 remote-ip 10.10.10.0/24 shared-interface ethernet1
sonic(config-ipsec)# exit

# Bind to WAN interface
sonic(config)# interface ethernet 1
sonic(config-if-1)# ipsec to-hq peer ip4 192.168.200.188
sonic(config-if-1)# exit
```

### 4. Verification

**Data Plane Verification (NAT-T Encapsulation)**

To confirm that NAT traversal is functioning correctly, we perform a continuous ping from the branch side (30.x) to the HQ side (10.x) and capture traffic at the NAT device's WAN interface.

1. **Generate traffic (continuous ping from branch).** From a PC or the gateway on the branch side (subnet 30.30.30.0/24), ping a target IP on the HQ side (subnet 10.10.10.0/24):

```
# From branch PC (e.g., 30.30.30.100)
ping 10.10.10.100 -t
```

2. **Capture packets (on NAT device .166).** Monitor traffic on the NAT device's WAN interface (ethernet 1).

## Conclusion

This guide demonstrates that AsterNOS is a robust IPsec VPN solution capable of handling site-to-site, hub-and-spoke, and NAT-T scenarios. The validated configurations prove that the Asterfusion ET2500 ensures secure, encrypted connectivity across complex topologies. Specifically, the successful NAT traversal implementation confirms the gateway's ability to reliably connect branch offices located behind ISP NAT devices.
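Every scenario above relies on the two policies mirroring each other: IDs, traffic selectors, proposals and the shared key must agree, and in the NAT-T case the HQ's `dst-ip` must equal the ID the branch presents (the NAT public IP), not the branch's real `src-ip`. The following checker is an added example, not code from the AsterNOS documentation; the `Policy` fields and the sample values are constructed from the Scenario 3 tables.

```python
# Added example: verify that two AsterNOS ipsec policies mirror each other the way
# Scenarios 1-3 require, including the ID-masquerading case behind NAT.
import ipaddress
from typing import NamedTuple

IKE = "aes-cbc-256 sha1-96 modp-2048"   # the proposal used throughout the guide

class Policy(NamedTuple):
    psk: str
    ike: str
    local_id: str      # ike local type ip4 data
    remote_id: str     # ike remote type ip4 data
    ts_local: tuple    # ike traffic-selector local (addr-start, addr-end)
    ts_remote: tuple   # ike traffic-selector remote (addr-start, addr-end)
    dst_ip: str        # sa tunnel dst-ip: where ESP is physically sent
    remote_net: str    # sa tunnel remote-ip

def check_pair(a: Policy, b: Policy) -> list:
    """Mismatches that would make IKE or ESP negotiation between a and b fail."""
    problems = []
    if a.psk != b.psk:
        problems.append("shared key differs")
    if a.ike != b.ike:
        problems.append("IKE proposal differs")
    for mine, peer, tag in ((a, b, "a"), (b, a, "b")):
        if mine.remote_id != peer.local_id:
            problems.append(f"{tag}: remote id != peer local id")
        if mine.ts_remote != peer.ts_local:
            problems.append(f"{tag}: remote selector does not mirror peer local selector")
        # ESP must be sent to the address the peer presents as its ID; behind NAT
        # that is the NAT public IP, not the peer's real src-ip (ID masquerading).
        if mine.dst_ip != peer.local_id:
            problems.append(f"{tag}: dst-ip {mine.dst_ip} != peer id {peer.local_id}")
        net = ipaddress.ip_network(mine.remote_net)
        if (str(net[0]), str(net[-1])) != peer.ts_local:
            problems.append(f"{tag}: remote-ip {mine.remote_net} != peer local selector")
    return problems

# Constructed from Scenario 3: HQ (.188) and the branch behind the NAT router (.166).
HQ = Policy("test1234", IKE, "192.168.200.188", "192.168.200.166",
            ("10.10.10.0", "10.10.10.255"), ("30.30.30.0", "30.30.30.255"),
            "192.168.200.166", "30.30.30.0/24")
BRANCH = Policy("test1234", IKE, "192.168.200.166", "192.168.200.188",
                ("30.30.30.0", "30.30.30.255"), ("10.10.10.0", "10.10.10.255"),
                "192.168.200.188", "10.10.10.0/24")
# Constructed misconfiguration: the branch identifies with its private address.
BRANCH_BAD = BRANCH._replace(local_id="192.168.100.2")

if __name__ == "__main__":
    print(check_pair(HQ, BRANCH))       # []
    print(check_pair(HQ, BRANCH_BAD))   # two findings on the HQ side
```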
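The capture step of the NAT-T verification expects to see UDP port 4500 rather than bare ESP once both peers detect the NAT. The classifier below is an added example, not code from the page or from AsterNOS; it decodes raw IPv4 packets and tells plain ESP (protocol 50), IKE on UDP/500, IKE on UDP/4500 (four-byte non-ESP marker), UDP-encapsulated ESP (RFC 3948) and NAT keepalives apart. The sample packets are constructed with the page's addresses and carry dummy payloads.

```python
# Added example: classify what a capture on the NAT router's WAN interface should
# show in Scenario 3 (NAT-T) versus Scenarios 1 and 2 (ESP directly over IP).
import struct

def classify(pkt: bytes):
    """Return (src, dst, kind, spi) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    body = pkt[ihl:]
    if proto == 50:                                   # ESP directly over IP
        return src, dst, "ESP", struct.unpack("!I", body[:4])[0]
    if proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        udp = body[8:]
        if 500 in (sport, dport):
            return src, dst, "IKE", None
        if 4500 in (sport, dport):
            if len(udp) == 1 and udp[0] == 0xFF:      # NAT keepalive (RFC 3948 3.2)
                return src, dst, "NAT-KEEPALIVE", None
            marker = struct.unpack("!I", udp[:4])[0]
            if marker == 0:                           # non-ESP marker: IKE over 4500
                return src, dst, "IKE-NAT-T", None
            return src, dst, "ESP-UDP", marker        # SPI follows the UDP header
    return src, dst, "OTHER", None

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

NAT, HQ, SITE_B = "192.168.200.166", "192.168.200.188", "192.168.200.177"
# Constructed samples: after SNAT the source is the NAT public IP, never 192.168.100.2.
SAMPLES = [
    ipv4(NAT, HQ, 17, udp(500, 500, b"\x00" * 28)),                     # IKE_SA_INIT
    ipv4(NAT, HQ, 17, udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28)),     # IKE_AUTH via 4500
    ipv4(NAT, HQ, 17, udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16)),
    ipv4(NAT, HQ, 17, udp(4500, 4500, b"\xff")),                        # keepalive
    ipv4(NAT, SITE_B, 50, struct.pack("!II", 0x0A0B0C0D, 7) + b"\x00" * 16),  # Scenario 1
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p))
```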
