Part 3 – Azure BGP Network Triangulation

In this part we’ll setup the VyOS VM and configure the required networking options for IPsec and BGP within VyOS.

Home Network:

Like many folks my home network has a private IP address space (192.168.0.0/24) and my broadband provider supplies a single public IP address a.b.c.d. If you’d like to know you public IP address look on your router or go to a browser on your home machine and navigate to http://whatsmyip.org   or http://whatsmyip.net

My home router NAT’s internal private address space onto the public IP.

I have a small server the private network running HyperV within this I create two VM’s

One for VyOs and one for VM2 running a base install of CentOS

Before starting to configure the VyOS VM download the VyOS .iso from the download section of http://vyos.net. At the time of writing I used this 64bit stable release:
http://packages.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso

The VyOS VM needs:
1GB RAM, 1cpu, 2GB disk drive and 3 Network Adapters: 1 external and 2 internal

The VM should be set to boot off the VyOS iso image loaded to the virtual CD

Boot the VM off the iso, when presented with the login prompt enter “vyos” for the username and password, then:

$ install image
… installation stuff …
$ reboot

After the reboot  we need to configure the VyOS for both IPsec and BGP setup so it will communicate with our two gateways we setup in part 1 and part 2

This first part is standard stuff much of this may already be setup login to the VyOS VM and enter configure mode

and the enter the commands below

set service ssh port ’22’
set system config-management commit-revisions ’20’
set system console device ttyS0 speed ‘9600’
set system host-name ‘vyos’
set system login user vyos level ‘admin’
set system ntp server ‘0.pool.ntp.org’
set system ntp server ‘1.pool.ntp.org’
set system ntp server ‘2.pool.ntp.org’
set system package auto-sync ‘1’
set system package repository community components ‘main’
set system package repository community distribution ‘helium’
set system package repository community password ”
set system package repository community url ‘http://packages.vyos.net/vyos’
set system package repository community username ”
set system syslog global facility all level ‘notice’
set system syslog global facility protocols level ‘debug’
set system time-zone ‘UTC’

Next we define the 3 interfaces we are going to use

eth0 – connected to our external network (the internet), this is given a static IP address by my home router which always maps the MAC address ’00:15:5d:00:2b:06′ to the IP 192.168.0.197. This same IP address is used in the DMZ in the router

eth1 – Our internal network – set to 10.168.0.1

eth1 -address for BGP – set to 10.168.0.253/32   (a single IP net)

set interfaces ethernet eth0 address ‘dhcp’
set interfaces ethernet eth0 description ‘OUTSIDE’
set interfaces ethernet eth0 duplex ‘auto’
set interfaces ethernet eth0 hw-id ’00:15:5d:00:2b:06′
set interfaces ethernet eth0 smp_affinity ‘auto’
set interfaces ethernet eth0 speed ‘auto’
set interfaces ethernet eth1 address ‘10.168.0.1/24’
set interfaces ethernet eth1 description ‘INSIDE’
set interfaces ethernet eth1 duplex ‘auto’
set interfaces ethernet eth1 hw-id ’00:15:5d:00:2b:08′
set interfaces ethernet eth1 smp_affinity ‘auto’
set interfaces ethernet eth1 speed ‘auto’
set interfaces ethernet eth2 address ‘10.168.0.253/32’
set interfaces ethernet eth2 duplex ‘auto’
set interfaces ethernet eth2 hw-id ’00:15:5d:00:2b:0a’
set interfaces ethernet eth2 smp_affinity ‘auto’
set interfaces ethernet eth2 speed ‘auto’
set interfaces loopback ‘lo’

Set up the IPsec preamble for link West Europe’s gateway

set vpn ipsec esp-group atazure compression ‘disable’
set vpn ipsec esp-group atazure lifetime ‘3600’
set vpn ipsec esp-group atazure mode ‘tunnel’
set vpn ipsec esp-group atazure pfs ‘disable’
set vpn ipsec esp-group atazure proposal 1 encryption ‘aes256’
set vpn ipsec esp-group atazure proposal 1 hash ‘sha1’
set vpn ipsec ike-group atazure-ike ikev2-reauth ‘no’
set vpn ipsec ike-group atazure-ike key-exchange ‘ikev2’
set vpn ipsec ike-group atazure-ike lifetime ‘10800’
set vpn ipsec ike-group atazure-ike proposal 1 dh-group ‘2’
set vpn ipsec ike-group atazure-ike proposal 1 encryption ‘aes256’
set vpn ipsec ike-group atazure-ike proposal 1 hash ‘sha1’

Set up the IPsec preamble for link North Europe’s gateway

set vpn ipsec esp-group atazurene compression ‘disable’
set vpn ipsec esp-group atazurene lifetime ‘3600’
set vpn ipsec esp-group atazurene mode ‘tunnel’
set vpn ipsec esp-group atazurene pfs ‘disable’
set vpn ipsec esp-group atazurene proposal 1 encryption ‘aes256’
set vpn ipsec esp-group atazurene proposal 1 hash ‘sha1’
set vpn ipsec ike-group atazurene-ike ikev2-reauth ‘no’
set vpn ipsec ike-group atazurene-ike key-exchange ‘ikev2’
set vpn ipsec ike-group atazurene-ike lifetime ‘10800’
set vpn ipsec ike-group atazurene-ike proposal 1 dh-group ‘2’
set vpn ipsec ike-group atazurene-ike proposal 1 encryption ‘aes256’
set vpn ipsec ike-group atazurene-ike proposal 1 hash ‘sha1’

set vpn ipsec ipsec-interfaces interface ‘eth0’
set vpn ipsec nat-traversal ‘enable’

Initiate tunnel to North Europe:

set vpn ipsec site-to-site peer p.q.r.s  authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer p.q.r.s   authentication pre-shared-secret ‘abc1234’
set vpn ipsec site-to-site peer p.q.r.s   connection-type ‘initiate’
set vpn ipsec site-to-site peer p.q.r.s   default-esp-group ‘atazurene’
set vpn ipsec site-to-site peer p.q.r.s   description ‘VNet GW Az Nrth Eur’
set vpn ipsec site-to-site peer p.q.r.s   ike-group ‘atazurene-ike’
set vpn ipsec site-to-site peer p.q.r.s   ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer p.q.r.s   local-address ‘192.168.0.197’
set vpn ipsec site-to-site peer p.q.r.s  tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer p.q.r.s  tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer p.q.r.s tunnel 1 local prefix ‘10.168.0.0/24’
set vpn ipsec site-to-site peer p.q.r.s  tunnel 1 remote prefix ‘10.0.0.0/8’

Initiate tunnel to West Europe:

set vpn ipsec site-to-site peer w.x.y.z authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer w.x.y.z authentication pre-shared-secret ‘abc1234’
set vpn ipsec site-to-site peer w.x.y.z connection-type ‘initiate’
set vpn ipsec site-to-site peer w.x.y.z default-esp-group ‘atazurene’
set vpn ipsec site-to-site peer w.x.y.z description ‘VNet GW Az Nrth Eur’
set vpn ipsec site-to-site peer w.x.y.z ike-group ‘atazurene-ike’
set vpn ipsec site-to-site peer w.x.y.z ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer w.x.y.z local-address ‘192.168.0.197’
set vpn ipsec site-to-site peer w.x.y.z tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer w.x.y.z tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer w.x.y.z tunnel 1 local prefix ‘10.168.0.0/24’
set vpn ipsec site-to-site peer w.x.y.z tunnel 1 remote prefix ‘10.0.0.0/8’

Default route – and blackhole route for BGP and set private ASN number

set protocols static route 0.0.0.0/0 next-hop ‘192.168.0.1’
set protocols static route 10.168.0.0/24 ‘blackhole’
set protocols bgp 65168 network ‘10.168.0.0/24’

BGP for West Europe

set protocols bgp 65168 neighbor 10.10.0.14 ebgp-multihop ‘8’
set protocols bgp 65168 neighbor 10.10.0.14 remote-as ‘65010’
set protocols bgp 65168 neighbor 10.10.0.14 soft-reconfiguration ‘inbound’

BGP for North Europe

set protocols bgp 65168 neighbor 10.11.0.14 ebgp-multihop ‘8’
set protocols bgp 65168 neighbor 10.11.0.14 remote-as ‘65011’
set protocols bgp 65168 neighbor 10.11.0.14 soft-reconfiguration ‘inbound’

Having don’t the above you should be set for some testing of the connectivity which is described in part 4