New Member
Posts: 4
Registered: ‎12-26-2012
Kudos: 1

connect two sites over WAN with GRE/IPSec and multiple static IP addresses

First off, I am not a networking expert.  I am trying to configure two ERLs as shown in the picture:

 

 

[Image: net-diagram.png]

There are two office sites, each with 5 static IP addresses.  On R1, only 4 of them are allocated to the ERL.  Behind each ERL on eth1 is a LAN and behind each on eth2 is an IP Phone network.

 

I currently have a GRE bridge protected with IPsec between the two sites; however, it is working sporadically.  I followed the Vyatta VPN Reference Guide on Protecting a GRE Tunnel with IPsec (pp. 79-87).

 

What I want to be able to do is to have all outgoing traffic from the eth1 LAN go out using the IP address ending in .90 (currently not active on the configuration) and the IP Phone and Phone server traffic to leave via the .91 IP address.  Incoming traffic is NAT'd to the appropriate servers (and I believe that this is currently working).

 

The way that it is now, all traffic leaves via .91, as I was unable to get different subnets to use different external IP addresses.  If I just choose Masquerade as a SNAT option in the GUI, all traffic leaves via the first listed IP address for the WAN interface.

 

Below are the relevant portions of the configuration.

 

xxxxxxx@ubnt# show -all
 interfaces {
     ethernet eth0 {
         address 50.xx.yy.92/29
         address 50.xx.yy.93/29
         address 50.xx.yy.91/29
         description WAN
         duplex auto
         speed auto
     }
     ethernet eth1 {
         address 10.x.y.1/24
         description LAN
         duplex auto
         speed auto
     }
     ethernet eth2 {
         address 192.xx.yy.1/24
         description Phones
         duplex auto
         speed auto
     }
     loopback lo {
     }
     tunnel tun0 {
         address 10.x.x.2/30
         description "GRE Tunnel to ubnt2.lockerlive.net"
         encapsulation gre
         local-ip 50.xx.yy.93
         multicast enable
         remote-ip 50.aa.bb.74
         ttl 255
     }
 }
 protocols {
     static {
         route 10.x.z.0/24 {
             next-hop 10.x.x.1 {
             }
         }
     }
 }
 service {
     nat {
         rule 1 {
             description "ssh for phones"
             destination {
                 address 50.xx.yy.91
                 port 22
             }
             inbound-interface eth0
             inside-address {
                 address 192.xx.yy.10
                 port 22
             }
             log enable
             protocol tcp
             type destination
         }
         rule 2 {
             description IAX2
             destination {
                 address 50.xx.yy.91
                 port 4569
             }
             inbound-interface eth0
             inside-address {
                 address 192.xx.yy.10
                 port 4569
             }
             log disable
             protocol tcp_udp
             type destination
         }
         rule 3 {
             description "Asterisk Manager"
             destination {
                 address 50.xx.yy.91
                 port 5038
             }
             inbound-interface eth0
             inside-address {
                 address 192.xx.yy.10
                 port 5038
             }
             log disable
             protocol tcp_udp
             type destination
         }
         rule 4 {
             description SIP
             destination {
                 address 50.xx.yy.91
                 port 5060
             }
             inbound-interface eth0
             inside-address {
                 address 192.xx.yy.10
                 port 5060
             }
             log disable
             protocol tcp_udp
             type destination
         }
         rule 5 {
             description "SIP Control"
             destination {
                 address 50.xx.yy.91
                 port 5061
             }
             inbound-interface eth0
             inside-address {
                 address 192.xx.yy.10
                 port 5061
             }
             log disable
             protocol tcp_udp
             type destination
         }
         rule 6 {
             description "HTTP for ast"
             destination {
                 address 50.xx.yy.91
                 port 80
             }
             inbound-interface eth0
             inside-address {
                 address 192.xx.yy.10
                 port 80
             }
             log disable
             protocol tcp
             type destination
         }
         rule 7 {
             description "HTTPS for ast"
             destination {
                 address 50.xx.yy.91
                 port 443
             }
             inbound-interface eth0
             inside-address {
                 address 192.xx.yy.10
                 port 443
             }
             log disable
             protocol tcp
             type destination
         }
         rule 5000 {
             description Masquerade
             log disable
             outbound-interface eth0
             outside-address {
                 address 50.xx.yy.91
             }
             type source
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 vpn {
     ipsec {
         esp-group ESP-1E {
             compression disable
             lifetime 1800
             mode tunnel
             pfs enable
             proposal 1 {
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 encryption 3des
                 hash md5
             }
         }
         ike-group IKE-1E {
             lifetime 3600
             proposal 1 {
                 encryption aes256
                 hash sha1
             }
             proposal 2 {
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer 50.aa.bb.74 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret Some_Semi-long_Passphrase
                 }
                 connection-type initiate
                 default-esp-group ESP-1E
                 ike-group IKE-1E
                 local-ip 50.xx.yy.93
                 tunnel 1 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     protocol gre
                 }
             }
         }
     }
 }

So basically, I want to know if my GRE/IPsec tunnel is configured correctly (the other side is configured the same except with a tun0 address of 10.x.x.1 and the remote/inside addresses reversed).

 

Also, can anyone point me in the right direction to setting up the outgoing addresses?  I assume this is done in NAT.

 

To avoid confusion at this point, no firewall rules or rulesets are in place.

 

Thanks!!

New Member
Posts: 4
Registered: ‎12-26-2012
Kudos: 1

Re: connect two sites over WAN with GRE/IPSec and multiple static IP addresses

OK, so I'm pretty sure I got the outgoing address thing working with SNAT.

 

rule 5000 {
    description "Masquerade for LAN-Subnet"
    log disable
    outbound-interface eth0
    outside-address {
        address 50.xx.yy.93
    }
    protocol all
    source {
        address 10.x.y.0/24
    }
    type source
}
rule 5001 {
    description "Masquerade for Phones-Subnet"
    log disable
    outbound-interface eth0
    outside-address {
        address 50.xx.yy.91
    }
    source {
        address 192.xxx.yyy.0/24
    }
    type source
}
rule 5002 {
    description Masquerade
    log disable
    outbound-interface eth0
    outside-address {
    }
    protocol all
    type masquerade
}

I misunderstood the wording of the GUI and had things reversed with source and destination addresses/ports.

 

Now the next task is to get the GRE tunnel with IPsec working properly and consistently.  Any and all [helpful] advice is welcome and appreciated.

 

Thanks!
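As an added illustration, not code from the thread or from Ubiquiti: the script below parses an EdgeOS-style `show` configuration (a constructed one that mirrors the SNAT rules in this post and the esp-group in the first post, with RFC 5737 documentation addresses in place of the masked ones) and answers two questions raised above. First, which outside address a packet from each subnet is translated to when the source-NAT rules are walked first-match in ascending number order, which is the behaviour the poster was after. Second, which legacy algorithms (3DES, MD5) the posted esp-group still offers as proposal 2. The masquerade model (first address configured on the interface) is taken from the poster's own observation and the handling of router-originated traffic is a simplification; neither is a statement of how EdgeOS orders NAT and IPsec processing internally.

```python
import ipaddress
import shlex

# Constructed EdgeOS-style 'show' output (not taken from the thread); RFC 5737
# documentation addresses stand in for the masked 50.xx.yy.* / 10.x.y.* values.
CFG_TEXT = """
interfaces {
    ethernet eth0 {
        address 203.0.113.92/29
        address 203.0.113.93/29
        address 203.0.113.91/29
    }
}
service {
    nat {
        rule 5000 {
            outbound-interface eth0
            outside-address {
                address 203.0.113.93
            }
            source {
                address 10.0.1.0/24
            }
            type source
        }
        rule 5001 {
            outbound-interface eth0
            outside-address {
                address 203.0.113.91
            }
            source {
                address 192.168.5.0/24
            }
            type source
        }
        rule 5002 {
            outbound-interface eth0
            type masquerade
        }
    }
}
vpn {
    ipsec {
        esp-group ESP-1E {
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
    }
}
"""

def parse_config(text):
    """Brace format -> nested dicts; leaves are lists (eth0 repeats 'address')."""
    root, stack = {}, []
    node = root
    for line in (l.strip() for l in text.splitlines()):
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line:
            key, *vals = shlex.split(line)
            node.setdefault(key, []).append(" ".join(vals))
    return root

def translate(cfg, src_ip, out_if="eth0"):
    """First-match walk of the source-NAT rules in ascending number order.
    Returns (rule number, outside address); 'masquerade' is modelled as the
    first address on the interface, which is what the original poster observed."""
    src_ip = ipaddress.ip_address(src_ip)
    rules = sorted((int(k.split()[1]), v) for k, v in cfg["service"]["nat"].items()
                   if k.startswith("rule ") and v["type"][0] in ("source", "masquerade"))
    for num, body in rules:
        if body.get("outbound-interface", [None])[0] != out_if:
            continue
        src = body.get("source", {}).get("address")
        if src and src_ip not in ipaddress.ip_network(src[0], strict=False):
            continue
        outside = body.get("outside-address", {}).get("address")
        if outside:
            return num, outside[0]
        return num, cfg["interfaces"]["ethernet " + out_if]["address"][0].split("/")[0]
    return None, str(src_ip)

WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}}

def weak_proposals(cfg):
    """(group, proposal, algorithm) for each legacy algorithm still offered; which
    one a session lands on is the peer's choice, so drop what is not needed."""
    found = []
    for gname, group in cfg["vpn"]["ipsec"].items():
        if gname.startswith(("esp-group", "ike-group")):
            for pname, prop in group.items():
                if pname.startswith("proposal"):
                    for field, bad in WEAK.items():
                        if prop.get(field, [""])[0] in bad:
                            found.append((gname, pname, prop[field][0]))
    return found
```

Calling `translate(cfg, "10.0.1.25")` and `translate(cfg, "192.168.5.10")` gives rules 5000 and 5001 with the .93 and .91 addresses, the split the poster wanted. Calling it with the tunnel's own local-ip (`"203.0.113.93"` here) shows that the unrestricted catch-all rule 5002 is the one that matches router-sourced traffic in this model; whether EdgeOS really rewrites the router's own GRE/ESP packets is something to verify on the box rather than assume, but it is worth checking when a tunnel behind an unrestricted masquerade rule behaves sporadically. `weak_proposals` flags proposal 2 of ESP-1E for both 3DES and MD5; if the peer prefers that proposal the tunnel will negotiate it even though AES-256/SHA-1 is listed first.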

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: connect two sites over WAN with GRE/IPSec and multiple static IP addresses


@jtsmeed wrote:

...... I currently have a GRE Bridge protected with IPsec between the two sites; however, it is working sporadically. 


Which version of EdgeOS is running on the ERLs? If you would like to try 1.2.0alpha2, please check here.

New Member
Posts: 4
Registered: ‎12-26-2012
Kudos: 1

Re: connect two sites over WAN with GRE/IPSec and multiple static IP addresses

They are both currently running 1.1.0.  Is there a benefit to running the alpha 1.2.0?  If so, is it stable?  This is to be put in a production environment.

 

Thanks!

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: connect two sites over WAN with GRE/IPSec and multiple static IP addresses

After the upgrade, if you have to, you can switch back to 1.1.0 with the config with one op command, "set system image default-boot". So I'd figure out whether your config works on 1.2.0alpha2 or not; if so, then we can discuss the benefit and stability of 1.2.0alpha2, which has been out for more than two weeks; no major issue has been found so far.

New Member
Posts: 4
Registered: ‎12-26-2012
Kudos: 1

Re: connect two sites over WAN with GRE/IPSec and multiple static IP addresses

I may be willing to try the alpha, but that still doesn't let me know if there may be a problem with my configuration.

 

For the past couple of days, I was not able to ping one router's internal IP from the other or vice versa.  I just checked again and it is working.

 

Any feedback on the configuration itself or pointers to make this work would be greatly appreciated.  If there is some known issue in v1.1.0 with IPsec over GRE, then I will try the alpha/beta firmware.

 

For the record, the only outstanding issue is the GRE tunnel protected with IPsec.  Routing traffic over the multiple static IP's has been resolved.

 

Thanks!

 

 

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: connect two sites over WAN with GRE/IPSec and multiple static IP addresses


@jtsmeed wrote:

I may be willing to try the alpha, but that still doesn't let me know if there may be a problem with my configuration.

 

For the past couple of days, I was not able to ping one router's internal IP from the other or vice versa.  I just checked again and it is working.

 

Any feedback on the configuration itself or pointers to make this work would be greatly appreciated.  If there is some known issue in v1.1.0 with IPsec over GRE, then I will try the alpha/beta firmware.

 

For the record, the only outstanding issue is the GRE tunnel protected with IPsec.  Routing traffic over the multiple static IP's has been resolved.

 

Thanks!

 


I should have been clearer: for me, when "it is working sporadically", most of the time the configuration is fine. 1.2.0 does fix an issue that impacts IPsec stability.