IPv4 over IPv6 Tunneling with IPSec [DRAFT] 04 Feb, 2014 SAKURA Internet Research Center Senior Researcher / Naoto MATSUMOTO

1. 04 Feb, 2014
SAKURA Internet Research Center
Senior Researcher / Naoto MATSUMOTO

2. Configure IPv4/v6 Outer Tunnel
$ show version
Version:
VC6.6R1 (VyattaCore 6.6R1)
VR-1
IPv4 over IPv6 Tunnel
192.168.168.1/24 tun0
2001:db8::1/64 eth0
set system host-name VR-1
set interfaces ethernet eth0 address 2001:db8::1/64
set interfaces tunnel tun0 address 192.168.168.1/30
set interfaces tunnel tun0 encapsulation ipip6
set interfaces tunnel tun0 local-ip 2001:db8::1
set interfaces tunnel tun0 remote-ip 2001:db8::2
$ show version
Version:
VC6.6R1 (VyattaCore 6.6R1)
2001:db8::2/64 eth0
192.168.168.2/24 tun0
VR-2
set system host-name VR-2
set interfaces ethernet eth0 address 2001:db8::2/64
set interfaces tunnel tun0 address 192.168.168.2/30
set interfaces tunnel tun0 encapsulation ipip6
set interfaces tunnel tun0 local-ip 2001:db8::2
set interfaces tunnel tun0 remote-ip 2001:db8::1

3. Configure Inner IKE/ESP
VR-2
set vpn ipsec esp-group ESP lifetime 1800
set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP proposal 1 encryption aes256
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ike-group IKE lifetime 3600
set vpn ipsec ike-group IKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
IPv4 over IPv6 Tunnel
VR-1
set vpn ipsec esp-group ESP lifetime 1800
set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP proposal 1 encryption aes256
set vpn ipsec esp-group ESP proposal 1 hash sha1
set vpn ipsec ike-group IKE lifetime 3600
set vpn ipsec ike-group IKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0

4. Configure Inner IPSec Tunnel
10.99.99.1/24 vti0
192.168.168.1/24 tun0
192.168.168.2/24 tun0
10.99.99.2/24 vti0
IPv4 over IPv6 Tunnel
IPv4 with IPSec Tunnel
VR-1
VR-2
set interfaces vti vti0 address 10.99.99.1/24
edit vpn ipsec site-to-site peer 192.168.168.2
set authentication mode pre-shared-secret
set authentication pre-shared-secret SeCrEt
set ike-group IKE
set local-address 192.168.168.1
set vti bind vti0
set vti esp-group ESP
exit
set interfaces vti vti0 address 10.99.99.2/24
edit vpn ipsec site-to-site peer 192.168.168.1
set authentication mode pre-shared-secret
set authentication pre-shared-secret SeCrEt
set ike-group IKE
set local-address 192.168.168.2
set vti bind vti0
set vti esp-group ESP
exit

5. Configure Inner BGP Networking
10.10.10.1/24 eth1
10.99.99.1/24 vti0
10.10.10.0/24
set interfaces ethernet eth1 address 10.10.10.1/24
10.99.99.2/24 vti0
10.20.20.2/24 eth1
set interfaces ethernet eth1 address 10.20.20.2/24
IPv4 over IPv6 Tunnel
set protocols bgp 65001 neighbor 10.99.99.2 remote-as 65002
set protocols bgp 65001 network 10.10.10.0/24
VR-2
IPv4 with IPSec Tunnel
VR-1
10.20.20.0/24
set protocols bgp 65002 neighbor 10.99.99.1 remote-as 65001
set protocols bgp 65002 network 10.20.20.0/24

6. Configure Inner TCP-MSS
10.10.10.1/24 eth1
10.10.10.0/24
IPv4 over IPv6 Tunnel
IPv4 with IPSec Tunnel
VR-1
VR-2
10.20.20.2/24 eth1
10.20.20.0/24
edit policy route TCP-MSS1390-ETH1
set rule 1 destination address 10.20.20.0/24
set rule 1 source address 10.10.10.0/24
set rule 1 protocol tcp
set rule 1 set tcp-mss 1390
set rule 1 tcp flags SYN
exit
set interfaces ethernet eth1 policy route TCP-MSS1390-ETH1
commit
save
exit
reboot
edit policy route TCP-MSS1390-ETH1
set rule 1 destination address 10.10.10.0/24
set rule 1 source address 10.20.20.0/24
set rule 1 protocol tcp
set rule 1 set tcp-mss 1390
set rule 1 tcp flags SYN
exit
set interfaces ethernet eth1 policy route TCP-MSS1390-ETH1
commit
save
exit
reboot

7. Debug Tunnels
eth0 (Outer)
vti0 (Inner)

8. Thanks for your interest.
SAKURA Internet Research Center.