Router Installation and Configuration Manual/Configuring IP Tunnels

From ImageStream Router Documentation

This chapter describes how to configure the ImageStream router to use the Inetics Tunnel interface to create encrypted and unencrypted tunnels across physical devices.
This chapter includes the following topics:
  • Understanding Tunnel Devices
  • Configuring SSL Tunnels using OpenVPN
  • Configuring CIPE Tunnel Devices
  • Configuring GRE Tunnel Devices


Understanding Tunnel Devices

Tunneling provides a way to encapsulate packets of a foreign protocol or network inside a transport protocol. Tunneling is implemented as a virtual interface to provide a simple interface for configuration. A tunnel interface is not tied to specific protocols, devices or network transports. Tunnels provide an architecture that is designed to support any standard point-to-point encapsulation scheme. Because tunnels are point-to-point links, you must configure a separate tunnel for each link.
Tunnel devices can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP internetwork. The Tunnel commands are used to create the Tunnel interface in the main WAN interface configuration file.
Before configuring Tunnel devices, you must configure your WAN interfaces and make the appropriate cabling connection for your needs. Refer to the hardware installation guide for your ImageStream product for information on making the WAN connection. See Chapter 7, Router Installation and Configuration Manual/Configuring a Synchronous Serial WAN Interface or the Command Reference for more detailed command descriptions and instructions.
After logging in, the main menu is displayed (your menu may look slightly different):
ISis-Router main menu 
1. Configuration menu 
2. Show interface status 
3. Advanced 
4. Router software management 
5. Backup/Restore 
6. halt/reboot 
0. Log off 
Select menu option 1, Configuration menu, and press Enter to configure the router. The Configuration menu should appear (your menu may look slightly different):
Configuration menu 
1. AAA (Password) Configuration 
2. Global configuration 
3. Network interface configuration 
4. Firewall and QOS configuration 
5. Service configuration 
6. Dynamic routing configuration 
7. Save configuration to flash 
0. ISis-Router main menu 
From the "Configuration menu", select menu option 3, Network interface configuration, and press Enter. This will open the ImageStream router's primary configuration file, wan.conf, in the default editor. The wan.conf file is also accessible from the command line in the /usr/local/sand directory.

Configuring a Simple SSL Tunnel using OpenVPN

The SSL tunnel interface mode for Inetics devices uses the OpenVPN suite and allows IP packet tunneling inside encrypted UDP or TCP packets. The protocol is designed to be lightweight and simple, and to work seamlessly with dynamic addresses, NAT and SOCKS proxies. An OpenVPN tunnel device is a standard network device and may be configured in the same manner as all physical devices and subinterfaces.
If your configuration requires dynamic routing (BGP, OSPF, RIP) or metric-based static routing failover configurations, you should use the OpenVPN SSL tunnels. Unlike CIPE tunnels or other tunnels supported by the ImageStream router, OpenVPN tunnels use the standard hardware and protocol status functions and may be used with configurations that rely on interface status.
ImageStream Linux 4.2 or later releases provide support for OpenVPN tunnels. An ImageStream router's OpenVPN implementation can interoperate with any OpenVPN client on any operating system.
The configurations listed in this section may not be suitable for use on your network. Any device names, IP addresses, tunnel keys or bandwidth values are provided as examples. You will need to change the commands in the examples below to match the settings suitable for your network.
In this example, we will create an encrypted tunnel between these two routers. The syntax of the Tunnel interface command is:
     interface Tunnel XX

where XX is a device number. The location of a Tunnel interface declaration in the interface configuration file is not important. By convention, the first Tunnel device is Tunnel0, though you may assign any number. You do not need to specify an encapsulation type, as it will be ignored. You must specify an ip address. A description field is optional.
To configure each end of the point-to-point tunnel, you must configure the tunnel addresses, the tunnel source and destination, and the authentication key. The example below shows two local networks connected via an OpenVPN tunnel to form a VPN interconnecting the 172.16.0.0/16 and 192.168.0.0/24 reserved network blocks. In the example below, 172.16.0.0/16 is the network at the main office and 192.168.0.0/24 is the network at a remote office.
Main Office Router:
! 
interface Tunnel0 
description Tunnel to Remote Office
bandwidth 768000
tunnel mode openvpn 
tunnel source 210.145.243.1 6061 
tunnel destination 63.148.135.25 6061 
tunnel key 8c34cdc8f4a2e1fb01dd5c0fdc9082e4 
ip address 192.168.150.1 255.255.255.252 
pointopoint address 192.168.150.2 
! 
ip route add 192.168.0.0/24 via 192.168.150.2 
Remote Office Router:
! 
interface Tunnel0 
description Tunnel to Remote Office
bandwidth 768000
tunnel mode openvpn 
tunnel source 63.148.135.25 6061 
tunnel destination 210.145.243.1 6061 
tunnel key 8c34cdc8f4a2e1fb01dd5c0fdc9082e4 
ip address 192.168.150.2 255.255.255.252 
pointopoint address 192.168.150.1 
! 
ip route add 172.16.0.0/16 via 192.168.150.1 
The values in the above example are explained below.
interface Tunnel0 - Denotes the start of the configuration section for the first Tunnel device in your system. All commands that follow this line until the next ! mark will be applied to Tunnel0.
description Tunnel to Remote Office - Sets a description for this device. The description is optional and is used for reporting purposes in other utilities. Setting a value here does not affect the operation of the port.
bandwidth 768000 - Scales the output of the realtime statistics program to 768 Kbps. This value is optional, and should be set either to the connected link speed or to the bandwidth limit allocated by QoS rules.
tunnel mode openvpn - Sets the encapsulation type on the tunnel to OpenVPN.
tunnel source 63.148.135.25 6061 - Sets the source address of the tunnel and the UDP or TCP port used to receive the SSL tunnel's encapsulated packets. The command takes the form tunnel source ipaddress port. The IP address selected must be different from the ip address of the tunnel. The tunnel source address should be an address reachable on the network by the destination router.
tunnel destination 210.145.243.1 6061 - Sets the destination address of the tunnel and the UDP or TCP port used to send the SSL tunnel's encapsulated packets. The command takes the form tunnel destination ipaddress port. The IP address and port must match the values configured as the source on the destination router.
tunnel key 8c34cdc8f4a2e1fb01dd5c0fdc9082e4 - Sets the encryption key used by the tunnel. This command takes the form tunnel key key. This value must match the value configured on the destination router. OpenVPN uses a 2048-bit key. If the key specified is less than 2048 bits, the router will automatically replicate the value until the size reaches 2048 bits.
ip address 192.168.150.1 255.255.255.252 - Specifies the IP address and netmask for the Tunnel device. The IP addresses on the source and destination ends of the tunnel must be different from the IP address and pointopoint address of the tunnel itself.
pointopoint address 192.168.150.2 - Specifies the remote tunnel address. This IP address must match the value configured as the IP address on the destination router.
ip route add 192.168.0.0/24 via 192.168.150.2 - Adds a static route to the 192.168.0.0 network through the Tunnel0 IP address on the main office router. Note that the command follows the Linux iproute2 syntax. Cisco IOS-style syntax commands are also accepted, as described in earlier sections.
ip route add 172.16.0.0/16 via 192.168.150.1 - Adds a static route to the 172.16.0.0 network through the IP address of the remote end of the Tunnel device. This is an alternate method of specifying a static route, but it has the same effect as adding a static route through the device itself.
The Tunnel interface appears as a regular interface in the router, meaning you can make modifications to the Tunnel device configuration without taking down other interfaces. You can use firewalling, bandwidth limiting, rule-based routing and other advanced features of the router with any Tunnel device you create. Like other interfaces, the tunnel device is also available via SNMP for monitoring purposes.
For easier configuration of other OpenVPN devices, including Windows clients, the options files passed to the OpenVPN program are stored in the /etc/openvpn directory on the router's file system. Each tunnel has a separate options file. Use these files as a basis for configuring other OpenVPN devices.

Configuring a Dynamically Addressed SSL Tunnel using OpenVPN

OpenVPN also supports dynamically addressed connections on one or both endpoints of a tunnel. Using the same network design from the previous example, the example below details how to configure an OpenVPN tunnel when the remote router endpoint has a dynamically assigned IP address.
The main router still uses the same static IP address as in the previous example.
Main Office Router:
! 
interface Tunnel0 
description Tunnel to Remote Office
bandwidth 768000
tunnel mode openvpn 
tunnel source 210.145.243.1 6061 
tunnel destination 0.0.0.0 6061 
tunnel options --passtos --secret /etc/openvpn/Tunnel0-key 
ip address 192.168.150.1 255.255.255.252 
pointopoint address 192.168.150.2 
! 
ip route add 192.168.0.0/24 via 192.168.150.2 
     
Remote Office Router:
! 
interface Tunnel0 
description Tunnel to Remote Office
bandwidth 768000
tunnel mode openvpn 
tunnel source 0.0.0.0 6061 
tunnel destination 210.145.243.1 6061 
tunnel options --passtos --secret /etc/openvpn/Tunnel0-key 
ip address 192.168.150.2 255.255.255.252 
pointopoint address 192.168.150.1 
! 
ip route add 172.16.0.0/16 via 192.168.150.1 
The changed values in the example are explained below.
tunnel source 0.0.0.0 6061 - Instructs OpenVPN to use the source address of the physical interface used when the router transmits traffic on the tunnel. This configuration option is used when the router has a dynamically assigned IP address.
tunnel destination 0.0.0.0 6061 - Instructs OpenVPN to accept any source address. The OpenVPN tunnel will use the port number and the key to validate the connection.
tunnel options --passtos --secret /etc/openvpn/Tunnel0-key - The tunnel options command passes advanced command line options to the OpenVPN program. Only one tunnel options command may be used for each tunnel, and any valid OpenVPN option can be passed with it. In the example above, the --passtos option preserves the ToS settings on packets passed to the tunnel instead of stripping them, which is the default. The --secret option gives the router the path to the key file used for this tunnel. The key in that file must match the key used on the other side of the tunnel. A complete list of available options is available from the router's command line by typing openvpn -help.
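The --secret option above points OpenVPN at a key file rather than an inline tunnel key. The following is an added example (not ImageStream code and not part of this manual) that generates, parses and compares such a key file. It assumes the file uses the standard OpenVPN static key V1 format, the format that `openvpn --genkey --secret <file>` writes: 2048 bits of key as 16 lines of 32 hex characters between BEGIN/END marker lines. Whether the router stores /etc/openvpn/Tunnel0-key in exactly this format is an assumption; the sample values are constructed for the example. It also models the chapter's replication rule for a short inline tunnel key, treating the value as hex (another assumption), to make the point that replication adds no entropy.

```python
"""OpenVPN static key handling for the tunnel options --secret path (added
example, not ImageStream code). Assumes the key file uses the standard OpenVPN
static key V1 format that "openvpn --genkey --secret <file>" writes: 2048 bits
of key as 16 lines of 32 hex characters between BEGIN/END marker lines.
Whether the router stores /etc/openvpn/Tunnel0-key in exactly this format is
an assumption; the sample values below are constructed for the example."""
import hashlib
import hmac
import os

KEY_BITS = 2048   # key size the chapter states OpenVPN uses
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def generate_static_key(random_bytes=os.urandom):
    """Return the text of a new key file, filled from the OS CSPRNG."""
    raw = random_bytes(KEY_BITS // 8)
    lines = [raw[i:i + 16].hex() for i in range(0, len(raw), 16)]
    return "\n".join(["# 2048 bit OpenVPN static key", BEGIN, *lines, END]) + "\n"


def parse_static_key(text):
    """Return the key bytes, or raise ValueError for a malformed or short file."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing OpenVPN static key markers")
    try:
        key = bytes.fromhex("".join(lines[1:-1]))
    except ValueError:
        raise ValueError("key body is not hexadecimal") from None
    if len(key) * 8 != KEY_BITS:
        raise ValueError(f"key is {len(key) * 8} bits, expected {KEY_BITS}")
    return key


def key_fingerprint(key):
    """Short SHA-256 fingerprint: lets both ends be compared without sending the key."""
    return hashlib.sha256(key).hexdigest()[:16]


def keys_match(key_a, key_b):
    """Constant-time comparison of the key material held at both ends."""
    return hmac.compare_digest(key_a, key_b)


def expand_inline_key(hexkey):
    """Model the chapter's rule for a short 'tunnel key' value: the router
    replicates it until it reaches 2048 bits. The value is treated as hex here
    (an assumption; the chapter does not say how it is interpreted).
    Replication adds no entropy, so a 128-bit value stays 128 bits strong."""
    raw = bytes.fromhex(hexkey)
    if not raw:
        raise ValueError("empty key")
    reps = -(-(KEY_BITS // 8) // len(raw))   # ceiling division
    return (raw * reps)[:KEY_BITS // 8]
```

To confirm both routers hold the same key, read each end's file with parse_static_key and compare key_fingerprint values out of band (over the console or an already trusted channel) rather than copying key material around; keys_match is for a host that legitimately holds both copies. generate_static_key shows why the full 2048 bits should come from a CSPRNG: expand_inline_key demonstrates that padding a 128-bit inline key to 2048 bits only repeats the same 16 bytes.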
The left navigation bar includes a link to examples that describe how to bridge over an OpenVPN tunnel, and how to connect an OpenVPN Windows client to ImageStream routers.

Configuring CIPE (Crypto IP Encapsulation) Tunnels

The CIPE tunnel interface mode for Inetics devices allows IP packet tunneling inside encrypted UDP packets. The protocol is designed to be lightweight and simple, and to work seamlessly with dynamic addresses, NAT and SOCKS proxies. A CIPE tunnel device is a standard network device and may be configured in the same manner as all physical devices and subinterfaces. To use CIPE mode tunnels with another manufacturer's router, the other router must support CIPE (version 3).
If your configuration requires dynamic routing (BGP, OSPF, RIP) or metric-based static routing failover configurations, you should use the OpenVPN SSL tunnels. Unlike CIPE tunnels or other tunnels supported by the ImageStream router, OpenVPN tunnels use the standard hardware and protocol status functions and may be used with configurations that rely on interface status.
CIPE tunnels are controlled by a virtual Tunnel interface configured in the interface configuration file. The interface is configured similarly to a Serial WAN interface. The example below starts from this configuration, a point-to-point serial link between two routers:
Router A:
! 
interface Serial0 
description Leased line to Mexico City
encapsulation hdlc
ip address 25.0.0.1 255.255.255.252
!
Router B:
! 
interface Serial0 
description Leased line to New York City
encapsulation hdlc
ip address 25.0.0.2 255.255.255.252
! 
In the following example, we will create an encrypted tunnel between these two routers. The syntax of the Tunnel interface command is:
interface Tunnel XX

where XX is a device number. The location of a Tunnel interface declaration in the interface configuration file is not important. By convention, the first Tunnel device is Tunnel0, though you may assign any number. You do not need to specify an encapsulation type, as it will be ignored. You must specify an ip address. A description field is optional.
To configure each end of the point-to-point tunnel, you must configure the tunnel addresses, the tunnel source and destination, and the authentication key. The example below shows the tunnel configuration for a CIPE tunnel between Router A and Router B.
Router A:
! 
interface Serial0 
description Leased line to Mexico City
encapsulation hdlc
ip address 25.0.0.1 255.255.255.252
!
interface Tunnel0 
description VPN to Mexico City 
bandwidth 256000 
tunnel mode cipe 
tunnel source 25.0.0.1 4451 
tunnel destination 25.0.0.2 4451 
tunnel key abcdef001 
ip address 10.0.0.1 255.255.255.252 
pointopoint address 10.0.0.2 
! 
ip route 192.168.100.0 255.255.255.0 Tunnel0 
Router B:
! 
interface Serial0 
description Leased line to New York City
encapsulation hdlc
ip address 25.0.0.2 255.255.255.252
!
interface Tunnel0 
description VPN to New York City
bandwidth 256000
tunnel mode cipe 
tunnel source 25.0.0.2 4451 
tunnel destination 25.0.0.1 4451 
tunnel key abcdef001 
ip address 10.0.0.2 255.255.255.252 
pointopoint address 10.0.0.1 
! 
ip route 192.168.10.0 255.255.255.0 10.0.0.1 
The values in the example are explained below.
interface Tunnel0 - Denotes the start of the configuration section for the first Tunnel device in your system. All commands that follow this line until the next ! mark will be applied to Tunnel0.
description VPN to New York City - Sets a description for this device. The description is optional and is used for reporting purposes in other utilities. Setting a value here does not affect the operation of the port.
bandwidth 256000 - Scales the output of the realtime statistics program to 256 Kbps. This value is optional, and should be set either to the connected link speed or to the bandwidth limit allocated by QoS rules.
tunnel mode cipe - Sets the encapsulation type on the tunnel to CIPE, which is the default value. This command is optional.
tunnel source 25.0.0.1 4451 - Sets the source address of the tunnel and the UDP port used to receive the CIPE encapsulated packets. The command takes the form tunnel source ipaddress udpport. The IP address selected must be different from the ip address of the tunnel. The tunnel source address should be an address reachable on the network by the destination router.
tunnel destination 25.0.0.2 4451 - Sets the destination address of the tunnel and the UDP port used to send the CIPE encapsulated packets. The command takes the form tunnel destination ipaddress udpport. The IP address and port must match the values configured as the source on the destination router.
tunnel key abcdef001 - Sets the encryption key used by the tunnel. This command takes the form tunnel key key. This value must match the value configured on the destination router. A script to generate a 128-bit MD5 checksum for use as a more secure key is available from the router's Bash shell under the Advanced menu. Run the "gencipekey" command and cut and paste the output into the key value.
ip address 10.0.0.1 255.255.255.252 - Specifies the IP address and netmask for the Tunnel device.
pointopoint address 10.0.0.2 - Specifies the remote tunnel address. This IP address must match the value configured as the IP address on the destination router.
ip route 192.168.100.0 255.255.255.0 Tunnel0 - Adds a static route to the 192.168.100.0 network through the Tunnel0 device.
ip route 192.168.10.0 255.255.255.0 10.0.0.1 - Adds a static route to the 192.168.10.0 network through the IP address of the remote end of the Tunnel device. This is an alternate method of specifying a static route, but has the same effect as adding a static route through the device.
The Tunnel interface appears as a regular interface in the router, meaning you can make modifications to the Tunnel device configuration without taking down other interfaces. You can use firewalling, bandwidth limiting, rule-based routing and other advanced features of the router with any Tunnel device you create. Like other interfaces, the tunnel device is also available via SNMP for monitoring purposes.
The IP addresses on the source and destination ends of the tunnel must be different from the IP address and point-to-point address of the tunnel itself.

Configuring GRE Tunnels

The GRE tunnel interface allows for IP packet tunneling using the GRE protocol. The protocol is designed to be lightweight and simple.
ImageStream Linux 4.0 or later releases provide support for GRE tunnels. An ImageStream router's GRE implementation can interoperate with any GRE client on any operating system.
The configurations listed in this section may not be suitable for use on your network. Any device names, IP addresses, tunnel keys or bandwidth values are provided as examples. You will need to change the commands in the examples below to match the settings suitable for your network.
To configure each end of the point-to-point tunnel, you must configure the tunnel addresses, the tunnel source and destination. The example below shows the tunnel configuration for a GRE tunnel between Router A and Router B.
Router A:
! 
interface Serial0 
description Leased line to Mexico City
encapsulation hdlc
ip address 25.0.0.1 255.255.255.252
!
interface Tunnel0 
description VPN to Mexico City 
bandwidth 256000 
tunnel mode gre
tunnel source 25.0.0.1 
tunnel destination 25.0.0.2 
ip address 10.0.0.1 255.255.255.252  
! 
ip route 192.168.100.0 255.255.255.0 Tunnel0 
Router B:
! 
interface Serial0 
description Leased line to New York City
encapsulation hdlc
ip address 25.0.0.2 255.255.255.252
!
interface Tunnel0 
description VPN to New York City
bandwidth 256000
tunnel mode gre
tunnel source 25.0.0.2
tunnel destination 25.0.0.1
ip address 10.0.0.2 255.255.255.252  
! 
ip route 192.168.10.0 255.255.255.0 10.0.0.1 
The values in the example are explained below.
interface Tunnel0 - Denotes the start of the configuration section for the first Tunnel device in your system. All commands that follow this line until the next ! mark will be applied to Tunnel0.
description VPN to New York City - Sets a description for this device. The description is optional and is used for reporting purposes in other utilities. Setting a value here does not affect the operation of the port.
bandwidth 256000 - Scales the output of the realtime statistics program to 256 Kbps. This value is optional, and should be set either to the connected link speed or to the bandwidth limit allocated by QoS rules.
tunnel mode gre - Sets the encapsulation type on the tunnel to GRE.
tunnel source 25.0.0.1 - Sets the source address of the tunnel's GRE-encapsulated packets. The command takes the form tunnel source ipaddress. The IP address selected must be different from the ip address of the tunnel. The tunnel source address should be an address reachable on the network by the destination router.
tunnel destination 25.0.0.2 - Sets the destination address of the tunnel's GRE-encapsulated packets. The command takes the form tunnel destination ipaddress. The IP address must match the value configured as the source on the destination router.
ip address 10.0.0.1 255.255.255.252 - Specifies the IP address and netmask for the Tunnel device.
pointopoint address 10.0.0.2 - Specifies the remote tunnel address. This IP address must match the value configured as the IP address on the destination router.
ip route 192.168.100.0 255.255.255.0 Tunnel0 - Adds a static route to the 192.168.100.0 network through the Tunnel0 device.
ip route 192.168.10.0 255.255.255.0 10.0.0.1 - Adds a static route to the 192.168.10.0 network through the IP address of the remote end of the Tunnel device. This is an alternate method of specifying a static route, but has the same effect as adding a static route through the device.
The Tunnel interface appears as a regular interface in the router, meaning you can make modifications to the Tunnel device configuration without taking down other interfaces. You can use firewalling, bandwidth limiting, rule-based routing and other advanced features of the router with any Tunnel device you create. Like other interfaces, the tunnel device is also available via SNMP for monitoring purposes.
The IP addresses on the source and destination ends of the tunnel must be different from the IP address and point-to-point address of the tunnel itself.
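The OpenVPN, CIPE and GRE sections above all state the same pairing rules for the two ends of a tunnel: each end's tunnel destination (and port, for OpenVPN and CIPE) must equal the peer's tunnel source, the tunnel key must match, each end's pointopoint address must be the peer's ip address, the tunnel source must differ from the tunnel's own ip address, GRE takes no port or key, 0.0.0.0 stands for a dynamically addressed end, and only one tunnel options command is allowed. The following is an added example (not ImageStream code and not part of this manual) that parses the Tunnel blocks of two routers' wan.conf text and checks those rules, so a mismatched key or a pointopoint address copied from the wrong side is caught before the configuration is saved. The router configurations in it are constructed for the example.

```python
"""Two-ended consistency check for the Tunnel blocks in this chapter (added
example, not ImageStream code): parses wan.conf-style Tunnel sections and
applies the pairing rules stated for OpenVPN, CIPE and GRE tunnels."""
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0"   # wildcard the chapter uses for a dynamically addressed end

@dataclass
class Tunnel:
    router: str                    # label used in the problem reports
    mode: str = "cipe"             # the chapter says CIPE is the default mode
    source: Optional[str] = None
    source_port: Optional[int] = None
    destination: Optional[str] = None
    destination_port: Optional[int] = None
    key: Optional[str] = None
    address: Optional[str] = None
    pointopoint: Optional[str] = None
    option_lines: int = 0          # number of "tunnel options" commands seen

def parse_tunnels(text, router):
    """Return {name: Tunnel} for every Tunnel block in wan.conf-style text."""
    tunnels, cur = {}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "interface":    # "interface Tunnel0" opens a block,
            name = "".join(w[1:])  # any other interface line ends it
            cur = Tunnel(router) if name.startswith("Tunnel") else None
            if cur:
                tunnels[name] = cur
        elif cur is None:
            continue
        elif w[0] == "tunnel" and w[1] in ("source", "destination"):
            setattr(cur, w[1], w[2])                     # GRE has no port
            setattr(cur, w[1] + "_port", int(w[3]) if len(w) > 3 else None)
        elif w[0] == "tunnel" and w[1] in ("mode", "key"):
            setattr(cur, w[1], w[2].lower() if w[1] == "mode" else w[2])
        elif w[0] == "tunnel" and w[1] == "options":
            cur.option_lines += 1
        elif w[:2] == ["ip", "address"]:
            cur.address = w[2]
        elif w[0] == "pointopoint":                      # "pointopoint [address] X"
            cur.pointopoint = w[-1]
    return tunnels

def _check_end(a, b, out):
    """Rules for endpoint a, several of them checked against its peer b."""
    if a.mode == "gre":
        if a.source_port is not None or a.destination_port is not None or a.key:
            out.append(f"{a.router}: GRE takes no port and no tunnel key")
    elif a.source_port is None or a.destination_port is None:
        out.append(f"{a.router}: {a.mode} needs a port on tunnel source and destination")
    if a.option_lines > 1:
        out.append(f"{a.router}: only one tunnel options command is allowed")
    if a.source and a.source == a.address:
        out.append(f"{a.router}: tunnel source must differ from the tunnel ip address")
    if ANY not in (a.destination, b.source) and a.destination != b.source:
        out.append(f"{a.router}: destination {a.destination} is not {b.router} source {b.source}")
    if a.mode != "gre" and a.destination_port != b.source_port:
        out.append(f"{a.router}: destination port {a.destination_port} is not {b.router} source port {b.source_port}")
    if a.pointopoint != b.address:
        out.append(f"{a.router}: pointopoint {a.pointopoint} is not {b.router} ip address {b.address}")

def check_pair(a, b):
    """Return the problems found for the two ends of one tunnel ([] means OK)."""
    out = []
    if a.mode != b.mode:
        out.append(f"mode mismatch: {a.router} {a.mode} vs {b.router} {b.mode}")
    if a.key and b.key and a.key != b.key:
        out.append(f"tunnel key differs between {a.router} and {b.router}")
    _check_end(a, b, out)
    _check_end(b, a, out)
    return out

# Constructed CIPE pair: Router B has a mistyped key and a pointopoint address
# set to its own tunnel address instead of Router A's.
ROUTER_A = """interface Tunnel0
tunnel source 25.0.0.1 4451
tunnel destination 25.0.0.2 4451
tunnel key abcdef001
ip address 10.0.0.1 255.255.255.252
pointopoint address 10.0.0.2
!
"""
ROUTER_B = """interface Tunnel0
tunnel source 25.0.0.2 4451
tunnel destination 25.0.0.1 4451
tunnel key abcdef002
ip address 10.0.0.2 255.255.255.252
pointopoint address 10.0.0.1
!
""".replace("pointopoint address 10.0.0.1", "pointopoint address 10.0.0.2")

def audit(text_a, text_b, name="Tunnel0"):
    """Parse both routers' wan.conf text and check the named tunnel."""
    return check_pair(parse_tunnels(text_a, "RouterA")[name],
                      parse_tunnels(text_b, "RouterB")[name])
```

Running audit(ROUTER_A, ROUTER_B) reports the differing tunnel key and the pointopoint address on Router B that does not equal Router A's ip address; correcting both lines makes the audit return an empty list. The same function accepts the dynamically addressed OpenVPN pair from the earlier section (0.0.0.0 on one side suppresses the address comparison but not the port comparison) and a GRE pair, where it flags any port or key that crept in from a copied CIPE block.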
Note: You must save the settings to the router's non-volatile flash memory! If the router is rebooted before saving, your changes will be lost! See Chapter 26, "Backup/Restore Menu: Managing Configurations" for more information.