VPN example:
Site-to-Site VPN (Hub and Spoke), Router (Routing-based VPN), Dynamic routing(OSPF), Quagga, Multihoming, Behind a NAT/NAPT and certificate (PKCS#12/X.509).


The following image shows an example hub-and-spoke VPN for this scenario.

Ubuntu is installed on HubGw (Router/Hub), SpokeGw1 (Router/Spoke), SpokeGw2 (Router/Spoke) and Router1.

Rockhopper VPN software and Quagga are installed on HubGw, SpokeGw1 and SpokeGw2.

Each gateway (Router1, SpokeGw1 and SpokeGw2) is connected to two service providers: a high-bandwidth (primary) link and a low-bandwidth (secondary) link.

Primary and secondary VPN connections are established between the hub gateway (HubGw) and each spoke gateway (SpokeGw1 and SpokeGw2). HubGw forwards packets between the spoke sites. MOBIKE could also be used for this scenario, but in this example configuration the VPN paths are monitored by Quagga's OSPFv2 service instead, which selects between them based on adjacency state and link cost.

Quagga's OSPFv2 service is enabled on each VPN gateway (HubGw, SpokeGw1 and SpokeGw2) and it exchanges routing information between the sites.

To let the OSPFv2 service handle the primary and secondary paths separately, each VPN gateway needs two VPN Tunnel/TAP interfaces (virtual interfaces). Rockhopper creates one VPN interface per VPN realm, so two VPN realms are configured: one for the primary path (VPN realm ID 10, interface rhpvif10) and one for the secondary path (VPN realm ID 20, interface rhpvif20). See also "Documents/What is a VPN Realm?".

RSA signature (certificate-based) authentication is used for all the VPN gateways.

HubGw is deployed in a one-armed configuration and sits behind a NAT (NAPT). Therefore, the default gateway for an internal server in Site0 is not Router1 (192.168.0.1/24) but HubGw (192.168.0.10/24).

Router1 provides port forwarding (DNAT) of IKE (UDP 500) and NAT-T (UDP 4500) to HubGw.



[Image: sample0 (hub-and-spoke VPN topology for this scenario)]

rhpvif10 and rhpvif20 on each gateway: Virtual interfaces (Tunnel/TAP interfaces) used to reach the protected networks. "10" and "20" are the VPN realm IDs. These interfaces are created automatically by the Rockhopper VPN service and are configured from the Rockhopper Web console, not with system tools such as the ifconfig command. They are still visible to Quagga, so you can inspect them from Quagga's terminal (vtysh).

eth0 and eth1 on each gateway: Physical interfaces connected to the real network.



Advance preparation:


- HubGw (gateway1.example.com):
Set up a physical interface.

# sudo ifconfig eth0 192.168.0.10 netmask 255.255.255.0

Add a default route.
# sudo route add default gw 192.168.0.1

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

- SpokeGw1 (spoke1.example.com):
Set up physical interfaces.
eth0, eth1 and a routing table are configured according to your service provider's instructions.

# sudo ifconfig eth2 192.168.1.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

- SpokeGw2 (spoke2.example.com):
Set up physical interfaces.
eth0, eth1 and a routing table are configured according to your service provider's instructions.

# sudo ifconfig eth2 192.168.2.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1



- Router1 (Port Forwarding):
Set up physical interfaces.
eth0, eth1 and a routing table are configured according to your service provider's instructions.

# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 10.0.1.1 netmask 255.255.255.0
# sudo ifconfig eth2 192.168.0.1 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Forward packets destined to 10.0.0.1:500 (Router1) to 192.168.0.10:500 (HubGw).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.10:500

Forward packets destined to 10.0.0.1:4500 (Router1) to 192.168.0.10:4500 (HubGw).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.10:4500

Forward packets destined to 10.0.1.1:500 (Router1) to 192.168.0.10:500 (HubGw).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.1.1 --dport 500 -j DNAT --to-destination 192.168.0.10:500

Forward packets destined to 10.0.1.1:4500 (Router1) to 192.168.0.10:4500 (HubGw).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.1.1 --dport 4500 -j DNAT --to-destination 192.168.0.10:4500


The above configuration is lost when the machine is rebooted. To make it permanent, edit /etc/network/interfaces as shown here. This is an example for HubGw (gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1
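The port-forwarding rules on Router1 are the part of the preparation that is most often lost or half-applied after a reboot. The script below is an added example for this page, not Rockhopper's or Quagga's own code: it renders Router1's IKE/NAT-T forwarding as an iptables-restore ruleset that can be reloaded at boot, one DNAT rule per (WAN address, port) pair. It assumes (my assumptions, not the page's) that Router1's filter FORWARD chain may carry a DROP policy, so matching ACCEPT rules are emitted as well, and that only UDP 500/4500 need forwarding because a peer behind NAT negotiates NAT-T and ESP then travels inside UDP 4500.

```shell
#!/bin/sh
# Added example for this page (not Rockhopper's or Quagga's code): render
# Router1's IKE/NAT-T port forwarding as an iptables-restore ruleset so the
# same rules can be reloaded at boot instead of being retyped after a restart.
# Assumptions (mine): FORWARD may have a DROP policy, so ACCEPT rules are
# emitted too; only UDP 500/4500 are forwarded because ESP is carried inside
# UDP 4500 (NAT-T) for a peer behind NAT.

HUB_ADDR=${HUB_ADDR:-192.168.0.10}          # HubGw, the DNAT target
WAN_ADDRS=${WAN_ADDRS:-"10.0.0.1 10.0.1.1"} # Router1's two provider-facing addresses
IKE_PORTS="500 4500"                        # IKEv2 and NAT-T

# Print the nat-table rules: one DNAT per (WAN address, port) pair.
ike_dnat_rules() {
  for wan in $WAN_ADDRS; do
    for port in $IKE_PORTS; do
      printf -- '-A PREROUTING -p udp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$port" "$HUB_ADDR" "$port"
    done
  done
}

# Print the complete ruleset in iptables-restore format (nat + filter tables).
ike_forward_ruleset() {
  printf '*nat\n'
  ike_dnat_rules
  printf 'COMMIT\n'
  printf '*filter\n'
  # Let the forwarded IKE/NAT-T datagrams reach the hub, and its replies leave.
  printf -- '-A FORWARD -p udp -d %s -m multiport --dports 500,4500 -j ACCEPT\n' "$HUB_ADDR"
  printf -- '-A FORWARD -p udp -s %s -m multiport --sports 500,4500 -j ACCEPT\n' "$HUB_ADDR"
  printf 'COMMIT\n'
}

# Number of DNAT rules in the ruleset (2 addresses x 2 ports = 4 for this page).
dnat_rule_count() {
  ike_forward_ruleset | grep -c -- '-j DNAT'
}
```

Save the output to a file (for example /etc/iptables/ike-forward.rules) and load it from an `up` line in /etc/network/interfaces with `iptables-restore -n < /etc/iptables/ike-forward.rules`; `-n` (`--noflush`) merges the rules into the existing tables instead of replacing them, and conntrack translates the hub's replies back to the WAN address without further rules.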


- PKCS#12 files:

   - HubGw: gateway1.example.com.p12
   - SpokeGw1: spoke1.example.com.p12
   - SpokeGw2: spoke2.example.com.p12

   The certificate(X.509) for each node includes a subjectAltName(Host name/FQDN).
   - HubGw: gateway1.example.com (Host name/FQDN)
   - SpokeGw1: spoke1.example.com (Host name/FQDN)
   - SpokeGw2: spoke2.example.com (Host name/FQDN)

See "Documents/Tips: Managing certificates by XCA" to create each PKCS#12 file, which bundles the node's private key, its certificate (X.509) and the CA certificate (X.509).
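The page builds the PKCS#12 files with XCA. The script below is an added example for this page, not Rockhopper's code, showing the same result with openssl: a private CA plus one bundle per gateway whose certificate carries the FQDN as subjectAltName, and a check that the subjectAltName inside a bundle equals the FQDN the peers configure as "Peer ID" (IKEv2: Host Name(FQDN)). Running that check before importing a .p12 catches the mismatch that would otherwise fail in IKE_AUTH. The scratch directory, RSA-2048 keys, one-year validity and the export password (the one the page's My Key Store uses) are my assumptions.

```shell
#!/bin/sh
# Added example for this page (not Rockhopper's code; the page itself uses XCA):
# build a private CA and one PKCS#12 bundle per gateway with openssl, then
# verify that the subjectAltName in a bundle is the FQDN used as IKEv2 peer ID.
# Assumptions (mine): scratch directory CA_DIR, RSA-2048 keys, 1-year
# certificates, and the export password from the page's My Key Store pane.
set -eu

CA_DIR=${CA_DIR:-./rockhopper-pki}
P12_PASS=${P12_PASS:-himitsu}

# Create the CA key and a self-signed CA certificate.
make_ca() {
  mkdir -p "$CA_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# make_gw_p12 <fqdn>: key, CA-signed certificate with SAN DNS:<fqdn>, and the
# CA certificate, bundled as <fqdn>.p12.
make_gw_p12() {
  fqdn=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$CA_DIR/$fqdn.key" -out "$CA_DIR/$fqdn.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$CA_DIR/$fqdn.ext"
  openssl x509 -req -days 365 -in "$CA_DIR/$fqdn.csr" -CA "$CA_DIR/ca.crt" \
    -CAkey "$CA_DIR/ca.key" -CAcreateserial -extfile "$CA_DIR/$fqdn.ext" \
    -out "$CA_DIR/$fqdn.crt" 2>/dev/null
  openssl pkcs12 -export -name "$fqdn" -inkey "$CA_DIR/$fqdn.key" -in "$CA_DIR/$fqdn.crt" \
    -certfile "$CA_DIR/ca.crt" -passout "pass:$P12_PASS" -out "$CA_DIR/$fqdn.p12"
}

# p12_san <file.p12>: subjectAltName of the end-entity certificate in the
# bundle, printed as e.g. DNS:spoke1.example.com
p12_san() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# verify_gw_p12 <fqdn>: succeed only if <fqdn>.p12 carries exactly DNS:<fqdn>,
# i.e. the identity the peers will look for under "Peer ID: <fqdn>".
verify_gw_p12() {
  [ "$(p12_san "$CA_DIR/$1.p12")" = "DNS:$1" ]
}
```

Typical use is `make_ca`, then `make_gw_p12 gateway1.example.com`, `make_gw_p12 spoke1.example.com` and `make_gw_p12 spoke2.example.com`, followed by `verify_gw_p12 <fqdn>` for each file before it is imported under My Key Store. The check is also worth running on bundles produced by XCA, since the realm's "My ID Type: auto" takes the identity from the certificate and the other side matches it against the configured Peer ID.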



Configuring VPN:


HubGw (gateway1.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret; change these defaults before putting the gateway into service).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.

 - Configure a VPN realm for the primary path (Realm ID: 10).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Primary Path"
    Description: "Config for Primary Path."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.1
    Netmask: 255.255.255.248

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu


 - Similarly, configure a VPN realm for the secondary path (Realm ID: 20).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: "Secondary Path"
    Description: "Config for Secondary Path."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif20.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.9
    Netmask: 255.255.255.248

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface (HubGw is one-armed, so both realms use eth0).

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu



 - Finally, save these realms' configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.



Quagga configuration:


See Quagga's documentation for more detailed information.

/etc/quagga/daemons
  zebra=yes
  bgpd=no
  ospfd=yes
  ospf6d=no
  ripd=no
  ripngd=no
  isisd=no

/etc/quagga/debian.conf
  vtysh_enable=yes
  zebra_options=" --daemon -A 127.0.0.1"
  bgpd_options=" --daemon -A 127.0.0.1"
  ospfd_options=" --daemon -A 127.0.0.1"
  ospf6d_options="--daemon -A ::1"
  ripd_options=" --daemon -A 127.0.0.1"
  ripngd_options="--daemon -A ::1"
  isisd_options=" --daemon -A 127.0.0.1"

/etc/quagga/vtysh.conf
  !service integrated-vtysh-config
  hostname hubgw
  username root nopassword
  !


# sudo cp /usr/share/doc/quagga/examples/zebra.conf.sample /etc/quagga/zebra.conf
# sudo cp /usr/share/doc/quagga/examples/ospfd.conf.sample /etc/quagga/ospfd.conf


# sudo chown quagga:quaggavty /etc/quagga/*.conf
# sudo chmod 640 /etc/quagga/*.conf


# sudo /etc/init.d/quagga restart


# sudo vtysh
configure terminal
  interface rhpvif10
  !
  interface rhpvif20
    ip ospf cost 100
  !
  router ospf
    router-id 0.0.0.100
    network 192.168.0.0/24 area 0.0.0.0
    network 192.168.100.0/29 area 0.0.0.0
    network 192.168.100.8/29 area 0.0.0.0
  !
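Once OSPF is configured on the three gateways, the thing to verify is that both tunnel adjacencies come up and that, with the cost 100 set on rhpvif20, traffic to a spoke prefix leaves through rhpvif10 while the primary path is healthy and moves to rhpvif20 only when that adjacency is lost. The script below is an added example for this page, not Quagga's or Rockhopper's code; it works the same way on HubGw and on the spokes. It assumes Quagga's vtysh is on the PATH, and the sample tables embedded in it are constructed to mirror the column layout of "show ip ospf neighbor" and "show ip route ospf" on HubGw.

```shell
#!/bin/sh
# Added example for this page (not Quagga's or Rockhopper's code): check from a
# VPN gateway that the OSPF adjacencies over rhpvif10/rhpvif20 are Full and
# which tunnel a spoke prefix is currently routed through.
# Assumptions (mine): vtysh is on the PATH; the sample tables below are
# constructed to mirror "show ip ospf neighbor" / "show ip route ospf" on HubGw.

# Constructed sample: both spokes Full on rhpvif10, only SpokeGw1 Full on rhpvif20.
SAMPLE_NEIGHBORS='    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
0.0.0.90          1 Full/DR           38.123s 192.168.100.2   rhpvif10:192.168.100.1     0     0     0
0.0.0.80          1 Full/Backup       36.540s 192.168.100.3   rhpvif10:192.168.100.1     0     0     0
0.0.0.90          1 Full/DR           39.017s 192.168.100.10  rhpvif20:192.168.100.9     0     0     0
0.0.0.80          1 Init/DROther      31.902s 192.168.100.11  rhpvif20:192.168.100.9     0     0     0'

# Constructed sample: spoke prefixes selected (O>*) via the primary tunnel.
SAMPLE_ROUTES='O>* 192.168.1.0/24 [110/20] via 192.168.100.2, rhpvif10, 00:05:12
O>* 192.168.2.0/24 [110/20] via 192.168.100.3, rhpvif10, 00:04:58
O   192.168.100.0/29 [110/10] is directly connected, rhpvif10, 00:06:01
O   192.168.100.8/29 [110/100] is directly connected, rhpvif20, 00:06:01'

# full_neighbors_on <iface> <neighbor table>: number of Full adjacencies on <iface>.
full_neighbors_on() {
  printf '%s\n' "$2" | awk -v ifc="$1" '
    $3 ~ /^Full/ && index($6, ifc ":") == 1 { n++ }
    END { print n + 0 }'
}

# route_iface <prefix> <route table>: outgoing interface of the selected OSPF
# route for <prefix>; prints nothing if there is none.
route_iface() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "O>*" && $2 == p {
      for (i = 1; i <= NF; i++)
        if ($i == "via") { f = $(i + 2); sub(/,$/, "", f); print f; exit }
    }'
}

# path_status <prefix> <neighbor table> <route table>: primary, secondary or down.
path_status() {
  case "$(route_iface "$1" "$3")" in
    rhpvif10) echo primary ;;
    rhpvif20) echo secondary ;;
    *)        echo down ;;
  esac
}

# Live check on a gateway (needs vtysh), e.g. for Site1 seen from HubGw:
#   nbrs=$(vtysh -c 'show ip ospf neighbor'); rts=$(vtysh -c 'show ip route ospf')
#   path_status 192.168.1.0/24 "$nbrs" "$rts"
#   full_neighbors_on rhpvif20 "$nbrs"    # backup adjacencies available
```

A result of "primary" together with a zero count on rhpvif20 means the secondary path is configured but not usable, which is the state to alert on. Failover time is governed by OSPF's hello and dead intervals (10 s and 40 s by default); they can be shortened on the rhpvif interfaces with `ip ospf hello-interval` and `ip ospf dead-interval` in vtysh if 40 s is too long for the sites.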




SpokeGw1 (spoke1.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.

 - Configure a VPN realm for the primary path (Realm ID: 10).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Primary Path"
    Description: "Config for Example VPN."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.2
    Netmask: 255.255.255.248

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 (the primary, high-bandwidth link) as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): spoke1.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address on the primary link)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.


  8. Enable this VPN gateway (SpokeGw1) to send the realm ID to the responder (HubGw) in the IKE_AUTH exchange. Because the initiator (SpokeGw1) uses the same ID and certificate for both realms (Realm ID 10 and 20), the responder needs the received realm ID to decide which realm each VPN connection belongs to.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > IKE SA Settings[Left-Tree]: Click this tree node and show IKE SA Detailed Settings pane.

    - Click Add Setting button.

    - Add a New IKE SA Setting[Dialog]: Enter the following, then click OK button.

    Setting Name: send_realm_id
    Setting Value: enable


 - Similarly, configure a VPN realm for the secondary path (Realm ID: 20).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: "Secondary Path"
    Description: "Config for Example VPN."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif20.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.10
    Netmask: 255.255.255.248

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth1 (the secondary, low-bandwidth link) as a source interface, so that the secondary tunnel actually leaves through the secondary provider.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): spoke1.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.1.1 (Router1's global address on the secondary link; see Router1's port-forwarding rules above)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.


  8. Enable this VPN gateway (SpokeGw1) to send the realm ID to the responder (HubGw) in the IKE_AUTH exchange.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > IKE SA Settings[Left-Tree]: Click this tree node and show IKE SA Detailed Settings pane.

    - Click Add Setting button.

    - Add a New IKE SA Setting[Dialog]: Enter the following, then click OK button.

    Setting Name: send_realm_id
    Setting Value: enable



 - Finally, save these realms' configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.


Quagga configuration:


# sudo vtysh
configure terminal
  interface rhpvif10
  !
  interface rhpvif20
    ip ospf cost 100
  !
  router ospf
    router-id 0.0.0.90
    network 192.168.1.0/24 area 0.0.0.0
    network 192.168.100.0/29 area 0.0.0.0
    network 192.168.100.8/29 area 0.0.0.0
  !




SpokeGw2 (spoke2.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.

 - Configure a VPN realm for the primary path (Realm ID: 10).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Primary Path"
    Description: "Config for Example VPN."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.3
    Netmask: 255.255.255.248

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 (the primary, high-bandwidth link) as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): spoke2.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address on the primary link)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.

  8. Enable this VPN gateway (SpokeGw2) to send the realm ID to the responder (HubGw) in the IKE_AUTH exchange.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Primary Path(Router)[Left-Tree] > IKE SA Settings[Left-Tree]: Click this tree node and show IKE SA Detailed Settings pane.

    - Click Add Setting button.

    - Add a New IKE SA Setting[Dialog]: Enter the following, then click OK button.

    Setting Name: send_realm_id
    Setting Value: enable


 - Similarly, configure a VPN realm for the secondary path (Realm ID: 20).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: "Secondary Path"
    Description: "Config for Example VPN."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif20.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.11
    Netmask: 255.255.255.248

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth1 (the secondary, low-bandwidth link) as a source interface, so that the secondary tunnel actually leaves through the secondary provider.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): spoke2.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.1.1 (Router1's global address on the secondary link; see Router1's port-forwarding rules above)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.

  8. Enable this VPN gateway (SpokeGw2) to send the realm ID to the responder (HubGw) in the IKE_AUTH exchange.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Secondary Path(Router)[Left-Tree] > IKE SA Settings[Left-Tree]: Click this tree node and show IKE SA Detailed Settings pane.

    - Click Add Setting button.

    - Add a New IKE SA Setting[Dialog]: Enter the following, then click OK button.

    Setting Name: send_realm_id
    Setting Value: enable



 - Finally, save these realms' configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.


Quagga configuration:


# sudo vtysh
configure terminal
  interface rhpvif10
  !
  interface rhpvif20
    ip ospf cost 100
  !
  router ospf
    router-id 0.0.0.80
    network 192.168.2.0/24 area 0.0.0.0
    network 192.168.100.0/29 area 0.0.0.0
    network 192.168.100.8/29 area 0.0.0.0
  !
