VPN example:
Site-to-Site VPN (Mesh), Router (Routing-based VPN), Dynamic routing(OSPF), Quagga, Behind a NAT/NAPT and certificate (PKCS#12/X.509).


The following image shows the example meshed VPN for this scenario.

Ubuntu is installed on MeshGw0, MeshGw1, MeshGw2 and Router1.

Rockhopper VPN software and Quagga are installed on MeshGw0, MeshGw1 and MeshGw2.

Three VPN connections are established between MeshGw0, MeshGw1 and MeshGw2. Each of these three gateways works as a router between Site0, Site1 and Site2, and in addition provides a redundant path for the other two sites. For example, when the VPN connection between MeshGw0 and MeshGw1 is not available because of a temporary network failure, packets from Site0 to Site1 are forwarded from MeshGw0 to MeshGw1 via MeshGw2.

Quagga's OSPFv2 service is enabled on each gateway (MeshGw0, MeshGw1 and MeshGw2) and it exchanges routing information between the sites.

To let the OSPFv2 service handle the two paths to the other sites separately, each VPN gateway needs two VPN Tunnel/TAP interfaces (virtual interfaces). Rockhopper creates a single VPN interface for each VPN realm, so two VPN realms are configured on each gateway.
In MeshGw0's case, one is for the VPN connection with MeshGw1 (VPN realm ID: 10 and the rhpvif10 interface) and the other is for the connection with MeshGw2 (VPN realm ID: 20 and the rhpvif20 interface). Also see "Documents/What is a VPN Realm?".

RSA-Signature (certificate) is used as the authentication method for all the VPN gateways.

MeshGw0 is deployed in a one-armed configuration and is located behind a NAT (NAPT). Therefore, the default gateway for an internal server in Site0 is not Router1 (192.168.0.1/24) but MeshGw0 (192.168.0.10/24).

Router1 provides a Port Forwarding service.

If you want to configure a VPN connection between Site1 and Site2 as a backup path, see "Appendix: Configure a VPN connection Site1-Site2 as a backup path."



[Image: sample0, the example meshed VPN topology for this scenario]

rhpvif10, rhpvif20 and/or rhpvif30 on each gateway: a virtual interface (a Tunnel/TAP interface) used to reach the protected network. "10", "20" or "30" is the VPN realm ID. These interfaces are created automatically by the Rockhopper VPN service and are configured from the Rockhopper Web console, not with system tools such as the ifconfig command. You can still see the interface's information from Quagga's terminal (vtysh).

eth0 and eth1 on each gateway: real interfaces attached to the physical network.



Advance preparation:


- MeshGw0 (meshgw0.example.com):
Set up the physical interface.

# sudo ifconfig eth0 192.168.0.10 netmask 255.255.255.0

Add a default route.
# sudo route add default gw 192.168.0.1

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

- MeshGw1 (meshgw1.example.com):
Set up the physical interfaces.
eth0 and the routing table are configured according to your service provider's instructions.
# sudo ifconfig eth0 10.0.0.2 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.1.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

- MeshGw2 (meshgw2.example.com):
Set up the physical interfaces.
eth0 and the routing table are configured according to your service provider's instructions.
# sudo ifconfig eth0 10.0.0.3 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.2.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1



- Router1 (Port Forwarding):
Set up the physical interfaces.
eth0 and the routing table are configured according to your service provider's instructions.

# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.0.1 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Forward IKE packets destined to 10.0.0.1:500 (Router1) to 192.168.0.10:500 (MeshGw0).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.10:500

Forward IKE/NAT-T packets destined to 10.0.0.1:4500 (Router1) to 192.168.0.10:4500 (MeshGw0).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.10:4500


The above configuration is lost when you restart the computer. To make it permanent, edit /etc/network/interfaces like this. This is an example for MeshGw0 (meshgw0.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1


- PKCS#12 files:

   - MeshGw0: meshgw0.example.com.p12
   - MeshGw1: meshgw1.example.com.p12
   - MeshGw2: meshgw2.example.com.p12

   The certificate (X.509) for each node includes a subjectAltName (host name/FQDN).
   - MeshGw0: meshgw0.example.com (Host name/FQDN)
   - MeshGw1: meshgw1.example.com (Host name/FQDN)
   - MeshGw2: meshgw2.example.com (Host name/FQDN)

See "Documents/Tips: Managing certificates by XCA" to create each PKCS#12 file, which includes a private key, a certificate (X.509) and a CA certificate (X.509).



Configuring VPN:


MeshGw0: (meshgw0.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.

 - Configure a VPN realm for the VPN connection with MeshGw1 (Realm ID: 10).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "To MeshGw1"
    Description: "Config for MeshGw1."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw1(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.1
    Netmask: 255.255.255.252

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw1(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw1(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Mesh Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw1(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): meshgw0.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw1(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: meshgw1.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw1(Router)[Left-Tree] > Peers[Left-Tree] > meshgw1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: meshgw1.example.com(FQDN) pane.

    - Enter the following.

    This peer's Network Deployment: Mesh Node


 - Similarly, configure a VPN realm for the VPN connection with MeshGw2 (Realm ID: 20).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: "To MeshGw2"
    Description: "Config for MeshGw2."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw2(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif20.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.5
    Netmask: 255.255.255.252

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw2(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw2(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Mesh Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw2(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): meshgw0.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw2(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: meshgw2.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw2(Router)[Left-Tree] > Peers[Left-Tree] > meshgw2.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: meshgw2.example.com(FQDN) pane.

    - Enter the following.

    This peer's Network Deployment: Mesh Node



 - Finally, save these realms' configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.



Quagga configuration:


See Quagga's documentation for more detailed information.

/etc/quagga/daemons
  zebra=yes
  bgpd=no
  ospfd=yes
  ospf6d=no
  ripd=no
  ripngd=no
  isisd=no

/etc/quagga/debian.conf
  vtysh_enable=yes
  zebra_options=" --daemon -A 127.0.0.1"
  bgpd_options=" --daemon -A 127.0.0.1"
  ospfd_options=" --daemon -A 127.0.0.1"
  ospf6d_options="--daemon -A ::1"
  ripd_options=" --daemon -A 127.0.0.1"
  ripngd_options="--daemon -A ::1"
  isisd_options=" --daemon -A 127.0.0.1"

/etc/quagga/vtysh.conf
  !service integrated-vtysh-config
  hostname meshgw0
  username root nopassword
  !


# sudo cp /usr/share/doc/quagga/examples/zebra.conf.sample /etc/quagga/zebra.conf
# sudo cp /usr/share/doc/quagga/examples/ospfd.conf.sample /etc/quagga/ospfd.conf


# sudo chown quagga:quaggavty /etc/quagga/*.conf
# sudo chmod 640 /etc/quagga/*.conf


# sudo /etc/init.d/quagga restart


# sudo vtysh
configure terminal
  router ospf
    router-id 0.0.0.100
    network 192.168.0.0/24 area 0.0.0.0
    network 192.168.100.0/30 area 0.0.0.0
    network 192.168.100.4/30 area 0.0.0.0
  !




MeshGw1: (meshgw1.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.

 - Configure a VPN realm for the VPN connection with MeshGw0 (Realm ID: 10).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "To MeshGw0"
    Description: "Config for MeshGw0."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw0(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.2
    Netmask: 255.255.255.252

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw0(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw0(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Mesh Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw0(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): meshgw1.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw0(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: meshgw0.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:To MeshGw0(Router)[Left-Tree] > Peers[Left-Tree] > meshgw0.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: meshgw0.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address, port-forwarded to MeshGw0)
    This peer's Network Deployment: Mesh Node
    Always-on connection: Check Enabled.


 - Similarly, configure a VPN realm for the VPN connection with MeshGw2 (Realm ID: 30).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 30
    Realm Name: "To MeshGw2"
    Description: "Config for MeshGw2."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw2(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif30.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.9
    Netmask: 255.255.255.252

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw2(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw2(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Mesh Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw2(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): meshgw1.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw2(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: meshgw2.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw2(Router)[Left-Tree] > Peers[Left-Tree] > meshgw2.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: meshgw2.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.3 (MeshGw2's global address)
    This peer's Network Deployment: Mesh Node
    Always-on connection: Check Enabled.



 - Finally, save these realms' configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.



Quagga configuration:


See Quagga's documentation for more detailed information.

# sudo vtysh
configure terminal
  router ospf
    router-id 0.0.0.90
    network 192.168.1.0/24 area 0.0.0.0
    network 192.168.100.0/30 area 0.0.0.0
    network 192.168.100.8/30 area 0.0.0.0
  !




MeshGw2: (meshgw2.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.

 - Configure a VPN realm for the VPN connection with MeshGw0 (Realm ID: 20).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: "To MeshGw0"
    Description: "Config for MeshGw0."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw0(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif20.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.6
    Netmask: 255.255.255.252

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw0(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw0(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Mesh Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw0(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): meshgw2.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw0(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: meshgw0.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:To MeshGw0(Router)[Left-Tree] > Peers[Left-Tree] > meshgw0.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: meshgw0.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address, port-forwarded to MeshGw0)
    This peer's Network Deployment: Mesh Node
    Always-on connection: Check Enabled.


 - Similarly, configure a VPN realm for the VPN connection with MeshGw1 (Realm ID: 30).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 30
    Realm Name: "To MeshGw1"
    Description: "Config for MeshGw1."
    Mode: Router

  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw1(Router)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif30.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.10
    Netmask: 255.255.255.252

  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw1(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw1(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Mesh Node.

  5. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw1(Router)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): meshgw2.example.com.p12
    RSA Private Key's Password: himitsu

  6. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw1(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: meshgw1.example.com

  7. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 30:To MeshGw1(Router)[Left-Tree] > Peers[Left-Tree] > meshgw1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: meshgw1.example.com(FQDN) pane.

    - Enter the following.

    This peer's Network Deployment: Mesh Node



 - Finally, save these realms' configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.



Quagga configuration:


See Quagga's documentation for more detailed information.

# sudo vtysh
configure terminal
  router ospf
    router-id 0.0.0.80
    network 192.168.2.0/24 area 0.0.0.0
    network 192.168.100.4/30 area 0.0.0.0
    network 192.168.100.8/30 area 0.0.0.0
  !
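Before typing the six realms and three OSPF configurations above into the Web console and vtysh, it pays to check the addressing plan once: a copy-paste slip that puts one end of a tunnel in the wrong /30, or leaves an rhpvif outside every OSPF network statement, only shows up later as an adjacency that never comes up. The checker below is an added example written for this page, not code from Rockhopper or Quagga. It encodes the rhpvif addresses, site-side addresses, router-ids and network statements from the sections above as a constructed data structure, assumes this page's convention that both ends of one tunnel share a realm ID (that is a convention of this example, not a stated Rockhopper requirement), and uses a hypothetical with_mistake helper only to show what a wrong entry looks like.

```python
from copy import deepcopy
from ipaddress import ip_interface, ip_network

# Constructed from this page: per gateway, the address given to each rhpvifNN
# (keyed by realm ID), the site-side address from "Advance preparation", and the
# OSPF router-id and "network ... area" statements typed into vtysh.
GATEWAYS = {
    "meshgw0": {
        "realms": {10: "192.168.100.1/30", 20: "192.168.100.5/30"},
        "lan": "192.168.0.10/24",
        "router_id": "0.0.0.100",
        "ospf_networks": ["192.168.0.0/24", "192.168.100.0/30", "192.168.100.4/30"],
    },
    "meshgw1": {
        "realms": {10: "192.168.100.2/30", 30: "192.168.100.9/30"},
        "lan": "192.168.1.10/24",
        "router_id": "0.0.0.90",
        "ospf_networks": ["192.168.1.0/24", "192.168.100.0/30", "192.168.100.8/30"],
    },
    "meshgw2": {
        "realms": {20: "192.168.100.6/30", 30: "192.168.100.10/30"},
        "lan": "192.168.2.10/24",
        "router_id": "0.0.0.80",
        "ospf_networks": ["192.168.2.0/24", "192.168.100.4/30", "192.168.100.8/30"],
    },
}


def check_plan(gateways):
    """Return a list of problems found in the addressing plan (empty = consistent).

    Assumption (this page's convention, not a stated Rockhopper requirement): the two
    ends of one tunnel use the same realm ID, so each realm ID appears on exactly two
    gateways and both ends sit in one /30.
    """
    problems = []

    # 1. Each realm is a point-to-point tunnel: two endpoints, one /30, distinct hosts.
    endpoints = {}
    for gw, cfg in gateways.items():
        for realm in cfg["realms"]:
            endpoints.setdefault(realm, []).append(gw)
    for realm, members in sorted(endpoints.items()):
        if len(members) != 2:
            problems.append(f"realm {realm}: expected 2 endpoints, found {members}")
            continue
        a, b = members
        ia = ip_interface(gateways[a]["realms"][realm])
        ib = ip_interface(gateways[b]["realms"][realm])
        if ia.network != ib.network:
            problems.append(f"realm {realm}: {a} is in {ia.network} but {b} is in {ib.network}")
        elif ia.ip == ib.ip:
            problems.append(f"realm {realm}: {a} and {b} both use {ia.ip}")

    # 2. OSPF only runs on interfaces matched by a 'network' statement, so every
    #    rhpvifNN and the site-side interface must be covered by one.
    for gw, cfg in gateways.items():
        nets = [ip_network(n) for n in cfg["ospf_networks"]]
        addrs = {f"rhpvif{r}": a for r, a in cfg["realms"].items()}
        addrs["lan"] = cfg["lan"]
        for name, addr in addrs.items():
            ip = ip_interface(addr).ip
            if not any(ip in n for n in nets):
                problems.append(f"{gw}: {name} ({ip}) is not covered by any OSPF network statement")

    # 3. Duplicate router-ids corrupt the link-state database, so they must be unique.
    rids = [cfg["router_id"] for cfg in gateways.values()]
    for rid in sorted(set(rids)):
        if rids.count(rid) > 1:
            problems.append(f"router-id {rid} is used by {rids.count(rid)} gateways")

    return problems


def with_mistake(gateways, gw, realm, addr):
    """Hypothetical helper: copy of the plan with one rhpvif address changed."""
    bad = deepcopy(gateways)
    bad[gw]["realms"][realm] = addr
    return bad


if __name__ == "__main__":
    print("page plan:", check_plan(GATEWAYS) or "OK")
    # Constructed mistake: MeshGw2's rhpvif20 typed as .9/30, which belongs to realm 30's /30.
    for p in check_plan(with_mistake(GATEWAYS, "meshgw2", 20, "192.168.100.9/30")):
        print("problem:", p)
```

The plan on this page passes all three checks. The same checker run on a copy with a single mistyped rhpvif address reports the realm whose two ends no longer share a /30, which is the symptom that would otherwise appear only as a tunnel whose OSPF neighbour never reaches Full.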




Appendix: Configure a VPN connection Site1-Site2 as a backup path.



[Image: sample0, the meshed VPN topology with the MeshGw1-MeshGw2 connection as a backup path]

In this scenario, packets from Site1 to Site2 are normally forwarded via MeshGw0. When a network failure between MeshGw0 and MeshGw1/MeshGw2 occurs, the VPN connection MeshGw1-MeshGw2 is used instead.

For this scenario, simply increase the OSPF interface cost of rhpvif30 on MeshGw1 and MeshGw2 like this:


Quagga configuration for MeshGw1 and MeshGw2:


# sudo vtysh
configure terminal
  interface rhpvif30
    ip ospf cost 100
  !
  router ospf
    ....
  !
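To see why raising the cost of rhpvif30 turns MeshGw1-MeshGw2 into a backup path, and why the mesh described at the top of this page keeps Site1 reachable from Site0 when the MeshGw0-MeshGw1 connection fails, the OSPF route selection can be reproduced as a shortest-path computation over the three tunnels. This is an added example, not code from this page, Rockhopper or Quagga: the topology is constructed from the page, the default link cost of 10 is an assumed placeholder (Quagga derives the real default from interface bandwidth), and the cost is modelled as symmetric because the appendix sets it on both MeshGw1 and MeshGw2.

```python
import heapq

# Constructed from this page: one VPN realm (one /30 tunnel) per gateway pair.
REALM_LINKS = {
    10: ("meshgw0", "meshgw1"),
    20: ("meshgw0", "meshgw2"),
    30: ("meshgw1", "meshgw2"),
}
# Which gateway fronts which site (from the page's topology).
SITE_GATEWAY = {"site0": "meshgw0", "site1": "meshgw1", "site2": "meshgw2"}
# Assumed placeholder: Quagga computes the real default from interface bandwidth.
DEFAULT_COST = 10


def link_costs(rhpvif30_cost=DEFAULT_COST):
    """OSPF cost per realm. The appendix raises only rhpvif30 (realm 30), on both
    MeshGw1 and MeshGw2, so one symmetric cost per link is enough here."""
    costs = {realm: DEFAULT_COST for realm in REALM_LINKS}
    costs[30] = rhpvif30_cost
    return costs


def shortest_path(src, dst, costs, failed=frozenset()):
    """Dijkstra over the gateway mesh, i.e. what OSPF's SPF run does with the LSDB.

    `failed` holds realm IDs whose tunnel is down; those links are left out of the
    graph, which is what happens when the adjacency over that rhpvif drops.
    Returns (total_cost, [gateways on the path]) or (None, []) if unreachable.
    """
    adjacency = {}
    for realm, (a, b) in REALM_LINKS.items():
        if realm in failed:
            continue
        adjacency.setdefault(a, []).append((b, costs[realm]))
        adjacency.setdefault(b, []).append((a, costs[realm]))

    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale queue entry
        if node == dst:
            break
        for nxt, cost in adjacency.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))

    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def site_path(src_site, dst_site, costs, failed=frozenset()):
    """Gateway path taken by traffic from one site to another."""
    return shortest_path(SITE_GATEWAY[src_site], SITE_GATEWAY[dst_site], costs, failed)


if __name__ == "__main__":
    # Failover from the page's introduction: realm 10 (MeshGw0-MeshGw1) is down.
    print("site0 -> site1, realm 10 down:", site_path("site0", "site1", link_costs(), {10}))
    # Appendix: rhpvif30 costs 100, so Site1 -> Site2 normally goes through MeshGw0 ...
    print("site1 -> site2, cost 100:", site_path("site1", "site2", link_costs(100)))
    # ... and uses the direct tunnel only once MeshGw0 is unreachable.
    print("site1 -> site2, cost 100, realms 10 and 20 down:",
          site_path("site1", "site2", link_costs(100), {10, 20}))
```

With equal costs the direct MeshGw1-MeshGw2 tunnel wins for Site1 to Site2 traffic; with rhpvif30 at cost 100 the two-hop path through MeshGw0 (cost 20) is preferred and the direct tunnel is used only when the realms towards MeshGw0 are down, which is exactly the backup behaviour the appendix describes.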


