Channel: Virtual Router/Firewall/VPN topics

v5600 IPSec throughput

Dear community,

I'm evaluating the following:

- v5600 routers deployed in NFV style (Industry-Standard Hardware, deployed on KVM hypervisors, DPDK to enable multiple Virtual Routers on one physical hypervisor)

- IPSec Site-2-Site VPNs in hub-spoke architecture (about 400 sites terminating at 1 headquarters datacenter)

- NFV orchestration with HPE NFV Director (automation to deploy v5600 nodes)

What IPSec performance can I expect for one vSR 5600 Software Router?

Are there any HW Encryption cards supported (Intel Quick Assist)?

What is the ideal setup for this NFV deployment that is proven and you would recommend?

Please support me, I'm new to Brocade products.

Kind regards,

Michael


Brocade vRouter 5600 17.1.1 AWS VPN with Public IP Encryption Domain


Hello,

This post is in relation to a previous post:

Brocade vRouter 5410 6.7 R11S3 AWS VPN with Public IP Encryption Domain

Unfortunately, I had been assigned to another project, so this issue was parked until now.

A little recap on what I am trying to achieve.

2 VPN tunnels between a single vRouter hosted in AWS and a customer site.

There is an EC2 instance on the AWS side, in a private subnet, which can communicate with the vRouter.

This EC2 instance's private IP has been NATed to an encryption domain on the AWS side and needs to speak with the customer's encryption domain over the IPSEC tunnel. Logically it looks like this:

Customer                                AWS
Enc Domain    Peer        Peer       Enc Domain    Web Server
1.1.1.1       2.2.2.1     3.3.3.1    4.4.4.1       5.5.5.200
1.1.1.2       2.2.2.2

The vRouter for this environment has been upgraded to 5600 17.1.1 with some config changes to support the new CLI.

I am now at the same stage as before:

IPSEC tunnels are up but I am not seeing any traffic traversing.

Peer ID / IP    Local ID / IP
------------    -------------
2.2.2.2         5.5.5.12

  Description: UAT
  Tunnel  Id   State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
  ------  ---  -----  ------------  -------  ----  --  ------  ------
  1       246  up     0.0/0.0       3des     md5   2   959     3600

Peer ID / IP    Local ID / IP
------------    -------------
2.2.2.1         10.168.65.12

  Description: UAT
  Tunnel  Id   State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
  ------  ---  -----  ------------  -------  ----  --  ------  ------
  1       245  up     0.0/0.0       3des     md5   2   2246    3600

I can see the EC2 instance hitting the vRouter and NATing to the correct encryption domain on the AWS side. But nothing appears to be traversing the VPN.

Pre-NAT          Post-NAT       Prot  Timeout
5.5.5.200:59861  4.4.4.1:59861  tcp   18
5.5.5.200:35915  4.4.4.1:35915  tcp   28

If anyone can assist with debugging this issue that would be appreciated. All addresses have been anonymised.

 

set interfaces dataplane dp0s0 address 'dhcp'
set interfaces loopback 'lo'
set protocols static route 1.1.1.1/32 next-hop '2.2.2.1'
set protocols static route 1.1.1.2/32 next-hop '2.2.2.2'
set security vpn ipsec auto-update '30'
set security vpn ipsec esp-group espExt compression 'disable'
set security vpn ipsec esp-group espExt lifetime '3600'
set security vpn ipsec esp-group espExt mode 'tunnel'
set security vpn ipsec esp-group espExt pfs 'disable'
set security vpn ipsec esp-group espExt proposal 1 encryption '3des'
set security vpn ipsec esp-group espExt proposal 1 hash 'md5'
set security vpn ipsec ike-group ikeExt dead-peer-detection action 'restart'
set security vpn ipsec ike-group ikeExt dead-peer-detection interval '15'
set security vpn ipsec ike-group ikeExt dead-peer-detection timeout '30'
set security vpn ipsec ike-group ikeExt lifetime 86400
set security vpn ipsec ike-group ikeExt proposal 1 dh-group '2'
set security vpn ipsec ike-group ikeExt proposal 1 encryption '3des'
set security vpn ipsec ike-group ikeExt proposal 1 hash 'md5'
set security vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set security vpn ipsec nat-traversal 'enable'
set security vpn ipsec site-to-site peer 2.2.2.2 authentication id '3.3.3.1'
set security vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'sharedkey1'
set security vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
set security vpn ipsec site-to-site peer 2.2.2.2 default-esp-group 'espExt'
set security vpn ipsec site-to-site peer 2.2.2.2 description 'UAT'
set security vpn ipsec site-to-site peer 2.2.2.2 ike-group 'ikeExt'
set security vpn ipsec site-to-site peer 2.2.2.2 local-address '5.5.5.12'
set security vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix '4.4.4.1/32'
set security vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix '1.1.1.2/32'
set security vpn ipsec site-to-site peer 2.2.2.1 authentication id '3.3.3.1'
set security vpn ipsec site-to-site peer 2.2.2.1 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 2.2.2.1 authentication pre-shared-secret 'sharedkey2!'
set security vpn ipsec site-to-site peer 2.2.2.1 connection-type 'initiate'
set security vpn ipsec site-to-site peer 2.2.2.1 default-esp-group 'espExt'
set security vpn ipsec site-to-site peer 2.2.2.1 description 'UAT'
set security vpn ipsec site-to-site peer 2.2.2.1 ike-group 'ikeExt'
set security vpn ipsec site-to-site peer 2.2.2.1 local-address '5.5.5.12'
set security vpn ipsec site-to-site peer 2.2.2.1 tunnel 1 local prefix '4.4.4.1/32'
set security vpn ipsec site-to-site peer 2.2.2.1 tunnel 1 remote prefix '1.1.1.1/32'
set service https http-redirect 'disable'
set service nat source rule 10 description '5.5.5.200 > 1.1.1.1'
set service nat source rule 10 destination address '1.1.1.1'
set service nat source rule 10 outbound-interface 'dp0s0'
set service nat source rule 10 'source'
set service nat source rule 10 translation address '4.4.4.1'
set service nat source rule 20 description '5.5.5.200 > 1.1.1.2'
set service nat source rule 20 destination address '1.1.1.2'
set service nat source rule 20 outbound-interface 'dp0s0'
set service nat source rule 20 'source'
set service nat source rule 20 translation address '4.4.4.1'
set system host-name 'ec2instance'
set system name-server '5.5.5.2'
set system ntp server '0.vyatta.pool.ntp.org'
set system ntp server '1.vyatta.pool.ntp.org'
set system ntp server '2.vyatta.pool.ntp.org'

Thank you,

Scott
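As an added example (not from the post or from Brocade), a Python check that parses 'set' lines in the format above and confirms that each source-NAT rule's translated and destination addresses are covered by the local/remote prefix of some site-to-site tunnel, and that flags weak IKE/ESP algorithms. The sample config is constructed from the anonymised rules above plus one deliberately unmatched rule (rule 30) to show the failure case.

```python
"""Consistency check for a Vyatta/Brocade vRouter IPsec + source-NAT config.

Parses 'set ...' lines and verifies that each source-NAT rule's translated
address and destination fall inside the local/remote prefix of a configured
site-to-site tunnel. Traffic that is NATed to an address outside every
tunnel selector is never protected by IPsec, which is one reason an 'up'
tunnel can still show 0.0/0.0 bytes.
"""
import ipaddress
import re
import shlex
from collections import defaultdict

# Constructed sample: the anonymised rules from the post, trimmed to the
# keys this check needs, plus one deliberately broken rule (rule 30).
SAMPLE_CONFIG = """
set security vpn ipsec esp-group espExt proposal 1 encryption '3des'
set security vpn ipsec esp-group espExt proposal 1 hash 'md5'
set security vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix '4.4.4.1/32'
set security vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix '1.1.1.2/32'
set security vpn ipsec site-to-site peer 2.2.2.1 tunnel 1 local prefix '4.4.4.1/32'
set security vpn ipsec site-to-site peer 2.2.2.1 tunnel 1 remote prefix '1.1.1.1/32'
set service nat source rule 10 destination address '1.1.1.1'
set service nat source rule 10 outbound-interface 'dp0s0'
set service nat source rule 10 translation address '4.4.4.1'
set service nat source rule 20 destination address '1.1.1.2'
set service nat source rule 20 outbound-interface 'dp0s0'
set service nat source rule 20 translation address '4.4.4.1'
set service nat source rule 30 destination address '1.1.1.3'
set service nat source rule 30 outbound-interface 'dp0s0'
set service nat source rule 30 translation address '4.4.4.9'
"""

# Algorithms that should be flagged when they appear in an IKE/ESP proposal.
WEAK_ALGS = {"des", "3des", "md5", "sha1"}

TUNNEL_RE = re.compile(
    r"security vpn ipsec site-to-site peer (\S+) tunnel (\d+) (local|remote) prefix")
NAT_RE = re.compile(r"service nat source rule (\d+) (destination|translation) address")


def parse_set_lines(text):
    """Return (tunnels, nat_rules, weak).

    tunnels:   {(peer, tunnel_id): {'local': net, 'remote': net}}
    nat_rules: {rule_id: {'destination': addr, 'translation': addr}}
    weak:      [(config path, value)] for weak cipher/hash choices
    """
    tunnels, nat_rules, weak = {}, defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)          # strips the quotes around values
        path, value = " ".join(tokens[1:-1]), tokens[-1]
        m = TUNNEL_RE.fullmatch(path)
        if m:
            key = (m.group(1), int(m.group(2)))
            tunnels.setdefault(key, {})[m.group(3)] = ipaddress.ip_network(value)
            continue
        m = NAT_RE.fullmatch(path)
        if m:
            nat_rules[int(m.group(1))][m.group(2)] = ipaddress.ip_address(value)
            continue
        if path.endswith((" encryption", " hash")) and value.lower() in WEAK_ALGS:
            weak.append((path, value))
    return tunnels, dict(nat_rules), weak


def check_nat_against_tunnels(tunnels, nat_rules):
    """Map each NAT rule id to the (peer, tunnel) whose selectors cover it, or None.

    A rule is covered when its translation address lies inside the tunnel's
    local prefix and its destination address inside the remote prefix.
    """
    result = {}
    for rule_id, rule in sorted(nat_rules.items()):
        result[rule_id] = None
        if "destination" not in rule or "translation" not in rule:
            continue
        for key, sel in tunnels.items():
            if ("local" in sel and "remote" in sel
                    and rule["translation"] in sel["local"]
                    and rule["destination"] in sel["remote"]):
                result[rule_id] = key
                break
    return result


def report(text):
    """Human-readable summary; returns the lines so callers can test them."""
    tunnels, nat_rules, weak = parse_set_lines(text)
    lines = []
    for rule_id, match in check_nat_against_tunnels(tunnels, nat_rules).items():
        r = nat_rules[rule_id]
        if match:
            lines.append(f"rule {rule_id}: {r['translation']} -> {r['destination']} "
                         f"covered by peer {match[0]} tunnel {match[1]}")
        else:
            lines.append(f"rule {rule_id}: {r.get('translation')} -> {r.get('destination')} "
                         f"matches NO tunnel selector, so it is not protected by IPsec")
    for path, value in weak:
        lines.append(f"weak algorithm '{value}' at: {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```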

Known issue or minor bugs on vrouter 5600

We plan to migrate from v5400 to 5600 because of the Vyatta 5400 EOS.

I want to know the considerations for migrating to 5600 and the known bugs.

Also, when will the new version be released?

Please let me know.

Both the vRouter (Vyatta) 5400 and 5600 are going EOL/EOS in a very short time, no replacement?!

Change from dhcp to static address on eth0

Hello,

I seem to be having trouble changing eth0 from dhcp to a static address. When changed using the below commands, the Vyatta starts the process then becomes unavailable. A reboot is then required to restore the last known saved config before the commit.

delete interface ethernet eth0 dhcp
set interface ethernet eth0 address 10.168.64.4/28
commit

The CLI returns

[ interfaces ethernet eth0 address dhcp ]
Stopping DHCP client on eth0 ...

This has been tested on vRouter 4500 and vRouter 5600 with the same outcome. All Vyattas are running on AWS.

I have a vRouter 4500 in a HA configuration which was implemented before my time and it has a static address assigned to both instances. Can anyone explain why this might be happening?

My environment is hosted in AWS.

Thanks,

Scott

ipsec Remote access L2tp connection - not able to access from client to remote server vyatta

Hi,

I have configured an L2TP/IPsec remote access VPN on a Vyatta 5400 router. I am able to establish the L2TP connection and the client user can be seen connected in the VPN status; however, I am unable to ping or SSH from the client Windows 7 host IP 192.168.100.101 (assigned after connecting to the remote access VPN) to reach destination IP 10.170.114.22.

I am able to ping the remote-address x.x.x.x.

The strange thing is that if I log in to server 10.170.114.22 I can ping 192.168.100.101, but vice versa is not happening.

Is the remote-nexthop command required? I have added it and the name server also.

What could be the issue to look into? Are there any changes to be made at the client host IP 192.168.100.101?

Exactly similar config done. No firewall port is blocked.

set vpn ipsec ipsec-interfaces interface <OUTSIDE PUBLIC INT>
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn l2tp remote-access outside-address <OUTSIDE PUBLIC IP>
set vpn l2tp remote-access client-ip-pool start <x.x.x.x>
set vpn l2tp remote-access client-ip-pool stop <x.x.x.x>

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <passphrase>
set vpn l2tp remote-access authentication mode local

set vpn l2tp remote-access authentication local-users username test password abc123

vRouter 5600 5.2R5 firewall drop return packets

Hello

I am configuring vRouter 5600 (5.2R5), especially the interface-based firewall.

I have heard of a specification change regarding the stateful firewall from Release 5.1
(The vRouter with the stateful firewall feature enabled globally doesn't generate accept rules automatically for the return packets which arrive at the outside interface.)

I have a question about the firewall configuration to permit traffic initiated by the vRouter itself
(such as NTP, DNS lookup, ICMP, SSH login to other routers).

When the above types of communication are issued, they bypass the "local" firewall and "in" firewall, then the return packets are dropped by the "local" firewall or "in" firewall.

If I add accept rules for the return packets, this traffic is no longer dropped, but I want to avoid this configuration because it's complicated.

Is it possible to configure the firewall to accept return packets without adding accept rules?

Thank you

vrouter 5600 applying local filter using zone-configuration

I'm trying to figure out how to apply a local-zone filter in a zone policy on the 5600. I want to filter the inbound traffic to the Vyatta itself. On the 5400 that was accomplished by creating zone local on the interface, which does not seem to be possible on the 5600. I realize that I can still apply a local filter in an interface-based policy, but I would like to be able to filter via a zone-based policy. I hope there is a distinction between local traffic and forwarded traffic per interface in the zone configuration.

Vyatta route config

Hi all,

I need some help configuring Vyatta.

Site A has a Cisco router and can ping site B (Vyatta).
Site A also has a Mikrotik router and can ping site C (cloud provider 2 - AWS gateway working fine),

but I am not able to ping from site B to site C and vice versa.

As far as I understand, I need to add a route on Vyatta to forward all packets destined for C to A, but I am not having much luck with this.

Happy to post config once I know what information is needed...

If I do ip route show all I get the following 3 among others:

172.20.0.0/16 dev eth0  proto zebra
172.30.200.0/24 dev eth1  proto kernel  scope link  src 172.30.200.254
192.168.0.0/16 dev eth0  scope link  src 172.30.200.254

I need to change the 172.20.0.0/16 to look like the 192.168.0.0/26 route.

Activation Code for v5600


Has anyone else failed to receive an email with activation code after downloading the v5600?

Brocade vRouter 5410 6.7 R11S3 AWS VPN with Public IP Encryption Domain

Hello Community!

I'm having a little trouble with a new VPN configuration and was hoping the community could provide me with a few pointers.

I have spun up a Brocade vRouter 5410 6.7 R11S3 instance on AWS from the marketplace to replace an older Vyatta deployment. The customer has requested that the encryption domain is a public IP address. An elastic IP is associated with the instance for VPN connectivity. The Encryption Domain elastic IP is reserved but not assigned. All port configurations are correct (sharing the same older Vyatta security group rules, which are working).

I have configured a VPN to a customer site. Phase 1 is successful, Phase 2 is stuck.

000 #13: "peer-1.2.3.4-tunnel-1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 11s
000 #3: "peer-1.2.3.4-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27359s; newest ISAKMP; DPD active

I 'think' the issue is with the NAT configuration due to the Encryption Domain requirement. The customer has checked their logs and believe it's an issue with the Encryption Domain configuration.

set nat destination rule 11 description 'IN Peer IP > Local IP'
set nat destination rule 11 destination address 'vRouter Elastic IP'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 log 'enable'
set nat destination rule 11 source address 'Customer Encryption Domain IP'
set nat destination rule 11 translation address 'AWS IP CIDR'
set nat source rule 11 description 'OUT Local IP > Peer IP'
set nat source rule 11 destination address 'Customer Peer IP'
set nat source rule 11 log 'enable'
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address 'AWS IP CIDR'
set nat source rule 11 translation address 'AWS Encryption Domain Public IP'

Any assistance would be greatly appreciated!

Thank you in advance!

Scott

How to set up Brocade router for VPN tunneling with AWS VPN

Hi Team,

We are trying to set up a VPN tunnel between 2 regions using AWS VPN on one end (region) and a Brocade router on the other end (region). Could you please help us in setting up the VPN tunneling and also provide any documentation on how to set this up.

Regards,

Suman B M

how to tunnel between two regions where brocade router is used at one region and VPN at other region

Please provide any documentation you have on tunneling between two regions where VPN is used in one region and a Brocade router is used in the other region.

GRE Over IPsec not working B/w V5400 and VyOS

Problem Description:
=============
GRE over IPsec b/w VyOS and Vyatta not working; IKE is up but IPsec is down.


GRE-IPSEC B/w VYOS and Vyatta:
====================

Topology:
=========

VYOS(172.31.61.122)—1:1NAT GW —Y.Y.Y.Y———————GRE-IPSEC——————(X.X.X.X)—VYATTA

WHERE X.X.X.X & Y.Y.Y.Y ARE PUBLIC IPs


VYOS-STATIC-NAT-AWS:
====================

wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1W0 lifetime '86400'
set vpn ipsec esp-group ESP-1W0 mode 'transport'
set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W0 lifetime '86400'
set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer X.X.X.X authentication id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer X.X.X.X authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer X.X.X.X authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
set vpn ipsec site-to-site peer X.X.X.X authentication remote-id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer X.X.X.X default-esp-group 'ESP-1W0'
set vpn ipsec site-to-site peer X.X.X.X ike-group 'IKE-1W0'
set vpn ipsec site-to-site peer X.X.X.X local-address '172.31.61.122'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
wanclouds@VyOS-AMI-ZAYAD:~$ 
wanclouds@VyOS-AMI-ZAYAD:~$ 
wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.168.100.198/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '172.31.61.122'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip 'X.X.X.X'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
wanclouds@VyOS-AMI-ZAYAD:~$ 
wanclouds@VyOS-AMI-ZAYAD:~$ 
wanclouds@VyOS-AMI-ZAYAD:~$ show log
log    login  
wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
X.X.X.X                            172.31.61.122                          

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes256   md5     5        yes    3658    86400  

 
wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
X.X.X.X                            172.31.61.122                          

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       down   n/a            n/a      n/a     yes    0       86400   gre

 
wanclouds@VyOS-AMI-ZAYAD:~$ show log
log    login  
wanclouds@VyOS-AMI-ZAYAD:~$ show log tail -20
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #410: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #410: starting keying attempt 37 of an unlimited number
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #428: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #410 {using isakmp#15}
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: next payload type of ISAKMP Hash Payload has an unknown value: 58
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
Apr 11 21:30:47 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: last message repeated 3 times
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #411: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #411: starting keying attempt 42 of an unlimited number
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #429: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #411 {using isakmp#15}
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: next payload type of ISAKMP Hash Payload has an unknown value: 72
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #412: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #412: starting keying attempt 15 of an unlimited number
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #430: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #412 {using isakmp#15}
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: byte 2 of ISAKMP Hash Payload must be zero, but is not
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
wanclouds@VyOS-AMI-ZAYAD:~$ 

VYATTA-PUBLIC-IP:
===============

vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1W0 lifetime '86400'
set vpn ipsec esp-group ESP-1W0 mode 'transport'
set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W0 lifetime '86400'
set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'bond1v1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication remote-id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer Y.Y.Y.Y default-esp-group 'ESP-1W0'
set vpn ipsec site-to-site peer Y.Y.Y.Y ike-group 'IKE-1W0'
set vpn ipsec site-to-site peer Y.Y.Y.Y local-address 'X.X.X.X'
set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
vyatta@gw-melbourne1-02-06-2016:~$ 
vyatta@gw-melbourne1-02-06-2016:~$ 
vyatta@gw-melbourne1-02-06-2016:~$ 
vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.168.100.163/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip 'X.X.X.X'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip 'Y.Y.Y.Y'
set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
vyatta@gw-melbourne1-02-06-2016:~$ 
vyatta@gw-melbourne1-02-06-2016:~$ 
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa                          
Peer ID / IP                            Local ID / IP               
------------                            -------------
Y.Y.Y.Y                           X.X.X.X                           

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   md5   5        yes    3377    86400  

 
vyatta@gw-melbourne1-02-06-2016:~$ 
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
Y.Y.Y.Y                           X.X.X.X                           

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    0       down   n/a            n/a      n/a   yes    0       86400   gre

vyatta@gw-melbourne1-02-06-2016:~$ show log tail -25
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0...Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:19 gw-melbourne1-02-06-2016 sshd[10183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60  user=root
Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x8e4cb23d (perhaps this is a duplicated packet)
Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:21 gw-melbourne1-02-06-2016 sshd[10181]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60  user=root
Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x80a5a69d (perhaps this is a duplicated packet)
Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0...Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe95143e1 (perhaps this is a duplicated packet)
Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xac9835cc (perhaps this is a duplicated packet)
Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1c6d8a04 (perhaps this is a duplicated packet)
Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x10df76cd (perhaps this is a duplicated packet)
Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x83384514 (perhaps this is a duplicated packet)
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0...Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x142e7918 (perhaps this is a duplicated packet)
Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
vyatta@gw-melbourne1-02-06-2016:~$
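Added example, not part of the post or of the VyOS/Vyatta projects: a Python triage of the responder's pluto log that parses the "no connection is known for" line and compares its endpoint, IKE ID, protocol and the selector the peer proposed against the locally configured site-to-site peer, which is the first thing to check when IKE is up but the IPsec SA stays down. The sample log is constructed from the Vyatta lines above with RFC 5737 documentation addresses (192.0.2.10 for X.X.X.X, 198.51.100.7 for Y.Y.Y.Y), and LOCAL_CONFIG mirrors the Vyatta's peer settings.

```python
"""Triage of pluto Phase 2 failures from the responder's 'show log' output.

The 'cannot respond to IPsec SA request because no connection is known for'
line records both endpoints, their IKE IDs, protocol/port and the selector
the peer proposed in Quick Mode. Comparing those fields with what is
configured locally localises the mismatch without a packet capture.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log modelled on the responder-side lines in the post.
# 192.0.2.10 stands in for X.X.X.X (the Vyatta); 198.51.100.7 stands in for
# Y.Y.Y.Y (the 1:1 NAT gateway in front of the VyOS host 172.31.61.122).
SAMPLE_LOG = """\
Apr 11 16:32:18 gw pluto[7603]: "peer-198.51.100.7-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to 198.51.100.7:4500
Apr 11 16:32:18 gw pluto[7603]: "peer-198.51.100.7-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for 192.0.2.10:4500[419b9c8ee2544d598bf209173640f934]:47/0...198.51.100.7:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:18 gw pluto[7603]: "peer-198.51.100.7-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.7:4500
Apr 11 16:32:20 gw pluto[7603]: "peer-198.51.100.7-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x8e4cb23d (perhaps this is a duplicated packet)
"""

# What the responder has configured for this peer, taken from its
# 'set vpn ipsec site-to-site peer ...' lines (addresses substituted).
LOCAL_CONFIG = {
    "peer": "198.51.100.7",
    "remote_id": "419b9c8ee2544d598bf209173640f934",
    "proto": 47,            # 'tunnel 0 protocol gre'
}

# left:port[id]:proto/port...right:port[id]:proto/port===rightsubnet
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<lhost>[^:\s]+):(?P<lport>\d+)\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/\d+"
    r"\.\.\."
    r"(?P<rhost>[^:\s]+):(?P<rport>\d+)\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/\d+"
    r"(?:===(?P<rnet>\S+))?"
)


def parse_no_connection(line):
    """Return the fields of a 'no connection is known for' line, or None."""
    m = NO_CONN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["lproto"], d["rproto"] = int(d["lproto"]), int(d["rproto"])
    return d


def triage(log_text, cfg):
    """Count Phase 2 failure signatures and explain selector/ID mismatches."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        if "INVALID_MESSAGE_ID" in line:
            counts["invalid_message_id"] += 1
        if "INVALID_ID_INFORMATION" in line:
            counts["invalid_id_information"] += 1
        if "previously used Message ID" in line:
            counts["stale_message_id"] += 1
        req = parse_no_connection(line)
        if req is None:
            continue
        counts["no_connection_known"] += 1
        if req["rhost"] != cfg["peer"]:
            findings.append(f"request came from {req['rhost']}, configured peer is {cfg['peer']}")
        if req["rid"] != cfg["remote_id"]:
            findings.append(f"peer ID {req['rid']!r} does not match remote-id {cfg['remote_id']!r}")
        if req["rproto"] != cfg["proto"]:
            findings.append(f"peer proposed protocol {req['rproto']}, tunnel is configured for {cfg['proto']}")
        if req["rnet"]:
            net = ipaddress.ip_network(req["rnet"])
            if ipaddress.ip_address(cfg["peer"]) not in net:
                kind = "private, i.e. behind NAT" if net.is_private else "unexpected"
                findings.append(
                    f"peer proposed selector {net} ({kind}) rather than its public address "
                    f"{cfg['peer']}; no configured connection carries that selector")
    return counts, findings


if __name__ == "__main__":
    c, f = triage(SAMPLE_LOG, LOCAL_CONFIG)
    print(dict(c))
    for item in f:
        print("-", item)
```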

Event types and format of Brocade vRouter 5400 Vyatta

Is there a document which includes a list of event types and formats for Vyatta which can be used to understand the logs on a 3rd party tool?


Not working Bond, Vyatta Network OS 5600 17.1.0

Hi folks,

My lab is on VMware Workstation 12 Pro:

- vrouter 5600 v17.1.0 with 1 NIC to the Internet, 2 NICs to the internal LAN on a bond

- Win 7 with 1 NIC to the internal LAN, firewall disabled

Ping between Win and 5600 works fine without the bond. Once I commit the bond the ping doesn't work.

The strange case is that the same configuration works fine on vrouter 5600 v6.5R1.

admin@vyatta2# run show version
Version:      17.1.0
Description:  Brocade Vyatta Network OS 5600 17.1.0
License:      Evaluation

admin@vyatta2# run show interfaces bonding dp1bond1
dp1bond1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:0c:29:da:f4:fe brd ff:ff:ff:ff:ff:ff
    inet 20.20.20.1/24 brd 20.20.20.255 scope global dp1bond1
       valid_lft forever preferred_lft forever
    Description: bonding de la red Interna 20.20.20.x

    RX:  bytes    packets     errors    ignored    overrun      mcast
             0          0          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
             0          0          0          0          0          0
[edit]

Any idea?

Has anyone tried to configure a bond in vSphere 5.5/6?

Thanks to all

Load Balancing with Kubernetes and VTM - Health Monitor issue

Hi there,

We're trying to load balance between a couple of Kubernetes nodes, running on port 30300, using the Brocade VTM, but they're failing any health check we try to apply...

If we remove the health check, it sends traffic through fine...

Is this something to do with the port number?

thanks

vyatta 5600 as vRouter in VM results in very low throughput

I installed vyatta 5600 as a VM, connecting it to 2 interfaces directly connected to the physical 82599 NICs on the host.

I am using qemu-kvm 2.5 and virtio drivers for the NICs.

Then I send traffic using pktgen to one port, expecting it on the other port.

I am always sending the same UDP packet at a rate of 2 Gbps but cannot forward 100% of the packets (only ~99.9% are forwarded).

Host machine is: Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz

using VT-d

The VM is deployed with 8G RAM and 3 vCPUs (also tried with 5 vCPUs).

Any idea what the problem can be? I am trying to reach at least 6 Gbps.

Thanks

Vyatta change destination IP on outgoing

Hi all,

We have a couple of Vyatta deployments in different locations.

All of them are able to connect to each other.

I want to make something like a proxy on one of the Vyattas to do the following:

Some source IP (e.g. 10.10.10.10) connects to the Vyatta's IP address on a port (192.168.100.1:2222).

Once this source tries to connect, the Vyatta should change the destination and source IP, e.g. to a source of 192.168.100.1 and a destination IP of 7.7.7.7.

This way the original destination 7.7.7.7 will believe that the source is 192.168.100.1 and will reply to it.

Once the reply is received on the Vyatta's 192.168.100.1 address, it should reply back to the original source 10.10.10.10.

Is there a way to achieve that?

You may find a brief diagram as an attachment.

Thank you

Bug? Windows 10 Pro vRouter 5600 GRE tunnel through OpenVPN doesn't work.

Not sure if I am in the correct discussion group or whether no one knows the answer, but what is this interface .spathintf and what is it used for? Service Path Interface for routing protocols? My best guess.

The issue I am having is this. I am running Windows 10 Pro, and installed vRouter 5600 with a trial license on a Hyper-V VM. I create an OpenVPN (vtun0) tunnel and I am able to reach across the network with pings in both directions. I configured the GRE tunnel (tun0) and was able to ping the remote side. However, the remote side could not ping the local side of the GRE tunnel IP. All these packets hit tun0, then the ICMP reply is sent to .spathintf (verified using Monitor IP-Traffic). I rebooted the vRouter and now all packets sourced from tun0 are sent to the interface .spathintf.

I did read there was a problem with Windows Server 2012 and GRE; is this problem also seen in Windows Pro, or can you use GRE tunnels there?

thanks,

-mike
