Vyatta
Suite 200
1301 Shoreway Road
Belmont, CA 94002
vyatta.com
650 413 7200
1 888 VYATTA 1 (US and Canada)
VYATTA, INC. | Vyatta System
Bridging
REFERENCE GUIDE
COPYRIGHT
Copyright © 2005–2012 Vyatta, Inc. All rights reserved.
Vyatta reserves the right to make changes to software, hardware, and documentation without notice. For the most recent version of documentation, visit the Vyatta website at vyatta.com.
PROPRIETARY NOTICES
Vyatta is a registered trademark of Vyatta, Inc.
Hyper-V is a registered trademark of Microsoft Corporation.
VMware, VMware ESX, and VMware server are trademarks of VMware, Inc.
XenServer, and XenCenter are trademarks of Citrix Systems, Inc.
All other trademarks are the property of their respective owners.
RELEASE DATE: October 2012
DOCUMENT REVISION. 6.5R1 v01
RELEASED WITH: 6.5.0R1
PART NO. A0-0247-10-0003
Bridging 6.5R1v01 Vyatta
Contents
Quick List of Commands
List of Examples
Preface
    Intended Audience
    Organization of This Guide
    Document Conventions
    Vyatta Publications
Chapter 1 Bridging Overview
    Layer 2 Bridging
    RFC 1483 Bridged Ethernet
    MTU for Bridge Groups
Chapter 2 Bridging Configuration Examples
    Basic Bridging Configuration
    Bridging Across a WAN Using a GRE Tunnel
        Configure WEST
        Configure EAST
    Bridging across a WAN Using a GRE Tunnel over IPsec VPN
        Configure WEST
            Define the Bridge, Ethernet, and Loopback Interfaces on “WEST”
            Define the GRE Tunnel on “WEST”
            Define the IPsec Tunnel on “WEST”
        Configure EAST
    Bridging Across a WAN Using Site-to-Site OpenVPN
        Configure WEST
            Define the Bridge and Ethernet Interfaces on “WEST”
            Define the OpenVPN Tunnel on “WEST”
        Configure EAST
    Bridging Across a WAN Using Client-Server OpenVPN
        Configure V1
            Define the Bridge Interface on “V1”
            Define the Ethernet Interfaces on “V1”
            Define the OpenVPN Server on “V1”
            Define the DHCP Server on “V1”
            Commit and Display the Configuration on “V1”
        Configure V2
            Define the Bridge Interface on “V2”
            Define the Ethernet Interface on “V2”
            Define the OpenVPN Client on “V2”
            Commit and Display the Configuration on “V2”
Chapter 3 Bridge Group Commands
    interfaces bridge <brx>
    interfaces bridge <brx> address <address>
    interfaces bridge <brx> aging <age>
    interfaces bridge <brx> description <desc>
    interfaces bridge <brx> dhcpv6-options
    interfaces bridge <brx> disable
    interfaces bridge <brx> disable-link-detect
    interfaces bridge <brx> forwarding-delay <delay>
    interfaces bridge <brx> hello-time <interval>
    interfaces bridge <brx> ipv6 address
    interfaces bridge <brx> ipv6 disable-forwarding
    interfaces bridge <brx> ipv6 dup-addr-detect-transmits <num>
    interfaces bridge <brx> ipv6 router-advert
    interfaces bridge <brx> mac <mac-addr>
    interfaces bridge <brx> max-age <interval>
    interfaces bridge <brx> priority <priority>
    interfaces bridge <brx> stp <state>
    show bridge
Chapter 4 Bridge Interface Commands
    clear interfaces bridge counters
    interfaces adsl <adslx> pvc <pvc-id> bridged-ethernet bridge-group
    interfaces bonding <bondx> bridge-group
    interfaces bonding <bondx> vif <vlan-id> bridge-group
    interfaces ethernet <ethx> bridge-group
    interfaces ethernet <ethx> vif <vlan-id> bridge-group
    interfaces openvpn <vtunx> bridge-group
    interfaces tunnel <tunx> parameters ip bridge-group
    interfaces wireless <wlanx> bridge-group
    show interfaces bridge
Glossary of Acronyms
Quick List of Commands
Use this list to help you quickly locate commands.
clear interfaces bridge counters
interfaces adsl <adslx> pvc <pvc-id> bridged-ethernet bridge-group
interfaces bonding <bondx> bridge-group
interfaces bonding <bondx> vif <vlan-id> bridge-group
interfaces bridge <brx> address <address>
interfaces bridge <brx> aging <age>
interfaces bridge <brx> description <desc>
interfaces bridge <brx> dhcpv6-options
interfaces bridge <brx> disable
interfaces bridge <brx> disable-link-detect
interfaces bridge <brx> forwarding-delay <delay>
interfaces bridge <brx> hello-time <interval>
interfaces bridge <brx> ipv6 address
interfaces bridge <brx> ipv6 disable-forwarding
interfaces bridge <brx> ipv6 dup-addr-detect-transmits <num>
interfaces bridge <brx> ipv6 router-advert
interfaces bridge <brx> mac <mac-addr>
interfaces bridge <brx> max-age <interval>
interfaces bridge <brx> priority <priority>
interfaces bridge <brx> stp <state>
interfaces bridge <brx>
interfaces ethernet <ethx> bridge-group
interfaces ethernet <ethx> vif <vlan-id> bridge-group
interfaces openvpn <vtunx> bridge-group
interfaces tunnel <tunx> parameters ip bridge-group
interfaces wireless <wlanx> bridge-group
show bridge
show interfaces bridge
List of Examples
Use this list to help you locate examples you’d like to look at or try.
Preface
This document describes the various deployment, installation, and upgrade options
for Vyatta software.
This preface provides information about using this guide. The following topics are
presented:
• Intended Audience
• Organization of This Guide
• Document Conventions
• Vyatta Publications
Intended Audience
This guide is intended for experienced system and network administrators.
Depending on the functionality to be used, readers should have specific knowledge
in the following areas:
• Networking and data communications
• TCP/IP protocols
• General router configuration
• Routing protocols
• Network administration
• Network security
• IP services
Organization of This Guide
This guide has the following aids to help you find the information you are looking for:
• Quick List of Commands
Use this list to help you quickly locate commands.
• List of Examples
Use this list to help you locate examples you’d like to try or look at.
This guide has the following chapters:
Chapter 1: Bridging Overview
    This chapter provides a brief introduction to the Vyatta system’s support for Layer 2 bridging.
Chapter 2: Bridging Configuration Examples
    This chapter provides configuration examples for bridging.
Chapter 3: Bridge Group Commands
    This chapter lists the commands used to create the bridge group (the bridge interface) and define its characteristics.
Chapter 4: Bridge Interface Commands
    This chapter describes commands for adding interfaces to a bridge group.
Glossary of Acronyms
Document Conventions
This guide uses the following advisory paragraphs.
NOTE Notes provide information you might need to avoid problems or configuration errors.
WARNING Warnings alert you to situations that may pose a threat to personal safety.
CAUTION Cautions alert you to situations that might cause harm to your system or damage to equipment, or that may affect service.
This document uses the following typographic conventions.
Monospace
    Examples, command-line output, and representations of configuration nodes.
bold Monospace
    Your input: something you type at a command line.
bold
    Commands, keywords, and file names, when mentioned inline.
    Objects in the user interface, such as tabs, buttons, screens, and panes.
italics
    An argument or variable where you supply a value.
<key>
    A key on your keyboard, such as <Enter>. Combinations of keys are joined by plus signs (“+”), as in <Ctrl>+c.
[ key1 | key2 ]
    Enumerated options for completing a syntax. An example is [enable | disable].
num1–numN
    An inclusive range of numbers. An example is 1–65535, which means 1 through 65535, inclusive.
arg1 ... argN
    A range of enumerated values. An example is eth0 ... eth3, which means eth0, eth1, eth2, or eth3.
arg [ arg ... ]
arg [,arg ... ]
    A value that can optionally represent a list of elements (a space-separated list and a comma-separated list, respectively).
Vyatta Publications
Full product documentation is provided in the Vyatta technical library. To see what
documentation is available for your release, see the Guide to Vyatta Documentation.
This guide is posted with every release of Vyatta software and provides a great
starting point for finding the information you need.
Additional information is available on www.vyatta.com and www.vyatta.org.
Chapter 1: Bridging Overview
This chapter provides a brief introduction to the Vyatta system’s support for Layer 2
bridging.
This chapter presents the following topics:
• Layer 2 Bridging
• RFC 1483 Bridged Ethernet
• MTU for Bridge Groups
Layer 2 Bridging
Bridging allows you to connect multiple network segments (typically LAN segments)
at the Layer 2 level.
Since bridging occurs at Layer 2 (the data link layer) and IP addresses are relevant
only on Layer 3 (the network layer), IP addresses are not allowed on the interfaces
being bridged.
To create a bridge, use the following workflow:
1 Create the bridge group. You create a bridge group by defining a bridge interface and setting its characteristics.
2 Add the interfaces to the bridge group. You do this within the configuration node for the interface itself.
The following interface types can be added directly to bridge groups:
• Physical Ethernet interfaces
• Ethernet bonded links
• VLAN interfaces configured under physical Ethernet interfaces or Ethernet
bonded links
• OpenVPN interfaces
• Tunnel interfaces
• Wireless interfaces in access mode (not in station mode)
RFC 1483 Bridged Ethernet
ADSL interfaces cannot be added to bridge groups, but the Vyatta system supports the mechanisms described in RFC 1483 for bridging ADSL traffic over an ATM network. You can bridge ADSL traffic over Ethernet using the interfaces adsl <adslx> pvc <pvc-id> bridged-ethernet bridge-group command.
MTU for Bridge Groups
The effective MTU (maximum transmission unit) size for a bridge group is the
minimum MTU of all the interfaces that belong to the bridge group. So, the
maximum frame size of frames transmitted by the bridged interfaces will be this
effective MTU size.
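The two rules stated in this chapter, that a bridged interface must not carry an IP address and that the effective MTU of a bridge group is the minimum MTU of its members, can be checked mechanically against the brace-style listing that show interfaces prints. The following Python script is an added example for readers of this guide, not Vyatta code: it parses a constructed show interfaces listing, lists the members of each bridge group, flags members that still carry an address or are of a type the chapter does not list as bridgeable, and computes the effective MTU from the members' mtu values. The mtu lines in the sample and the 1500 fallback for interfaces without one are assumptions of the example.

```python
"""Audit a Vyatta-style 'show interfaces' listing against the bridge-group rules."""
from __future__ import annotations

# Constructed sample in the brace format that 'show interfaces' prints.
# eth1 deliberately carries both an address and a bridge-group membership so
# the audit has something to flag; the mtu values are constructed (assumption).
SAMPLE_SHOW_INTERFACES = """\
bridge br0 {
}
ethernet eth0 {
    bridge-group {
        bridge br0
    }
    mtu 1400
}
ethernet eth1 {
    address 192.0.2.1/27
    bridge-group {
        bridge br0
    }
}
tunnel tun0 {
    bridge-group {
        bridge br0
    }
    encapsulation gre-bridge
    local-ip 192.0.2.1
    remote-ip 192.0.2.33
    mtu 1476
}
"""

# Interface types the chapter says can be added directly to a bridge group
# (VLAN vifs live under their parent ethernet or bonding interface).
BRIDGEABLE_TYPES = {"ethernet", "bonding", "openvpn", "tunnel", "wireless"}


def parse_config(text: str) -> dict:
    """Parse the brace-delimited listing into nested dicts.

    'key value {' opens a block stored under 'key value'; 'key value' inside a
    block is a leaf stored as key -> value; a bare 'key' line maps to None.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value or None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration listing")
    return root


def bridge_members(config: dict) -> dict[str, list[str]]:
    """Map each bridge name to the interfaces whose bridge-group names it."""
    members: dict[str, list[str]] = {}
    for name in config:
        if name.startswith("bridge "):
            members.setdefault(name.split()[1], [])
    for name, body in config.items():
        group = body.get("bridge-group") if isinstance(body, dict) else None
        if group and group.get("bridge"):
            members.setdefault(group["bridge"], []).append(name)
    return members


def audit(config: dict) -> list[str]:
    """Return findings: members of undefined bridges, members of a non-bridgeable
    type, and members that still carry a Layer 3 address."""
    findings: list[str] = []
    defined = {name.split()[1] for name in config if name.startswith("bridge ")}
    for bridge, names in bridge_members(config).items():
        for name in names:
            if bridge not in defined:
                findings.append(f"{name} refers to bridge {bridge}, which is not defined")
            if name.split()[0] not in BRIDGEABLE_TYPES:
                findings.append(f"{name} is not a type that can be added to a bridge group")
            addr = config[name].get("address")
            if addr:
                findings.append(f"{name} is in bridge-group {bridge} but carries address {addr}")
    return findings


def effective_mtu(config: dict, bridge: str, default_mtu: int = 1500) -> int | None:
    """Minimum MTU over the bridge's members; members without an explicit mtu
    line are assumed to use default_mtu. None if the bridge has no members."""
    names = bridge_members(config).get(bridge, [])
    if not names:
        return None
    return min(int(config[n].get("mtu") or default_mtu) for n in names)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_SHOW_INTERFACES)
    print("members:", bridge_members(cfg))
    print("effective MTU of br0:", effective_mtu(cfg, "br0"))
    for finding in audit(cfg):
        print("finding:", finding)
```

Run against the sample, the audit reports eth1's address and the effective MTU comes out as 1400, the smallest member value; feeding it a real show interfaces listing captured from a system is the intended use.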
Chapter 2: Bridging Configuration Examples
This chapter provides configuration examples for bridging.
This chapter presents the following topics:
• Basic Bridging Configuration
• Bridging Across a WAN Using a GRE Tunnel
• Bridging across a WAN Using a GRE Tunnel over IPsec VPN
• Bridging Across a WAN Using Site-to-Site OpenVPN
• Bridging Across a WAN Using Client-Server OpenVPN
Basic Bridging Configuration
This section presents a sample configuration for a basic bridge between two Ethernet segments on a Vyatta system.
When you have finished, the system will be configured as shown in Figure 2-1.
Figure 2-1 Basic bridging [figure: R1 with interfaces eth0 and eth1]
In this example, you create a bridge interface and assign the Ethernet interfaces to the bridge group.
Example 2-1 creates the bridge interface and adds the Ethernet interfaces to the bridge group. To do this, perform the following steps on R1 in configuration mode.
Example 2-1 Configuring a bridge between two Ethernet interfaces
Step: Create the bridge interface.
    vyatta@R1# set interfaces bridge br0
Step: Add eth0 to the bridge group.
    vyatta@R1# set interfaces ethernet eth0 bridge-group bridge br0
Step: Add eth1 to the bridge group.
    vyatta@R1# set interfaces ethernet eth1 bridge-group bridge br0
Step: Commit the configuration.
    vyatta@R1# commit
Step: View the configuration.
    vyatta@R1# show interfaces
    bridge br0 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
    }
Bridging Across a WAN Using a GRE Tunnel
This section presents a sample configuration for bridging remote network segments using a GRE-bridge encapsulated tunnel between Vyatta systems WEST and EAST. First WEST is configured, and then EAST.
This basic tunnel is not protected by a key: this means it is not secure.
When you have finished, these systems will be configured as shown in Figure 2-2 with bridged network segments connected to eth0 on each of the two systems.
Figure 2-2 Bridging across a WAN using a GRE-bridge encapsulated tunnel [figure: WEST (eth0, eth1 .1) and EAST (eth0, eth1 .33) joined by a GRE-bridge tunnel; addresses shown .1, .30, .62, .33 on networks 192.0.2.0/27 and 192.0.2.32/27]
Configure WEST
GRE tunnels are explained in detail in the Vyatta Tunnels Reference Guide. Please see that guide for further details.
The GRE-bridge tunnel in the example configuration extends from eth1 on WEST through the wide-area network to eth1 on EAST. In this example, you create the bridge interface, add eth0 to the bridge group, and then create a tunnel interface and add it to the bridge group.
• The source IP address of the tunnel endpoint (the local-ip) is the same as the address associated with eth1 in this example.
• The destination IP address of the tunnel endpoint (the remote-ip) is 192.0.2.33 on EAST.
• The tunnel encapsulation is gre-bridge.
• The tunnel is added to the bridge group.
Example 2-2 creates the bridge and tunnel interfaces and adds eth0 and the tunnel interface to the bridge group. To do this, perform the following steps on WEST in configuration mode.
Example 2-2 Creating a basic GRE-bridge tunnel endpoint and bridge on WEST
Step: Create the bridge interface.
    vyatta@WEST# set interfaces bridge br0
Step: Add eth0 to the bridge group.
    vyatta@WEST# set interfaces ethernet eth0 bridge-group bridge br0
Step: Configure an address on eth1.
    vyatta@WEST# set interfaces ethernet eth1 address 192.0.2.1/27
Step: Create the tunnel interface and specify the source IP address for the tunnel.
    vyatta@WEST# set interfaces tunnel tun0 local-ip 192.0.2.1
Step: Specify the IP address of the other end of the tunnel.
    vyatta@WEST# set interfaces tunnel tun0 remote-ip 192.0.2.33
Step: Specify the GRE-bridge encapsulation mode for the tunnel.
    vyatta@WEST# set interfaces tunnel tun0 encapsulation gre-bridge
Step: Add tun0 to the bridge group.
    vyatta@WEST# set interfaces tunnel tun0 bridge-group bridge br0
Step: Commit the configuration.
    vyatta@WEST# commit
Step: View the configuration.
    vyatta@WEST# show interfaces
    bridge br0 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
    }
    ethernet eth1 {
        address 192.0.2.1/27
    }
    tunnel tun0 {
        bridge-group {
            bridge br0
        }
        encapsulation gre-bridge
        local-ip 192.0.2.1
        remote-ip 192.0.2.33
    }
Configure EAST
EAST is configured similarly to WEST. The differences are as follows:
• The address assigned to eth1 is 192.0.2.33/27.
• The local IP address (local-ip) is 192.0.2.33.
• The remote IP address (remote-ip) is 192.0.2.1.
Example 2-3 shows the completed configuration.
Example 2-3 Configuration for a basic GRE-bridge tunnel endpoint and bridge on EAST
Step: View the configuration.
    vyatta@EAST# show interfaces
    bridge br0 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
    }
    ethernet eth1 {
        address 192.0.2.33/27
    }
    tunnel tun0 {
        bridge-group {
            bridge br0
        }
        encapsulation gre-bridge
        local-ip 192.0.2.33
        remote-ip 192.0.2.1
    }
Bridging across a WAN Using a GRE Tunnel over IPsec VPN
This example configures a GRE-bridge tunnel between WEST and EAST and protects it within an IPsec tunnel between the same endpoints.
When you have finished, WEST and EAST will be configured as shown in Figure 2-3.
Figure 2-3 GRE-bridge tunnel protected by an IPsec tunnel [figure: WEST (eth0, eth1 .1, lo 172.16.0.1/32, tun0) and EAST (eth0, eth1 .33, lo 172.16.0.2/32, tun0); addresses shown .1, .30, .62, .33 on networks 192.0.2.0/27 and 192.0.2.32/27; the GRE-bridge tunnel between the loopbacks is carried inside the IPsec tunnel]
Configure WEST
This section presents the following examples:
• Example 2-4 Defining the bridge, Ethernet, and loopback interfaces on WEST
• Example 2-5 Defining the GRE-bridge tunnel from WEST to EAST
• Example 2-6 Defining the IPsec tunnel from WEST to EAST
Define the Bridge, Ethernet, and Loopback Interfaces on “WEST”
Example 2-4 defines the bridge, Ethernet, and loopback interfaces on WEST. In this example:
• The bridge interface br0 is created.
• Ethernet interface eth0 is added to the bridge group.
• Ethernet interface eth1 is configured with IP address 192.0.2.1/27.
• Loopback interface lo is configured with IP address 172.16.0.1/32.
To create the bridge, Ethernet, and loopback interfaces on WEST, perform the following steps in configuration mode.
Example 2-4 Defining the bridge, Ethernet, and loopback interfaces on WEST
Step: Create the bridge interface.
    vyatta@WEST# set interfaces bridge br0
Step: Add eth0 to the bridge group.
    vyatta@WEST# set interfaces ethernet eth0 bridge-group bridge br0
Step: Configure an address on eth1.
    vyatta@WEST# set interfaces ethernet eth1 address 192.0.2.1/27
Step: Configure an address on lo.
    vyatta@WEST# set interfaces loopback lo address 172.16.0.1/32
Step: Commit the configuration.
Step: Verify the configuration.
Define the GRE Tunnel on “WEST”
NOTE This example deals with GRE tunnels in the context of a bridge. GRE tunnels themselves are explained in detail in the Vyatta Tunnels Reference Guide.
Example 2-5 defines WEST’s end of the GRE-bridge tunnel. In this example:
• The IP address on the local side of the GRE tunnel (local-ip) is assigned the local loopback address 172.16.0.1.
• The IP address of the other end of the GRE tunnel (remote-ip) is assigned the loopback address of the remote system 172.16.0.2.
• The tunnel encapsulation is gre-bridge.
• The tunnel is added to the bridge group.
To create the tunnel interface and the tunnel endpoint on WEST, perform the following steps in configuration mode.
Example 2-5 Defining the GRE-bridge tunnel from WEST to EAST
Step: Specify the local IP address for the GRE tunnel.
    vyatta@WEST# set interfaces tunnel tun0 local-ip 172.16.0.1
Step: Specify the remote IP address for the GRE tunnel.
    vyatta@WEST# set interfaces tunnel tun0 remote-ip 172.16.0.2
Step: Specify the encapsulation mode for the tunnel.
    vyatta@WEST# set interfaces tunnel tun0 encapsulation gre-bridge
Step: Add tun0 to the bridge group.
    vyatta@WEST# set interfaces tunnel tun0 bridge-group bridge br0
Step: Commit the configuration.
    vyatta@WEST# commit
Step: View the modified configuration.
    vyatta@WEST# show interfaces
    bridge br0 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
    }
    ethernet eth1 {
        address 192.0.2.1/27
    }
    loopback lo {
        address 172.16.0.1/32
    }
    tunnel tun0 {
        bridge-group {
            bridge br0
        }
        encapsulation gre-bridge
        local-ip 172.16.0.1
        remote-ip 172.16.0.2
    }
Define the IPsec Tunnel on “WEST”
Example 2-6 creates the IPsec tunnel from WEST to EAST.
• WEST uses IP address 192.0.2.1 on eth1.
• EAST uses IP address 192.0.2.33 on eth1.
• The IKE group is IKE-1W.
• The preshared secret is “test_key_1”.
• The IPsec tunnel is between subnet 172.16.0.1/32 on WEST and 172.16.0.2/32 on EAST, using ESP group ESP-1W.
This example assumes that you have already configured the following:
• IKE group IKE-1W
• ESP group ESP-1W
NOTE If you need more information about IKE and ESP groups, they are explained in detail in the Vyatta VPN Reference Guide.
To create the IPsec tunnel from WEST to EAST, perform the following steps on WEST in configuration mode.
Example 2-6 Defining the IPsec tunnel from WEST to EAST
Step: Enable VPN on eth1.
    vyatta@WEST# set vpn ipsec ipsec-interfaces interface eth1
Step: Define the site-to-site connection to EAST. Set the authentication mode.
    vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication mode pre-shared-secret
Step: Navigate to the node for the peer for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer 192.0.2.33
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Step: Provide the string that will be used to authenticate the peers.
    vyatta@WEST# set authentication pre-shared-secret test_key_1
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Step: Specify the IKE group.
    vyatta@WEST# set ike-group IKE-1W
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Step: Identify the IP address on this system to be used for this connection.
    vyatta@WEST# set local-ip 192.0.2.1
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Step: Create a tunnel configuration, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 1 local subnet 172.16.0.1/32
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Step: Specify the remote subnet for the tunnel.
    vyatta@WEST# set tunnel 1 remote subnet 172.16.0.2/32
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Step: Specify the ESP group for this tunnel.
    vyatta@WEST# set tunnel 1 esp-group ESP-1W
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Step: Return to the top of the configuration hierarchy.
    vyatta@WEST# top
Step: Commit the configuration.
    vyatta@WEST# commit
Step: View the modified configuration.
    vyatta@WEST# show vpn ipsec ipsec-interfaces
    interface eth1
    vyatta@WEST# show vpn ipsec site-to-site peer 192.0.2.33
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    ike-group IKE-1W
    local-ip 192.0.2.1
    tunnel 1 {
        esp-group ESP-1W
        local {
            subnet 172.16.0.1/32
        }
        remote {
            subnet 172.16.0.2/32
        }
    }
Configure EAST
EAST is configured similarly to WEST. The differences in the interface configuration are as follows:
• The address assigned to eth1 is 192.0.2.33/27.
• The address assigned to the loopback interface is 172.16.0.2/32.
• The IP address on the local side is 172.16.0.2.
• The IP address on the remote side is 172.16.0.1.
Example 2-7 shows the completed interfaces configuration.
Example 2-7 Configuration for interfaces on EAST
Step: View the modified configuration.
    vyatta@EAST# show interfaces
    bridge br0 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
    }
    ethernet eth1 {
        address 192.0.2.33/27
    }
    loopback lo {
        address 172.16.0.2/32
    }
    tunnel tun0 {
        bridge-group {
            bridge br0
        }
        encapsulation gre-bridge
        local-ip 172.16.0.2
        remote-ip 172.16.0.1
    }
The differences in the IPsec VPN configuration are as follows:
• The peer address is 192.0.2.1.
• The IKE group is IKE-1E.
• The IP address on the local side is 192.0.2.33.
• The ESP group is ESP-1E.
• The local subnet is 172.16.0.2/32.
• The remote subnet is 172.16.0.1/32.
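The EAST values are the mirror image of the WEST values: each side's local-ip is the other side's remote-ip, and each side's IPsec local subnet is the other side's remote subnet. The plain GRE-bridge example earlier in this chapter also states that a tunnel with no protection is not secure. Both properties can be verified before commit. The following Python script is an added example, not Vyatta code: it holds the WEST and EAST values transcribed from Examples 2-2 and 2-3 (GRE-bridge without IPsec) and from Examples 2-5 through 2-8 (GRE-bridge over IPsec) in a dict layout of its own, checks that the GRE endpoints and the IPsec peers mirror each other, and reports any gre-bridge tunnel whose endpoints do not fall inside an IPsec tunnel's local and remote subnets. The dict layout and the helper for what-if variants are this example's own.

```python
"""Cross-check both ends of a bridged GRE tunnel, with and without IPsec."""
from __future__ import annotations

import copy
import ipaddress
from typing import Any

# Endpoint values transcribed from Examples 2-2 and 2-3 (GRE-bridge, no IPsec).
# The dict layout is this example's own, not a Vyatta export format.
PLAIN_GRE = {
    "WEST": {"tunnel": {"local-ip": "192.0.2.1", "remote-ip": "192.0.2.33",
                        "encapsulation": "gre-bridge"},
             "ipsec-peers": {}},
    "EAST": {"tunnel": {"local-ip": "192.0.2.33", "remote-ip": "192.0.2.1",
                        "encapsulation": "gre-bridge"},
             "ipsec-peers": {}},
}

# Endpoint values transcribed from Examples 2-5 through 2-8 (GRE-bridge over IPsec).
GRE_OVER_IPSEC = {
    "WEST": {"tunnel": {"local-ip": "172.16.0.1", "remote-ip": "172.16.0.2",
                        "encapsulation": "gre-bridge"},
             "ipsec-peers": {"192.0.2.33": {
                 "local-ip": "192.0.2.1",
                 "tunnels": [{"local": "172.16.0.1/32", "remote": "172.16.0.2/32"}]}}},
    "EAST": {"tunnel": {"local-ip": "172.16.0.2", "remote-ip": "172.16.0.1",
                        "encapsulation": "gre-bridge"},
             "ipsec-peers": {"192.0.2.1": {
                 "local-ip": "192.0.2.33",
                 "tunnels": [{"local": "172.16.0.2/32", "remote": "172.16.0.1/32"}]}}},
}


def ipsec_covers_tunnel(site: dict[str, Any]) -> bool:
    """True if some IPsec tunnel's local/remote subnets contain the GRE endpoints."""
    local = ipaddress.ip_address(site["tunnel"]["local-ip"])
    remote = ipaddress.ip_address(site["tunnel"]["remote-ip"])
    for peer in site["ipsec-peers"].values():
        for t in peer["tunnels"]:
            if (local in ipaddress.ip_network(t["local"])
                    and remote in ipaddress.ip_network(t["remote"])):
                return True
    return False


def check_sites(sites: dict[str, dict[str, Any]]) -> list[str]:
    """Return findings for the WEST/EAST pair; an empty list means consistent."""
    west, east = sites["WEST"], sites["EAST"]
    findings: list[str] = []

    # 1. The GRE endpoints must mirror each other (local-ip <-> remote-ip).
    if (west["tunnel"]["local-ip"] != east["tunnel"]["remote-ip"]
            or west["tunnel"]["remote-ip"] != east["tunnel"]["local-ip"]):
        findings.append("GRE endpoints do not mirror each other between WEST and EAST")

    # 2. Each IPsec peer entry must point at the other side's IPsec local-ip,
    #    and its local/remote subnets must be the other side's remote/local.
    for name, site, other in (("WEST", west, east), ("EAST", east, west)):
        for peer_addr, peer in site["ipsec-peers"].items():
            other_peer = other["ipsec-peers"].get(peer["local-ip"])
            if other_peer is None or other_peer["local-ip"] != peer_addr:
                findings.append(f"{name}: IPsec peer {peer_addr} is not mirrored on the other side")
                continue
            mine = {(t["local"], t["remote"]) for t in peer["tunnels"]}
            theirs = {(t["remote"], t["local"]) for t in other_peer["tunnels"]}
            if mine != theirs:
                findings.append(f"{name}: IPsec tunnel subnets do not mirror the other side")

    # 3. A gre-bridge tunnel whose endpoints are not inside an IPsec tunnel is
    #    the unprotected case the plain GRE example warns about.
    for name, site in (("WEST", west), ("EAST", east)):
        t = site["tunnel"]
        if t["encapsulation"] == "gre-bridge" and not ipsec_covers_tunnel(site):
            findings.append(f"{name}: gre-bridge tunnel {t['local-ip']}->{t['remote-ip']}"
                            " is not protected by IPsec")
    return findings


def with_tunnel_value(sites: dict[str, dict[str, Any]], side: str, key: str, value: str) -> dict:
    """Deep-copy the pair and override one tunnel value on one side (what-if checks)."""
    changed = copy.deepcopy(sites)
    changed[side]["tunnel"][key] = value
    return changed


if __name__ == "__main__":
    print("plain GRE:", check_sites(PLAIN_GRE))
    print("GRE over IPsec:", check_sites(GRE_OVER_IPSEC))
    print("EAST remote-ip typo:", check_sites(with_tunnel_value(GRE_OVER_IPSEC, "EAST", "remote-ip", "172.16.0.9")))
```

The IPsec pair from this section passes cleanly, the plain GRE pair is reported as unprotected on both sides, and a single mistyped remote-ip on EAST produces both a mirroring finding and an unprotected finding, because the stray endpoint is no longer inside the /32 the IPsec tunnel covers.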
Example 2-8 shows the completed IPsec VPN configuration.
Example 2-8 Configuration for IPsec VPN on EAST
Step: View the modified configuration.
    vyatta@EAST# show vpn ipsec ipsec-interfaces
    interface eth1
    vyatta@EAST# show vpn ipsec site-to-site peer 192.0.2.1
    authentication {
        mode pre-shared-secret
        pre-shared-secret test_key_1
    }
    ike-group IKE-1E
    local-ip 192.0.2.33
    tunnel 1 {
        esp-group ESP-1E
        local {
            subnet 172.16.0.2/32
        }
        remote {
            subnet 172.16.0.1/32
        }
    }
Bridging Across a WAN Using Site-to-Site OpenVPN
This example configures a bridge across a site-to-site OpenVPN tunnel between WEST and EAST.
NOTE If you need more information about OpenVPN tunnels, they are explained in detail in the Vyatta VPN Reference Guide.
When you have finished, WEST and EAST will be configured as shown in Figure 2-4 and the LANs connected to WEST and EAST will be bridged.