20141102 vyos 1.1.0 and nifty cloud new features

Copyright © NIFTY Corporation All Rights Reserved.

VyOS 1.1.0 and NIFTY CloudNew Features

Yuya Kusakabe - @higebu

NIFTY Corp.

VyOS Users Meeting #2,

Nov. 2, 2014

Copyright © NIFTY Corporation All Rights Reserved. Confidential 2

VyOS 1.1.0 released!

Release date: Oct. 9, 2014

New features:

Unmanaged L2TPv3

Dummy interfaces

QinQ

Event handler

IGMP proxy

Experimental features:

VXLAN -> @upaa

DMVPN

For more detail:

http://vyos.net/wiki/1.1.0/release_notes


Lithium branch

Helium is now feature frozen, please submit all patches to lithium.


VyOS on IaaS


VyOS on IaaS

AWS

AMI

さくらのクラウド ( Sakura Cloud )

Images

VPCルータ ( VPC Router )

IDCFクラウド ( IDCF Cloud )

Images

NIFTY Cloud

Images

New network features


AWS

VyOS 1.0.5 64bit

https://aws.amazon.com/marketplace/pp/B00JK5UPF6



VyOS 1.0.5 64bit

http://cloud.sakura.ad.jp/



http://www.slideshare.net/sakuranocloud/20140727-vyosuserspost?qid=4616b826-dfa1-4ff9-9dce-d9f13516fd84


IDCFクラウド ( IDCF Cloud )

VyOS 1.0.4 64bit

http://www.idcf.jp/cloud/


NIFTY Cloud

VyOS 1.0.5 64bit and 1.1.0 64bit


New network features

Release date: Nov. 2014

プライベートLAN ( Private network )

You can use multiple private network.

ルーター ( Router )

DHCP, NAT, Routing, Web Proxy

VPNゲートウェイ ( VPN Gateway )

IPsec

Unmanaged L2TPv3 over IPsec

Managed L2TPv3 over IPsec


About Managed L2TPv3

Enhanced xl2tpd

For Managed L2TPv3

The source code will be released as open source.

Enhanced ebtables

For storm control

This is NIFTY Cloud original commands…

Special thanks to @m_asama !


Managed L2TPv3 Commands

set system l2tpv3 router-id { local address }

set interfaces l2tpv3 l2tpeth0 bridge-group bridge br0

set interfaces l2tpv3 l2tpeth0 encapsulation udp

set interfaces l2tpv3 l2tpeth0 mode { lns or lac }

set interfaces l2tpv3 l2tpeth0 remote-ip { remote address }

set interfaces l2tpv3 l2tpeth0 remote-end-id { remote end id }


Storm control Commands

set service nifty-cloud-bridge-filter interface eth3

set service nifty-cloud-bridge-filter mac-addr-limit 20/30

set service nifty-cloud-bridge-filter mcast-limit 1000/s

set service nifty-cloud-bridge-filter mcast-limit-burst 2000

And if above setting is enabled, ebtables drops except IPv4 and ARP packets.


Extending Home network to NIFTY Cloudacross the Internet with L2TPv3 / IPsec


The Internet

Network configuration

Managed L2TPv3 / IPsec

My Home

FLET'S HIKARI NEXTHigh-Speed TypeFor Houses

192.168.100.0/24

121.94.82.26

192.168.100.0/24

Same subnet

dhcp

CustomizedVyOS 1.0.5 amd64

YAMAHA RTX1200


Setting up NIFTY Cloud VPN Gateway

Demo

No Photographs


Setting up YAMAHA RTX1200

#

# IP configuration

#

ip route default gateway pp 1

#

# Bridge configuration

#

bridge member bridge1 lan1 tunnel4

ip bridge1 address 192.168.100.1/24

#

# NAT Descriptor configuration

#

nat descriptor type 1 masquerade

### PP 1 ###

pp select 1

pp always-on on

pppoe use lan2

pp auth accept pap chap

pp auth myname {FLET’S ID} {FLET’S Password}

ppp lcp mru on 1454

ppp ipcp ipaddress on

ppp ipcp msext on

ip pp mtu 1454

ip pp nat descriptor 1

pp enable 1



### TUNNEL 4 ###

tunnel select 4

tunnel encapsulation l2tpv3

tunnel endpoint address 192.168.100.1 121.94.82.26

ipsec tunnel 104

ipsec sa policy 104 4 esp aes256-cbc sha-hmac

ipsec ike duration ipsec-sa 4 3600

ipsec ike duration ike-sa 4 28800

ipsec ike encryption 4 aes256-cbc

ipsec ike group 4 modp1024

ipsec ike hash 4 sha

ipsec ike keepalive use 4 on dpd

ipsec ike local address 4 192.168.100.1

ipsec ike pfs 4 on

ipsec ike pre-shared-key 4 text {pre shared key}

ipsec ike remote address 4 121.94.82.26



l2tp always-on on

l2tp hostname YAMAHA-RTX1200

l2tp tunnel auth off

l2tp tunnel disconnect time off

l2tp keepalive use on 20 3

l2tp keepalive log on

l2tp syslog on

l2tp local router-id {WAN IP Address}

l2tp remote router-id 121.94.82.26

l2tp remote end-id niftycloud

tunnel enable 4

#

# IPSEC configuration

#

ipsec auto refresh on

ipsec transport 4 104 udp 1701

#

# L2TP configuration

#

l2tp service on

#

# DHCP configuration

#

dhcp service server

dhcp server rfc2131 compliant except remain-silent

dhcp scope 1 192.168.100.10-192.168.100.254/24

For more detail:http://jp.yamaha.com/products/network/solution/vpn-connect-l2tpv3-rtx1200/


Performance

This is for reference.NIFTY Cloud does not guarantee the performance.

30 15

80 70

600

0

100

200

300

400

500

600

700

Cloud->Home Home->Cloud Cloud->Home Home->Cloud Cloud->Cloud

L2TPv3/Ipsec/Internet Internet L2TPv3/IPsec


Conculusion

VyOS 1.1.0 released!

Lithium branch!

You can use VyOS on some IaaS.

NIFTY Cloud new features, private network, router, and VPN gateway.

Enhanced xl2tpd and ebtables will be released as open source.

VPN gateway can connect to YAMAHA RTX1200 with L2TPv3/IPsec.


Thank you for listening!

We are hiring!

http://www.nifty.co.jp/recruit/

20141102 vyos 1.1.0 and nifty cloud new features

Technology