VPN: Difference between revisions
Jump to navigation
Jump to search
On equipment hosting VPN
On other sites' routers
| Line 84: | Line 84: | ||
=== Network interfaces configuration === | === Network interfaces configuration === | ||
{{Managed by Puppet|classes=networkg5k|note=}} | |||
=== Iptables configuration === | |||
{{Managed by Puppet|classes=iptablesg5k|note=}} | |||
=== OpenVPN configuration === | === OpenVPN configuration === | ||
{{Managed by Puppet|classes=openvpn,openvpng5k|note=}} | {{Managed by Puppet|classes=openvpn,openvpng5k|note=}} | ||
== Dom0 == | == Dom0 == | ||
{{Managed by Puppet|classes=networkg5k|note=}} | |||
== Network Equipment == | == Network Equipment == | ||
=== On equipment hosting VPN === | === On equipment hosting VPN {{Yes}}=== | ||
vlan 600 name VPN by port | vlan 600 name VPN by port | ||
| Line 194: | Line 107: | ||
ip address 172.20.255.254 255.255.0.0 | ip address 172.20.255.254 255.255.0.0 | ||
=== On other sites' routers === | === On other sites' routers {{No}} === | ||
route add 172.20.0.0/16 gw 192.168.4.<VPN_site> | route add 172.20.0.0/16 gw 192.168.4.<VPN_site> | ||
| Line 201: | Line 114: | ||
== VPN Client == | == VPN Client == | ||
{{No}} | |||
Revision as of 14:23, 8 October 2013
Présentation CT
Principe
- Connecter des hôtes/réseaux distants "comme si" ils appartiennent au même réseau local
- Chiffrer / Authentifier tout ce qui passe sur les réseaux publiques
- Intêret pour G5K
- S'affranchir de la passerelle SSH
- Accès au monde extérieur (à un serveur, à un réseau)
Implémentation
- OpenVPN : Interfaces virtuelles, Linux, portage Windows, SSL, flexible
- L2 VPN
- Encapsulation de la trame Ethernet (L2) ou paquet IP (L3)
- Fonctionnement des applications non-IP
- Réseau VPN VLAN dédié
- meilleur isolation, pas le VLAN de production
- besoin de configuration des routeurs G5K
- Encapsulation dans
- UDP
- TCP ?
- UDP
Configuration client
- addresse IP dans réseau VPN
- persistence:
- Par nom de certificat / login
- DNS name:
- vpn1.grid5000.fr, vpn2.grid5000.fr
- <login>.vpn.grid5000.fr ? : Besoin de DNS dynamique
- vpn1.grid5000.fr, vpn2.grid5000.fr
- Par nom de certificat / login
- routes G5K (Golden rules !)
- 172.16.0.0/16
- 10.0.0.0/8 ?
- 172.16.0.0/16
- Configuratiuon DNS G5K du client
- Authentification Client
- Génération certificat Client à la demande
- Génération certificat Client à la demande
Securité
- Serveur : Idem access nationale
- Interfaces:
- interface DMZ Publique (pour connexion client VPN depuis Internet)
- interface DMZ Privée (pour administration G5K)
- interface VLAN VPN, sans adresse IP (pour acheminement sur VLAN VPN)
- Utilisation des classes puppet DMZ
- Interfaces:
L2 Ethernet Networks
Some additional VLAN is needed :
VPN: Hosts connected to Grid5000 using VPN access use a dedicated VLAN implemented in sophia site.
Vlan number
| VLAN number | Usage | Name |
|---|---|---|
| 600 | VPN network |
VPN
|
L3 IP Networks
Routing policy
The following table gives detail about the routing policy of each L2 VLAN :
| Network | Routed locally | Routed globally |
|---|---|---|
| VPN network |  |
|
Addressing plan
About VPN
| Site | VPN |
|---|---|
| Sophia | 172.20.0.0/16
|
Need additional route in every gw-site. 
Configuration
DomU
Network interfaces configuration
 |
Managed by Puppet |
|---|---|
|
Classes : Files : Note : | |
Iptables configuration
|
Managed by Puppet |
|---|---|
|
Classes : Files : Note : | |
OpenVPN configuration
|
Managed by Puppet |
|---|---|
|
Classes : Files : Note : | |
Dom0
|
Managed by Puppet |
|---|---|
|
Classes : Files : Note : | |
Network Equipment
On equipment hosting VPN
vlan 600 name VPN by port tagged 7/19 router-interface ve 60
interface ve 60 port-name VPN ip address 172.20.255.254 255.255.0.0
On other sites' routers
route add 172.20.0.0/16 gw 192.168.4.<VPN_site>
VPN Client