Copyright © NIFTY Corporation All Rights Reserved.
VyOS 1.1.0 and NIFTY Cloud New Features
Yuya Kusakabe - @higebu
NIFTY Corp.
VyOS Users Meeting #2,
Nov. 2, 2014
VyOS 1.1.0 released!
Release date: Oct. 9, 2014
New features:
Unmanaged L2TPv3
Dummy interfaces
QinQ
Event handler
IGMP proxy
Experimental features:
VXLAN -> @upaa
DMVPN
For more detail:
http://vyos.net/wiki/1.1.0/release_notes
Lithium branch
Helium is now feature frozen, please submit all patches to lithium.
VyOS on IaaS
VyOS on IaaS
AWS
AMI
さくらのクラウド (Sakura Cloud)
Images
VPCルータ (VPC Router)
IDCFクラウド (IDCF Cloud)
Images
NIFTY Cloud
Images
New network features
AWS
VyOS 1.0.5 64bit
https://aws.amazon.com/marketplace/pp/B00JK5UPF6
さくらのクラウド (Sakura Cloud)
VyOS 1.0.5 64bit
http://cloud.sakura.ad.jp/
さくらのクラウド (Sakura Cloud)
http://www.slideshare.net/sakuranocloud/20140727-vyosuserspost?qid=4616b826-dfa1-4ff9-9dce-d9f13516fd84
IDCFクラウド (IDCF Cloud)
VyOS 1.0.4 64bit
http://www.idcf.jp/cloud/
NIFTY Cloud
VyOS 1.0.5 64bit and 1.1.0 64bit
New network features
Release date: Nov. 2014
Private LAN (Private network)
You can use multiple private networks.
Router
DHCP, NAT, Routing, Web Proxy
VPN Gateway
IPsec
Unmanaged L2TPv3 over IPsec
Managed L2TPv3 over IPsec
About Managed L2TPv3
Enhanced xl2tpd
For Managed L2TPv3
The source code will be released as open source.
Enhanced ebtables
For storm control
These are NIFTY Cloud original commands…
Special thanks to @m_asama !
Managed L2TPv3 Commands
set system l2tpv3 router-id { local address }
set interfaces l2tpv3 l2tpeth0 bridge-group bridge br0
set interfaces l2tpv3 l2tpeth0 encapsulation udp
set interfaces l2tpv3 l2tpeth0 mode { lns or lac }
set interfaces l2tpv3 l2tpeth0 remote-ip { remote address }
set interfaces l2tpv3 l2tpeth0 remote-end-id { remote end id }
Storm control Commands
set service nifty-cloud-bridge-filter interface eth3
set service nifty-cloud-bridge-filter mac-addr-limit 20/30
set service nifty-cloud-bridge-filter mcast-limit 1000/s
set service nifty-cloud-bridge-filter mcast-limit-burst 2000
When the above setting is enabled, ebtables drops every frame except IPv4 and ARP packets.
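To make the storm-control semantics concrete, here is an added model (not NIFTY Cloud's or VyOS's code) of the filter configured above. It assumes mcast-limit / mcast-limit-burst behave like the ebtables limit match, a token bucket of burst tokens refilled at the configured rate and charged only for frames sent to group (multicast or broadcast) MAC addresses, and that the EtherType filter passes only IPv4 and ARP; mac-addr-limit is not modelled, and the ARP storm is a constructed sample.

```python
from dataclasses import dataclass

ALLOWED_ETHERTYPES = {0x0800, 0x0806}   # IPv4, ARP: everything else is dropped
SCALE = 1_000_000                        # tokens kept as integer micro-tokens


@dataclass
class Frame:
    ts_us: int          # arrival time in microseconds
    ethertype: int
    dst_mac: str


class StormFilter:
    """Token bucket assumed to mirror ebtables --limit RATE --limit-burst BURST."""
    def __init__(self, rate_per_s=1000, burst=2000):   # mcast-limit 1000/s, burst 2000
        self.rate = rate_per_s
        self.capacity = burst * SCALE
        self.tokens = self.capacity                    # bucket starts full
        self.last_us = 0

    @staticmethod
    def is_group(mac):
        # I/G bit: lowest bit of the first octet marks a multicast/broadcast address
        return (int(mac.split(":")[0], 16) & 1) == 1

    def accept(self, frame):
        if frame.ethertype not in ALLOWED_ETHERTYPES:
            return False                 # e.g. IPv6 or LLDP: dropped outright
        if not self.is_group(frame.dst_mac):
            return True                  # unicast is not rate-limited
        # refill for the elapsed time (rate tokens/s == rate micro-tokens/us), cap at burst
        self.tokens = min(self.capacity, self.tokens + (frame.ts_us - self.last_us) * self.rate)
        self.last_us = frame.ts_us
        if self.tokens >= SCALE:
            self.tokens -= SCALE
            return True
        return False


def run(frames, **limits):
    """Return (accepted, dropped) for frames in arrival order."""
    flt = StormFilter(**limits)
    accepted = sum(1 for f in frames if flt.accept(f))
    return accepted, len(frames) - accepted


def arp_storm(n=5000, duration_us=1_000_000):
    """Constructed sample: n broadcast ARP frames spread evenly over duration_us."""
    return [Frame(i * duration_us // n, 0x0806, "ff:ff:ff:ff:ff:ff") for i in range(n)]
```

With the slide's values, a 5000-frame broadcast storm in one second lets roughly burst plus one second of rate through and drops the rest; shrinking the burst shows how much of that allowance the bucket accounts for.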
Extending Home Network to NIFTY Cloud across the Internet with L2TPv3 / IPsec
Network configuration (diagram): Managed L2TPv3 / IPsec across the Internet
My Home: FLET'S HIKARI NEXT High-Speed Type For Houses, YAMAHA RTX1200, 192.168.100.0/24, dhcp
NIFTY Cloud: Customized VyOS 1.0.5 amd64, 121.94.82.26, 192.168.100.0/24
Same subnet on both sides
Setting up NIFTY Cloud VPN Gateway
Demo
No Photographs
Setting up YAMAHA RTX1200
#
# IP configuration
#
ip route default gateway pp 1
#
# Bridge configuration
#
bridge member bridge1 lan1 tunnel4
ip bridge1 address 192.168.100.1/24
#
# NAT Descriptor configuration
#
nat descriptor type 1 masquerade
### PP 1 ###
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname {FLET'S ID} {FLET'S Password}
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp mtu 1454
ip pp nat descriptor 1
pp enable 1
Setting up YAMAHA RTX1200
### TUNNEL 4 ###
tunnel select 4
tunnel encapsulation l2tpv3
tunnel endpoint address 192.168.100.1 121.94.82.26
ipsec tunnel 104
ipsec sa policy 104 4 esp aes256-cbc sha-hmac
ipsec ike duration ipsec-sa 4 3600
ipsec ike duration ike-sa 4 28800
ipsec ike encryption 4 aes256-cbc
ipsec ike group 4 modp1024
ipsec ike hash 4 sha
ipsec ike keepalive use 4 on dpd
ipsec ike local address 4 192.168.100.1
ipsec ike pfs 4 on
ipsec ike pre-shared-key 4 text {pre shared key}
ipsec ike remote address 4 121.94.82.26
Setting up YAMAHA RTX1200
l2tp always-on on
l2tp hostname YAMAHA-RTX1200
l2tp tunnel auth off
l2tp tunnel disconnect time off
l2tp keepalive use on 20 3
l2tp keepalive log on
l2tp syslog on
l2tp local router-id {WAN IP Address}
l2tp remote router-id 121.94.82.26
l2tp remote end-id niftycloud
tunnel enable 4
#
# IPSEC configuration
#
ipsec auto refresh on
ipsec transport 4 104 udp 1701
#
# L2TP configuration
#
l2tp service on
#
# DHCP configuration
#
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.100.10-192.168.100.254/24
For more detail:
http://jp.yamaha.com/products/network/solution/vpn-connect-l2tpv3-rtx1200/
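As an added review check (not YAMAHA's or NIFTY Cloud's code), this script parses the tunnel-4 IPsec lines from the RTX1200 configuration above and reports what a reviewer would verify before exposing the tunnel to the Internet: the IPsec transport-mode binding to UDP/1701 that L2TPv3 needs, PFS and DPD enabled, and the DH group and IKE hash measured against RFC 8247 (which lists the 1024-bit MODP group 2 as SHOULD NOT). The configuration text is copied from the slide with its pre-shared-key placeholder kept.

```python
import re

# Constructed sample: the tunnel-4 IPsec lines copied from the slide, placeholder kept.
RTX_SAMPLE = """
ipsec sa policy 104 4 esp aes256-cbc sha-hmac
ipsec ike duration ipsec-sa 4 3600
ipsec ike duration ike-sa 4 28800
ipsec ike encryption 4 aes256-cbc
ipsec ike group 4 modp1024
ipsec ike hash 4 sha
ipsec ike keepalive use 4 on dpd
ipsec ike pfs 4 on
ipsec ike pre-shared-key 4 text {pre shared key}
ipsec transport 4 104 udp 1701
"""

WEAK_DH = {"modp768", "modp1024"}   # IKE groups 1 and 2: RFC 8247 MUST NOT / SHOULD NOT
LEGACY_HASH = {"md5", "sha"}        # RTX "sha" means SHA-1


def parse_ike(text, tunnel):
    """Map IKE attribute -> value for one tunnel, e.g. 'group' -> 'modp1024'."""
    ike = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["ipsec", "ike"] or str(tunnel) not in tok:
            continue
        i = tok.index(str(tunnel))      # attribute words before the id, value after
        ike[" ".join(tok[2:i])] = " ".join(tok[i + 1:])
    return ike


def audit(text, tunnel=4):
    """Return check name -> result for one tunnel of an RTX config."""
    ike = parse_ike(text, tunnel)
    # ESP policies bound to this tunnel: policy id -> (encryption, auth)
    policies = {pid: (enc, auth)
                for pid, tun, enc, auth in re.findall(r"ipsec sa policy (\d+) (\d+) esp (\S+) (\S+)", text)
                if tun == str(tunnel)}
    transport = re.findall(rf"ipsec transport {tunnel} (\d+) (\S+) (\d+)", text)
    return {
        # L2TPv3 runs over UDP/1701, so IPsec must bind to it in transport mode
        "l2tpv3_transport_udp1701": any(pid in policies and proto == "udp" and port == "1701"
                                        for pid, proto, port in transport),
        "pfs_on": ike.get("pfs") == "on",
        "dpd_on": ike.get("keepalive use") == "on dpd",
        "weak_dh_group": ike.get("group") if ike.get("group") in WEAK_DH else None,
        "legacy_ike_hash": ike.get("hash") if ike.get("hash") in LEGACY_HASH else None,
        "esp_proposals": sorted(set(policies.values())),
    }
```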
Performance
This is for reference. NIFTY Cloud does not guarantee the performance.
Bar chart (y-axis 0 to 700; units not stated on the slide), values as read from the bars:
Cloud->Home over L2TPv3/IPsec/Internet: 30
Home->Cloud over L2TPv3/IPsec/Internet: 15
Cloud->Home over Internet: 80
Home->Cloud over Internet: 70
Cloud->Cloud over L2TPv3/IPsec: 600
Conclusion
VyOS 1.1.0 released!
Lithium branch!
You can use VyOS on several IaaS platforms.
NIFTY Cloud new features: private network, router, and VPN gateway.
Enhanced xl2tpd and ebtables will be released as open source.
VPN gateway can connect to YAMAHA RTX1200 with L2TPv3/IPsec.
Thank you for listening!
We are hiring!
http://www.nifty.co.jp/recruit/