I've used Ansible for 'show' commands to validate configurations, but have not used it to configure.
Want to use Ansible to configure 60+ routers with IP SLA and Track. Then tying the Track to a static ip route statement.
The IP SLA and Track configuration will be the same on all routers. So I can write it in the playbook and apply it to all.
However, each router's ip route statement has a unique variable, as the next hop IP address is different on each router, such as:
RTR1:
ip route 0.0.0.0 0.0.0.0 x.x.x.x
RTR2:
ip route 0.0.0.0 0.0.0.0 y.y.y.y
My understanding is that the 'next hop' variable can be handled with Jinja2 in Ansible. I've never used it. Can someone please point me in the right direction in terms of using Jinja with above variables or if there's a better/alternate method.
I'm running Ansible version 2.9.22, Ubuntu 18.0.4
The output of configuration on each router is shown below - which also reflects the exact configuration input.
track 8 ip sla 1 reachability
ip sla 1
icmp-echo 10.1.13.2 source-ip 10.0.12.1
ip sla schedule 1 life forever start-time now
ip route 0.0.0.0 0.0.0.0 x.x.x.x track 8
ip route 0.0.0.0 0.0.0.0 x.x.x.x 10
Please note that the 'x.x.x.x', which is the next hop variable will be different on each router.
Related
I'm having a hard time to finalize a first working configuration with IPsec.
I want to have a IPsec server that creates a network with its clients, and I want the clients to be able to communicate each other through the server. I'm using Strongswan on both server and clients, and I'll have a few clients with other IPsec implementations.
Problem
So the server is reachable at 10.231.0.1 for every clients and the server can ping the clients. It works well. But the clients cannot reach each other.
Here is an output of tcpdump when I try to ping 10.231.0.2 from 10.231.0.3
# tcpdump -n host 10.231.0.3
[..]
21:28:49.099653 ARP, Request who-has 10.231.0.2 tell 10.231.0.3, length 28
21:28:50.123649 ARP, Request who-has 10.231.0.2 tell 10.231.0.3, length 28
I thought of farp plugin, mentionned here : https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling but the ARP request is not making its way to the server, it stays local.
Information
Server ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
esp=aes256-sha256-modp4096!
ike=aes256-sha256-modp4096!
rekey=no
left=%any
leftid=%any
leftcert=server.crt
leftsendcert=always
leftsourceip=10.231.0.1
leftauth=pubkey
leftsubnet=10.231.0.0/16
right=%any
rightid=%any
rightauth=pubkey
rightsourceip=10.231.0.2-10.231.254.254
rightsubnet=10.231.0.0/16
Client ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=route
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=60s
esp=aes256-sha256-modp4096!
ike=aes256-sha256-modp4096!
rekey=no
right=server.url
rightid=%any
rightauth=pubkey
rightsubnet=10.231.0.1/32
left=%defaultroute
leftid=%any
leftauth=pubkey
leftcert=client.crt
leftsendcert=always
leftsourceip=10.231.0.3
leftsubnet=10.231.0.3/32
There should be nothing special or relevant in Strongswan's & charon's configuration file, but I can provide them if you think that could be usefull.
I've taken a few shortcuts in the configuration : I'm using VirtualIP but I'm not using a DHCP plugin or anything to distribute the IP. I'm setting the IP address manually on the clients like so :
ip address add 10.231.0.3/16 dev eth0
And here is a routing table on the client's side (automatically set like that by adding the IP and by Strongswann for the table 220) :
# ip route list | grep 231
10.231.0.0/16 dev eth0 proto kernel scope link src 10.231.0.3
# ip route list table 220
10.231.0.1 via 192.168.88.1 dev eth0 proto static src 10.231.0.3
I've also played with iptables and this rule
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
On both client and server, because I understood that could be a problem if I have MASQUERADE rules already set, but that did not changed anything.
I've also set those kernel parameters through sysctl on both client and server side :
sysctl net.ipv4.conf.default.accept_redirects=0
sysctl net.ipv4.conf.default.send_redirects=0
sysctl net.ipv4.conf.default.rp_filter=0
sysctl net.ipv4.conf.eth0.accept_redirects=0
sysctl net.ipv4.conf.eth0.send_redirects=0
sysctl net.ipv4.conf.eth0.rp_filter=0
sysctl net.ipv4.conf.all.proxy_arp=1
sysctl net.ipv4.conf.eth0.proxy_arp=1
sysctl net.ipv4.ip_forward=1
Lead 1
This could be related to my subnets declared in /32 in my client's configurations. At first I declared the subnet in /16 but I could not connect two clients with this configuration. The second client was taking the whole traffic for itself. So I understood I should limit the traffic selectors and this is how I did it but maybe I'm wrong.
Lead 2
This could be related to my way of assigning IP manually, and the mess it can introduce in the routing table. When I play with the routing table manually assigning gateway (like the public IP of the client as a gateway) then the ARP in TCPdump disappear and I see the ICMP request. But absolutely nothing on the server.
Any thoughts on what I've done wrong ?
Thanks
I wish to run my elasticsearch remotely on gcloud VM, this is configured to run at 127.0.0.1 at a specific port 9200. How to access this from a website outside this vm? If I change the network host to 0.0.0.0 on the yml file, even 9200 port becomes inaccessible. How do I overcome this problem?
Changed network.host: [_site_ , _local_ , _global_ ]
_site_ = internal ip given by google cloud vm,
_local_ = 127.0.0.1,
_global_ = found using curl ifconfig.me,
Opened a specific port (9200) and tried to connect with global IP address.
curl to the global ip gives
>Output: Failed to connect to (_global_ ip) port 9200: connection refused.
So put network.host:0.0.0.0 and then try to allow 9200 and 9201 port and restart the elasticsearch service.If you are using ubuntu then sudo service elasticsearch restart then check by doing curl -XGET 'http://localhost:9200?pretty'.Let me know if you are still facing any issues.
Use following configurations for elasticsearch.yml
network.host: 0.0.0.0
action.auto_create_index: false
index.mapper.dynamic: false
Solved this problem by going through the logs and found out that the public ip address is re-mapped to the internal ip address, hence network.host can't be set to external ip directly. Elasticsearch yml config is as follows:
'network.host: xx.xx.xxx.xx' is set to the internal ip (given by google),
'http.cors.enabled: true',
'http.cors.allow-origin:"*", (Do not use * in production, its a security issue)
'discovery.type: single-node' in my case to make it work independently and not in a cluster
Now this sandboxed version can be accessed from outside the VM using the external IP address given by Google.
I have been trying in the past few days to build and run a very simple network to no avail (most of the network I try to build is borrowed from extServer example). No matter my configuration in terms of IP addresses, routes etc. I cannot seem to make it work.
I have seen many people struggling with it, but have not found any solutions posted anywhere. The readme file in the Emulation folder of INET is more confusing than helpful.
Hence, I would like your help in making the following simple network work and, hopefully, even make it (the post) a tutorial for others as well.
The network I want to build (could not be simpler):
External Server <----> [ext0] ROUTER [ppp0] <----> [ppp0] Standard Host
My setup:
Software:
OMNET++ 4.6 with PCAP enabled.
INET Integration head (includes several features that I like).
OS:
Xubuntu in VirtualBox as a guest which hosts OMNET++. The reason for using Virtualbox is that my Host Win 7 machine refuses to run any external interface example with the error "cSocketRTScheduler: couldn't set socketopt for raw socket.". I modified the source a bit and used WSAGetLastError function, which resolved the issue as "The requested address is not valid in its context.".
Back to VirtualBox :)
Xubuntu has one network interface set to Host-only networking with IP address 10.0.0.1 and netmask 255.255.255.0 .
Standard Host Setup in omnetpp.ini:
**.server.numTcpApps = 1
**.server.tcpApp[*].typename = "TCPSinkApp"
**.server.tcpApp[*].localAddress = "172.0.1.111"
**.server.tcpApp[*].localPort = 10021
The standard host is using the same server.mrt from extServer example.
The router.mrt is as follows:
ifconfig:
# interface 1 to server
name: ppp0
inet_addr: 172.0.1.100
Mask: 255.255.255.0
MTU: 1500
POINTTOPOINT MULTICAST
# interface 2 to external server (real network interface)
name: ext0
inet_addr: 10.0.0.2
Mask: 255.255.255.0
MTU: 1500
POINTTOPOINT MULTICAST
ifconfigend.
route:
#Destination Gateway Genmask Flags Metric Iface
172.0.1.111 172.0.1.100 255.255.255.255 H 0 ppp0
10.0.0.1 10.0.0.2 255.255.255.255 H 0 ext0
0.0.0.0 * 0.0.0.0 G 0 ext0
routeend.
Any ideas on how to make this network work are really welcome as, should it work, I want to expand it later. Also, I would greatly appreciate it if any suggestions are in step-by-step style.
Thank you in advance.
I have my Single node Hadoop installed on Google Compute Engine instance and i want to open port 50070 on that machine to access the hadoop dashboard. i configured in the firewall rule as tcp:50070 in compute engine networks. but still i am unable to access my port outside the network (ie . via internet). I tried nmap for the public ip of my GCE instance and i got a result which has only ssh port got opened all other ports are filtered .
Note: i am using debian 7.5 image
Make sure your daemon is listening on port 50070. If you have more than one networks in you project make sure the port is opened on the right network. You can run the following commands to check the information about your instance and network.
lsof -i
gcutil --project= getinstance
gcutil --project= listnetworks
gcutil --project= listfirewalls
gcutil --project= getfirewall
Check if IP/Port is allowed in iptables or not.
iptables -L
would show you all the records.
To allow port in iptables you can do the following:
sudo iptables -A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
sudo iptables-save -c
Short answer
In addition to configure the firewall rule at GCE web console make sure that your server is listening at 0.0.0.0 instead of 127.0.0.1
Long answer
In the context of servers, 0.0.0.0 means all IPv4 addresses on the local machine. If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host listens on 0.0.0.0, it will be reachable at both of those IPs - Source
In contrast 127.0.0.1 is the IP address used to stablish a connection to the same machine used by the user this address is usually referred as the localhost.
It's often used when you want a network-capable application to only serve clients on the same host. A process that is listening on 127.0.0.1 for connections will only receive local connections on that socket. - Source
Hence, if you try to stablish a connection to your server from internet and your server is listening at 127.0.0.1 at your GCE machine, then, from the server point of view a request has never been received and as a consequence Goocle Cloud Firewall will refuse the connection because there is no server listening at the opened port (in your case 50070).
I hope this answer helps to solve your problem. Best regards.
I'm having problems with proxy/relay applications such as a BNC. I have a CentOS 5.6 VPS with 2 IP addresses which are virtual adapters (venet0:0 and venet0:1) under venet0.
In these applications I can choose which IP address to bind to (IP address of venet0:1) but when they create an outbound connection, it is done through venet0:0.
These are my current settings (found using webmin):
Interfaces
Name Type IP Address Netmask Status
lo Loopback 127.0.0.1 255.0.0.0 Up
Loopback ::1 128 Up
venet0 Unknown 127.0.0.1 255.255.255.255 Up
venet0:0 Unknown (Virtual) xxx.xxx.xxx.xxx 255.255.255.255 Up
venet0:1 Unknown (Virtual) xxx.xxx.xxx.yyy 255.255.255.255 Up
Route and Gateways
Destination Gateway Netmask Interface
169.254.0.0 None 255.255.0.0 venet0
Default Route None venet0
::1 :: 128 lo
Please can someone help me figure out how to configure the VPS?
Try to remove the default routes you do not want. The command ip route list should give you three entries. For example, on my Debian VPS, I get :
192.0.2.1 dev venet0 scope link
default via 192.0.2.1 dev venet0 src 10.15.4.62
default via 192.0.2.1 dev venet0 src 10.15.4.61
I want the VPS to use 10.15.4.61 for outgoing connections, not 10.15.4.62, so I type :
ip route del default via 192.0.2.1 dev venet0 src 10.15.4.62
Now I have a single default route, and my VPS will use the IP I want.