forked from erjosito/azcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
linuxnva.azcli
490 lines (470 loc) · 24 KB
/
linuxnva.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
##############################################################
#
# This script demonstrates how to configure Linux NVAs in
# Azure with BGP (bird) and VPN (StrongSwan) on Ubuntu 18.04.
# Both 1-nic and 2-nic NVAs are covered.
#
# Alternative an autoconfig service can be used, where files
# are uploaded to a storage account, and the NVA gets its
# configurations automatically (poor man's centralized config).
#
# Jose Moreno, March 2021
##############################################################
# Variables
rg=linuxnva
location=westeurope
vnet_name=hub
vnet_prefix=10.1.0.0/16
vm_subnet_name=vm
vm_subnet_prefix=10.1.1.0/24
vm_size=Standard_B1s
publisher=Canonical
offer=UbuntuServer
sku=18.04-LTS
version=$(az vm image list -p $publisher -f $offer -s $sku --all --query '[0].version' -o tsv 2>/dev/null)
# Create Vnet
az group create -n $rg -l $location
az network vnet create -g $rg -n $vnet_name --address-prefix $vnet_prefix --subnet-name $vm_subnet_name --subnet-prefix $vm_subnet_prefix
# Create VM for testing purposes
azurevm_name=azurevm
azurevm_pip_name="${azurevm_name}-pip"
az network nsg create -n "${azurevm_name}-nsg" -g $rg
az network nsg rule create -n SSH --nsg-name "${azurevm_name}-nsg" -g $rg --priority 1000 --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -n ICMP --nsg-name "${azurevm_name}-nsg" -g $rg --priority 1030 --destination-port-ranges '*' --access Allow --protocol Icmp
az vm create -n $azurevm_name -g $rg -l $location --image ubuntuLTS --generate-ssh-keys --nsg "${azurevm_name}-nsg" \
--public-ip-address $azurevm_pip_name --vnet-name $vnet_name --size $vm_size --subnet $vm_subnet_name
azurevm_pip_ip=$(az network public-ip show -n $azurevm_pip_name --query ipAddress -o tsv -g $rg) && echo $azurevm_pip_ip
azurevm_nic_id=$(az vm show -n $azurevm_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
# az network nic update --ids $azurevm_nic_id --network-security-group "${azurevm_name}-nsg"
azurevm_private_ip=$(az network nic show --ids $azurevm_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv) && echo $azurevm_private_ip
# Initialize autoconfig (auto download of config files from storage account)
storage_account_name=linuxnva$RANDOM
az storage account create -n $storage_account_name -g $rg --sku Standard_LRS --kind StorageV2
storage_account_key=$(az storage account keys list -n $storage_account_name -g $rg --query '[0].value' -o tsv)
function new_guid () {
echo "$(uuidgen)"
}
function create_container () {
storage_container_name=$1
az storage container create -n $storage_container_name --public-access container \
--auth-mode key --account-name $storage_account_name --account-key $storage_account_key -o none
end_date=$(date -u -d "1 year" '+%Y-%m-%dT%H:%MZ')
az storage container generate-sas -n $storage_container_name --permissions lr --expiry $end_date \
--account-name $storage_account_name --account-key $storage_account_key --auth-mode key -o tsv
}
function upload_file () {
storage_container_name=$1
file_name=$2
storage_blob_name=$3
az storage blob upload -n $storage_blob_name -c $storage_container_name -f $file_name \
--auth-mode key --account-name $storage_account_name --account-key "$storage_account_key"
}
function list_files () {
storage_container_name=$1
az storage blob list -c $storage_container_name -o table \
--auth-mode key --account-name $storage_account_name --account-key "$storage_account_key"
}
function download_files () {
sas=$(sudo cat /root/azure.nva.sas)
storage_account_name=$(sudo cat /root/azure.nva.account)
storage_container_name=$(sudo cat /root/azure.nva.guid)
url="https://${storage_account_name}.blob.core.windows.net/${storage_container_name}/ipsec.conf?${sas}"
echo "Downloading from $url..."
wget $url -O ./ipsec.conf
}
function first_ip(){
subnet=$1
IP=$(echo $subnet | cut -d/ -f 1)
IP_HEX=$(printf '%.2X%.2X%.2X%.2X\n' `echo $IP | sed -e 's/\./ /g'`)
NEXT_IP_HEX=$(printf %.8X `echo $(( 0x$IP_HEX + 1 ))`)
NEXT_IP=$(printf '%d.%d.%d.%d\n' `echo $NEXT_IP_HEX | sed -r 's/(..)/0x\1 /g'`)
echo "$NEXT_IP"
}
# Create Azure NVA with Bird and StrongSwan
linuxnva_asn=65001
linuxnva_subnet_name=azurenva
linuxnva_subnet_prefix=10.1.11.0/24
linuxnva_subnet2_name=azurenva2
linuxnva_subnet2_prefix=10.1.12.0/24
linuxnva_name=linuxnva
linuxnva_pip=${linuxnva_name}-pip
linuxnva_autodeploy=no
az network vnet subnet create --vnet-name $vnet_name --name $linuxnva_subnet_name -g $rg --address-prefixes $linuxnva_subnet_prefix
az network vnet subnet create --vnet-name $vnet_name --name $linuxnva_subnet2_name -g $rg --address-prefixes $linuxnva_subnet2_prefix
linuxnva_cloudinit_file_autodeploy=/tmp/linuxnva_cloudinit_auto.txt
linuxnva_cloudinit_file_noautodeploy=/tmp/linuxnva_cloudinit_noauto.txt
linuxnva_guid=$(new_guid)
linuxnva_sas=$(create_container $linuxnva_guid)
linuxnva_default_gw=$(first_ip "$linuxnva_subnet_prefix") && echo $linuxnva_default_gw
linuxnva_default_gw2=$(first_ip "$linuxnva_subnet2_prefix") && echo $linuxnva_default_gw2
cat <<EOF > $linuxnva_cloudinit_file_autodeploy
#cloud-config
runcmd:
- apt update
- UCF_FORCE_CONFOLD=1 DEBIAN_FRONTEND=noninteractive apt install -y bird strongswan
- sysctl -w net.ipv4.ip_forward=1
- sysctl -w net.ipv4.conf.all.accept_redirects = 0
- sysctl -w net.ipv4.conf.all.send_redirects = 0
- ip link set up dev eth1
- dhclient eth1 -v
- ip route add 0.0.0.0/0 via $linuxnva_default_gw
- ip route add $vnet_prefix via $linuxnva_default_gw2
- wget https://raw.githubusercontent.com/erjosito/azcli/master/linuxnva_autoconfig.sh -O /root/linuxnva_autoconfig.sh
- chmod 755 /root/linuxnva_autoconfig.sh
- (crontab -l 2>/dev/null; echo "* * * * * /root/linuxnva_autoconfig.sh") | crontab -
- echo "$linuxnva_sas" >/root/azure.nva.sas
- echo "$storage_account_name" >/root/azure.nva.account
- echo "$linuxnva_guid" >/root/azure.nva.guid
EOF
cat <<EOF > $linuxnva_cloudinit_file_noautodeploy
#cloud-config
runcmd:
- apt update
- UCF_FORCE_CONFOLD=1 DEBIAN_FRONTEND=noninteractive apt install -y bird strongswan --fix-missing
- sysctl -w net.ipv4.ip_forward=1
- sysctl -w net.ipv4.conf.all.accept_redirects = 0
- sysctl -w net.ipv4.conf.all.send_redirects = 0
- ip link set up dev eth1
- dhclient eth1 -v
- ip route add 0.0.0.0/0 via $linuxnva_default_gw
- ip route add $vnet_prefix via $linuxnva_default_gw2
EOF
if [[ "$linuxnva_autodeploy" == "yes" ]]
then
linuxnva_cloudinit_file=$linuxnva_cloudinit_file_autodeploy
else
linuxnva_cloudinit_file=$linuxnva_cloudinit_file_noautodeploy
fi
az network nsg create -n "${linuxnva_name}-nsg" -g $rg
az network nsg rule create -n SSH --nsg-name "${linuxnva_name}-nsg" -g $rg --priority 1000 --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -n IKE --nsg-name "${linuxnva_name}-nsg" -g $rg --priority 1010 --destination-port-ranges 4500 --access Allow --protocol Udp
az network nsg rule create -n IPsec --nsg-name "${linuxnva_name}-nsg" -g $rg --priority 1020 --destination-port-ranges 500 --access Allow --protocol Udp
az network nsg rule create -n ICMP --nsg-name "${linuxnva_name}-nsg" -g $rg --priority 1030 --destination-port-ranges '*' --access Allow --protocol Icmp
az network public-ip create -g $rg -n "$linuxnva_pip" --allocation-method Dynamic --sku Basic
az network nic create -n "${linuxnva_name}-nic0" -g $rg --vnet-name $vnet_name --subnet $linuxnva_subnet_name --network-security-group "${linuxnva_name}-nsg" --public-ip-address "$linuxnva_pip" --ip-forwarding
az network nic create -n "${linuxnva_name}-nic1" -g $rg --vnet-name $vnet_name --subnet $linuxnva_subnet2_name --network-security-group "${linuxnva_name}-nsg" --ip-forwarding
az vm create -n $linuxnva_name -g $rg -l $location --image "${publisher}:${offer}:${sku}:${version}" --generate-ssh-keys \
--size ${vm_size} --custom-data "$linuxnva_cloudinit_file" --nics "${linuxnva_name}-nic0" "${linuxnva_name}-nic1"
linuxnva_pip_ip=$(az network public-ip show -n $linuxnva_pip -g $rg --query ipAddress -o tsv) && echo $linuxnva_pip_ip
linuxnva_private_ip=$(az network nic show -n "${linuxnva_name}-nic0" -g $rg --query 'ipConfigurations[0].privateIpAddress' -o tsv) && echo $linuxnva_private_ip
# Send all RFC1918 from the VM to the NVA
linuxnva_private_ip2=$(az network nic show -n "${linuxnva_name}-nic1" -g $rg --query 'ipConfigurations[0].privateIpAddress' -o tsv) && echo $linuxnva_private_ip
vm_rt_name=vm
az network route-table create -n vm -g $rg -l $location
az network route-table route create --route-table-name $vm_rt_name -g $rg \
--address-prefix 192.168.0.0/16 --name "RFC1918-1" --next-hop-type VirtualAppliance --next-hop-ip-address "$linuxnva_private_ip2"
az network route-table route create --route-table-name $vm_rt_name -g $rg \
--address-prefix 10.0.0.0/8 --name "RFC1918-2" --next-hop-type VirtualAppliance --next-hop-ip-address "$linuxnva_private_ip2"
az network route-table route create --route-table-name $vm_rt_name -g $rg \
--address-prefix 172.16.0.0/12 --name "RFC1918-3" --next-hop-type VirtualAppliance --next-hop-ip-address "$linuxnva_private_ip2"
az network vnet subnet update -g $rg --vnet-name $vnet_name -n $vm_subnet_name --route-table $vm_rt_name
# Simulation of onprem with a different Azure VNet and NVA
onprem_vnet_name=onprem
onprem_vnet_prefix=192.168.0.0/16
onprem_nva_subnet_name=onprem
onprem_nva_subnet_prefix=192.168.0.0/24
onprem_gw_subnet_name=GatewaySubnet
onprem_gw_subnet_prefix=192.168.1.0/24
az network vnet create -n $onprem_vnet_name -g $rg --address-prefixes $onprem_vnet_prefix --subnet-name $onprem_nva_subnet_name --subnet-prefixes $onprem_nva_subnet_prefix
az network vnet subnet create -g $rg --vnet-name $onprem_vnet_name -n GatewaySubnet --address-prefix $onprem_gw_subnet_prefix
# az network route-table create -n onpremnva -g $rg -l $location --disable-bgp-route-propagation
# az network vnet subnet update -g $rg --vnet-name $onprem_vnet_name -n $onprem_nva_subnet_name --route-table onpremnva
# Create onprem Linux NVA
onprem_linuxnva_asn=65002
onprem_linuxnva_name=onpremnva
onprem_linuxnva_pip=${onprem_linuxnva_name}-pip
onprem_linuxnva_ip=192.168.0.20
onprem_linuxnva_autodeploy=no
linuxnva_cloudinit_file_autodeploy=/tmp/linuxnva_cloudinit_auto.txt
linuxnva_cloudinit_file_noautodeploy=/tmp/linuxnva_cloudinit_noauto.txt
onprem_linuxnva_guid=$(new_guid)
onprem_linuxnva_sas=$(create_container $onprem_linuxnva_guid)
cat <<EOF > $linuxnva_cloudinit_file_autodeploy
#cloud-config
runcmd:
- apt update && apt install -y bird strongswan
- sysctl -w net.ipv4.ip_forward=1
- sysctl -w net.ipv4.conf.all.accept_redirects = 0
- sysctl -w net.ipv4.conf.all.send_redirects = 0
- wget https://raw.githubusercontent.com/erjosito/azcli/master/linuxnva_autoconfig.sh -O /root/linuxnva_autoconfig.sh
- chmod 755 /root/linuxnva_autoconfig.sh
- (crontab -l 2>/dev/null; echo "* * * * * /root/linuxnva_autoconfig.sh") | crontab -
- echo "$onprem_linuxnva_sas" >/root/azure.nva.sas
- echo "$storage_account_name" >/root/azure.nva.account
- echo "$onprem_linuxnva_guid" >/root/azure.nva.guid
EOF
cat <<EOF > $linuxnva_cloudinit_file_noautodeploy
#cloud-config
runcmd:
- apt update && apt install -y bird strongswan
- sysctl -w net.ipv4.ip_forward=1
- sysctl -w net.ipv4.conf.all.accept_redirects = 0
- sysctl -w net.ipv4.conf.all.send_redirects = 0
EOF
if [[ "$onprem_linuxnva_autodeploy" == "yes" ]]
then
linuxnva_cloudinit_file=$linuxnva_cloudinit_file_autodeploy
else
linuxnva_cloudinit_file=$linuxnva_cloudinit_file_noautodeploy
fi
az network nsg create -n "${onprem_linuxnva_name}-nsg" -g $rg
az network nsg rule create -n SSH --nsg-name "${onprem_linuxnva_name}-nsg" -g $rg --priority 1000 --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -n IKE --nsg-name "${onprem_linuxnva_name}-nsg" -g $rg --priority 1010 --destination-port-ranges 4500 --access Allow --protocol Udp
az network nsg rule create -n IPsec --nsg-name "${onprem_linuxnva_name}-nsg" -g $rg --priority 1020 --destination-port-ranges 500 --access Allow --protocol Udp
az network nsg rule create -n ICMP --nsg-name "${onprem_linuxnva_name}-nsg" -g $rg --priority 1030 --destination-port-ranges '*' --access Allow --protocol Icmp
az vm create -n $onprem_linuxnva_name -g $rg -l $location --image ubuntuLTS --generate-ssh-keys \
--public-ip-address $onprem_linuxnva_pip --vnet-name $onprem_vnet_name --size $vm_size --subnet $onprem_nva_subnet_name \
--custom-data $linuxnva_cloudinit_file --private-ip-address "$onprem_linuxnva_ip" --nsg "${onprem_linuxnva_name}-nsg"
onprem_linuxnva_nic_id=$(az vm show -n $onprem_linuxnva_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
az network nic update --ids $onprem_linuxnva_nic_id --ip-forwarding
onprem_linuxnva_pip_ip=$(az network public-ip show -n $onprem_linuxnva_pip -g $rg --query ipAddress -o tsv) && echo $onprem_linuxnva_pip_ip
onprem_linuxnva_private_ip=$(az network nic show --ids $onprem_linuxnva_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv) && echo $onprem_linuxnva_private_ip
onprem_linuxnva_default_gw=$(first_ip "$onprem_nva_subnet_prefix") && echo $onprem_linuxnva_default_gw
sleep 30 # It can take some time for the bird/ipsec daemons to start
# Configure StrongSwan VPN
# See https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html
# See https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
echo "Configuring VPN between A:${linuxnva_pip_ip}/${linuxnva_private_ip} and B:${onprem_linuxnva_pip_ip}/${onprem_linuxnva_private_ip}"
if [[ "$linuxnva_autodeploy" == "yes" ]]
then
vti_file=/tmp/vti.csv
echo "${linuxnva_pip_ip},${linuxnva_private_ip},${onprem_linuxnva_pip_ip},${onprem_linuxnva_private_ip},vti0,12" >$vti_file
upload_file $linuxnva_guid $vti_file vti.csv
else
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo ip tunnel add vti0 local $linuxnva_private_ip remote $onprem_linuxnva_pip_ip mode vti key 12"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo sysctl -w net.ipv4.conf.vti0.disable_policy=1"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo ip link set up dev vti0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo ip route add $onprem_linuxnva_private_ip/32 dev vti0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo sed -i 's/# install_routes = yes/install_routes = no/' /etc/strongswan.d/charon.conf"
fi
if [[ "$onprem_linuxnva_autodeploy" == "yes" ]]
then
vti_file=/tmp/vti.csv
echo "${onprem_linuxnva_pip_ip},${onprem_linuxnva_private_ip},${linuxnva_pip_ip},${linuxnva_private_ip},vti0,12" >$vti_file
upload_file $onprem_linuxnva_guid $vti_file vti.csv
else
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo ip tunnel add vti0 local $onprem_linuxnva_private_ip remote $linuxnva_pip_ip mode vti key 12"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo sysctl -w net.ipv4.conf.vti0.disable_policy=1"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo ip link set up dev vti0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo ip route add $linuxnva_private_ip/32 dev vti0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo sed -i 's/# install_routes = yes/install_routes = no/' /etc/strongswan.d/charon.conf"
fi
# Config files
vpn_psk=$(openssl rand -base64 64)
vpn_psk=${vpn_psk//$'\n'/} # Remove line breaks
psk_file_a=/tmp/ipsec.secrets.a
psk_file_b=/tmp/ipsec.secrets.b
cat <<EOF > $psk_file_a
$linuxnva_pip_ip $onprem_linuxnva_pip_ip : PSK "$vpn_psk"
EOF
cat <<EOF > $psk_file_b
$onprem_linuxnva_pip_ip $linuxnva_pip_ip : PSK "$vpn_psk"
EOF
ipsec_file_a=/tmp/ipsec.conf.a
ipsec_file_b=/tmp/ipsec.conf.b
cat <<EOF > $ipsec_file_a
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn to-onprem
authby=secret
leftid=$linuxnva_pip_ip
leftsubnet=0.0.0.0/0
right=$onprem_linuxnva_pip_ip
rightsubnet=0.0.0.0/0
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start
mark=12
EOF
cat <<EOF > $ipsec_file_b
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn to-azure
authby=secret
leftid=$onprem_linuxnva_pip_ip
leftsubnet=0.0.0.0/0
right=$linuxnva_pip_ip
rightsubnet=0.0.0.0/0
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start
mark=12
EOF
if [[ "$linuxnva_autodeploy" == "yes" ]]
then
upload_file $linuxnva_guid $psk_file_a ipsec.secrets
upload_file $linuxnva_guid $ipsec_file_a ipsec.conf
list_files $linuxnva_guid
else
username=$(whoami)
scp $psk_file_a $linuxnva_pip_ip:/home/$username/ipsec.secrets
scp $ipsec_file_a $linuxnva_pip_ip:/home/$username/ipsec.conf
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo mv ./ipsec.* /etc/"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo systemctl restart ipsec"
fi
if [[ "$onprem_linuxnva_autodeploy" == "yes" ]]
then
upload_file $onprem_linuxnva_guid $psk_file_b ipsec.secrets
upload_file $onprem_linuxnva_guid $ipsec_file_b ipsec.conf
list_files $onprem_linuxnva_guid
else
username=$(whoami)
scp $psk_file_b $onprem_linuxnva_pip_ip:/home/$username/ipsec.secrets
scp $ipsec_file_b $onprem_linuxnva_pip_ip:/home/$username/ipsec.conf
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo mv ./ipsec.* /etc/"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo systemctl restart ipsec"
fi
# Configure BGP with Bird (azure)
bird_config_file_a=/tmp/bird.conf.a
cat <<EOF > $bird_config_file_a
log syslog all;
router id $linuxnva_private_ip;
protocol device {
scan time 10;
}
protocol direct {
disabled;
}
protocol kernel {
preference 254;
learn;
merge paths on;
import filter {
if net ~ ${onprem_linuxnva_private_ip}/32 then accept;
else reject;
};
export filter {
if net ~ ${onprem_linuxnva_private_ip}/32 then reject;
else accept;
};
}
protocol static {
import all;
route 1.1.1.1/32 via $linuxnva_default_gw;
route $vnet_prefix via $linuxnva_default_gw;
}
protocol bgp uplink0 {
description "BGP to Azure";
multihop;
local $linuxnva_private_ip as $linuxnva_asn;
neighbor $onprem_linuxnva_private_ip as $onprem_linuxnva_asn;
import filter {accept;};
export filter {accept;};
}
EOF
# Configure BGP with Bird (onprem)
bird_config_file_b=/tmp/bird.conf.b
cat <<EOF > $bird_config_file_b
log syslog all;
router id $onprem_linuxnva_private_ip;
protocol device {
scan time 10;
}
protocol direct {
disabled;
}
protocol kernel {
preference 254;
learn;
merge paths on;
import filter {
if net ~ ${linuxnva_private_ip}/32 then accept;
else reject;
};
export filter {
if net ~ ${linuxnva_private_ip}/32 then reject;
else accept;
};
}
protocol static {
import all;
route 2.2.2.2/32 via $onprem_linuxnva_default_gw;
route $onprem_vnet_prefix via $onprem_linuxnva_default_gw;
}
protocol bgp uplink0 {
description "BGP to Azure";
multihop;
local $onprem_linuxnva_private_ip as $onprem_linuxnva_asn;
neighbor $linuxnva_private_ip as $linuxnva_asn;
import filter {accept;};
export filter {accept;};
}
EOF
# Deploy config files
if [[ "$linuxnva_autodeploy" == "yes" ]]
then
upload_file $linuxnva_guid $bird_config_file_a bird.conf
list_files $linuxnva_guid
else
username=$(whoami)
scp $bird_config_file_a "${linuxnva_pip_ip}:/home/${username}/bird.conf"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo mv /home/${username}/bird.conf /etc/bird/bird.conf"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo systemctl restart bird"
fi
if [[ "$onprem_linuxnva_autodeploy" == "yes" ]]
then
upload_file $onprem_linuxnva_guid $bird_config_file_b bird.conf
list_files $onprem_linuxnva_guid
else
username=$(whoami)
scp $bird_config_file_b "${onprem_linuxnva_pip_ip}:/home/${username}/bird.conf"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo mv /home/${username}/bird.conf /etc/bird/bird.conf"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo systemctl restart bird"
fi
# Wait 1 minute to make sure the config is applied
sleep 60
# File diagnostics
list_files $linuxnva_guid
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo crontab -l"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo ls -l /root/"
list_files $onprem_linuxnva_guid
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo crontab -l"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo ls -l /root/"
# IPsec Diagnostics
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "ip a"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "netstat -rnv"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "systemctl status ipsec"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo ipsec status"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "ping $onprem_linuxnva_private_ip -c 5"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "ip a"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "netstat -rnv"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "systemctl status ipsec"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo ipsec status"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "ping $linuxnva_private_ip -c 5"
# BGP Diagnostics
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "systemctl status bird"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo birdc show status"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo birdc show protocols uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo birdc show protocol all uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo birdc show route"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo birdc show route protocol uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo birdc show route export uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "sudo birdc show route where net ~2.2.2.2/32 all"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $linuxnva_pip_ip "netstat -rnv"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "systemctl status bird"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo birdc show status"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo birdc show protocols uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo birdc show protocol all uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo birdc show route"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo birdc show route protocol uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo birdc show route export uplink0"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "sudo birdc show route where net ~2.2.2.2/32 all"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $onprem_linuxnva_pip_ip "netstat -rnv"
# Ping from Azure VM to onprem
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $azurevm_pip_ip "ping $onprem_linuxnva_private_ip -c 5"