IPSEC and NAT changes

 

When TRIUMF stops advertising 142.90.0.0/16, SIP telephones and NAT will break. NAT is used by TR13, Visitor WiFi and TRIUMF House WiFi users.

  • SIP telephones communicate with Educloud over an IPSEC VPN tunnel. The tunnel is terminated on the TRIUMF firewall at interface address 142.90.1.2.
  • NAT on the firewall uses the egress interface address as the source NAT address. Depending on the destination this could be:
    • 142.90.1.2 (ORAN)
    • 142.90.1.6 (Compute Canada)
    • 142.90.1.10 (Commodity)
    • 142.90.1.14 (IX CANARIE CDS)

 

To correct this, TRIUMF must move the 4 iBGP peerings between its firewall (SRX-3400) and its border VRFs on the EX9208 from 142.90.1.x addresses to 142.90.y.x addresses. It has been decided to use y=191. This is the highest /24 in the two IP address blocks that TRIUMF will not be transferring, 142.90.64.0/18 and 142.90.128.0/18.
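The four peerings below all follow the same pattern (same host bits, third octet 1 replaced by 191), so the change statements can be generated from a small table and checked before anything is pasted into a device. The following Python is an added example and is not TRIUMF's own tooling; the peering table, unit numbers and retained blocks are transcribed from this page, and the script emits the eight EX-side statements in the shape used by the ORAN, Westgrid and IX blocks below (for commodity, whose block on this page has no static default route, drop the two static-route lines). It refuses to emit a change whose new address would fall outside 142.90.64.0/18 or 142.90.128.0/18, or whose two ends do not share one /30.

```python
import ipaddress

# Transcribed from this page: the four EX9208 <-> SRX-3400 iBGP /30s and the
# irb/reth unit each one is configured on (the same unit number on both boxes).
PEERINGS = [
    # (vrf, unit, EX9208 address, SRX-3400 address)
    ("oran",      200, "142.90.1.1",  "142.90.1.2"),
    ("westgrid",  201, "142.90.1.5",  "142.90.1.6"),
    ("commodity", 202, "142.90.1.9",  "142.90.1.10"),
    ("ix",        203, "142.90.1.13", "142.90.1.14"),
]

# Blocks the page says TRIUMF keeps; every new address must fall inside one.
RETAINED = [ipaddress.ip_network("142.90.64.0/18"),
            ipaddress.ip_network("142.90.128.0/18")]
NEW_THIRD_OCTET = 191  # y=191, per the page


def renumber(addr, third_octet=NEW_THIRD_OCTET):
    """142.90.1.x -> 142.90.<third_octet>.x (host part unchanged)."""
    octets = addr.split(".")
    octets[2] = str(third_octet)
    return ".".join(octets)


def in_retained_block(addr):
    """True if addr lies in a prefix TRIUMF is not handing back."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RETAINED)


def same_slash30(a, b):
    """True if both ends of a point-to-point link share one /30."""
    return (ipaddress.ip_interface(f"{a}/30").network
            == ipaddress.ip_interface(f"{b}/30").network)


def ex_statements(vrf, unit, ex_old, srx_old):
    """EX9208 side: router-id, default route, iBGP peer and irb address."""
    ex_new, srx_new = renumber(ex_old), renumber(srx_old)
    return [
        f"set routing-instances {vrf} routing-options router-id {ex_new}",
        f"delete routing-instances {vrf} routing-options static route 0.0.0.0/0 next-hop {srx_old}",
        f"set routing-instances {vrf} routing-options static route 0.0.0.0/0 next-hop {srx_new}",
        f"set routing-instances {vrf} protocols bgp group iBGP local-address {ex_new}",
        f"delete routing-instances {vrf} protocols bgp group iBGP neighbor {srx_old}",
        f"set routing-instances {vrf} protocols bgp group iBGP neighbor {srx_new}",
        f"delete interfaces irb unit {unit} family inet address {ex_old}/30",
        f"set interfaces irb unit {unit} family inet address {ex_new}/30",
    ]


def srx_statements(unit, ex_old, srx_old):
    """SRX-3400 side: iBGP peer in wan-fw and reth0 address."""
    ex_new, srx_new = renumber(ex_old), renumber(srx_old)
    return [
        f"delete routing-instances wan-fw protocols bgp group iBGP neighbor {ex_old}",
        f"set routing-instances wan-fw protocols bgp group iBGP neighbor {ex_new}",
        f"delete interfaces reth0 unit {unit} family inet address {srx_old}/30",
        f"set interfaces reth0 unit {unit} family inet address {srx_new}/30",
    ]


def change_set(peerings=PEERINGS):
    """Validate each peering and return {vrf: {"ex": [...], "srx": [...]}}.

    Raises ValueError instead of emitting a change that would put an address
    outside the retained blocks or split a link across two /30s.
    """
    out = {}
    for vrf, unit, ex_old, srx_old in peerings:
        ex_new, srx_new = renumber(ex_old), renumber(srx_old)
        for a in (ex_new, srx_new):
            if not in_retained_block(a):
                raise ValueError(f"{vrf}: {a} is not in a retained block")
        if not (same_slash30(ex_old, srx_old) and same_slash30(ex_new, srx_new)):
            raise ValueError(f"{vrf}: link ends are not in one /30")
        out[vrf] = {"ex": ex_statements(vrf, unit, ex_old, srx_old),
                    "srx": srx_statements(unit, ex_old, srx_old)}
    return out


if __name__ == "__main__":
    for vrf, sides in change_set().items():
        print(f"# {vrf}")
        print("\n".join(sides["ex"] + sides["srx"]))
```

Diffing the generated statements against the hand-written blocks below is a cheap way to catch a transposed octet or a wrong unit number before the maintenance window, when the only feedback would otherwise be the 10-minute phone timer.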

 

These changes will incur service interruptions:

  1. All SIP phones relying on connectivity to Educloud will be impacted. If the VPN tunnel is not restored within 10 minutes, all SIP phones will reboot and try to connect to the PBX server. When 800 phones try to TFTP to the server it can take up to 40 minutes before all phones recover.
  2. There will be 4 short network interruptions, each estimated at ~5 minutes (this is the approximate time it takes for BGP and OSPF to repopulate the route tables), for traffic destined offsite to
    1. ORAN
    2. Commodity
    3. Compute Canada
    4. IX

 

This work has been scheduled for Friday Jan 31 00:00 -06:00. The proposed order is the following. The work should be done from tradmin, which has an interface on v5.

 

  1. Notify BCNET operations of potential interruption
  2. Notify Control room and activate work permit.
  3. The Westgrid iBGP peering. This has the least impact on the site.
    1. Confirm procedure works
    2. Confirm duration  of the interruption
    3. Confirm NAT works by connecting to Visitor WiFi and confirm offsite connectivity.
  4. The CANARIE IX peering
    1. Confirm the number of received routes before and after change
    2. Confirm NAT with Visitor WiFi to Google, O365
  5. The Commodity peering
    1. Confirm connectivity to the BCNET peer address and beyond
  6. Finally the ORAN peering. This is the one that impacts the SIP Phones.
    1. EX-9208 first
    2. SRX-3400
    3. Should experience short interruption (duration unknown)
    4. Logon to Educloud and change VPN tunnels to 142.90.191.2
    5. If the phone tunnel is not restored within 10 minutes, ALL SIP phones will reboot and it could take as long as 40 minutes to fully recover.

 

ORAN Connection iBGP 142.90.1.1 and 142.90.1.2 - used by the Educloud VPN tunnel for SIP phones

!
! EX-9208
!
set routing-instances oran routing-options router-id 142.90.191.1

delete routing-instances oran routing-options static route 0.0.0.0/0 next-hop 142.90.1.2
set    routing-instances oran routing-options static route 0.0.0.0/0 next-hop 142.90.191.2

set routing-instances oran protocols bgp group iBGP local-address 142.90.191.1
delete routing-instances oran protocols bgp group iBGP neighbor 142.90.1.2
set routing-instances oran protocols bgp group iBGP neighbor 142.90.191.2

delete interfaces irb unit 200 family inet address 142.90.1.1/30
set    interfaces irb unit 200 family inet address 142.90.191.1/30


!
! SRX-3400
!
delete security ipsec vpn Educloud-PBX traffic-selector TRIUMF21-TOP local-ip 142.90.128.0/17
set    security ipsec vpn Educloud-PBX traffic-selector TRIUMF21-TOP local-ip 142.90.128.0/19

delete routing-instances wan-fw routing-options static route 206.12.9.128/25 next-hop 142.90.1.1
delete routing-instances wan-fw routing-options static route 206.12.9.112/28 next-hop 142.90.1.1
delete routing-instances wan-fw routing-options static route 206.12.9.0/29   next-hop 142.90.1.1
set    routing-instances wan-fw routing-options static route 206.12.9.128/25 next-hop 142.90.191.1
set    routing-instances wan-fw routing-options static route 206.12.9.112/28 next-hop 142.90.191.1
set    routing-instances wan-fw routing-options static route 206.12.9.0/29   next-hop 142.90.191.1

delete routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.1.1
set    routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.191.1

delete interfaces reth0 unit 200 family inet address 142.90.1.2/30
set    interfaces reth0 unit 200 family inet address 142.90.191.2/30

! Remove unnecessary code
deactivate security ipsec vpn Educloud-PBX traffic-selector Goldline local-ip 162.248.168.64/28
deactivate security ipsec vpn Educloud-PBX traffic-selector Goldline remote-ip 142.90.21.0/24


!
! Checks
!
run show route table oran.inet.0 --> should see 19010 routes

! check ping to BCNET peering
run ping routing-instance oran 142.231.1.54
run ping routing-instance oran 134.87.2.70
!
run ping routing-instance wan-fw 142.231.1.54
run ping routing-instance wan-fw 134.87.2.70
run ping routing-instance wan-fw 142.90.191.1

! Check from ccnmac visitor WiFi can access 8.8.8.8

run show security ike security-associations
node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
1081813688 UP  6b71f75707db2ada  bcdf9e59a700c612  Main           206.12.208.77   

run show security ipsec security-associations  
node0:
--------------------------------------------------------------------------
  Total active tunnels: 4
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <75497473 ESP:aes-cbc-256/sha1 895f0d8 2010/ unlim - root 500 206.12.208.77   
  >75497473 ESP:aes-cbc-256/sha1 c9a4c434 2010/ unlim - root 500 206.12.208.77   
  <75497702 ESP:aes-cbc-256/sha1 80bfd7d 2395/ unlim - root 500 206.12.208.77   
  >75497702 ESP:aes-cbc-256/sha1 c2e65fc1 2395/ unlim - root 500 206.12.208.77   
  <75497704 ESP:aes-cbc-256/sha1 87e7077 1783/ unlim - root 500 206.12.208.77   
  >75497704 ESP:aes-cbc-256/sha1 c42e5f9f 1783/ unlim - root 500 206.12.208.77   
  <75497703 ESP:aes-cbc-256/sha1 8bc2da2 2502/ unlim - root 500 206.12.208.77   
  >75497703 ESP:aes-cbc-256/sha1 ca6c3254 2502/ unlim - root 500 206.12.208.77
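The IKE and IPsec SA listings above are the evidence that the phone tunnel came back, and the route count is the evidence that the VRF repopulated; both are easy to misread at midnight. The following Python is an added example, not part of this page or of TRIUMF's tooling: it parses the two SA listings exactly as printed above (embedded here as sample input) and a constructed `show route table` summary line in the format Junos prints (assumed), and returns a list of findings so the post-change check is a yes/no rather than an eyeball. The 5% route-count tolerance and the accepted-cipher set are assumptions.

```python
import re

# Sample input, copied from the IKE/IPsec listings on this page.
IKE_SAMPLE = """node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1081813688 UP  6b71f75707db2ada  bcdf9e59a700c612  Main           206.12.208.77
"""

IPSEC_SAMPLE = """node0:
--------------------------------------------------------------------------
  Total active tunnels: 4
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <75497473 ESP:aes-cbc-256/sha1 895f0d8 2010/ unlim - root 500 206.12.208.77
  >75497473 ESP:aes-cbc-256/sha1 c9a4c434 2010/ unlim - root 500 206.12.208.77
  <75497702 ESP:aes-cbc-256/sha1 80bfd7d 2395/ unlim - root 500 206.12.208.77
  >75497702 ESP:aes-cbc-256/sha1 c2e65fc1 2395/ unlim - root 500 206.12.208.77
  <75497704 ESP:aes-cbc-256/sha1 87e7077 1783/ unlim - root 500 206.12.208.77
  >75497704 ESP:aes-cbc-256/sha1 c42e5f9f 1783/ unlim - root 500 206.12.208.77
  <75497703 ESP:aes-cbc-256/sha1 8bc2da2 2502/ unlim - root 500 206.12.208.77
  >75497703 ESP:aes-cbc-256/sha1 ca6c3254 2502/ unlim - root 500 206.12.208.77
"""

# Constructed sample: the summary line at the top of 'show route table oran.inet.0'
# (assumed Junos format), carrying the count this page expects after the change.
ROUTE_SAMPLE = "oran.inet.0: 19010 destinations, 19010 routes (19010 active, 0 holddown, 0 hidden)"

IKE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+[0-9a-f]+\s+[0-9a-f]+\s+(\S+)\s+(\S+)\s*$")
IPSEC_RE = re.compile(
    r"^\s*([<>])(\d+)\s+(ESP|AH):(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*\S+\s+\S+\s+\S+\s+\d+\s+(\S+)\s*$")
TUNNELS_RE = re.compile(r"Total active tunnels:\s*(\d+)")
ROUTES_RE = re.compile(r"(\d+) destinations, (\d+) routes \((\d+) active")

# Assumption: the only transform we expect on the PBX tunnel is the one shown
# on the page; anything else is worth a second look.
ACCEPTED_ALGOS = {"aes-cbc-256/sha1"}


def parse_ike(text):
    """One dict per IKE SA row: index, state, mode, remote."""
    return [{"index": int(m.group(1)), "state": m.group(2),
             "mode": m.group(3), "remote": m.group(4)}
            for m in map(IKE_RE.match, text.splitlines()) if m]


def parse_ipsec(text):
    """Return (declared tunnel count, list of ESP/AH SA dicts)."""
    declared, sas = None, []
    for line in text.splitlines():
        t = TUNNELS_RE.search(line)
        if t:
            declared = int(t.group(1))
            continue
        m = IPSEC_RE.match(line)
        if m:
            sas.append({"dir": "in" if m.group(1) == "<" else "out",
                        "id": int(m.group(2)), "proto": m.group(3),
                        "algo": m.group(4), "spi": m.group(5),
                        "life_sec": int(m.group(6)), "gateway": m.group(7)})
    return declared, sas


def check_tunnels(ike_text, ipsec_text, gateway, expected_tunnels):
    """Findings for the VPN to one gateway; an empty list means healthy."""
    findings = []
    ike = [s for s in parse_ike(ike_text) if s["remote"] == gateway]
    if not ike:
        findings.append(f"no IKE SA to {gateway}")
    elif any(s["state"] != "UP" for s in ike):
        findings.append(f"IKE SA to {gateway} is not UP")
    declared, sas = parse_ipsec(ipsec_text)
    if declared != expected_tunnels:
        findings.append(f"device reports {declared} tunnels, expected {expected_tunnels}")
    by_id = {}
    for s in sas:
        if s["gateway"] != gateway:
            continue
        by_id.setdefault(s["id"], set()).add(s["dir"])
        if s["algo"] not in ACCEPTED_ALGOS:
            findings.append(f"SA {s['id']} uses unexpected algorithm {s['algo']}")
        if s["life_sec"] <= 0:
            findings.append(f"SA {s['id']} {s['dir']} has no remaining lifetime")
    if len(by_id) != expected_tunnels:
        findings.append(f"{len(by_id)} tunnel ids to {gateway}, expected {expected_tunnels}")
    for tid, dirs in sorted(by_id.items()):
        missing = {"in", "out"} - dirs  # each tunnel needs both directions
        if missing:
            findings.append(f"tunnel {tid} is missing {sorted(missing)} SA")
    return findings


def check_route_count(route_output, expected, tolerance=0.05):
    """Compare the active route count with the pre-change figure (tolerance assumed)."""
    m = ROUTES_RE.search(route_output)
    if not m:
        return ["could not find a route summary line in the output"]
    active = int(m.group(3))
    if abs(active - expected) > expected * tolerance:
        return [f"{active} active routes differs from expected {expected} by more than {tolerance:.0%}"]
    return []


if __name__ == "__main__":
    print(check_tunnels(IKE_SAMPLE, IPSEC_SAMPLE, "206.12.208.77", 4))
    print(check_route_count(ROUTE_SAMPLE, 19010))
```

Run it against the pasted output of the three `run show` commands for each VRF, with the expected counts from the Checks sections (19010, 119, 6971, 109); a non-empty list is the cue to stop and look before moving to the next peering.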


Westgrid Connection iBGP 142.90.1.5 and 142.90.1.6

!
! EX-9208
!
set routing-instances westgrid routing-options router-id 142.90.191.5

delete routing-instances westgrid routing-options static route 0.0.0.0/0 next-hop 142.90.1.6
set routing-instances westgrid routing-options static route 0.0.0.0/0 next-hop 142.90.191.6

set routing-instances westgrid protocols bgp group iBGP local-address 142.90.191.5
delete routing-instances westgrid protocols bgp group iBGP neighbor 142.90.1.6
set routing-instances westgrid protocols bgp group iBGP neighbor 142.90.191.6

delete interfaces irb unit 201 family inet address 142.90.1.5/30
set    interfaces irb unit 201 family inet address 142.90.191.5/30

!
! SRX-3400
!
delete routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.1.5
set    routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.191.5

delete interfaces reth0 unit 201 family inet address 142.90.1.6/30
set    interfaces reth0 unit 201 family inet address 142.90.191.6/30

!
! Checks
!
run show route table westgrid.inet.0 --> should see 119 routes

! check ping to BCNET peering
run ping routing-instance westgrid 206.12.8.5
run ping routing-instance westgrid 206.12.8.9
!
run ping routing-instance wan-fw 206.12.8.5
run ping routing-instance wan-fw 206.12.8.9
run ping routing-instance wan-fw 142.90.191.5

! Check from ccnmac visitor WiFi can access 206.12.8.5


IX Connection iBGP 142.90.1.13 and 142.90.1.14

!
! EX-9208
!
set routing-instances ix routing-options router-id 142.90.191.13

delete routing-instances ix routing-options static route 0.0.0.0/0 next-hop 142.90.1.14
set routing-instances ix routing-options static route 0.0.0.0/0 next-hop 142.90.191.14

set routing-instances ix protocols bgp group iBGP local-address 142.90.191.13
delete routing-instances ix protocols bgp group iBGP neighbor 142.90.1.14
set routing-instances ix protocols bgp group iBGP neighbor 142.90.191.14

delete interfaces irb unit 203 family inet address 142.90.1.13/30
set    interfaces irb unit 203 family inet address 142.90.191.13/30

!
! SRX-3400
!
delete routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.1.13
set    routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.191.13

delete interfaces reth0 unit 203 family inet address 142.90.1.14/30
set    interfaces reth0 unit 203 family inet address 142.90.191.14/30


!
! Checks
!
run show route table ix.inet.0 --> should see 6971 routes

! check ping to BCNET peering
run ping routing-instance ix 134.87.0.22
run ping routing-instance ix 134.87.0.94
!
run ping routing-instance wan-fw 134.87.0.22
run ping routing-instance wan-fw 134.87.0.94
run ping routing-instance wan-fw 142.90.191.13

! Check from ccnmac visitor WiFi can access 206.12.8.5


Commodity Connection iBGP 142.90.1.9 and 142.90.1.10

!
! EX-9208
!
set routing-instances commodity routing-options router-id 142.90.191.9

set routing-instances commodity protocols bgp group iBGP local-address 142.90.191.9
delete routing-instances commodity protocols bgp group iBGP neighbor 142.90.1.10
set routing-instances commodity protocols bgp group iBGP neighbor 142.90.191.10

delete interfaces irb unit 202 family inet address 142.90.1.9/30
set    interfaces irb unit 202 family inet address 142.90.191.9/30

!
! SRX-3400
!
delete routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.1.9
set    routing-instances wan-fw protocols bgp group iBGP neighbor 142.90.191.9

delete interfaces reth0 unit 202 family inet address 142.90.1.10/30
set    interfaces reth0 unit 202 family inet address 142.90.191.10/30

!
! Checks
!
run show route table commodity.inet.0 --> should see 109 routes

! check ping to BCNET peering
run ping routing-instance commodity 207.23.240.14
run ping routing-instance commodity 207.23.240.18
!
run ping routing-instance wan-fw 207.23.240.14
run ping routing-instance wan-fw 207.23.240.18
run ping routing-instance wan-fw 142.90.191.9

! Check from ccnmac visitor WiFi can access 207.23.240.14