Creating a VPN connection between regions
Thanks to the Openstack Neutron VPN as a Service (VPNaaS) feature, you can bridge two different regions via a site-to-site IPSec VPN connection. This is made possible without setting up and configuring a virtual machine in any one of the regions. On the contrary, you can quickly establish such a connection using the Cleura Cloud Management Panel or the OpenStack CLI. Let us demonstrate the process following both approaches.
Prerequisites
Whether you choose to work from the Cleura Cloud Management Panel or with the OpenStack CLI,
you need to have an account in
Cleura Cloud. If you prefer to work with the OpenStack
CLI, then in addition to
the Python openstackclient module, you need to install the
Python neutronclient module also. Use either the package manager
of your operating system or pip:
apt install python3-neutronclient
This Python module is unavailable via brew, but you can
install it via pip.
pip install python-neutronclient
Creating a VPN connection between two regions
To create and establish such a connection from the Cleura Cloud Management Panel, fire up your favorite web browser, navigate to the Cleura Cloud Management Panel start page, and log into your Cleura Cloud account. Should you decide to follow the OpenStack CLI route instead, please make sure you have the appropriate RC file for each region involved.
On the top right-hand side of the Cleura Cloud Management Panel, click the Create button. A vertical pane titled Create will slide into view from the right-hand side of the browser window. You will notice several rounded boxes, each one for defining, configuring, and instantiating a different Cleura Cloud object. Go ahead and click the VPN box.
A new pane titled Create a VPN Service will slide over. Between the two boxes, click the one titled Quick (Guided) Connect.
Type in a name for the new site-to-site VPN connection.
Select a region, project, and network for each of the two data centers involved.
Look at the pre-shared key and, optionally, expand the Advanced Options section to see all presets. You do not have to change anything there. When you are ready, click the green Create button. The VPN connection between the two regions will be established in a few seconds.
First, you need to have the RC files of the two regions you will be
connecting. In the example that follows, we demonstrate establishing a
site-to-site connection between regions fra1 and kna1. This means
that, while following through, before working in fra1 you need to
source the RC file for fra1, and before working in kna1 you need
to source the RC file for kna1.
It helps to imagine the site-to-site connection schematically, with
fra1being on the left side andkna1being on the right side of the connection. That is why we interchange the termsfra1, left andkna1, right.
You also have to decide which subnets from either side you will
connect. Additionally, you need to know the respective CIDR notations
and routers. In the examples that follow, on the left side we have
subnet subnet-fra1 with CIDR 10.15.25.0/24 and router
router-fra1, and on the right side we have subnet subnet-kna1 with
CIDR 10.15.20.0/24 and router router-kna1. For convenience, we have
set the shell variables SUBNET_FRA1 and SUBNET_KNA1:
SUBNET_FRA1="10.15.25.0/24"
SUBNET_KNA1="10.15.20.0/24"
Prepare the left side (region fra1)
Begin by creating a new IKE policy:
openstack vpn ike policy create ike-pol-fra1
+-------------------------------+--------------------------------------+
| Field | Value |
+-------------------------------+--------------------------------------+
| Authentication Algorithm | sha1 |
| Description | |
| Encryption Algorithm | aes-128 |
| ID | 5782b141-afcc-4327-9ac5-b8cd2e110c6a |
| IKE Version | v1 |
| Lifetime | {'units': 'seconds', 'value': 3600} |
| Name | ike-pol-fra1 |
| Perfect Forward Secrecy (PFS) | group5 |
| Phase1 Negotiation Mode | main |
| Project | dfc700467396428bacba4376e72cc3e9 |
| project_id | dfc700467396428bacba4376e72cc3e9 |
+-------------------------------+--------------------------------------+
Then, create a new IPSec policy:
openstack vpn ipsec policy create ipsec-pol-fra1
+-------------------------------+--------------------------------------+
| Field | Value |
+-------------------------------+--------------------------------------+
| Authentication Algorithm | sha1 |
| Description | |
| Encapsulation Mode | tunnel |
| Encryption Algorithm | aes-128 |
| ID | 15ec761f-1642-49b6-b5a2-e43624c5752d |
| Lifetime | {'units': 'seconds', 'value': 3600} |
| Name | ipsec-pol-fra1 |
| Perfect Forward Secrecy (PFS) | group5 |
| Project | dfc700467396428bacba4376e72cc3e9 |
| Transform Protocol | esp |
| project_id | dfc700467396428bacba4376e72cc3e9 |
+-------------------------------+--------------------------------------+
You are ready to create a new VPN service:
openstack vpn service create --router router-fra1 vpn-service-fra1
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| Description | |
| Flavor | None |
| ID | d74d51f0-182d-4d88-952a-1d593ce696fd |
| Name | vpn-service-fra1 |
| Project | dfc700467396428bacba4376e72cc3e9 |
| Router | 62f885d8-6b13-4161-89d1-003c4fafec55 |
| State | True |
| Status | PENDING_CREATE |
| Subnet | None |
| external_v4_ip | 198.51.100.50 |
| external_v6_ip | 2a03:b000:701:5:f816:3eff:feb5:be0e |
| project_id | dfc700467396428bacba4376e72cc3e9 |
+----------------+--------------------------------------+
Notice in the command output that the Status is PENDING_CREATE.
This is expected. Also, jot down the value of the external_v4_ip
parameter. Better yet, set this value to a new variable, EXT_IP_FRA1,
for you will soon need it:
EXT_IP_FRA1="198.51.100.50"
The site-to-site connection you are about to create needs two
end-point groups on the left, and two end-point groups on the right.
More specifically, on either side of the connection, there should be
one end-point group for the local subnet and one end-point group for
the peer (remote) subnet. You are now on the left side of the
connection (region fra1), so begin with the left local end-point
group…
openstack vpn endpoint group create \
--type subnet --value subnet-fra1 local-epg-fra1
+-------------+------------------------------------------+
| Field | Value |
+-------------+------------------------------------------+
| Description | |
| Endpoints | ['df6fb6ca-4751-4b74-8b3e-5fbda0117cea'] |
| ID | 51895e0e-fa3a-43d3-8037-5eea073fb77f |
| Name | local-epg-fra1 |
| Project | dfc700467396428bacba4376e72cc3e9 |
| Type | subnet |
| project_id | dfc700467396428bacba4376e72cc3e9 |
+-------------+------------------------------------------+
…and then move on to creating the left peer end-point group:
openstack vpn endpoint group create \
--type cidr --value $SUBNET_KNA1 peer-epg-fra1
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| Description | |
| Endpoints | ['10.15.20.0/24'] |
| ID | a96bb9ef-d0ec-4174-93ae-a8e655910f94 |
| Name | peer-epg-fra1 |
| Project | dfc700467396428bacba4376e72cc3e9 |
| Type | cidr |
| project_id | dfc700467396428bacba4376e72cc3e9 |
+-------------+--------------------------------------+
Prepare the right side (region kna1)
Before establishing a site-to-site VPN connection between the two
regions, you must make similar preparations on the right side of the
connection (region kna1). You should adjust all commands you entered
above and execute them on the right side. For your convenience, these
are all the adjusted commands with the respective outputs:
Create a new IKE policy:
openstack vpn ike policy create ike-pol-kna1
+-------------------------------+--------------------------------------+
| Field | Value |
+-------------------------------+--------------------------------------+
| Authentication Algorithm | sha1 |
| Description | |
| Encryption Algorithm | aes-128 |
| ID | 6af4f52c-6522-483d-bb70-b144657489f3 |
| IKE Version | v1 |
| Lifetime | {'units': 'seconds', 'value': 3600} |
| Name | ike-pol-kna1 |
| Perfect Forward Secrecy (PFS) | group5 |
| Phase1 Negotiation Mode | main |
| Project | 94109c764a754e24ac0f6b01aef82359 |
| project_id | 94109c764a754e24ac0f6b01aef82359 |
+-------------------------------+--------------------------------------+
Create a new IPSec policy:
openstack vpn ipsec policy create ipsec-pol-kna1
+-------------------------------+--------------------------------------+
| Field | Value |
+-------------------------------+--------------------------------------+
| Authentication Algorithm | sha1 |
| Description | |
| Encapsulation Mode | tunnel |
| Encryption Algorithm | aes-128 |
| ID | 8f9c2219-a931-46eb-b3f5-22d76cbc89d0 |
| Lifetime | {'units': 'seconds', 'value': 3600} |
| Name | ipsec-pol-kna1 |
| Perfect Forward Secrecy (PFS) | group5 |
| Project | 94109c764a754e24ac0f6b01aef82359 |
| Transform Protocol | esp |
| project_id | 94109c764a754e24ac0f6b01aef82359 |
+-------------------------------+--------------------------------------+
Create a new VPN service:
openstack vpn service create --router router-kna1 vpn-service-kna1
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| Description | |
| Flavor | None |
| ID | bb1a307d-6f8f-4a0a-83db-7c705403485d |
| Name | vpn-service-kna1 |
| Project | 94109c764a754e24ac0f6b01aef82359 |
| Router | 5ac45739-a379-4936-8b1b-67d10e017f4d |
| State | True |
| Status | PENDING_CREATE |
| Subnet | None |
| external_v4_ip | 203.0.113.101 |
| external_v6_ip | 2a00:16d8:0:3b:f816:3eff:fe0e:2074 |
| project_id | 94109c764a754e24ac0f6b01aef82359 |
+----------------+--------------------------------------+
For convenience, set the value of parameter external_v4_ip to a
shell variable:
EXT_IP_KNA1="203.0.113.101"
Create a local end-point group:
openstack vpn endpoint group create \
--type subnet --value subnet-kna1 local-epg-kna1
+-------------+------------------------------------------+
| Field | Value |
+-------------+------------------------------------------+
| Description | |
| Endpoints | ['421d8fd2-dd7f-4f7c-9a51-42ef4a866dd9'] |
| ID | c1937c3d-77e7-4f2c-842d-70b5e10df9a8 |
| Name | local-epg-kna1 |
| Project | 94109c764a754e24ac0f6b01aef82359 |
| Type | subnet |
| project_id | 94109c764a754e24ac0f6b01aef82359 |
+-------------+------------------------------------------+
Create a peer (remote) end-point group:
openstack vpn endpoint group create \
--type cidr --value $SUBNET_FRA1 peer-epg-kna1
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| Description | |
| Endpoints | ['10.15.25.0/24'] |
| ID | 2e627315-02f0-4d68-8683-14230b166060 |
| Name | peer-epg-kna1 |
| Project | 94109c764a754e24ac0f6b01aef82359 |
| Type | cidr |
| project_id | 94109c764a754e24ac0f6b01aef82359 |
+-------------+--------------------------------------+
Instantiate a pre-shared key
Before establishing a site-to-site IPSec VPN connection, you must
have a randomly generated pre-shared key. You may use openssl for
generating a random string and immediately set it to a shell variable:
PRE_SHARED_KEY=$(openssl rand -hex 24)
The above is just an example. The key should not necessarily be a
hexadecimal string, nor do you have to use openssl. Another option
would be to use the fine pwgen tool, for example like this:
PRE_SHARED_KEY=$(pwgen 64 1)
Establish a left-to-right connection (region fra1)
To create a VPN connection from left to right, i.e., from region
fra1 to region kna1, issue the following command:
openstack vpn ipsec site connection create \
--vpnservice vpn-service-fra1 \
--ikepolicy ike-pol-fra1 \
--ipsecpolicy ipsec-pol-fra1 \
--local-endpoint-group local-epg-fra1 \
--peer-address $EXT_IP_KNA1 \
--peer-id $EXT_IP_KNA1 \
--peer-endpoint-group peer-epg-fra1 \
--psk $PRE_SHARED_KEY \
vpn-conn-to-kna1
+--------------------------+----------------------------------------------------+
| Field | Value |
+--------------------------+----------------------------------------------------+
| Authentication Algorithm | psk |
| Description | |
| ID | 5f44be31-0588-4f33-883d-9e2d97be55e1 |
| IKE Policy | 5782b141-afcc-4327-9ac5-b8cd2e110c6a |
| IPSec Policy | 15ec761f-1642-49b6-b5a2-e43624c5752d |
| Initiator | bi-directional |
| Local Endpoint Group ID | 51895e0e-fa3a-43d3-8037-5eea073fb77f |
| Local ID | |
| MTU | 1500 |
| Name | vpn-conn-to-kna1 |
| Peer Address | 203.0.113.101 |
| Peer CIDRs | |
| Peer Endpoint Group ID | a96bb9ef-d0ec-4174-93ae-a8e655910f94 |
| Peer ID | 203.0.113.101 |
| Pre-shared Key | de12db260ee1b9c0b9e624d910c9a9dbddec13dc24d60332 |
| Project | dfc700467396428bacba4376e72cc3e9 |
| Route Mode | static |
| State | True |
| Status | PENDING_CREATE |
| VPN Service | d74d51f0-182d-4d88-952a-1d593ce696fd |
| dpd | {'action': 'hold', 'interval': 30, 'timeout': 120} |
| project_id | dfc700467396428bacba4376e72cc3e9 |
+--------------------------+----------------------------------------------------+
Establish a right-to-left connection (region kna1)
Similarly, to create a VPN connection from right to left, i.e.,
from region kna1 to region fra1, issue the following command:
openstack vpn ipsec site connection create \
--vpnservice vpn-service-kna1 \
--ikepolicy ike-pol-kna1 \
--ipsecpolicy ipsec-pol-kna1 \
--local-endpoint-group local-epg-kna1 \
--peer-address $EXT_IP_FRA1 \
--peer-id $EXT_IP_FRA1 \
--peer-endpoint-group peer-epg-kna1 \
--psk $PRE_SHARED_KEY \
vpn-conn-to-fra1
+--------------------------+----------------------------------------------------+
| Field | Value |
+--------------------------+----------------------------------------------------+
| Authentication Algorithm | psk |
| Description | |
| ID | 7705afc7-d0ff-444a-9474-3614e21d2399 |
| IKE Policy | 6af4f52c-6522-483d-bb70-b144657489f3 |
| IPSec Policy | 8f9c2219-a931-46eb-b3f5-22d76cbc89d0 |
| Initiator | bi-directional |
| Local Endpoint Group ID | c1937c3d-77e7-4f2c-842d-70b5e10df9a8 |
| Local ID | |
| MTU | 1500 |
| Name | vpn-conn-to-fra1 |
| Peer Address | 198.51.100.50 |
| Peer CIDRs | |
| Peer Endpoint Group ID | 2e627315-02f0-4d68-8683-14230b166060 |
| Peer ID | 198.51.100.50 |
| Pre-shared Key | de12db260ee1b9c0b9e624d910c9a9dbddec13dc24d60332 |
| Project | 94109c764a754e24ac0f6b01aef82359 |
| Route Mode | static |
| State | True |
| Status | PENDING_CREATE |
| VPN Service | bb1a307d-6f8f-4a0a-83db-7c705403485d |
| dpd | {'action': 'hold', 'interval': 30, 'timeout': 120} |
| project_id | 94109c764a754e24ac0f6b01aef82359 |
+--------------------------+----------------------------------------------------+
Viewing VPN connections and getting details
No matter if you use the Cleura Cloud Management Panel or the OpenStack CLI, you may at any time list all VPN connections and get relevant details.
In the vertical pane on the left-hand side of the Cleura Cloud Management Panel, expand the Networking section and then the VPN Services subsection. From the available options, click VPN Services again. You will see two VPN connections in the main pane, each from one region to the other.
For more information regarding a specific connection, click the corresponding three-dot icon (right-hand side) and select View details. Then, you can glance over all the details regarding, for example, the connection status and public IP address.
You can list all IPSec VPN connections working from any of the two
regions involved. See, for example, the view from fra1:
openstack vpn ipsec site connection list
+--------------------------+------------------+---------------+--------------------------+--------+
| ID | Name | Peer Address | Authentication Algorithm | Status |
+--------------------------+------------------+---------------+--------------------------+--------+
| 5f44be31-0588-4f33-883d- | vpn-conn-to-kna1 | 203.0.113.101 | psk | ACTIVE |
| 9e2d97be55e1 | | | | |
+--------------------------+------------------+---------------+--------------------------+--------+
If you want more information regarding a specific connection, type something like this:
openstack vpn ipsec site connection show vpn-conn-to-kna1
+--------------------------+----------------------------------------------------+
| Field | Value |
+--------------------------+----------------------------------------------------+
| Authentication Algorithm | psk |
| Description | |
| ID | 5f44be31-0588-4f33-883d-9e2d97be55e1 |
| IKE Policy | 5782b141-afcc-4327-9ac5-b8cd2e110c6a |
| IPSec Policy | 15ec761f-1642-49b6-b5a2-e43624c5752d |
| Initiator | bi-directional |
| Local Endpoint Group ID | 51895e0e-fa3a-43d3-8037-5eea073fb77f |
| Local ID | |
| MTU | 1500 |
| Name | vpn-conn-to-kna1 |
| Peer Address | 203.0.113.101 |
| Peer CIDRs | |
| Peer Endpoint Group ID | a96bb9ef-d0ec-4174-93ae-a8e655910f94 |
| Peer ID | 203.0.113.101 |
| Pre-shared Key | de12db260ee1b9c0b9e624d910c9a9dbddec13dc24d60332 |
| Project | dfc700467396428bacba4376e72cc3e9 |
| Route Mode | static |
| State | True |
| Status | ACTIVE |
| VPN Service | d74d51f0-182d-4d88-952a-1d593ce696fd |
| dpd | {'action': 'hold', 'interval': 30, 'timeout': 120} |
| project_id | dfc700467396428bacba4376e72cc3e9 |
+--------------------------+----------------------------------------------------+
Testing the site-to-site VPN connection
One way to test the VPN connection is to have two servers (e.g.,
server-fra1 and server-kna1), each on a different region (e.g.,
fra1 and kna1 respectively), ping each other using private IP
addresses. With no VPN connection between the two regions, pinging
should not be possible:
ubuntu@server-fra1:~$ ping -c 3 10.15.20.148
PING 10.15.20.148 (10.15.20.148) 56(84) bytes of data.
--- 10.15.20.148 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2050ms
ubuntu@server-kna1:~$ ping -c 3 10.15.25.58
PING 10.15.25.58 (10.15.25.58) 56(84) bytes of data.
--- 10.15.25.58 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2045ms
On the other hand, with a VPN connection established between the two regions, pinging should be all possible:
ubuntu@server-fra1:~$ ping -c 3 10.15.20.148
PING 10.15.20.148 (10.15.20.148) 56(84) bytes of data.
64 bytes from 10.15.20.148: icmp_seq=1 ttl=62 time=32.8 ms
64 bytes from 10.15.20.148: icmp_seq=2 ttl=62 time=32.5 ms
64 bytes from 10.15.20.148: icmp_seq=3 ttl=62 time=32.6 ms
--- 10.15.20.148 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 32.544/32.624/32.761/0.096 ms
ubuntu@server-kna1:~$ ping -c 3 10.15.25.58
PING 10.15.25.58 (10.15.25.58) 56(84) bytes of data.
64 bytes from 10.15.25.58: icmp_seq=1 ttl=62 time=33.3 ms
64 bytes from 10.15.25.58: icmp_seq=2 ttl=62 time=32.5 ms
64 bytes from 10.15.25.58: icmp_seq=3 ttl=62 time=32.6 ms
--- 10.15.25.58 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 32.533/32.832/33.336/0.358 ms
Disabling an active connection
You may, at any time, disable an active site-to-site VPN connection.
Currently, there is no way to disable an active connection from the Cleura Cloud Management Panel. If you want to disable an active connection, please use the OpenStack CLI.
All you have to do is get on either side of the connection and
disable the VPN connection across the other side. Suppose you are on
the left side of the connection (region fra1), and for whatever
reason, you want to disable the site-to-site connection between left
and right (regions fra1 and kna1). First, you might want to
remember the name of the VPN connection to the right:
openstack vpn ipsec site connection list
+--------------------------+------------------+---------------+--------------------------+--------+
| ID | Name | Peer Address | Authentication Algorithm | Status |
+--------------------------+------------------+---------------+--------------------------+--------+
| 5f44be31-0588-4f33-883d- | vpn-conn-to-kna1 | 203.0.113.101 | psk | ACTIVE |
| 9e2d97be55e1 | | | | |
+--------------------------+------------------+---------------+--------------------------+--------+
That would be vpn-conn-to-kna1, and according to the command
output above, it is active. To disable it, type the following:
openstack vpn ipsec site connection set --disable vpn-conn-to-kna1
Check if it is really disabled:
openstack vpn ipsec site connection show vpn-conn-to-kna1 -c Status
+--------+-------+
| Field | Value |
+--------+-------+
| Status | DOWN |
+--------+-------+
It looks like it is disabled — or DOWN.
You will probably have to wait several seconds before seeing a status change. If you are impatient, try something like this:
Hit CTRL+C as soon as you see the status change you expect.watch "openstack vpn ipsec site connection show vpn-conn-to-kna1 -c Status"
Now, get on the right side of the connection (region kna1),
optionally look for the name of the VPN connection to the left (in our
example, that would be vpn-conn-to-fra1), and check its status:
openstack vpn ipsec site connection show vpn-conn-to-fra1 -c Status
+--------+-------+
| Field | Value |
+--------+-------+
| Status | DOWN |
+--------+-------+
It turns out that this direction of the connection is also disabled.
To test that a previously enabled site-to-site connection is now disabled,
select a server from one region and try to ping a server in another region.
Suppose, for example, that a now-disabled connection involved regions
fra1 and kna1, and that we have servers server-fra1 (in fra1) and
server-kna1 (in kna1). With the VPN connection between the two regions
now disabled, pinging should not be possible:
ubuntu@server-fra1:~$ ping -c 3 10.15.20.148
PING 10.15.20.148 (10.15.20.148) 56(84) bytes of data.
--- 10.15.20.148 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2055ms
ubuntu@server-kna1:~$ ping -c 3 10.15.25.58
PING 10.15.25.58 (10.15.25.58) 56(84) bytes of data.
--- 10.15.25.58 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2050ms
Enabling an inactive connection
You can easily enable an inactive site-to-site VPN connection.
Currently, there is no way to enable an inactive connection from the Cleura Cloud Management Panel. If you want to re-enable an inactive connection, please use the OpenStack CLI.
Make sure you hop on the side where you initially disabled the
connection. According to the example scenario we described in the
previous section, that would be the left side (region fra1), and the
name of the disabled connection would be vpn-conn-to-kna1. Make sure
the connection status is DOWN:
openstack vpn ipsec site connection show vpn-conn-to-kna1 -c Status
+--------+-------+
| Field | Value |
+--------+-------+
| Status | DOWN |
+--------+-------+
Note that if you issued a similar command from the right side of
the connection (region kna1), you would also get a DOWN status.
Being on the left side, all you have to do to enable the inactive
connection is type the following:
openstack vpn ipsec site connection set --enable vpn-conn-to-kna1
Check the connection status — it should be ACTIVE:
openstack vpn ipsec site connection show vpn-conn-to-kna1 -c Status
+--------+--------+
| Field | Value |
+--------+--------+
| Status | ACTIVE |
+--------+--------+
You get the same status by issuing a similar command from the right side.
Again, since you may have to wait several seconds before seeing the status change you expect, try something like this:
Hit CTRL+C to stop watching.watch "openstack vpn ipsec site connection show vpn-conn-to-kna1 -c Status"
To test that a previously disabled site-to-site connection is now enabled,
select a server from one region and try to ping a server in another region.
Suppose, for example, that a re-enabled connection involves regions
fra1 and kna1, and that we have servers server-fra1 (in fra1) and
server-kna1 (in kna1). With the VPN connection between the two regions
now re-established, pinging should be possible:
ubuntu@server-fra1:~$ ping -c 3 10.15.20.148
PING 10.15.20.148 (10.15.20.148) 56(84) bytes of data.
64 bytes from 10.15.20.148: icmp_seq=1 ttl=62 time=32.6 ms
64 bytes from 10.15.20.148: icmp_seq=2 ttl=62 time=32.6 ms
64 bytes from 10.15.20.148: icmp_seq=3 ttl=62 time=32.7 ms
--- 10.15.20.148 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 32.619/32.634/32.662/0.019 ms
ubuntu@server-kna1:~$ ping -c 3 10.15.25.58
PING 10.15.25.58 (10.15.25.58) 56(84) bytes of data.
64 bytes from 10.15.25.58: icmp_seq=1 ttl=62 time=32.8 ms
64 bytes from 10.15.25.58: icmp_seq=2 ttl=62 time=32.6 ms
64 bytes from 10.15.25.58: icmp_seq=3 ttl=62 time=33.4 ms
--- 10.15.25.58 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 32.560/32.899/33.357/0.336 ms