
この記事の内容は、個人の見解、検証の範囲のものであり、誤りがある可能性があります。
個人の責任において情報活用をお願いします。


2017年3月16日木曜日

【IDCFクラウド】VyOS間でIPIPトンネルの中にIPsecVPNを構成してみた その2

前回の続きです。




















Config抜粋 
<radian VyOS>
# radian side. Policy-based IPsec (ESP, tunnel mode) is run *inside* an IPIP
# tunnel to newton: eth0 is the cloud-facing interface, tun0 carries the
# IPsec peering addresses (172.16.0.0/30).
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
# IPIP tunnel: inner address 172.16.0.1/30, outer source is this host's
# private eth0 address 10.13.0.100. 'B.B.B.B' is the article's redacted
# address of the newton side. NOTE(review): private local-ip vs. (presumably
# public) remote-ip suggests the outer IPIP packets cross the cloud's NAT —
# confirm. IPIP itself gives no confidentiality or integrity; only traffic
# matching the 'tunnel 1' prefixes further down is protected by ESP.
set interfaces tunnel tun0 address '172.16.0.1/30'
set interfaces tunnel tun0 encapsulation 'ipip'
set interfaces tunnel tun0 local-ip '10.13.0.100'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip 'B.B.B.B'
# Phase 2 (ESP) group, same name and values on both peers: tunnel mode,
# PFS with DH group 2 (1024-bit MODP), AES-128 / SHA-1, 1 h SA lifetime.
# NOTE(review): SHA-1 and DH group 2 are legacy choices; any upgrade has to
# be mirrored on the newton peer or Phase 2 will not negotiate.
set vpn ipsec esp-group ESP-G compression 'disable'
set vpn ipsec esp-group ESP-G lifetime '3600'
set vpn ipsec esp-group ESP-G mode 'tunnel'
set vpn ipsec esp-group ESP-G pfs 'dh-group2'
set vpn ipsec esp-group ESP-G proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-G proposal 1 hash 'sha1'
# Phase 1 (IKE) group, same name and values on both peers: IKEv1 with
# AES-128 / SHA-1 / DH group 2 and an 8 h lifetime. 'ikev2-reauth' is
# presumably irrelevant while key-exchange is 'ikev1'.
set vpn ipsec ike-group IKE-G ikev2-reauth 'no'
set vpn ipsec ike-group IKE-G key-exchange 'ikev1'
set vpn ipsec ike-group IKE-G lifetime '28800'
set vpn ipsec ike-group IKE-G proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-G proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-G proposal 1 hash 'sha1'
# Only eth0 is listed as an IPsec interface, although the IKE peer 172.16.0.2
# is reached through tun0 according to the route table on this page. The SA
# output on this page shows the pairing does come up with this setting —
# NOTE(review): confirm on other VyOS versions.
set vpn ipsec ipsec-interfaces interface 'eth0'
# NAT-T is enabled, but 'show vpn ike sa' on this page reports NAT-T: no for
# this peering (no NAT detected between the two tunnel addresses).
set vpn ipsec nat-traversal 'enable'
# Peer = newton's tun0 address. PSK authentication: the secret shown is the
# article's sample value; each deployment needs its own long, random secret,
# identical on both peers, and it should not appear in shared config dumps.
set vpn ipsec site-to-site peer 172.16.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.0.2 authentication pre-shared-secret 'TestVPN1234567890'
# Both peers are 'initiate', so either side attempts to bring the SA up.
set vpn ipsec site-to-site peer 172.16.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.16.0.2 default-esp-group 'ESP-G'
set vpn ipsec site-to-site peer 172.16.0.2 ike-group 'IKE-G'
set vpn ipsec site-to-site peer 172.16.0.2 ikev2-reauth 'inherit'
# IKE is sourced from this host's tun0 address, i.e. it travels inside IPIP.
set vpn ipsec site-to-site peer 172.16.0.2 local-address '172.16.0.1'
# Policy: protect traffic between radian's /21 and newton's /21. Mirrored
# (local/remote swapped) on the newton side. allow-nat-networks and
# allow-public-networks are left at 'disable' — NOTE(review): presumably the
# defaults; confirm.
set vpn ipsec site-to-site peer 172.16.0.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 172.16.0.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 172.16.0.2 tunnel 1 local prefix '10.13.0.0/21'
set vpn ipsec site-to-site peer 172.16.0.2 tunnel 1 remote prefix '10.11.0.0/21'

################################################

<newton VyOS>
# newton side: mirror image of the radian configuration. Addresses, peer and
# local/remote prefixes are swapped; every crypto parameter and group name
# (ESP-G, IKE-G) is identical, as it must be for IKEv1 to negotiate.
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
# IPIP tunnel: inner address 172.16.0.2/30, outer source is the private eth0
# address 10.11.0.100; 'A.A.A.A' is the article's redacted address of the
# radian side. NOTE(review): private local-ip vs. (presumably public)
# remote-ip suggests the outer packets cross the cloud's NAT — confirm.
# IPIP carries IKE and ESP; it protects nothing by itself.
set interfaces tunnel tun0 address '172.16.0.2/30'
set interfaces tunnel tun0 encapsulation 'ipip'
set interfaces tunnel tun0 local-ip '10.11.0.100'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip 'A.A.A.A'
# Phase 2 (ESP): tunnel mode, PFS with DH group 2 (1024-bit MODP),
# AES-128 / SHA-1, 1 h lifetime. NOTE(review): SHA-1 / DH group 2 are legacy
# choices; change them on both peers together or Phase 2 fails.
set vpn ipsec esp-group ESP-G compression 'disable'
set vpn ipsec esp-group ESP-G lifetime '3600'
set vpn ipsec esp-group ESP-G mode 'tunnel'
set vpn ipsec esp-group ESP-G pfs 'dh-group2'
set vpn ipsec esp-group ESP-G proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-G proposal 1 hash 'sha1'
# Phase 1 (IKE): IKEv1, AES-128 / SHA-1 / DH group 2, 8 h lifetime.
# 'ikev2-reauth' presumably has no effect with key-exchange 'ikev1'.
set vpn ipsec ike-group IKE-G ikev2-reauth 'no'
set vpn ipsec ike-group IKE-G key-exchange 'ikev1'
set vpn ipsec ike-group IKE-G lifetime '28800'
set vpn ipsec ike-group IKE-G proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-G proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-G proposal 1 hash 'sha1'
# IPsec is bound to eth0 only, while the peer 172.16.0.1 sits behind tun0
# ('ip route' on this page: 10.13.0.0/21 and 172.16.0.0/30 via tun0). The SA
# output on this page shows it working — NOTE(review): confirm on other
# VyOS versions.
set vpn ipsec ipsec-interfaces interface 'eth0'
# NAT-T enabled; 'show vpn ike sa' on this page nevertheless reports
# NAT-T: no for this peering.
set vpn ipsec nat-traversal 'enable'
# Peer = radian's tun0 address. The pre-shared secret is the article's sample
# value and must equal the one configured on radian; use a long, random,
# per-deployment secret and keep it out of shared config dumps.
set vpn ipsec site-to-site peer 172.16.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.0.1 authentication pre-shared-secret 'TestVPN1234567890'
# 'initiate' on both peers: either side attempts to establish the SA.
set vpn ipsec site-to-site peer 172.16.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.16.0.1 default-esp-group 'ESP-G'
set vpn ipsec site-to-site peer 172.16.0.1 ike-group 'IKE-G'
set vpn ipsec site-to-site peer 172.16.0.1 ikev2-reauth 'inherit'
# IKE sourced from this host's tun0 address (inside the IPIP tunnel).
set vpn ipsec site-to-site peer 172.16.0.1 local-address '172.16.0.2'
# Policy: newton's /21 <-> radian's /21 (local/remote swapped relative to the
# radian side). allow-nat-networks / allow-public-networks stay 'disable' —
# NOTE(review): presumably the defaults; confirm.
set vpn ipsec site-to-site peer 172.16.0.1 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 172.16.0.1 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 172.16.0.1 tunnel 1 local prefix '10.11.0.0/21'
set vpn ipsec site-to-site peer 172.16.0.1 tunnel 1 remote prefix '10.13.0.0/21'

##############################################

IPsec VPN確認

<radian VyOS>
vyos@vyos:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.16.0.2                              172.16.0.1

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    2        no     1311    28800


vyos@vyos:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.16.0.2                              172.16.0.1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     12.3K/8.0K     aes128   sha1    no     1315    3600    all
vyos@vyos:~$


<newton VyOS>
vyos@vyos:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.16.0.1                              172.16.0.2

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    2        no     1785    28800


vyos@vyos:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.16.0.1                              172.16.0.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     8.0K/8.0K      aes128   sha1    no     1549    3600    all
vyos@vyos:~$

##############################################
Ping確認

<radian VyOS>
vyos@vyos:~$ ping 10.11.0.100 interface 10.13.0.100 count 4
PING 10.11.0.100 (10.11.0.100) from 10.13.0.100 : 56(84) bytes of data.
64 bytes from 10.11.0.100: icmp_req=1 ttl=64 time=0.915 ms
64 bytes from 10.11.0.100: icmp_req=2 ttl=64 time=1.13 ms
64 bytes from 10.11.0.100: icmp_req=3 ttl=64 time=0.962 ms
64 bytes from 10.11.0.100: icmp_req=4 ttl=64 time=0.911 ms

--- 10.11.0.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.911/0.980/1.133/0.093 ms
vyos@vyos:~$
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [210/0] via 10.13.0.1, eth0
K>* 10.11.0.0/21 is directly connected, tun0
C>* 10.13.0.0/21 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.16.0.0/30 is directly connected, tun0
vyos@vyos:~$

<newton VyOS>
vyos@vyos:~$ ping 10.13.0.100 interface 10.11.0.100 count 4
PING 10.13.0.100 (10.13.0.100) from 10.11.0.100 : 56(84) bytes of data.
64 bytes from 10.13.0.100: icmp_req=1 ttl=64 time=0.996 ms
64 bytes from 10.13.0.100: icmp_req=2 ttl=64 time=0.863 ms
64 bytes from 10.13.0.100: icmp_req=3 ttl=64 time=1.03 ms
64 bytes from 10.13.0.100: icmp_req=4 ttl=64 time=0.931 ms

--- 10.13.0.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.863/0.956/1.035/0.068 ms
vyos@vyos:~$
vyos@vyos:~$ ip route
default via 10.11.0.1 dev eth0  proto zebra
10.11.0.0/21 dev eth0  proto kernel  scope link  src 10.11.0.100
10.13.0.0/21 dev tun0  scope link  src 10.11.0.100
127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1
172.16.0.0/30 dev tun0  proto kernel  scope link  src 172.16.0.2
vyos@vyos:~$