The content of this article reflects personal views and the scope of my own testing, and may contain errors.
Please use this information at your own responsibility.


Saturday, March 25, 2023

[VyOS] Trying an IPsec VPN to AWS with VyOS 1.2.9 LTS: static route edition


Using the VyOS 1.2.9 LTS instance I deployed the other day, I tried an IPsec VPN to AWS that uses static routes. This time I tested a configuration that does not use a VTI interface. Note that I did not run any long-duration traffic tests. The environment I used is as follows.

<Environment used>

  • VMware Workstation Player 17
    • Windows 11 Home
    • VyOS 1.2.9 LTS
  • AWS Tokyo region

<Diagram of the configuration used>


The AWS settings and status are shown below.
The VPN options are left at their defaults.

[Site-to-Site VPN connection] Details

[Site-to-Site VPN connection] Tunnel details

[Site-to-Site VPN connection] Static routes

[Route table] Routes

[Route table] Route propagation


The VyOS configuration is as follows. Because this test only establishes the VPN and does a simple connectivity check, the TCP MSS is not configured.

vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:f3:72:11'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:f3:72:1b'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '<VyOS-Password>'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 133.243.238.243
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Tokyo'
set vpn ipsec esp-group esp-grp-01 compression 'disable'
set vpn ipsec esp-group esp-grp-01 lifetime '3600'
set vpn ipsec esp-group esp-grp-01 mode 'tunnel'
set vpn ipsec esp-group esp-grp-01 pfs 'dh-group21'
set vpn ipsec esp-group esp-grp-01 proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-grp-01 proposal 1 hash 'sha256'
set vpn ipsec ike-group ike-grp-01 close-action 'none'
set vpn ipsec ike-group ike-grp-01 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike-grp-01 dead-peer-detection interval '10'
set vpn ipsec ike-group ike-grp-01 dead-peer-detection timeout '120'
set vpn ipsec ike-group ike-grp-01 ikev2-reauth 'no'
set vpn ipsec ike-group ike-grp-01 key-exchange 'ikev2'
set vpn ipsec ike-group ike-grp-01 lifetime '28800'
set vpn ipsec ike-group ike-grp-01 proposal 1 dh-group '21'
set vpn ipsec ike-group ike-grp-01 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-grp-01 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] authentication pre-shared-secret '<pre-shared key1>'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] connection-type 'initiate'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] default-esp-group 'esp-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] description 'AWS-VPC-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] ike-group 'ike-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] local-address '192.168.115.130'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] tunnel 1 esp-group 'esp-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] tunnel 1 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] tunnel 1 remote prefix '172.31.0.0/16'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] authentication pre-shared-secret '<pre-shared key2>'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] connection-type 'initiate'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] default-esp-group 'esp-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] description 'AWS-VPC-02'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] ike-group 'ike-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] local-address '192.168.115.130'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] tunnel 1 esp-group 'esp-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] tunnel 1 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP2] tunnel 1 remote prefix '172.31.0.0/16'
vyos@vyos:~$
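As an added example that is not part of the original post, the following Python script parses `show configuration commands` output of the form shown above and checks the IPsec policy against the baseline this post relies on: IKEv2, the AWS default lifetimes of 28800 s (IKE) and 3600 s (ESP), two tunnel peers for redundancy, and a distinct, non-placeholder pre-shared key per peer. The sample configuration is constructed (TEST-NET addresses stand in for the AWS virtual private gateway endpoints) and deliberately reuses one key so the audit has something to report.

```python
# Added example: audit VyOS 1.2.x 'set vpn ipsec ...' lines against the AWS baseline used in the post.
import shlex

SAMPLE = """\
set vpn ipsec esp-group esp-grp-01 lifetime '3600'
set vpn ipsec ike-group ike-grp-01 key-exchange 'ikev2'
set vpn ipsec ike-group ike-grp-01 lifetime '28800'
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'KEY-A'
set vpn ipsec site-to-site peer 203.0.113.10 ike-group 'ike-grp-01'
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group 'esp-grp-01'
set vpn ipsec site-to-site peer 203.0.113.20 authentication pre-shared-secret 'KEY-A'
set vpn ipsec site-to-site peer 203.0.113.20 ike-group 'ike-grp-01'
set vpn ipsec site-to-site peer 203.0.113.20 tunnel 1 esp-group 'esp-grp-01'
"""

def parse(text):
    """Map each 'set <path> <value>' line to {path: value}; shlex handles the quoting."""
    conf = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "set":
            conf[" ".join(tok[1:-1])] = tok[-1]
    return conf

def audit(text):
    """Return a list of findings; an empty list means the config matches the baseline."""
    conf, findings, psks, peers = parse(text), [], {}, {}
    for path, value in conf.items():  # group per-peer settings: {peer: {relative path: value}}
        parts = path.split()
        if parts[:4] == ["vpn", "ipsec", "site-to-site", "peer"]:
            peers.setdefault(parts[4], {})[" ".join(parts[5:])] = value
    if len(peers) < 2:
        findings.append("fewer than two AWS tunnel peers configured: no redundancy")
    for ip, p in peers.items():
        psks.setdefault(p.get("authentication pre-shared-secret", ""), []).append(ip)
        ike = "vpn ipsec ike-group " + p.get("ike-group", "?")
        esp = "vpn ipsec esp-group " + p.get("tunnel 1 esp-group", "?")
        if conf.get(ike + " key-exchange") != "ikev2":
            findings.append(f"{ip}: IKE group is not IKEv2")
        if conf.get(ike + " lifetime") != "28800":
            findings.append(f"{ip}: IKE lifetime is not the AWS default of 28800 s")
        if conf.get(esp + " lifetime") != "3600":
            findings.append(f"{ip}: ESP lifetime is not the AWS default of 3600 s")
    for key, ips in psks.items():  # AWS issues a separate PSK per tunnel; reuse or a template value is a finding
        if not key or key.startswith("<"):
            findings.append(f"{ips}: missing or placeholder pre-shared key")
        elif len(ips) > 1:
            findings.append(f"{ips}: one pre-shared key reused across tunnels")
    return findings
```

Feed it the real output of `show configuration commands | match "vpn ipsec"` to audit a live router; nothing in the script needs network access.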


The VPN status as checked on VyOS is as follows.

vyos@vyos:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
[AWS-VirtualPrivateGateway-IP1]                             192.168.115.130

    Description: AWS-VPC-01

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes256   sha256_128 21(ECP_521)    no     3600    28800


Peer ID / IP                            Local ID / IP
------------                            -------------
[AWS-VirtualPrivateGateway-IP2]                           192.168.115.130

    Description: AWS-VPC-02

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes256   sha256_128 21(ECP_521)    no     3600    28800


vyos@vyos:~$
vyos@vyos:~$ show vpn ipsec sa
Connection                   State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
---------------------------  -------  ----------  --------------  ----------------  -----------  -------------------------------------------------------
peer-[AWS-VirtualPrivateGateway-IP1]-tunnel-1    up       39 minutes  38K/54K         [AWS-VirtualPrivateGateway-IP1]       N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
peer-[AWS-VirtualPrivateGateway-IP2]-tunnel-1  up       39 minutes  0B/0B           [AWS-VirtualPrivateGateway-IP2]     N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
vyos@vyos:~$
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

S>* 0.0.0.0/0 [210/0] via 192.168.115.2, eth0, 00:45:20
C>* 192.168.0.0/24 is directly connected, eth1, 00:45:19
C>* 192.168.115.0/24 is directly connected, eth0, 00:45:21
vyos@vyos:~$

Run ping and curl from VyOS.

vyos@vyos:~$ ping 172.31.0.143 count 4
PING 172.31.0.143 (172.31.0.143) 56(84) bytes of data.
64 bytes from 172.31.0.143: icmp_seq=1 ttl=127 time=52.3 ms
64 bytes from 172.31.0.143: icmp_seq=2 ttl=127 time=60.7 ms
64 bytes from 172.31.0.143: icmp_seq=3 ttl=127 time=59.4 ms
64 bytes from 172.31.0.143: icmp_seq=4 ttl=127 time=36.4 ms

--- 172.31.0.143 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 36.401/52.247/60.723/9.684 ms
vyos@vyos:~$

vyos@vyos:~$ curl 172.31.0.143
<html><body><h1>It works!</h1></body></html>
vyos@vyos:~$

I confirmed that VyOS can communicate with the EC2 instance in AWS.
That's all for today. See you next time.