The other day I tried a dynamically routed VPN between AWS and the VyOS 1.2.9 LTS instance I had deployed. The dynamic-routing configuration uses a VTI interface and BGP. Note that I did not run a long-duration traffic test. The environment used is as follows.
<Environment used>
- VMware Workstation Player 17
- Windows 11 Home
- VyOS 1.2.9 LTS
- AWS Tokyo region
<Diagram of the configuration used>
The AWS settings and status are as follows.
The VPN options are left at their defaults.
[Site-to-Site VPN connection] Details
[Site-to-Site VPN connection] Tunnel details
For this check, VyOS was configured to bring up a VPN connection to Tunnel1 only.
Tunnel2 is therefore down.
[Route table] Routes
Because the virtual private gateway used for the previous static-route VPN had just been deleted, the status of the 192.168.0.0/24 route shows as blackhole.
[Route table] Route propagation
The VyOS configuration is as follows.
To repeat, only one VPN connection to AWS is configured this time, since this is a quick check.
vyos@vyos:~$ show configuration commands
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall options interface vti0 adjust-mss '1394'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:f3:72:11'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:f3:72:1b'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces vti vti0 address '169.254.204.246/30'
set interfaces vti vti0 mtu '1436'
set nat source rule 1 outbound-interface 'eth0'
set nat source rule 1 translation address 'masquerade'
set protocols bgp 65000 address-family ipv4-unicast network 192.168.1.0/24
set protocols bgp 65000 neighbor 169.254.204.245 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.204.245 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.204.245 timers keepalive '10'
set protocols static interface-route 169.254.204.244/30 next-hop-interface vti0
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '[vyos-password]'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 133.243.238.243
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Tokyo'
set vpn ipsec esp-group esp-grp-01 compression 'disable'
set vpn ipsec esp-group esp-grp-01 lifetime '3600'
set vpn ipsec esp-group esp-grp-01 mode 'tunnel'
set vpn ipsec esp-group esp-grp-01 pfs 'dh-group21'
set vpn ipsec esp-group esp-grp-01 proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-grp-01 proposal 1 hash 'sha256'
set vpn ipsec ike-group ike-grp-01 close-action 'none'
set vpn ipsec ike-group ike-grp-01 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike-grp-01 dead-peer-detection interval '10'
set vpn ipsec ike-group ike-grp-01 dead-peer-detection timeout '120'
set vpn ipsec ike-group ike-grp-01 ikev2-reauth 'no'
set vpn ipsec ike-group ike-grp-01 key-exchange 'ikev2'
set vpn ipsec ike-group ike-grp-01 lifetime '28800'
set vpn ipsec ike-group ike-grp-01 proposal 1 dh-group '21'
set vpn ipsec ike-group ike-grp-01 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-grp-01 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] authentication pre-shared-secret '[pre-shared key1]'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] connection-type 'initiate'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] default-esp-group 'esp-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] description 'AWS-VPC-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] ike-group 'ike-grp-01'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] local-address '192.168.115.130'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] vti bind 'vti0'
set vpn ipsec site-to-site peer [AWS-VirtualPrivateGateway-IP1] vti esp-group 'esp-grp-01'
vyos@vyos:~$
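As an added example (not part of the original post), the following Python script parses "show configuration commands" output like the one above into a nested dictionary and audits the settings that matter for this AWS BGP-over-VTI setup: IKEv2, DPD, PFS, MSS clamping that fits inside the VTI MTU, BGP hold time versus keepalive, and whether a second tunnel exists for redundancy. The sample configuration is a constructed excerpt of the one above; the peer address 203.0.113.10 is a placeholder.

```python
import shlex

# Constructed excerpt modelled on the configuration above; the peer address is a placeholder.
SAMPLE = """
set firewall options interface vti0 adjust-mss '1394'
set interfaces vti vti0 address '169.254.204.246/30'
set interfaces vti vti0 mtu '1436'
set protocols bgp 65000 neighbor 169.254.204.245 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.204.245 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.204.245 timers keepalive '10'
set vpn ipsec esp-group esp-grp-01 pfs 'dh-group21'
set vpn ipsec ike-group ike-grp-01 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike-grp-01 key-exchange 'ikev2'
set vpn ipsec site-to-site peer 203.0.113.10 ike-group 'ike-grp-01'
set vpn ipsec site-to-site peer 203.0.113.10 vti bind 'vti0'
"""

def parse_set_commands(text):
    """Turn "set a b c 'value'" lines into nested dicts (a repeated leaf key overwrites)."""
    tree = {}
    for line in text.splitlines():
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line)[1:]          # shlex also strips the quotes around values
        node = tree
        for tok in tokens[:-2]:
            node = node.setdefault(tok, {})
        node[tokens[-2]] = tokens[-1]
    return tree

def audit(tree):
    """Return check name -> bool for the settings that matter on an AWS BGP-over-VTI VPN."""
    ipsec = tree["vpn"]["ipsec"]
    peers = ipsec["site-to-site"]["peer"]
    ike_groups = [ipsec["ike-group"][p["ike-group"]] for p in peers.values()]
    neighbors = [n for asn in tree["protocols"]["bgp"].values() for n in asn["neighbor"].values()]
    vti_mtu = int(tree["interfaces"]["vti"]["vti0"]["mtu"])
    vti_mss = int(tree["firewall"]["options"]["interface"]["vti0"]["adjust-mss"])
    return {
        "ikev2": all(g.get("key-exchange") == "ikev2" for g in ike_groups),
        "dpd_enabled": all("dead-peer-detection" in g for g in ike_groups),
        "pfs": all(g.get("pfs", "disable") != "disable" for g in ipsec["esp-group"].values()),
        "mss_fits_mtu": vti_mss <= vti_mtu - 40,   # 20 B IPv4 + 20 B TCP headers
        "bgp_timers": all(int(n["timers"]["holdtime"]) >= 3 * int(n["timers"]["keepalive"]) for n in neighbors),
        "redundant_tunnels": len(peers) >= 2,      # the post deliberately brings up only Tunnel1
    }

if __name__ == "__main__":
    for name, ok in audit(parse_set_commands(SAMPLE)).items():
        print(f"{'PASS' if ok else 'WARN'} {name}")
```

On the configuration above every check passes except redundant_tunnels, which is expected since Tunnel2 was intentionally left unconfigured for this quick test.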
The VPN status as checked on VyOS is as follows.
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
[AWS-VirtualPrivateGateway-IP1] 192.168.115.130
Description: AWS-VPC-01
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 aes256 sha256_128 21(ECP_521) no 7200 28800
vyos@vyos:~$ show vpn ipsec sa
Connection State Up Bytes In/Out Remote address Remote ID Proposal
----------------------------- ------- ----------- -------------- ---------------- ----------- -------------------------------------------------------
peer-[AWS-VirtualPrivateGateway-IP1]-tunnel-vti up 110 minutes 11K/16K [AWS-VirtualPrivateGateway-IP1] N/A AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
vyos@vyos:~$
The BGP neighbor and routing information as checked on VyOS is as follows.
vyos@vyos:~$ show ip bgp
BGP table version is 2, local router ID is 192.168.115.130, vrf id 0
Default local pref 100, local AS 65000
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 172.31.0.0/16 169.254.204.245 100 0 64512 i
*> 192.168.1.0/24 0.0.0.0 0 32768 i
Displayed 2 routes and 2 total paths
vyos@vyos:~$ show ip bgp neighbors
BGP neighbor is 169.254.204.245, remote AS 64512, local AS 65000, external link
BGP version 4, remote router ID 169.254.204.245, local router ID 192.168.115.130
BGP state = Established, up for 01:54:51
Last read 00:00:10, Last write 00:00:10
Hold time is 30, keepalive interval is 10 seconds
Configured hold time is 30, keepalive interval is 10 seconds
Neighbor capabilities:
4 Byte AS: advertised and received
AddPath:
IPv4 Unicast: RX advertised IPv4 Unicast
Route refresh: advertised and received(old & new)
Address Family IPv4 Unicast: advertised and received
Hostname Capability: advertised (name: vyos,domain name: n/a) not received
Graceful Restart Capabilty: advertised
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 2 2
Keepalives: 689 690
Route Refresh: 0 0
Capability: 0 0
Total: 692 693
Minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
Update group 1, subgroup 1
Packet Queue length 0
Community attribute sent to this neighbor(all)
1 accepted prefixes
Connections established 1; dropped 0
Last reset 01:54:53, Waiting for peer OPEN
Local host: 169.254.204.246, Local port: 54076
Foreign host: 169.254.204.245, Foreign port: 179
Nexthop: 169.254.204.246
Nexthop global: fe80::5efe:c0a8:7382
Nexthop local: fe80::5efe:c0a8:7382
BGP connection: shared network
BGP Connect Retry Timer in Seconds: 120
Estimated round trip time: 32 ms
Read thread: on Write thread: on FD used: 27
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
S>* 0.0.0.0/0 [210/0] via 192.168.115.2, eth0, 01:54:57
S 169.254.204.244/30 [1/0] is directly connected, vti0, 01:54:54
C>* 169.254.204.244/30 is directly connected, vti0, 01:54:54
B>* 172.31.0.0/16 [20/100] via 169.254.204.245, vti0, 01:54:53
C>* 192.168.1.0/24 is directly connected, eth1, 01:54:59
C>* 192.168.115.0/24 is directly connected, eth0, 01:54:58
vyos@vyos:~$
Run ping and curl from VyOS.
vyos@vyos:~$ ping 169.254.204.245 count 4
PING 169.254.204.245 (169.254.204.245) 56(84) bytes of data.
64 bytes from 169.254.204.245: icmp_seq=1 ttl=254 time=57.7 ms
64 bytes from 169.254.204.245: icmp_seq=2 ttl=254 time=54.1 ms
64 bytes from 169.254.204.245: icmp_seq=3 ttl=254 time=43.1 ms
64 bytes from 169.254.204.245: icmp_seq=4 ttl=254 time=40.9 ms
--- 169.254.204.245 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 40.914/48.990/57.715/7.099 ms
vyos@vyos:~$
vyos@vyos:~$ ping 172.31.0.143 count 4 interface 192.168.1.1
PING 172.31.0.143 (172.31.0.143) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 172.31.0.143: icmp_seq=1 ttl=127 time=68.3 ms
64 bytes from 172.31.0.143: icmp_seq=2 ttl=127 time=48.3 ms
64 bytes from 172.31.0.143: icmp_seq=3 ttl=127 time=216 ms
64 bytes from 172.31.0.143: icmp_seq=4 ttl=127 time=54.4 ms
--- 172.31.0.143 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 48.381/96.924/216.491/69.410 ms
vyos@vyos:~$
vyos@vyos:~$ curl --interface 192.168.1.1 172.31.0.143
<html><body><h1>It works!</h1></body></html>
vyos@vyos:~$
This confirmed that VyOS can communicate with the EC2 instance in AWS.