More than 5 years have passed since last update.

RTX1200 を使って GCP VPN に接続

Posted at 2016-08-30

環境

	IP アドレス
RTX1200	aaa.bbb.ccc.ddd(192.168.0.x/24)
GCP	AAA.BBB.CCC.DDD(10.140.0.0/20)

RTX1200 は NAT 配下にあって上位の FW でグローバル IP アドレス aaa.bbb.ccc.ddd を割り当てている

GCP は、デフォルトのネットワーク（10.140.0.0/20）をそのまま使用して VPN ゲートウェイにはグローバル IP アドレス AAA.BBB.CCC.DDD を割り当てている

GCP VPN の設定

GCP 側で VPN ゲートウェイとトンネルの作成

RTX1200 の設定

tunnle の ID は適当に

tunnel select 100
 description tunnel VPNGCP
 ipsec tunnel 1100
  ipsec sa policy 1100 100 esp aes-cbc sha-hmac
  ipsec ike version 100 2
  ipsec ike always-on 100 on
  ipsec ike encryption 100 aes-cbc
  ipsec ike group 100 modp1024
  ipsec ike hash 100 sha
  ipsec ike keepalive log 100 on
  ipsec ike keepalive use 100 on rfc4306
  ipsec ike local address 100 aaa.bbb.ccc.ddd
  ipsec ike local name 100 aaa.bbb.ccc.ddd ipv4-addr
  ipsec ike nat-traversal 100 on
  ipsec ike pfs 100 on
  ipsec ike pre-shared-key 100 text ***************** # Preshared Key
  ipsec ike remote address 100 AAA.BBB.CCC.DDD
  ipsec ike remote name 100 AAA.BBB.CCC.DDD ipv4-addr
  ipsec auto refresh 100 on
 ip tunnel tcp mss limit auto
 tunnel enable 100

状況の確認

> show ipsec sa

sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
5     100  -    ike          -    26867   AAA.BBB.CCC.DDD
23    100  5    tun[100]esp  send 26867   AAA.BBB.CCC.DDD
24    100  5    tun[100]esp  recv 26867   AAA.BBB.CCC.DDD

詳細の確認

> show ipsec sa gateway 100 detail
SA[5] Status: Establised  Duration: 26725s
Protocol: IKEv2
Local Host: 192.168.0.x:4500
Remote Host: AAA.BBB.CCC.DDD:4500
Encryption Algorithm    : AES256_CBC         PRF     : HMAC_SHA2_256
Authentication Algorithm: HMAC_SHA2_256_128  DH Group: MODP_2048
SPI: 9f 2c ee 14 09 82 41 8c 7a 7d e8 53 7d dd e4 71
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------
SA[23] Status: Establised  Duration: 26725s
Direction: send
Protocol: ESP (Mode: tunnel)
Local ID : aaa.bbb.ccc.ddd (IPv4_ADDR)
Remote ID: AAA.BBB.CCC.DDD:4500 (IPv4_ADDR)
Encryption Algorithm    : AES256_CBC
Authentication Algorithm: HMAC_SHA1_96       ESN: DISABLE
Source Traffic Selector (type / protocol / port / address)
 IPv4-range / any / 0-65535     / 192.168.0.0-192.168.0.255
 IPv4-range / any / 0-65535     / 192.168.0.0-192.168.0.255
Destination Traffic Selector (type / protocol / port / address)
 IPv4-range / any / 0-65535     / 10.140.0.0-10.140.15.255
 IPv4-range / any / 0-65535     / 10.140.0.0-10.140.15.255
SPI: 75 22 42 12
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------
SA[24] Status: Establised  Duration: 26725s
Direction: receive
Protocol: ESP (Mode: tunnel)
Local ID : aaa.bbb.ccc.ddd (IPv4_ADDR)
Remote ID: AAA.BBB.CCC.DDD:4500 (IPv4_ADDR)
Encryption Algorithm    : AES256_CBC
Authentication Algorithm: HMAC_SHA1_96       ESN: DISABLE
SPI: 69 92 43 b6
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------

スタティックルートの追加

# ip route 10.140.0.0/20 gateway tunnel 100

あとは、GCP 側でファイアウォールルールの調整を行う

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up