前回書いたもの は VyOS のドキュメントに引っ張られて余計な dum0 インターフェースなどを作っていたので、余計なものを削除してやり直し。
1対1 VPN
10.1.0.254 は OPNsense FW で、管理 LAN からアクセスする用の port forwarding ルータ。
NAT : インターネットへの出口
L3 : VyOS 間のルーティング (プライオとか、IWAN [Interconnected WAN] とかを想定)
VyOS の外側は固定 IP アドレス
VyOS に流し込むデフォルト
VyOS 共通設定
# Terminal geometry only; not part of the router configuration.
stty rows 30 columns 130
configure
# Start from a clean slate: drop the service/static/interface/VPN/VRF/login
# config left over from the earlier attempt. Everything below re-creates what
# is needed in the same configure session; the commit comes in the per-box
# snippet that follows this common part.
delete service
delete protocols static
delete interfaces ethernet
delete vpn
delete vrf
delete system login
set system domain-name 'my.home'
# The prompts later show RT-00 / RT-10, so the host name is presumably
# changed per box after this common part is pasted.
set system host-name 'NAT'
set system time-zone 'Asia/Tokyo'
# IPv6 is not routed in this lab.
set system ipv6 disable-forwarding
set service lldp interface all
set service lldp legacy-protocols cdp
# SSH is bound to the MGT VRF, i.e. reachable via eth0 on the management LAN
# and not on the WAN/LAN-side interfaces that stay in the default VRF.
set service ssh
set service ssh vrf MGT
# plaintext-password is hashed on commit, but 'vyos' is the well-known
# default; change it, or once the key below works, turn password login off
# with 'set service ssh disable-password-authentication'.
set system login user vyos authentication plaintext-password vyos
# 'AAAA~~~~' is a placeholder for the real ed25519 public key.
set system login user vyos authentication public-keys 'user01' key 'AAAA~~~~'
set system login user vyos authentication public-keys 'user01' type 'ssh-ed25519'
# Management VRF with its own table and a default route toward the OPNsense
# firewall (10.1.0.254) on the management LAN.
set vrf name MGT table '100'
set vrf name MGT protocols static route 0.0.0.0/0 next-hop 10.1.0.254
set interfaces ethernet eth0 description 'MGT_RT'
set interfaces ethernet eth0 vrf MGT
set system name-server 192.168.0.252
set system name-server 1.0.0.1
NAT, L3 の Config
NAT に流し込む config (VyOS)
# eth0: management LAN, inside the MGT VRF (see the common config).
set interfaces ethernet eth0 address '10.1.0.253/24'
set interfaces ethernet eth0 description 'MGT_RT'
set interfaces ethernet eth0 vrf MGT
# eth1: Internet uplink, addressed by DHCP; also the masquerade interface.
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 description 'to_Internet'
# eth2: link to the LAN side of RT-00 (172.16.0.1).
set interfaces ethernet eth2 address '172.16.0.254/24'
set interfaces ethernet eth2 description 'LAN_RT'
# All of 172.16.0.0/16 (RT-00's LAN and, through the tunnel, RT-10's
# 172.16.10.0/24) is reached via RT-00.
set protocols static route 172.16.0.0/16 next-hop 172.16.0.1
# Source NAT for everything leaving eth1. No 'firewall' rules appear in
# these snippets, so inbound traffic on eth1 is not filtered here; fine for
# the lab, but add a firewall policy on eth1 before using this for real.
set nat source rule 1 outbound-interface name 'eth1'
set nat source rule 1 translation address 'masquerade'
commit
save
L3 に流し込む config (Cisco)
! Local time zone and timestamped debug/log output.
clock timezone JST 9 0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Leaves any type-7 password strings readable in the running config. The
! credentials below use sha256 secrets, so nothing here is affected today;
! revisit before adding a plain line or enable password.
no service password-encryption
service sequence-numbers
lldp run
! Cisco1 is a lab value - use a real secret outside the lab.
username admin algorithm-type sha256 secret Cisco1
enable algorithm-type sha256 secret Cisco1
hostname L3
! Domain name is needed before the SSH host key can be generated.
ip domain name my.home
crypto key generate rsa modulus 4096
ip ssh version 2
! SSH-only VTY, authenticated against the local user above. Not configured
! here: an access-class restricting sources to the management LAN, and an
! exec-timeout.
line vty 0 4
transport input ssh
login local
! Management VRF, counterpart of the MGT VRF on the VyOS routers.
ip vrf MGT
rd 1:100
no ip http server
no ip http secure-server
spanning-tree portfast bpduguard
! Transit links to the VyOS routers: RT-00 on 192.168.2.0/24 via Eth0/0,
! RT-10 on 192.168.10.0/24 via Eth0/2. Eth0/1 has no peer in these notes.
interface Ethernet0/0
ip address 192.168.2.254 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 192.168.1.254 255.255.255.0
no shutdown
interface Ethernet0/2
ip address 192.168.10.254 255.255.255.0
no shutdown
! Management port, placed in the MGT VRF with its own default route below.
interface Ethernet2/3
ip vrf forwarding MGT
ip address 10.1.0.252 255.255.255.0
no shutdown
exit
ip route vrf MGT 0.0.0.0 0.0.0.0 10.1.0.254
VPN 設定前の状態
L3 部分をプライオと想定して eth1 を mtu 1444 に設定する
VPN設定前
VyOS default に続けて流し込む config
設定前 RT-00
# eth0: management, in the MGT VRF.
set interfaces ethernet eth0 address '10.1.0.100/24'
set interfaces ethernet eth0 description 'MGT_RT-00'
set interfaces ethernet eth0 vrf MGT
# eth1: toward the L3 switch standing in for the carrier WAN. MTU 1444
# models that link; the TCP MSS on the tunnel is clamped separately later.
set interfaces ethernet eth1 address '192.168.2.1/24'
set interfaces ethernet eth1 description 'L3_RT-00'
set interfaces ethernet eth1 mtu 1444
# eth2: site LAN; the NAT box sits at 172.16.0.254 on this segment.
set interfaces ethernet eth2 address '172.16.0.1/24'
set interfaces ethernet eth2 description 'LAN_RT-00'
# Default toward the NAT box (Internet exit); the 192.168/16 transit space
# via the L3 switch. No route to RT-10's 172.16.10.0/24 yet - that is added
# together with the VPN config.
set protocols static route 0.0.0.0/0 next-hop 172.16.0.254 interface eth2
set protocols static route 192.168.0.0/16 next-hop 192.168.2.254 interface eth1
commit
save
設定前 RT-10
# eth0: management, in the MGT VRF.
set interfaces ethernet eth0 address '10.1.0.110/24'
set interfaces ethernet eth0 description 'MGT_RT-10'
set interfaces ethernet eth0 vrf MGT
# eth1: toward the L3 switch (carrier WAN stand-in), MTU 1444 as on RT-00.
set interfaces ethernet eth1 address '192.168.10.1/24'
set interfaces ethernet eth1 description 'L3_RT-10'
set interfaces ethernet eth1 mtu 1444
# eth2: site LAN.
set interfaces ethernet eth2 address '172.16.10.1/24'
set interfaces ethernet eth2 description 'LAN_RT-10'
# Only the transit space is routed here: RT-10 has no default route until
# the VPN config points 0.0.0.0/0 at the tunnel interface.
set protocols static route 192.168.0.0/16 next-hop 192.168.10.254 interface eth1
commit
save
VPN 設定の共通部分
# ESP / IKE cipher settings (profile definitions).
# IKE group -> IKE SA   (IKEv1 "phase 1")
# ESP group -> CHILD SA (IKEv1 "phase 2")
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
# PFS with DH group 14 (2048-bit MODP) on CHILD SA rekey.
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group14'
# AES-256-GCM is an AEAD cipher, so the separate 'hash' line is not used for
# ESP integrity: the 'show vpn ipsec sa' output further down reports
# AES_GCM_16_256 with no integrity algorithm. Harmless, but misleading.
set vpn ipsec esp-group ESP_DEFAULT proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 1 hash 'sha512'
# DPD: probe every 15 s; after 30 s without a reply, restart the connection.
set vpn ipsec ike-group IKE_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE_DEFAULT dead-peer-detection interval '15'
set vpn ipsec ike-group IKE_DEFAULT dead-peer-detection timeout '30'
# Re-authenticate the peer (not just rekey) when the IKE SA lifetime expires.
set vpn ipsec ike-group IKE_DEFAULT ikev2-reauth
set vpn ipsec ike-group IKE_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKE_DEFAULT lifetime '28800'
# IKE: ChaCha20-Poly1305 (AEAD), DH group 31 = Curve25519 (the 'show vpn ike
# sa' output confirms CHACHA20_POLY1305 / CURVE_25519). The sha512 line
# presumably selects the PRF for the AEAD proposal - confirm if it matters.
set vpn ipsec ike-group IKE_DEFAULT proposal 1 dh-group '31'
set vpn ipsec ike-group IKE_DEFAULT proposal 1 encryption 'chacha20poly1305'
set vpn ipsec ike-group IKE_DEFAULT proposal 1 hash 'sha512'
# Site-to-site traffic: IKE/ESP on the WAN-side interface, tunnel is vti10.
set vpn ipsec interface eth1
# Redundant with the connected route vti10 gets from its own /24 address;
# the 'show ip route' output later lists this static as not selected.
set protocols static route 169.254.0.0/24 interface vti10
# Recommended with VTI: routing is driven by static config, not installed
# by the IKE daemon from the traffic selectors.
set vpn ipsec options disable-route-autoinstall
# site-to-site profile. Authentication is by pre-shared key, so the secret is
# part of the configuration and config backups are sensitive; certificates
# would avoid that. Both ends are 'initiate', so either side can bring the
# tunnel up.
set vpn ipsec site-to-site peer Site2Site ike-group 'IKE_DEFAULT'
set vpn ipsec site-to-site peer Site2Site vti esp-group 'ESP_DEFAULT'
set vpn ipsec site-to-site peer Site2Site authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer Site2Site ikev2-reauth inherit
set vpn ipsec site-to-site peer Site2Site vti bind 'vti10'
set vpn ipsec site-to-site peer Site2Site connection-type 'initiate'
個別設定
「フレッツ・VPN プライオ」でVPN装置(CPE)下部へルータを設置する場合のMTU値設定について によると、トンネルインターフェースの mss は 1334 になるそうな。
西日本はオプションが付いて小さくなるとか言っていたような、いなかったような...。取りあえず mss は 1334 で。
RT-00
# Pre-shared key for the listed IKE identities. Note the identities here are
# the names RT-00 / RT-10 (matched against local-id / remote-id below), not
# IP addresses.
set vpn ipsec authentication psk Site2Site id RT-00
set vpn ipsec authentication psk Site2Site id RT-10
# 'secret_ABC-def' is a sample value; use a long random secret and keep it
# out of shared notes and backups. Must be identical on RT-10.
set vpn ipsec authentication psk Site2Site secret 'secret_ABC-def'
set vpn ipsec site-to-site peer Site2Site authentication local-id RT-00
set vpn ipsec site-to-site peer Site2Site authentication remote-id RT-10
# IKE endpoints: this box's eth1 address and RT-10's eth1 address.
set vpn ipsec site-to-site peer Site2Site local-address '192.168.2.1'
set vpn ipsec site-to-site peer Site2Site remote-address '192.168.10.1'
# Tunnel interface address (RT-10 is .110 in the same /24).
set interfaces vti vti10 address '169.254.0.100/24'
set interfaces vti vti10 description 'RT-00_tunnel'
# TCP MSS clamp for the carrier VPN MTU; see the note above this snippet.
set interfaces vti vti10 ip adjust-mss '1334'
# Route to RT-10's LAN through the tunnel.
set protocols static route 172.16.10.0/24 next-hop 169.254.0.110 interface vti10
RT-10
# Pre-shared key for the listed IKE identities (names, not IP addresses);
# same identity list as on RT-00.
set vpn ipsec authentication psk Site2Site id RT-10
set vpn ipsec authentication psk Site2Site id RT-00
# Sample value - must match RT-00; use a long random secret for real use.
set vpn ipsec authentication psk Site2Site secret 'secret_ABC-def'
set vpn ipsec site-to-site peer Site2Site authentication local-id RT-10
set vpn ipsec site-to-site peer Site2Site authentication remote-id RT-00
# IKE endpoints, mirrored from RT-00.
set vpn ipsec site-to-site peer Site2Site local-address '192.168.10.1'
set vpn ipsec site-to-site peer Site2Site remote-address '192.168.2.1'
# Tunnel interface address (RT-00 is .100).
set interfaces vti vti10 address '169.254.0.110/24'
set interfaces vti vti10 description 'RT-10_tunnel'
# TCP MSS clamp, same value as RT-00.
set interfaces vti vti10 ip adjust-mss '1334'
# Default route into the tunnel: RT-10 has no Internet exit of its own, so
# everything without a more specific route goes to RT-00 and out through the
# NAT box (the traceroute to 1.1.1.1 below shows that path).
set protocols static route 0.0.0.0/0 interface vti10
# traceroute toward 192.168.0.x (beyond the NAT box) did not work with only
# the 192.168.0.0/16 route via eth1 - the L3 switch config above has no route
# for that prefix. This more-specific /24 sends it through the tunnel instead.
set protocols static route 192.168.0.0/24 interface vti10
通信試験
通信試験用端末の 172.16.0.10
インターネットの 1.1.1.1
に夫れ夫れ traceroute をうってみる
vyos@RT-10:~$ traceroute 172.16.0.10 no-resolve
traceroute to 172.16.0.10 (172.16.0.10), 30 hops max, 60 byte packets
1 169.254.0.100 2.517 ms 2.322 ms 2.210 ms
2 172.16.0.10 2.123 ms 2.048 ms 1.964 ms
vyos@RT-10:~$
vyos@RT-10:~$ traceroute 1.1.1.1 source-address 172.16.10.1 no-resolve
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 169.254.0.100 2.287 ms 2.115 ms 2.042 ms
2 172.16.0.254 3.593 ms 3.519 ms 3.339 ms
3 192.168.0.254 5.119 ms 7.039 ms 7.010 ms
4 192.168.10.254 7.234 ms 8.428 ms 9.046 ms
.....(略)
13 162.158.4.25 9.974 ms 9.796 ms 162.158.4.43 7.245 ms
14 1.1.1.1 6.193 ms 7.334 ms 11.229 ms
vyos@RT-10:~$
無事、接続できましたね。
ルーティングなど
vyos@RT-10:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ---------------- ----------------- ------- ----- ----- -------------
eth0 10.1.0.110/24 50:00:00:04:00:00 MGT 1500 u/u MGT_RT-10
eth1 192.168.10.1/24 50:00:00:04:00:01 default 1444 u/u L3_RT-10
eth2 172.16.10.1/24 50:00:00:04:00:02 default 1500 u/u LAN_RT-10
eth3 - 50:00:00:04:00:03 default 1500 u/u
lo 127.0.0.1/8 00:00:00:00:00:00 default 65536 u/u
::1/128
vti10 169.254.0.110/24 n/a default 1500 u/u RT-10_tunnel
vyos@RT-10:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>* 0.0.0.0/0 [1/0] is directly connected, vti10, weight 1, 00:45:58
S 169.254.0.0/24 [1/0] is directly connected, vti10, weight 1, 00:45:58
C>* 169.254.0.0/24 is directly connected, vti10, 00:45:58
C>* 172.16.10.0/24 is directly connected, eth2, 00:46:05
S>* 192.168.0.0/16 [1/0] via 192.168.10.254, eth1, weight 1, 00:46:02
S>* 192.168.0.0/24 [1/0] is directly connected, vti10, weight 1, 00:44:03
C>* 192.168.10.0/24 is directly connected, eth1, 00:46:06
接続時の状態
vyos@RT-00:~$ show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
------------- ------- ------ ---------------- ---------- ----------- ---------- ----------- ---------------------------------------
Site2Site up IKEv2 192.168.10.1 - - RT-00 RT-10 CHACHA20_POLY1305/None/None/CURVE_25519
Site2Site-vti up IPsec 192.168.10.1 0.0.0.0/0 0.0.0.0/0 RT-00 RT-10 AES_GCM/256/None/None
::/0 ::/0
vyos@RT-00:~$
vyos@RT-00:~$
vyos@RT-00:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
192.168.10.1 RT-10 192.168.2.1 RT-00
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 CHACHA20_POLY1305 n/a CURVE_25519 no 1489 26637
Peer ID / IP Local ID / IP
------------ -------------
192.168.10.1 RT-10 192.168.2.1 RT-00
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 CHACHA20_POLY1305 n/a CURVE_25519 no 1449 24794
vyos@RT-00:~$
vyos@RT-00:~$
vyos@RT-00:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------- ------- -------- -------------- ---------------- ---------------- ----------- --------------
Site2Site-vti up 24m14s 0B/0B 0/0 192.168.10.1 RT-10 AES_GCM_16_256
Site2Site-vti up 24m54s 0B/0B 0/0 192.168.10.1 RT-10 AES_GCM_16_256
vyos@RT-00:~$
vyos@RT-00:~$
vyos@RT-00:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ---------------- ----------------- ------- ----- ----- -------------
eth0 10.1.0.100/24 50:00:00:05:00:00 MGT 1500 u/u MGT_RT-00
eth1 192.168.2.1/24 50:00:00:05:00:01 default 1444 u/u L3_RT-00
eth2 172.16.0.1/24 50:00:00:05:00:02 default 1500 u/u LAN_RT-00
eth3 - 50:00:00:05:00:03 default 1500 A/D
lo 127.0.0.1/8 00:00:00:00:00:00 default 65536 u/u
::1/128
vti10 169.254.0.100/24 n/a default 1500 u/u RT-00_tunnel
vyos@RT-00:~$
センターを 2台にして冗長化...は追記予定