Purpose
I had the opportunity to configure Vyatta, so I am writing up how to do the configuration from a shell script.
The article below describes how to export the configuration in command form, but the parameters then had to be replaced by hand, so I looked for a more general way to do the configuration using shell-script variables.
I will set things up while referring to the following article.
Vyatta configure-mode commands in a shell script
You have to use the commands found in the actual directory:
# ls ${vyatta_sbindir}/my*
/opt/vyatta/sbin/my_cli_bin /opt/vyatta/sbin/my_delete
/opt/vyatta/sbin/my_cli_shell_api /opt/vyatta/sbin/my_discard
/opt/vyatta/sbin/my_comment /opt/vyatta/sbin/my_move
/opt/vyatta/sbin/my_commit /opt/vyatta/sbin/my_rename
/opt/vyatta/sbin/my_copy /opt/vyatta/sbin/my_set
Concretely, a shell script uses lines like the following:
${vyatta_sbindir}/my_comment
${vyatta_sbindir}/my_commit
${vyatta_sbindir}/my_copy
${vyatta_sbindir}/my_delete
${vyatta_sbindir}/my_discard
${vyatta_sbindir}/my_move
${vyatta_sbindir}/my_rename
${vyatta_sbindir}/my_set
The shebang must be vbash
The first line of the shell script (the shebang) has to be written as follows for Vyatta (VyOS):
#!/bin/vbash
Also note that the method described here has to be executed in configure mode.
Test 1
As a trial, run the following in configure mode:
$ configure
# ./test01.sh
test01.sh
#!/bin/vbash
saddr="192.168.20.0/24"
${vyatta_sbindir}/my_set nat source rule 2 outbound-interface eth0
${vyatta_sbindir}/my_set nat source rule 2 source address ${saddr}
${vyatta_sbindir}/my_set nat source rule 2 translation address masquerade
${vyatta_sbindir}/my_commit
Result
# show nat
source {
rule 2 {
outbound-interface eth0
source {
address 192.168.20.0/24
}
translation {
address masquerade
}
}
}
Test 2
Next, run the following script as well:
test02.sh
#!/bin/vbash
for NUM in $(seq 5 10)
do
${vyatta_sbindir}/my_set nat source rule ${NUM} outbound-interface eth0
${vyatta_sbindir}/my_set nat source rule ${NUM} source address 192.168.${NUM}0.0/24
${vyatta_sbindir}/my_set nat source rule ${NUM} translation address masquerade
done
${vyatta_sbindir}/my_commit
The result is as follows:
# show nat
source {
rule 5 {
outbound-interface eth0
source {
address 192.168.50.0/24
}
translation {
address masquerade
}
}
rule 6 {
outbound-interface eth0
source {
address 192.168.60.0/24
}
translation {
address masquerade
}
}
rule 7 {
outbound-interface eth0
source {
address 192.168.70.0/24
}
translation {
address masquerade
}
}
rule 8 {
outbound-interface eth0
source {
address 192.168.80.0/24
}
translation {
address masquerade
}
}
rule 9 {
outbound-interface eth0
source {
address 192.168.90.0/24
}
translation {
address masquerade
}
}
rule 10 {
outbound-interface eth0
source {
address 192.168.100.0/24
}
translation {
address masquerade
}
}
}
Configuring an IPsec VPN
Now let's write the IPsec VPN configuration as a shell script.
Done this way, you only need to look at the parameters in the first few lines, which is convenient.
vyatta-ipsec.sh
#!/bin/vbash
LOCALADDR="169.0.0.1"
LOCALSUBNET="10.0.0.0/8"
REMOTEADDR="161.0.0.1"
REMOTESUBNET="192.168.10.0/24"
INTERFACE="eth1"
SECRET="your_pre_shared_secret"
${vyatta_sbindir}/my_set firewall all-ping 'enable'
${vyatta_sbindir}/my_set firewall broadcast-ping 'disable'
${vyatta_sbindir}/my_set firewall config-trap 'disable'
${vyatta_sbindir}/my_set firewall ipv6-receive-redirects 'disable'
${vyatta_sbindir}/my_set firewall ipv6-src-route 'disable'
${vyatta_sbindir}/my_set firewall ip-src-route 'disable'
${vyatta_sbindir}/my_set firewall log-martians 'enable'
${vyatta_sbindir}/my_set firewall name IN default-action 'drop'
${vyatta_sbindir}/my_set firewall name IN rule 10 action 'accept'
${vyatta_sbindir}/my_set firewall name IN rule 10 description 'For-IPSec'
${vyatta_sbindir}/my_set firewall name IN rule 10 destination address ${LOCALSUBNET}
${vyatta_sbindir}/my_set firewall name IN rule 10 source address ${REMOTESUBNET}
${vyatta_sbindir}/my_set firewall name LOCAL default-action 'drop'
${vyatta_sbindir}/my_set firewall name LOCAL rule 20 action 'accept'
${vyatta_sbindir}/my_set firewall name LOCAL rule 20 description 'For-IPSec'
${vyatta_sbindir}/my_set firewall name LOCAL rule 20 destination address ${LOCALADDR}
${vyatta_sbindir}/my_set firewall name LOCAL rule 20 destination port '4500'
${vyatta_sbindir}/my_set firewall name LOCAL rule 20 protocol 'udp'
${vyatta_sbindir}/my_set firewall name LOCAL rule 20 source address ${REMOTEADDR}
${vyatta_sbindir}/my_set firewall name LOCAL rule 30 action 'accept'
${vyatta_sbindir}/my_set firewall name LOCAL rule 30 description 'For-IPSec'
${vyatta_sbindir}/my_set firewall name LOCAL rule 30 destination address ${LOCALADDR}
${vyatta_sbindir}/my_set firewall name LOCAL rule 30 destination port '500'
${vyatta_sbindir}/my_set firewall name LOCAL rule 30 protocol 'udp'
${vyatta_sbindir}/my_set firewall name LOCAL rule 30 source address ${REMOTEADDR}
${vyatta_sbindir}/my_set firewall name LOCAL rule 50 action 'accept'
${vyatta_sbindir}/my_set firewall name LOCAL rule 50 description 'For-IPSec'
${vyatta_sbindir}/my_set firewall name LOCAL rule 50 destination address ${LOCALADDR}
${vyatta_sbindir}/my_set firewall name LOCAL rule 50 protocol 'esp'
${vyatta_sbindir}/my_set firewall name LOCAL rule 50 source address ${REMOTEADDR}
${vyatta_sbindir}/my_set firewall name LOCAL rule 90 action 'accept'
${vyatta_sbindir}/my_set firewall name LOCAL rule 90 state established 'enable'
${vyatta_sbindir}/my_set firewall name LOCAL rule 110 action 'accept'
${vyatta_sbindir}/my_set firewall name LOCAL rule 110 description 'ping-check'
${vyatta_sbindir}/my_set firewall name LOCAL rule 110 protocol 'icmp'
${vyatta_sbindir}/my_set firewall name LOCAL rule 110 source address ${REMOTEADDR}
${vyatta_sbindir}/my_set firewall receive-redirects 'disable'
${vyatta_sbindir}/my_set firewall send-redirects 'disable'
${vyatta_sbindir}/my_set firewall source-validation 'disable'
${vyatta_sbindir}/my_set firewall syn-cookies 'enable'
${vyatta_sbindir}/my_set firewall twa-hazards-protection 'disable'
${vyatta_sbindir}/my_set interfaces ethernet ${INTERFACE} firewall in name 'IN'
${vyatta_sbindir}/my_set interfaces ethernet ${INTERFACE} firewall local name 'LOCAL'
${vyatta_sbindir}/my_set vpn ipsec esp-group ESP-GROUP compression 'disable'
${vyatta_sbindir}/my_set vpn ipsec esp-group ESP-GROUP lifetime '3600'
${vyatta_sbindir}/my_set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
${vyatta_sbindir}/my_set vpn ipsec esp-group ESP-GROUP pfs 'enable'
${vyatta_sbindir}/my_set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
${vyatta_sbindir}/my_set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha1'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '15'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '90'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP ikev2-reauth 'no'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP lifetime '86400'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '5'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
${vyatta_sbindir}/my_set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha1'
${vyatta_sbindir}/my_set vpn ipsec ipsec-interfaces interface ${INTERFACE}
${vyatta_sbindir}/my_set vpn ipsec nat-networks allowed-network ${REMOTESUBNET}
${vyatta_sbindir}/my_set vpn ipsec nat-traversal 'enable'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} authentication id '@local-id'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} authentication mode 'pre-shared-secret'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} authentication pre-shared-secret ${SECRET}
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} authentication remote-id '@remote-id'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} connection-type 'initiate'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} default-esp-group 'ESP-GROUP'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} ike-group 'IKE-GROUP'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} ikev2-reauth 'inherit'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} local-address ${LOCALADDR}
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} tunnel 1 allow-nat-networks 'disable'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} tunnel 1 allow-public-networks 'disable'
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} tunnel 1 local prefix ${LOCALSUBNET}
${vyatta_sbindir}/my_set vpn ipsec site-to-site peer ${REMOTEADDR} tunnel 1 remote prefix ${REMOTESUBNET}
${vyatta_sbindir}/my_commit