What is SEIL
"SEIL" (pronounced "zeil") is a high-function router that IIJ developed by pooling its know-how as an ISP.
SEIL/x86 can be had for something like 800 yen.
It is a router that just works if you drop it into a VM without thinking about anything.
It supports IPv6, and BGP, OSPF and RIP all work as expected.
But this router does not support EBGP multihop, so an EBGP neighbour is expected to be directly connected.
So this is a log of me poking at it to see whether I could get something like that working in an environment where a firewall sits between the SEILs.
Environment
Software used
- VirtualBox 5.1.6
- Vagrant 1.8.6
- SEIL/x86 5.32vagrant box
- Debian 8 (stand-in for the firewall)
The data used is on GitHub.
Topology
seil1 ---- fw(debian) --- seil2
Test environment
case-1: Try EBGP peering without thinking about anything
Configuration
seil-1
hostname seil-1
interface lan1 add 192.168.56.100/24
interface lan2 add 10.1.0.1/24
route dyna bgp my-as 65501
route dyna bgp router 10.0.0.1
route dyna bgp nei add 192.168.57.100 remote 65502
route dyna bgp network add 10.1.0.0/24
route dyna bgp en
route add 192.168.57.100 192.168.56.110
seil-2
hostname seil-2
interface lan1 add 192.168.57.100/24
interface lan2 add 10.2.0.1/24
route dyna bgp my-as 65502
route dyna bgp router 10.0.0.2
route dyna bgp nei add 192.168.56.100 remote 65501
route dyna bgp network add 10.2.0.0/24
route dyna bgp en
route add 192.168.56.100 192.168.57.110
Result
ttl=254
seil-1# ping 192.168.57.100
PING 192.168.57.100 (192.168.57.100): 56 data bytes
64 bytes from 192.168.57.100: icmp_seq=0 ttl=254 time=3.089 ms
The BGP peer does not come up.
seil-1# sh statu route dyna bgp nei
BGP neighbor is 192.168.57.100, remote AS 65502, local AS 65501, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Active
Last read 00:57:57, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 0 0
Notifications: 0 0
Updates: 0 0
Keepalives: 0 0
Route Refresh: 0 0
Capability: 0 0
Total: 0 0
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Community attribute sent to this neighbor(both)
0 accepted prefixes
Connections established 0; dropped 0
Last reset never
Next connect timer due in 40 seconds
Try tunnelling with IPsec (without creating an ipsec interface).
Configuration
seil-1
hostname seil-1
interface lan1 add 192.168.56.100/24
interface lan2 add 10.1.0.1/24
route dyna bgp my-as 65501
route dyna bgp router 10.0.0.1
route dyna bgp nei add 192.168.57.100 remote 65502
route dyna bgp network add 10.1.0.0/24
route dyna bgp en
route add 192.168.57.100 192.168.56.110
ike proposal add IKEPtest encryption aes256 hash sha256 authentication preshared-key dh-group modp1024 lifetime-of-time 12h
ipsec security-association proposal add SAPtest pfs-group modp1024 authentication-algorithm hmac-sha256 encryption-algorithm aes256 lifetime-of-time 6h
ike preshared-key add "192.168.57.100" "test"
ike peer add PEERtest address 192.168.57.100 exchange-mode main proposals IKEPtest my-identifier address peers-identifier address initial-contact enable
ike auto-initiation enable
ipsec security-association add SAtest tunnel 192.168.56.100 192.168.57.100 ike SAPtest esp enable
ipsec security-policy add SPtest security-association SAtest src 192.168.56.100 dst 192.168.57.100
seil-2
hostname seil-2
interface lan1 add 192.168.57.100/24
interface lan2 add 10.2.0.1/24
route dyna bgp my-as 65502
route dyna bgp router 10.0.0.2
route dyna bgp nei add 192.168.56.100 remote 65501
route dyna bgp network add 10.2.0.0/24
route dyna bgp en
route add 192.168.56.100 192.168.57.110
ike proposal add IKEPtest encryption aes256 hash sha256 authentication preshared-key dh-group modp1024 lifetime-of-time 12h
ipsec security-association proposal add SAPtest pfs-group modp1024 authentication-algorithm hmac-sha256 encryption-algorithm aes256 lifetime-of-time 6h
ike preshared-key add "192.168.56.100" "test"
ike peer add PEERtest address 192.168.56.100 exchange-mode main proposals IKEPtest my-identifier address peers-identifier address initial-contact enable
ike auto-initiation enable
ipsec security-association add SAtest tunnel 192.168.57.100 192.168.56.100 ike SAPtest esp enable
ipsec security-policy add SPtest security-association SAtest src 192.168.57.100 dst 192.168.56.100
Result
ttl=255
seil-1# ping 192.168.57.100
PING 192.168.57.100 (192.168.57.100): 56 data bytes
64 bytes from 192.168.57.100: icmp_seq=0 ttl=255 time=2.308 ms
The BGP peer comes up, but no route information is received.
seil-1# sh statu route dyna bgp nei
BGP neighbor is 192.168.57.100, remote AS 65502, local AS 65501, external link
BGP version 4, remote router ID 10.0.0.2
BGP state = Established, up for 00:00:43
Last read 00:00:42, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
4 Byte AS: advertised and received
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 1 0
Notifications: 0 0
Updates: 1 1
Keepalives: 2 1
Route Refresh: 0 0
Capability: 0 0
Total: 4 2
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Community attribute sent to this neighbor(both)
0 accepted prefixes
Connections established 1; dropped 0
Last reset never
Local host: 192.168.56.100, Local port: 179
Foreign host: 192.168.57.100, Foreign port: 65534
Nexthop: 192.168.56.100
Try tunnelling with IPsec (creating an ipsec interface).
Configuration
seil-1
hostname seil-1
interface lan1 add 192.168.56.100/24
interface lan2 add 10.1.0.1/24
route dyna bgp my-as 65501
route dyna bgp router 10.0.0.1
route dyna bgp nei add 10.3.0.2 remote 65502
route dyna bgp network add 10.1.0.0/24
route dyna bgp en
route add 192.168.57.100 192.168.56.110
interface ipsec0 tunnel 192.168.56.100 192.168.57.100
int ipsec0 address 10.3.0.1/30 remote 10.3.0.2
ike proposal add IKEPtest encryption aes256 hash sha256 authentication preshared-key dh-group modp1024 lifetime-of-time 12h
ipsec security-association proposal add SAPtest pfs-group modp1024 authentication-algorithm hmac-sha256 encryption-algorithm aes256 lifetime-of-time 6h
ike preshared-key add "192.168.57.100" "test"
ike peer add PEERtest address 192.168.57.100 exchange-mode main proposals IKEPtest my-identifier address peers-identifier address initial-contact enable tunnel-interface enable
ike auto-initiation enable
ipsec security-association add SAtest tunnel-interface ipsec0 ike SAPtest esp enable
seil-2
hostname seil-2
interface lan1 add 192.168.57.100/24
interface lan2 add 10.2.0.1/24
route dyna bgp my-as 65502
route dyna bgp router 10.0.0.2
route dyna bgp nei add 10.3.0.1 remote 65501
route dyna bgp network add 10.2.0.0/24
route dyna bgp en
route add 192.168.56.100 192.168.57.110
interface ipsec0 tunnel 192.168.57.100 192.168.56.100
interface ipsec0 addr 10.3.0.2/30 remote 10.3.0.1
ike proposal add IKEPtest encryption aes256 hash sha256 authentication preshared-key dh-group modp1024 lifetime-of-time 12h
ipsec security-association proposal add SAPtest pfs-group modp1024 authentication-algorithm hmac-sha256 encryption-algorithm aes256 lifetime-of-time 6h
ike preshared-key add "192.168.56.100" "test"
ike peer add PEERtest address 192.168.56.100 exchange-mode main proposals IKEPtest my-identifier address peers-identifier address initial-contact enable tunnel-interface enable
ike auto-initiation enable
ipsec security-association add SAtest tunnel-interface ipsec0 ike SAPtest esp enable
Result
ttl=255
seil-1# ping 10.3.0.2
PING 10.3.0.2 (10.3.0.2): 56 data bytes
64 bytes from 10.3.0.2: icmp_seq=0 ttl=255 time=3.632 ms
Route information is now received, but...
seil-1# sh statu route dyna bgp nei
BGP neighbor is 10.3.0.2, remote AS 65502, local AS 65501, external link
BGP version 4, remote router ID 10.0.0.2
BGP state = Established, up for 00:15:10
Last read 00:00:10, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
4 Byte AS: advertised and received
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 1 0
Notifications: 0 0
Updates: 1 1
Keepalives: 17 16
Route Refresh: 0 0
Capability: 0 0
Total: 19 17
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Community attribute sent to this neighbor(both)
1 accepted prefixes
Connections established 1; dropped 0
Last reset never
Local host: 10.3.0.1, Local port: 179
Foreign host: 10.3.0.2, Foreign port: 65533
Nexthop: 10.3.0.1
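As an added example (not from the original post and not SEIL's own tooling), here is a small Python parser for the "sh statu route dyna bgp nei" output seen in the three cases above. It pulls out the neighbour, state, accepted-prefix count and message counters, and classifies the session into the three situations observed here: not established (case-1), established with no accepted prefixes (IPsec SA only), and established with routes (ipsec0 interface). The sample strings are abridged copies of the outputs on this page, constructed as test input; the field names and the three classification labels are my own choice.

```python
import re
from typing import Dict, Tuple

# Constructed samples: abridged copies of the three "sh statu route dyna bgp nei"
# outputs shown on this page (case-1, IPsec SA only, IPsec with ipsec0 interface).
CASE1 = """\
BGP neighbor is 192.168.57.100, remote AS 65502, local AS 65501, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Active
Message statistics:
Sent Rcvd
Opens: 0 0
Updates: 0 0
Keepalives: 0 0
Total: 0 0
For address family: IPv4 Unicast
0 accepted prefixes
Connections established 0; dropped 0
"""

CASE2 = """\
BGP neighbor is 192.168.57.100, remote AS 65502, local AS 65501, external link
BGP version 4, remote router ID 10.0.0.2
BGP state = Established, up for 00:00:43
Message statistics:
Sent Rcvd
Opens: 1 0
Updates: 1 1
Keepalives: 2 1
Total: 4 2
For address family: IPv4 Unicast
0 accepted prefixes
Connections established 1; dropped 0
"""

CASE3 = """\
BGP neighbor is 10.3.0.2, remote AS 65502, local AS 65501, external link
BGP version 4, remote router ID 10.0.0.2
BGP state = Established, up for 00:15:10
Message statistics:
Sent Rcvd
Opens: 1 0
Updates: 1 1
Keepalives: 17 16
Total: 19 17
For address family: IPv4 Unicast
1 accepted prefixes
Connections established 1; dropped 0
"""

HEADER = re.compile(r"BGP neighbor is (\S+), remote AS (\d+), local AS (\d+)")
STATE = re.compile(r"BGP state = (\w+)")
PREFIXES = re.compile(r"(\d+) accepted prefixes")
CONNS = re.compile(r"Connections established (\d+); dropped (\d+)")
COUNTER = re.compile(
    r"^(Opens|Notifications|Updates|Keepalives|Route Refresh|Capability|Total):\s+(\d+)\s+(\d+)$"
)


def _must(pattern: "re.Pattern[str]", text: str) -> "re.Match[str]":
    # Fail loudly if the output does not look like a SEIL neighbor block.
    m = pattern.search(text)
    if m is None:
        raise ValueError(f"expected a line matching {pattern.pattern!r} in neighbor output")
    return m


def parse_bgp_neighbor(text: str) -> Dict[str, object]:
    """Extract the fields that decide whether a SEIL BGP neighbor is healthy."""
    head = _must(HEADER, text)
    info: Dict[str, object] = {
        "neighbor": head.group(1),
        "remote_as": int(head.group(2)),
        "local_as": int(head.group(3)),
        "state": _must(STATE, text).group(1),  # Active / Established / ...
        "accepted_prefixes": int(_must(PREFIXES, text).group(1)),
        "established": int(_must(CONNS, text).group(1)),
        "dropped": int(_must(CONNS, text).group(2)),
    }
    counters: Dict[str, Tuple[int, int]] = {}  # message name -> (sent, received)
    for line in text.splitlines():
        m = COUNTER.match(line.strip())
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    info["counters"] = counters
    return info


def diagnose(info: Dict[str, object]) -> Tuple[str, str]:
    """Classify the neighbor into the three situations seen in the cases above."""
    counters = info["counters"]
    if info["state"] != "Established":
        opens = counters.get("Opens", (0, 0))
        return ("DOWN", f"{info['neighbor']}: state {info['state']}, OPEN sent/received "
                        f"{opens[0]}/{opens[1]}; no TCP session completed")
    if info["accepted_prefixes"] == 0:
        sent, rcvd = counters.get("Updates", (0, 0))
        return ("NO_PREFIXES", f"{info['neighbor']}: session up, UPDATE sent/received {sent}/{rcvd}, "
                               "but 0 accepted prefixes; check the next-hop of what the peer sends")
    return ("OK", f"{info['neighbor']}: {info['accepted_prefixes']} prefix(es) accepted "
                  f"from AS{info['remote_as']}")


if __name__ == "__main__":
    for name, text in (("case-1", CASE1), ("ipsec-sa", CASE2), ("ipsec0", CASE3)):
        level, msg = diagnose(parse_bgp_neighbor(text))
        print(f"{name:9s} {level:12s} {msg}")
```

Feed it the raw output of the command (for example from a scripted SSH session) and alert on anything other than OK; the DOWN/NO_PREFIXES split is what separates case-1 from the IPsec-SA-only case on this page.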
...naturally, the next hop goes via the ipsec interface.
seil-1# sh statu route dyna bgp
BGP table version is 0, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop     Metric LocPrf Weight Path
*> 10.1.0.0/24      0.0.0.0           0         32768 i
*> 10.2.0.0/24      10.3.0.2          0             0 65502 i
Total number of prefixes 2
seil-1# sh statu route
Flags: C - Connected, M - Miscellaneous, B - BGP, O - OSPF, R - RIP, S - Static
* - System route, ! - inconsistent
Destination         Gateway          Interface  Flags  Dist.
10.0.2.0/24         lan0             lan0       C*     0
10.1.0.0/24         lan2             lan2       C*     0
10.2.0.0/24         10.3.0.2         ipsec0     B*     20
10.3.0.0/30         ipsec0           ipsec0     C*     0
10.3.0.1/32         127.0.0.1        loopback   M*     0
127.0.0.0/8         loopback         loopback   C*     0
192.168.56.0/24     lan1             lan1       C*     0
192.168.57.100/32   192.168.56.110   lan1       S*     1
224.0.0.0/4         127.0.0.1        loopback   M*     -
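As an added example, not part of the original post and not a SEIL feature: a Python helper that parses the "sh statu route" table above, does a longest-prefix lookup the way the forwarding plane would, and lists the BGP-learned routes whose egress interface is not the one the external firewall sits on. It makes the point of this section checkable: the 10.2.0.0/24 route leaves via ipsec0, so the firewall between the SEILs only ever sees ESP, not the inner traffic. The table string is constructed from the page output; the assumption that lan1 is the firewall-facing interface is mine, from the topology above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "sh statu route" output on this page, re-typed as test input.
ROUTE_TABLE = """\
Flags: C - Connected, M - Miscellaneous, B - BGP, O - OSPF, R - RIP, S - Static
* - System route, ! - inconsistent
Destination Gateway Interface Flags Dist.
10.0.2.0/24 lan0 lan0 C* 0
10.1.0.0/24 lan2 lan2 C* 0
10.2.0.0/24 10.3.0.2 ipsec0 B* 20
10.3.0.0/30 ipsec0 ipsec0 C* 0
10.3.0.1/32 127.0.0.1 loopback M* 0
127.0.0.0/8 loopback loopback C* 0
192.168.56.0/24 lan1 lan1 C* 0
192.168.57.100/32 192.168.56.110 lan1 S* 1
224.0.0.0/4 127.0.0.1 loopback M* -
"""

# Assumption for this topology: only lan1 carries traffic past the external firewall (fw).
FIREWALL_FACING = {"lan1"}

# One table row: destination, gateway, interface, flags (source letter plus * or !), distance or "-".
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([CMBORS][*!]*)\s+(\d+|-)$")


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    gateway: str
    interface: str
    flags: str
    distance: Optional[int]

    @property
    def protocol(self) -> str:
        return self.flags[0]  # first flag letter is the route source (C, M, B, O, R, S)


def parse_route_table(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # the legend and header lines do not have the five-column row shape
        dest, gw, iface, flags, dist = m.groups()
        routes.append(Route(ipaddress.ip_network(dest), gw, iface, flags,
                            None if dist == "-" else int(dist)))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match: the route the box would actually forward on."""
    ip = ipaddress.ip_address(address)
    candidates = [r for r in routes if ip in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.destination.prefixlen)


def routes_bypassing_firewall(routes: List[Route], inspected=FIREWALL_FACING,
                              protocols=("B",)) -> List[Route]:
    """Learned routes (BGP by default) whose egress interface the external firewall never sees in clear."""
    return [r for r in routes if r.protocol in protocols and r.interface not in inspected]


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    for r in routes_bypassing_firewall(table):
        print(f"{r.destination} via {r.gateway} on {r.interface} bypasses the external firewall")
    hop = lookup(table, "10.2.0.5")
    print("10.2.0.5 ->", hop.gateway if hop else "no route", hop.interface if hop else "")
```

Running it against the table above flags only 10.2.0.0/24; everything that does go out lan1 (the tunnel endpoint 192.168.57.100/32) is the ESP wrapper the firewall can see but not inspect, which is why the text says a firewall is needed on the inside.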
This means the firewall on the outside cannot control the traffic, so a firewall would be needed on the inside.
Conclusion
It could not be done.
If the segments beyond the BGP peer are known,
SEIL's filter settings can rewrite the next-hop, so it could probably be made to work somehow.
Or rather, just rewrite the next-hop for every address that is not planned for use on the inside.
If traffic from the inside reaches the SEIL/x86, it is presumably traffic that should go onward anyway.