4
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

YAMAHA NVR700WのTwice NATでOracle Cloudとオンプレミスが重複するNetworkどうしを通信できるようにしてみてみた

Last updated at Posted at 2019-09-08

■目的
重複するNetworkどうしは接続することができません。
プライベートアドレスの重複は、企業の合併やCloud化に伴うOn-PremisesとPublic CloudとのHyblid Cloudによるネットワークの再編等で、 しばしば発生します。
ということでIP変換を行い重複しないように双方向NAT(Twice NAT)で通信できるようにしてみてみます。

Twice NATは、 RFC2663で定義されている用語で、 始点アドレスと終点アドレスの両方を書き換える方式です
この方式を使う典型例は、プライベートアドレスが衝突しているネットワークを扱うときです。
Twice NATは、1台のNATデバイスで「内部の送信元アドレス変換」と「外部の送信元アドレス変換」を同時に行うことができます。
双方向にアドレスが変換されることから、内部ホストも外部ホストの双方ともお互いのIPアドレスを知ることなく通信することが可能です。

#■構成
NW構成.png

まず順方向で1のディスクリプターを適用し、 その後、逆方向で2のディスクリプターを適用します。
この設定にしたがえば、N1(On-Premises)からはN2(OCI)が10.200.200.0/24に見え、 N2(OCI)からはN1(On-Premises)が10.100.100.0/24に見えるようになります。
例えば、N1(On-Premises)からN2(OCI)に対して、 次のようなパケットを送信すると、

始点アドレス: 192.168.100.2
終点アドレス: 10.200.200.2

N2(OCI)に届くときには、次のように変換されることになります。

始点アドレス: 10.100.100.2
終点アドレス: 192.168.100.2

#■事前準備
YAMAHA NVR700wを使用してOracle Cloud にIPsec VPN接続しておきます。
・参考:YAMAHA NVR700wでOCIへIPsec VPN接続してみてみた

#■NVR700W手順
##●Twice NAT設定
「reverse」は、 NATディスクリプターを逆方向に適用するキーワードです
「reverse」を使用してNATディスクリプターを双方向で適用させる場合は、 順方向と逆方向の両側のNATディスクリプターのタイプを「nat」にする必要があり、IPSecのTunnelに順方向で1のディスクリプターを適用し、 その後、逆方向で2のディスクリプターを適用します

    tunnel select 1
     ip tunnel nat descriptor 1 reverse 2
    
    tunnel select 2
     ip tunnel nat descriptor 1 reverse 2

    nat descriptor type 1 nat
     nat descriptor address outer 1 10.200.200.1-10.200.200.254
     nat descriptor static 1 31000 10.200.200.1=192.168.100.1 254

    nat descriptor type 2 nat
     nat descriptor address outer 2 10.100.100.1-10.100.100.254
     nat descriptor static 2 31000 10.100.100.1=192.168.100.1 254

##●Rute追加設定

    ip route 10.100.100.0/24 gateway tunnel 1 hide gateway tunnel 2 hide

##●Route設定確認

# show ip route
    Destination         Gateway          Interface       Kind  Additional Info.
    default             200.200.200.201   WAN1(PDP)    static
    10.100.100.0/24     -                 TUNNEL[1]    static
    10.100.100.0/24     -                 TUNNEL[2]    static
    ・・・
    192.168.100.0/24    192.168.100.254        LAN1  implicit

#■OCI設定
On-Premise側の192.168.100.0/24は10.200.200.0/24に変換されるため、
Route TableとSecurity Listを設定して10.200.200.0/24が疎通できる様に設定

##●Route Table設定
10.200.200.0/24がDRGを通る様に設定
RT01.png

##●Security List設定
10.200.200.0/24が通る様にFirewallを設定
SL01.png

#■接続確認
##●On-Premise -> OCI 接続確認
・ping確認

root@onp-inst01:~ $ ping 10.100.100.2 -c 3
    PING 10.100.100.2 (10.100.100.2) 56(84) bytes of data.
    64 bytes from 10.100.100.2: icmp_seq=1 ttl=62 time=79.6 ms
    64 bytes from 10.100.100.2: icmp_seq=2 ttl=62 time=91.8 ms
    64 bytes from 10.100.100.2: icmp_seq=3 ttl=62 time=81.7 ms

    --- 10.100.100.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 79.670/84.413/91.856/5.338 ms

・ssh接続確認

root@onp-inst01:~ $ ssh -i id_rsa opc@10.100.100.2
    The authenticity of host '10.100.100.2 (10.100.100.2)' can't be established.
    ECDSA key fingerprint is SHA256:b/NwTgHlSIbcMf/OpndkI+beEyf7TfT1f.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.100.100.2' (ECDSA) to the list of known hosts.
    Last login: Sun Sep  8 11:21:47 2019 from 10.200.200.2

    [opc@oci-inst01 ~]$ hostname
        oci-inst01

##●OCI -> On-Premises確認
・ping確認

[opc@oci-inst01 ~]$ ping 10.200.200.2 -c 3
    PING 10.200.200.2 (10.200.200.2) 56(84) bytes of data.
    64 bytes from 10.200.200.2: icmp_seq=1 ttl=62 time=109 ms
    64 bytes from 10.200.200.2: icmp_seq=2 ttl=62 time=101 ms
    64 bytes from 10.200.200.2: icmp_seq=3 ttl=62 time=113 ms

    --- 10.200.200.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 101.981/108.291/113.045/4.648 ms

・ssh接続確認

[opc@oci-inst01 ~]$ ssh root@10.200.200.2
    The authenticity of host '10.200.200.2 (10.200.200.2)' can't be established.
    ECDSA key fingerprint is SHA256:IyO/duiavlgoauEpbkK35CP3QT9QF.
    ECDSA key fingerprint is MD5:2e:2b:3c:5c:68:e3:34:80:a2:5b:e7.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.200.200.2' (ECDSA) to the list of known hosts.
    root@10.200.200.2's password:
        Linux onp-inst01 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l

        The programs included with the Debian GNU/Linux system are free software;
        the exact distribution terms for each program are described in the
        individual files in /usr/share/doc/*/copyright.

        Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
        permitted by applicable law.
        Last login: Sun Sep  8 23:08:09 2019 from 192.168.100.2

    pi@onp-inst01:~ $ hostname
        onp-inst01

#■参考
##●Config

# show config
    # NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
    # MAC Address : 00:a0:ef:a1, 00:a0:de:e7:59:45
    # Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
    # main:  NVR700W ver=00 serial=NVR700W MAC-Address=00:a0:ef:a1 MAC-Addr
    ess=00:a0:ef:a2
    # Reporting Date: Sep 8 20:25:23 2019
    hboard,lan-map,config login-timer=300
    console character en.ascii
    ip route default gateway pdp wan1
    ip route 10.100.100.0/24 gateway tunnel 1 hide gateway tunnel 2 hide
    ip lan1 address 192.168.100.254/24
    ip wan1 address pdp
    ip wan1 secure filter in 300003 300020 300021 300022 300023 300024 300025 30003
    0 300032
    ip wan1 secure filter out 300013 300020 300021 300022 300023 300024 300025 3000
    26 300027 300099 dynamic 300080 300081 300082 300083 300084 300085 300098 30009
    9
    ip wan1 nat descriptor 31000
    wan1 bind wwan 1
    wwan select 1
    description wwan AION
    wwan always-on on
    wwan auth accept chap
    wwan auth myname aion@aion sim
    wwan auto connect on
    wwan disconnect time off
    wwan disconnect input time off
    wwan disconnect output time off
    wwan access-point name 4gn.jp
    wwan access limit length off
    wwan access limit time off
    wwan enable 1
    tunnel select 1
    description tunnel OCI-VPN1
    ipsec tunnel 1
    ipsec sa policy 1 1 esp aes256-cbc sha-hmac
    ipsec ike duration ipsec-sa 1 3600
    ipsec ike duration isakmp-sa 1 28800
    ipsec ike encryption 1 aes256-cbc
    ipsec ike group 1 modp1536
    ipsec ike hash 1 sha256
    ipsec ike keepalive log 1 off
    ipsec ike keepalive use 1 on dpd 5 4
    ipsec ike local address 1 200.200.200.201
    ipsec ike local id 1 0.0.0.0/0
    ipsec ike nat-traversal 1 on
    ipsec ike pfs 1 on
    ipsec ike pre-shared-key 1 text IPSecPassword
    ipsec ike remote address 1 100.100.100.101
    ipsec ike remote id 1 0.0.0.0/0
    ip tunnel address 192.168.0.101/30
    ip tunnel remote address 192.168.0.102
    ip tunnel nat descriptor 1 reverse 2
    ip tunnel tcp mss limit auto
    tunnel enable 1
    tunnel select 2
    description tunnel OCI-VPN2
    ipsec tunnel 2
    ipsec sa policy 2 2 esp aes256-cbc sha-hmac
    ipsec ike duration ipsec-sa 2 3600
    ipsec ike duration isakmp-sa 2 28800
    ipsec ike encryption 2 aes256-cbc
    ipsec ike group 2 modp1536
    ipsec ike hash 2 sha256
    ipsec ike keepalive log 2 off
    ipsec ike keepalive use 2 on dpd 5 4
    ipsec ike local address 2 200.200.200.201
    ipsec ike local id 2 0.0.0.0/0
    ipsec ike nat-traversal 2 on
    ipsec ike pfs 2 on
    ipsec ike pre-shared-key 2 text IPSecPassword
    ipsec ike remote address 2 100.100.100.102
    ipsec ike remote id 2 0.0.0.0/0
    ip tunnel address 192.168.0.105/30
    ip tunnel remote address 192.168.0.106
    ip tunnel nat descriptor 1 reverse 2
    ip tunnel tcp mss limit auto
    tunnel enable 2
    ip filter 300000 reject 10.0.0.0/8 * * * *
    ip filter 300001 reject 172.16.0.0/12 * * * *
    ip filter 300002 reject 192.168.0.0/16 * * * *
    ip filter 300003 reject 192.168.100.0/24 * * * *
    ip filter 300010 reject * 10.0.0.0/8 * * *
    ip filter 300011 reject * 172.16.0.0/12 * * *
    ip filter 300012 reject * 192.168.0.0/16 * * *
    ip filter 300013 reject * 192.168.100.0/24 * * *
    ip filter 300020 reject * * udp,tcp 135 *
    ip filter 300021 reject * * udp,tcp * 135
    ip filter 300022 reject * * udp,tcp netbios_ns-netbios_ssn *
    ip filter 300023 reject * * udp,tcp * netbios_ns-netbios_ssn
    ip filter 300024 reject * * udp,tcp 445 *
    ip filter 300025 reject * * udp,tcp * 445
    ip filter 300026 restrict * * tcpfin * www,21,nntp
    ip filter 300027 restrict * * tcprst * www,21,nntp
    ip filter 300030 pass * 192.168.100.0/24 icmp * *
    ip filter 300031 pass * 192.168.100.0/24 established * *
    ip filter 300032 pass * 192.168.100.0/24 tcp * ident
    ip filter 300033 pass * 192.168.100.0/24 tcp ftpdata *
    ip filter 300034 pass * 192.168.100.0/24 tcp,udp * domain
    ip filter 300035 pass * 192.168.100.0/24 udp domain *
    ip filter 300036 pass * 192.168.100.0/24 udp * ntp
    ip filter 300037 pass * 192.168.100.0/24 udp ntp *
    ip filter 300099 pass * * * * *
    ip filter 500000 restrict * * * * *
    ip filter dynamic 300080 * * ftp
    ip filter dynamic 300081 * * domain
    ip filter dynamic 300082 * * www
    ip filter dynamic 300083 * * smtp
    ip filter dynamic 300084 * * pop3
    ip filter dynamic 300085 * * submission
    ip filter dynamic 300098 * * tcp
    ip filter dynamic 300099 * * udp
    nat descriptor type 1 nat
    nat descriptor address outer 1 10.200.200.1-10.200.200.254
    nat descriptor static 1 31000 10.200.200.1=192.168.100.1 254
    nat descriptor type 2 nat
    nat descriptor address outer 2 10.100.100.1-10.100.100.254
    nat descriptor static 2 31000 10.100.100.1=192.168.100.1 254
    nat descriptor type 31000 masquerade
    nat descriptor address outer 31000 primary
    nat descriptor masquerade static 31000 1 192.168.100.254 udp 500
    nat descriptor masquerade static 31000 2 192.168.100.254 esp
    ipsec auto refresh on
    telnetd service off
    dhcp service server
    dhcp server rfc2131 compliant except remain-silent
    dhcp scope 1 192.168.100.2-192.168.100.249/24
    dns host lan1
    dns server pdp wan1
    dns server select 500401 pdp wan1 any .
    dns private address spoof on
    dns private name setup.netvolante.jp
    analog supplementary-service pseudo call-waiting
    analog extension dial prefix sip prefix="9#"
    sshd service on
    sshd host key generate *
    statistics traffic on
    wwan-module use on

##●資料
 ・ヤマハネットワーク機器の技術資料:Twice NAT機能
 ・Twice NAT機能を利用した拠点間接続 : コマンド設定

4
1
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
4
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?