
Oracle Cloud: Connecting an NEC UNIVERGE IX router to OCI over IPsec VPN

Posted at 2019-04-20

The UNIVERGE IX series is a line of enterprise high-speed access routers designed for building VPNs over the increasingly fast broadband lines now available.

NEC verified the IPsec connection and prepared the configuration for me, so I tried it out right away.
NEC UNIVERGE IX routers have a network-monitor (watch-group) feature that allows a redundant two-unit configuration, but since I have only one Internet line, this is a single-CPE setup.

■Topology

(topology diagram: 構成図.png)

■NEC UNIVERGE IX router setup

●Preparing and connecting the serial cable

To connect from the MacBook (onp-inst01) USB port to the router's serial port you need the following two items:

・Console cable
Reference: Cisco Systems Cisco RJ-45 DB-9

・USB-to-serial adapter
Reference: BUFFALO BSUSRC0610BS

① Connect the two items together
② Plug the USB end into the Mac (onp-inst01)
③ Plug the RJ-45 end into the serial (console) port of the NEC IX router

●Console connection

① Log in to the Mac (onp-inst01) and identify the serial cable's device node with the following command

[root@onp-inst ~]$ ls -l /dev/tty.*
    crw-rw-rw-  1 root  wheel   18,   0  4  3 09:21 /dev/tty.Bluetooth-Incoming-Port
    crw-rw-rw-  1 root  wheel   18,   4  4  8 23:39 /dev/tty.usbserial-FTRTJ5Y8
==> confirm that tty.usbserial-FTRTJ5Y8 has been recognized

② Open a console session to the NEC IX router

[root@onp-inst ~]$ screen /dev/tty.usbserial-FTRTJ5Y8
Router#

●IX router initialization

    Router# default-console command-line
        % You must RELOAD the router for this configuration to take effect.

    Router# reload
            % Warning: current running-configuration is not saved yet.
            Notice: The router will be RELOADED. This is to ensure that
                    the peripheral devices are properly initialized.
            Are you sure you want to reload the router? (Yes or [No]): Yes


            NEC Bootstrap Software
            Copyright (c) 2001-2008 NEC Infrontia All Rights Reserved.

            %BOOT-INFO: Trying flash load, exec-image [ix-ms-8.3.39.ldc].
            Loading: ################################################### [OK]


            Starting at 0x20000

            Configuring router subsystems (before IDB proc): done.
            Constructing IDB(Interface Database): done.
            Configuring router subsystems (after IDB proc): done.
            Initializing router subsystems: done.
            Starting router subsystems: done.

            All router subsystems coming up.




            NEC Portable Internetwork Core Operating System Software
            Copyright Notices:
            Copyright (c) 2001-2008 NEC Infrontia All Rights Reserved.
            Copyright (c) 1985-1998 OpenROUTE Networks, Inc.
            Copyright (c) 1984-1987, 1989 J. Noel Chiappa.
Router#

●Checking the initial state

Router# enable-config
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# show running-config
    Current configuration : 578 bytes

    ! NEC Portable Internetwork Core Operating System Software
    ! IX Series IX (magellan-sec) Software, Version 8.3.39, RELEASE SOFTWARE
    ! Compiled Jul 03-Fri-2009 10:39:09 JST #1
    ! Current time Apr 08-Mon-2019 22:53:07 JST
    !
    !
    timezone +09 00
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    device FastEthernet0
    !
    device FastEthernet1
    !
    interface FastEthernet0.0
      no ip address
      shutdown
    !
    interface FastEthernet1.0
      no ip address
      shutdown
    !
    interface Loopback0.0
      no ip address
    !
    interface Null0.0
      no ip address

●LAN-side IP configuration

Router# enable-config
    Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface FastEthernet1.0
  ip address 192.168.100.254/24
  no shutdown

●Creating a login user

Router(config)# username opc password plain <password> administrator
    % User 'opc' has been added.

●Enabling Telnet

① Enable Telnet

Router(config)# telnet-server ip enable

Telnet carries the login and everything typed afterwards in cleartext, so use it only from the LAN segment while setting up, and disable it again once it is no longer needed.

② Install a telnet client on the Mac (onp-inst01)
macOS does not ship a telnet client, so install one

[root@onp-inst ~]$ brew install inetutils
        Updating Homebrew...
        ==> Auto-updated Homebrew!
        Updated 2 taps (homebrew/core and homebrew/cask).
        ==> New Formulae
        aliyun-cli          ccls                lazygit             volt
        breezy              embree              protobuf@3.6
        ==> Updated Formulae
        gnutls ✔                   ffe                        lorem
        activemq                   fio                        lxc

        ・・・

        ==> inetutils
            The following commands have been installed with the prefix 'g'.

                dnsdomainname
                ftp
                rcp
                rexec
                rlogin
                rsh
                telnet

            If you really need to use these commands with their normal names, you
            can add a "gnubin" directory to your PATH from your bashrc like:

                PATH="/usr/local/opt/inetutils/libexec/gnubin:$PATH"

③ Verify the telnet connection from the Mac (onp-inst01) to the NEC IX router

[root@onp-inst ~]$ telnet 192.168.100.254
        Trying 192.168.100.254...
        Connected to 192.168.100.254.
        Escape character is '^]'.


    login: root
    Password:
        NEC Portable Internetwork Core Operating System Software
        Copyright Notices:
        Copyright (c) 2001-2008 NEC Infrontia All Rights Reserved.
        Copyright (c) 1985-1998 OpenROUTE Networks, Inc.
        Copyright (c) 1984-1987, 1989 J. Noel Chiappa.
    Router#

●Web UI access settings

The web console is also disabled by default, so enable it if you need it.
With the web console you can configure the Internet connection easily from a web browser.
The access list it references, web_console, is defined in the next section (ip access-list web_console permit ip src any dest 192.168.100.254/32): it only permits requests addressed to the LAN-side IP, so the web console is not reachable via the PPPoE address. This is the HTTP server, not HTTPS, which is another reason to keep it LAN-only.

Router(config)# http-server username root
Router(config)# http-server ip access-list web_console
Router(config)# http-server ip enable

●Internet (PPPoE + IPoE) connection settings

Connect the router to the Internet.

① Internet connection settings

NEC provides a web-based sample config generation tool (サンプルコンフィグ作成ツール, listed under References), so the settings can also be generated with it; that is what was used here.
(screenshot: IXルータープロバイダ接続Webコンフィグ.png)

② Check the config

Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# show running-config
Current configuration : 1686 bytes

! NEC Portable Internetwork Core Operating System Software
! IX Series IX (magellan-sec) Software, Version 8.3.39, RELEASE SOFTWARE
! Compiled Jul 03-Fri-2009 10:39:09 JST #1
! Current time Apr 20-Sat-2019 22:03:38 JST
!
!
hostname Router
timezone +09 00
!
!
!
username root password hash 1CE12A45B8 administrator
!
!
!
!
!
!
logging buffered 131072
logging subsystem all warn
logging timestamp datetime
!
!
ip ufs-cache enable
ip route default FastEthernet0.1
ip dhcp enable
ip access-list web_console permit ip src any dest 192.168.100.254/32
!
!
!
!
!
!
!
!
proxy-dns ip enable
proxy-dns ip query-interval 1
proxy-dns interface FastEthernet0.1 priority 254
!
telnet-server ip enable
!
http-server username root
http-server ip access-list web_console
http-server ip enable
!
!
!
!
!
!
ppp profile web_fastethernet0.1
  authentication myname n1297@ntt.ne.jp
  authentication password n1297@ntt.ne.jp
!
ip dhcp profile web_fastethernet1.0
  assignable-range 192.168.100.60 192.168.100.65
  dns-server 192.168.100.254
!
device FastEthernet0
!
device FastEthernet1
!
interface FastEthernet0.0
  no ip address
  shutdown
!
interface FastEthernet1.0
  ip address 192.168.100.254/24
  ip dhcp binding web_fastethernet1.0
  no shutdown
!
interface FastEthernet0.1
  description Ntt
  encapsulation pppoe
  auto-connect
  ppp binding web_fastethernet0.1
  ip address ipcp
  ip mtu 1454
  ip tcp adjust-mss auto
  ip napt enable
  ip napt static FastEthernet0.1 udp 500
  no shutdown
!
interface Loopback0.0
  no ip address
!
interface Null0.0
  no ip address

③ Check Internet connectivity

[root@onp-inst ~]$ ping google.com -c 3
    PING google.com (172.217.20.110) 56(84) bytes of data.
    64 bytes from fra02s28-in-f14.1e100.net (172.217.20.110): icmp_seq=1 ttl=57 time=81.1 ms
    64 bytes from fra02s28-in-f14.1e100.net (172.217.20.110): icmp_seq=2 ttl=57 time=81.1 ms
    64 bytes from fra02s28-in-f14.1e100.net (172.217.20.110): icmp_seq=3 ttl=57 time=81.1 ms

    --- google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 81.156/81.160/81.170/0.329 ms

●Saving the configuration

Now that Internet connectivity is confirmed, save the router configuration so that it survives a reboot

Router-IX(config)# write memory
    Building configuration...
    % Warning: do NOT enter CNTL/Z while saving to avoid config corruption.

■OCI IPsec VPN setup

● Create the Customer-Premises Equipment (CPE)

In the OCI console, go to Networking, open the Customer-Premises Equipment page, register the NEC IX router's public IP address (200.200.200.201) and create the CPE.

● Create the IPSec Connection on the DRG

Create the IPSec Connection on the DRG, registering the home CIDR as its static route. The original post writes 192.168.100.0/16, but the LAN interface is configured as 192.168.100.0/24 and 192.168.100.0/16 is not a valid prefix for that address, so register 192.168.100.0/24.

● Note the IPSec Connection's tunnel information

After creation, click the Actions icon (・・・) at the right end and choose Tunnel Information; note the "Public IP Address" and "Shared Secret" of each tunnel (OCI creates two), which are needed for the IPsec configuration on the NEC IX router. The shared secret is a credential: it is entered in cleartext in the ike policy ... key ... line, so treat the router configuration and its backups as secret.

■NEC IX router IPsec VPN configuration

●IPsec VPN configuration

Enter the following configuration. Both tunnels share one IKE proposal (AES-256, SHA-256, DH 1536-bit, i.e. group 5) and one ESP proposal (AES-256, HMAC-SHA-1, 3600 s lifetime) with PFS 1536-bit; there is one ike policy and one autokey-map per OCI tunnel endpoint (100.100.100.101 and 100.100.100.102), each carrying that tunnel's shared secret from the tunnel information, so replace the key values below with the secrets OCI generated. The sec-list any/any selector means everything routed into Tunnel0.0 or Tunnel1.0 is encrypted, the two routes for 10.0.0.0/16 point one at each tunnel, and each watch-group monitors the peer over its tunnel and, on loss, withdraws that tunnel's 10.0.0.0/16 route and clears its SAs so traffic fails over to the other tunnel.

ip route 10.0.0.0/16 Tunnel0.0
ip route 10.0.0.0/16 Tunnel1.0
ip access-list sec-list permit ip src any dest any
!
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1536-bit
!
ike policy ike-pol1 peer 100.100.100.101 key SHAREDSECCRET1eoO0a8Laqyvg7eic ike-prop
!
ike policy ike-pol2 peer 100.100.100.102 key SHAREDSECCRET2fkKwI2R7MUeBGFyp ike-prop
!
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha lifetime time 3600
!
ipsec autokey-map ipsec-map1 sec-list peer 100.100.100.101 ipsec-prop pfs 1536-bit
!
ipsec autokey-map ipsec-map2 sec-list peer 100.100.100.102 ipsec-prop pfs 1536-bit
!
watch-group watch_tunnel0 10
  event 20 ip unreach-host 100.100.100.101 Tunnel0.0 source FastEthernet1.0
  action 10 ip shutdown-route 10.0.0.0/16 Tunnel0.0
  action 20 ipsec clear-sa Tunnel0.0
!
network-monitor watch_tunnel0 enable
!
watch-group watch_tunnel1 10
  event 20 ip unreach-host 100.100.100.102 Tunnel1.0 source FastEthernet1.0
  action 10 ip shutdown-route 10.0.0.0/16 Tunnel1.0
  action 20 ipsec clear-sa Tunnel1.0
!
network-monitor watch_tunnel1 enable
!
interface Tunnel0.0
  tunnel mode ipsec
  ip unnumbered FastEthernet1.0
  ip tcp adjust-mss auto
  ipsec policy tunnel ipsec-map1 out
  no shutdown
!
interface Tunnel1.0
  tunnel mode ipsec
  ip unnumbered FastEthernet1.0
  ip tcp adjust-mss auto
  ipsec policy tunnel ipsec-map2 out
  no shutdown
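
As an added example, not part of the original post or of NEC's configuration, the following Python script parses the ike proposal, ike policy, ipsec autokey-proposal and ipsec autokey-map lines above and flags parameters that fall below a stated policy: DES/3DES/MD5, a DH or PFS group below group 5 (IX writes the group as a MODP size, so 1536-bit is group 5), a missing pfs, a phase-2 lifetime above 3600 s, or a short pre-shared key. The thresholds, the mapping of IX size keywords to group numbers, and the spelling of the weak keywords (des, md5, 768-bit) in the constructed weak sample are assumptions made for the example; the page's own six lines pass clean.

```python
"""Lint the IKE/IPsec parameter lines of a NEC IX running-config."""
import re

# Constructed sample: the IKE/IPsec lines from the config above, plus a second,
# deliberately weak tunnel. The keyword spellings des/md5/768-bit are assumed to
# follow the page's aes-256/sha2-256/1536-bit pattern; check them against the
# IX command reference before relying on them.
PAGE_CONFIG = """\
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1536-bit
ike policy ike-pol1 peer 100.100.100.101 key SHAREDSECCRET1eoO0a8Laqyvg7eic ike-prop
ike policy ike-pol2 peer 100.100.100.102 key SHAREDSECCRET2fkKwI2R7MUeBGFyp ike-prop
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha lifetime time 3600
ipsec autokey-map ipsec-map1 sec-list peer 100.100.100.101 ipsec-prop pfs 1536-bit
ipsec autokey-map ipsec-map2 sec-list peer 100.100.100.102 ipsec-prop pfs 1536-bit
"""
WEAK_CONFIG = """\
ike proposal legacy-prop encryption des hash md5 group 768-bit
ike policy legacy-pol peer 192.0.2.10 key secret legacy-prop
ipsec autokey-proposal legacy-ipsec esp-3des esp-md5 lifetime time 86400
ipsec autokey-map legacy-map sec-list peer 192.0.2.10 legacy-ipsec
"""

# Policy thresholds (assumptions for this example, not IX or OCI defaults).
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"md5", "esp-md5"}
DH_GROUP = {"768-bit": 1, "1024-bit": 2, "1536-bit": 5, "2048-bit": 14}  # IX MODP size -> IANA group
MIN_DH_GROUP = 5          # the page uses group 5 (1536-bit)
MAX_P2_LIFETIME = 3600    # seconds, as on the page
MIN_PSK_LEN = 20

IKE_PROPOSAL = re.compile(r"^ike proposal (\S+) encryption (\S+) hash (\S+) group (\S+)$")
IKE_POLICY = re.compile(r"^ike policy (\S+) peer (\S+) key (\S+) (\S+)$")
IPSEC_PROPOSAL = re.compile(r"^ipsec autokey-proposal (\S+) (\S+) (\S+) lifetime time (\d+)$")
IPSEC_MAP = re.compile(r"^ipsec autokey-map (\S+) (\S+) peer (\S+) (\S+)(?: pfs (\S+))?$")


def parse(config):
    """Collect IKE proposals/policies and IPsec proposals/maps from config text."""
    ike_props, ike_pols, ipsec_props, ipsec_maps = {}, [], {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := IKE_PROPOSAL.match(line):
            ike_props[m[1]] = {"enc": m[2], "hash": m[3], "group": m[4]}
        elif m := IKE_POLICY.match(line):
            ike_pols.append({"name": m[1], "peer": m[2], "key": m[3], "proposal": m[4]})
        elif m := IPSEC_PROPOSAL.match(line):
            ipsec_props[m[1]] = {"enc": m[2], "auth": m[3], "lifetime": int(m[4])}
        elif m := IPSEC_MAP.match(line):
            ipsec_maps.append({"name": m[1], "peer": m[3], "proposal": m[4], "pfs": m[5]})
    return ike_props, ike_pols, ipsec_props, ipsec_maps


def lint(config):
    """Return a list of findings; an empty list means every tunnel meets the policy."""
    findings = []
    ike_props, ike_pols, ipsec_props, ipsec_maps = parse(config)
    for pol in ike_pols:                      # phase 1: one policy per OCI tunnel endpoint
        where = f"ike policy {pol['name']} (peer {pol['peer']})"
        prop = ike_props.get(pol["proposal"])
        if prop is None:
            findings.append(f"{where}: unknown ike proposal {pol['proposal']}")
            continue
        if prop["enc"] in WEAK_CIPHERS:
            findings.append(f"{where}: weak IKE encryption {prop['enc']}")
        if prop["hash"] in WEAK_HASHES:
            findings.append(f"{where}: weak IKE hash {prop['hash']}")
        if DH_GROUP.get(prop["group"], 0) < MIN_DH_GROUP:
            findings.append(f"{where}: IKE DH group {prop['group']} below group {MIN_DH_GROUP}")
        if len(pol["key"]) < MIN_PSK_LEN:
            findings.append(f"{where}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    for amap in ipsec_maps:                   # phase 2: one autokey-map per tunnel
        where = f"ipsec autokey-map {amap['name']} (peer {amap['peer']})"
        prop = ipsec_props.get(amap["proposal"])
        if prop is None:
            findings.append(f"{where}: unknown ipsec proposal {amap['proposal']}")
            continue
        if prop["enc"] in WEAK_CIPHERS:
            findings.append(f"{where}: weak ESP encryption {prop['enc']}")
        if prop["auth"] in WEAK_HASHES:
            findings.append(f"{where}: weak ESP authentication {prop['auth']}")
        if prop["lifetime"] > MAX_P2_LIFETIME:
            findings.append(f"{where}: SA lifetime {prop['lifetime']}s exceeds {MAX_P2_LIFETIME}s")
        if amap["pfs"] is None:
            findings.append(f"{where}: PFS not enabled")
        elif DH_GROUP.get(amap["pfs"], 0) < MIN_DH_GROUP:
            findings.append(f"{where}: PFS group {amap['pfs']} below group {MIN_DH_GROUP}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name, "->", lint(cfg) or "OK")
```

Run it against a saved copy of show running-config before committing a change; the page's configuration produces no findings, while the weak sample produces eight, one per violated rule.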

●Verifying the IPsec connection

① Check the IPsec SAs

Router(config)# show  ipsec sa
IPsec SA - 2 configured, 4 created
Interface is Tunnel0.0
  Key policy map name is ipsec-map1
    Tunnel mode, 4-over-4, autokey-map
    Local address is 110.66.50.57
    Remote address is 100.100.100.101
    Outgoing interface is FastEthernet0.1
    Interface MTU is 1390, path MTU is 1454
    Inbound:
      ESP, SPI is 0x3517dfbd(890757053)
        Transform is ESP-AES-256-HMAC-SHA-96
        Remaining lifetime is 3324 seconds
      Replay detection support is on
    Outbound:
      ESP, SPI is 0x79b65d05(2041994501)
        Transform is ESP-AES-256-HMAC-SHA-96
        Remaining lifetime is 3324 seconds
      Replay detection support is on
    Perfect forward secrecy is 1536-bit
Interface is Tunnel1.0
  Key policy map name is ipsec-map2
    Tunnel mode, 4-over-4, autokey-map
    Local address is 110.66.50.57
    Remote address is 100.100.100.102
    Outgoing interface is FastEthernet0.1
    Interface MTU is 1390, path MTU is 1454
    Inbound:
      ESP, SPI is 0x4c7ba24d(1283170893)
        Transform is ESP-AES-256-HMAC-SHA-96
        Remaining lifetime is 3324 seconds
      Replay detection support is on
    Outbound:
      ESP, SPI is 0x783b0ce1(2017135841)
        Transform is ESP-AES-256-HMAC-SHA-96
        Remaining lifetime is 3324 seconds
      Replay detection support is on
    Perfect forward secrecy is 1536-bit
Router(config)#

② Check the IPsec statistics. In the output below, the 210 "failed" on the Sent side are exactly the 138 "key exchg req" plus the 72 "unavailable sa": packets that arrived while no SA existed yet and were dropped while triggering IKE. With decrypt failure, auth failure, invalid icv and replay errors all at 0 on the Rcvd side, this is normal bring-up noise rather than a tunnel fault; those four counters are the ones to watch once the tunnel is up.

Router(config)# show  ipsec statistics
IPsec statistics:
Rcvd: 5 process switching
      0 esp encap history des
      0 esp encap history 3des
      136 esp encap history aes
      0 esp encap history null
      0 esp auth history md5
      136 esp auth history sha1
      0 ah auth history md5
      0 ah auth history sha1
      136 succeeded
      0 sp errors, 0 not found esp sa, 0 not found ah sa
      0 esp errors, 0 ah errors, 0 ahesp errors
      0 decrypt failure, 0 auth failure, 0 invalid icv
      0 invalid key, 0 invalid pkt
      0 replay errors, 0 seq over
      0 seclevel miss, 0 other errors
      0 failed
Sent: 351 process switching
      0 esp encap history des
      0 esp encap history 3des
      141 esp encap history aes
      0 esp encap history null
      0 esp auth history md5
      141 esp auth history sha1
      0 ah auth history md5
      0 ah auth history sha1
      141 succeeded
      138 key exchg req, 72 unavailable sa
      0 esp errors, 0 ah errors, 0 ahesp errors
      0 encrypt failure, 0 auth failure
      0 seq over, 0 invalid key, 0 invalid pkt
      0 endpoint unreach, 0 encap size over
      0 nest over, 0 no buffer, 0 other errors
      210 failed
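
As an added example in Python, not from the post, the script below parses the two outputs above (abridged and embedded as a constructed sample, with SPI and lifetime lines dropped) and turns the manual check into assertions: every expected OCI peer has an inbound and an outbound SA with the expected transform, PFS and replay detection on, none of the hard-failure counters is non-zero, and the Sent "failed" count is fully accounted for by "key exchg req" plus "unavailable sa". The line formats are those of the page's output; which counters count as hard failures is my choice for the example.

```python
"""Parse and sanity-check `show ipsec sa` / `show ipsec statistics` from a NEC IX."""
import re

# Constructed sample: abridged copies of the two outputs shown above.
SHOW_IPSEC_SA = """\
IPsec SA - 2 configured, 4 created
Interface is Tunnel0.0
    Remote address is 100.100.100.101
        Transform is ESP-AES-256-HMAC-SHA-96
      Replay detection support is on
        Transform is ESP-AES-256-HMAC-SHA-96
      Replay detection support is on
    Perfect forward secrecy is 1536-bit
Interface is Tunnel1.0
    Remote address is 100.100.100.102
        Transform is ESP-AES-256-HMAC-SHA-96
      Replay detection support is on
        Transform is ESP-AES-256-HMAC-SHA-96
      Replay detection support is on
    Perfect forward secrecy is 1536-bit
"""
SHOW_IPSEC_STATISTICS = """\
IPsec statistics:
Rcvd: 5 process switching
      0 esp errors, 0 ah errors, 0 ahesp errors
      0 decrypt failure, 0 auth failure, 0 invalid icv
      0 replay errors, 0 seq over
      0 failed
Sent: 351 process switching
      138 key exchg req, 72 unavailable sa
      0 encrypt failure, 0 auth failure
      0 endpoint unreach, 0 encap size over
      210 failed
"""

COUNTER = re.compile(r"(\d+) ([a-z][a-z0-9 ]*?)(?=,|$)")
# Non-zero values here mean crypto or peer trouble, not tunnel bring-up (my choice).
HARD_FAIL = {("rcvd", "decrypt failure"), ("rcvd", "auth failure"), ("rcvd", "invalid icv"),
             ("rcvd", "replay errors"), ("rcvd", "esp errors"),
             ("sent", "encrypt failure"), ("sent", "auth failure"), ("sent", "endpoint unreach")}
# Packets dropped only because no SA existed yet (they are what triggers IKE).
BRINGUP = {("sent", "key exchg req"), ("sent", "unavailable sa")}


def parse_ipsec_sa(text):
    """One dict per tunnel interface: peer, transforms, SA count, replay flags, PFS."""
    tunnels, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Interface is "):
            cur = {"interface": s.split()[-1], "transforms": set(), "sa_count": 0, "replay": []}
            tunnels.append(cur)
        elif cur is None:
            continue
        elif s.startswith("Remote address is "):
            cur["peer"] = s.split()[-1]
        elif s.startswith("Transform is "):          # one line per SA (inbound, outbound)
            cur["transforms"].add(s.split()[-1])
            cur["sa_count"] += 1
        elif s.startswith("Replay detection support is "):
            cur["replay"].append(s.split()[-1] == "on")
        elif s.startswith("Perfect forward secrecy is "):
            cur["pfs"] = s.split()[-1]
    return tunnels


def parse_ipsec_statistics(text):
    """Map (section, counter name) -> value for the Rcvd: and Sent: blocks."""
    stats, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        for tag in ("Rcvd:", "Sent:"):
            if s.startswith(tag):
                section, s = tag[:-1].lower(), s[len(tag):].strip()
        if section:
            for m in COUNTER.finditer(s):
                stats[(section, m[2].strip())] = int(m[1])
    return stats


def assess(sa_text, stats_text, expected_peers, transform="ESP-AES-256-HMAC-SHA-96", pfs="1536-bit"):
    """Return a list of problems; empty means every expected tunnel is up and clean."""
    problems = []
    tunnels = parse_ipsec_sa(sa_text)
    for peer in sorted(set(expected_peers) - {t.get("peer") for t in tunnels}):
        problems.append(f"no SA for peer {peer}")
    for t in tunnels:
        name = t["interface"]
        if t["sa_count"] != 2:
            problems.append(f"{name}: expected inbound+outbound SA, found {t['sa_count']}")
        if t["transforms"] != {transform}:
            problems.append(f"{name}: unexpected transform {sorted(t['transforms'])}")
        if t.get("pfs") != pfs:
            problems.append(f"{name}: PFS is {t.get('pfs')}, expected {pfs}")
        if not all(t["replay"]):
            problems.append(f"{name}: replay detection off")
    stats = parse_ipsec_statistics(stats_text)
    for section, counter in sorted(HARD_FAIL):
        if stats.get((section, counter), 0):
            problems.append(f"{section} {counter} = {stats[(section, counter)]}")
    unexplained = stats.get(("sent", "failed"), 0) - sum(stats.get(k, 0) for k in BRINGUP)
    if unexplained > 0:
        problems.append(f"{unexplained} sent failures not explained by SA bring-up")
    return problems
```

Call assess() with the two command outputs and the set of OCI tunnel public IPs; an empty list is the "both tunnels healthy" result, and anything else names the tunnel or counter to look at. Feeding it the page's outputs returns an empty list.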

③ Ping test

Router(config)#  ping 10.0.0.254
  PING 192.168.100.254 > 10.0.0.254 56 data bytes
  64 bytes from 10.0.0.254: icmp_seq=0 ttl=63 time=170.547 ms
  64 bytes from 10.0.0.254: icmp_seq=1 ttl=63 time=174.769 ms
  64 bytes from 10.0.0.254: icmp_seq=2 ttl=63 time=168.885 ms

  --- 10.0.0.254 ping statistics ---
  3 packets transmitted, 3 packets received, 0% packet loss
  round-trip (ms)  min/avg/max = 168.885/171.400/174.769

■Connection test

●Ping check

Ping from the home Mac (onp-inst) to the OCI instance (oci-inst01)

[root@onp-inst ~]$ ping 10.0.0.254
  PING 10.0.0.254 (10.0.0.254): 56 data bytes
  64 bytes from 10.0.0.254: icmp_seq=0 ttl=61 time=244.067 ms
  64 bytes from 10.0.0.254: icmp_seq=1 ttl=61 time=183.464 ms
  64 bytes from 10.0.0.254: icmp_seq=2 ttl=61 time=172.075 ms
  64 bytes from 10.0.0.254: icmp_seq=3 ttl=61 time=174.417 ms
  ^C
  --- 10.0.0.254 ping statistics ---
  4 packets transmitted, 4 packets received, 0.0% packet loss
  round-trip min/avg/max/stddev = 172.075/193.506/244.067/29.500 ms

●SSH check

SSH from the home Mac (onp-inst) to the OCI instance (oci-inst01)

  [root@onp-inst ~]$ ssh -i id_rsa opc@10.0.0.254 hostname
     oci-inst01

■Saving the NEC UNIVERGE IX router configuration

Now that the IPsec VPN connection is confirmed, save the router configuration so that it survives a reboot

Router-IX(config)# write memory
    Building configuration...
    % Warning: do NOT enter CNTL/Z while saving to avoid config corruption.

■References

  ・VPN-capable high-speed access router UNIVERGE IX series

  ・UNIVERGE IX series configuration support: sample config generation tool (サンプルコンフィグ作成ツール)

  ・VPN connection to cloud services: configuration examples

  ・NEC IX VRRP watch-group configuration
