1. Introduction
Site-to-site VPN for IBM Cloud VPC comes in two flavours: policy-based VPN and route-based VPN.
https://cloud.ibm.com/docs/vpc?topic=vpc-using-vpn&interface=ui&locale=en
https://cloud.ibm.com/docs/vpc?topic=vpc-vpn-limitations&interface=ui&locale=en
https://cloud.ibm.com/docs/vpc?topic=vpc-vyatta-config&interface=ui#vyatta-config-route-based
Item | policy-based VPN | route-based VPN |
---|---|---|
Reachability | Can only talk to VSIs in the same Zone as the VPN Gateway (other Zones cannot be reached through the VPN Gateway), because a policy-based VPN Gateway cannot be selected as the next hop of a Custom Route. | Can also talk to VSIs in a Zone other than the one the VPN Gateway is in (provided Custom Routes and the like are configured appropriately). |
Configuration | Active/Standby | Active/Active (so the peer VPN server also needs a mechanism that chooses, and switches between, the two paths appropriately). |
In other words, if only the policy-based VPN Gateway in the Tokyo1 Zone fails, the VSIs in Tokyo1 cannot be reached through the policy-based VPN Gateway in the Tokyo2 Zone, even though one is configured there.
For example, when an environment such as an ALB, whose members are spread across Zones, is accessed over a site-to-site VPN, a failure of only the Tokyo1 VPN Gateway leaves clients unable to connect, because name resolution still hands them the IP addresses of the ALB members in Tokyo1. Even without an ALB, if a database is for instance set up across Zones in an Active/Standby configuration, losing VPN access to the Active DB in Tokyo1 because of a VPN Gateway failure in Tokyo1 is still a problem in many cases.
Route-based VPN solves this problem. Because route-based VPN is configured Active/Active, the route switching has to be designed carefully. In addition, at the time of writing only the static-route configuration of route-based VPN is officially GA, so the automatic switchover has to be achieved within what static routes allow. This know-how has not been widely shared, and a route-based configuration involves IBM Cloud-specific considerations and terminology that need care, so this article sets them out.
2. Overview of the test environment
- Address range on the Classic Infrastructure side, which stands in for on-premises: 10.132.0.0/16
  - Note that 10.132.0.0/16 = 10.132.0.0/17 + 10.132.128.0/17
- VPC, Tokyo1 Zone address range: 172.16.0.0/24
- VPC, Tokyo2 Zone address range: 172.17.0.0/24
In this environment:
- Normal operation (on-premises -> VPC)
  - Traffic to 172.16.0.0/24 selects VTI1 as the best route (it has the most preferred Administrative Distance).
  - Traffic to 172.17.0.0/24 selects VTI3 as the best route (it has the most preferred Administrative Distance).
- Normal operation (VPC -> on-premises)
  - Follows the best route given by the Custom Routes described below. Traffic from the Tokyo1 Zone to 10.132.0.0/16 uses the Tokyo1 VPN Gateway (among routes to the same destination, longest matching makes the routes whose next hop is set for 10.132.0.0/17 + 10.132.128.0/17 take precedence over the next hop set for 10.132.0.0/16).
  - Traffic from the Tokyo2 Zone to 10.132.0.0/16 uses the Tokyo2 VPN Gateway.
  - Within a VPN Gateway, the member with the smaller assigned public IP address is preferred as the egress path. That is, if the members are assigned the public IPs 162.xxx.xxx.119 and 162.xxx.xxx.120, the member with 162.xxx.xxx.119 is preferred as the egress path. From https://cloud.ibm.com/docs/vpc?topic=vpc-using-vpn&locale=en:
    "A static, route-based VPN deploys in Active-Active redundancy mode. Two VPN tunnels are connected with the peer VPN gateway; however, the IBM gateway always uses the tunnel with the small public IP as the primary egress path. The tunnel with the large public IP is the secondary egress path. Traffic from the IBM VPC to the on-prem network goes through the primary egress path if both tunnels are active. Traffic goes through the secondary egress path if the primary egress path is disabled. The on-prem VPN gateway must use route priority to choose the same preferred path."
- VPN Connection#1 down (on-premises -> VPC)
  - Traffic to 172.16.0.0/24 selects VTI3 as the best route (VTI1 and VTI2 are down, so VTI3, next in priority, is selected).
  - Traffic to 172.17.0.0/24 selects VTI3 as the best route (it has the most preferred Administrative Distance).
- VPN Connection#1 down (VPC -> on-premises)
  - The Custom Routes that point at VPN connection#1 stop being used while its tunnels are down, so traffic from both Zones to 10.132.0.0/16 uses the Tokyo2 VPN Gateway (VPN connection#2); see section 6.
3. Relationship between a VPN Gateway and its members, and between a VPN Connection and VPN tunnels
- Ordering one site-to-site VPN provides one VPN Gateway.
- One VPN Gateway is assigned two members.
- For one VPN Gateway you specify a single peer address of the peer VPN server, an IKE policy and an IPsec policy. This is what IBM Cloud VPN calls a VPN connection.
- In a cross-Zone configuration, the peer VPN server establishes two VPN tunnels with the VPN Gateway in the Tokyo1 Zone and another two with the VPN Gateway in the Tokyo2 Zone. The far end of each VPN tunnel is, of course, a member of the respective VPN Gateway.
4. Example VPN Connection settings
5. VTI configuration
- With route-based VPN, you create a Virtual Tunnel Interface (VTI) tied to each VPN tunnel on the peer VPN server. Simply routing traffic destined for IBM Cloud VPC through that VTI makes it flow over the VPN tunnel (which is why it is called route-based).
- Any subnet that does not overlap with other networks can be used for a VTI; a /30 is usually enough. Here they are taken from the link-local range (169.254.0.0/16).
  - Four VPN tunnels are needed, so 169.254.0.0/30, 169.254.0.4/30, 169.254.0.8/30 and 169.254.0.12/30 are used.
- In each subnet, the lower address must be assigned to the VPC side and the higher address to the peer VPN server side.
  - 169.254.0.2, 169.254.0.6, 169.254.0.10 and 169.254.0.14 are the addresses configured on the peer VPN server.
  - 169.254.0.1, 169.254.0.5, 169.254.0.9 and 169.254.0.13 are the VPC side, but there is no need to configure them on the VPN Gateway (there is no setting for it, and the VPN Gateway does not actually hold these addresses). They exist only as next-hop references for the static routes configured on the peer VPN server, so they cannot be pinged either.
5-1. Static route configuration (on-premises -> VPC)
- When two or more routes to the same destination network have different next hops, the Administrative Distance (AD) decides which one is preferred; set it with the distance option when configuring the static route. The smaller the AD, the more preferred the route. Configuring the routes as below gives:
  - For 172.16.0.0/24, VTI1, VTI2, VTI3 and VTI4 are used in that order of preference.
  - For 172.17.0.0/24, VTI3, VTI4, VTI1 and VTI2 are used in that order of preference.
  - When the VPN tunnels to member 1 and member 2 of VPN Gateway@Tokyo1 go down, VTI1 and VTI2 are no longer used, so VTI3 is used for 172.16.0.0/24.
- This failover relies on the VTI really going down. The dead-peer-detection setting in the ike-group (interval 2, action clear in the configuration in section 7) clears the SA of a peer that stops answering; the bound VTI then goes down and the static route through it is marked inactive, as the test output later shows. Without DPD the tunnel would not be torn down promptly when the peer stops answering, and the static route would stay selected.
```
# Set primary route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.1 distance 10
set protocols static route 172.16.0.0/24 next-hop 169.254.0.1 interface vti1
# Set secondary route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.5 distance 20
set protocols static route 172.16.0.0/24 next-hop 169.254.0.5 interface vti2
# Set 3rd route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.9 distance 30
set protocols static route 172.16.0.0/24 next-hop 169.254.0.9 interface vti3
# Set 4th route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.13 distance 40
set protocols static route 172.16.0.0/24 next-hop 169.254.0.13 interface vti4
# Set primary route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.9 distance 10
set protocols static route 172.17.0.0/24 next-hop 169.254.0.9 interface vti3
# Set secondary route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.13 distance 20
set protocols static route 172.17.0.0/24 next-hop 169.254.0.13 interface vti4
# Set 3rd route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.1 distance 30
set protocols static route 172.17.0.0/24 next-hop 169.254.0.1 interface vti1
# Set 4th route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.5 distance 40
set protocols static route 172.17.0.0/24 next-hop 169.254.0.5 interface vti2
```
6. Custom Route configuration (VPC -> on-premises)
Reaching on-premises (10.132.0.0/16) has to go through a VPN Gateway, so an Egress Custom Route must specify which VPN Connection traffic to 10.132.0.0/16 goes through (note that what you specify is neither the VPN Gateway nor a VPN tunnel). The question is whether it can be configured so that VPN Gateway@Tokyo2 is used when VPN Gateway@Tokyo1 fails. If several Custom Routes exist for the same destination they are load-balanced with ECMP, which would give asymmetric routing and would also be inefficient, because VPN Gateway@Tokyo2 might be used to talk to servers in Tokyo1 even in normal operation.
Here, using the fact that 10.132.0.0/16 can be split into 10.132.0.0/17 + 10.132.128.0/17, configure the Egress Custom Routes as follows.
Zone | destination | next hop |
---|---|---|
Tokyo1 | 10.132.0.0/17 | VPN connection#1 |
Tokyo1 | 10.132.128.0/17 | VPN connection#1 |
Tokyo1 | 10.132.0.0/16 | VPN connection#2 |
Tokyo2 | 10.132.0.0/17 | VPN connection#2 |
Tokyo2 | 10.132.128.0/17 | VPN connection#2 |
Tokyo2 | 10.132.0.0/16 | VPN connection#1 |
This gives the following behaviour:
- Because of longest matching, servers in Tokyo1 use VPN Gateway@Tokyo1 when talking to 10.132.0.0/16.
- The VPN Gateway monitors the status of its VPN tunnels; when a VPN tunnel goes down, a custom route through it stops being used even though it remains configured (it is disabled internally). As a result the next-best route, VPN connection#2, is used. When the VPN tunnel comes back up, the custom route to that tunnel is re-enabled and VPN connection#1 is used again.
- The gateway's tunnel monitoring and the DPD on the peer VPN server run on independent timers, so during a transition the two directions can briefly disagree; this is the short interruption of the ping seen in the tests below.
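The static routes of section 5-1 and the Custom Routes of this section interact, and the property worth checking is that the forward and return paths land on the same tunnel in every failure state: a return path through a different gateway would be asymmetric and would break any stateful inspection in between. The Python script below is an added example, not part of the article or of IBM's tooling. It models both tables with longest-prefix matching, the on-premises Administrative Distance and the gateway's withdrawal of a custom route whose connection has no live tunnel, then reports the path in each direction for the scenarios exercised in the tests later on. The names conn1/conn2 (standing for VPN connection#1/#2), the sample host addresses and the assumption that the tunnels the article calls primary (vti1, vti3) terminate on the smaller-IP member of each gateway are assumptions made here, not statements from the article.

```python
"""Added example: simulate the on-prem static routes and the VPC egress custom
routes from the article and check path symmetry per tunnel-failure scenario.
Names conn1/conn2 and the smaller-IP-member-is-lowest-VTI assumption are mine."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dest: Net
    via: str            # VTI name on-prem, VPN connection name in the VPC
    distance: int = 0   # administrative distance (on-prem only; lower wins)


# Tunnel -> VPN connection (= VPN Gateway) mapping from sections 3 and 5.
VTI_TO_CONN = {"vti1": "conn1", "vti2": "conn1", "vti3": "conn2", "vti4": "conn2"}

# On-prem static routes (section 5-1): AD 10/20/30/40.
ONPREM_STATIC = [
    Route(Net("172.16.0.0/24"), "vti1", 10), Route(Net("172.16.0.0/24"), "vti2", 20),
    Route(Net("172.16.0.0/24"), "vti3", 30), Route(Net("172.16.0.0/24"), "vti4", 40),
    Route(Net("172.17.0.0/24"), "vti3", 10), Route(Net("172.17.0.0/24"), "vti4", 20),
    Route(Net("172.17.0.0/24"), "vti1", 30), Route(Net("172.17.0.0/24"), "vti2", 40),
]

# VPC egress custom routes per zone (section 6): two /17s toward the local
# gateway, the /16 toward the other zone's gateway as the fallback.
VPC_CUSTOM = {
    "tokyo1": [Route(Net("10.132.0.0/17"), "conn1"), Route(Net("10.132.128.0/17"), "conn1"),
               Route(Net("10.132.0.0/16"), "conn2")],
    "tokyo2": [Route(Net("10.132.0.0/17"), "conn2"), Route(Net("10.132.128.0/17"), "conn2"),
               Route(Net("10.132.0.0/16"), "conn1")],
}
ZONE_OF = {Net("172.16.0.0/24"): "tokyo1", Net("172.17.0.0/24"): "tokyo2"}


def onprem_next_hop(dst, up_vtis):
    """Longest prefix first, then lowest AD, over routes whose VTI is up."""
    dst = ipaddress.IPv4Address(dst)
    usable = [r for r in ONPREM_STATIC if dst in r.dest and r.via in up_vtis]
    if not usable:
        return None
    longest = max(r.dest.prefixlen for r in usable)
    return min((r for r in usable if r.dest.prefixlen == longest),
               key=lambda r: r.distance).via


def vpc_egress(zone, dst, up_vtis):
    """(connection, tunnel) the VPC uses from `zone` toward on-prem `dst`.

    A custom route whose connection has no tunnel up is withdrawn by the
    gateway, which is what lets the shorter /16 route take over."""
    dst = ipaddress.IPv4Address(dst)
    live_conns = {VTI_TO_CONN[v] for v in up_vtis}
    usable = [r for r in VPC_CUSTOM[zone] if dst in r.dest and r.via in live_conns]
    if not usable:
        return None
    conn = max(usable, key=lambda r: r.dest.prefixlen).via
    # Assumption: the lowest-numbered live VTI is the smaller-IP (primary) member.
    tunnel = min(v for v in up_vtis if VTI_TO_CONN[v] == conn)
    return conn, tunnel


def zone_of(addr):
    a = ipaddress.IPv4Address(addr)
    return next(z for net, z in ZONE_OF.items() if a in net)


def check_path(onprem_host, vpc_host, up_vtis):
    """Forward (on-prem -> VPC) and return (VPC -> on-prem) tunnels; symmetric if equal."""
    fwd = onprem_next_hop(vpc_host, up_vtis)
    ret = vpc_egress(zone_of(vpc_host), onprem_host, up_vtis)
    if fwd is None or ret is None:
        return {"forward": fwd, "return": ret, "symmetric": False}
    return {"forward": fwd, "return": ret[1], "symmetric": fwd == ret[1]}


if __name__ == "__main__":
    all_up = {"vti1", "vti2", "vti3", "vti4"}
    scenarios = [("all up", all_up), ("vti1 down", all_up - {"vti1"}),
                 ("connection#1 down", {"vti3", "vti4"}), ("all down", set())]
    for name, up in scenarios:
        for host in ("172.16.0.10", "172.17.0.10"):  # sample VSIs, one per zone
            print(f"{name:18} {host}: {check_path('10.132.163.215', host, up)}")
```

Run it as is and every scenario comes out symmetric; change one AD in ONPREM_STATIC (for example give vti2 distance 5) and the script shows the on-premises side sending over vti2 while the gateway still returns over vti1, which is exactly the mismatch the IBM documentation warns about when it says the on-prem gateway "must use route priority to choose the same preferred path".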
7. Vyatta configuration example
```
# SSH settings (optional)
set system login user vyatta authentication public-keys xxxx type ssh-rsa
set system login user vyatta authentication public-keys xxxx key "xxxxxx"
set system time-zone Asia/Tokyo
# Enable VRRP
delete interfaces bonding dp0bond0 vrrp vrrp-group 1 disable
delete interfaces bonding dp0bond1 vrrp vrrp-group 1 disable
# Restart the VPN service on a VRRP transition
# https://cloud.ibm.com/docs/virtual-router-appliance?topic=virtual-router-appliance-working-with-high-availability-and-vrrp#high-availability-vpn-with-vrrp
set interfaces bonding dp0bond1 vrrp vrrp-group 1 notify ipsec
# Firewall: traffic addressed to the public interface itself is dropped unless it
# comes from one of the four VPN Gateway members. The rules accept any protocol
# from those addresses; IKE (UDP/500, UDP/4500) and ESP are all the members need.
set security firewall name FW_PUBLIC default-action drop
set security firewall name FW_PUBLIC rule 1 action accept
set security firewall name FW_PUBLIC rule 1 source address <public address of VPN Gateway@Tokyo1 member#1>
set security firewall name FW_PUBLIC rule 2 action accept
set security firewall name FW_PUBLIC rule 2 source address <public address of VPN Gateway@Tokyo1 member#2>
set security firewall name FW_PUBLIC rule 3 action accept
set security firewall name FW_PUBLIC rule 3 source address <public address of VPN Gateway@Tokyo2 member#1>
set security firewall name FW_PUBLIC rule 4 action accept
set security firewall name FW_PUBLIC rule 4 source address <public address of VPN Gateway@Tokyo2 member#2>
set interfaces bonding dp0bond1 firewall local FW_PUBLIC
delete security firewall name SERVICE-ALLOW
# VPN ike-group
set security vpn ipsec ike-group ibm-vpc-ike-group
set security vpn ipsec ike-group ibm-vpc-ike-group dead-peer-detection interval 2
set security vpn ipsec ike-group ibm-vpc-ike-group dead-peer-detection action clear
set security vpn ipsec ike-group ibm-vpc-ike-group lifetime 86400
set security vpn ipsec ike-group ibm-vpc-ike-group ike-version 2
set security vpn ipsec ike-group ibm-vpc-ike-group proposal 1
set security vpn ipsec ike-group ibm-vpc-ike-group proposal 1 dh-group 19
set security vpn ipsec ike-group ibm-vpc-ike-group proposal 1 encryption aes256
set security vpn ipsec ike-group ibm-vpc-ike-group proposal 1 hash sha2_256
# VPN esp-group
set security vpn ipsec esp-group ibm-vpc-ipsec-group compression disable
set security vpn ipsec esp-group ibm-vpc-ipsec-group lifetime 10800
set security vpn ipsec esp-group ibm-vpc-ipsec-group mode tunnel
set security vpn ipsec esp-group ibm-vpc-ipsec-group pfs dh-group19
set security vpn ipsec esp-group ibm-vpc-ipsec-group proposal 1 encryption aes256
set security vpn ipsec esp-group ibm-vpc-ipsec-group proposal 1 hash sha2_256
# The same pre-shared secret is reused for all four peers below as a sample value;
# use a distinct, randomly generated secret per peer (matching the VPN connection's
# preshared key in IBM Cloud) and keep it out of shared configuration dumps.
# VPN to-IBMTOK1-VPN-primary
set interfaces vti vti1 description "to-IBMTOK1-VPN-primary"
set interfaces vti vti1 address 169.254.0.2/30
set interfaces vti vti1 ip tcp-mss limit 1360
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> authentication pre-shared-secret Q89is3MRSBKCLruH
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> ike-group ibm-vpc-ike-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> default-esp-group ibm-vpc-ipsec-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> description "to-IBMTOK1-VPN-primary"
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> local-address <VRRP IP>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> connection-type initiate
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> authentication remote-id <public address of VPN Gateway@Tokyo1 member#1>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#1> vti bind vti1
# VPN to-IBMTOK1-VPN-secondary
set interfaces vti vti2 description "to-IBMTOK1-VPN-secondary"
set interfaces vti vti2 address 169.254.0.6/30
set interfaces vti vti2 ip tcp-mss limit 1360
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> authentication pre-shared-secret Q89is3MRSBKCLruH
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> ike-group ibm-vpc-ike-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> default-esp-group ibm-vpc-ipsec-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> description "to-IBMTOK1-VPN-secondary"
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> local-address <VRRP IP>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> connection-type initiate
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> authentication remote-id <public address of VPN Gateway@Tokyo1 member#2>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo1 member#2> vti bind vti2
# VPN to-IBMTOK2-VPN-primary
set interfaces vti vti3 description "to-IBMTOK2-VPN-primary"
set interfaces vti vti3 address 169.254.0.10/30
set interfaces vti vti3 ip tcp-mss limit 1360
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> authentication pre-shared-secret Q89is3MRSBKCLruH
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> ike-group ibm-vpc-ike-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> default-esp-group ibm-vpc-ipsec-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> description "to-IBMTOK2-VPN-primary"
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> local-address <VRRP IP>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> connection-type initiate
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> authentication remote-id <public address of VPN Gateway@Tokyo2 member#1>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#1> vti bind vti3
# VPN to-IBMTOK2-VPN-secondary
set interfaces vti vti4 description "to-IBMTOK2-VPN-secondary"
set interfaces vti vti4 address 169.254.0.14/30
set interfaces vti vti4 ip tcp-mss limit 1360
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> authentication pre-shared-secret Q89is3MRSBKCLruH
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> ike-group ibm-vpc-ike-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> default-esp-group ibm-vpc-ipsec-group
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> description "to-IBMTOK2-VPN-secondary"
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> local-address <VRRP IP>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> connection-type initiate
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> authentication remote-id <public address of VPN Gateway@Tokyo2 member#2>
set security vpn ipsec site-to-site peer <public address of VPN Gateway@Tokyo2 member#2> vti bind vti4
# Set primary route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.1 distance 10
set protocols static route 172.16.0.0/24 next-hop 169.254.0.1 interface vti1
# Set secondary route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.5 distance 20
set protocols static route 172.16.0.0/24 next-hop 169.254.0.5 interface vti2
# Set 3rd route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.9 distance 30
set protocols static route 172.16.0.0/24 next-hop 169.254.0.9 interface vti3
# Set 4th route toward TOK1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.13 distance 40
set protocols static route 172.16.0.0/24 next-hop 169.254.0.13 interface vti4
# Set primary route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.9 distance 10
set protocols static route 172.17.0.0/24 next-hop 169.254.0.9 interface vti3
# Set secondary route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.13 distance 20
set protocols static route 172.17.0.0/24 next-hop 169.254.0.13 interface vti4
# Set 3rd route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.1 distance 30
set protocols static route 172.17.0.0/24 next-hop 169.254.0.1 interface vti1
# Set 4th route toward TOK2
set protocols static route 172.17.0.0/24 next-hop 169.254.0.5 distance 40
set protocols static route 172.17.0.0/24 next-hop 169.254.0.5 interface vti2
# Disable ALG
set system alg ftp 'disable'
set system alg icmp 'disable'
set system alg pptp 'disable'
set system alg rpc 'disable'
set system alg rsh 'disable'
set system alg sip 'disable'
set system alg tftp 'disable'
```
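A configuration of this size is easy to get subtly wrong (a peer whose address is missing from the firewall, a remote-id that does not match, a VTI bound to a peer but never routed, the same pre-shared secret pasted into every peer). The script below is an added example, not part of the article or of the Vyatta product: it parses a Vyatta `set ...` command script like the one above into token tuples and reports those issues. SAMPLE is a constructed excerpt of the article's script in which the documentation addresses 192.0.2.119 and 192.0.2.120 (RFC 5737) stand in for the real VPN Gateway member addresses; the pre-shared secret is the article's sample value, which is what the shared-secret finding is about.

```python
"""Added example, not from the article: lint a Vyatta 'set ...' script for the
mistakes a reviewer checks on a route-based IPsec gateway. SAMPLE is a
constructed excerpt with RFC 5737 addresses in place of the real peers."""
import shlex
from collections import defaultdict

SAMPLE = """
set security firewall name FW_PUBLIC default-action drop
set security firewall name FW_PUBLIC rule 1 action accept
set security firewall name FW_PUBLIC rule 1 source address 192.0.2.119
set security firewall name FW_PUBLIC rule 2 action accept
set security firewall name FW_PUBLIC rule 2 source address 192.0.2.120
set interfaces bonding dp0bond1 firewall local FW_PUBLIC
set security vpn ipsec ike-group ibm-vpc-ike-group
set security vpn ipsec ike-group ibm-vpc-ike-group dead-peer-detection action clear
set security vpn ipsec ike-group ibm-vpc-ike-group ike-version 2
set security vpn ipsec ike-group ibm-vpc-ike-group proposal 1 dh-group 19
set security vpn ipsec ike-group ibm-vpc-ike-group proposal 1 hash sha2_256
set security vpn ipsec site-to-site peer 192.0.2.119 authentication pre-shared-secret Q89is3MRSBKCLruH
set security vpn ipsec site-to-site peer 192.0.2.119 ike-group ibm-vpc-ike-group
set security vpn ipsec site-to-site peer 192.0.2.119 authentication remote-id 192.0.2.119
set security vpn ipsec site-to-site peer 192.0.2.119 vti bind vti1
set security vpn ipsec site-to-site peer 192.0.2.120 authentication pre-shared-secret Q89is3MRSBKCLruH
set security vpn ipsec site-to-site peer 192.0.2.120 ike-group ibm-vpc-ike-group
set security vpn ipsec site-to-site peer 192.0.2.120 authentication remote-id 192.0.2.120
set security vpn ipsec site-to-site peer 192.0.2.120 vti bind vti2
set protocols static route 172.16.0.0/24 next-hop 169.254.0.1 interface vti1
set protocols static route 172.16.0.0/24 next-hop 169.254.0.5 interface vti2
"""


def parse(script):
    """Every 'set' line as a tuple of tokens, without the leading 'set'."""
    return [tuple(shlex.split(ln)[1:]) for ln in script.splitlines()
            if ln.strip().startswith("set ")]


def sub(entries, *prefix):
    """Entries below `prefix`, with the prefix removed."""
    n = len(prefix)
    return [e[n:] for e in entries if e[:n] == prefix]


def leaves(entries, *prefix):
    """{'remaining path': value} for the entries below `prefix`."""
    return {" ".join(e[:-1]): e[-1] for e in sub(entries, *prefix) if e}


def lint(script):
    e = parse(script)
    findings = []
    # Source addresses accepted by a firewall attached as 'local' to an interface.
    local_fws = {x[-1] for x in e if x[0] == "interfaces" and len(x) > 1 and x[-2] == "local"}
    accepted = set()
    for fw in local_fws:
        rules = leaves(e, "security", "firewall", "name", fw, "rule")
        for key, val in rules.items():
            num, field = key.split(" ", 1)
            if field == "source address" and rules.get(f"{num} action") == "accept":
                accepted.add(val)
    routed_vtis = {x[-1] for x in sub(e, "protocols", "static", "route") if x[-2] == "interface"}
    psk_users = defaultdict(list)
    for peer in sorted({x[0] for x in sub(e, "security", "vpn", "ipsec", "site-to-site", "peer")}):
        p = leaves(e, "security", "vpn", "ipsec", "site-to-site", "peer", peer)
        psk_users[p.get("authentication pre-shared-secret")].append(peer)
        if p.get("authentication remote-id") != peer:
            findings.append(f"{peer}: remote-id does not match the peer address")
        if peer not in accepted:
            findings.append(f"{peer}: no accept rule for this peer on a 'local' firewall")
        ike = leaves(e, "security", "vpn", "ipsec", "ike-group", p.get("ike-group", ""))
        if ike.get("ike-version") != "2":
            findings.append(f"{peer}: ike-group {p.get('ike-group')} is not IKEv2")
        if ike.get("dead-peer-detection action") not in ("clear", "restart"):
            findings.append(f"{peer}: no DPD action, a dead tunnel would not be torn down")
        for key, val in ike.items():
            if key.endswith("hash") and val in ("md5", "sha1"):
                findings.append(f"{peer}: weak IKE hash {val}")
            if key.endswith("dh-group") and int(val) < 14:
                findings.append(f"{peer}: weak IKE DH group {val}")
        if p.get("vti bind") not in routed_vtis:
            findings.append(f"{peer}: bound VTI {p.get('vti bind')} has no static route")
    for psk, users in psk_users.items():
        if len(users) > 1:
            findings.append("pre-shared secret shared by peers " + ", ".join(users))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE) or ["no findings"]:
        print(finding)
```

Feed it the real script (`lint(open("vra.cfg").read())`) before committing; on the article's configuration as written it reports only the shared pre-shared secret, and dropping one firewall rule or switching an ike-group to IKEv1 produces the corresponding finding per affected peer.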
8. Testing
1. Preparation
Reset the interface counters, then keep a ping running between on-premises and the VPC throughout the tests below.
```
vyatta@vra01:~$ clear interfaces counters
```
2. Normal state
```
vyatta@vra01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface  Group  State  Compliant  Owner  Transition  Group
---------  -----  -----  ---------  -----  ----------  -----
dp0bond0   1      MASTER dp0vrrp1   no     5d6h23m36s  vgroup1
dp0bond1   1      MASTER dp0vrrp2   no     5d6h23m36s  vgroup1
vyatta@vra01:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface  IP Address          S/L  Speed/Duplex  Description
---------  ----------          ---  ------------  -----------
dp0bond0   10.132.163.219/26   u/u  2g/full
dp0bond1   161.xxx.xxx.126/29  u/u  2g/full
dp0s0      -                   u/u  a-1g/a-full
dp0s1      -                   u/u  a-1g/a-full
dp0s2      -                   u/u  a-1g/a-full
dp0s3      -                   u/u  a-1g/a-full
dp0vrrp1   10.132.163.215/32   u/u  2g/full
dp0vrrp2   161.xxx.xxx.123/32  u/u  2g/full
vti1       169.254.0.2/30      u/u  -/-           to-IBMTOK1-VPN-primary
vti2       169.254.0.6/30      u/u  -/-           to-IBMTOK1-VPN-secondary
vti3       169.254.0.10/30     u/u  -/-           to-IBMTOK2-VPN-primary
vti4       169.254.0.14/30     u/u  -/-           to-IBMTOK2-VPN-secondary
vyatta@vra01:~$ show ip route
Codes: K - kernel, C - connected, S - static, D - DHCP, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       L - LDP, V - RSVP-TE, I - IGP shortcut
       > - selected route, * - FIB route, p - stale info
IP Route Table for Routing-instance "default"
Gateway of last resort is 161.xxx.xxx.121 to network 0.0.0.0
S    *> 0.0.0.0/0 [1/0] via 161.xxx.xxx.121, dp0bond1
S    *> 10.0.0.0/8 [1/0] via 10.132.163.193, dp0bond0
C    *> 10.132.163.192/26 is directly connected, dp0bond0
C    *> 10.132.163.215/32 is directly connected, dp0vrrp1
C    *> 127.0.0.0/8 is directly connected, lo
S    *> 161.26.0.0/16 [1/0] via 10.132.163.193, dp0bond0
C    *> 161.xxx.xxx.120/29 is directly connected, dp0bond1
C    *> 161.xxx.xxx.123/32 is directly connected, dp0vrrp2
S    *> 166.8.0.0/14 [1/0] via 10.132.163.193, dp0bond0
C    *> 169.254.0.0/30 is directly connected, vti1
C    *> 169.254.0.4/30 is directly connected, vti2
C    *> 169.254.0.8/30 is directly connected, vti3
C    *> 169.254.0.12/30 is directly connected, vti4
S    *> 172.16.0.0/24 [10/0] via 169.254.0.1, vti1
S       172.16.0.0/24 [20/0] via 169.254.0.5, vti2
S       172.16.0.0/24 [30/0] via 169.254.0.9, vti3
S       172.16.0.0/24 [40/0] via 169.254.0.13, vti4
S    *> 172.17.0.0/24 [10/0] via 169.254.0.9, vti3
S       172.17.0.0/24 [20/0] via 169.254.0.13, vti4
S       172.17.0.0/24 [40/0] via 169.254.0.5, vti2
S       172.17.0.0/24 [30/0] via 169.254.0.1, vti1
vyatta@vra01:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.129                         161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-primary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     185         up     0.0/0.0        aes256        sha2_256  19  -27563  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.98                          161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-secondary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     188         up     0.0/0.0        aes256        sha2_256  19  -28186  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
162.xxx.xxx.119                         161.xxx.xxx.123
    Description: to-IBMTOK1-VPN-primary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     186         up     0.0/0.0        aes256        sha2_256  19  -27706  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
162.xxx.xxx.120                         161.xxx.xxx.123
    Description: to-IBMTOK1-VPN-secondary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     187         up     0.0/0.0        aes256        sha2_256  19  -27882  10800
vyatta@vra01:~$ show interfaces counters
Interface  Rx Packets  Rx Bytes  Tx Packets  Tx Bytes
dp0bond0   351         25564     557         65292
dp0bond1   726         89620     839         94470
dp0s0      27          2404      544         64000
dp0s1      395         47510     249         31028
dp0s2      324         23160     8           992
dp0s3      338         44294     604         65032
dp0vrrp1   0           0         236         12744
dp0vrrp2   498         62748     236         12744
lo         0           0         0           0
vti1       104         10192     90          16020
vti2       0           0         0           0
vti3       0           0         0           0
vti4       0           0         0           0
```
3. Failure of the tunnel over VTI1
Block the VPN from member#1 of VPN Gateway@Tokyo1 at the firewall. The ping stops, but after a short while it gets through again. In the output below the SA to 162.xxx.xxx.119 (to-IBMTOK1-VPN-primary) is gone, cleared by DPD, and the counters show the traffic now passing over vti2.
```
vyatta@vra01:~$ configure
vyatta@vra01# set security firewall name FW_PUBLIC rule 1 action drop
vyatta@vra01# commit
vyatta@vra01:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.129                         161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-primary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     185         up     0.0/0.0        aes256        sha2_256  19  -26833  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.98                          161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-secondary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     188         up     0.0/0.0        aes256        sha2_256  19  -27456  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
162.xxx.xxx.120                         161.xxx.xxx.123
    Description: to-IBMTOK1-VPN-secondary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     187         up     4.0K/4.0K      aes256        sha2_256  19  -27152  10800
vyatta@vra01:~$ show interfaces counters
Interface  Rx Packets  Rx Bytes  Tx Packets  Tx Bytes
dp0bond0   790         61212     1223        125534
dp0bond1   2012        260784    2161        245842
dp0s0      70          6258      1196        122540
dp0s1      1059        128534    676         84872
dp0s2      725         55364     22          2694
dp0s3      955         132638    1495        162028
dp0vrrp1   0           0         627         33858
dp0vrrp2   1178        148428    627         33858
lo         0           0         0           0
vti2       16          1568      16          2848
vti3       0           0         0           0
vti4       0           0         0           0
```
4. Failure of the tunnels over VTI1 and VTI2 (= VPN Connection#1 failure)
Block the VPN from both members of VPN Gateway@Tokyo1 at the firewall. The ping stops, but after a short while it gets through again, now over vti3. The route table shows the vti1 and vti2 routes marked inactive and 172.16.0.0/24 selected via vti3 with AD 30.
```
vyatta@vra01:~$ configure
vyatta@vra01# set security firewall name FW_PUBLIC rule 1 action drop
vyatta@vra01# set security firewall name FW_PUBLIC rule 2 action drop
vyatta@vra01# commit
vyatta@vra01:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.129                         161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-primary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     185         up     1.6K/1.6K      aes256        sha2_256  19  -26553  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.98                          161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-secondary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     188         up     0.0/0.0        aes256        sha2_256  19  -27176  10800
vyatta@vra01:~$ show interfaces counters
Interface  Rx Packets  Rx Bytes  Tx Packets  Tx Bytes
dp0bond0   1100        87274     1736        170674
dp0bond1   2950        391910    3089        350476
dp0s0      105         9436      1705        166836
dp0s1      1850        243068    1030        135182
dp0s2      995         77838     33          4058
dp0s3      1102        148906    2059        215010
dp0vrrp1   0           0         964         52056
dp0vrrp2   1564        197064    964         52056
lo         0           0         0           0
vti3       41          4018      41          7298
vti4       0           0         0           0
vyatta@vra01:~$ show ip route
Codes: K - kernel, C - connected, S - static, D - DHCP, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       L - LDP, V - RSVP-TE, I - IGP shortcut
       > - selected route, * - FIB route, p - stale info
IP Route Table for Routing-instance "default"
Gateway of last resort is 161.xxx.xxx.121 to network 0.0.0.0
S    *> 0.0.0.0/0 [1/0] via 161.xxx.xxx.121, dp0bond1
S    *> 10.0.0.0/8 [1/0] via 10.132.163.193, dp0bond0
C    *> 10.132.163.192/26 is directly connected, dp0bond0
C    *> 10.132.163.215/32 is directly connected, dp0vrrp1
C    *> 127.0.0.0/8 is directly connected, lo
S    *> 161.26.0.0/16 [1/0] via 10.132.163.193, dp0bond0
C    *> 161.xxx.xxx.120/29 is directly connected, dp0bond1
C    *> 161.xxx.xxx.123/32 is directly connected, dp0vrrp2
S    *> 166.8.0.0/14 [1/0] via 10.132.163.193, dp0bond0
C    *> 169.254.0.8/30 is directly connected, vti3
C    *> 169.254.0.12/30 is directly connected, vti4
S    *> 172.16.0.0/24 [30/0] via 169.254.0.9, vti3
S       172.16.0.0/24 [20/0] via 169.254.0.5, vti2 inactive
S       172.16.0.0/24 [10/0] via 169.254.0.1, vti1 inactive
S       172.16.0.0/24 [40/0] via 169.254.0.13, vti4
S    *> 172.17.0.0/24 [10/0] via 169.254.0.9, vti3
S       172.17.0.0/24 [20/0] via 169.254.0.13, vti4
S       172.17.0.0/24 [30/0] via 169.254.0.1, vti1 inactive
S       172.17.0.0/24 [40/0] via 169.254.0.5, vti2 inactive
```
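Reading the `show ip route` output by eye works for a one-off test, but a failover drill that is repeated after every change is better checked by a script. The Python below is an added example, not part of the article or of the Vyatta software: it parses the static-route lines of the output above, reports which candidate is installed in the FIB and which are inactive, and compares the result with the expected tunnel per prefix. SAMPLE is a constructed excerpt of the output from this VPN Connection#1 failure step; the function names are mine.

```python
"""Added example, not from the article: parse Vyatta 'show ip route' output and
verify which VTI carries each prefix during a failover test."""
import re

# Constructed excerpt of the 'show ip route' output in the VPN Connection#1 failure step.
SAMPLE = """\
S    *> 0.0.0.0/0 [1/0] via 161.xxx.xxx.121, dp0bond1
C    *> 169.254.0.8/30 is directly connected, vti3
S    *> 172.16.0.0/24 [30/0] via 169.254.0.9, vti3
S       172.16.0.0/24 [20/0] via 169.254.0.5, vti2 inactive
S       172.16.0.0/24 [10/0] via 169.254.0.1, vti1 inactive
S       172.16.0.0/24 [40/0] via 169.254.0.13, vti4
S    *> 172.17.0.0/24 [10/0] via 169.254.0.9, vti3
S       172.17.0.0/24 [20/0] via 169.254.0.13, vti4
S       172.17.0.0/24 [30/0] via 169.254.0.1, vti1 inactive
S       172.17.0.0/24 [40/0] via 169.254.0.5, vti2 inactive
"""

# Only routes with an [AD/metric] field are of interest; connected routes and
# the legend lines do not match and are skipped.
LINE = re.compile(
    r"^(?P<code>[A-Z]\S*)\s+(?:(?P<sel>\*>)\s+)?(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+),\s+(?P<iface>\S+)"
    r"(?P<inactive>\s+inactive)?\s*$")


def parse_routes(text):
    """Map each prefix to its candidate routes in the order printed."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        table.setdefault(m["prefix"], []).append({
            "via": m["nh"], "iface": m["iface"], "ad": int(m["ad"]),
            "selected": m["sel"] is not None, "inactive": m["inactive"] is not None})
    return table


def selected_iface(table, prefix):
    """Interface of the route marked '*>' (installed in the FIB), or None."""
    return next((r["iface"] for r in table.get(prefix, []) if r["selected"]), None)


def inactive_ifaces(table, prefix):
    """Interfaces whose route for `prefix` is present but marked inactive."""
    return sorted(r["iface"] for r in table.get(prefix, []) if r["inactive"])


def verify(text, expected):
    """Compare the FIB choice per prefix with `expected` ({prefix: iface}).

    Also flags a selected route that is not the lowest-AD active candidate,
    which would mean the router disagrees with the distance design."""
    table = parse_routes(text)
    problems = []
    for prefix, want in expected.items():
        got = selected_iface(table, prefix)
        if got != want:
            problems.append(f"{prefix}: expected {want}, selected {got}")
        active = [r for r in table.get(prefix, []) if not r["inactive"]]
        if active and min(active, key=lambda r: r["ad"])["iface"] != got:
            problems.append(f"{prefix}: selected route is not the lowest-AD active candidate")
    return problems


if __name__ == "__main__":
    routes = parse_routes(SAMPLE)
    for prefix in ("172.16.0.0/24", "172.17.0.0/24"):
        print(prefix, "selected:", selected_iface(routes, prefix),
              "inactive:", inactive_ifaces(routes, prefix))
    # Expectation for the Connection#1-down step: both prefixes over vti3.
    print(verify(SAMPLE, {"172.16.0.0/24": "vti3", "172.17.0.0/24": "vti3"}) or "OK")
```

Capture the live output with something like `ssh vyatta@vra01 'show ip route' > after.txt` (the command form depends on your remote-access setup) and pass the file contents to `verify` with the expectation for the scenario being tested; a non-empty result means the routing does not match the design.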
5. Recovery from the VPN Connection#1 failure
Allow the VPN at the firewall again. The ping stops briefly, then gets through again; both Tokyo1 tunnels are renegotiated (new tunnel IDs 191 and 192 in the SA output) and 172.16.0.0/24 is selected via vti1 again.
```
vyatta@vra01:~$ configure
vyatta@vra01# set security firewall name FW_PUBLIC rule 1 action accept
vyatta@vra01# set security firewall name FW_PUBLIC rule 2 action accept
vyatta@vra01# commit
vyatta@vra01:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.129                         161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-primary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     185         up     15.8K/17.4K    aes256        sha2_256  19  -26349  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
128.xxx.xxx.98                          161.xxx.xxx.123
    Description: to-IBMTOK2-VPN-secondary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     188         up     0.0/0.0        aes256        sha2_256  19  -26972  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
162.xxx.xxx.119                         161.xxx.xxx.123
    Description: to-IBMTOK1-VPN-primary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     192         up     1.2K/0.0       aes256        sha2_256  19  -32385  10800
Peer ID / IP                            Local ID / IP
------------                            -------------
162.xxx.xxx.120                         161.xxx.xxx.123
    Description: to-IBMTOK1-VPN-secondary
  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  vti     191         up     336.0/924.0    aes256        sha2_256  19  -32381  10800
vyatta@vra01:~$ show interfaces counters
Interface  Rx Packets  Rx Bytes  Tx Packets  Tx Bytes
dp0bond0   1302        103848    2047        201032
dp0bond1   3490        468828    3705        427930
dp0s0      126         11284     2011        196632
dp0s1      2295        309431    1178        156190
dp0s2      1176        92564     39          4802
dp0s3      1196        159589    2527        271636
dp0vrrp1   0           0         1149        62046
dp0vrrp2   1788        226565    1149        62046
lo         0           0         0           0
vti1       294         28812     300         53400
vti2       134         13132     133         23674
vti3       212         20776     192         34176
vti4       0           0         0           0
vyatta@vra01:~$ show ip route
Codes: K - kernel, C - connected, S - static, D - DHCP, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       L - LDP, V - RSVP-TE, I - IGP shortcut
       > - selected route, * - FIB route, p - stale info
IP Route Table for Routing-instance "default"
Gateway of last resort is 161.xxx.xxx.121 to network 0.0.0.0
S    *> 0.0.0.0/0 [1/0] via 161.xxx.xxx.121, dp0bond1
S    *> 10.0.0.0/8 [1/0] via 10.132.163.193, dp0bond0
C    *> 10.132.163.192/26 is directly connected, dp0bond0
C    *> 10.132.163.215/32 is directly connected, dp0vrrp1
C    *> 127.0.0.0/8 is directly connected, lo
S    *> 161.26.0.0/16 [1/0] via 10.132.163.193, dp0bond0
C    *> 161.xxx.xxx.120/29 is directly connected, dp0bond1
C    *> 161.xxx.xxx.123/32 is directly connected, dp0vrrp2
S    *> 166.8.0.0/14 [1/0] via 10.132.163.193, dp0bond0
C    *> 169.254.0.0/30 is directly connected, vti1
C    *> 169.254.0.4/30 is directly connected, vti2
C    *> 169.254.0.8/30 is directly connected, vti3
C    *> 169.254.0.12/30 is directly connected, vti4
S    *> 172.16.0.0/24 [10/0] via 169.254.0.1, vti1
S       172.16.0.0/24 [20/0] via 169.254.0.5, vti2
S       172.16.0.0/24 [30/0] via 169.254.0.9, vti3
S       172.16.0.0/24 [40/0] via 169.254.0.13, vti4
S    *> 172.17.0.0/24 [10/0] via 169.254.0.9, vti3
S       172.17.0.0/24 [20/0] via 169.254.0.13, vti4
S       172.17.0.0/24 [30/0] via 169.254.0.1, vti1
S       172.17.0.0/24 [40/0] via 169.254.0.5, vti2
```
6. VRA failure / VRA maintenance: moving to VRA#2 (moving the VIP)
```
vyatta@vra01:~$ reset vrrp master interface dp0bond0 group 1
vrrp group 1 on dp0bond0 is in sync-group vgroup1
Forcing vyatta-dp0bond0-1 to BACKUP...
Forcing vyatta-dp0bond1-1 to BACKUP...
```
The ping keeps going even after this. On vra01, now BACKUP, the VTIs are A/D and the IPsec process is not running (with notify ipsec, IPsec runs on the VRRP MASTER), so all of its static routes to the VPC are inactive, while vra02 has become MASTER for both groups and carries the tunnels.
```
vyatta@vra01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface  Group  State  Compliant  Owner  Transition  Group
---------  -----  -----  ---------  -----  ----------  -----
dp0bond0   1      BACKUP dp0vrrp1   no     7h39s       vgroup1
dp0bond1   1      BACKUP dp0vrrp2   no     7h39s       vgroup1
vyatta@vra01:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface  IP Address          S/L  Speed/Duplex  Description
---------  ----------          ---  ------------  -----------
dp0bond0   10.132.163.219/26   u/u  2g/full
dp0bond1   161.xxx.xxx.126/29  u/u  2g/full
dp0s0      -                   u/u  a-1g/a-full
dp0s1      -                   u/u  a-1g/a-full
dp0s2      -                   u/u  a-1g/a-full
dp0s3      -                   u/u  a-1g/a-full
dp0vrrp1   -                   u/u  2g/full
dp0vrrp2   -                   u/u  2g/full
vti1       169.254.0.2/30      A/D  -/-           to-IBMTOK1-VPN-primary
vti2       169.254.0.6/30      A/D  -/-           to-IBMTOK1-VPN-secondary
vti3       169.254.0.10/30     A/D  -/-           to-IBMTOK2-VPN-primary
vti4       169.254.0.14/30     A/D  -/-           to-IBMTOK2-VPN-secondary
vyatta@vra01:~$ show vpn ipsec sa
IPsec Process NOT Running
vyatta@vra01:~$ show ip route
Codes: K - kernel, C - connected, S - static, D - DHCP, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       L - LDP, V - RSVP-TE, I - IGP shortcut
       > - selected route, * - FIB route, p - stale info
IP Route Table for Routing-instance "default"
Gateway of last resort is 161.xxx.xxx.121 to network 0.0.0.0
S    *> 0.0.0.0/0 [1/0] via 161.xxx.xxx.121, dp0bond1
S    *> 10.0.0.0/8 [1/0] via 10.132.163.193, dp0bond0
C    *> 10.132.163.192/26 is directly connected, dp0bond0
C    *> 127.0.0.0/8 is directly connected, lo
S    *> 161.26.0.0/16 [1/0] via 10.132.163.193, dp0bond0
C    *> 161.xxx.xxx.120/29 is directly connected, dp0bond1
S    *> 166.8.0.0/14 [1/0] via 10.132.163.193, dp0bond0
S       172.16.0.0/24 [30/0] via 169.254.0.9, vti3 inactive
S       172.16.0.0/24 [20/0] via 169.254.0.5, vti2 inactive
S       172.16.0.0/24 [10/0] via 169.254.0.1, vti1 inactive
S       172.16.0.0/24 [40/0] via 169.254.0.13, vti4 inactive
S       172.17.0.0/24 [10/0] via 169.254.0.9, vti3 inactive
S       172.17.0.0/24 [20/0] via 169.254.0.13, vti4 inactive
S       172.17.0.0/24 [30/0] via 169.254.0.1, vti1 inactive
S       172.17.0.0/24 [40/0] via 169.254.0.5, vti2 inactive
vyatta@vra02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface  Group  State  Compliant  Owner  Transition  Group
---------  -----  -----  ---------  -----  ----------  -----
dp0bond0   1      MASTER dp0vrrp1   no     7h35s       vgroup1
dp0bond1   1      MASTER dp0vrrp2   no     7h35s       vgroup1
```