概要
Vyos(VyOS 1.3.0)を使用してOCIにIPSec VPNで接続するconfig例です。
Config例
Vyos.
# WAN interface (IPsec underlay). The placeholder must be the public address the
# OCI side was configured with as the CPE address; it is reused below as the
# IKE local-address and authentication id.
set interfaces ethernet eth0 address '【WAN IP Address】'
# LAN interface
set interfaces ethernet eth1 address '10.106.2.98/24'
# Loopback interface
set interfaces loopback lo
# VTI for tunnel 1: link net 192.168.0.0/30, the BGP neighbor for this tunnel is 192.168.0.2
set interfaces vti vti0 address '192.168.0.1/30'
set interfaces vti vti0 description 'OCI IPSec tunnel 1'
# MTU reduced below the WAN MTU, presumably to leave headroom for the ESP/IP
# encapsulation overhead; keep both VTIs identical so traffic behaves the same
# whichever tunnel is active. TODO confirm against the MTU in use on the OCI side.
set interfaces vti vti0 mtu '1340'
# VTI for tunnel 2: link net 192.168.0.4/30, the BGP neighbor for this tunnel is 192.168.0.6
set interfaces vti vti1 address '192.168.0.5/30'
set interfaces vti vti1 description 'OCI IPSec tunnel 2'
set interfaces vti vti1 mtu '1340'
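# Prefix-list of the prefixes this site is allowed to announce to OCI.
# Rules 10/20/30 carry no ge/le, so they are exact matches: only these four
# prefixes pass, everything else (e.g. the eth0 WAN subnet picked up by
# "redistribute connected") is dropped by the route-maps below.
# Rule 40 is tunnel 2's own link subnet (192.168.0.4/30).
set policy prefix-list ROUTE2 rule 10 action 'permit'
set policy prefix-list ROUTE2 rule 10 prefix '10.106.1.0/24'
set policy prefix-list ROUTE2 rule 20 action 'permit'
set policy prefix-list ROUTE2 rule 20 prefix '10.106.2.0/24'
set policy prefix-list ROUTE2 rule 30 action 'permit'
set policy prefix-list ROUTE2 rule 30 prefix '10.106.0.0/22'
set policy prefix-list ROUTE2 rule 40 action 'permit'
set policy prefix-list ROUTE2 rule 40 prefix '192.168.0.4/30'
# Inbound route-map for tunnel 2. Rule 10 has NO match clause, so it applies to
# every route learned over tunnel 2 and prepends OCI's ASN (31898) twice.
# Routes learned over tunnel 1 keep the shorter AS path and win best-path
# selection, so tunnel 1 is the preferred outbound path while it is up.
set policy route-map routemap-2-in rule 10 action 'permit'
set policy route-map routemap-2-in rule 10 set as-path-prepend '31898 31898'
# Outbound route-map for tunnel 2: advertise only what ROUTE2 permits (a
# route-map ends in an implicit deny, so non-matching prefixes are not sent)
# and prepend the local ASN (64512) twice so OCI prefers tunnel 1 for return traffic.
set policy route-map routemap-2-out rule 10 action 'permit'
set policy route-map routemap-2-out rule 10 match ip address prefix-list 'ROUTE2'
set policy route-map routemap-2-out rule 10 set as-path-prepend '64512 64512'
# Outbound route-map for tunnel 1. The BGP section applies 'routemap-1-out' to
# neighbor 192.168.0.2 but the original listing never defined it; FRR treats a
# missing route-map as deny-all (and VyOS may refuse the commit), so tunnel 1
# would have announced nothing. Same ROUTE2 filter as tunnel 2 but WITHOUT the
# prepend, so tunnel 1 is the path OCI prefers. (Assumption: tunnel 1 is meant to
# announce the same prefixes as tunnel 2 - adjust the prefix-list if not.)
set policy route-map routemap-1-out rule 10 action 'permit'
set policy route-map routemap-1-out rule 10 match ip address prefix-list 'ROUTE2'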
# Originate the aggregate 10.106.0.0/22 from this AS (64512).
# NOTE(review): FRR only originates a "network" statement when a matching route is
# present in the RIB if network import-check is enabled - confirm a route for
# 10.106.0.0/22 exists (e.g. a static blackhole/null route) or that the check is off.
set protocols bgp 64512 address-family ipv4-unicast network 10.106.0.0/22
# Redistribute directly connected subnets. This also pulls in the eth0 WAN subnet
# and both VTI /30s, so the per-neighbor export route-maps are what keeps the
# WAN subnet from being announced into OCI - do not remove them.
set protocols bgp 64512 address-family ipv4-unicast redistribute connected
# BGP neighbors (OCI's ASN is 31898, one peer per tunnel, addresses are the OCI
# ends of the VTI /30s). The sessions run inside the IPsec tunnels; no BGP
# session password is configured here. Consider a maximum-prefix limit as a
# safeguard against an unexpectedly large route set from the peer.
#
# Tunnel 1 neighbor (vti0, 192.168.0.0/30). The export route-map
# 'routemap-1-out' MUST be defined under "set policy route-map"; with an
# undefined route-map FRR exports nothing to this neighbor and VyOS may reject
# the commit. No import route-map on purpose: only tunnel 2 gets inbound
# prepending, so routes learned here are preferred.
set protocols bgp 64512 neighbor 192.168.0.2 address-family ipv4-unicast route-map export 'routemap-1-out'
# Keep an unfiltered copy of received routes so policy changes can be applied
# with a soft clear instead of resetting the session.
set protocols bgp 64512 neighbor 192.168.0.2 address-family ipv4-unicast soft-reconfiguration inbound
# The peer is on the directly connected VTI /30, so multihop is not strictly
# required; presumably carried over from the reference example - harmless.
set protocols bgp 64512 neighbor 192.168.0.2 ebgp-multihop '100'
set protocols bgp 64512 neighbor 192.168.0.2 remote-as '31898'
# Tunnel 2 neighbor (vti1, 192.168.0.4/30): export filtered and prepended by
# routemap-2-out, import prepended by routemap-2-in, so this tunnel is the
# backup path in both directions while tunnel 1 is up.
set protocols bgp 64512 neighbor 192.168.0.6 address-family ipv4-unicast route-map export 'routemap-2-out'
set protocols bgp 64512 neighbor 192.168.0.6 address-family ipv4-unicast route-map import 'routemap-2-in'
set protocols bgp 64512 neighbor 192.168.0.6 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 64512 neighbor 192.168.0.6 ebgp-multihop '100'
set protocols bgp 64512 neighbor 192.168.0.6 remote-as '31898'
# Default route via the WAN gateway; the OCI peer addresses (168.138.223.106 and
# 158.101.69.192) are reached through this route, so the tunnels depend on it.
set protocols static route 0.0.0.0/0 next-hop 【WAN Gateway address】
# ESP (IKE phase 2 / child SA) parameters shared by both tunnels.
set vpn ipsec esp-group oracle compression 'disable'
# Child SA lifetime in seconds (1 hour).
set vpn ipsec esp-group oracle lifetime '3600'
# Tunnel mode is required for the VTI-based setup below.
set vpn ipsec esp-group oracle mode 'tunnel'
# PFS with DH group 5 (1536-bit MODP). This is weaker than the 384-bit ECP
# group 20 used for IKE below and is below current recommendations; prefer
# group 14 or higher (or the same group as phase 1) if the OCI side is
# configured to accept it - both ends must agree, so change it in tandem.
set vpn ipsec esp-group oracle pfs 'dh-group5'
set vpn ipsec esp-group oracle proposal 1 encryption 'aes256'
set vpn ipsec esp-group oracle proposal 1 hash 'sha256'
# IKE (phase 1) parameters shared by both tunnels.
# Do not tear down the SA from this side when the peer closes it.
set vpn ipsec ike-group oracle close-action 'none'
# Dead peer detection: probe every 15 s; after 30 s without a reply the
# connection is restarted rather than just cleared, so a dead tunnel is
# re-established automatically.
set vpn ipsec ike-group oracle dead-peer-detection action 'restart'
set vpn ipsec ike-group oracle dead-peer-detection interval '15'
set vpn ipsec ike-group oracle dead-peer-detection timeout '30'
# Only meaningful for IKEv2; has no effect with the IKEv1 key-exchange below.
set vpn ipsec ike-group oracle ikev2-reauth 'no'
# IKEv1 is used here. OCI also supports IKEv2, which is the preferable choice
# for new deployments; switching requires the OCI-side tunnel to be set to
# IKEv2 as well.
set vpn ipsec ike-group oracle key-exchange 'ikev1'
# IKE SA lifetime in seconds (8 hours).
set vpn ipsec ike-group oracle lifetime '28800'
# DH group 20 = 384-bit ECP, AES-256, SHA-384: a strong phase 1 proposal.
set vpn ipsec ike-group oracle proposal 1 dh-group '20'
set vpn ipsec ike-group oracle proposal 1 encryption 'aes256'
set vpn ipsec ike-group oracle proposal 1 hash 'sha384'
# IKE/ESP are bound to the WAN interface only.
set vpn ipsec ipsec-interfaces interface 'eth0'
# Tunnel 1: peer 168.138.223.106 (OCI tunnel endpoint), bound to vti0.
# The authentication id must match the CPE address registered on the OCI side;
# if this router sits behind NAT, that is still the public address, not eth0's.
set vpn ipsec site-to-site peer 168.138.223.106 authentication id '【WAN IP Address】'
set vpn ipsec site-to-site peer 168.138.223.106 authentication mode 'pre-shared-secret'
# The PSK is kept in the VyOS configuration in clear text; keep config backups
# and this listing out of places where the real value could leak.
set vpn ipsec site-to-site peer 168.138.223.106 authentication pre-shared-secret '【PreSharedKey】'
# This side actively initiates the tunnel (together with DPD "restart" this
# keeps the tunnel up without relying on OCI to initiate).
set vpn ipsec site-to-site peer 168.138.223.106 connection-type 'initiate'
set vpn ipsec site-to-site peer 168.138.223.106 default-esp-group 'oracle'
set vpn ipsec site-to-site peer 168.138.223.106 ike-group 'oracle'
# Inherits the ike-group setting; only relevant for IKEv2.
set vpn ipsec site-to-site peer 168.138.223.106 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 168.138.223.106 local-address '【WAN IP Address】'
# Route-based VPN: traffic is selected by routes pointing at vti0 (BGP above),
# not by traffic selectors.
set vpn ipsec site-to-site peer 168.138.223.106 vti bind 'vti0'
# Tunnel 2: peer 158.101.69.192 (OCI tunnel endpoint), bound to vti1.
# Identical to tunnel 1 apart from the peer address and the VTI; the PSK
# placeholder may be a different value for this tunnel on the OCI side.
set vpn ipsec site-to-site peer 158.101.69.192 authentication id '【WAN IP Address】'
set vpn ipsec site-to-site peer 158.101.69.192 authentication mode 'pre-shared-secret'
# Stored in clear text in the VyOS configuration - protect config backups.
set vpn ipsec site-to-site peer 158.101.69.192 authentication pre-shared-secret '【PreSharedKey】'
set vpn ipsec site-to-site peer 158.101.69.192 connection-type 'initiate'
set vpn ipsec site-to-site peer 158.101.69.192 default-esp-group 'oracle'
set vpn ipsec site-to-site peer 158.101.69.192 ike-group 'oracle'
# Only relevant for IKEv2; inherits the ike-group setting.
set vpn ipsec site-to-site peer 158.101.69.192 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 158.101.69.192 local-address '【WAN IP Address】'
# Route-based VPN over vti1; which prefixes use this tunnel is decided by BGP.
set vpn ipsec site-to-site peer 158.101.69.192 vti bind 'vti1'