OCI IPsec VPN connection example using an NEC IX2105

Posted at 2023-03-16

Overview

This is a configuration example for connecting an NEC IX2105 to OCI Site-to-Site VPN (IPsec).

Topology

[topology image]

Configuration example (static routing)

The settings shown here have already been created on the OCI side.

Networking >> Customer Connectivity >> Site-to-Site VPN >> the created VPN
[screenshot]

[screenshot]

The IKE identifier differs depending on the CPE model and the network configuration (for example, when the CPE sits behind a NAT device).
In this case, the global IP address obtained via PPPoE is specified here.

Networking >> Customer Connectivity >> Site-to-Site VPN >> the created VPN >> Tunnel 1
[screenshot]

Networking >> Customer Connectivity >> Site-to-Site VPN >> the created VPN >> Tunnel 2
[screenshot]

Router(config)# show running-config
! NEC Portable Internetwork Core Operating System Software
! IX Series IX2105 (magellan-sec) Software, Version 10.2.42, RELEASE SOFTWARE
!
timezone +09 00
!
logging buffered 128000
logging subsystem ike info
logging timestamp datetime
!
!
ip ufs-cache enable
ip route default GigaEthernet0.1
ip route 10.0.0.0/25 Tunnel0.0
ip route 10.0.0.0/25 Tunnel1.0 metric 10
!
ikev2 authentication psk id ipv4 【OCI_Global_IP1】 key char 【PreSharedKey】
ikev2 authentication psk id ipv4 【OCI_Global_IP2】 key char 【PreSharedKey】
!
! Internet connection is via PPPoE
ppp profile internet
  authentication myname 【PPPoE_user_ID】
  authentication password 【PPPoE_user_ID】 【PPPoE_user_password】
!
ikev2 default-profile
  dpd interval 10
  source-address GigaEthernet0.1
!
device GigaEthernet0
!
device GigaEthernet1
!
interface GigaEthernet0.0
  no ip address
  shutdown
!
interface GigaEthernet1.0
  ip address 10.2.3.101/24
  no shutdown
!
interface GigaEthernet0.1
  encapsulation pppoe
  auto-connect
  ppp binding internet
  ip address ipcp
  ip napt enable
  ip napt static GigaEthernet0.1 udp 500
  ip napt static GigaEthernet0.1 udp 4500
  ip napt static GigaEthernet0.1 50
  no shutdown
!
interface Loopback0.0
  no ip address
!
interface Null0.0
  no ip address
!
interface Tunnel0.0
  tunnel mode ipsec-ikev2
  ip address 192.168.0.9/30
  ip tcp adjust-mss auto
  ipsec policy tunnel ipsec-policy1 out
  ikev2 child-lifetime 3600
  ikev2 child-pfs 1536-bit
  ikev2 child-proposal enc aes-cbc-256
  ikev2 child-proposal integrity sha2-256
  ikev2 connect-type auto
  ikev2 ipsec pre-fragment
  ikev2 outgoing-interface GigaEthernet0.1
  ikev2 sa-lifetime 28800
  ikev2 sa-proposal enc aes-cbc-256
  ikev2 sa-proposal integrity sha2-384
  ikev2 sa-proposal dh 1536-bit
  ikev2 peer 【OCI_Global_IP1】 authentication psk id ipv4 【OCI_Global_IP1】
  no shutdown
!
interface Tunnel1.0
  tunnel mode ipsec-ikev2
  ip address 192.168.0.13/30
  ip tcp adjust-mss auto
  ikev2 child-lifetime 3600
  ikev2 child-pfs 1536-bit
  ikev2 child-proposal enc aes-cbc-256
  ikev2 child-proposal integrity sha2-256
  ikev2 connect-type auto
  ikev2 ipsec pre-fragment
  ikev2 outgoing-interface GigaEthernet0.1
  ikev2 sa-lifetime 28800
  ikev2 sa-proposal enc aes-cbc-256
  ikev2 sa-proposal integrity sha2-384
  ikev2 sa-proposal dh 1536-bit
  ikev2 peer 【OCI_Global_IP2】 authentication psk id ipv4 【OCI_Global_IP2】
  no shutdown

IPsec status excerpt

Router(config)# show ikev2 sa
IKEv2 SA - 2 created
Interface Tunnel0.0
  SPI (I)0x190b76da0261382e  (R)0x4db25af75dde4349
    Remain lifetime[sec] : 28397
    Serial : 1316
    Direction : initiator
    Local Addr : 【CPE_Global_IP】:500
    Peer Addr  : 【OCI_Global_IP1】:500
    Local ID : IPV4-ADDR 【CPE_Global_IP】
    Peer ID  : IPV4-ADDR 【OCI_Global_IP1】
    Status : establish
    Local message ID : 42
    Peer message ID  : 58
    Encryption alg : AES-CBC-256
      initiator key : 0xb9bed2d5d28e3eed789312ef75992ed392911eca38739f02b17e1d3b34e4e446
      responder key : 0xe3d8a8fe3fa1fddaaf5790da8a72bc06a787dba75c65f9d48a44d246bbb52d63
    Integrity alg : HMAC-SHA2-384-192
      initiator key : 0x75ad11e41a2bf671342391279673d788e62e4903549c2846b1007e927039cd6d390de60c9ed08c86628938608fee39a5
      responder key : 0x85808f39a27036057642bf9945e4c861c50160479ce5777ca51ee7478960851f6403c45ba982af1351ee274977d50b26
    PRF alg  : HMAC-SHA2-384
    DH group : MODP-1536
    PFS : MODP-1536
    DPD : interval 10[sec]
    Child
      Prot SPI(IN)    SPI(OUT)   Lifetime[sec]
      ESP  0x79077a67 0xef029ad2 3198
Interface Tunnel1.0
  SPI (I)0xc9e64562cf815879  (R)0x8983f9f5afdf184d
    Remain lifetime[sec] : 28490
    Serial : 1322
    Direction : initiator
    Local Addr :【CPE_Global_IP】:500
    Peer Addr  :【OCI_Global_IP2】:500
    Local ID : IPV4-ADDR 【CPE_Global_IP】
    Peer ID  : IPV4-ADDR 【OCI_Global_IP2】
    Status : establish
    Local message ID : 33
    Peer message ID  : 60
    Encryption alg : AES-CBC-256
      initiator key : 0xed6266dfa4d75bd07dd55b23ac004d810a2ba61ab1b15e7dee418ca10c93c84a
      responder key : 0xdc6d001589418743b7a557ff54ecb06ad0785e1f7dc5bf8d46c56dd2afc50dd3
    Integrity alg : HMAC-SHA2-384-192
      initiator key : 0x2f5871a8ab56765f74a79b4ce51096f81f4ff42cef1776b220b68694589336292f716f14e206fa9eecdfdc205125cffb
      responder key : 0xc7bd73ae6097e94843ecb86bc8c72f1545ea3b33772816563d30eb867ce69eb7e865cfa992011dc6164daa563d06296d
    PRF alg  : HMAC-SHA2-384
    DH group : MODP-1536
    PFS : MODP-1536
    DPD : interval 10[sec]
    Child
      Prot SPI(IN)    SPI(OUT)   Lifetime[sec]
      ESP  0xef3626d7 0x5c8124ba 3291
Router(config)#
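As an added check that is not part of the original article, the script below parses IX2105 `show ikev2 sa` output and flags any tunnel that is not established or whose negotiated parameters differ from the proposals configured on Tunnel0.0/Tunnel1.0 above; SAMPLE_SA_OUTPUT is a constructed excerpt in the same format (the key lines are simply ignored by the parser).

```python
import re

# Constructed excerpt in the format of the "show ikev2 sa" output above (sample values, not the
# article's); Tunnel1.0 is deliberately shown with a weaker, still-negotiating SA.
SAMPLE_SA_OUTPUT = """IKEv2 SA - 2 created
Interface Tunnel0.0
  SPI (I)0x190b76da0261382e  (R)0x4db25af75dde4349
    Status : establish
    Encryption alg : AES-CBC-256
    Integrity alg : HMAC-SHA2-384-192
    DH group : MODP-1536
    PFS : MODP-1536
Interface Tunnel1.0
  SPI (I)0xc9e64562cf815879  (R)0x8983f9f5afdf184d
    Status : negotiating
    Encryption alg : AES-CBC-256
    Integrity alg : HMAC-SHA2-384-192
    DH group : MODP-1024
    PFS : MODP-1024
"""

# What the article's Tunnel0.0/Tunnel1.0 proposals should negotiate.
EXPECTED = {"Encryption alg": "AES-CBC-256", "Integrity alg": "HMAC-SHA2-384-192",
            "DH group": "MODP-1536", "PFS": "MODP-1536"}

def parse_ikev2_sa(text):
    """Return {interface: {field: value}} from 'show ikev2 sa' output."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Interface (\S+)", line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        # "    Field name : value" lines; SPI/Child/key-table lines have no such shape
        m = re.match(r"^\s+([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return tunnels

def audit_tunnels(text, expected=EXPECTED):
    """Return (interface, problem) findings; an empty list means every SA matches the configuration."""
    findings = []
    for iface, fields in parse_ikev2_sa(text).items():
        if fields.get("Status") != "establish":
            findings.append((iface, f"status is {fields.get('Status')!r}"))
        for key, want in expected.items():
            if fields.get(key) != want:
                findings.append((iface, f"{key} is {fields.get(key)!r}, expected {want!r}"))
    return findings
```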
  • Ping test
    Ping result from the on-premises server to the OCI server
C:\>ping 10.0.0.105

Pinging 10.0.0.105 with 32 bytes of data:
Reply from 10.0.0.105: bytes=32 time=14ms TTL=60
Reply from 10.0.0.105: bytes=32 time=7ms TTL=60
Reply from 10.0.0.105: bytes=32 time=9ms TTL=60
Reply from 10.0.0.105: bytes=32 time=9ms TTL=60

Ping statistics for 10.0.0.105:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 14ms, Average = 9ms

Ping result from the OCI server to the on-premises server
[opc@t-vm10-0-0-105 ~]$ ping 10.2.3.103
PING 10.2.3.103 (10.2.3.103) 56(84) bytes of data.
64 bytes from 10.2.3.103: icmp_seq=1 ttl=252 time=7.02 ms
64 bytes from 10.2.3.103: icmp_seq=2 ttl=252 time=13.8 ms
64 bytes from 10.2.3.103: icmp_seq=3 ttl=252 time=11.10 ms
64 bytes from 10.2.3.103: icmp_seq=4 ttl=252 time=7.32 ms
^C
--- 10.2.3.103 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 7.016/10.012/13.750/2.916 ms
[opc@t-vm10-0-0-105 ~]$

Configuration example (BGP)

Change the static route configuration as follows.
【OCI】

  • Networking >> Customer Connectivity >> Site-to-Site VPN >> the created VPN >> edit Tunnel 1 and change its routing type to BGP
  • Networking >> Customer Connectivity >> Site-to-Site VPN >> the created VPN >> edit Tunnel 2 and change its routing type to BGP
  • Networking >> Customer Connectivity >> Site-to-Site VPN >> edit the created VPN and delete the static route configured under "Routes to your on-premises network"

【IX2105】

Delete the following static routes:
ip route 10.0.0.0/25 Tunnel0.0
ip route 10.0.0.0/25 Tunnel1.0 metric 10

Add the BGP configuration:
ip prefix-list as-path-in 10 permit any
ip prefix-list as-path-out 10 permit any

route-map route2-in permit 10
  match ip address prefix-list as-path-in
  set as-path prepend 31898
!
route-map route2-out permit 10
  match ip address prefix-list as-path-out
  set as-path prepend 64512
!
router bgp 64512
  neighbor 192.168.0.10 remote-as 31898
  neighbor 192.168.0.10 timers 10 30
  neighbor 192.168.0.14 remote-as 31898
  neighbor 192.168.0.14 timers 10 30
  address-family ipv4 unicast
    neighbor 192.168.0.14 route-map route2-in in
    neighbor 192.168.0.14 route-map route2-out out
    network 10.2.3.0/24

BGP verification

Router(config)# sh ip route
IP Routing Table - 8 entries, 4 hidden, 2036 frees
Entries: 4 Connected, 1 Static, 0 RIP, 0 OSPF, 3 BGP
Codes: C - Connected, S - Static, R - RIP, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, B - BGP
       * - Candidate default, s - Summary
Timers: Age
S*   0.0.0.0/0 [1/1] is directly connected, GigaEthernet0.1, 1:32:03
     10.0.0.0/8 is subnetted, 3 subnets
B      10.0.0.0/25 [20/0] via 192.168.0.10, Tunnel0.0, 0:13:11
B      10.0.0.128/27 [20/0] via 192.168.0.10, Tunnel0.0, 0:13:11
C      10.2.3.0/24 [0/0] is directly connected, GigaEthernet1.0, 1:23:51
C      192.168.0.8/30 [0/0] is directly connected, Tunnel0.0, 0:15:13
C      192.168.0.12/30 [0/0] is directly connected, Tunnel1.0, 0:13:54

Router(config)# sh ip bgp sum
BGP router ID 192.168.0.13, local AS number 64512
4 BGP AS-PATH entries

Neighbor         V    AS    MsgRcvd MsgSent Up/DownTime   State
 192.168.0.10    4    31898 215     222     0:13:21       ESTABLISHED
 192.168.0.14    4    31898 212     216     0:12:02       ESTABLISHED

Total number of neighbors 2

Router(config)# sh ip bgp
BGP table version is 55, local router ID is 192.168.0.13
Local AS number 64512
Status codes: s - suppressed, * - valid, h - history, l - looped
              > - best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop            Metric     LocPrf  Path
*  10.0.0.0/25        192.168.0.14                           31898 31898 i
*>                    192.168.0.10                           31898 i
*  10.0.0.128/27      192.168.0.14                           31898 31898 i
*>                    192.168.0.10                           31898 i
*> 10.2.3.0/24        0.0.0.0                  0             i
*  172.16.0.0/25      192.168.0.14                           31898 31898 i
*>                    192.168.0.10                           31898 i

Total number of prefixes 7
Router(config)#
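An added verification script, not from the article, that parses `sh ip bgp sum` and `sh ip route` output to confirm both OCI neighbors are ESTABLISHED and that every BGP-learned route is installed via the Tunnel0.0 peer, which is the result the AS-path prepend on neighbor 192.168.0.14 is meant to produce; the sample outputs are constructed, with the second neighbor shown still converging so the check has something to report.

```python
import re

PRIMARY_PEER = "192.168.0.10"   # Tunnel0.0 peer: preferred path in the article's design
BACKUP_PEER = "192.168.0.14"    # Tunnel1.0 peer: AS-path prepended, backup only

# Constructed excerpts in the format of the IX2105 "sh ip bgp sum" and "sh ip route" output above.
SAMPLE_BGP_SUMMARY = """Neighbor         V    AS    MsgRcvd MsgSent Up/DownTime   State
 192.168.0.10    4    31898 215     222     0:13:21       ESTABLISHED
 192.168.0.14    4    31898 3       5       0:00:09       OPENCONFIRM
"""
SAMPLE_ROUTES = """S*   0.0.0.0/0 [1/1] is directly connected, GigaEthernet0.1, 1:32:03
B      10.0.0.0/25 [20/0] via 192.168.0.10, Tunnel0.0, 0:13:11
B      10.0.0.128/27 [20/0] via 192.168.0.14, Tunnel1.0, 0:00:05
C      10.2.3.0/24 [0/0] is directly connected, GigaEthernet1.0, 1:23:51
"""

def neighbor_states(summary):
    """Map neighbor IP -> BGP session state from 'sh ip bgp sum'."""
    states = {}
    for line in summary.splitlines():
        m = re.match(r"^\s*(\d+(?:\.\d+){3})\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+(\S+)", line)
        if m:
            states[m.group(1)] = m.group(2)
    return states

def bgp_routes(route_table):
    """Map prefix -> (next_hop, interface) for the 'B' entries of 'sh ip route'."""
    routes = {}
    for line in route_table.splitlines():
        m = re.match(r"^B\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\d+(?:\.\d+){3}),\s*(\S+?),", line)
        if m:
            routes[m.group(1)] = (m.group(2), m.group(3))
    return routes

def check_failover_design(summary, route_table):
    """Return findings; empty when both sessions are up and all BGP routes use the primary tunnel."""
    findings = []
    states = neighbor_states(summary)
    for peer in (PRIMARY_PEER, BACKUP_PEER):
        if states.get(peer) != "ESTABLISHED":
            findings.append(f"neighbor {peer}: state {states.get(peer)!r}")
    for prefix, (next_hop, iface) in bgp_routes(route_table).items():
        if next_hop != PRIMARY_PEER:
            findings.append(f"{prefix}: via {next_hop} ({iface}), expected primary {PRIMARY_PEER}")
    return findings
```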
  • Ping test
    Ping result from the on-premises server to the OCI server
C:\>ping 10.0.0.105

Pinging 10.0.0.105 with 32 bytes of data:
Reply from 10.0.0.105: bytes=32 time=30ms TTL=60
Reply from 10.0.0.105: bytes=32 time=48ms TTL=60
Reply from 10.0.0.105: bytes=32 time=24ms TTL=60
Reply from 10.0.0.105: bytes=32 time=56ms TTL=60

Ping statistics for 10.0.0.105:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 56ms, Average = 39ms

Ping result from the OCI server to the on-premises server
[opc@t-vm10-0-0-105 ~]$ ping 10.2.3.103
PING 10.2.3.103 (10.2.3.103) 56(84) bytes of data.
64 bytes from 10.2.3.103: icmp_seq=1 ttl=252 time=43.0 ms
64 bytes from 10.2.3.103: icmp_seq=2 ttl=252 time=38.5 ms
64 bytes from 10.2.3.103: icmp_seq=3 ttl=252 time=38.4 ms
64 bytes from 10.2.3.103: icmp_seq=4 ttl=252 time=41.0 ms
^C
--- 10.2.3.103 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 38.434/40.235/43.008/1.916 ms