Setting Up VyOS 1.5 Again

Summary

I used pfSense for many years, but around the start of the year its licensing changed, and even homelab use now requires a $125/yr subscription to get a license issued. I tried OPNsense, which I had been curious about, but on KVM it ran poorly: every boot took more than 10 minutes and with 1 core the CPU felt pegged, so I gave up on it.

I re-examined the features our home cloud router needs and am looking at migrating to VyOS.

Requirements

  • OS: Linux preferred
  • FRR is available
  • Can build VPNs with IPsec IKEv2
  • Can run cloudflared or warp
  • Can act as a DoH client
  • DNS server
  • Connects via the he.net IPv6 Tunnel Broker

| Interface | env | IP Address | Gateway | Description |
|---|---|---|---|---|
| eth0 | ${_IF_WAN_IPv4} | 198.51.100.1/24 | 198.51.100.254 | |
| eth1 | ${_IF_MGMT_IPv4} | 192.0.2.3/24 | 192.0.2.1 | |
| eth1v11v4 | ${_IF_MGMT_VRRP_IPv4} | 192.0.2.1/24 | | |
| | | 192.0.2.8 | | Syslog Server |
| BGP | ${_EIP_VIP_IPv4} | 203.0.113.1/32 | | VIP Elastic IP |
| dum1 | ${_ANYCAST_IPv4} | 10.1.1.12/32 | | BGP IP Anycast |
| dum1 | ${_ANYCAST_IPv6} | fd00:1:2:1010::12/128 | | BGP IP Anycast |
| | | 2001:db8:cafe:beef::1 | | he.net GW |
| | | 2001:db8:beef::/48 | | /48 from he.net |

Installation

Since I am going to use 1.5 rolling casually, download it from the official site.

VyOS Community

```text
https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202405040019/vyos-1.5-rolling-202405040019-amd64.iso
```

The default username and password are as follows.

  • username: vyos

  • password: vyos

  • Start the installation to disk with install image

```text
vyos@vyos:~$ install image
Welcom to VyOS installation!
This command will install VyOS to your permanent storage.
Would you like to continue? [y/N] y
What would you like to name this image? (Default: 1.5-rolling-202405040019) [Enter]
Please enter a password for the "vyos" user: 
Please confirm password for the "vyos" user: 
What console should be used by default? (K: KVM, S: Serial, U: USB-Serial)? (Default: K)
Probing disks
1 disk(s) found
The following disks ware found:
Drive: /dev/vda (25.0 GB)
Which one should be used for installation? (Default: /dev/vda) [Enter]
Installation will delate all data on the drive. Continue? [y/N] y
Searching for data from previous installations
No previous installation found
Would you like to use all the free space on the drive? [Y/n]
Creating partition table...
The following config files are available for boot:
        1: /opt/vyatta/etc/config/config/config.boot
        2: /opt/vyatta/etc/config.boot.default
Which file would you like as boot config? (Default: 1) [Enter]
Createing temporary directoryies
Mounting new partitions
Creating a configuration file
Copying system image files
Installing GRUB configuration files
Installing GRUB to the drive
Cleaning up
Unmounting target filesystems
Removeing temporary files
The image installed successfully: place reboot now.
```

```bash
reboot
y
```

Version

```text
vyos@border-02:~$ show version
Version:          VyOS 1.5-rolling-202405040019
Release train:    current

Built by:         [email protected]
Built on:         Sat 04 May 2024 02:43 UTC
Build UUID:       6d407e87-6eeb-4932-841c-28fabd5dd88f
Build commit ID:  4490b2aeecfde6

Architecture:     x86_64
Boot via:         installed image
System type:      Microsoft Hyper-V guest

Hardware vendor:  Vultr
Hardware model:   VHP
Hardware S/N:     73982079
Hardware UUID:    6f93faab-6a1b-4771-a9b9-fcc396c2db34

Copyright:        VyOS maintainers and contributors
```

Hostname

```bash
set system host-name 'border-02'
```

Timezone

```bash
set system time-zone 'Asia/Tokyo'
```

Interface

```bash
# WAN
set interfaces ethernet eth0 address "${_IF_WAN_IPv4}"
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 mtu '1500'

# LAN
set interfaces ethernet eth1 address "${_IF_MGMT_IPv4}"
set interfaces ethernet eth1 description 'MGMT'
set interfaces ethernet eth1 mtu '1450'

# VIP
set interfaces dummy dum1 address "${_EIP_VIP_IPv4}"
set interfaces dummy dum1 description 'VIP 1'

set interfaces dummy dum2 address "${_ANYCAST_IPv4}"
set interfaces dummy dum2 address "${_ANYCAST_IPv6}"
set interfaces dummy dum2 description 'IP anycast for service'
```

IPv6 Tunnel

I have an experimental IPv6 prefix from Tunnelbroker, so configure it here.

```bash
set interfaces tunnel tun0 address '<he.net PEER IP>'
set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel #000000'
set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 mtu '1450'
set interfaces tunnel tun0 remote '<he.net GW>'
set interfaces tunnel tun0 source-address "${_EIP_VIP_IPv4}"

set protocols static route6 ::/0 interface tun0
```

VRRP

In our home cloud, VRRP version 2 is configured to ensure L2 reachability on the MGMT segment.

  • startup-delay 30: after a reboot and the like, advertisements are sent only once 30 seconds have elapsed
  • preempt-delay 180: switch over 3 minutes after advertisements start arriving
  • track interface *: switch over when a link goes down
```bash
set high-availability vrrp global-parameters startup-delay 30

set high-availability vrrp group mgmt vrid 11
set high-availability vrrp group mgmt interface eth1
set high-availability vrrp group mgmt address "${_IF_MGMT_VRRP_IPv4}"
set high-availability vrrp group mgmt preempt-delay 60
set high-availability vrrp group mgmt track interface eth0
set high-availability vrrp group mgmt track interface eth1
set high-availability vrrp group mgmt track interface tun0
set high-availability vrrp group mgmt rfc3768-compatibility
```

border-01 side
```bash
set high-availability vrrp group mgmt priority 201
```

border-02 side
```bash
set high-availability vrrp group mgmt priority 101
```

```bash
compare
commit
```

Task Scheduler

I wrote a script. A static route has to be configured for he.net, and when a failure occurs the default route keeps being advertised unless that route is removed. So, crude as it is, I use the Task Scheduler to send ICMP toward the GW, and when the liveness check fails the route is disabled, which stops the BGP advertisement.

  • source /opt/vyatta/etc/functions/script-template: sourcing it creates a login session, so it is placed right before the configure command to suppress unnecessary calls
  • exit, exit discard: if Configuration Mode and Operation Mode are not exited properly, sessions keep accumulating, so handle this properly
    • exit discard is a precaution: commit and save have already run in the preceding step, so it is written explicitly to discard any remaining configuration and to make sure the session is exited.
/config/scripts/tunnel-check.script
```bash
#!/bin/vbash
# Re-exec under the vyattacfg group so the CLI session helpers can be used
# Ref: https://docs.vyos.io/en/latest/automation/command-scripting.html
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $@"
fi

TUNNEL_INTERFACE="${1}"
TARGET_IP="2001:db8:cafe:beef::1"   # he.net tunnel gateway

# Liveness check: 5 echo requests, 1 second wait each
ping -c5 -W1 "${TARGET_IP}" > /dev/null 2>&1
if [ $? -eq 0 ]; then
    # link up: if no IPv6 default route is installed (exit code 2), re-enable it
    ip -6 route get :: > /dev/null 2>&1
    if [ $? -eq 2 ]; then
      source /opt/vyatta/etc/functions/script-template
      configure
      delete protocols static route6 ::/0 interface "${TUNNEL_INTERFACE}" disable
      commit
      save
      exit
      # precaution: discard anything left over and make sure the session is closed.
      # Only valid once script-template is sourced; outside a session it would be
      # the bash builtin and fail with "numeric argument required".
      exit discard
    fi
else
    # link down: if the IPv6 default route is still installed (exit code 0), disable it
    ip -6 route get :: > /dev/null 2>&1
    if [ $? -eq 0 ]; then
      source /opt/vyatta/etc/functions/script-template
      configure
      set protocols static route6 ::/0 interface "${TUNNEL_INTERFACE}" disable
      commit
      save
      exit
      # same precaution as above
      exit discard
    fi
fi
```

Make it executable.

```bash
chmod +x /config/scripts/tunnel-check.script

set system task-scheduler task tun0-check executable arguments 'tun0'
set system task-scheduler task tun0-check executable path '/config/scripts/tunnel-check.script'
set system task-scheduler task tun0-check interval '1m'
```

SNAT

SNAT so that the internal network can reach the outside. This time the Vultr Reserved IP is advertised via BGP for redundancy, so SNAT uses that IP.
To use the WAN IP instead, translation address 'masquerade' does it.

```bash
set nat source rule 101 outbound-interface name 'eth0'
set nat source rule 101 source address '192.0.2.0/24'
set nat source rule 101 translation address "${_EIP_VIP_IPv4}"
```

LLDP

Enable LLDP. eth0 is the WAN, so disable it there individually.

```bash
set service lldp interface all
set service lldp interface eth0 disable
```

Firewall

Configure the firewall.
It is as the rules show; managing them with description is convenient.

```bash
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop
```

WAN
```bash
set firewall ipv4 name wan rule 101 action 'accept'
set firewall ipv4 name wan rule 101 description 'ACCEPT ICMP echo reply'
set firewall ipv4 name wan rule 101 icmp type-name 'echo-request'
set firewall ipv4 name wan rule 101 protocol 'icmp'

set firewall ipv4 name wan rule 111 action 'accept'
set firewall ipv4 name wan rule 111 description 'ACCEPT BGP from Vultr'
set firewall ipv4 name wan rule 111 destination port 'bgp'
set firewall ipv4 name wan rule 111 protocol 'tcp'
set firewall ipv4 name wan rule 111 source address '169.254.169.254'

set firewall ipv4 name wan rule 121 action 'accept'
set firewall ipv4 name wan rule 121 description 'ACCEPT SSH'
set firewall ipv4 name wan rule 121 destination port '22'
set firewall ipv4 name wan rule 121 log
set firewall ipv4 name wan rule 121 protocol 'tcp'

set firewall zone wan default-action 'drop'
set firewall zone wan interface 'eth0'
```

return policy
```bash
set firewall ipv4 name return rule 11 action 'accept'
set firewall ipv4 name return rule 11 protocol 'all'
set firewall ipv4 name return rule 11 state established 'enable'
```

MGMT
```bash
set firewall zone mgmt default-action 'reject'
set firewall zone mgmt interface 'eth1'
set firewall zone mgmt interface 'eth1v11v4'
```

IPsecVPN
```bash
set firewall zone IPsecVPN default-action 'reject'
set firewall zone IPsecVPN interface 'vti1'
set firewall zone IPsecVPN interface 'vti2'
```
  • Allow the following traffic directions
    • MGMT -> WAN
    • IPsecVPN -> WAN
```bash
set firewall zone wan from mgmt firewall name 'return'
set firewall zone wan from IPsecVPN firewall name 'return'
```

User

```bash
configure

set system login user vyos authentication public-keys naa0yama key 'AAAAB3Nz'
set system login user vyos authentication public-keys naa0yama type 'ssh-rsa'

compare
commit
```

SSH

Since SSH keys were set up in the User section, disable password authentication.

```bash
configure

set service ssh
set service ssh disable-password-authentication

compare
commit
```

Syslog

Send to a remote host (IP: 192.0.2.8).

```bash
set system syslog host 192.0.2.8 facility all level all
set system syslog host 192.0.2.8 protocol udp
```

DNS

Later I will configure DoH with cloudflared, but it would be bad for the system's own name resolution to fail, so this is left unchanged.

```bash
set system name-server 1.1.1.1
set system name-server 1.0.0.1
set system name-server 2606:4700:4700::1111
set system name-server 2606:4700:4700::1001
```

BGP(outbound)

This time Vultr provides a BGP peer from which the default route can be received, so connect to that.
Also, a point where Vultr differs from other VPS services is that advertising an Elastic IP via BGP pulls its route toward you. Using this, I dropped VRRP across the Internet and achieved Active-Standby by advertising to Vultr via BGP.
BGP "traffic engineering" at home is exciting, after all.

| | Instance | Vultr |
|---|---|---|
| ASN | 64650 | 64515 |
| IPv4 | WAN Address | 169.254.169.254 |
| IPv6 | IPv6 Address | 2001:19f0:ffff:: |
| BGP Password | | P@ssw0rd |
| Multihop | | 2 |

prefix-list

This BGP session is a private peering with Vultr, so it is not a problem here, but leaking routes other than your own AS's would be bad, so as is common practice both in and out are controlled with prefix-lists and route-maps.

  • DEFAULT_ROUTEv4
    • List that accepts the default route advertised from Vultr
  • OUTBOUND_TO_VULTRv4
    • List that advertises the fixed IP reserved as an Elastic IP to Vultr
  • DEFAULT_ROUTEv6
    • List that accepts the IPv6 default route
```bash
set policy prefix-list DEFAULT_ROUTEv4 description 'IPv4 Routes advertised from Border'
set policy prefix-list DEFAULT_ROUTEv4 rule 11 action 'permit'
set policy prefix-list DEFAULT_ROUTEv4 rule 11 description 'IPv4 default route'
set policy prefix-list DEFAULT_ROUTEv4 rule 11 prefix '0.0.0.0/0'

set policy prefix-list6 DEFAULT_ROUTEv6 rule 11 action 'permit'
set policy prefix-list6 DEFAULT_ROUTEv6 rule 11 description 'IPv6 default route'
set policy prefix-list6 DEFAULT_ROUTEv6 rule 11 prefix '::/0'

set policy prefix-list OUTBOUND_TO_VULTRv4 description 'IPv4 Outbound to Vultr'
set policy prefix-list OUTBOUND_TO_VULTRv4 rule 11 action 'permit'
set policy prefix-list OUTBOUND_TO_VULTRv4 rule 11 description 'NAT 1'
set policy prefix-list OUTBOUND_TO_VULTRv4 rule 11 prefix "${_EIP_VIP_IPv4}"
```
  • HOME_NETv4
    • Permits home routes with prefix lengths 24-24 and 32
  • HOME_NETv6
    • Permits home routes with prefix lengths 60-64 and 126-128
```bash
set policy prefix-list HOME_NETv4 description 'IPv4 Redistribute of home routes'
set policy prefix-list HOME_NETv4 rule 11 action 'permit'
set policy prefix-list HOME_NETv4 rule 11 ge '24'
set policy prefix-list HOME_NETv4 rule 11 le '24'
set policy prefix-list HOME_NETv4 rule 11 prefix '10.0.0.0/8'
set policy prefix-list HOME_NETv4 rule 12 action 'permit'
set policy prefix-list HOME_NETv4 rule 12 ge '32'
set policy prefix-list HOME_NETv4 rule 12 prefix '10.0.0.0/8'
set policy prefix-list HOME_NETv4 rule 21 action 'permit'
set policy prefix-list HOME_NETv4 rule 21 ge '24'
set policy prefix-list HOME_NETv4 rule 21 le '24'
set policy prefix-list HOME_NETv4 rule 21 prefix '192.168.0.0/16'
set policy prefix-list HOME_NETv4 rule 22 action 'permit'
set policy prefix-list HOME_NETv4 rule 22 ge '30'
set policy prefix-list HOME_NETv4 rule 22 le '32'
set policy prefix-list HOME_NETv4 rule 22 prefix '192.168.0.0/16'

set policy prefix-list6 HOME_NETv6 description 'IPv6 Redistribute of home routes'
set policy prefix-list6 HOME_NETv6 rule 11 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 11 ge '60'
set policy prefix-list6 HOME_NETv6 rule 11 le '64'
set policy prefix-list6 HOME_NETv6 rule 11 prefix '2001:470:fe17::/48'
set policy prefix-list6 HOME_NETv6 rule 12 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 12 ge '126'
set policy prefix-list6 HOME_NETv6 rule 12 le '128'
set policy prefix-list6 HOME_NETv6 rule 12 prefix '2001:470:fe17::/48'

set policy prefix-list6 HOME_NETv6 rule 21 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 21 ge '60'
set policy prefix-list6 HOME_NETv6 rule 21 le '64'
set policy prefix-list6 HOME_NETv6 rule 21 prefix 'fd00:1:2::/48'
set policy prefix-list6 HOME_NETv6 rule 22 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 22 ge '126'
set policy prefix-list6 HOME_NETv6 rule 22 le '128'
set policy prefix-list6 HOME_NETv6 rule 22 prefix 'fd00:1:2::/48'
```

route-map

route-map processing must be written in the order below, otherwise routes may unintentionally fall out of the match.

  • set

  • call

  • match

  • DEFAULT_ROUTE

    • rule 11: when passed through, attach a BGP community <MyAS>:<identifier ID>
    • rule 12: apply route-map STANDBY_PREPEND
    • rule 10011: if it matches prefix-list DEFAULT_ROUTEv4, import into the route table
    • rule 20011: if the nexthop matches 2001:db8:cafe:beef::1, import into the route table
    • rule 20012: if it matches prefix-list6 DEFAULT_ROUTEv6, import into the route table
```bash
set policy route-map DEFAULT_ROUTE description 'Received default route'
set policy route-map DEFAULT_ROUTE rule 11 action 'permit'
set policy route-map DEFAULT_ROUTE rule 11 description 'Attach community to received default route'
set policy route-map DEFAULT_ROUTE rule 11 on-match next
set policy route-map DEFAULT_ROUTE rule 11 set community add '64650:10113'

set policy route-map DEFAULT_ROUTE rule 12 action 'permit'
set policy route-map DEFAULT_ROUTE rule 12 call STANDBY_PREPEND
set policy route-map DEFAULT_ROUTE rule 12 description 'Standby router adds aspath'
set policy route-map DEFAULT_ROUTE rule 12 on-match next

set policy route-map DEFAULT_ROUTE rule 10011 action 'permit'
set policy route-map DEFAULT_ROUTE rule 10011 description 'IPv4 Allow default routes listed in prefix-list'
set policy route-map DEFAULT_ROUTE rule 10011 match ip address prefix-list 'DEFAULT_ROUTEv4'

set policy route-map DEFAULT_ROUTE rule 20011 action 'permit'
set policy route-map DEFAULT_ROUTE rule 20011 description 'IPv6 Allow default routes listed in prefix-list'
set policy route-map DEFAULT_ROUTE rule 20011 on-match next
set policy route-map DEFAULT_ROUTE rule 20011 match ipv6 nexthop address '2001:db8:cafe:beef::1'

set policy route-map DEFAULT_ROUTE rule 20012 action 'permit'
set policy route-map DEFAULT_ROUTE rule 20012 description 'IPv6 Allow default routes listed in prefix-list'
set policy route-map DEFAULT_ROUTE rule 20012 match ipv6 address prefix-list 'DEFAULT_ROUTEv6'
```
  • OUTBOUND_TO_VULTR
    • rule 11: apply route-map STANDBY_PREPEND
    • rule 12: if it matches prefix-list OUTBOUND_TO_VULTR, advertise to the peer
```bash
set policy route-map OUTBOUND_TO_VULTR description 'Standby router adds aspath'
set policy route-map OUTBOUND_TO_VULTR rule 11 action 'permit'
set policy route-map OUTBOUND_TO_VULTR rule 11 call STANDBY_PREPEND
set policy route-map OUTBOUND_TO_VULTR rule 11 on-match next

set policy route-map OUTBOUND_TO_VULTR rule 12 action 'permit'
set policy route-map OUTBOUND_TO_VULTR rule 12 on-match next
set policy route-map OUTBOUND_TO_VULTR rule 12 match ip address prefix-list 'OUTBOUND_TO_VULTRv4'
```
  • HOME_NET_REDISTRIBUTE
    • Bundles the redistributed home routes; does not include the default route
```bash
set policy route-map HOME_NET_REDISTRIBUTE description 'Redistribute of home routes'
set policy route-map HOME_NET_REDISTRIBUTE rule 11 action 'permit'
set policy route-map HOME_NET_REDISTRIBUTE rule 11 match ip address prefix-list 'HOME_NETv4'

set policy route-map HOME_NET_REDISTRIBUTE rule 21 action 'permit'
set policy route-map HOME_NET_REDISTRIBUTE rule 21 match ipv6 address prefix-list 'HOME_NETv6'
```
  • IPSEC_VPN
    • Bundles the redistributed home routes together with the default route
```bash
set policy route-map IPSEC_VPN description 'Redistribute and default route of home routes'
set policy route-map IPSEC_VPN rule 11 action 'permit'
set policy route-map IPSEC_VPN rule 11 match ip address prefix-list 'HOME_NETv4'
set policy route-map IPSEC_VPN rule 12 action 'permit'
set policy route-map IPSEC_VPN rule 12 match ip address prefix-list 'DEFAULT_ROUTEv4'

set policy route-map IPSEC_VPN rule 21 action 'permit'
set policy route-map IPSEC_VPN rule 21 match ipv6 address prefix-list 'HOME_NETv6'
set policy route-map IPSEC_VPN rule 22 action 'permit'
set policy route-map IPSEC_VPN rule 22 match ipv6 address prefix-list 'DEFAULT_ROUTEv6'
```
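
Added example (mine, not code from this post or from VyOS/FRR): the Python below models FRR prefix-list evaluation with ge/le bounds, sequence order and the implicit trailing deny, using the HOME_NETv4/v6 and DEFAULT_ROUTEv4/v6 lists from the prefix-list section, and then shows why HOME_NET_REDISTRIBUTE never passes 0.0.0.0/0 while IPSEC_VPN does. It assumes every route-map rule is a permit with a single prefix-list match, which is how those two maps are written above.

```python
"""Prefix-list and route-map filtering as used by the BGP policy in this post.

Added example, not code from the post or from VyOS/FRR. Models FRR prefix-list
semantics: rules tried in sequence order, first match wins, implicit deny at
the end, ge/le bounds on the prefix length. The route-map model assumes each
rule is a permit with one prefix-list match (HOME_NET_REDISTRIBUTE, IPSEC_VPN).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str               # 'permit' or 'deny'
    prefix: str               # e.g. '10.0.0.0/8'
    ge: Optional[int] = None  # minimum prefix length, inclusive
    le: Optional[int] = None  # maximum prefix length, inclusive


def rule_matches(rule: Rule, route: str) -> bool:
    """True when `route` lies inside rule.prefix and its length is within
    [ge, le]. Without ge/le only the exact prefix matches; a bare `ge`
    extends the upper bound to the host length (32 or 128)."""
    net = ipaddress.ip_network(rule.prefix, strict=False)
    cand = ipaddress.ip_network(route, strict=False)
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    if rule.ge is None and rule.le is None:
        return cand.prefixlen == net.prefixlen
    lo = rule.ge if rule.ge is not None else net.prefixlen
    hi = rule.le if rule.le is not None else cand.max_prefixlen
    return lo <= cand.prefixlen <= hi


def evaluate(rules, route):
    """Return (action, seq) of the first matching rule, or ('deny', None)
    for the implicit deny that ends every prefix-list."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, route):
            return rule.action, rule.seq
    return "deny", None


def route_map_permits(prefix_lists, route) -> bool:
    """A route-map made only of permit rules, each matching one prefix-list,
    passes a route if any of those lists permits it; otherwise implicit deny."""
    return any(evaluate(pl, route)[0] == "permit" for pl in prefix_lists)


# The lists as configured in this post (rule 22 of HOME_NETv4 with 'le 32').
DEFAULT_ROUTEv4 = [Rule(11, "permit", "0.0.0.0/0")]
DEFAULT_ROUTEv6 = [Rule(11, "permit", "::/0")]
HOME_NETv4 = [
    Rule(11, "permit", "10.0.0.0/8", ge=24, le=24),
    Rule(12, "permit", "10.0.0.0/8", ge=32),
    Rule(21, "permit", "192.168.0.0/16", ge=24, le=24),
    Rule(22, "permit", "192.168.0.0/16", ge=30, le=32),
]
HOME_NETv6 = [
    Rule(11, "permit", "2001:470:fe17::/48", ge=60, le=64),
    Rule(12, "permit", "2001:470:fe17::/48", ge=126, le=128),
    Rule(21, "permit", "fd00:1:2::/48", ge=60, le=64),
    Rule(22, "permit", "fd00:1:2::/48", ge=126, le=128),
]
# route-maps: HOME_NET_REDISTRIBUTE excludes the default route, IPSEC_VPN includes it
HOME_NET_REDISTRIBUTE = [HOME_NETv4, HOME_NETv6]
IPSEC_VPN = [HOME_NETv4, DEFAULT_ROUTEv4, HOME_NETv6, DEFAULT_ROUTEv6]

if __name__ == "__main__":
    # Routes from this post: a home /24, the anycast /32s, the VTI /30, a too-short
    # aggregate and the default route.
    for route in ("10.1.1.0/24", "10.1.1.12/32", "10.1.0.0/16",
                  "192.168.255.8/30", "fd00:1:2:1010::12/128", "0.0.0.0/0"):
        home = HOME_NETv6 if ":" in route else HOME_NETv4
        print(f"{route:24} HOME_NET={evaluate(home, route)}  "
              f"HOME_NET_REDISTRIBUTE={route_map_permits(HOME_NET_REDISTRIBUTE, route)}  "
              f"IPSEC_VPN={route_map_permits(IPSEC_VPN, route)}")
```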
  • STANDBY_PREPEND
    • Lengthens the as-path by prepending 2 ASNs
```bash
set policy route-map STANDBY_PREPEND description 'STANDBY_PREPEND: as-path prepend 64650 64650'
set policy route-map STANDBY_PREPEND rule 11 action 'permit'
set policy route-map STANDBY_PREPEND rule 11 match ip nexthop address '198.51.100.1'
set policy route-map STANDBY_PREPEND rule 11 on-match next

set policy route-map STANDBY_PREPEND rule 21 action 'permit'
set policy route-map STANDBY_PREPEND rule 21 on-match next
set policy route-map STANDBY_PREPEND rule 21 set as-path prepend '64650'

set policy route-map STANDBY_PREPEND rule 22 action 'permit'
set policy route-map STANDBY_PREPEND rule 22 on-match next
set policy route-map STANDBY_PREPEND rule 22 set as-path prepend '64650'
```
  • MAINTENANCE
    • Lengthens the as-path by prepending 5 ASNs
```bash
set policy route-map MAINTENANCE description 'MAINTENANCE: as-path prepend 64650 64650 64650 64650 64650'
set policy route-map MAINTENANCE rule 11 action 'permit'
set policy route-map MAINTENANCE rule 11 on-match next
set policy route-map MAINTENANCE rule 11 set as-path prepend '64650'

set policy route-map MAINTENANCE rule 12 action 'permit'
set policy route-map MAINTENANCE rule 12 on-match next
set policy route-map MAINTENANCE rule 12 set as-path prepend '64650'

set policy route-map MAINTENANCE rule 13 action 'permit'
set policy route-map MAINTENANCE rule 13 on-match next
set policy route-map MAINTENANCE rule 13 set as-path prepend '64650'

set policy route-map MAINTENANCE rule 14 action 'permit'
set policy route-map MAINTENANCE rule 14 on-match next
set policy route-map MAINTENANCE rule 14 set as-path prepend '64650'

set policy route-map MAINTENANCE rule 15 action 'permit'
set policy route-map MAINTENANCE rule 15 on-match next
set policy route-map MAINTENANCE rule 15 set as-path prepend '64650'
```

For maintenance, attach the route-map as below to divert traffic.
(I would like to use GRACEFUL_SHUTDOWN, but the peer device does not support it, so the conservative method.)

```bash
configure

set policy route-map DEFAULT_ROUTE rule 1 action 'permit'
set policy route-map DEFAULT_ROUTE rule 1 call MAINTENANCE
set policy route-map DEFAULT_ROUTE rule 1 on-match next
set policy route-map DEFAULT_ROUTE rule 1 description 'MAINTENANCE'

set policy route-map OUTBOUND_TO_VULTR rule 1 action 'permit'
set policy route-map OUTBOUND_TO_VULTR rule 1 call MAINTENANCE
set policy route-map OUTBOUND_TO_VULTR rule 1 on-match next
set policy route-map OUTBOUND_TO_VULTR rule 1 description 'MAINTENANCE'

compare
commit
```

Actual configuration

This configuration establishes BGP with 169.254.169.254, so a static route is written for it.

```bash
set protocols static route 169.254.169.254/32 next-hop 198.51.100.2
```
  • P@ssW0rd: the password provided by Vultr
  • router-id: 203.0.113.1
  • AS64512~65534
    • 64515: Vultr
    • 64650: border-01,02
    • 64701: ix2215-01
```bash
set protocols bgp parameters bestpath as-path multipath-relax
set protocols bgp parameters ebgp-requires-policy
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '203.0.113.1'
set protocols bgp system-as '64650'
set protocols bgp timers holdtime '9'
set protocols bgp timers keepalive '3'

set protocols bgp peer-group Vultr address-family ipv4-unicast route-map export 'OUTBOUND_TO_VULTR'
set protocols bgp peer-group Vultr address-family ipv4-unicast route-map import 'DEFAULT_ROUTE'
set protocols bgp peer-group Vultr address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group Vultr address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp peer-group Vultr description 'Transit from Vultr'
set protocols bgp peer-group Vultr ebgp-multihop '2'
set protocols bgp peer-group Vultr password 'P@ssW0rd'
set protocols bgp peer-group Vultr remote-as '64515'
```
  • For the IPsec VPN
```bash
set protocols bgp peer-group IPSecVPN address-family ipv4-unicast route-map export IPSEC_VPN
set protocols bgp peer-group IPSecVPN address-family ipv4-unicast route-map import 'HOME_NET_REDISTRIBUTE'
set protocols bgp peer-group IPSecVPN address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group IPSecVPN description 'Home from IPsecVPN'
set protocols bgp peer-group IPSecVPN remote-as 'external'
```
  • Redistribution
```bash
set protocols bgp address-family ipv4-unicast redistribute connected
set protocols bgp address-family ipv6-unicast redistribute connected
set protocols bgp address-family ipv6-unicast redistribute kernel route-map 'DEFAULT_ROUTE'
```

Neighbor

  • Vultr
```bash
set protocols bgp neighbor 169.254.169.254 description 'IPv4 to Vultr'
set protocols bgp neighbor 169.254.169.254 peer-group 'Vultr'
set protocols bgp neighbor 169.254.169.254 timers connect '5'
```
  • IPsec VPN
```bash
set protocols bgp neighbor vti1 interface peer-group IPSecVPN
set protocols bgp neighbor vti2 interface peer-group IPSecVPN
```

MSS adjust-auto

This was not needed on the cloud VyOS this time, but to have TCP MSS adjusted automatically, configure as below.
If eth0 is the WAN with mtu 1440, the following setting automatically calculates and sets the MSS for both IPv4 and IPv6.

```bash
set interfaces ethernet eth0 mtu 1440

set interfaces ethernet eth0 ip adjust-mss clamp-mss-to-pmtu
set interfaces ethernet eth0 ipv6 adjust-mss clamp-mss-to-pmtu
```

Docker

cloudflared

Start two containers: cloudflared-tunnel and cloudflared-doh.

  • cloudflared-tunnel: container for Cloudflare Tunnel

To simplify configuration, set the TOKEN in an environment variable.

```bash
export __CF_TOKEN="<TOKEN>"
```
cloudflared-tunnel
```bash
run add container image cloudflare/cloudflared:2024.4.1

set container name cloudflared-tunnel allow-host-networks
set container name cloudflared-tunnel command 'tunnel --no-autoupdate run'
set container name cloudflared-tunnel image cloudflare/cloudflared:2024.4.1
set container name cloudflared-tunnel restart on-failure

set container name cloudflared-tunnel environment 'TUNNEL_TOKEN' value "${__CF_TOKEN}"
set container name cloudflared-tunnel environment 'TUNNEL_METRICS' value 'localhost:60001'
```
  • cloudflared-doh: container for DNS over HTTPS
    • No TOKEN is needed here. Instead, issue a Cloudflare Gateway DNS over HTTPS endpoint and configure that.
```bash
set container name cloudflared-doh allow-host-networks
set container name cloudflared-doh capability 'net-bind-service'
set container name cloudflared-doh command 'proxy-dns'
set container name cloudflared-doh image 'cloudflare/cloudflared:2024.4.1'
set container name cloudflared-doh restart 'on-failure'

set container name cloudflared-doh environment 'TUNNEL_DNS_PORT' value '53'
set container name cloudflared-doh environment 'TUNNEL_DNS_ADDRESS' value '0.0.0.0'
set container name cloudflared-doh environment 'TUNNEL_DNS_UPSTREAM' value 'https://1.1.1.1/dns-query,https://1.0.0.1/dns-query'

set container name cloudflared-doh environment 'TUNNEL_METRICS' value 'localhost:60002'
```
Topic

I also tried creating a bridge network, but could not get it working.
Even with SNAT configured, traffic was not getting out.

```bash
set container network cn-internal description 'Network for containers'
set container network cn-internal prefix '172.17.0.0/16'

set nat source rule 11 outbound-interface name 'eth0'
set nat source rule 11 source address '172.17.0.0/16'
set nat source rule 11 translation address 'masquerade'
```

frr_exporter

TODO: verify

As the Prometheus exporter for FRRouting, frr_exporter is easy to use and I have already created a Zabbix template for it, so I am installing it to monitor the BGP peers.

Zabbix

zabbix-agent was introduced in VyOS 1.4, so use it.

```text
vyos@border-02# type zabbix_agent2
zabbix_agent2 is /usr/sbin/zabbix_agent2

vyos@border-02# zabbix_agent2 --version
zabbix_agent2 (Zabbix) 6.0.14
Revision 3f184b456c7 8 March 2023, compilation time: Apr  9 2023 11:12:43
Plugin communication protocol version is 6.0.13
```

```bash
set service monitoring zabbix-agent host-name "${HOSTNAME}"
set service monitoring zabbix-agent listen-address '<MGMT IP>'
set service monitoring zabbix-agent log debug-level 'warning'
set service monitoring zabbix-agent log size '10'
set service monitoring zabbix-agent server '<Zabbix IP>'
set service monitoring zabbix-agent server-active '<Zabbix IP>'
set service monitoring zabbix-agent timeout '10'
```

Vector

```bash
mkdir -p /config/container/vector
chown -R root:vyattacfg /config/container
touch /config/container/vector/vector.yaml
run add container image timberio/vector:0.38.0-alpine

set container name vector allow-host-networks
set container name vector capability 'net-bind-service'
set container name vector image 'timberio/vector:0.38.0-alpine'
set container name vector restart 'on-failure'
set container name vector environment 'AWS_ACCESS_KEY_ID' value 'AKXXXXXXXXXXXXXXXXXX'
set container name vector environment 'AWS_DEFAULT_REGION' value 'ap-northeast-1'
set container name vector environment 'AWS_SECRET_ACCESS_KEY' value 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
set container name vector environment 'TZ' value 'Asia/Tokyo'

set container name vector volume 'vector_etc' source /config/container/vector/vector.yaml
set container name vector volume 'vector_etc' destination /etc/vector/vector.yaml
set container name vector volume 'vector_etc' mode ro
```
/etc/vector/vector.yaml
```yaml
---
log_schema:
  timestamp_key: event.created

sources:
  syslog_tcp:
    type: syslog
    address: 0.0.0.0:514
    mode: tcp

  syslog_udp:
    type: syslog
    address: 0.0.0.0:514
    mode: udp

transforms:
  remap_timestamp:
    type: remap
    inputs:
      - syslog_tcp
      - syslog_udp
    source: |
      . = parse_json!(.message)
      .timestamp = .event.created

sinks:
  new_relic_logs:
    type: new_relic
    inputs:
      - remap_timestamp
    account_id: "0000000"
    api: logs
    license_key: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    region: us
    encoding:
      timestamp_format: rfc3339
    healthcheck: true

  s3_archive:
    type: aws_s3
    inputs:
      - remap_timestamp
    bucket: exsample-log-archives
    buffer:
      type: disk
      max_size: 4294967808
    encoding:
      codec: json
      timestamp_format: rfc3339
    healthcheck:
      enabled: true
    key_prefix: "year=%Y/month=%m/day=%d/hour=%H/"
```

IPsec

The old connection used pfSense with IKEv1 aggressive mode, but since the peer device, the IX2215, also supports IKEv2, the connection now uses IKEv2.

| Subnet | NetAddr, BroadcastAddr | Home | Vultr | Description |
|---|---|---|---|---|
| 192.168.255.0/24 | | | | |
| 192.168.255.0/30 | .1,3 | 192.168.255.1 | 192.168.255.2 | IX2215-01a <-> border-01 |
| 192.168.255.4/30 | .4,7 | 192.168.255.5 | 192.168.255.6 | IX2215-01b <-> border-01 |
| 192.168.255.8/30 | .8,11 | 192.168.255.9 | 192.168.255.10 | IX2215-01a <-> border-02 |
| 192.168.255.12/30 | .12,15 | 192.168.255.13 | 192.168.255.14 | IX2215-01b <-> border-02 |

Enter the generic settings first.

```bash
set vpn ipsec interface 'eth0'
set vpn ipsec log level '0'
set vpn ipsec log subsystem 'any'
set vpn ipsec options disable-route-autoinstall
```

VTI

Redundant settings could be entered one by one, but since routing is done with BGP this time, I set up VTIs and establish BGP peers over them.

```bash
set interfaces vti vti1 address '192.168.255.10/30'
set interfaces vti vti1 description 'IX2215-01a <-> border-02'

set interfaces vti vti2 address '192.168.255.14/30'
set interfaces vti vti2 description 'IX2215-01b <-> border-02'
```

Authentication

Configure IKEv2 authentication. This time a Pre-Shared Key is used.

Important

When the connecting side is a site (here, my home) behind a carrier network, the connection has to use NAT-T, but nearly all of the countless how-to articles on the web select the authentication PSK based on the source address, so IKEv2 SA establishment fails from behind NAT.

I got stuck on this long enough to burn two precious days of Golden Week.

The workaround is to configure a keyid, but it has to be configured in accordance with the behaviour of strongSwan, which actually handles IPsec behind VyOS. In this case there are three places, shown below.

```bash
set vpn ipsec authentication psk <PSK NAME> id 'keyid:<Key ID>'

set vpn ipsec site-to-site peer <PEER NAME> authentication local-id 'keyid:<Key ID>'
set vpn ipsec site-to-site peer <PEER NAME> authentication remote-id 'keyid:<Key ID>'
```

```bash
set vpn ipsec authentication psk IX2215-01a id 'keyid:ix2215-01a.tyo1.home.vpn.internal'
set vpn ipsec authentication psk IX2215-01a id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec authentication psk IX2215-01a secret 'Secret_01a'

set vpn ipsec authentication psk IX2215-01b id 'keyid:ix2215-01b.tyo1.home.vpn.internal'
set vpn ipsec authentication psk IX2215-01b id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec authentication psk IX2215-01b secret 'Secret_01b'
```

ESP, IKEv2

There are many parameters and it is complex, so the table below organizes them.

| Protocol | UNIVERGE IX | VyOS 1.5.x (circinus) | Adopted |
|---|---|---|---|
| ESP Encryption | sa-proposal enc | esp-group <1> proposal 0 encryption | |
| AES-CBC (128 bits) | aes-cbc-128 | aes128 | |
| AES-CBC (192 bits) | aes-cbc-192 | aes192 | |
| AES-CBC (256 bits) | aes-cbc-256 | aes256 | O |
| IKEv2 DH Group | sa-proposal dh | ike-group <1> proposal 0 dh-group | |
| DH Group 1 | 768-bit | 1 | |
| DH Group 2 | 1024-bit | 2 | |
| DH Group 5 | 1536-bit | 5 | |
| DH Group 14 | 2048-bit | 14 | O |
| DH Group 15 | 3072-bit | 15 | |
| IKEv2 Integrity Algorithm | sa-proposal integrity | esp-group <1> proposal 0 hash | |
| HMAC-MD5-96 | md5 | md5 | |
| HMAC-SHA1-96 | sha1 | sha1 | |
| HMAC-SHA2-256-128 | sha2-256 | sha256 | O |
| HMAC-SHA2-384-192 | sha2-384 | sha384 | |
| HMAC-SHA2-512-256 | sha2-512 | sha512 | |
| IKEv2 PFS (Perfect Forward Secrecy) | child-pfs | esp-group <1> pfs | |
| DH Group 1 | 768-bit | dh-group1 | |
| DH Group 2 | 1024-bit | dh-group2 | |
| DH Group 5 | 1536-bit | dh-group5 | |
| DH Group 14 | 2048-bit | dh-group14 | O |
| DH Group 15 | 3072-bit | dh-group15 | |
| IKEv2 PRF (Pseudo-Random Function) | sa-proposal prf | ike-group <1> proposal 0 prf | |
| HMAC-MD5 | md5 | prfmd5 | |
| HMAC-SHA1 | sha1 | prfsha1 | |
| HMAC-SHA2-256 | sha2-256 | prfsha256 | O |
| HMAC-SHA2-384 | sha2-384 | prfsha384 | |
| HMAC-SHA2-512 | sha2-512 | prfsha512 | |
| IKEv2 Encryption | child-proposal enc | ike-group <1> proposal 0 encryption | |
| AES-CBC (128 bits) | aes-cbc-128 | aes128 | |
| AES-CBC (192 bits) | aes-cbc-192 | aes192 | |
| AES-CBC (256 bits) | aes-cbc-256 | aes256 | O |
| IKEv2 Integrity Algorithm | child-proposal integrity | ike-group <1> proposal 0 encryption | |
| HMAC-MD5-96 | md5 | md5 | |
| HMAC-SHA1-96 | sha1 | sha1 | |
| HMAC-SHA2-256-128 | sha2-256 | sha256 | O |
| HMAC-SHA2-384-192 | sha2-384 | sha384 | |
| HMAC-SHA2-512-256 | sha2-512 | sha512 | |
| IKEv2 DPD (Dead Peer Detection) | | | |
| interval (Sec) | 10 | 10 | |
| timeout (Sec) | | 120 | |
  • Common settings
    • lifetime: 28800 (8 hours)
    • Anti-replay off
```bash
set vpn ipsec esp-group BORDER-IPSEC lifetime '28800'
set vpn ipsec esp-group BORDER-IPSEC mode 'tunnel'
set vpn ipsec esp-group BORDER-IPSEC pfs 'dh-group14'
set vpn ipsec esp-group BORDER-IPSEC proposal 0 encryption 'aes256'
set vpn ipsec esp-group BORDER-IPSEC proposal 0 hash 'sha256'

set vpn ipsec ike-group BORDER-IPSEC close-action 'none'
set vpn ipsec ike-group BORDER-IPSEC dead-peer-detection action 'restart'
set vpn ipsec ike-group BORDER-IPSEC dead-peer-detection interval '10'
set vpn ipsec ike-group BORDER-IPSEC dead-peer-detection timeout '120'
set vpn ipsec ike-group BORDER-IPSEC disable-mobike
set vpn ipsec ike-group BORDER-IPSEC key-exchange 'ikev2'
set vpn ipsec ike-group BORDER-IPSEC lifetime '28800'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 dh-group '14'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 encryption 'aes256'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 hash 'sha256'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 prf 'prfsha256'
```

IPsec Peer

The IPsec peer is often configured using an IP address, but this field accepts any name, so I used the remote device's name (set vpn ipsec site-to-site peer IX2215-01a) to make it easy to identify.

As also noted in the Authentication section, authentication will fail unless keyid:<Key ID> is set, so do not forget it.

IX2215-01a
set vpn ipsec site-to-site peer IX2215-01a authentication local-id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01a authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer IX2215-01a authentication remote-id 'keyid:ix2215-01a.tyo1.home.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01a description 'IX2215-01a <-> border-02'

set vpn ipsec site-to-site peer IX2215-01a connection-type 'respond'
set vpn ipsec site-to-site peer IX2215-01a ike-group 'BORDER-IPSEC'
set vpn ipsec site-to-site peer IX2215-01a local-address '203.0.113.1'
set vpn ipsec site-to-site peer IX2215-01a remote-address 'any'
set vpn ipsec site-to-site peer IX2215-01a replay-window '0'
set vpn ipsec site-to-site peer IX2215-01a vti bind 'vti1'
set vpn ipsec site-to-site peer IX2215-01a vti esp-group 'BORDER-IPSEC'

IX2215-01b
set vpn ipsec site-to-site peer IX2215-01b authentication local-id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01b authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer IX2215-01b authentication remote-id 'keyid:ix2215-01b.tyo1.home.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01b description 'IX2215-01b <-> border-02'

set vpn ipsec site-to-site peer IX2215-01b connection-type 'respond'
set vpn ipsec site-to-site peer IX2215-01b ike-group 'BORDER-IPSEC'
set vpn ipsec site-to-site peer IX2215-01b local-address '203.0.113.1'
set vpn ipsec site-to-site peer IX2215-01b remote-address 'any'
set vpn ipsec site-to-site peer IX2215-01b replay-window '0'
set vpn ipsec site-to-site peer IX2215-01b vti bind 'vti2'
set vpn ipsec site-to-site peer IX2215-01b vti esp-group 'BORDER-IPSEC'

Anti-replay off

Because QoS (Quality of Service) is configured on the peer IX2215, anti-replay is disabled. Note that replay-window 0 turns off ESP replay protection entirely: packets reordered by QoS scheduling are accepted, but so are replayed ones, which is the trade-off being made here.

set vpn ipsec site-to-site peer IX2215-01a replay-window 0
set vpn ipsec site-to-site peer IX2215-01b replay-window 0

IX2215-01a

This strays from the main topic, so I will not go into detail, but here is the IX2215-01a configuration for reference.

IX2215-01a_config
ix2215-01a(config)# show run
! NEC Portable Internetwork Core Operating System Software
! IX Series IX2215 (magellan-sec) Software, Version 10.10.21, RELEASE SOFTWARE
! Compiled Oct 04-Fri-2024 13:39:04 JST #2
! Current time Nov 08-Fri-2024 19:36:13 JST
!
hostname ix2215-01a
timezone +09 00
terminal suppress-emanon
!
ip route 203.0.113.1/32 GigaEthernet0.13 dhcp

ikev2 authentication psk id keyid border-02.tyo1.vultr.vpn.internal key char Secret_01a
!
!
!
router bgp 64701
  router-id 10.2.21.2
  address-family ipv4 unicast
    redistribute connected
  peer-group IPsecVPN remote-as 64650
    neighbor 192.168.255.2
    neighbor 192.168.255.10
    timers 3 9
!
ikev2 default-profile
  anti-replay off
  child-lifetime 28800
  child-pfs 2048-bit
  child-proposal enc aes-cbc-256
  child-proposal integrity sha2-256
  dpd interval 10
  local-authentication psk id keyid ix2215-01a.tyo1.home.vpn.internal
  nat-traversal keepalive 20 force
  negotiation-direction initiator
  sa-lifetime 28800
  sa-proposal enc aes-cbc-256
  sa-proposal integrity sha2-256
  sa-proposal dh 2048-bit
  sa-proposal prf sha2-256
!
interface GigaEthernet0.0
  no ip address
  shutdown
!
interface GigaEthernet1.0
  description WAN
  ip address dhcp receive-default
  ip mtu 1500
  no shutdown
!
interface GigaEthernet2.0
  description home
  auto-connect
  ip address 10.2.21.2
  no shutdown
!
interface Tunnel2.0
  tunnel mode ipsec-ikev2
  ip address 192.168.255.9/30
  ip tcp adjust-mss auto
  ikev2 connect-type auto
  ikev2 ipsec pre-fragment
  ikev2 negotiation-direction initiator
  ikev2 peer 203.0.113.1 authentication psk id keyid border-02.tyo1.vultr.vpn.internal
  no shutdown
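As an added example that is not part of the original post, the following Python script applies the parameter mapping table above to the ikev2 default-profile from this IX config and emits the equivalent VyOS set commands, including the remote-id 'keyid:...' that the Authentication section warns about. It assumes that IX sa-* lines describe the IKE SA and child-* lines the ESP child SA (this example's reading, not something the page states); the group name BORDER-IPSEC, the peer name IX2215-01a and the key IDs are taken from the page.

```python
import re

# Value mapping from the table above (IX keyword -> VyOS keyword).
IX_TO_VYOS_ENC = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256"}
IX_TO_VYOS_DH = {"768-bit": "1", "1024-bit": "2", "1536-bit": "5", "2048-bit": "14", "3072-bit": "15"}
IX_TO_VYOS_HASH = {"md5": "md5", "sha1": "sha1", "sha2-256": "sha256",
                   "sha2-384": "sha384", "sha2-512": "sha512"}

# The ikev2 default-profile from the IX2215-01a config above (copied from the page).
IX_PROFILE = """\
ikev2 default-profile
  anti-replay off
  child-lifetime 28800
  child-pfs 2048-bit
  child-proposal enc aes-cbc-256
  child-proposal integrity sha2-256
  dpd interval 10
  local-authentication psk id keyid ix2215-01a.tyo1.home.vpn.internal
  nat-traversal keepalive 20 force
  negotiation-direction initiator
  sa-lifetime 28800
  sa-proposal enc aes-cbc-256
  sa-proposal integrity sha2-256
  sa-proposal dh 2048-bit
  sa-proposal prf sha2-256
"""


def parse_ix_profile(text):
    """Turn each 'keyword ... value' line into a dict entry.

    The key is everything but the last token, so 'sa-proposal enc aes-cbc-256'
    becomes {'sa-proposal enc': 'aes-cbc-256'}.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ikev2 default-profile"):
            continue
        *key, value = line.split()
        params[" ".join(key)] = value
    return params


def ix_to_vyos_groups(params, group):
    """VyOS esp-group/ike-group commands equivalent to the IX profile.

    Assumption of this example: sa-* lines are the IKE SA, child-* lines are
    the ESP child SA. PFS is the child-pfs group; the PRF takes the prf prefix.
    """
    esp = f"set vpn ipsec esp-group {group}"
    ike = f"set vpn ipsec ike-group {group}"
    cmds = [
        f"{esp} lifetime '{params['child-lifetime']}'",
        f"{esp} mode 'tunnel'",
        f"{esp} pfs 'dh-group{IX_TO_VYOS_DH[params['child-pfs']]}'",
        f"{esp} proposal 0 encryption '{IX_TO_VYOS_ENC[params['child-proposal enc']]}'",
        f"{esp} proposal 0 hash '{IX_TO_VYOS_HASH[params['child-proposal integrity']]}'",
        f"{ike} key-exchange 'ikev2'",
        f"{ike} lifetime '{params['sa-lifetime']}'",
        f"{ike} proposal 0 dh-group '{IX_TO_VYOS_DH[params['sa-proposal dh']]}'",
        f"{ike} proposal 0 encryption '{IX_TO_VYOS_ENC[params['sa-proposal enc']]}'",
        f"{ike} proposal 0 hash '{IX_TO_VYOS_HASH[params['sa-proposal integrity']]}'",
        f"{ike} proposal 0 prf 'prf{IX_TO_VYOS_HASH[params['sa-proposal prf']]}'",
    ]
    if "dpd interval" in params:
        cmds.append(f"{ike} dead-peer-detection interval '{params['dpd interval']}'")
    return cmds


def ix_to_vyos_peer(params, peer, local_id):
    """Peer authentication lines. The VyOS remote-id must be the IX router's own
    local-authentication keyid, and the VyOS local-id must be the keyid the IX
    side configured for us; a mismatch on either fails IKE_AUTH."""
    base = f"set vpn ipsec site-to-site peer {peer}"
    cmds = [
        f"{base} authentication local-id 'keyid:{local_id}'",
        f"{base} authentication mode 'pre-shared-secret'",
        f"{base} authentication remote-id 'keyid:{params['local-authentication psk id keyid']}'",
    ]
    if params.get("anti-replay") == "off":   # mirror the IX setting on the VyOS side
        cmds.append(f"{base} replay-window '0'")
    return cmds


if __name__ == "__main__":
    p = parse_ix_profile(IX_PROFILE)
    for cmd in ix_to_vyos_groups(p, "BORDER-IPSEC") + \
            ix_to_vyos_peer(p, "IX2215-01a", "border-02.tyo1.vultr.vpn.internal"):
        print(cmd)
```

The emitted lines can be diffed against the BORDER-IPSEC and peer configuration above; anything that differs is a candidate cause of NO_PROPOSAL_CHOSEN or an authentication failure.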

NTP

At home I configure the Cloudflare and Internet Multifeed NTP servers, with Cloudflare preferred.

delete service ntp server

set service ntp server ntp.jst.mfeed.ad.jp pool
set service ntp server time.cloudflare.com nts
set service ntp server time.cloudflare.com pool
set service ntp server time.cloudflare.com prefer
vyos@border-02# run show ntp sources 
.-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^- ntp2.jst.mfeed.ad.jp          2   6    17    57   +383us[-5794us] +/-   56ms
^? ntp1.jst.mfeed.ad.jp          2   6    17    57   +231us[ -157us] +/-   65ms
^? ntp3.jst.mfeed.ad.jp          2   6    17    56  +1451us[+1062us] +/-   62ms
^* time.cloudflare.com           3   6    17    55   +618us[ +230us] +/-   60ms
^+ time.cloudflare.com           3   6    17    55   +523us[ +523us] +/-   60ms
[edit]

Save

Important
Write the configuration to startup-config.
save

Troubleshooting

IPsec won't come up

In this case the first thing to check is strongSwan. Check it as follows.

vyos@border-02:~$ journalctl -u strongswan.service -f | grep -e 'charon\['
May 05 04:13:48 border-02 charon[2440]: 11[NET] <218> received packet: from 203.0.113.185[1525] to 203.0.113.163[500] (1024 bytes)
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 05 04:13:48 border-02 charon[2440]: 11[IKE] <218> no IKE config found for 203.0.113.163...203.0.113.185, sending NO_PROPOSAL_CHOSEN
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 05 04:13:48 border-02 charon[2440]: 11[NET] <218> sending packet: from 203.0.113.163[500] to 203.0.113.185[1525] (36 bytes)

Since IKE_SA_INIT and NO_PROPOSAL_CHOSEN appear, the failure is in the IKE SA exchange and the exchange of DH key material. The line no IKE config found for <local>...<remote> narrows it further: strongSwan found no connection whose local and remote addresses match this packet (a proposal mismatch would instead log no matching proposal found), so the peer's local-address and remote-address are the first things to compare against the addresses in the packet.

Next, use tcpdump to check what is arriving from the peer.

vyos@border-02:~$ /bin/bash -c "sudo tcpdump  -i eth0 esp or udp port 500 or port 4500 -vv -nn"
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:19:19.332292 IP (tos 0x0, ttl 52, id 48674, offset 0, flags [none], proto UDP (17), length 688)
    133.106.35.185.4500 > 198.51.100.2.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000000 cookie a8d897a0d1ba99e2->0000000000000000: parent_sa ikev2_init[I]:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=integ id=#12 )
            (t: #3 type=prf id=#5 )
            (t: #4 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=256 nonce=(...) )
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
06:19:19.333225 IP (tos 0x0, ttl 64, id 44145, offset 0, flags [DF], proto UDP (17), length 68)
    198.51.100.2.4500 > 133.106.35.185.4500: [bad udp cksum 0xa4bb -> 0x0a91!] NONESP-encap: isakmp 2.0 msgid 00000000 cookie a8d897a0d1ba99e2->6349877d0edb3c28: parent_sa ikev2_init[R]:
    (n: prot_id=#0 type=14(no_protocol_chosen))
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

If you want to see the resulting configuration, cat /etc/swanctl/swanctl.conf shows the strongSwan configuration that VyOS generated.
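As an added example that is not part of the original post, here is a small Python triage script for charon journal lines of the kind shown above. It groups lines by IKE_SA id and distinguishes the two reasons strongSwan answers IKE_SA_INIT with NO_PROPOSAL_CHOSEN: no connection matched the addresses, or the addresses matched but no proposal overlapped. SA <218> in the sample repeats the five lines from the article; SA <219> is a constructed proposal-mismatch case, and its received proposals / configured proposals / no matching proposal found wording is strongSwan's message format as I know it, not output from this page.

```python
import re

# Constructed sample log modelled on the journalctl output above. SA <218>
# repeats the article's five lines; SA <219> is a constructed proposal-mismatch case.
SAMPLE_LOG = """\
May 05 04:13:48 border-02 charon[2440]: 11[NET] <218> received packet: from 203.0.113.185[1525] to 203.0.113.163[500] (1024 bytes)
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 05 04:13:48 border-02 charon[2440]: 11[IKE] <218> no IKE config found for 203.0.113.163...203.0.113.185, sending NO_PROPOSAL_CHOSEN
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 05 04:13:48 border-02 charon[2440]: 11[NET] <218> sending packet: from 203.0.113.163[500] to 203.0.113.185[1525] (36 bytes)
May 05 04:20:01 border-02 charon[2440]: 12[NET] <219> received packet: from 198.51.100.77[500] to 203.0.113.1[500] (464 bytes)
May 05 04:20:01 border-02 charon[2440]: 12[ENC] <219> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 05 04:20:01 border-02 charon[2440]: 12[CFG] <219> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 05 04:20:01 border-02 charon[2440]: 12[CFG] <219> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May 05 04:20:01 border-02 charon[2440]: 12[IKE] <219> no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""

LINE_RE = re.compile(r"charon\[\d+\]: (?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] <(?P<sa>\d+)> (?P<msg>.*)$")
RECV_RE = re.compile(r"received packet: from (?P<src>[^\s\[]+)\[(?P<sport>\d+)\] to (?P<dst>[^\s\[]+)\[(?P<dport>\d+)\]")
NO_CONFIG_RE = re.compile(r"no IKE config found for (?P<local>\S+?)\.\.\.(?P<remote>[^,\s]+)")
PROPOSALS_RE = re.compile(r"(?P<which>received|configured) proposals: (?P<list>.+)$")


def parse_charon(text):
    """Split each charon line into thread, subsystem, IKE_SA id and message."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def triage(text):
    """Group lines by IKE_SA id and classify why IKE_SA_INIT was rejected."""
    findings = {}
    for ev in parse_charon(text):
        f = findings.setdefault(ev["sa"], {"peer": None, "local": None, "stage": None,
                                           "reason": None, "offered": None,
                                           "configured": None, "hint": None})
        msg = ev["msg"]
        if m := RECV_RE.search(msg):
            f["peer"] = f"{m['src']}:{m['sport']}"
            f["local"] = f"{m['dst']}:{m['dport']}"
        elif "parsed IKE_SA_INIT request" in msg:
            f["stage"] = "IKE_SA_INIT"
        elif "parsed IKE_AUTH request" in msg:
            f["stage"] = "IKE_AUTH"
        elif m := NO_CONFIG_RE.search(msg):
            # Address lookup failed: no site-to-site peer has a matching
            # local-address / remote-address pair, so proposals were never compared.
            f["reason"] = "no IKE config"
            f["hint"] = (f"no peer matches local {m['local']} / remote {m['remote']}; "
                         "compare with the peer's local-address and remote-address")
        elif m := PROPOSALS_RE.search(msg):
            f["offered" if m["which"] == "received" else "configured"] = m["list"]
        elif "no matching proposal found" in msg:
            # Addresses matched, but no ike-group proposal overlaps with the offer.
            f["reason"] = "proposal mismatch"
            f["hint"] = f"peer offered {f['offered']}, ike-group allows {f['configured']}"
        elif "NO_PROPOSAL_CHOSEN" in msg or "N(NO_PROP)" in msg:
            f["reason"] = f["reason"] or "NO_PROPOSAL_CHOSEN"
    return findings


def summarize(findings):
    """One line per rejected IKE_SA, suitable for an alert or a ticket."""
    return [f"<{sa}> {f['peer']} -> {f['local']} at {f['stage']}: {f['reason']} ({f['hint']})"
            for sa, f in findings.items() if f["reason"]]


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Feed it the output of journalctl -u strongswan.service and the summary tells you whether to look at the peer's addresses or at the ike-group proposals before reaching for tcpdump.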
