Summary ¶
I used pfSense for many years, but around the start of this year the licence model changed, and even Homelab use now requires a $125/yr subscription to obtain a licence. I tried OPNsense, which I had been curious about for a while, but it ran poorly on KVM: every boot took more than 10 minutes, and with a single core the CPU felt pegged, so I gave up.
I reviewed the functions the router in my home cloud actually needs and am considering migrating to VyOS.
Requirements ¶
- OS: Linux preferred
- FRR available
- can build an IPsec IKEv2 VPN
- cloudflared or warp usable
- usable as a DoH client
- DNS server
- connects to the he.net IPv6 Tunnel Broker
| Interface | env | IP Address | Gateway | Description |
|---|---|---|---|---|
| eth0 | ${_IF_WAN_IPv4} | 198.51.100.1/24 | 198.51.100.254 | |
| eth1 | ${_IF_MGMT_IPv4} | 192.0.2.3/24 | 192.0.2.1 | |
| eth1v11v4 | ${_IF_MGMT_VRRP_IPv4} | 192.0.2.1/24 | | |
| | | 192.0.2.8 | | Syslog Server |
| BGP | ${_EIP_VIP_IPv4} | 203.0.113.1/32 | | VIP Elastic IP |
| dum1 | ${_ANYCAST_IPv4} | 10.1.1.12/32 | | BGP IP Anycast |
| dum1 | ${_ANYCAST_IPv6} | fd00:1:2:1010::12/128 | | BGP IP Anycast |
| | | 2001:db8:cafe:beef::1 | | he.net GW |
| | | 2001:db8:beef::/48 | | /48 from he.net |
Installation ¶
Since I just want to use 1.5 rolling casually, I download it from the official site.
VyOS Community

```
https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202405040019/vyos-1.5-rolling-202405040019-amd64.iso
```
Log in with the default username and password, then run the installer:

```text
vyos@vyos:~$ install image
Welcom to VyOS installation!
This command will install VyOS to your permanent storage.
Would you like to continue? [y/N] y
What would you like to name this image? (Default: 1.5-rolling-202405040019) [Enter]
Please enter a password for the "vyos" user:
Please confirm password for the "vyos" user:
What console should be used by default? (K: KVM, S: Serial, U: USB-Serial)? (Default: K)
Probing disks
1 disk(s) found
The following disks ware found:
Drive: /dev/vda (25.0 GB)
Which one should be used for installation? (Default: /dev/vda) [Enter]
Installation will delate all data on the drive. Continue? [y/N] y
Searching for data from previous installations
No previous installation found
Would you like to use all the free space on the drive? [Y/n]
Creating partition table...
The following config files are available for boot:
1: /opt/vyatta/etc/config/config/config.boot
2: /opt/vyatta/etc/config.boot.default
Which file would you like as boot config? (Default: 1) [Enter]
Createing temporary directoryies
Mounting new partitions
Creating a configuration file
Copying system image files
Installing GRUB configuration files
Installing GRUB to the drive
Cleaning up
Unmounting target filesystems
Removeing temporary files
The image installed successfully: place reboot now.
reboot
y
```
Version ¶

```text
vyos@border-02:~$ show version
Version: VyOS 1.5-rolling-202405040019
Release train: current
Built by: [email protected]
Built on: Sat 04 May 2024 02:43 UTC
Build UUID: 6d407e87-6eeb-4932-841c-28fabd5dd88f
Build commit ID: 4490b2aeecfde6
Architecture: x86_64
Boot via: installed image
System type: Microsoft Hyper-V guest
Hardware vendor: Vultr
Hardware model: VHP
Hardware S/N: 73982079
Hardware UUID: 6f93faab-6a1b-4771-a9b9-fcc396c2db34
Copyright: VyOS maintainers and contributors
```
Hostname ¶

```bash
set system host-name 'border-02'
```

Timezone ¶

```bash
set system time-zone 'Asia/Tokyo'
```
Interface ¶

```bash
# WAN
set interfaces ethernet eth0 address "${_IF_WAN_IPv4}"
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 mtu '1500'
# LAN
set interfaces ethernet eth1 address "${_IF_MGMT_IPv4}"
set interfaces ethernet eth1 description 'MGMT'
set interfaces ethernet eth1 mtu '1450'
# VIP
set interfaces dummy dum1 address "${_EIP_VIP_IPv4}"
set interfaces dummy dum1 description 'VIP 1'
set interfaces dummy dum2 address "${_ANYCAST_IPv4}"
set interfaces dummy dum2 address "${_ANYCAST_IPv6}"
set interfaces dummy dum2 description 'IP anycast for service'
```
IPv6 Tunnel ¶
I use Tunnelbroker to obtain IPv6 for experiments, so configure it here.

```bash
set interfaces tunnel tun0 address '<he.net PEER IP>'
set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel #000000'
set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 mtu '1450'
set interfaces tunnel tun0 remote '<he.net GW>'
set interfaces tunnel tun0 source-address "${_EIP_VIP_IPv4}"
set protocols static route6 ::/0 interface tun0
```
VRRP ¶
In my home cloud, VRRP version 2 is configured to maintain L2 reachability on the MGMT segment.
- `startup-delay 30`: after a reboot or similar, advertisements are sent only once 30 seconds have elapsed
- `preempt-delay 180`: switch over 3 minutes after advertisements start arriving
- `track interface *`: fail over when a link goes down

```bash
set high-availability vrrp global-parameters startup-delay 30
set high-availability vrrp group mgmt vrid 11
set high-availability vrrp group mgmt interface eth1
set high-availability vrrp group mgmt address "${_IF_MGMT_VRRP_IPv4}"
set high-availability vrrp group mgmt preempt-delay 60
set high-availability vrrp group mgmt track interface eth0
set high-availability vrrp group mgmt track interface eth1
set high-availability vrrp group mgmt track interface tun0
set high-availability vrrp group mgmt rfc3768-compatibility
```

On border-01

```bash
set high-availability vrrp group mgmt priority 201
```

On border-02

```bash
set high-availability vrrp group mgmt priority 101
```
Task Scheduler ¶
I wrote a script. A static route has to be written toward he.net, and when a failure occurs that route must be removed, otherwise the default route keeps being advertised. So, somewhat crudely, I use the Task Scheduler to send ICMP toward the GW and, when the liveness check fails, disable the route, which stops the BGP advertisement.
- `source /opt/vyatta/etc/functions/script-template`: a login session is created when this is sourced, so it is placed right before the configure command to avoid unnecessary calls.
- `exit`, `exit discard`: if Configuration Mode and Operation Mode are not exited properly, sessions keep accumulating, so deal with it properly. `exit discard` is a precaution; since commit and save have already been done in the preceding step, it is written explicitly to discard any remaining configuration and to be sure of leaving the session.

/config/scripts/tunnel-check.script
```bash
#!/bin/vbash
# Re-exec under the vyattacfg group so that configuration commands are permitted
# Ref: https://docs.vyos.io/en/latest/automation/command-scripting.html
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

TUNNEL_INTERFACE="${1}"
TARGET_IP="2001:db8:cafe:beef::1"

# Liveness check toward the he.net gateway over the tunnel
ping -c5 -W1 "${TARGET_IP}" > /dev/null 2>&1
if [ $? -eq 0 ]; then
    # link up: re-enable the default route if it is currently missing
    ip -6 route get :: > /dev/null 2>&1
    if [ $? -eq 2 ]; then
        source /opt/vyatta/etc/functions/script-template
        configure
        delete protocols static route6 ::/0 interface "${TUNNEL_INTERFACE}" disable
        commit
        save
        exit
    fi
    exit discard
else
    # link down: disable the default route if it is currently present
    ip -6 route get :: > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        source /opt/vyatta/etc/functions/script-template
        configure
        set protocols static route6 ::/0 interface "${TUNNEL_INTERFACE}" disable
        commit
        save
        exit
    fi
    exit discard
fi
```
Make it executable and register it with the scheduler.

```bash
chmod +x /config/scripts/tunnel-check.script
set system task-scheduler task tun0-check executable arguments 'tun0'
set system task-scheduler task tun0-check executable path '/config/scripts/tunnel-check.script'
set system task-scheduler task tun0-check interval '1m'
```
SNAT ¶
SNAT the Internal Network so it can reach the outside.
This time the Vultr Reserved IP is advertised over BGP for redundancy, so SNAT uses that IP.
If you want to use the WAN IP instead, `address 'masquerade'` does it.

```bash
set nat source rule 101 outbound-interface name 'eth0'
set nat source rule 101 source address '192.0.2.0/24'
set nat source rule 101 translation address "${_EIP_VIP_IPv4}"
```
LLDP ¶
Enable LLDP. eth0 is the WAN, so disable it there individually.

```bash
set service lldp interface all
set service lldp interface eth0 disable
```
Firewall ¶
Configure the firewall.
The intent is as the rules read; managing them with description is convenient.

```bash
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop
```

WAN

```bash
set firewall ipv4 name wan rule 101 action 'accept'
set firewall ipv4 name wan rule 101 description 'ACCEPT ICMP echo reply'
set firewall ipv4 name wan rule 101 icmp type-name 'echo-request'
set firewall ipv4 name wan rule 101 protocol 'icmp'
set firewall ipv4 name wan rule 111 action 'accept'
set firewall ipv4 name wan rule 111 description 'ACCEPT BGP from Vultr'
set firewall ipv4 name wan rule 111 destination port 'bgp'
set firewall ipv4 name wan rule 111 protocol 'tcp'
set firewall ipv4 name wan rule 111 source address '169.254.169.254'
set firewall ipv4 name wan rule 121 action 'accept'
set firewall ipv4 name wan rule 121 description 'ACCEPT SSH'
set firewall ipv4 name wan rule 121 destination port '22'
set firewall ipv4 name wan rule 121 log
set firewall ipv4 name wan rule 121 protocol 'tcp'
set firewall zone wan default-action 'drop'
set firewall zone wan interface 'eth0'
```

return policy

```bash
set firewall ipv4 name return rule 11 action 'accept'
set firewall ipv4 name return rule 11 protocol 'all'
set firewall ipv4 name return rule 11 state established 'enable'
```

MGMT

```bash
set firewall zone mgmt default-action 'reject'
set firewall zone mgmt interface 'eth1'
set firewall zone mgmt interface 'eth1v11v4'
```

IPsecVPN

```bash
set firewall zone IPsecVPN default-action 'reject'
set firewall zone IPsecVPN interface 'vti1'
set firewall zone IPsecVPN interface 'vti2'
```

- Allow the following traffic directions
  - MGMT -> WAN
  - IPsecVPN -> WAN

```bash
set firewall zone wan from mgmt firewall name 'return'
set firewall zone wan from IPsecVPN firewall name 'return'
```
User ¶

```bash
configure
set system login user vyos authentication public-keys naa0yama key 'AAAAB3Nz'
set system login user vyos authentication public-keys naa0yama type 'ssh-rsa'
compare
commit
```
SSH ¶
Since the ssh key was configured under User, disable password-authentication.

```bash
configure
set service ssh
set service ssh disable-password-authentication
compare
commit
```
Syslog ¶
Send logs to the remote host (IP: 192.0.2.8).

```bash
set system syslog host 192.0.2.8 facility all level all
set system syslog host 192.0.2.8 protocol udp
```
DNS ¶
DoH via cloudflared is configured later, but it would be bad for the system's own name resolution to fail, so this is left unchanged.

```bash
set system name-server 1.1.1.1
set system name-server 1.0.0.1
set system name-server 2606:4700:4700::1111
set system name-server 2606:4700:4700::1001
```
BGP(outbound) ¶
This time Vultr provides, as part of its service, a BGP peer from which a default route can be received, so I peer with that.
Also, unlike other VPS services, Vultr lets you pull traffic for an Elastic IP to your instance by advertising it over BGP. Using this, I abolished VRRP across the Internet at home and instead advertise to Vultr over BGP to achieve Active-Standby.
"Traffic engineering" with BGP at home is exciting, after all.

| | Instance | Vultr |
|---|---|---|
| ASN | 64650 | 64515 |
| IPv4 | WAN Address | 169.254.169.254 |
| IPv6 | IPv6 Address | 2001:19f0:ffff:: |
| BGP Password | | P@ssw0rd |
| Multihop | | 2 |
prefix-list ¶
This BGP session is a private peering with Vultr, so it is not a problem in itself, but leaking routes other than your own AS's would be bad, and controlling both in and out with prefix-lists and route-maps is common practice, so configure it.
- DEFAULT_ROUTEv4: list that imports the default route advertised by Vultr
- OUTBOUND_TO_VULTRv4: list that advertises the fixed IP reserved as an Elastic IP to Vultr
- DEFAULT_ROUTEv6: list that imports the IPv6 default route

```bash
set policy prefix-list DEFAULT_ROUTEv4 description 'IPv4 Routes advertised from Border'
set policy prefix-list DEFAULT_ROUTEv4 rule 11 action 'permit'
set policy prefix-list DEFAULT_ROUTEv4 rule 11 description 'IPv4 default route'
set policy prefix-list DEFAULT_ROUTEv4 rule 11 prefix '0.0.0.0/0'
set policy prefix-list6 DEFAULT_ROUTEv6 rule 11 action 'permit'
set policy prefix-list6 DEFAULT_ROUTEv6 rule 11 description 'IPv6 default route'
set policy prefix-list6 DEFAULT_ROUTEv6 rule 11 prefix '::/0'
set policy prefix-list OUTBOUND_TO_VULTRv4 description 'IPv4 Outbound to Vultr'
set policy prefix-list OUTBOUND_TO_VULTRv4 rule 11 action 'permit'
set policy prefix-list OUTBOUND_TO_VULTRv4 rule 11 description 'NAT 1'
set policy prefix-list OUTBOUND_TO_VULTRv4 rule 11 prefix "${_EIP_VIP_IPv4}"
```
- HOME_NETv4: permit home routes with prefix length 24-24, 32
- HOME_NETv6: permit home routes with prefix length 60-64, 126-128

```bash
set policy prefix-list HOME_NETv4 description 'IPv4 Redistribute of home routes'
set policy prefix-list HOME_NETv4 rule 11 action 'permit'
set policy prefix-list HOME_NETv4 rule 11 ge '24'
set policy prefix-list HOME_NETv4 rule 11 le '24'
set policy prefix-list HOME_NETv4 rule 11 prefix '10.0.0.0/8'
set policy prefix-list HOME_NETv4 rule 12 action 'permit'
set policy prefix-list HOME_NETv4 rule 12 ge '32'
set policy prefix-list HOME_NETv4 rule 12 prefix '10.0.0.0/8'
set policy prefix-list HOME_NETv4 rule 21 action 'permit'
set policy prefix-list HOME_NETv4 rule 21 ge '24'
set policy prefix-list HOME_NETv4 rule 21 le '24'
set policy prefix-list HOME_NETv4 rule 21 prefix '192.168.0.0/16'
set policy prefix-list HOME_NETv4 rule 22 action 'permit'
set policy prefix-list HOME_NETv4 rule 22 ge '30'
# rule 22 le (the original line read "rule 21 le '32'", which would have overwritten rule 21's le '24')
set policy prefix-list HOME_NETv4 rule 22 le '32'
set policy prefix-list HOME_NETv4 rule 22 prefix '192.168.0.0/16'
set policy prefix-list6 HOME_NETv6 description 'IPv6 Redistribute of home routes'
set policy prefix-list6 HOME_NETv6 rule 11 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 11 ge '60'
set policy prefix-list6 HOME_NETv6 rule 11 le '64'
set policy prefix-list6 HOME_NETv6 rule 11 prefix '2001:470:fe17::/48'
set policy prefix-list6 HOME_NETv6 rule 12 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 12 ge '126'
set policy prefix-list6 HOME_NETv6 rule 12 le '128'
set policy prefix-list6 HOME_NETv6 rule 12 prefix '2001:470:fe17::/48'
set policy prefix-list6 HOME_NETv6 rule 21 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 21 ge '60'
set policy prefix-list6 HOME_NETv6 rule 21 le '64'
set policy prefix-list6 HOME_NETv6 rule 21 prefix 'fd00:1:2::/48'
set policy prefix-list6 HOME_NETv6 rule 22 action 'permit'
set policy prefix-list6 HOME_NETv6 rule 22 ge '126'
set policy prefix-list6 HOME_NETv6 rule 22 le '128'
set policy prefix-list6 HOME_NETv6 rule 22 prefix 'fd00:1:2::/48'
```
route-map ¶
Unless the route-map rules are written in the order below, routes may unexpectedly fall out of the map:
- set
- call
- match

- DEFAULT_ROUTE
  - rule 11: on passing, attaches the BGP Community `<MyAS>:<identifier>`
  - rule 12: runs route-map STANDBY_PREPEND
  - rule 10011: if it matches prefix-list DEFAULT_ROUTEv4, import into the route table
  - rule 20011: if the nexthop is 2001:db8:cafe:beef::1, import into the route table
  - rule 20012: if it matches prefix-list6 DEFAULT_ROUTEv6, import into the route table

```bash
set policy route-map DEFAULT_ROUTE description 'Received default route'
set policy route-map DEFAULT_ROUTE rule 11 action 'permit'
set policy route-map DEFAULT_ROUTE rule 11 description 'Attach community to received default route'
set policy route-map DEFAULT_ROUTE rule 11 on-match next
set policy route-map DEFAULT_ROUTE rule 11 set community add '64650:10113'
set policy route-map DEFAULT_ROUTE rule 12 action 'permit'
set policy route-map DEFAULT_ROUTE rule 12 call STANDBY_PREPEND
set policy route-map DEFAULT_ROUTE rule 12 description 'Standby router adds aspath'
set policy route-map DEFAULT_ROUTE rule 12 on-match next
set policy route-map DEFAULT_ROUTE rule 10011 action 'permit'
set policy route-map DEFAULT_ROUTE rule 10011 description 'IPv4 Allow default routes listed in prefix-list'
set policy route-map DEFAULT_ROUTE rule 10011 match ip address prefix-list 'DEFAULT_ROUTEv4'
set policy route-map DEFAULT_ROUTE rule 20011 action 'permit'
set policy route-map DEFAULT_ROUTE rule 20011 description 'IPv6 Allow default routes listed in prefix-list'
set policy route-map DEFAULT_ROUTE rule 20011 on-match next
set policy route-map DEFAULT_ROUTE rule 20011 match ipv6 nexthop address '2001:db8:cafe:beef::1'
set policy route-map DEFAULT_ROUTE rule 20012 action 'permit'
set policy route-map DEFAULT_ROUTE rule 20012 description 'IPv6 Allow default routes listed in prefix-list'
set policy route-map DEFAULT_ROUTE rule 20012 match ipv6 address prefix-list 'DEFAULT_ROUTEv6'
```
- OUTBOUND_TO_VULTR
  - rule 11: runs route-map STANDBY_PREPEND
  - rule 12: if it matches prefix-list OUTBOUND_TO_VULTR, advertise to the peer

```bash
set policy route-map OUTBOUND_TO_VULTR description 'Standby router adds aspath'
set policy route-map OUTBOUND_TO_VULTR rule 11 action 'permit'
set policy route-map OUTBOUND_TO_VULTR rule 11 call STANDBY_PREPEND
set policy route-map OUTBOUND_TO_VULTR rule 11 on-match next
set policy route-map OUTBOUND_TO_VULTR rule 12 action 'permit'
set policy route-map OUTBOUND_TO_VULTR rule 12 on-match next
set policy route-map OUTBOUND_TO_VULTR rule 12 match ip address prefix-list 'OUTBOUND_TO_VULTRv4'
```
- HOME_NET_REDISTRIBUTE
  - collects the redistributed home routes; does not include the Default route

```bash
set policy route-map HOME_NET_REDISTRIBUTE description 'Redistribute of home routes'
set policy route-map HOME_NET_REDISTRIBUTE rule 11 action 'permit'
set policy route-map HOME_NET_REDISTRIBUTE rule 11 match ip address prefix-list 'HOME_NETv4'
set policy route-map HOME_NET_REDISTRIBUTE rule 21 action 'permit'
set policy route-map HOME_NET_REDISTRIBUTE rule 21 match ipv6 address prefix-list 'HOME_NETv6'
```
- IPSEC_VPN
  - collects the redistributed home routes and the Default route

```bash
set policy route-map IPSEC_VPN description 'Redistribute and default route of home routes'
set policy route-map IPSEC_VPN rule 11 action 'permit'
set policy route-map IPSEC_VPN rule 11 match ip address prefix-list 'HOME_NETv4'
set policy route-map IPSEC_VPN rule 12 action 'permit'
set policy route-map IPSEC_VPN rule 12 match ip address prefix-list 'DEFAULT_ROUTEv4'
set policy route-map IPSEC_VPN rule 21 action 'permit'
set policy route-map IPSEC_VPN rule 21 match ipv6 address prefix-list 'HOME_NETv6'
set policy route-map IPSEC_VPN rule 22 action 'permit'
set policy route-map IPSEC_VPN rule 22 match ipv6 address prefix-list 'DEFAULT_ROUTEv6'
```
```bash
set policy route-map STANDBY_PREPEND description 'STANDBY_PREPEND: as-path prepend 64650 64650'
set policy route-map STANDBY_PREPEND rule 11 action 'permit'
set policy route-map STANDBY_PREPEND rule 11 match ip nexthop address '198.51.100.1'
set policy route-map STANDBY_PREPEND rule 11 on-match next
set policy route-map STANDBY_PREPEND rule 21 action 'permit'
set policy route-map STANDBY_PREPEND rule 21 on-match next
set policy route-map STANDBY_PREPEND rule 21 set as-path prepend '64650'
set policy route-map STANDBY_PREPEND rule 22 action 'permit'
set policy route-map STANDBY_PREPEND rule 22 on-match next
set policy route-map STANDBY_PREPEND rule 22 set as-path prepend '64650'
```

```bash
set policy route-map MAINTENANCE description 'MAINTENANCE: as-path prepend 64650 64650 64650 64650 64650'
set policy route-map MAINTENANCE rule 11 action 'permit'
set policy route-map MAINTENANCE rule 11 on-match next
set policy route-map MAINTENANCE rule 11 set as-path prepend '64650'
set policy route-map MAINTENANCE rule 12 action 'permit'
set policy route-map MAINTENANCE rule 12 on-match next
set policy route-map MAINTENANCE rule 12 set as-path prepend '64650'
set policy route-map MAINTENANCE rule 13 action 'permit'
set policy route-map MAINTENANCE rule 13 on-match next
set policy route-map MAINTENANCE rule 13 set as-path prepend '64650'
set policy route-map MAINTENANCE rule 14 action 'permit'
set policy route-map MAINTENANCE rule 14 on-match next
set policy route-map MAINTENANCE rule 14 set as-path prepend '64650'
set policy route-map MAINTENANCE rule 15 action 'permit'
set policy route-map MAINTENANCE rule 15 on-match next
set policy route-map MAINTENANCE rule 15 set as-path prepend '64650'
```
For maintenance, attach the route-map as below to divert traffic around this router.
(I would like to use GRACEFUL_SHUTDOWN, but the peer device does not support it, so the conservative method.)

```bash
configure
set policy route-map DEFAULT_ROUTE rule 1 action 'permit'
set policy route-map DEFAULT_ROUTE rule 1 call MAINTENANCE
set policy route-map DEFAULT_ROUTE rule 1 on-match next
set policy route-map DEFAULT_ROUTE rule 1 description 'MAINTENANCE'
set policy route-map OUTBOUND_TO_VULTR rule 1 action 'permit'
set policy route-map OUTBOUND_TO_VULTR rule 1 call MAINTENANCE
set policy route-map OUTBOUND_TO_VULTR rule 1 on-match next
set policy route-map OUTBOUND_TO_VULTR rule 1 description 'MAINTENANCE'
compare
commit
```
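To make the prefix-list `ge`/`le` semantics (HOME_NETv4 above) and the set / call / match ordering of the route-maps concrete, here is an added Python model. It is written for this page and is not code from the original post, from VyOS or from FRR; `Route`, `PrefixRule`, `MapRule`, `list_permits` and `evaluate` are names invented here. It transcribes the page's DEFAULT_ROUTEv4/v6 and HOME_NETv4 prefix-lists and the DEFAULT_ROUTE, STANDBY_PREPEND and MAINTENANCE route-maps, and runs constructed sample routes through them. The rule evaluation it models (per sequence number: match clauses, then set clauses, then `call`, then `on-match next` or exit; a rule without a match clause matches every route; a rule that does not match is skipped; a map whose last evaluated rule did not match denies the route) is FRR's behaviour as I understand it, and the end-of-map handling in particular is my assumption to verify against your FRR version.

```python
"""Model of FRR-style prefix-list and route-map evaluation for the policy on this page.

Assumption (mine, not from the page): per rule, in sequence order, the match clauses are
evaluated, then the set clauses, then `call`, then `on-match next` / exit.  A rule with no
match clause matches every route; a non-matching rule is skipped; a map whose last
evaluated rule did not match denies the route.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Route:
    prefix: str
    nexthop: str
    as_path: List[str] = field(default_factory=list)
    community: set = field(default_factory=set)

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


@dataclass
class PrefixRule:
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None
    action: str = "permit"

    def matches(self, net) -> bool:
        base = ipaddress.ip_network(self.prefix)
        if net.version != base.version or not net.subnet_of(base):
            return False
        if self.ge is None and self.le is None:
            return net.prefixlen == base.prefixlen   # no ge/le: exact length only
        lo = self.ge if self.ge is not None else base.prefixlen   # le alone: ge = base length
        hi = self.le if self.le is not None else net.max_prefixlen  # ge alone: le = 32 / 128
        return lo <= net.prefixlen <= hi


def prefix_list_permits(rules: List[PrefixRule], net) -> bool:
    """First matching rule decides; no match at all is the implicit deny."""
    for rule in rules:
        if rule.matches(net):
            return rule.action == "permit"
    return False


@dataclass
class MapRule:
    seq: int
    match: Optional[Callable] = None          # None: matches every route
    sets: List[Callable] = field(default_factory=list)
    call: Optional[str] = None
    on_match_next: bool = False
    action: str = "permit"


def apply_route_map(maps, lists, name: str, route: Route) -> bool:
    """Return True if route-map `name` permits the route; set clauses mutate the route."""
    result = False
    for rule in sorted(maps[name], key=lambda r: r.seq):
        if rule.match is not None and not rule.match(route, lists):
            result = False                    # skipped rule leaves the map in the deny state
            continue
        if rule.action == "deny":
            return False
        for setter in rule.sets:
            setter(route)
        if rule.call and not apply_route_map(maps, lists, rule.call, route):
            return False                      # a deny from the called map denies the caller
        result = True
        if not rule.on_match_next:
            return True                       # terminal rule: permit and stop
    return result


# Clause helpers standing in for `match ... prefix-list`, `match ... nexthop address`,
# `set community add` and `set as-path prepend`.
def match_prefix_list(list_name):
    return lambda route, lists: prefix_list_permits(lists[list_name], route.net)

def match_nexthop(addr):
    return lambda route, lists: route.nexthop == addr

def set_community(value):
    return lambda route: route.community.add(value)

def set_prepend(asn):
    return lambda route: route.as_path.insert(0, asn)


# The page's prefix-lists and route-maps, transcribed.
LISTS: Dict[str, List[PrefixRule]] = {
    "DEFAULT_ROUTEv4": [PrefixRule("0.0.0.0/0")],
    "DEFAULT_ROUTEv6": [PrefixRule("::/0")],
    "HOME_NETv4": [PrefixRule("10.0.0.0/8", ge=24, le=24), PrefixRule("10.0.0.0/8", ge=32),
                   PrefixRule("192.168.0.0/16", ge=24, le=24), PrefixRule("192.168.0.0/16", ge=30, le=32)],
}
MAPS: Dict[str, List[MapRule]] = {
    "STANDBY_PREPEND": [MapRule(11, match=match_nexthop("198.51.100.1"), on_match_next=True),
                        MapRule(21, sets=[set_prepend("64650")], on_match_next=True),
                        MapRule(22, sets=[set_prepend("64650")], on_match_next=True)],
    "MAINTENANCE": [MapRule(seq, sets=[set_prepend("64650")], on_match_next=True) for seq in range(11, 16)],
    "DEFAULT_ROUTE": [MapRule(11, sets=[set_community("64650:10113")], on_match_next=True),
                      MapRule(12, call="STANDBY_PREPEND", on_match_next=True),
                      MapRule(10011, match=match_prefix_list("DEFAULT_ROUTEv4")),
                      MapRule(20011, match=match_nexthop("2001:db8:cafe:beef::1"), on_match_next=True),
                      MapRule(20012, match=match_prefix_list("DEFAULT_ROUTEv6"))],
}


def list_permits(list_name: str, prefix: str) -> bool:
    return prefix_list_permits(LISTS[list_name], ipaddress.ip_network(prefix))


def evaluate(map_name: str, route: Route, maintenance: bool = False):
    """Run a route through a route-map; `maintenance` adds the page's rule 1 `call MAINTENANCE`."""
    maps = dict(MAPS)
    if maintenance:
        maps[map_name] = [MapRule(1, call="MAINTENANCE", on_match_next=True)] + MAPS[map_name]
    return apply_route_map(maps, LISTS, map_name, route), route


if __name__ == "__main__":
    # Constructed sample routes: a default route learned from the peer, and a home /24.
    for r, mt in [(Route("0.0.0.0/0", "198.51.100.1", ["64515"]), False),
                  (Route("0.0.0.0/0", "198.51.100.1", ["64515"]), True),
                  (Route("10.1.0.0/24", "192.168.255.9"), False)]:
        ok, out = evaluate("DEFAULT_ROUTE", r, mt)
        print(f"{out.prefix:12} maintenance={mt!s:5} permit={ok!s:5} as_path={out.as_path} community={sorted(out.community)}")
```

Running it shows the default route leaving DEFAULT_ROUTE with community 64650:10113 and two prepended 64650s, seven with the maintenance rule 1 in place, while 10.1.0.0/24 falls through every match rule and is denied. One thing the model makes visible: STANDBY_PREPEND rules 21 and 22 carry no match clause of their own, so under these semantics the two prepends are applied whether or not rule 11's nexthop match succeeded; if the prepend is meant only for the standby router, rules 21 and 22 need a match (or a deny rule after 11) to restrict them.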
Actual configuration ¶
Since BGP is established with 169.254.169.254 in this setup, write a static route for it.

```bash
set protocols static route 169.254.169.254/32 next-hop 198.51.100.2
```

- P@ssW0rd: the password provided by Vultr
- router-id: 203.0.113.1
- AS64512~65534
  - 64515: Vultr
  - 64650: border-01,02
  - 64701: ix2215-01
```bash
set protocols bgp parameters bestpath as-path multipath-relax
set protocols bgp parameters ebgp-requires-policy
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '203.0.113.1'
set protocols bgp system-as '64650'
set protocols bgp timers holdtime '9'
set protocols bgp timers keepalive '3'
set protocols bgp peer-group Vultr address-family ipv4-unicast route-map export 'OUTBOUND_TO_VULTR'
set protocols bgp peer-group Vultr address-family ipv4-unicast route-map import 'DEFAULT_ROUTE'
set protocols bgp peer-group Vultr address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group Vultr address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp peer-group Vultr description 'Transit from Vultr'
set protocols bgp peer-group Vultr ebgp-multihop '2'
set protocols bgp peer-group Vultr password 'P@ssW0rd'
set protocols bgp peer-group Vultr remote-as '64515'
```

```bash
set protocols bgp peer-group IPSecVPN address-family ipv4-unicast route-map export IPSEC_VPN
set protocols bgp peer-group IPSecVPN address-family ipv4-unicast route-map import 'HOME_NET_REDISTRIBUTE'
set protocols bgp peer-group IPSecVPN address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group IPSecVPN description 'Home from IPsecVPN'
set protocols bgp peer-group IPSecVPN remote-as 'external'
```

```bash
set protocols bgp address-family ipv4-unicast redistribute connected
set protocols bgp address-family ipv6-unicast redistribute connected
set protocols bgp address-family ipv6-unicast redistribute kernel route-map 'DEFAULT_ROUTE'
```
Neighbor ¶

```bash
set protocols bgp neighbor 169.254.169.254 description 'IPv4 to Vultr'
set protocols bgp neighbor 169.254.169.254 peer-group 'Vultr'
set protocols bgp neighbor 169.254.169.254 timers connect '5'
```

```bash
set protocols bgp neighbor vti1 interface peer-group IPSecVPN
set protocols bgp neighbor vti2 interface peer-group IPSecVPN
```
MSS adjust-auto ¶
It was not needed on the cloud VyOS this time, but to adjust the TCP MSS automatically configure the following.
If eth0 is the WAN with mtu 1440, these settings compute and apply the MSS automatically for IPv4 and IPv6.

```bash
set interfaces ethernet eth0 mtu 1440
set interfaces ethernet eth0 ip adjust-mss clamp-mss-to-pmtu
set interfaces ethernet eth0 ipv6 adjust-mss clamp-mss-to-pmtu
```
Docker ¶
cloudflared ¶
Two containers are started: cloudflared-tunnel and cloudflared-doh.
- cloudflared-tunnel: container for Cloudflare Tunnel

To simplify the configuration, put the TOKEN in an environment variable.

```bash
export __CF_TOKEN="<TOKEN>"
```

cloudflared-tunnel

```bash
run add container image cloudflare/cloudflared:2024.4.1
set container name cloudflared-tunnel allow-host-networks
set container name cloudflared-tunnel command 'tunnel --no-autoupdate run'
set container name cloudflared-tunnel image cloudflare/cloudflared:2024.4.1
set container name cloudflared-tunnel restart on-failure
set container name cloudflared-tunnel environment 'TUNNEL_TOKEN' value "${__CF_TOKEN}"
set container name cloudflared-tunnel environment 'TUNNEL_METRICS' value 'localhost:60001'
```

- cloudflared-doh: container for DNS over HTTPS. No TOKEN is needed for this one; instead, issue a DNS over HTTPS endpoint on Cloudflare Gateway and configure it.

```bash
set container name cloudflared-doh allow-host-networks
set container name cloudflared-doh capability 'net-bind-service'
set container name cloudflared-doh command 'proxy-dns'
set container name cloudflared-doh image 'cloudflare/cloudflared:2024.4.1'
set container name cloudflared-doh restart 'on-failure'
set container name cloudflared-doh environment 'TUNNEL_DNS_PORT' value '53'
set container name cloudflared-doh environment 'TUNNEL_DNS_ADDRESS' value '0.0.0.0'
set container name cloudflared-doh environment 'TUNNEL_DNS_UPSTREAM' value 'https://1.1.1.1/dns-query,https://1.0.0.1/dns-query'
set container name cloudflared-doh environment 'TUNNEL_METRICS' value 'localhost:60002'
```
Topic
I also tried creating a bridge network for the containers, but could not get it working.
Even with SNAT configured, traffic was not getting out.

```bash
set container network cn-internal description 'Network for containers'
set container network cn-internal prefix '172.17.0.0/16'
set nat source rule 11 outbound-interface name 'eth0'
set nat source rule 11 source address '172.17.0.0/16'
set nat source rule 11 translation address 'masquerade'
```
frr_exporter ¶
TODO: verify
As a Prometheus exporter for FRRouting, frr_exporter is easy to use and I have already built a Zabbix template for it, so I will deploy it to monitor the BGP peers.
Zabbix ¶
zabbix-agent was introduced in VyOS 1.4, so use that.

```text
vyos@border-02# type zabbix_agent2
zabbix_agent2 is /usr/sbin/zabbix_agent2
vyos@border-02# zabbix_agent2 --version
zabbix_agent2 (Zabbix) 6.0.14
Revision 3f184b456c7 8 March 2023, compilation time: Apr 9 2023 11:12:43
Plugin communication protocol version is 6.0.13
```

```bash
set service monitoring zabbix-agent host-name "${HOSTNAME}"
set service monitoring zabbix-agent listen-address '<MGMT IP>'
set service monitoring zabbix-agent log debug-level 'warning'
set service monitoring zabbix-agent log size '10'
set service monitoring zabbix-agent server '<Zabbix IP>'
set service monitoring zabbix-agent server-active '<Zabbix IP>'
set service monitoring zabbix-agent timeout '10'
```
Vector ¶

```bash
mkdir -p /config/container/vector
chown -R root:vyattacfg /config/container
touch /config/container/vector/vector.yaml
run add container image timberio/vector:0.38.0-alpine
set container name vector allow-host-networks
set container name vector capability 'net-bind-service'
set container name vector image 'timberio/vector:0.38.0-alpine'
set container name vector restart 'on-failure'
set container name vector environment 'AWS_ACCESS_KEY_ID' value 'AKXXXXXXXXXXXXXXXXXX'
set container name vector environment 'AWS_DEFAULT_REGION' value 'ap-northeast-1'
set container name vector environment 'AWS_SECRET_ACCESS_KEY' value 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
set container name vector environment 'TZ' value 'Asia/Tokyo'
set container name vector volume 'vector_etc' source /config/container/vector/vector.yaml
set container name vector volume 'vector_etc' destination /etc/vector/vector.yaml
set container name vector volume 'vector_etc' mode ro
```

/etc/vector/vector.yaml

```yaml
---
log_schema:
  timestamp_key: event.created
sources:
  syslog_tcp:
    type: syslog
    address: 0.0.0.0:514
    mode: tcp
  syslog_udp:
    type: syslog
    address: 0.0.0.0:514
    mode: udp
transforms:
  remap_timestamp:
    type: remap
    inputs:
      - syslog_tcp
      - syslog_udp
    source: |
      . = parse_json!(.message)
      .timestamp = .event.created
sinks:
  new_relic_logs:
    type: new_relic
    inputs:
      - remap_timestamp
    account_id: "0000000"
    api: logs
    license_key: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    region: us
    encoding:
      timestamp_format: rfc3339
    healthcheck: true
  s3_archive:
    type: aws_s3
    inputs:
      - remap_timestamp
    bucket: exsample-log-archives
    buffer:
      type: disk
      max_size: 4294967808
    encoding:
      codec: json
      timestamp_format: rfc3339
    healthcheck:
      enabled: true
    key_prefix: "year=%Y/month=%m/day=%d/hour=%H/"
```
IPsec ¶
The old connection used pfSense with IKEv1 aggressive mode, but since the peer device, an IX2215, also supports IKEv2, the connection is switched to IKEv2.

| Subnet | NetAddr, BroadcastAddr | Home | Vultr | |
|---|---|---|---|---|
| 192.168.255.0/24 | | | | |
| 192.168.255.0/30 | .1,3 | 192.168.255.1 | 192.168.255.2 | IX2215-01a <-> border-01 |
| 192.168.255.4/30 | .4,7 | 192.168.255.5 | 192.168.255.6 | IX2215-01b <-> border-01 |
| 192.168.255.8/30 | .8,11 | 192.168.255.9 | 192.168.255.10 | IX2215-01a <-> border-02 |
| 192.168.255.12/30 | .12,15 | 192.168.255.13 | 192.168.255.14 | IX2215-01b <-> border-02 |

Apply the generic settings first.

```bash
set vpn ipsec interface 'eth0'
set vpn ipsec log level '0'
set vpn ipsec log subsystem 'any'
set vpn ipsec options disable-route-autoinstall
```
VTI ¶
The redundant tunnels could be configured one by one, but since routing is done with BGP this time, I prepared VTIs and establish the BGP peers over them.

```bash
set interfaces vti vti1 address '192.168.255.10/30'
set interfaces vti vti1 description 'IX2215-01a <-> border-02'
set interfaces vti vti2 address '192.168.255.14/30'
set interfaces vti vti2 description 'IX2215-01b <-> border-02'
```
Authentication ¶
Configure IKEv2 authentication; this time a Pre-Shared Key is used.
Important
When the connecting site (here, my home) sits behind a carrier network, NAT-T has to be used; but nearly all of the countless tutorial articles on the web select the authentication PSK based on the Source Address, so IKEv2 SA establishment fails from behind NAT.
I myself lost two precious days of Golden Week to this.
The workaround is to set a keyid, but it has to be configured in line with the behaviour of strongSwan, which actually processes IPsec behind VyOS. In this case that means the following 3 places.

```bash
set vpn ipsec authentication psk <PSK NAME> id 'keyid:<Key ID>'
set vpn ipsec site-to-site peer <PEER NAME> authentication local-id 'keyid:<Key ID>'
set vpn ipsec site-to-site peer <PEER NAME> authentication remote-id 'keyid:<Key ID>'
```

```bash
set vpn ipsec authentication psk IX2215-01a id 'keyid:ix2215-01a.tyo1.home.vpn.internal'
set vpn ipsec authentication psk IX2215-01a id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec authentication psk IX2215-01a secret 'Secret_01a'
set vpn ipsec authentication psk IX2215-01b id 'keyid:ix2215-01b.tyo1.home.vpn.internal'
set vpn ipsec authentication psk IX2215-01b id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec authentication psk IX2215-01b secret 'Secret_01b'
```
ESP, IKEv2 ¶
There are many parameters and it is complex, so the table below organizes them.

| Protocol | UNIVERGE IX | VyOS 1.5.x (circinus) | Adopted |
|---|---|---|---|
| ESP Encryption | sa-proposal enc | esp-group <1> proposal 0 encryption | |
| AES-CBC (128 bits) | aes-cbc-128 | aes128 | |
| AES-CBC (192 bits) | aes-cbc-192 | aes192 | |
| AES-CBC (256 bits) | aes-cbc-256 | aes256 | O |
| | | | |
| IKEv2 DH Group | sa-proposal dh | ike-group <1> proposal 0 dh-group | |
| DH Group 1 | 768-bit | 1 | |
| DH Group 2 | 1024-bit | 2 | |
| DH Group 5 | 1536-bit | 5 | |
| DH Group 14 | 2048-bit | 14 | O |
| DH Group 15 | 3072-bit | 15 | |
| | | | |
| IKEv2 Integrity Algorithm | sa-proposal integrity | esp-group <1> proposal 0 hash | |
| HMAC-MD5-96 | md5 | md5 | |
| HMAC-SHA1-96 | sha1 | sha1 | |
| HMAC-SHA2-256-128 | sha2-256 | sha256 | O |
| HMAC-SHA2-384-192 | sha2-384 | sha384 | |
| HMAC-SHA2-512-256 | sha2-512 | sha512 | |
| | | | |
| IKEv2 PFS(Perfect Forward Secrecy) | child-pfs | esp-group <1> pfs | |
| DH Group 1 | 768-bit | dh-group1 | |
| DH Group 2 | 1024-bit | dh-group2 | |
| DH Group 5 | 1536-bit | dh-group5 | |
| DH Group 14 | 2048-bit | dh-group14 | O |
| DH Group 15 | 3072-bit | dh-group15 | |
| | | | |
| IKEv2 PRF(Pseudo-Random Function) | sa-proposal prf | ike-group <1> proposal 0 prf | |
| HMAC-MD5 | md5 | prfmd5 | |
| HMAC-SHA1 | sha1 | prfsha1 | |
| HMAC-SHA2-256 | sha2-256 | prfsha256 | O |
| HMAC-SHA2-384 | sha2-384 | prfsha384 | |
| HMAC-SHA2-512 | sha2-512 | prfsha512 | |
| | | | |
| IKEv2 Encryption | child-proposal enc | ike-group <1> proposal 0 encryption | |
| AES-CBC (128 bits) | aes-cbc-128 | aes128 | |
| AES-CBC (192 bits) | aes-cbc-192 | aes192 | |
| AES-CBC (256 bits) | aes-cbc-256 | aes256 | O |
| | | | |
| IKEv2 Integrity Algorithm | child-proposal integrity | ike-group <1> proposal 0 encryption | |
| HMAC-MD5-96 | md5 | md5 | |
| HMAC-SHA1-96 | sha1 | sha1 | |
| HMAC-SHA2-256-128 | sha2-256 | sha256 | O |
| HMAC-SHA2-384-192 | sha2-384 | sha384 | |
| HMAC-SHA2-512-256 | sha2-512 | sha512 | |
| IKEv2 DPD(Dead Peer Detection) | | | |
| interval (Sec) | 10 | 10 | |
| timeout (Sec) | | 120 | |

- Common settings
  - lifetime: 28800 (8 hours)
  - Anti-replay: off

```bash
set vpn ipsec esp-group BORDER-IPSEC lifetime '28800'
set vpn ipsec esp-group BORDER-IPSEC mode 'tunnel'
set vpn ipsec esp-group BORDER-IPSEC pfs 'dh-group14'
set vpn ipsec esp-group BORDER-IPSEC proposal 0 encryption 'aes256'
set vpn ipsec esp-group BORDER-IPSEC proposal 0 hash 'sha256'
set vpn ipsec ike-group BORDER-IPSEC close-action 'none'
set vpn ipsec ike-group BORDER-IPSEC dead-peer-detection action 'restart'
set vpn ipsec ike-group BORDER-IPSEC dead-peer-detection interval '10'
set vpn ipsec ike-group BORDER-IPSEC dead-peer-detection timeout '120'
set vpn ipsec ike-group BORDER-IPSEC disable-mobike
set vpn ipsec ike-group BORDER-IPSEC key-exchange 'ikev2'
set vpn ipsec ike-group BORDER-IPSEC lifetime '28800'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 dh-group '14'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 encryption 'aes256'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 hash 'sha256'
set vpn ipsec ike-group BORDER-IPSEC proposal 0 prf 'prfsha256'
```
IPsec Peer ¶
IPsec peers are often defined by IP address (set vpn ipsec site-to-site peer IX2215-01a), but since this field is only a name, I used an easy-to-recognise name for the remote device instead.
As already noted in the Authentication section, authentication will fail unless you remember to set keyid:<Key ID>.
IX2215-01a
```
set vpn ipsec site-to-site peer IX2215-01a authentication local-id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01a authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer IX2215-01a authentication remote-id 'keyid:ix2215-01a.tyo1.home.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01a description 'IX2215-01a <-> border-02'
set vpn ipsec site-to-site peer IX2215-01a connection-type 'respond'
set vpn ipsec site-to-site peer IX2215-01a ike-group 'BORDER-IPSEC'
set vpn ipsec site-to-site peer IX2215-01a local-address '203.0.113.1'
set vpn ipsec site-to-site peer IX2215-01a remote-address 'any'
set vpn ipsec site-to-site peer IX2215-01a replay-window '0'
set vpn ipsec site-to-site peer IX2215-01a vti bind 'vti1'
set vpn ipsec site-to-site peer IX2215-01a vti esp-group 'BORDER-IPSEC'
```
IX2215-01b
```
set vpn ipsec site-to-site peer IX2215-01b authentication local-id 'keyid:border-02.tyo1.vultr.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01b authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer IX2215-01b authentication remote-id 'keyid:ix2215-01b.tyo1.home.vpn.internal'
set vpn ipsec site-to-site peer IX2215-01b description 'IX2215-01b <-> border-02'
set vpn ipsec site-to-site peer IX2215-01b connection-type 'respond'
set vpn ipsec site-to-site peer IX2215-01b ike-group 'BORDER-IPSEC'
set vpn ipsec site-to-site peer IX2215-01b local-address '203.0.113.1'
set vpn ipsec site-to-site peer IX2215-01b remote-address 'any'
set vpn ipsec site-to-site peer IX2215-01b replay-window '0'
set vpn ipsec site-to-site peer IX2215-01b vti bind 'vti2'
set vpn ipsec site-to-site peer IX2215-01b vti esp-group 'BORDER-IPSEC'
```
Anti-replay off ¶
Because QoS (Quality of Service) is configured on the IX2215 at the other end, anti-replay is disabled: QoS can reorder ESP packets so that they arrive outside the replay window and get dropped.
Note that replay-window 0 turns ESP replay protection off entirely for that peer, rather than merely widening the window.
```
set vpn ipsec site-to-site peer IX2215-01a replay-window 0
set vpn ipsec site-to-site peer IX2215-01b replay-window 0
```
IX2215-01a ¶
This is off the main topic so I will not explain it in detail, but here is an example config for IX2215-01a.
IX2215-01a_config
```
ix2215-01a(config)# show run
! NEC Portable Internetwork Core Operating System Software
! IX Series IX2215 (magellan-sec) Software, Version 10.10.21, RELEASE SOFTWARE
! Compiled Oct 04-Fri-2024 13:39:04 JST #2
! Current time Nov 08-Fri-2024 19:36:13 JST
!
hostname ix2215-01a
timezone +09 00
terminal suppress-emanon
!
ip route 203.0.113.1/32 GigaEthernet0.13 dhcp
ikev2 authentication psk id keyid border-02.tyo1.vultr.vpn.internal key char Secret_01a
!
!
!
router bgp 64701
router-id 10.2.21.2
address-family ipv4 unicast
redistribute connected
peer-group IPsecVPN remote-as 64650
neighbor 192.168.255.2
neighbor 192.168.255.10
timers 3 9
!
ikev2 default-profile
anti-replay off
child-lifetime 28800
child-pfs 2048-bit
child-proposal enc aes-cbc-256
child-proposal integrity sha2-256
dpd interval 10
local-authentication psk id keyid ix2215-01a.tyo1.home.vpn.internal
nat-traversal keepalive 20 force
negotiation-direction initiator
sa-lifetime 28800
sa-proposal enc aes-cbc-256
sa-proposal integrity sha2-256
sa-proposal dh 2048-bit
sa-proposal prf sha2-256
!
interface GigaEthernet0.0
no ip address
shutdown
!
interface GigaEthernet1.0
description WAN
ip address dhcp receive-default
ip mtu 1500
no shutdown
!
interface GigaEthernet2.0
description home
auto-connect
ip address 10.2.21.2
no shutdown
!
interface Tunnel2.0
tunnel mode ipsec-ikev2
ip address 192.168.255.9/30
ip tcp adjust-mss auto
ikev2 connect-type auto
ikev2 ipsec pre-fragment
ikev2 negotiation-direction initiator
ikev2 peer 203.0.113.1 authentication psk id keyid border-02.tyo1.vultr.vpn.internal
no shutdown
```
NTP ¶
At home I configure the NTP servers of Cloudflare and Internet Multifeed, with Cloudflare preferred.
```
delete service ntp server
set service ntp server ntp.jst.mfeed.ad.jp pool
set service ntp server time.cloudflare.com nts
set service ntp server time.cloudflare.com pool
set service ntp server time.cloudflare.com prefer
```
```
vyos@border-02# run show ntp sources
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- ntp2.jst.mfeed.ad.jp          2   6    17    57   +383us[-5794us] +/-   56ms
^? ntp1.jst.mfeed.ad.jp          2   6    17    57   +231us[ -157us] +/-   65ms
^? ntp3.jst.mfeed.ad.jp          2   6    17    56  +1451us[+1062us] +/-   62ms
^* time.cloudflare.com           3   6    17    55   +618us[ +230us] +/-   60ms
^+ time.cloudflare.com           3   6    17    55   +523us[ +523us] +/-   60ms
[edit]
```
Save ¶
Important
Write the configuration to startup-config.
Troubleshooting ¶
IPsec tunnel does not come up ¶
In that case the first thing to check is strongSwan, using the command below.
```
vyos@border-02:~$ journalctl -u strongswan.service -f | grep -e 'charon\['
May 05 04:13:48 border-02 charon[2440]: 11[NET] <218> received packet: from 203.0.113.185[1525] to 203.0.113.163[500] (1024 bytes)
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 05 04:13:48 border-02 charon[2440]: 11[IKE] <218> no IKE config found for 203.0.113.163...203.0.113.185, sending NO_PROPOSAL_CHOSEN
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 05 04:13:48 border-02 charon[2440]: 11[NET] <218> sending packet: from 203.0.113.163[500] to 203.0.113.185[1525] (36 bytes)
```
IKE_SA_INIT is being answered with NO_PROPOSAL_CHOSEN, so the negotiation is failing at the IKE SA exchange and the exchange of DH key material.
Next, check with tcpdump what the peer is actually sending.
```
vyos@border-02:~$ /bin/bash -c "sudo tcpdump -i eth0 esp or udp port 500 or port 4500 -vv -nn"
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:19:19.332292 IP (tos 0x0, ttl 52, id 48674, offset 0, flags [none], proto UDP (17), length 688)
    133.106.35.185.4500 > 198.51.100.2.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000000 cookie a8d897a0d1ba99e2->0000000000000000: parent_sa ikev2_init[I]:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=integ id=#12 )
            (t: #3 type=prf id=#5 )
            (t: #4 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=256 nonce=(18a0687fda99ceb86c2b9cff2fe587504c7966a0730dd3d11cbfa5d234790e53838f682e8733683b4c1959b845557125c79adec0c1b3fb3a2c7b419ba9c3d600b2bf89c4f32ca709b39d22200f1425fd52556b5de75e30401a81592b159b2e0e19af1d436538e5b325da4e2f8325c47e5cbfcccf00043dd564f3bd135b13f125420f1d7ce00bec0393590039d985ecb663347ab3df3b6878d3f808045846cec4a6bb3bdd1b73eb686b0492377bcda731d3d4fcd5aaa7565ac8d9f1fe26cd2cf3714537a2c488693a3a92a36d43a8a5b8167f2e4f9f3bde0359d1b69dee58475a80ab57fdfe57910cd409ee68d3981c0aa45bddfcf70a6686093f773ba529c94f) )
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
06:19:19.333225 IP (tos 0x0, ttl 64, id 44145, offset 0, flags [DF], proto UDP (17), length 68)
    198.51.100.2.4500 > 133.106.35.185.4500: [bad udp cksum 0xa4bb -> 0x0a91!] NONESP-encap: isakmp 2.0 msgid 00000000 cookie a8d897a0d1ba99e2->6349877d0edb3c28: parent_sa ikev2_init[R]:
    (n: prot_id=#0 type=14(no_protocol_chosen))
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
```
To look at the resulting configuration, cat /etc/swanctl/swanctl.conf shows the strongSwan configuration that VyOS generated.
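The triage above can be scripted. As an added example that is not part of the original post, the POSIX shell function below classifies IKE_SA_INIT failures in charon log lines from journalctl, separating "no site-to-site peer matches this address pair" (check the peer's local-address / remote-address) from "a peer matched but the ike-group proposal did not". The sample log lines and the proposal-mismatch message text are constructed and assumed, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original post): triage IKE_SA_INIT failures
# in strongSwan charon log lines, e.g.
#   journalctl -u strongswan.service | ike_init_failures
# Prints one line per failed IKE_SA: "<sa-id> <reason> <local> <remote>"
ike_init_failures() {
  awk '
    # charon tags every line of one IKE_SA with "<N>"; pull N out.
    function sa_id(line) {
      if (match(line, /<[0-9]+>/)) return substr(line, RSTART + 1, RLENGTH - 2)
      return "?"
    }
    # "no IKE config found for LOCAL...REMOTE": no site-to-site peer has a
    # local-address / remote-address pair matching this packet, so the peer
    # definition (not the cipher proposal) is what to check first.
    /no IKE config found for/ {
      match($0, /for [^ ,]+/)
      split(substr($0, RSTART + 4, RLENGTH - 4), addr, /\.\.\./)
      print sa_id($0), "NO_PEER_CONFIG", addr[1], addr[2]
      next
    }
    # A peer matched but its ike-group proposal did not (compare proposal 0
    # encryption / hash / dh-group with the remote side). The message text
    # matched here is an assumption about charon wording.
    /no matching proposal found|received proposals unacceptable/ {
      print sa_id($0), "PROPOSAL_MISMATCH", "-", "-"
      next
    }
  ' "$@"
}

# Constructed sample modelled on the journalctl output shown above, plus one
# assumed proposal-mismatch line for a second IKE_SA (<219>).
SAMPLE_LOG='May 05 04:13:48 border-02 charon[2440]: 11[NET] <218> received packet: from 203.0.113.185[1525] to 203.0.113.163[500] (1024 bytes)
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 05 04:13:48 border-02 charon[2440]: 11[IKE] <218> no IKE config found for 203.0.113.163...203.0.113.185, sending NO_PROPOSAL_CHOSEN
May 05 04:13:48 border-02 charon[2440]: 11[ENC] <218> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 05 04:14:02 border-02 charon[2440]: 12[IKE] <219> no matching proposal found, sending NO_PROPOSAL_CHOSEN'

# Run the classifier over the constructed sample; the report goes to stdout.
triage_sample() {
  printf '%s\n' "$SAMPLE_LOG" | ike_init_failures
}

triage_sample
```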