GNS3 v2.1 Appliance (2) : vyOS v1.1.8 -2-

쏠라구구 2018.06.09 17:53
# Exploring vyOS features
OSPF, Site-to-Site IPSec VPN, and DMVPN (a combination of three open technologies)
DMVPN in particular, if implemented with vyOS or Linux, is expected to serve as a VPN connectivity solution for a large number of branch sites.
 
 
1. OSPF
Let's configure the OSPF routing protocol on vyOS.
 
1.1 Topology
Two vyOS routers and one Cisco router are used.

 
1.2 vyOS installation
 
 
1.3 Basic configuration
vyOS1)
configure
set interfaces ethernet eth0 address '192.168.254.61/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '172.16.10.1/24'
set interfaces ethernet eth1 description 'INSIDE'
commit
run show interfaces
 
vyOS2)
configure
set interfaces ethernet eth0 address '192.168.254.62/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '172.16.20.1/24'
set interfaces ethernet eth1 description 'INSIDE'
commit
run show interfaces
 
L3_SW)
en
conf t
 int f0/0
  ip add 192.168.254.63 255.255.255.0
  no shut
 int f1/0
  ip add 172.16.30.1 255.255.255.0
  no shut
 
 
1.4 OSPF configuration
vyOS1)
set protocols ospf area 0 network 192.168.254.0/24
set protocols ospf area 0 network 172.16.10.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 172.16.10.1
commit
run show ip ospf neighbor
run show ip route
 
vyOS2)
set protocols ospf area 0 network 192.168.254.0/24
set protocols ospf area 0 network 172.16.20.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 172.16.20.1
commit
run show ip ospf neighbor
run show ip route
 
L3_SW)
 ip routing
 router ospf 1
  router-id 172.16.30.1
  network 192.168.254.0 0.0.0.255 area 0
  network 172.16.30.0 0.0.0.255 area 0
  log-adjacency-changes
 
 
1.5 OSPF and routing table verification
vyOS1)
Confirm that the two OSPF neighbors are fully established.
In the routing table, confirm that the internal networks of vyOS2 and L3_SW are both present.

 
L3_SW)
On the Cisco device as well, the OSPF neighbors and the routing table are confirmed as normal.

 
PC1)
From PC1 (172.16.10.100) behind vyOS1, confirm connectivity to PC2 and to PC3.
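As an added example (not part of the original post), here is a small Python check for the verification step above. It parses the `show ip ospf neighbor` output in the Quagga format vyOS 1.1 prints and compares the adjacencies against the router IDs we expect, flagging neighbors that are missing, not yet Full, or unexpected; the OSPF configuration in this lab has no authentication, so any device on 192.168.254.0/24 could form an adjacency, which is why an unexpected neighbor deserves a finding. The sample output is constructed for this topology, not captured from the lab. It also converts the vyOS `network a.b.c.d/n` form to the Cisco wildcard-mask form used in the L3_SW config.

```python
import ipaddress
import re

# Constructed sample of "show ip ospf neighbor" on vyOS1 in the Quagga format vyOS 1.1 prints
# (two neighbors on eth0: vyOS2 and L3_SW). Not captured from the lab in the post.
SAMPLE_NEIGHBOR_OUTPUT = """\
    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
172.16.20.1       1 Full/DR         37.123s   192.168.254.62  eth0:192.168.254.61      0     0     0
172.16.30.1       1 Full/Backup     34.908s   192.168.254.63  eth0:192.168.254.61      0     0     0
"""

NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>\S+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)"
)


def parse_ospf_neighbors(output):
    """Map router-id -> {state, role, address, interface} from the show output."""
    neighbors = {}
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue  # header line or blank
        state, _, role = m["state"].partition("/")  # "Full/DR" -> ("Full", "DR")
        neighbors[m["rid"]] = {
            "state": state,
            "role": role,
            "address": m["addr"],
            "interface": m["iface"].split(":")[0],
        }
    return neighbors


def check_adjacencies(output, expected_router_ids):
    """Return a list of problems; empty means exactly the expected neighbors are Full."""
    found = parse_ospf_neighbors(output)
    problems = []
    for rid in sorted(expected_router_ids):
        if rid not in found:
            problems.append(f"missing neighbor {rid}")
        elif found[rid]["state"] != "Full":
            problems.append(f"neighbor {rid} stuck in {found[rid]['state']}")
    for rid, info in found.items():
        if rid not in expected_router_ids:
            problems.append(f"unexpected neighbor {rid} from {info['address']} on {info['interface']}")
    return problems


def cisco_network_statement(cidr, area=0):
    """vyOS 'area 0 network 192.168.254.0/24' -> Cisco 'network 192.168.254.0 0.0.0.255 area 0'."""
    net = ipaddress.ip_network(cidr)
    return f"network {net.network_address} {net.hostmask} area {area}"


if __name__ == "__main__":
    print(check_adjacencies(SAMPLE_NEIGHBOR_OUTPUT, {"172.16.20.1", "172.16.30.1"}))
    print(cisco_network_statement("172.16.30.0/24"))
```

To use it on a live router, paste the output of `run show ip ospf neighbor` into `check_adjacencies` with the set of router IDs configured in 1.4; an empty list is the expected result for this lab.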

 
Reference links
 
 
2. Site-to-Site IPSec VPN
 
2.1 Topology
Two vyOS routers, plus two PCs for verifying internal connectivity.

 
 
2.2 vyOS Site-to-Site IPSec configuration
vyOS1)
IKE policy: key-exchange protocol version (ikev1), lifetime (3600 seconds), encryption and hash strength
set vpn ipsec ike-group home-ike-group key-exchange 'ikev1'
set vpn ipsec ike-group home-ike-group lifetime '3600'
set vpn ipsec ike-group home-ike-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group home-ike-group proposal 1 hash 'sha256'
set vpn ipsec ike-group home-ike-group ikev2-reauth 'no'
 
ESP policy: mode (tunnel), encryption and hash strength, compression (not used), lifetime (1800 seconds), PFS (not used). All options belong to the same group, home-esp-group, which the peer tunnel references below.
set vpn ipsec esp-group home-esp-group mode 'tunnel'
set vpn ipsec esp-group home-esp-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group home-esp-group proposal 1 hash 'sha256'
set vpn ipsec esp-group home-esp-group compression 'disable'
set vpn ipsec esp-group home-esp-group lifetime '1800'
set vpn ipsec esp-group home-esp-group pfs 'disable'
 
Interface used for the IPSec connection: normally the WAN-facing interface (eth0)
set vpn ipsec ipsec-interfaces interface 'eth0'
 
Remote VPN peer settings: peer IP (192.168.254.62), authentication mode (pre-shared secret), and the shared secret (qwe123)
set vpn ipsec site-to-site peer 192.168.254.62 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.254.62 authentication pre-shared-secret 'qwe123'
 
Remote VPN peer settings: apply the IKE group created above
set vpn ipsec site-to-site peer 192.168.254.62 ike-group 'home-ike-group'
 
Remote VPN peer settings: the IP address of this router's own WAN interface
set vpn ipsec site-to-site peer 192.168.254.62 local-address '192.168.254.61'
 
Remote VPN peer settings: do not allow NAT'd networks or public networks to use the VPN
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 allow-public-networks 'disable'
 
Remote VPN peer settings: apply the ESP group created above
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 esp-group 'home-esp-group'
 
Remote VPN peer settings: specify the traffic to be encrypted through the VPN (source network and destination network)
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 local prefix '172.16.10.0/24'
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 remote prefix '172.16.20.0/24'
 
vyOS2)
Use the same policies; set the IP addresses and network ranges according to this side and the remote side.
set vpn ipsec ike-group home-ike-group key-exchange 'ikev1'
set vpn ipsec ike-group home-ike-group lifetime '3600'
set vpn ipsec ike-group home-ike-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group home-ike-group proposal 1 hash 'sha256'
set vpn ipsec ike-group home-ike-group ikev2-reauth 'no'
 
set vpn ipsec esp-group home-esp-group mode 'tunnel'
set vpn ipsec esp-group home-esp-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group home-esp-group proposal 1 hash 'sha256'
set vpn ipsec esp-group home-esp-group compression 'disable'
set vpn ipsec esp-group home-esp-group lifetime '1800'
set vpn ipsec esp-group home-esp-group pfs 'disable'
 
set vpn ipsec ipsec-interfaces interface 'eth0'
 
set vpn ipsec site-to-site peer 192.168.254.61 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.254.61 authentication pre-shared-secret 'qwe123'
set vpn ipsec site-to-site peer 192.168.254.61 ike-group 'home-ike-group'
set vpn ipsec site-to-site peer 192.168.254.61 local-address '192.168.254.62'
set vpn ipsec site-to-site peer 192.168.254.61 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.254.61 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.254.61 tunnel 0 esp-group 'home-esp-group'
set vpn ipsec site-to-site peer 192.168.254.61 tunnel 0 local prefix '172.16.20.0/24'
set vpn ipsec site-to-site peer 192.168.254.61 tunnel 0 remote prefix '172.16.10.0/24'
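As an added example (not part of the post and not vyOS tooling), here is a Python checker for the kind of configuration just entered on both routers. It parses `set` lines, reports IKE/ESP groups that a peer references without defining or that are defined but never used (a mistyped group name means the tunnel uses whatever the referenced group defines, not the options attached to the stray group), and cross-checks the two ends for equal pre-shared secrets and mirrored local/remote prefixes. The sample configs are constructed for this topology with placeholder secrets and deliberately contain one defect of each kind.

```python
import shlex

# Constructed sample configs for the two ends (addresses as in this section); not copied from
# the post. On vyOS1 the ESP lifetime/PFS options are attached to a group whose name differs
# from the one the peer tunnel references. On vyOS2 the tunnel 0 remote prefix is mistyped
# (172.16.100.0/24 instead of 172.16.10.0/24). Secrets are placeholders.
VYOS1 = """
set vpn ipsec ike-group home-ike-group key-exchange 'ikev1'
set vpn ipsec ike-group home-ike-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group home-ike-group proposal 1 hash 'sha256'
set vpn ipsec esp-group home-esp-group mode 'tunnel'
set vpn ipsec esp-group home-esp-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group home-esp-group proposal 1 hash 'sha256'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp pfs 'disable'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.254.62 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.254.62 authentication pre-shared-secret 'PSK-PLACEHOLDER'
set vpn ipsec site-to-site peer 192.168.254.62 ike-group 'home-ike-group'
set vpn ipsec site-to-site peer 192.168.254.62 local-address '192.168.254.61'
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 esp-group 'home-esp-group'
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 local prefix '172.16.10.0/24'
set vpn ipsec site-to-site peer 192.168.254.62 tunnel 0 remote prefix '172.16.20.0/24'
"""

# Only the peer block of vyOS2 is included; group_findings() expects a full one-sided config.
VYOS2 = """
set vpn ipsec site-to-site peer 192.168.254.61 authentication pre-shared-secret 'PSK-PLACEHOLDER'
set vpn ipsec site-to-site peer 192.168.254.61 local-address '192.168.254.62'
set vpn ipsec site-to-site peer 192.168.254.61 tunnel 0 local prefix '172.16.20.0/24'
set vpn ipsec site-to-site peer 192.168.254.61 tunnel 0 remote prefix '172.16.100.0/24'
"""


def parse_set_lines(text):
    """'set a b c' lines -> token lists without 'set'; shlex drops the quotes vyOS prints."""
    return [shlex.split(l)[1:] for l in text.strip().splitlines() if l.startswith("set ")]


def group_findings(cmds):
    """Report ike/esp groups a peer references without defining, or defines without using."""
    defined = {"ike-group": set(), "esp-group": set()}
    used = {"ike-group": set(), "esp-group": set()}
    for t in cmds:
        if t[:2] != ["vpn", "ipsec"]:
            continue
        if t[2] in defined:
            defined[t[2]].add(t[3])
        elif t[2] == "site-to-site":
            for kind in used:  # 'peer X ike-group Y' / 'peer X tunnel N esp-group Z'
                if kind in t:
                    used[kind].add(t[t.index(kind) + 1])
    out = []
    for kind in ("ike-group", "esp-group"):
        out += [f"{kind} '{n}' referenced but never defined" for n in sorted(used[kind] - defined[kind])]
        out += [f"{kind} '{n}' defined but not used by any peer" for n in sorted(defined[kind] - used[kind])]
    return out


def peers(cmds):
    """{peer_ip: {"psk": str, "local": str, "tunnels": {id: {"local": prefix, "remote": prefix}}}}"""
    view = {}
    for t in cmds:
        if t[:4] != ["vpn", "ipsec", "site-to-site", "peer"]:
            continue
        p = view.setdefault(t[4], {"psk": None, "local": None, "tunnels": {}})
        rest = t[5:]
        if rest[:2] == ["authentication", "pre-shared-secret"]:
            p["psk"] = rest[2]
        elif rest[:1] == ["local-address"]:
            p["local"] = rest[1]
        elif rest[:1] == ["tunnel"] and rest[3:4] == ["prefix"]:
            p["tunnels"].setdefault(rest[1], {})[rest[2]] = rest[4]
    return view


def mirror_findings(side_a, side_b):
    """Cross-check the two ends: same PSK, and A's local prefix must be B's remote prefix."""
    a, b = peers(side_a), peers(side_b)
    out = []
    for ip_b, pa in a.items():
        pb = b.get(pa["local"])
        if pb is None or pb["local"] != ip_b:
            out.append(f"peer {ip_b} has no matching peer entry on the other side")
            continue
        if pa["psk"] != pb["psk"]:
            out.append(f"peer {ip_b}: pre-shared secrets differ")
        for tid, ta in pa["tunnels"].items():
            tb = pb["tunnels"].get(tid, {})
            if ta.get("local") != tb.get("remote") or ta.get("remote") != tb.get("local"):
                out.append(f"peer {ip_b} tunnel {tid}: prefixes are not mirrored "
                           f"({ta.get('local')}<->{ta.get('remote')} vs {tb.get('local')}<->{tb.get('remote')})")
    return out


if __name__ == "__main__":
    print(group_findings(parse_set_lines(VYOS1)))
    print(mirror_findings(parse_set_lines(VYOS1), parse_set_lines(VYOS2)))
```

On a real box the input is the output of `show configuration commands` from each router; the mirror check is the one worth automating, because mismatched prefixes do not stop the IKE SA from coming up and only show later as traffic that never enters the tunnel.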
 
 
2.3 vyOS Site-to-Site IPSec status check
PC1) ping from PC1 to PC2 succeeds: confirms the VPN came up normally.

 
Packet capture)
After the VPN negotiation protocol exchange, the actual data is wrapped and encrypted inside ESP, so the inner headers and payload are not visible.
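As an added illustration of what the capture above shows (this is example code, not from the post), the Python below parses an IPv4/ESP datagram the way an on-path observer would: the outer addresses, the SPI, the sequence number and the size are readable, and everything after the 8-byte ESP header is opaque. It also demonstrates the one check a receiver performs on that visible part, the anti-replay sequence check of RFC 4303. The capture is constructed in code, and the "ciphertext" is arbitrary bytes standing in for real AES output.

```python
import socket
import struct

ESP_PROTOCOL = 50


def ipv4_checksum(header):
    """Standard one's-complement sum over the 16-bit words of the IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_esp_packet(src, dst, spi, seq, opaque):
    """Construct an IPv4 datagram carrying ESP. 'opaque' stands in for the encrypted
    inner packet plus ESP trailer; it is constructed bytes, not real AES output."""
    esp = struct.pack("!II", spi, seq) + opaque
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0x1234, 0x4000,
                         64, ESP_PROTOCOL, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + esp


def parse_esp_packet(raw):
    """Everything an observer can read: outer addresses, SPI, sequence number, size."""
    ihl = (raw[0] & 0x0F) * 4
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if raw[9] != ESP_PROTOCOL:
        return None  # not ESP (e.g. the UDP/500 IKE negotiation packets)
    spi, seq = struct.unpack("!II", raw[ihl:ihl + 8])
    return {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "spi": spi,
        "seq": seq,
        "opaque_bytes": len(raw) - ihl - 8,  # inner IP header + data + trailer, all encrypted
    }


def detect_replays(packets):
    """Per (src, dst, SPI), a sequence number that does not increase is what the receiver's
    anti-replay window (RFC 4303) drops; reported here as (spi, seq) pairs."""
    highest, flagged = {}, []
    for raw in packets:
        info = parse_esp_packet(raw)
        if info is None:
            continue
        key = (info["src"], info["dst"], info["spi"])
        if key in highest and info["seq"] <= highest[key]:
            flagged.append((info["spi"], info["seq"]))
        else:
            highest[key] = info["seq"]
    return flagged


# Constructed capture: four ESP packets from vyOS1 to vyOS2 on one SA, where the third
# packet repeats the sequence number of the second (how a replayed datagram would look).
SAMPLE_SPI = 0xC0FFEE01
OPAQUE = bytes((i * 73 + 19) & 0xFF for i in range(32))
SAMPLE_CAPTURE = [
    build_sample_esp_packet("192.168.254.61", "192.168.254.62", SAMPLE_SPI, seq, OPAQUE)
    for seq in (1, 2, 2, 3)
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(parse_esp_packet(pkt))
    print("replayed:", detect_replays(SAMPLE_CAPTURE))
```

The SPI is the value to correlate with `sh vpn ipsec sa detail`: the SA's tx/rx byte counters there cover the same opaque bytes the parser counts here.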

 
vyOS checks)
sh vpn ike sa
sh vpn ipsec sa
sh vpn ipsec sa detail
sh vpn ipsec sa statistics
sh vpn ipsec policy
sh vpn ipsec state
 
vyOS1)
sh ip route : the VPN's remote prefix has been added to the routing table automatically.
sh vpn ike sa, sh vpn ipsec sa : the IKE and IPSec policies negotiated successfully.
sh vpn ipsec sa detail : detailed information, including the tx/rx bytes of encrypted packets through the VPN tunnel.

 
# Reference links
See the Site-to-Site VPN section near the bottom of https://wiki.vyos.net/wiki/User_Guide
 
 
 
3. DMVPN
With site-to-site IPSec, every time a VPN peer is added each peer has to be configured individually, which makes the configuration hard to scale.
Cisco developed the DMVPN technology, in which peer information is learned dynamically and peer connections are set up from it.
DMVPN functionality can be implemented by combining the following three standard technologies:
- NHRP : RFC 2332, dynamically advertises next-hop information
- mGRE : RFC 1702, allows multipoint GRE connections
- IPSec : RFC 4301 and many others, IPSec VPN
 
3.1 Topology
Three vyOS routers and three PCs.

 
 
3.2 Basic configuration
vyos1)
configure
set interfaces ethernet eth0 address '192.168.254.71/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '172.16.10.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set system host-name vyOS1
set service ssh port '22'
commit
run show interfaces
 
vyos2)
configure
set interfaces ethernet eth0 address '192.168.254.72/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '172.16.20.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set system host-name vyOS2
set service ssh port '22'
commit
run show interfaces
 
vyos3)
configure
set interfaces ethernet eth0 address '192.168.254.73/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '172.16.30.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set system host-name vyOS3
set service ssh port '22'
commit
run show interfaces
 
 
3.3 Tunnel interface (mGRE) and NHRP configuration
vyos1)
Tunnel interface IP address; the tunnel key (=333) must be set identically on the tun0 of every mGRE node.
set interfaces tunnel tun0 address 10.0.0.1/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 192.168.254.71
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 333
 
NHRP configuration; the authentication key (set identically everywhere); vyOS1 is configured for the HUB role.
set protocols nhrp tunnel tun0 cisco-authentication qwe123
set protocols nhrp tunnel tun0 holding-time 300
set protocols nhrp tunnel tun0 multicast dynamic
set protocols nhrp tunnel tun0 redirect
commit
 
vyos2)
set interfaces tunnel tun0 address 10.0.0.2/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 192.168.254.72
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 333
 
vyOS2 is configured for the Spoke role; the map/register entries point at vyOS1's WAN_IP/Tun0_IP.
set protocols nhrp tunnel tun0 cisco-authentication qwe123
set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 192.168.254.71
set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'
commit
 
vyos3)
set interfaces tunnel tun0 address 10.0.0.3/24
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 192.168.254.73
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 333
 
set protocols nhrp tunnel tun0 cisco-authentication qwe123
set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 192.168.254.71
set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'
commit
 
Tunnel check)
From vyOS1, ping between the tun0 interfaces succeeds.

 
NHRP check)
show nhrp tunnel
show nhrp interface
On vyOS1 (Hub), the tun0 IP and WAN IP of vyOS2/vyOS3 are shown, as below.

 
vyOS2 (Spoke1) knows vyOS1 (Hub) through its registration setting, but does not yet know vyOS3 (Spoke2).

 
 
3.4 Site-to-Site IPSec configuration
For the Site-to-Site IPSec settings, refer to section 2 above.
 
vyos1)
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-HUB proposal 1
set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HUB proposal 1 hash sha1
set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes128
set vpn ipsec ike-group IKE-HUB proposal 2 hash sha1
set vpn ipsec ike-group IKE-HUB lifetime 3600
set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256
set vpn ipsec esp-group ESP-HUB proposal 1 hash sha1
set vpn ipsec esp-group ESP-HUB proposal 2 encryption 3des
set vpn ipsec esp-group ESP-HUB proposal 2 hash md5
set vpn ipsec esp-group ESP-HUB lifetime 1800
set vpn ipsec esp-group ESP-HUB pfs dh-group2
 
set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret qwe12345
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-HUB
set vpn ipsec profile NHRPVPN ike-group IKE-HUB
commit
 
vyos2)
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-SPOKE proposal 1
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
set vpn ipsec ike-group IKE-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
set vpn ipsec esp-group ESP-SPOKE lifetime 1800
set vpn ipsec esp-group ESP-SPOKE pfs dh-group2
 
set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret qwe12345
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE
commit
 
vyos3)
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-SPOKE proposal 1
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
set vpn ipsec ike-group IKE-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
set vpn ipsec esp-group ESP-SPOKE lifetime 1800
set vpn ipsec esp-group ESP-SPOKE pfs dh-group2
 
set vpn ipsec profile NHRPVPN
set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret qwe12345
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE
commit
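Sections 3.2 to 3.4 are one procedure repeated on three routers. As an added example (not the post's own script and not vyOS tooling), the Python below generates the tun0, NHRP and IPsec-profile lines for the hub and each spoke from a node list, which makes visible what is per-node (tunnel address, local-ip, role) and what must be identical everywhere (GRE key, NHRP authentication string, hub map, profile name). It also compares how many peer definitions a full-mesh site-to-site design needs against DMVPN, and checks that every tun0 address falls inside the subnet the spokes' `map` entry covers. The topology is the one above; the secrets are placeholders, and the single AES-256/SHA-256 proposal is this example's choice rather than the post's proposal list.

```python
import ipaddress

# Constructed topology for the DMVPN lab (addresses as in the post); secrets are placeholders.
HUB = {"name": "vyOS1", "wan": "192.168.254.71", "tun": "10.0.0.1"}
SPOKES = [
    {"name": "vyOS2", "wan": "192.168.254.72", "tun": "10.0.0.2"},
    {"name": "vyOS3", "wan": "192.168.254.73", "tun": "10.0.0.3"},
]
TUN_PREFIX = 24
GRE_KEY = 333
NHRP_AUTH = "NHRP-AUTH-PLACEHOLDER"
IPSEC_PSK = "IPSEC-PSK-PLACEHOLDER"


def tunnel_lines(node):
    """mGRE tun0: only the tunnel address and local-ip differ per node; key and multicast are shared."""
    return [
        f"set interfaces tunnel tun0 address {node['tun']}/{TUN_PREFIX}",
        "set interfaces tunnel tun0 encapsulation gre",
        f"set interfaces tunnel tun0 local-ip {node['wan']}",
        "set interfaces tunnel tun0 multicast enable",
        f"set interfaces tunnel tun0 parameters ip key {GRE_KEY}",
    ]


def nhrp_lines(node, hub):
    """Hub: accept dynamic registrations. Spoke: map the hub's tunnel prefix to its WAN (NBMA) address."""
    base = [f"set protocols nhrp tunnel tun0 cisco-authentication {NHRP_AUTH}"]
    if node is hub:
        return base + [
            "set protocols nhrp tunnel tun0 holding-time 300",
            "set protocols nhrp tunnel tun0 multicast dynamic",
            "set protocols nhrp tunnel tun0 redirect",
        ]
    hub_map = f"{hub['tun']}/{TUN_PREFIX}"
    return base + [
        f"set protocols nhrp tunnel tun0 map {hub_map} nbma-address {hub['wan']}",
        f"set protocols nhrp tunnel tun0 map {hub_map} register",
        "set protocols nhrp tunnel tun0 multicast nhs",
        "set protocols nhrp tunnel tun0 redirect",
        "set protocols nhrp tunnel tun0 shortcut",
    ]


def ipsec_profile_lines(role):
    """One IPsec profile bound to tun0 protects every GRE peer, so no per-peer block is needed."""
    ike, esp = f"IKE-{role}", f"ESP-{role}"
    return [
        "set vpn ipsec ipsec-interfaces interface eth0",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption aes256",
        f"set vpn ipsec ike-group {ike} proposal 1 hash sha256",
        f"set vpn ipsec ike-group {ike} lifetime 3600",
        f"set vpn ipsec esp-group {esp} proposal 1 encryption aes256",
        f"set vpn ipsec esp-group {esp} proposal 1 hash sha256",
        f"set vpn ipsec esp-group {esp} lifetime 1800",
        f"set vpn ipsec esp-group {esp} pfs enable",
        "set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret",
        f"set vpn ipsec profile NHRPVPN authentication pre-shared-secret {IPSEC_PSK}",
        "set vpn ipsec profile NHRPVPN bind tunnel tun0",
        f"set vpn ipsec profile NHRPVPN esp-group {esp}",
        f"set vpn ipsec profile NHRPVPN ike-group {ike}",
    ]


def node_config(node, hub):
    role = "HUB" if node is hub else "SPOKE"
    return tunnel_lines(node) + nhrp_lines(node, hub) + ipsec_profile_lines(role) + ["commit"]


def peer_blocks_site_to_site(n_sites):
    """Full-mesh site-to-site: every router carries a peer block for every other router."""
    return n_sites * (n_sites - 1)


def peer_blocks_dmvpn(n_sites):
    """DMVPN: each spoke maps only the hub; spoke-to-spoke peers are learned through NHRP."""
    return n_sites - 1


def tunnel_subnet_findings(hub, spokes):
    """All tun0 addresses must be unique and inside the one subnet the spokes' map entry covers."""
    net = ipaddress.ip_network(f"{hub['tun']}/{TUN_PREFIX}", strict=False)
    out, seen = [], set()
    for n in [hub] + spokes:
        if ipaddress.ip_address(n["tun"]) not in net:
            out.append(f"{n['name']}: tun0 {n['tun']} is outside {net}")
        if n["tun"] in seen:
            out.append(f"{n['name']}: tun0 {n['tun']} is duplicated")
        seen.add(n["tun"])
    return out


if __name__ == "__main__":
    for node in [HUB] + SPOKES:
        print(f"\n# {node['name']}\n" + "\n".join(node_config(node, HUB)))
    print(peer_blocks_site_to_site(10), "site-to-site peer blocks vs", peer_blocks_dmvpn(10), "for DMVPN")
```

Note that the GRE key and the NHRP `cisco-authentication` string are identifiers carried in clear, not cryptographic protection; confidentiality and peer authentication for the whole overlay come only from the IPsec profile bound to tun0, which is why that binding is part of every node's config.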
 
 
VPN status check)
On vyOS1 (Hub), both vyOS2/3 (Spoke1/2) can be seen.
The 0.0.0.0 entry at the bottom is pre-configured and can be understood as listening for any IP to connect.

 
On vyOS2 (Spoke1), the connection to vyOS1 (Hub) is also confirmed.
Between spokes, the connection only appears once actual VPN traffic flows: the peer IP is learned through NHRP, the VPN negotiates, and then the connection shows up.

3.5 (1) Static routing configuration
There is currently no routing information between the internal networks across the VPN, so configure static routes through the tun0 interface and then test communication between the PCs.
 
vyos1)
set protocols static route 172.16.20.0/24 next-hop 10.0.0.2
set protocols static route 172.16.30.0/24 next-hop 10.0.0.3
commit
 
vyos2)
set protocols static route 172.16.10.0/24 next-hop 10.0.0.1
set protocols static route 172.16.30.0/24 next-hop 10.0.0.3
commit
 
vyos3)
set protocols static route 172.16.10.0/24 next-hop 10.0.0.1
set protocols static route 172.16.20.0/24 next-hop 10.0.0.2
commit
 
PC2) ping from PC2 to PC3 succeeds.
show ip route : confirms the static routes were added.
show nhrp tunnel : confirms vyOS3's tun0 and WAN IP were learned automatically.
show vpn ipsec sa : confirms IPSec negotiation with vyOS3.

 
 
3.5 (2) OSPF routing configuration
Instead of the static routes from (1), provide the routing information between the internal networks across the VPN with OSPF over the tun0 interface (deleting the static routes first), then test communication between the PCs.
 
vyOS1)
delete protocols static route 172.16.20.0/24
delete protocols static route 172.16.30.0/24
 
set protocols ospf area 0 network 10.0.0.0/24
set protocols ospf area 0 network 172.16.10.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 172.16.10.1
commit
 
vyOS2)
delete protocols static route 172.16.10.0/24
delete protocols static route 172.16.30.0/24
 
set protocols ospf area 0 network 10.0.0.0/24
set protocols ospf area 0 network 172.16.20.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 172.16.20.1
commit
 
vyOS3)
delete protocols static route 172.16.10.0/24
delete protocols static route 172.16.20.0/24
 
set protocols ospf area 0 network 10.0.0.0/24
set protocols ospf area 0 network 172.16.30.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 172.16.30.1
commit
 
Verification)
sh ip ospf neighbor
sh ip route
 
vyOS1)
This is the VPN Hub; the two Spokes are OSPF neighbors, and 172.16.20.0/24 and 172.16.30.0/24 are learned via OSPF.

 
vyOS2)
This is a VPN Spoke; only the Hub appears as an OSPF neighbor.
172.16.10.0/24 and 172.16.30.0/24 are learned from the Hub (vyOS1).
However, because the next-hop for 172.16.30.0/24 is 10.0.0.3 on tun0,
the actual (VPN-encrypted) data traffic does not transit the hub but goes directly to Spoke2 (vyOS3).

 
vyOS3)
Same explanation as for vyOS2.

 
# Reference links

