DMVPN OSPF VYOS

Material from xapmc.net
Task
Set up routing between branch offices over a secured channel using open source software.
Solution
We will use VyOS, DMVPN and OSPF.
Available equipment

No.  Vendor  Model
1.   Vyos    VyOS 1.1.6
2.   Vyos    VyOS 1.1.6
3.   Vyos    VyOS 1.1.6
Network diagram

[Figure: Vyos dmvpn ospf.png (network diagram)]

DMVPN configuration
HUB 1

Bring up interface tun1 with an address, set its encapsulation to GRE, set the external (local) address x.x.x.160, enable multicast, and set the tunnel key with key 1.

set interfaces tunnel tun1 address 172.17.1.1/24
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-ip x.x.x.160
set interfaces tunnel tun1 multicast enable
set interfaces tunnel tun1 parameters ip key 1

NHRP is bound to interface tun1, which is the common point through which the tunnels interact. We also set the NHRP authentication mode, using xapmcnet as the password.

set protocols nhrp tunnel tun1 cisco-authentication xapmcnet
set protocols nhrp tunnel tun1 holding-time  300
set protocols nhrp tunnel tun1 multicast dynamic
set protocols nhrp tunnel tun1 redirect

Here we configure the two IPsec phases: IKE and ESP.

set vpn ipsec ipsec-interfaces interface eth0 
set vpn ipsec ike-group ike_h1 proposal 1
set vpn ipsec ike-group ike_h1 proposal 1 encryption aes256
set vpn ipsec ike-group ike_h1 proposal 1 hash sha1 
set vpn ipsec ike-group ike_h1 proposal 2 encryption aes128 
set vpn ipsec ike-group ike_h1 proposal 2 hash sha1 
set vpn ipsec ike-group ike_h1 lifetime 3600
set vpn ipsec esp-group esp_h1 proposal 1 encryption aes256 
set vpn ipsec esp-group esp_h1 proposal 1 hash sha1 
set vpn ipsec esp-group esp_h1 proposal 2 encryption 3des 
set vpn ipsec esp-group esp_h1 proposal 2 hash md5 
set vpn ipsec esp-group esp_h1 lifetime 1800
set vpn ipsec esp-group esp_h1 pfs dh-group2

Create the IPsec profile and bind it to tunnel tun1. Set pre-shared-secret authentication with the password xapmcnet. Attach the two phases, esp_h1 and ike_h1, to the profile.

set vpn ipsec profile dmvpn
set vpn ipsec profile dmvpn authentication mode pre-shared-secret
set vpn ipsec profile dmvpn authentication pre-shared-secret xapmcnet
set vpn ipsec profile dmvpn bind tunnel tun1 
set vpn ipsec profile dmvpn esp-group esp_h1
set vpn ipsec profile dmvpn ike-group ike_h1
SPOKE 1
set interfaces tunnel tun1 address 172.17.1.2/24
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-ip x.x.x.161
set interfaces tunnel tun1 multicast enable
set interfaces tunnel tun1 parameters ip key 1

Specify the address of HUB 1, both its tunnel address 172.17.1.1/24 and its external (NBMA) address x.x.x.160.

set protocols nhrp tunnel tun1 cisco-authentication xapmcnet
set protocols nhrp tunnel tun1 map 172.17.1.1/24 nbma-address x.x.x.160
set protocols nhrp tunnel tun1 map 172.17.1.1/24 'register'
set protocols nhrp tunnel tun1 multicast 'nhs'
set protocols nhrp tunnel tun1 'redirect'
set protocols nhrp tunnel tun1 'shortcut'
set vpn ipsec ipsec-interfaces interface eth2
set vpn ipsec ike-group ike_s1 proposal 1
set vpn ipsec ike-group ike_s1 proposal 1 encryption aes256
set vpn ipsec ike-group ike_s1 proposal 1 hash sha1 
set vpn ipsec ike-group ike_s1 proposal 2 encryption aes128 
set vpn ipsec ike-group ike_s1 proposal 2 hash sha1 
set vpn ipsec ike-group ike_s1 lifetime 3600
set vpn ipsec esp-group esp_s1 proposal 1 encryption aes256 
set vpn ipsec esp-group esp_s1 proposal 1 hash sha1 
set vpn ipsec esp-group esp_s1 proposal 2 encryption 3des 
set vpn ipsec esp-group esp_s1 proposal 2 hash md5 
set vpn ipsec esp-group esp_s1 lifetime 1800
set vpn ipsec esp-group esp_s1 pfs dh-group2
set vpn ipsec profile dmvpn
set vpn ipsec profile dmvpn authentication mode pre-shared-secret
set vpn ipsec profile dmvpn authentication pre-shared-secret xapmcnet
set vpn ipsec profile dmvpn bind tunnel tun1 
set vpn ipsec profile dmvpn esp-group esp_s1 
set vpn ipsec profile dmvpn ike-group ike_s1
SPOKE 2
set interfaces tunnel tun1 address 172.17.1.3/24
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-ip x.x.x.162
set interfaces tunnel tun1 multicast enable
set interfaces tunnel tun1 parameters ip key 1

set protocols nhrp tunnel tun1 cisco-authentication xapmcnet
set protocols nhrp tunnel tun1 map 172.17.1.1/24 nbma-address x.x.x.160
set protocols nhrp tunnel tun1 map 172.17.1.1/24 'register'
set protocols nhrp tunnel tun1 multicast 'nhs'
set protocols nhrp tunnel tun1 'redirect'
set protocols nhrp tunnel tun1 'shortcut'

set vpn ipsec ipsec-interfaces interface eth2
set vpn ipsec ike-group ike_s2 proposal 1
set vpn ipsec ike-group ike_s2 proposal 1 encryption aes256
set vpn ipsec ike-group ike_s2 proposal 1 hash sha1 
set vpn ipsec ike-group ike_s2 proposal 2 encryption aes128 
set vpn ipsec ike-group ike_s2 proposal 2 hash sha1 
set vpn ipsec ike-group ike_s2 lifetime 3600
set vpn ipsec esp-group esp_s2 proposal 1 encryption aes256 
set vpn ipsec esp-group esp_s2 proposal 1 hash sha1 
set vpn ipsec esp-group esp_s2 proposal 2 encryption 3des 
set vpn ipsec esp-group esp_s2 proposal 2 hash md5 
set vpn ipsec esp-group esp_s2 lifetime 1800
set vpn ipsec esp-group esp_s2 pfs dh-group2
set vpn ipsec profile dmvpn
set vpn ipsec profile dmvpn authentication mode pre-shared-secret
set vpn ipsec profile dmvpn authentication pre-shared-secret xapmcnet
set vpn ipsec profile dmvpn bind tunnel tun1 
set vpn ipsec profile dmvpn esp-group esp_s2
set vpn ipsec profile dmvpn ike-group ike_s2
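Before committing a node it is worth checking what its groups actually offer: the proposals above still accept 3DES, MD5 and DH group 2 as a second choice, so a peer that negotiates them gets correspondingly weak protection, and one pre-shared secret in the profile is a credential every spoke holds. The following Python lint over VyOS `set` lines is an added example, not part of the article or of VyOS; its WEAK/LEGACY policy sets and the sample lines are constructed here, and it also catches a tunnel interface entered under the wrong interface type.

```python
# Added example: a lint pass over VyOS 'set' lines of a DMVPN node. It is not
# part of VyOS or the article; the WEAK/LEGACY policy sets are this example's own.
WEAK = {"des", "3des", "md5", "dh-group1", "dh-group2", "dh-group5"}
LEGACY = {"sha1"}

def parse_set_lines(text):
    """Turn VyOS 'set ...' lines into token lists; quotes and blank lines are dropped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            paths.append([tok.strip("'") for tok in line.split()[1:]])
    return paths

def lint_dmvpn_config(text):
    """Return a sorted list of findings for tunnel/IPsec 'set' commands."""
    findings = set()
    for p in parse_set_lines(text):
        # tunX interfaces live under 'interfaces tunnel', not 'interfaces ethernet'
        if p[:2] == ["interfaces", "ethernet"] and len(p) > 2 and p[2].startswith("tun"):
            findings.add(f"ERROR: 'interfaces ethernet {p[2]}' should be 'interfaces tunnel {p[2]}'")
        if p[:2] != ["vpn", "ipsec"] or len(p) < 5:
            continue
        group, name = p[2], p[3]
        if p[4] == "proposal" and len(p) == 8:
            # set vpn ipsec {ike,esp}-group NAME proposal N {encryption,hash} ALG
            loc = f"{group} {name} proposal {p[5]} {p[6]} {p[7]}"
            if p[7] in WEAK:
                findings.add("WEAK: " + loc)
            elif p[7] in LEGACY:
                findings.add("LEGACY: " + loc)
        elif p[4] == "pfs" and len(p) == 6 and p[5] in WEAK:
            # set vpn ipsec esp-group NAME pfs DH-GROUP
            findings.add(f"WEAK: {group} {name} pfs {p[5]}")
        elif group == "profile" and p[4:] == ["authentication", "mode", "pre-shared-secret"]:
            # one PSK in a DMVPN profile is shared by every spoke that registers
            findings.add(f"INFO: profile {name} uses one pre-shared secret for all spokes")
    return sorted(findings)

# Constructed sample: hub proposals from the article plus one mistyped interface line.
SAMPLE = """
set vpn ipsec ike-group ike_h1 proposal 1 encryption aes256
set vpn ipsec ike-group ike_h1 proposal 1 hash sha1
set vpn ipsec esp-group esp_h1 proposal 2 encryption 3des
set vpn ipsec esp-group esp_h1 proposal 2 hash md5
set vpn ipsec esp-group esp_h1 pfs dh-group2
set vpn ipsec profile dmvpn authentication mode pre-shared-secret
set interfaces ethernet tun1 ip ospf priority '0'
"""
```

Run `lint_dmvpn_config` over the full hub and spoke configurations before `commit`; an empty result means no flagged algorithm and no mistyped interface line.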
OSPF configuration
HUB 1

Set the OSPF priority on the tunnel so that HUB 1 is always the DR, and add the networks to routing.

set interfaces tunnel tun1 ip ospf priority '255'
set protocols ospf area 0 network '172.17.1.0/24'
set protocols ospf area 0 network '10.10.1.0/24'
SPOKE 1

Set priority 0 so that SPOKE 1 and SPOKE 2 never take part in the DR election.

set interfaces tunnel tun1 ip ospf priority '0'
set protocols ospf area 0 network '172.17.1.0/24'
set protocols ospf area 0 network '10.10.10.0/24'
SPOKE 2
set interfaces tunnel tun1 ip ospf priority '0'
set protocols ospf area 0 network '172.17.1.0/24'
set protocols ospf area 0 network '10.10.3.0/24'
Verification
HUB 1
OSPF

run show ip ospf neighbor

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
x.x.x.161   0 Full/DROther      38.779s 172.17.1.2      tun1:172.17.1.1          0     0     0
x.x.x.162   0 Full/DROther      36.687s 172.17.1.3      tun1:172.17.1.1          0     0     0
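A hub-side check of this table, as an added Python example that is not from the article: it parses the neighbor rows, verifies that each expected spoke is Full and stays DROther with priority 0 (so the hub keeps the DR role), and reports any neighbor on tun1 that is not an expected spoke. The expected spoke list and the sample output are constructed from the table above.

```python
# Added example, not from the article: check a DMVPN hub's OSPF neighbor table.
# Spokes are expected to be Full, priority 0 and DROther so the hub stays DR;
# any neighbor on the tunnel that is not an expected spoke is reported.

# Constructed copy of the hub's 'run show ip ospf neighbor' output shown above.
NEIGHBOR_OUTPUT = """\
    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
x.x.x.161   0 Full/DROther      38.779s 172.17.1.2      tun1:172.17.1.1          0     0     0
x.x.x.162   0 Full/DROther      36.687s 172.17.1.3      tun1:172.17.1.1          0     0     0
"""
EXPECTED_SPOKES = ["172.17.1.2", "172.17.1.3"]  # tunnel addresses of SPOKE 1 and SPOKE 2

def parse_ospf_neighbors(output):
    """Parse neighbor rows into dicts; the header line and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Neighbor":
            continue
        state, _, role = parts[2].partition("/")   # e.g. "Full/DROther"
        rows.append({"id": parts[0], "pri": int(parts[1]), "state": state, "role": role,
                     "address": parts[4], "iface": parts[5].split(":")[0]})
    return rows

def check_hub_neighbors(output, expected_spokes, iface="tun1"):
    """Return a list of problems; an empty list means the hub-and-spoke state is as intended."""
    problems = []
    seen = {n["address"]: n for n in parse_ospf_neighbors(output) if n["iface"] == iface}
    for addr in expected_spokes:
        n = seen.get(addr)
        if n is None:
            problems.append(f"{addr}: no OSPF neighbor on {iface}")
            continue
        if n["state"] != "Full":
            problems.append(f"{addr}: state {n['state']}, expected Full")
        if n["pri"] != 0 or n["role"] != "DROther":
            problems.append(f"{addr}: pri {n['pri']} role {n['role']}, spokes must be pri 0 DROther")
    # a neighbor that is not a known spoke deserves a look before it stays in the area
    for addr in sorted(set(seen) - set(expected_spokes)):
        problems.append(f"{addr}: unexpected neighbor (router-id {seen[addr]['id']}) on {iface}")
    return problems
```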
NHRP

run show nhrp tunnel

Status: ok

Interface: tun1
Type: local
Protocol-Address: 172.17.1.255/32
Alias-Address: 172.17.1.1
Flags: up

Interface: tun1
Type: local
Protocol-Address: 172.17.1.1/32
Flags: up

Interface: tun1
Type: dynamic
Protocol-Address: 172.17.1.2/32
NBMA-Address: x.x.x.161
Flags: up
Expires-In: 117:22

Interface: tun1
Type: dynamic
Protocol-Address: 172.17.1.3/32
NBMA-Address: x.x.x.162
Flags: up
Expires-In: 107:49
OSPF routes

run show ip route ospf

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

O   10.10.1.0/24 [110/10] is directly connected, eth1, 11:51:55
O>* 10.10.3.0/24 [110/20] via 172.17.1.3, tun1, 11:02:55
O>* 10.10.10.0/24 [110/20] via 172.17.1.2, tun1, 11:01:01
O   172.17.1.0/24 [110/10] is directly connected, tun1, 11:02:55
ICMP

run ping 10.10.10.1

PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_req=1 ttl=64 time=0.463 ms
64 bytes from 10.10.10.1: icmp_req=2 ttl=64 time=0.511 ms
^C
--- 10.10.10.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.463/0.487/0.511/0.024 ms

run ping 10.10.3.1

PING 10.10.3.1 (10.10.3.1) 56(84) bytes of data.
64 bytes from 10.10.3.1: icmp_req=1 ttl=64 time=0.459 ms
64 bytes from 10.10.3.1: icmp_req=2 ttl=64 time=0.488 ms
^C
--- 10.10.3.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.459/0.473/0.488/0.026 ms
All networks are reachable, and traffic can pass over the secured IPsec channel.