vyatta で Amazon VPC に接続
最近、Amazon VPC がどんどん機能強化されて目を見張るばかりです。
Vyatta を VPC の Customer Gateway として使えるかどうかテストした結果をまとめておきます。
試したこと
結果
- vyatta では IPsec仮想インタフェース が使えない
- とりあえず ポリシベースの IPsec設定をしておき、iproute2 (または setkey)にて ポリシを書きかえることで通信はできた
- この方法だと、折角BGPで経路交換しているのに 各Subnet をvyattaに設定しなければならないのが難点。
Amazon VPC は IP-IPトンネルにも対応してくれると良いのに..と思いました。
ネットワーク構成
10.255.254.0/23 = VPC側の CIDR
10.255.252.0/23 = 顧客側の LANセグメント
169.254.255.0/30 = IPsec tunnel #1
.1 = VPN Gateway
.2 = Customer Gateway
169.254.255.4/30 = IPsec tunnel #2
.5 = VPN Gateway
.6 = Customer Gateway
1.2.3.4 = Customer Gateway
72.21.209.225 = VPN Gateway #1
72.21.209.193 = VPN Gateway #2
EC2
| 10.255.254.0/24
--------+----+----+---------------- (VPC Subnet)
:
| |
VPN-GW1 VPN-GW2
.225| |.193
| | 72.21.209.x/x
--------+--+------+---------------- (VPC Gateway)
|
: (The Internet)
|
Vyatta 1.2.3.4/32
| 10.255.252.0/24
-----------+----+------------------ (顧客側 LAN)
|
PC
コンフィグ (Vyatta Core 6.2)
/* Physical and virtual interfaces. pppoe0 on eth0 is the WAN uplink and the
   IPsec endpoint (see vpn ipsec ipsec-interfaces); eth1 is the customer LAN. */
interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 00:90:fb:0f:8a:c1
        /* PPPoE credentials are blank in this listing (redacted). */
        pppoe 0 {
            default-route auto
            mtu 1492
            name-server auto
            password
            user-id
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        /* Customer-side LAN (10.255.252.0/24); this is the local-subnet used by
           tunnel 1 of each site-to-site peer below. */
        address 10.255.252.1/24
        duplex auto
        hw-id 00:90:fb:0f:8a:c0
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        hw-id 00:90:fb:0f:8a:bf
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        hw-id 00:90:fb:0f:8a:be
        smp_affinity auto
        speed auto
    }
    loopback lo {
        /* Inside addresses of the two tunnels (169.254.255.0/30 and .4/30).
           Vyatta has no IPsec virtual interface, so the addresses live on lo and
           the BGP neighbors .1 and .5 are reached through the site-to-site
           tunnels whose local-subnet is these /32s. */
        address 169.254.255.2/32
        address 169.254.255.6/32
    }
}
/* eBGP to the two AWS VPN gateways (remote AS 7224) over the tunnel inside
   addresses. Only a default route is advertised (network 0.0.0.0/0 plus
   default-originate).
   NOTE(review): no inbound route filter is configured on either neighbor;
   a prefix-list accepting only the VPC CIDR would limit what a peer can
   inject into the local routing table - confirm whether one is applied
   elsewhere. */
protocols {
    bgp 65000 {
        neighbor 169.254.255.1 {
            default-originate {
            }
            description vpn-4e06e227-0
            remote-as 7224
            /* Keep a copy of received routes so policy changes do not need a
               session reset. */
            soft-reconfiguration {
                inbound
            }
            /* holdtime 30: the session is declared down 30 s after the last
               keepalive. NOTE(review): the configured keepalive equals the
               holdtime; the daemon may negotiate a shorter one - confirm. */
            timers {
                connect 10
                holdtime 30
                keepalive 30
            }
        }
        neighbor 169.254.255.5 {
            default-originate {
            }
            description vpn-4e06e227-1
            remote-as 7224
            soft-reconfiguration {
                inbound
            }
            /* Same timers as the first neighbor. */
            timers {
                connect 10
                holdtime 30
                keepalive 30
            }
        }
        /* The default route is what this gateway advertises to the VPC. */
        network 0.0.0.0/0 {
        }
    }
    static {
    }
}
service {
    /* Management access: SSH protocol 2 only, on the standard port.
       NOTE(review): no listen-address and no firewall appear in this listing,
       so SSH is presumably reachable on the PPPoE (WAN) side as well - confirm
       that it is filtered, or bind it to the LAN address. */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    /* Keep the last 20 committed configurations for rollback. */
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyatta
    login {
        user vyatta {
            authentication {
                /* Password hash is blank in this listing (redacted). */
                encrypted-password
            }
            level admin
        }
    }
    ntp {
        server 0.vyatta.pool.ntp.org {
        }
        server 1.vyatta.pool.ntp.org {
        }
        server 2.vyatta.pool.ntp.org {
        }
    }
    package {
        /* NOTE(review): auto-sync pulls from a plain-http repository, so the
           integrity of installed packages rests entirely on release-file
           signature verification - confirm it is enforced before relying on
           this in production. */
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Routing-protocol daemons log at debug; everything else stays at
               notice. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone Asia/Tokyo
}
/* Site-to-site IPsec to the two AWS VPN gateways. The esp-group / ike-group
   names carry the connection id vpn-4e06e227.
   NOTE(review): the proposals use aes128/sha1 with DH group 2 (1024-bit MODP),
   which is below current recommendations; prefer a larger DH group (e.g. 14)
   if the peer offers it. */
vpn {
    ipsec {
        /* ESP (child SA) parameters for tunnel #1: 1 h lifetime, PFS on. */
        esp-group ipsec-prop-vpn-4e06e227-0 {
            compression disable
            lifetime 3600
            mode tunnel
            /* PFS: a fresh DH exchange on every ESP rekey. */
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        /* ESP parameters for tunnel #2 (identical to tunnel #1). */
        esp-group ipsec-prop-vpn-4e06e227-1 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        /* IKE parameters for peer 72.21.209.193 (tunnel #2): 8 h lifetime,
           DPD every 15 s with a 30 s timeout; "hold" keeps the policy in place
           and renegotiates when traffic appears. */
        ike-group isakmp-vpn-4e06e227-1 {
            dead-peer-detection {
                action hold
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        /* IKE parameters for peer 72.21.209.225 (tunnel #1); same values,
           different (generator-supplied) name. */
        ike-group keyring-vpn-4e06e227-0 {
            dead-peer-detection {
                action hold
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            /* IKE and ESP terminate on the PPPoE WAN interface. */
            interface pppoe0
        }
        /* tunnel 1 of BOTH peers carries the identical LAN<->VPC selector
           (10.255.252.0/24 <-> 10.255.254.0/23); the xfrm.sh script run after
           commit pins those kernel policies to the first gateway. */
        site-to-site {
            peer 72.21.209.193 {
                authentication {
                    mode pre-shared-secret
                    /* Secret is blank in this listing (redacted). */
                    pre-shared-secret
                }
                ike-group isakmp-vpn-4e06e227-1
                local-ip 1.2.3.4
                /* tunnel 0: the inside /30 that carries the BGP session. */
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ipsec-prop-vpn-4e06e227-1
                    local-subnet 169.254.255.6/32
                    remote-subnet 169.254.255.4/30
                }
                /* tunnel 1: customer LAN <-> VPC. */
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ipsec-prop-vpn-4e06e227-1
                    local-subnet 10.255.252.0/24
                    remote-subnet 10.255.254.0/23
                }
            }
            peer 72.21.209.225 {
                authentication {
                    mode pre-shared-secret
                    /* Secret is blank in this listing (redacted). */
                    pre-shared-secret
                }
                ike-group keyring-vpn-4e06e227-0
                local-ip 1.2.3.4
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ipsec-prop-vpn-4e06e227-0
                    local-subnet 169.254.255.2/32
                    /* NOTE(review): written as a host address with /30 (.1/30)
                       where the other peer uses the network address (.4/30);
                       Vyatta may normalize it to 169.254.255.0/30 - confirm. */
                    remote-subnet 169.254.255.1/30
                }
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ipsec-prop-vpn-4e06e227-0
                    local-subnet 10.255.252.0/24
                    remote-subnet 10.255.254.0/23
                }
            }
        }
    }
}
xfrm.sh (コンフィグ設定後に実行)
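#!/bin/sh
# xfrm.sh - rewrite the kernel IPsec SPD for the two Amazon VPC tunnels.
# Run after the Vyatta configuration has been committed.
#
# Three traffic pairs get an inbound ("in") and a forward ("fwd") policy:
#   169.254.255.0/30 -> 169.254.255.2/32   via VPN gateway #1 (tunnel #1 BGP /30)
#   169.254.255.4/30 -> 169.254.255.6/32   via VPN gateway #2 (tunnel #2 BGP /30)
#   VPC CIDR         -> customer LAN /24   via VPN gateway #1 only
# "level required" means a packet matching the selector is accepted only if it
# arrived through the named ESP tunnel-mode SA; a clear-text match is dropped.
# "policy update" creates the entry or replaces the one with the same selector,
# so this overrides what the IKE daemon installed. Outbound ("out") policies
# are not touched here.
#
# NOTE(review): the IKE daemon may reinstall its own policies on rekey or on
# the next commit, which would undo this - re-run the script then (confirm).
# NOTE(review): the network table on the page lists the customer LAN as
# 10.255.252.0/23 while this script and the Vyatta config use /24 - confirm.
#
# Every address can be overridden from the environment, e.g.
#   MY_WAN_IP=198.51.100.7 ./xfrm.sh      (constructed example value)
# Needs CAP_NET_ADMIN (root).

# Stop on the first failing ip(8) call and on any unset variable: a half-applied
# SPD would silently leave one tunnel on the wrong policy.
set -eu

BGP_LOCAL_IP_1=${BGP_LOCAL_IP_1:-169.254.255.2}               # our end of tunnel #1
BGP_LOCAL_IP_2=${BGP_LOCAL_IP_2:-169.254.255.6}               # our end of tunnel #2
BGP_LOCAL_IP_SUBNET_1=${BGP_LOCAL_IP_SUBNET_1:-169.254.255.0} # tunnel #1 /30
BGP_LOCAL_IP_SUBNET_2=${BGP_LOCAL_IP_SUBNET_2:-169.254.255.4} # tunnel #2 /30
VPN_1_IP=${VPN_1_IP:-72.21.209.225}                           # AWS VPN gateway #1 (public)
VPN_2_IP=${VPN_2_IP:-72.21.209.193}                           # AWS VPN gateway #2 (public)
MY_WAN_IP=${MY_WAN_IP:-1.2.3.4}                               # customer gateway public IP
VPC_CIDR=${VPC_CIDR:-10.255.254.0/23}                         # VPC side
MY_LOCAL_SUBNET_IP=${MY_LOCAL_SUBNET_IP:-10.255.252.0}        # customer LAN (/24)

# set_policy DIR SRC DST VPN_GW
#   One SPD entry: DIR traffic from SRC to DST must come through an ESP
#   tunnel-mode SA from VPN_GW to $MY_WAN_IP.
set_policy() {
    ip xfrm policy update dir "$1" src "$2" dst "$3" \
        tmpl src "$4" dst "$MY_WAN_IP" proto esp level required mode tunnel
}

# require_esp SRC DST VPN_GW
#   Install the forward and inbound policies for one traffic pair, in the same
#   order (fwd, then in) the original commands used.
require_esp() {
    set_policy fwd "$1" "$2" "$3"
    set_policy in  "$1" "$2" "$3"
}

# Inside /30s that carry the BGP sessions, one per tunnel.
require_esp "$BGP_LOCAL_IP_SUBNET_1/30" "$BGP_LOCAL_IP_1/32" "$VPN_1_IP"
require_esp "$BGP_LOCAL_IP_SUBNET_2/30" "$BGP_LOCAL_IP_2/32" "$VPN_2_IP"

# VPC -> customer LAN is pinned to VPN gateway #1: tunnel 1 of both peers in
# the Vyatta config carries this same selector, so otherwise the last-installed
# policy would presumably win.
require_esp "$VPC_CIDR" "$MY_LOCAL_SUBNET_IP/24" "$VPN_1_IP"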