
NETWORK ENGINEER BLOG

Tips and Reviews for Engineers

BGP Configuration Example

Overview

This post is a configuration example for redundancy using BGP.
Operation was verified by pinging between the Loopback interfaces of R5 and R6.

Test Environment

  • CSR1000V built on VMware Workstation
  • IOS 15.4(1)S2

(figure: test environment)

Traffic Flow

Normal Case

(figure: traffic flow in the normal case)

Failure Case 1

(figure: traffic flow in failure case 1)

Failure Case 2

(figure: traffic flow in failure case 2)

Failure Case 3

(figure: traffic flow in failure case 3)

Configuration Examples

R1

hostname R1
!
interface GigabitEthernet1
 ip address 10.1.13.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 10.1.12.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 ip address 172.16.15.1 255.255.255.0
 negotiation auto
!
router ospf 1
 redistribute bgp 65001 metric 100 metric-type 1 subnets
 network 172.16.15.0 0.0.0.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.1.12.2 remote-as 65001
 neighbor 10.1.13.3 remote-as 65002
 !
 address-family ipv4
  bgp redistribute-internal
  network 192.168.5.0
  neighbor 10.1.12.2 activate
  neighbor 10.1.12.2 next-hop-self
  neighbor 10.1.13.3 activate
  neighbor 10.1.13.3 route-map LP in
  neighbor 10.1.13.3 route-map MED out
  neighbor 10.1.13.3 filter-list 1 out
 exit-address-family
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^65002_
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
route-map LP permit 10
 match as-path 2
 set local-preference 200
!
route-map MED permit 10
 match ip address 1
 set metric 110
!

R2

hostname R2
!
interface GigabitEthernet1
 ip address 10.1.24.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 10.1.12.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 ip address 172.16.25.2 255.255.255.0
 negotiation auto
!
router ospf 1
 network 172.16.25.0 0.0.0.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.1.12.1 remote-as 65001
 neighbor 10.1.24.4 remote-as 65002
 !
 address-family ipv4
  network 192.168.5.0
  neighbor 10.1.12.1 activate
  neighbor 10.1.12.1 next-hop-self
  neighbor 10.1.24.4 activate
  neighbor 10.1.24.4 route-map LP in
  neighbor 10.1.24.4 route-map MED out
  neighbor 10.1.24.4 filter-list 1 out
  distance bgp 20 100 200
 exit-address-family
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^65002_
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
route-map LP permit 10
 match as-path 2
 set local-preference 150
!
route-map MED permit 10
 match ip address 1
 set metric 120
!

R3

hostname R3
!
interface GigabitEthernet1
 ip address 10.1.13.3 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 10.1.34.3 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 ip address 172.16.36.3 255.255.255.0
 negotiation auto
!
router ospf 1
 redistribute bgp 65002 metric 100 metric-type 1 subnets
 network 172.16.36.0 0.0.0.255 area 0
!
router bgp 65002
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.1.13.1 remote-as 65001
 neighbor 10.1.34.4 remote-as 65002
 !
 address-family ipv4
  bgp redistribute-internal
  network 192.168.6.0
  neighbor 10.1.13.1 activate
  neighbor 10.1.13.1 route-map LP in
  neighbor 10.1.13.1 route-map MED out
  neighbor 10.1.13.1 filter-list 1 out
  neighbor 10.1.34.4 activate
  neighbor 10.1.34.4 next-hop-self
 exit-address-family
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^65001_
!
access-list 1 permit 192.168.6.0 0.0.0.255
!
route-map LP permit 10
 match as-path 2
 set local-preference 200
!
route-map MED permit 10
 match ip address 1
 set metric 110
!

R4

hostname R4
!
interface GigabitEthernet1
 ip address 10.1.24.4 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 10.1.34.4 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 ip address 172.16.46.4 255.255.255.0
 negotiation auto
!
router ospf 1
 network 172.16.46.0 0.0.0.255 area 0
!
router bgp 65002
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 10.1.24.2 remote-as 65001
 neighbor 10.1.34.3 remote-as 65002
 !
 address-family ipv4
  network 192.168.6.0
  neighbor 10.1.24.2 activate
  neighbor 10.1.24.2 route-map LP in
  neighbor 10.1.24.2 route-map MED out
  neighbor 10.1.24.2 filter-list 1 out
  neighbor 10.1.34.3 activate
  neighbor 10.1.34.3 next-hop-self
  distance bgp 20 100 200
 exit-address-family
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^65001_
!
access-list 1 permit 192.168.6.0 0.0.0.255
!
route-map LP permit 10
 match as-path 2
 set local-preference 150
!
route-map MED permit 10
 match ip address 1
 set metric 120
!

R5

hostname R5
!
interface Loopback1
 ip address 192.168.5.5 255.255.255.0
 ip ospf network point-to-point
!
interface GigabitEthernet1
 ip address 172.16.15.5 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 172.16.25.5 255.255.255.0
 negotiation auto
!
router ospf 1
 network 172.16.15.0 0.0.0.255 area 0
 network 172.16.25.0 0.0.0.255 area 0
 network 192.168.5.0 0.0.0.255 area 0
!
ip route 192.168.6.0 255.255.255.0 172.16.25.2 200
!

R6

hostname R6
!
interface Loopback1
 ip address 192.168.6.6 255.255.255.0
 ip ospf network point-to-point
!
interface GigabitEthernet1
 ip address 172.16.36.6 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 172.16.46.6 255.255.255.0
 negotiation auto
!
router ospf 1
 network 172.16.36.0 0.0.0.255 area 0
 network 172.16.46.0 0.0.0.255 area 0
 network 192.168.6.0 0.0.0.255 area 0
!
ip route 192.168.5.0 255.255.255.0 172.16.46.4 200
!

Configuration Notes

R1(R3)

  • Redistribute iBGP routes into OSPF
 address-family ipv4
  bgp redistribute-internal

R2(R4)

  • Change the AD of iBGP from the default 200 to 100*1
 address-family ipv4
  distance bgp 20 100 200

Common to all routers

  • Do not advertise routes learned from other ASes.
 address-family ipv4
  neighbor 10.1.13.3 filter-list 1 out
!
ip as-path access-list 1 permit ^$
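The three notes above (and footnote *1) can be checked against a small model of the route selection. The following Python is an added example, not code from the post: it applies the post's `ip as-path access-list` patterns with IOS `_` delimiter semantics, runs a Cisco best-path comparison reduced to the attributes the post's route-maps set (weight, LocPrf, AS-path length, MED, eBGP over iBGP), and then applies administrative distance the way the RIB does, which shows why R2 needs `distance bgp 20 100 200` to keep the iBGP path ahead of the OSPF E1 route that R1 redistributes. The `BgpPath` objects in `R2_TABLE` and the OSPF metric 102 are constructed for the example; the attribute values come from the post's configurations and `show ip bgp` output.

```python
import re
from dataclasses import dataclass


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    as_path: tuple           # () for a locally originated prefix
    local_pref: int = 100
    med: int = 0
    weight: int = 0
    source: str = "ebgp"     # "ebgp", "ibgp" or "local"


def ios_aspath_regex(pattern):
    """IOS as-path regex to Python: '_' matches a delimiter (start/end, space, comma, braces, parens)."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def aspath_permitted(pattern, as_path):
    """Apply a one-line 'ip as-path access-list N permit <pattern>' to an AS path tuple."""
    return ios_aspath_regex(pattern).search(" ".join(map(str, as_path))) is not None


def advertised(table, pattern="^$"):
    """Paths that pass 'neighbor X filter-list N out' when list N is 'permit <pattern>'."""
    return [p for p in table if aspath_permitted(pattern, p.as_path)]


def bgp_best_path(paths):
    """Cisco best-path order reduced to the attributes the post uses: highest weight,
    highest local preference, locally originated, shortest AS path, lowest MED, eBGP over iBGP."""
    return max(paths, key=lambda p: (p.weight, p.local_pref, p.source == "local",
                                     -len(p.as_path), -p.med, p.source != "ibgp"))


def rib_winner(candidates, distance_bgp=(20, 200, 200)):
    """candidates: (protocol, metric) pairs. Lowest administrative distance wins, then metric.
    distance_bgp mirrors 'distance bgp <external> <internal> <local>' (IOS default 20 200 200)."""
    external, internal, local = distance_bgp
    ad = {"connected": 0, "static": 1, "ebgp": external, "ospf": 110, "ibgp": internal, "local": local}
    return min(candidates, key=lambda c: (ad[c[0]], c[1]))


# Constructed scenario: R2's BGP table in the post's normal case
R2_TABLE = [
    BgpPath("192.168.5.0/24", "10.1.12.1", (), local_pref=100, med=2, source="ibgp"),
    # eBGP from R4: LocPrf 150 set by R2's route-map LP, MED 120 set by R4's route-map MED
    BgpPath("192.168.6.0/24", "10.1.24.4", (65002,), local_pref=150, med=120, source="ebgp"),
    # iBGP from R1: LocPrf 200 set by R1's route-map LP, MED 110 set by R3's route-map MED
    BgpPath("192.168.6.0/24", "10.1.12.1", (65002,), local_pref=200, med=110, source="ibgp"),
]


def r2_best_next_hop(table=R2_TABLE, prefix="192.168.6.0/24"):
    return bgp_best_path([p for p in table if p.prefix == prefix]).next_hop


def r2_rib_protocol(distance_bgp):
    # R1 redistributes its BGP routes into OSPF as E1 with metric 100; the total of 102 is constructed
    return rib_winner([("ibgp", 110), ("ospf", 102)], distance_bgp)[0]


if __name__ == "__main__":
    print("R2 best next hop:", r2_best_next_hop())                              # 10.1.12.1 (LocPrf 200)
    print("R2 best after R1-R3 link failure:", r2_best_next_hop(R2_TABLE[:2]))  # 10.1.24.4 (failure case 1)
    print("R2 RIB with default distances:", r2_rib_protocol((20, 200, 200)))    # ospf
    print("R2 RIB with 'distance bgp 20 100 200':", r2_rib_protocol((20, 100, 200)))  # ibgp
    print("passes filter-list 1 (^$):", [p.prefix for p in advertised(R2_TABLE)])  # local prefix only
```

With the IOS default distances the OSPF E1 route (AD 110) would beat the iBGP path (AD 200) on R2 and traffic for 192.168.6.0/24 would be sent back through R5 to R1; lowering the internal distance to 100 keeps the BGP decision in force. The `^$` filter only passes paths with an empty AS path, so each router advertises only prefixes its own AS originates and never becomes transit for the other AS.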

Verification

Normal Case

R1 (R3) advertises routes to its peer

R1#show ip bgp neighbors 10.1.13.3 advertised-routes
BGP table version is 4, local router ID is 192.168.1.221
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.5.0      172.16.15.5              2         32768 i

Total number of prefixes 1

R1 (R3) receives routes from its peer

R1#show ip bgp neighbors 10.1.13.3 routes
BGP table version is 4, local router ID is 192.168.1.221
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.6.0      10.1.13.3              110    200      0 65002 i

Total number of prefixes 1

R1 (R3) uses the OSPF route for the network inside its own LAN

R1#show ip route 192.168.5.0 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

O     192.168.5.0/24 [110/2] via 172.16.15.5, 06:44:10, GigabitEthernet3

R1 (R3) uses the BGP route for the remote network

R1#show ip route 192.168.6.0 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

B     192.168.6.0/24 [20/110] via 10.1.13.3, 00:29:35

R2 (R4) uses the route via R1 (R3) for the remote network (preferred because of LocPrf)

R2#show ip bgp
BGP table version is 3, local router ID is 192.168.1.222
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 192.168.5.0      10.1.12.1                2    100      0 i
 *   192.168.6.0      10.1.24.4              120    150      0 65002 i
 *>i                  10.1.12.1              110    200      0 65002 i
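The tables above can be checked by script rather than by eye, which is useful for the failure cases that follow. The Python below is an added example and not part of the post: it locates the fixed-width columns of `show ip bgp` from the header line, extracts each path with its status codes, attributes and AS path (a blank Network field inherits the previous prefix, as in the third row above), and compares the router's best-path next hop with an expected value, so a shift such as the one in failure case 1 is reported as a finding. The sample text is R2's output from above, embedded as constructed input.

```python
import re

# Constructed sample input: R2's 'show ip bgp' output from the normal case above
R2_SHOW_IP_BGP = """\
R2#show ip bgp
BGP table version is 3, local router ID is 192.168.1.222
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 192.168.5.0      10.1.12.1                2    100      0 i
 *   192.168.6.0      10.1.24.4              120    150      0 65002 i
 *>i                  10.1.12.1              110    200      0 65002 i
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _int_or_none(text):
    text = text.strip()
    return int(text) if text.isdigit() else None


def parse_show_ip_bgp(text):
    """Parse IOS 'show ip bgp' into a list of path dicts.

    The columns are fixed-width, so the header line is used to find where each
    column starts; a blank Network field means 'same prefix as the previous row'."""
    lines = text.splitlines()
    hdr_idx = next(i for i, line in enumerate(lines) if line.lstrip().startswith("Network"))
    hdr = lines[hdr_idx]
    col = {name: hdr.index(name) for name in ("Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path")}
    paths, prefix = [], None
    for line in lines[hdr_idx + 1:]:
        next_hop = line[col["Next Hop"]:col["Metric"]].strip()
        if not IPV4.match(next_hop):
            continue                      # blank line, 'Total number of prefixes', prompt, etc.
        prefix = line[col["Network"]:col["Next Hop"]].strip() or prefix
        path_field = line[col["Path"]:].split()
        paths.append({
            "status": line[:col["Network"]].strip(),
            "network": prefix,
            "next_hop": next_hop,
            "metric": _int_or_none(line[col["Metric"]:col["LocPrf"]]),
            "local_pref": _int_or_none(line[col["LocPrf"]:col["Weight"]]),
            "weight": _int_or_none(line[col["Weight"]:col["Path"]]),
            "as_path": tuple(int(asn) for asn in path_field[:-1] if asn.isdigit()),
            "origin": path_field[-1] if path_field else None,
        })
    return paths


def best_paths(paths):
    """Map each prefix to the row the router flagged '>' (best)."""
    return {p["network"]: p for p in paths if ">" in p["status"]}


def check_best_next_hops(paths, expected):
    """One finding per prefix whose best next hop is not the expected one (or that has no best path)."""
    best = best_paths(paths)
    findings = []
    for prefix, nh in expected.items():
        actual = best.get(prefix, {}).get("next_hop")
        if actual != nh:
            findings.append(f"{prefix}: best next hop is {actual}, expected {nh}")
    return findings


if __name__ == "__main__":
    rows = parse_show_ip_bgp(R2_SHOW_IP_BGP)
    for row in rows:
        print(row)
    # In the normal case R2 reaches 192.168.6.0 via R1; a shift to 10.1.24.4 means the R1-R3 link is down
    print(check_best_next_hops(rows, {"192.168.6.0": "10.1.12.1", "192.168.5.0": "10.1.12.1"}))
```

Run periodically against the live output (for example collected over SSH), this turns the manual checks in the failure cases into an alert: the expected-next-hop table encodes the normal-case state, and any deviation is reported with the prefix and the next hop actually in use.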

Failure Case 1

R1 (R3) switches to the route via R2 (R4) for the remote network

R1#show ip bgp
BGP table version is 8, local router ID is 192.168.1.221
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.5.0      172.16.15.5              2         32768 i
 *>i 192.168.6.0      10.1.12.2              120    150      0 65002 i

R2 (R4) switches to the route via R4 (R2) for the remote network

R2#show ip bgp
BGP table version is 4, local router ID is 192.168.1.222
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 192.168.5.0      10.1.12.1                2    100      0 i
 *>  192.168.6.0      10.1.24.4              120    150      0 65002 i

Failure Case 2

R1 (R3) switches to the BGP route for the network inside its own LAN

R1#show ip route 192.168.5.0 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

B     192.168.5.0/24 [200/2] via 10.1.12.2, 00:13:30

R2 (R4) switches to the OSPF route for the network inside its own LAN

R2#show ip route 192.168.5.0 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

O     192.168.5.0/24 [110/2] via 172.16.25.5, 00:24:05, GigabitEthernet3

Failure Case 3

R2 (R4) switches to the OSPF route for the network inside its own LAN

R2#show ip route 192.168.5.0 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

O     192.168.5.0/24 [110/2] via 172.16.25.5, 00:24:05, GigabitEthernet3

R2 (R4) switches to the route via R4 (R2) for the remote network

R2#show ip route 192.168.6.0 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

B     192.168.6.0/24 [20/120] via 10.1.24.4, 00:06:25

R3 switches to the route via R4 for the remote network

R3#show ip bgp
BGP table version is 8, local router ID is 192.168.1.223
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 192.168.5.0      10.1.34.4              120    150      0 65001 i
 *>  192.168.6.0      172.16.36.6              2         32768 i

R5 (R6) switches to the route via R2 (R4) for the remote network

R5#show ip static route
Codes: M - Manual static, A - AAA download, N - IP NAT, D - DHCP,
       G - GPRS, V - Crypto VPN, C - CASA, P - Channel interface processor,
       B - BootP, S - Service selection gateway
       DN - Default Network, T - Tracking object
       L - TL1, E - OER, I - iEdge
       D1 - Dot1x Vlan Network, K - MWAM Route
       PP - PPP default route, MR - MRIPv6, SS - SSLVPN
       H - IPe Host, ID - IPe Domain Broadcast
       U - User GPRS, TE - MPLS Traffic-eng, LI - LIIN
       IR - ICMP Redirect
Codes in []: A - active, N - non-active, B - BFD-tracked, D - Not Tracked, P - permanent

Static local RIB for default

M  192.168.6.0/24 [200/0] via 172.16.25.2 [A]

*1: So that the route learned via iBGP is preferred over the route learned via OSPF (AD 110).

IPsec between ASA and VyOS

VyOS is an open-source network OS forked from Vyatta Core, the free edition of Vyatta.
This post is a configuration example for establishing IPsec between a Cisco ASA (in an HA configuration) and VyOS.

Test Environment

  • VyOS 1.1.7 and CentOS 6.8 built on VMware Workstation
  • VMware ESXi 5.5 built on VMware Workstation, with ASAv built on ESXi 5.5*1

(figure: test environment)

ASA Configuration Example

Final HA-related configuration
* For the HA configuration procedure itself, see the linked post.

<...snip...>
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
!
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 description STATE Failover Interface
<...snip...>
failover
failover lan interface failover GigabitEthernet0/2
failover link state GigabitEthernet0/3
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.2
<...snip...>

Checking HA

ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
Version: Ours 9.2(0)2, Mate 9.2(0)2
Last Failover at: 02:57:55 UTC Sep 19 2016
        This host: Primary - Active
                Active time: 27 (sec)
                slot 0: empty
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface outside (10.1.2.1): Normal (Monitored)
                  Interface management (192.168.1.101): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 12455 (sec)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface outside (10.1.2.2): Normal (Monitored)
                  Interface management (192.168.1.102): Normal (Monitored)
<...snip...>

Route configuration

route outside 10.1.1.0 255.255.255.0 10.1.2.254 1
route outside 192.168.20.0 255.255.255.0 10.1.2.254 1

IPsec Configuration

Define and enable the IKE policy

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

Create the tunnel group (LAN-to-LAN profile)

tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco

Configure the selector ACL

object-group network local-network
 network-object 192.168.10.0 255.255.255.0
object-group network remote-network
 network-object 192.168.20.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network

NAT exemption

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

Transform set configuration

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

Crypto map configuration and application to the interface

crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 10.1.1.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside

Final IPsec-related configuration

<...snip...>
object-group network local-network
 network-object 192.168.10.0 255.255.255.0
object-group network remote-network
 network-object 192.168.20.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
<...snip...>
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
<...snip...>
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 10.1.1.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
<...snip...>
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****

Checking IPsec

ciscoasa# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.1.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ciscoasa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 10.1.2.1
      access-list asa-router-vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 10.1.1.2
      #pkts encaps: 21281, #pkts encrypt: 21281, #pkts digest: 21281
      #pkts decaps: 21281, #pkts decrypt: 21281, #pkts verify: 21281
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 21281, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

Checking with packet-tracer

ciscoasa# packet-tracer input inside icmp 192.168.10.100 0 8 192.168.20.100
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.20.0    255.255.255.0   via 10.1.2.254, outside
!...Confirms that the packet is forwarded according to the routing table above
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.20.100/0 to 192.168.20.100/0
!...Confirms that, because of the NAT rule above, the flow to be encrypted is exempt from NAT
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.10.100/0 to 192.168.10.100/0
<...snip...>
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
!...Confirms that the traffic is encrypted by the VPN and permitted
<...snip...>
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
!...Confirms that the traffic is ultimately permitted

VyOS Configuration Example

IKE policy configuration

set vpn ipsec ike-group IKE-1W lifetime 86400
set vpn ipsec ike-group IKE-1W proposal 1 dh-group 2
set vpn ipsec ike-group IKE-1W proposal 1 encryption aes128
set vpn ipsec ike-group IKE-1W proposal 1 hash sha1

Phase 2 policy configuration

set vpn ipsec esp-group ESP-1W lifetime 28800
set vpn ipsec esp-group ESP-1W mode tunnel
set vpn ipsec esp-group ESP-1W pfs dh-group2
set vpn ipsec esp-group ESP-1W proposal 1 encryption aes128
set vpn ipsec esp-group ESP-1W proposal 1 hash sha1

Enable IPsec on the interface

set vpn ipsec ipsec-interfaces interface eth2

Enable NAT-T

set vpn ipsec nat-traversal enable

IPsec peer configuration

set vpn ipsec site-to-site peer 10.1.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.1.2.1 authentication pre-shared-secret cisco
set vpn ipsec site-to-site peer 10.1.2.1 default-esp-group ESP-1W
set vpn ipsec site-to-site peer 10.1.2.1 ike-group IKE-1W
set vpn ipsec site-to-site peer 10.1.2.1 local-address 10.1.1.2
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 esp-group ESP-1W
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 remote prefix 192.168.10.0/24

Commit and save the configuration

commit
save

Final IPsec-related configuration

show | commands | grep vpn
set vpn ipsec esp-group ESP-1W lifetime '28800'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'dh-group2'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W lifetime '86400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 10.1.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.1.2.1 authentication pre-shared-secret 'cisco'
set vpn ipsec site-to-site peer 10.1.2.1 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 10.1.2.1 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 10.1.2.1 local-address '10.1.1.2'
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 local prefix '192.168.20.0/24'
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 remote prefix '192.168.10.0/24'
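With both sides' final configuration on the page, the parameters can be lined up mechanically instead of by reading two vendor dialects side by side. The following Python is an added example, not the post's code nor anything from Cisco or VyOS: it reads the relevant ASA and VyOS lines, normalises the vendor keywords to common names (on the ASA, `encryption aes` means AES-128 and `hash sha` means SHA-1, and `set pfs` without a group means group 2), confirms that phase 1 and phase 2 agree, and then reports which of the agreed parameters fall below current guidance (1024-bit DH group 2, SHA-1, a short dictionary pre-shared key). The configuration strings are copied from the post; the audit thresholds (`min_dh_group`, `min_psk_len`) are the example's own assumptions.

```python
# Constructed input: the lines of the post's final ASA configuration that decide the proposals
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 set pfs
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
"""

# Constructed input: the matching lines from the post's VyOS 'show | commands | grep vpn'
VYOS_CONFIG = """\
set vpn ipsec esp-group ESP-1W lifetime '28800'
set vpn ipsec esp-group ESP-1W pfs 'dh-group2'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W lifetime '86400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 10.1.2.1 authentication pre-shared-secret 'cisco'
"""

# ASA keywords -> neutral names ('aes' is AES-128 and 'sha' is SHA-1 on the ASA)
ASA_ENC = {"aes": "aes128", "aes-256": "aes256", "3des": "3des", "esp-aes": "aes128", "esp-aes-256": "aes256"}
ASA_HASH = {"sha": "sha1", "md5": "md5", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def parse_asa(text):
    ike, esp, psk, section = {}, {}, None, None
    for line in text.splitlines():
        w = line.split()
        if not line.startswith(" "):                            # a top-level command ends any block
            section = None
            if line.startswith("crypto ikev1 policy"):
                section = "ike"
            elif line.startswith("tunnel-group") and w[-1] == "ipsec-attributes":
                section = "tunnel-group"
            elif line.startswith("crypto ipsec ikev1 transform-set"):
                esp["encryption"], esp["hash"] = ASA_ENC[w[5]], ASA_HASH[w[6]]
            elif w[4:6] == ["set", "pfs"]:                      # 'set pfs' with no group means group2
                esp["pfs_group"] = int(w[6][len("group"):]) if len(w) > 6 else 2
            elif "security-association lifetime seconds" in line:
                esp["lifetime"] = int(w[-1])
        elif section == "ike" and len(w) == 2:                  # indented lines of the IKE policy
            conv = {"encryption": ASA_ENC.get, "hash": ASA_HASH.get, "group": int, "lifetime": int}
            if w[0] in conv:
                ike["dh_group" if w[0] == "group" else w[0]] = conv[w[0]](w[1])
        elif section == "tunnel-group" and w[:2] == ["ikev1", "pre-shared-key"]:
            psk = w[2]
    return {"ike": ike, "esp": esp, "psk": psk}


def parse_vyos(text):
    ike, esp, psk = {}, {}, None
    for line in text.splitlines():
        w = [t.strip("'") for t in line.split()]
        if w[:3] != ["set", "vpn", "ipsec"] or len(w) < 7:
            continue
        phase = {"ike-group": ike, "esp-group": esp}.get(w[3])
        if phase is None:
            if w[3] == "site-to-site" and w[-2] == "pre-shared-secret":
                psk = w[-1]
        elif w[5] == "lifetime":
            phase["lifetime"] = int(w[6])
        elif w[5] == "pfs":                      # 'dh-group2' -> 2; 'enable' reuses the IKE group
            phase["pfs_group"] = int(w[6][len("dh-group"):]) if w[6].startswith("dh-group") else w[6]
        elif w[5] == "proposal":                 # ... proposal N {dh-group|encryption|hash} VALUE
            key, val = w[7], w[8]
            phase["dh_group" if key == "dh-group" else key] = int(val) if key == "dh-group" else val
    return {"ike": ike, "esp": esp, "psk": psk}


def compare_proposals(a, b):
    """Parameters that differ between the two sides; an empty list means phases 1 and 2 line up."""
    return [(ph, k, a[ph].get(k), b[ph].get(k)) for ph in ("ike", "esp")
            for k in sorted(set(a[ph]) | set(b[ph])) if a[ph].get(k) != b[ph].get(k)]


def audit(cfg, min_dh_group=14, min_psk_len=20):
    """Agreed parameters below current guidance (thresholds are this example's own, not the post's)."""
    findings = [f"{ph}: {cfg[ph]['hash']} integrity is deprecated, prefer sha256 or better"
                for ph in ("ike", "esp") if cfg[ph].get("hash") in ("md5", "sha1")]
    for ph, key in (("ike", "dh_group"), ("esp", "pfs_group")):
        grp = cfg[ph].get(key)
        if isinstance(grp, int) and grp < min_dh_group:
            findings.append(f"{ph}: DH group {grp} is weaker than group {min_dh_group} (2048-bit MODP)")
    if len(cfg["psk"] or "") < min_psk_len:
        findings.append("auth: pre-shared key is short; use a long random key or certificates")
    return findings


if __name__ == "__main__":
    asa, vyos = parse_asa(ASA_CONFIG), parse_vyos(VYOS_CONFIG)
    print("mismatches:", compare_proposals(asa, vyos))   # [] for the post's configurations
    print("findings:", audit(asa))
```

For the post's configurations `compare_proposals` returns nothing, which is why the tunnel comes up below, while `audit` lists DH group 2, SHA-1 in both phases and the pre-shared key `cisco`: the match check answers "will it negotiate", the audit answers "should it".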

Checking IPsec

vyos@vyos02# run show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.1                                10.1.1.2
    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    2        no     11316   86400

vyos@vyos02# run show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.1                                10.1.1.2
    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     1.7M/1.7M      aes128   sha1    no     11319   28800   all

Redundancy Test

Normal operation

① Check the ASA failover status.*2

ciscoasa# failover exec active show fail
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
Version: Ours 9.2(0)2, Mate 9.2(0)2
Last Failover at: 02:57:55 UTC Sep 19 2016
        This host: Primary - Active 		<--- Primary (ASA01) is Active
                Active time: 12055 (sec)
                slot 0: empty
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface outside (10.1.2.1): Normal (Monitored)
                  Interface management (192.168.1.101): Normal (Monitored)
        Other host: Secondary - Standby Ready	<--- Secondary (ASA02) is Standby
                Active time: 12455 (sec)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface outside (10.1.2.2): Normal (Monitored)
                  Interface management (192.168.1.102): Normal (Monitored)

② Ping from CentOS01 to CentOS02 and check connectivity.

Ping results on CentOS01

[root@centos01 ~]# ping 192.168.20.100 -c 2
PING 192.168.20.100 (192.168.20.100) 56(84) bytes of data.
64 bytes from 192.168.20.100: icmp_seq=1 ttl=63 time=1.39 ms
64 bytes from 192.168.20.100: icmp_seq=2 ttl=63 time=1.45 ms
<...snip...>

Packet capture on the ASA

ciscoasa# capture capout interface outside match esp any any
ciscoasa# show capture capout
<...snip...>
   1: 06:12:28.294433       10.1.2.1 > 10.1.1.2:  ip-proto-50, length 132
   2: 06:12:28.295227       10.1.1.2 > 10.1.2.1:  ip-proto-50, length 132
<...snip...>
ciscoasa# no capture capout interface outside match esp any any

During failure*3

① Check the ASA failover status.*4

ciscoasa# failover exec active show fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
Version: Ours 9.2(0)2, Mate 9.2(0)2
Last Failover at: 06:27:56 UTC Sep 19 2016
        This host: Secondary - Active	<--- Secondary (ASA02) has transitioned to Active
                Active time: 40 (sec)
                slot 0: empty
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface outside (10.1.2.1): Normal (Waiting)
                  Interface management (192.168.1.101): Normal (Monitored)
        Other host: Primary - Failed	<--- Primary (ASA01) has transitioned to Failed
                Active time: 12567 (sec)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface outside (10.1.2.2): No Link (Waiting)
                  Interface management (192.168.1.102): Normal (Monitored)

② Ping from CentOS01 to CentOS02 and check connectivity.

Ping results on CentOS01

[root@centos01 ~]# ping 192.168.20.100 -c 2
PING 192.168.20.100 (192.168.20.100) 56(84) bytes of data.
64 bytes from 192.168.20.100: icmp_seq=1 ttl=63 time=2.61 ms
64 bytes from 192.168.20.100: icmp_seq=2 ttl=63 time=12.6 ms
<...snip...>

Packet capture on the ASA

ciscoasa# capture capout interface outside match esp any any
ciscoasa# show capture capout
<...snip...>
   1: 06:32:43.445243       10.1.2.1 > 10.1.1.2:  ip-proto-50, length 132
   2: 06:32:43.446067       10.1.1.2 > 10.1.2.1:  ip-proto-50, length 132
<...snip...>
ciscoasa# no capture capout interface outside match esp any any

*1: Installing ASAv (OVA) requires vCenter Server. vCenter Server is not needed to boot it after installation.

*2: Because access is over SSH, the "failover exec" command is used to run the show command on the active unit.

*3: With a simulated failure on the Outside interface (Ge0/1) of ASA01.

*4: Because access is over SSH, the "failover exec" command is used to run the show command on the active unit.