Trying an IPSec + BGP connection on a non-RFC1918 network
■ Purpose
Occasionally you may want to use non-RFC1918 addresses (so-called illegal public addresses) inside a private network.
The addresses used in such cases are non-registered ("illegal") global addresses such as 1.1.1.1.
When you later use Oracle Cloud Infrastructure (OCI) public IP services or third-party clouds (Office 365, salesforce.com and the like), such addresses may collide with addresses those providers are legitimately using.
Using non-RFC1918 addresses (non-registered global addresses, illegal public addresses) is therefore entirely at your own risk.
So here we build an IPSec connection with a non-RFC1918 CIDR on both the on-premises side and the OCI VCN, assign the commonly used example address "1.2.3.4" and the well-known public IP "8.8.8.8" to instances, and test whether two-way communication works.
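The collision risk described above can be checked mechanically before any tunnel is built. The following is an added example, not code from the original article: it classifies each prefix the article uses (taken from its configuration and routing table) against RFC 1918 and the other IANA special-purpose ranges, reports the ones that are really globally routable, and flags overlaps between the on-premises and VCN sides. The range table and the site names are the example's own.

```python
"""Sanity-check a non-RFC1918 addressing plan before wiring it into IPSec/BGP.

Added example (not from the original article). Prefixes that come back as
'globally-routable' are exactly the "illegal public address" case: traffic
for the real owner of that range will be swallowed by the private network.
"""
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

# RFC 1918 private space.
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other IANA special-purpose IPv4 ranges that are likewise not globally routable.
SPECIAL_PURPOSE = {
    "this-network (RFC 1122)": IPv4Network("0.0.0.0/8"),
    "shared address space / CGNAT (RFC 6598)": IPv4Network("100.64.0.0/10"),
    "loopback (RFC 1122)": IPv4Network("127.0.0.0/8"),
    "link-local (RFC 3927)": IPv4Network("169.254.0.0/16"),
    "TEST-NET-1 (RFC 5737)": IPv4Network("192.0.2.0/24"),
    "benchmarking (RFC 2544)": IPv4Network("198.18.0.0/15"),
    "TEST-NET-2 (RFC 5737)": IPv4Network("198.51.100.0/24"),
    "TEST-NET-3 (RFC 5737)": IPv4Network("203.0.113.0/24"),
    "multicast (RFC 5771)": IPv4Network("224.0.0.0/4"),
    "reserved (RFC 1112)": IPv4Network("240.0.0.0/4"),
}


def classify(cidr: str) -> str:
    """Return 'rfc1918', 'special-purpose: <name>' or 'globally-routable'."""
    net = IPv4Network(cidr, strict=False)
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    for name, special in SPECIAL_PURPOSE.items():
        if net.subnet_of(special):
            return f"special-purpose: {name}"
    return "globally-routable"


def find_overlaps(plan: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (site_a, cidr_a, site_b, cidr_b) for each pair of prefixes from
    different sites that overlap; BGP cannot reach both sides of such a pair."""
    flat = [(site, IPv4Network(c, strict=False))
            for site, cidrs in plan.items() for c in cidrs]
    hits = []
    for i, (site_a, net_a) in enumerate(flat):
        for site_b, net_b in flat[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                hits.append((site_a, str(net_a), site_b, str(net_b)))
    return hits


def review_plan(plan: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify every prefix in the plan, keyed by the CIDR as written."""
    return {c: classify(c) for cidrs in plan.values() for c in cidrs}


# Prefixes taken from the article's router configuration and routing table.
# Site names are the example's own labels.
ARTICLE_PLAN = {
    "on-premises": ["8.8.8.0/24"],
    "oci-vcn": ["1.2.3.0/24", "1.2.10.0/24"],
    "tunnel-links": ["10.254.200.201/30", "10.254.200.205/30"],
}

if __name__ == "__main__":
    for cidr, verdict in review_plan(ARTICLE_PLAN).items():
        note = "  <-- not private; shadows the real holder of this range" \
            if verdict == "globally-routable" else ""
        print(f"{cidr:20} {verdict}{note}")
    for a, ca, b, cb in find_overlaps(ARTICLE_PLAN):
        print(f"OVERLAP: {a} {ca} vs {b} {cb}")
```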
■ Configuration and build
The build follows the usual procedure, as shown in the diagram.
The router used is a NEC UNIVERGE IX2105.
■ Router configuration
Configure the NEC UNIVERGE IX2105 as follows.
Router# configure
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# show config
Using 3938 out of 524288 bytes
! NEC Portable Internetwork Core Operating System Software
! IX Series IX2105 (magellan-sec) Software, Version 9.2.20, RELEASE SOFTWARE
! Compiled Aug 19-Wed-2015 16:25:46 JST #2
! Last updated Jul 12-Fri-2019 08:47:16 JST
!
!
hostname Router
timezone +09 00
!
!
!
username admin password hash 6B1R4JK2 administrator
!
!
!
!
!
!
logging buffered 131072
logging subsystem all warn
logging timestamp datetime
!
!
ip ufs-cache enable
ip multipath per-flow
ip route default GigaEthernet0.1
ip dhcp enable
ip prefix-list as-path-in 10 permit any
ip prefix-list as-path-out 10 permit any
ip access-list sec-list permit ip src any dest any
ip access-list web-http-acl permit ip src any dest 8.8.8.212/32
ip access-list web_console permit ip src any dest 8.8.8.212/32
!
!
!
ike nat-traversal
!
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1536-bit
!
ike policy ike-pol1 peer 100.100.100.101 key IPSecKey01 ike-prop
!
ike policy ike-pol2 peer 100.100.100.102 key IPSecKey02 ike-prop
!
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha lifetime time 3600
!
ipsec autokey-map ipsec-map1 sec-list peer 100.100.100.101 ipsec-prop pfs 1536-bit
!
ipsec autokey-map ipsec-map2 sec-list peer 100.100.100.102 ipsec-prop pfs 1536-bit
!
!
!
!
!
!
!
!
!
proxy-dns ip enable
proxy-dns interface GigaEthernet0.1 priority 254
!
telnet-server ip enable
!
!
http-server username admin
http-server ip access-list web-http-acl
http-server ip enable
!
web-console interface lan1 GigaEthernet1.0
!
!
!
vrrp enable
!
!
!
watch-group watch_tunnel0 10
event 20 ip unreach-host 8.8.8.212 Tunnel0.0 source GigaEthernet1.0
action 20 ipsec clear-sa Tunnel0.0
!
network-monitor watch_tunnel0 enable
!
watch-group watch_tunnel1 10
event 20 ip unreach-host 8.8.8.212 Tunnel1.0 source GigaEthernet1.0
action 20 ipsec clear-sa Tunnel1.0
!
network-monitor watch_tunnel1 enable
!
!
route-map bgp permit 65000
!
route-map rmap-in permit 10
match ip address prefix-list as-path-in
set as-path prepend 31898 31898
!
route-map rmap-out permit 10
match ip address prefix-list as-path-out
set as-path prepend 65000 65000
!
ppp profile web-ppp-gigaethernet0.1
authentication myname [email protected]
authentication password [email protected] passwd
!
ip dhcp profile web-dhcp-gigaethernet1.0
dns-server 8.8.8.212
!
router bgp 65000
neighbor 10.254.200.202 remote-as 31898
neighbor 10.254.200.202 timers 10 30
neighbor 10.254.200.206 remote-as 31898
neighbor 10.254.200.206 timers 10 30
address-family ipv4 unicast
neighbor 10.254.200.206 route-map rmap-in in
neighbor 10.254.200.206 route-map rmap-out out
network 8.8.8.0/24
!
device GigaEthernet0
!
device GigaEthernet1
!
interface GigaEthernet0.0
no ip address
shutdown
!
interface GigaEthernet1.0
description LAN1
ip address 8.8.8.212/24
ip dhcp binding web-dhcp-gigaethernet1.0
vrrp 254 ip 8.8.8.254
vrrp 254 priority 95
vrrp 254 ip virtual-host
no shutdown
!
interface GigaEthernet0.1
description WAN1
encapsulation pppoe
auto-connect
ppp binding web-ppp-gigaethernet0.1
ip address ipcp
ip tcp adjust-mss auto
ip napt enable
no shutdown
!
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address
!
interface Tunnel0.0
tunnel mode ipsec
ip address 10.254.200.201/30
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map1 df-bit ignore pre-fragment out
no shutdown
!
interface Tunnel1.0
tunnel mode ipsec
ip address 10.254.200.205/30
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map2 df-bit ignore pre-fragment out
no shutdown
■ Checking the OCI IPSec connection
■ Checking the BGP configuration
● Checking route information
Router(config)# show ip route
IP Routing Table - 8 entries, 4 hidden, 2036 frees
Entries: 5 Connected, 1 Static, 0 RIP, 0 OSPF, 2 BGP
Codes: C - Connected, S - Static, R - RIP, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, B - BGP
* - Candidate default, s - Summary
Timers: Age
S* 0.0.0.0/0 [1/1] is directly connected, GigaEthernet0.1, 16:34:07
1.0.0.0/8 is subnetted, 2 subnets
B 1.2.3.0/24 [20/0] via 10.254.200.202, Tunnel0.0, 0:28:28
B 1.2.10.0/24 [20/0] via 10.254.200.202, Tunnel0.0, 0:28:28
8.0.0.0/8 is subnetted, 2 subnets
C 8.8.8.0/24 [0/1] is directly connected, GigaEthernet1.0, 0:29:16
C 8.8.8.254/32 [0/1] is directly connected, Virtual254, 0:29:12
10.254.0.0/16 is subnetted, 2 subnets
C 10.254.200.202/30 [0/1] is directly connected, Tunnel0.0, 16:20:22
C 10.254.200.206/30 [0/1] is directly connected, Tunnel1.0, 16:20:22
● Checking BGP information
· Checking the state of all BGP sessions
Router(config)# show ip bgp summary
BGP router ID 10.254.200.205, local AS number 65000
4 BGP AS-PATH entries
Neighbor V AS MsgRcvd MsgSent Up/DownTime State
10.254.200.202 4 31898 6381 5836 0:23:39 ESTABLISHED
10.254.200.206 4 31898 6421 5839 0:23:39 ESTABLISHED
Total number of neighbors 2
· Checking the BGP table
Router(config)# show ip bgp
BGP table version is 28, local router ID is 10.254.200.205
Local AS number 65000
Status codes: s - suppressed, * - valid, h - history
> - best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Path
* 1.2.3.0/24 10.254.200.206 31898 31898 31898 i
*> 10.254.200.202 31898 i
* 1.2.10.0/24 10.254.200.206 31898 31898 31898 i
*> 10.254.200.202 31898 i
*> 8.8.8.0/24 0.0.0.0 1 i
10.254.200.0/24 0.0.0.0 0 i
Total number of prefixes 6
· Checking the routes exchanged with each neighbor over its BGP/TCP session
Router(config)# show ip bgp neighbors 10.254.200.202 advertised-routes
BGP table version is 28, local router ID is 10.254.200.205
Local AS number 65000
Status codes: s - suppressed, * - valid, h - history
> - best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Path
*> 8.8.8.0/24 10.254.200.201 1 i
Total number of prefixes 1
Router(config)# show ip bgp neighbors 10.254.200.202 received-routes
BGP table version is 28, local router ID is 10.254.200.205
Local AS number 65000
Status codes: s - suppressed, * - valid, h - history
> - best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Path
*> 1.2.3.0/24 10.254.200.202 31898 i
*> 1.2.10.0/24 10.254.200.202 31898 i
Total number of prefixes 2
Router(config)# show ip bgp neighbors 10.254.200.206 advertised-routes
BGP table version is 28, local router ID is 10.254.200.205
Local AS number 65000
Status codes: s - suppressed, * - valid, h - history
> - best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Path
*> 8.8.8.0/24 10.254.200.205 1 65000 65000 i
Total number of prefixes 1
Router(config)# show ip bgp neighbors 10.254.200.206 received-routes
BGP table version is 28, local router ID is 10.254.200.205
Local AS number 65000
Status codes: s - suppressed, * - valid, h - history
> - best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Path
* 1.2.3.0/24 10.254.200.206 31898 31898 31898 i
* 1.2.10.0/24 10.254.200.206 31898 31898 31898 i
Total number of prefixes 2
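The tables above show the effect of the two route-maps: the copy of each VCN prefix learned via Tunnel1 carries two extra 31898 hops from rmap-in, so Tunnel0 wins best-path selection, and the prefix advertised to the Tunnel1 neighbor carries 65000 65000 from rmap-out. As an added example (not code from the original article), the following Python parses the `show ip bgp` table as it appears above, with its columns collapsed to single spaces, and checks that preference. The column heuristic (numbers after a 0.0.0.0 next hop are the metric of a locally originated route, otherwise the AS path) is an assumption about this collapsed copy.

```python
"""Check the failover preference encoded in the article's BGP route-maps.

Added example (not from the original article). Parses the IX2105
`show ip bgp` table as copied in the article and verifies that every prefix
learned from OCI prefers Tunnel0 and that the Tunnel1 copy carries the
inbound AS-path prepend configured by rmap-in.
"""
from collections import defaultdict, namedtuple
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

Route = namedtuple("Route", "prefix status next_hop as_path origin")

# Copied from the article's `show ip bgp` output (whitespace already collapsed).
SHOW_IP_BGP = """\
BGP table version is 28, local router ID is 10.254.200.205
Local AS number 65000
Status codes: s - suppressed, * - valid, h - history
> - best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Path
* 1.2.3.0/24 10.254.200.206 31898 31898 31898 i
*> 10.254.200.202 31898 i
* 1.2.10.0/24 10.254.200.206 31898 31898 31898 i
*> 10.254.200.202 31898 i
*> 8.8.8.0/24 0.0.0.0 1 i
10.254.200.0/24 0.0.0.0 0 i
Total number of prefixes 6
"""


def _is_ipv4(token: str) -> bool:
    try:
        IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_bgp_table(text: str) -> List[Route]:
    """Parse the table body. A line without a prefix is an additional path for
    the previous prefix. The copy has no column alignment, so Metric and Path
    cannot be told apart by position; heuristic for this output: numbers after
    a 0.0.0.0 next hop are the metric of a locally originated route, otherwise
    they form the AS path."""
    entries: List[Route] = []
    prefix = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line.startswith("Network")
            continue
        if not line or line.startswith("Total"):
            continue
        toks = line.split()
        status = ""
        if "/" not in toks[0] and not _is_ipv4(toks[0]):
            status = toks.pop(0)          # e.g. "*", "*>", "s"
        if "/" in toks[0]:
            prefix = toks.pop(0)
        next_hop = toks.pop(0)
        origin = toks.pop()               # i / e / ?
        numbers = tuple(int(t) for t in toks)
        as_path = () if next_hop == "0.0.0.0" else numbers
        entries.append(Route(prefix, status, next_hop, as_path, origin))
    return entries


def check_failover_preference(entries: List[Route], primary: str, backup: str,
                              inbound_prepend: Tuple[int, ...]) -> Dict[str, Tuple[bool, str]]:
    """For each prefix learned over the tunnels: exactly one best path, via
    `primary`; every other path via `backup` with `inbound_prepend` in front
    of the best path's AS path (the effect of rmap-in on that neighbor)."""
    by_prefix = defaultdict(list)
    for e in entries:
        if e.as_path:                     # skip locally originated routes
            by_prefix[e.prefix].append(e)
    results: Dict[str, Tuple[bool, str]] = {}
    for prefix, routes in by_prefix.items():
        best = [r for r in routes if ">" in r.status]
        if len(best) != 1 or best[0].next_hop != primary:
            results[prefix] = (False, "best path is not via the primary tunnel")
            continue
        expected = tuple(inbound_prepend) + best[0].as_path
        bad = [r for r in routes if r is not best[0]
               and (r.next_hop != backup or r.as_path != expected)]
        results[prefix] = (not bad, "ok" if not bad
                           else "backup path is not prepended as expected")
    return results


if __name__ == "__main__":
    table = parse_bgp_table(SHOW_IP_BGP)
    verdicts = check_failover_preference(
        table, "10.254.200.202", "10.254.200.206", (31898, 31898))
    for prefix, (ok, why) in verdicts.items():
        print(f"{prefix:16} {'PASS' if ok else 'FAIL'}: {why}")
```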
■ Checking connectivity
● On-premises -> OCI connectivity check
· traceroute check
onp-inst01:~ root# traceroute 1.2.3.4
traceroute to 1.2.3.4 (1.2.3.4), 64 hops max, 52 byte packets
1 8.8.8.254 (8.8.8.254) 1.799 ms 3.034 ms 1.227 ms
2 * * *
3 1.2.3.4 (1.2.3.4) 5.682 ms 6.982 ms 5.358 ms
· ping check
onp-inst01:~ root# ping 1.2.3.4 -c 10
PING 1.2.3.4 (1.2.3.4): 56 data bytes
64 bytes from 1.2.3.4: icmp_seq=0 ttl=62 time=7.716 ms
64 bytes from 1.2.3.4: icmp_seq=1 ttl=62 time=10.973 ms
64 bytes from 1.2.3.4: icmp_seq=2 ttl=62 time=6.656 ms
64 bytes from 1.2.3.4: icmp_seq=3 ttl=62 time=6.813 ms
64 bytes from 1.2.3.4: icmp_seq=4 ttl=62 time=6.135 ms
64 bytes from 1.2.3.4: icmp_seq=5 ttl=62 time=7.018 ms
64 bytes from 1.2.3.4: icmp_seq=6 ttl=62 time=8.734 ms
64 bytes from 1.2.3.4: icmp_seq=7 ttl=62 time=6.887 ms
64 bytes from 1.2.3.4: icmp_seq=8 ttl=62 time=6.592 ms
64 bytes from 1.2.3.4: icmp_seq=9 ttl=62 time=6.771 ms
--- 1.2.3.4 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.135/7.429/10.973/1.364 ms
· ssh connectivity check
onp-inst01:~ root# ssh -i id_rsa opc@1.2.3.4
The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established.
ECDSA key fingerprint is SHA256:agH9jrx4S2Kw2G.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '1.2.3.4' (ECDSA) to the list of known hosts.
Last login: Fri Jul 12 15:59:12 2019 from 8.8.8.2
[opc@oci-inst01 ~]$ hostname
oci-inst01
● OCI -> On-premises connectivity check
· traceroute check
[opc@oci-inst01 ~]$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 8.8.8.8 (8.8.8.8) 5.647 ms 6.229 ms 5.597 ms
· ping check
[opc@oci-inst01 ~]$ ping 8.8.8.8 -c 10
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=62 time=83.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=62 time=107 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=62 time=25.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=62 time=49.4 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=62 time=71.9 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=62 time=92.6 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=62 time=63.8 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=62 time=8.43 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=62 time=135 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=62 time=79.0 ms
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9015ms
rtt min/avg/max/mdev = 8.434/71.753/135.776/35.721 ms
· ssh connectivity check
[opc@oci-inst01 ~]$ ssh root@8.8.8.8
The authenticity of host '8.8.8.8 (8.8.8.8)' can't be established.
ECDSA key fingerprint is SHA256:FkidRp3f180gTMol.
ECDSA key fingerprint is MD5:98:4f:41:7c:24:b1:.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '8.8.8.8' (ECDSA) to the list of known hosts.
Password:
Last login: Sat Jul 13 01:00:23 2019 from 1.2.3.4
onp-inst01:~ root# hostname
onp-inst01.local
■ References
● IP addresses used by OCI
The IP addresses used by Oracle Cloud Infrastructure (OCI) are documented in the following pages:
・ Networking Overview
・ Public IP Address Ranges
・ Public IP Addresses for VCNs and the Oracle Services Network
・ FastConnect Public Peering Advertised Routes
・ Object Storage IP Addresses
・ Network Setup for DB Systems: Requirements for IP Address Space
● Other
・ Virtual Cloud Network FAQ
Reference
Original article (Trying an IPSec + BGP connection on a non-RFC1918 network): https://qiita.com/shirok/items/8c0084a16bdf62ba5050