EdgeRouter 및 VyOS 1.2.2에서 gre-bridge
개요
비망록
IPSec Site-to-Site로 EdgeRouter-X(ER-X)와 VyOS를 연결하고,
그 위에 gre-bridge로 L2 터널을 만듭니다.
gre-bridge의 이유
ER-X 사이에서 MPLS를 사용하고 싶지만 어쩔 수 없이 중간에 VyOS를 끼워 넣어야 할 때의 고육지책이다.
MPLS 설정에서 LDP를 사용하면 멀티캐스트로 neighbor를 찾는다.
VyOS는 MPLS를 지원하지 않고, 멀티캐스트 라우팅도 구성하기 어렵습니다.
그렇다면 L2로 이어 버리면 되지 않을까? 그래서 gre-bridge를 이용합니다.
네트워크 다이어그램
구성도
논리 그래프
단계 설정
VyOS 및 ER-X에 대한 IPSec, Bridge, Tunnel 설정
VyOS 설정
IP 주소: br0 192.168.0.1/24
lo 10.255.0.1/32
Global IP XXX.XXX.XXX.XXX
VyOS 설정
# IPSec settings
# Phase 2 (ESP) group shared by both tunnels below.
# Proposal 1 is AES-256/SHA-256; proposal 2 keeps SHA-1 as a fallback, so a
# peer can still negotiate the weaker hash unless it is removed on both ends.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# NOTE(review): dh-group2 is 1024-bit MODP for PFS, weaker than the 2048-bit
# dh-group 14 used for IKE below; consider dh-group14 here too (change both ends).
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
# Phase 1 (IKE) group: IKEv1 with PSK, AES-256, DH group 14, SHA-256 preferred
# and SHA-1 as a second proposal. ikev2-reauth has no effect under ikev1.
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IKE/ESP terminate on eth0, the interface that holds the global IP.
set vpn ipsec ipsec-interfaces interface 'eth0'
# NAT traversal (UDP/4500) is on. allow-nat-networks is disabled per tunnel
# below, so presumably this only lets the IKE/ESP transport survive a NAT on
# the ER-X side — confirm against the real WAN setup.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
# Peer 0.0.0.0 is the "any remote address" wildcard (presumably because the
# PPPoE addresses of the ER-X are not fixed): any remote presenting this PSK
# is accepted, so peer identity rests on the PSK alone. Replace 'IPSecPass!'
# with a long random secret before use; it is stored and shown in clear text.
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'IPSecPass!'
# NOTE(review): both ER-X peers are set to connection-type respond and this
# end has no concrete address to dial; the page does not show which side
# actually brings the SA up — confirm.
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE'
set vpn ipsec site-to-site peer 0.0.0.0 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 0.0.0.0 local-address 'any'
# Two child SAs, one per ER-X. The selectors are the loopback /32s, so only
# the GRE traffic between loopbacks (tun1/tun2 below) is encrypted; traffic
# outside these prefixes is not covered by IPsec.
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.255.0.2/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 remote prefix '10.255.0.3/32'
# Bridge settings
# br0 is the L2 domain shared with both ER-X; 192.168.0.1/24 is the VyOS hop
# used in the traceroute check at the end of the page.
set interfaces bridge br0 address '192.168.0.1/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP is off. The topology is hub-and-spoke (VyOS in the middle, no tunnel
# between ER-X1 and ER-X2), so there is no loop today; adding a direct
# ER-X1<->ER-X2 tunnel later would create a loop that nothing breaks.
set interfaces bridge br0 stp 'false'
# Loopback settings
# Tunnel endpoint address; matches the 'local prefix' of both IPsec tunnels.
set interfaces loopback lo address '10.255.0.1/32'
# Tunnel settings
# gre-bridge = GRE carrying Ethernet frames, which is what allows the tunnel
# to be a member of br0. Endpoints are the loopbacks so the GRE packets fall
# inside the IPsec selectors above. multicast is enabled so multicast frames
# (the LDP neighbour discovery mentioned at the top) cross the bridge.
set interfaces tunnel tun1 encapsulation 'gre-bridge'
set interfaces tunnel tun1 local-ip '10.255.0.1'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun1 remote-ip '10.255.0.2'
# Second spoke (ER-X2), same pattern as tun1.
set interfaces tunnel tun2 encapsulation 'gre-bridge'
set interfaces tunnel tun2 local-ip '10.255.0.1'
set interfaces tunnel tun2 multicast 'enable'
set interfaces tunnel tun2 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun2 remote-ip '10.255.0.3'
ER-X1 설정
전제: 인터넷 연결은 이미 설정되어 있습니다.
인터넷과 통신하는 인터페이스는 pppoe입니다.
VyOS와 통신할 수 있습니다.
IP 주소: br0 192.168.0.2/24
lo 10.255.0.2/32
ER-X1 설정
# IPSec settings
# Same ESP/IKE groups as the VyOS side; the proposals must match exactly.
# Proposal 2 keeps SHA-1 as a fallback; remove it on both ends if not needed.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# NOTE(review): dh-group2 is 1024-bit MODP for PFS, weaker than the 2048-bit
# dh-group 14 used for IKE below; change it together with the VyOS side.
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
# Phase 1 (IKE): IKEv1 with PSK, AES-256, DH group 14, SHA-256 / SHA-1.
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IKE/ESP terminate on the PPPoE WAN interface.
# NOTE(review): EdgeOS names PPPoE interfaces pppoeN (e.g. pppoe0); the bare
# 'pppoe' here looks like a stand-in — use the real interface name.
set vpn ipsec ipsec-interfaces interface pppoe
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
# XXX.XXX.XXX.XXX stands for the VyOS global IP. Unlike the VyOS side, this
# end pins the peer to one address. The PSK must equal the VyOS one; replace
# 'IPSecPass!' with a long random secret (it is stored in clear text).
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
# respond: this end waits for the peer to initiate — see the note on the
# VyOS side about which end actually brings the SA up.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
# ESP group applied to every tunnel of this peer (VyOS sets it per tunnel).
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
# Single child SA: loopback-to-loopback /32s, i.e. only the GRE tunnel below
# is encrypted. Mirror of 'tunnel 1' on the VyOS side.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 local prefix 10.255.0.2/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 remote prefix 10.255.0.1/32
# Bridge settings
# br0 shares the 192.168.0.0/24 L2 domain with VyOS and ER-X2 over the tunnel.
set interfaces bridge br0 address '192.168.0.2/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP off: safe only while the topology stays hub-and-spoke with no direct
# ER-X1<->ER-X2 tunnel (see the VyOS bridge note).
set interfaces bridge br0 stp 'false'
# Loopback settings
# Tunnel endpoint address; matches the IPsec 'local prefix' above.
set interfaces loopback lo address '10.255.0.2/32'
# Tunnel settings
# gre-bridge (GRE with Ethernet payload) to the VyOS loopback, bridged into
# br0; counterpart of tun1 on VyOS. multicast enable lets multicast frames
# (LDP neighbour discovery, the reason given at the top) cross the bridge.
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.2'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'
ER-X 2 설정
전제: 인터넷 연결은 이미 설정되어 있습니다.
인터넷과 통신하는 인터페이스는 pppoe입니다.
VyOS와 통신할 수 있습니다.
IP 주소: br0 192.168.0.3/24
lo 10.255.0.3/32
ER-X 2 설정
# IPSec settings
# Same ESP/IKE groups as the VyOS side and ER-X1; the proposals must match.
# Proposal 2 keeps SHA-1 as a fallback; remove it on both ends if not needed.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# NOTE(review): dh-group2 is 1024-bit MODP for PFS, weaker than the 2048-bit
# dh-group 14 used for IKE below; change it together with the VyOS side.
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
# Phase 1 (IKE): IKEv1 with PSK, AES-256, DH group 14, SHA-256 / SHA-1.
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IKE/ESP terminate on the PPPoE WAN interface.
# NOTE(review): EdgeOS names PPPoE interfaces pppoeN (e.g. pppoe0); the bare
# 'pppoe' here looks like a stand-in — use the real interface name.
set vpn ipsec ipsec-interfaces interface pppoe
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
# XXX.XXX.XXX.XXX stands for the VyOS global IP; the peer is pinned to that
# one address. The PSK must equal the VyOS one; replace 'IPSecPass!' with a
# long random secret (it is stored in clear text).
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
# respond: this end waits for the peer to initiate — see the note on the
# VyOS side about which end actually brings the SA up.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
# ESP group applied to every tunnel of this peer (VyOS sets it per tunnel).
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
# Single child SA: loopback-to-loopback /32s, i.e. only the GRE tunnel below
# is encrypted. Counterpart of 'tunnel 2' on VyOS; the local index (0 here,
# 1 on ER-X1) is just this router's numbering and does not need to match.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 local prefix 10.255.0.3/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 remote prefix 10.255.0.1/32
# Bridge settings
# br0 shares the 192.168.0.0/24 L2 domain with VyOS and ER-X1 over the tunnel.
set interfaces bridge br0 address '192.168.0.3/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP off: safe only while the topology stays hub-and-spoke with no direct
# ER-X1<->ER-X2 tunnel (see the VyOS bridge note).
set interfaces bridge br0 stp 'false'
# Loopback settings
# Tunnel endpoint address; matches the IPsec 'local prefix' above.
set interfaces loopback lo address '10.255.0.3/32'
# Tunnel settings
# gre-bridge (GRE with Ethernet payload) to the VyOS loopback, bridged into
# br0; counterpart of tun2 on VyOS. multicast enable lets multicast frames
# (LDP neighbour discovery, the reason given at the top) cross the bridge.
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.3'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'
확인
· ER-X1에서 VyOS의 br0로 traceroute를 실행하면 1홉(hop)에 도달
· ER-X1에서 ER-X2의 br0로 traceroute를 실행하면 1홉(hop)에 도달
그게 다야.
Reference
https://qiita.com/s64s_y/items/22ed0bd003b7506f9a92