EdgeRouter 및 VyOS 1.2.2에서 gre-bridge

개요


비망록
IPSec Site-to-Site로 EdgeRouter-X(ER-X)와 VyOS를 연결하고,
그 위에 gre-bridge로 L2 터널을 만듭니다.

gre-bridge의 이유


ER-X 사이에서 MPLS를 사용하려면 어떻게든 VyOS를 사이에 끼워야 하는 상황에서 나온 고육지책입니다.
MPLS 설정에서 LDP를 사용하면 멀티캐스트로 neighbor를 찾게 됩니다.
VyOS는 MPLS를 지원하지 않아 멀티캐스트 라우팅을 수행하기 어렵습니다.
그럼 L2로 가면 되지 않을까요? 그래서 gre-bridge를 이용합니다.

네트워크 다이어그램


구성도



논리 그래프



단계 설정


VyOS 및 ER-X에 대한 IPSec, Bridge, Tunnel 설정

VyOS 설정


IP 주소: br0 192.168.0.1/24
      lo      10.255.0.1/32
      Global IP   XXX.XXX.XXX.XXX
VyOS 설정

# IPsec settings (VyOS, hub side)
# One IKE group and one ESP group are shared by both spokes. Each spoke is a
# separate "tunnel" entry under the same 0.0.0.0 peer, distinguished only by
# the /32 loopback prefixes used as traffic selectors below.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# NOTE(review): PFS uses dh-group2 (1024-bit MODP) while the IKE proposals
# below use dh-group 14 (2048-bit); group 2 is the weaker of the two.
# Whatever group is chosen must be identical on every ER-X.
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
# Proposal 2 is a sha1 fallback. Every device on this page also offers
# proposal 1 (sha256), so proposal 2 can be dropped once confirmed unused.
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
# IKEv1 with a pre-shared secret (see peer authentication below); if both
# ends support IKEv2 that would be the preferable key exchange.
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
# Same sha1-fallback remark as for the ESP group.
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# eth0 is the interface holding the global (public) address from the
# address list above.
set vpn ipsec ipsec-interfaces interface 'eth0'
# NOTE(review): allowed-network 0.0.0.0/0 would accept any private network
# behind a NATed peer, but both tunnels below set allow-nat-networks
# 'disable', so this line appears unused here — confirm and remove if so.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
# nat-traversal is enabled on all three devices; only needed if a peer sits
# behind NAT — cannot tell from this page whether that is the case.
set vpn ipsec nat-traversal 'enable'
# peer 0.0.0.0 accepts the IKE exchange from any source address (presumably
# because the ER-X pppoe addresses are dynamic — TODO confirm). With PSK
# authentication this means anyone holding the secret can bring a tunnel up,
# so the secret must be long and random. 'IPSecPass!' is a sample value and
# must be replaced on all three devices.
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'IPSecPass!'
# NOTE(review): with a 0.0.0.0 peer there is no concrete address to initiate
# to, and both ER-X sides are configured as 'respond' — confirm which side
# actually starts the exchange in practice.
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE'
set vpn ipsec site-to-site peer 0.0.0.0 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 0.0.0.0 local-address 'any'
# Tunnel 1: VyOS loopback <-> ER-X1 loopback. The selectors are /32s, so the
# only traffic carried inside IPsec is what flows between the loopbacks —
# i.e. the GRE tunnels defined further down.
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.255.0.2/32'
# Tunnel 2: VyOS loopback <-> ER-X2 loopback (ER-X2 numbers this "tunnel 0"
# on its side; the index is local, only the prefixes have to match).
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 remote prefix '10.255.0.3/32'


# Bridge settings
# br0 holds the site LAN address and has both GRE tunnels as members, so the
# 192.168.0.0/24 broadcast domain spans all three sites. Every host on that
# subnet at one site is L2-adjacent to the other sites; isolation between
# sites therefore rests entirely on the IPsec policy above.
set interfaces bridge br0 address '192.168.0.1/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP is off. As configured on this page the topology is hub-and-spoke (each
# ER-X has a single tunnel, to this device), so there is no L2 loop. Enable
# STP before adding any direct ER-X1 <-> ER-X2 tunnel.
set interfaces bridge br0 stp 'false'

# Loopback settings
# The loopback is both the GRE endpoint and the IPsec traffic selector.
set interfaces loopback lo address '10.255.0.1/32'

# Tunnel settings
# gre-bridge = L2 GRE. GRE itself has no authentication or encryption; these
# tunnels are protected only because their loopback endpoints fall inside
# the IPsec selectors above. NOTE(review): confirm that loopback-to-loopback
# traffic is dropped, not sent in the clear, while the SA is down.
set interfaces tunnel tun1 encapsulation 'gre-bridge'
set interfaces tunnel tun1 local-ip '10.255.0.1'
# multicast is enabled so that LDP neighbour discovery (the reason for the
# L2 tunnel) can cross the bridge.
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun1 remote-ip '10.255.0.2'

# Second spoke, same shape; only the remote loopback differs.
set interfaces tunnel tun2 encapsulation 'gre-bridge'
set interfaces tunnel tun2 local-ip '10.255.0.1'
set interfaces tunnel tun2 multicast 'enable'
set interfaces tunnel tun2 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun2 remote-ip '10.255.0.3'


ER-X1 설정


전제: 인터넷에 연결할 수 있도록 설정이 되어 있습니다.
인터넷과 통신하는 인터페이스는 pppoe입니다.
VyOS와 통신이 가능합니다.
IP 주소: br0 192.168.0.2/24
      lo  10.255.0.2/32
ER-X1 설정

# IPsec settings (ER-X1, spoke side)
# The ESP/IKE groups are a byte-for-byte copy of the VyOS side; any change
# to proposals, PFS group or lifetimes must be mirrored there.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# NOTE(review): dh-group2 (1024-bit MODP) for PFS is weaker than the
# dh-group 14 used by the IKE proposals; must match the VyOS side.
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
# sha1 fallback; removable once confirmed unused (VyOS also offers sha256).
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
# IKEv1 + pre-shared secret.
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IPsec is bound to the pppoe WAN interface (see the prerequisites above).
set vpn ipsec ipsec-interfaces interface pppoe
# NOTE(review): allow-nat-networks is 'disable' on the tunnel below, so this
# 0.0.0.0/0 entry appears unused — confirm and remove if so.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'

# XXX.XXX.XXX.XXX is the VyOS global address. Unlike the VyOS side, the peer
# is pinned to one address. 'IPSecPass!' is a sample secret; replace it with
# a long random value and keep it identical on all three devices.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
# NOTE(review): 'respond' here while VyOS has a 0.0.0.0 peer with 'initiate'
# — confirm which side actually starts the exchange.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
# The ESP group is attached at peer level (default-esp-group) rather than per
# tunnel as on the VyOS side; the effect is the same for a single tunnel.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
# Selectors are the loopback /32s, mirroring VyOS "tunnel 1": only GRE
# traffic between the loopbacks is carried inside IPsec.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 local prefix 10.255.0.2/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 remote prefix 10.255.0.1/32


# Bridge settings
# br0 = site LAN address plus the GRE tunnel; this site's 192.168.0.0/24
# hosts become L2-adjacent to the other two sites.
set interfaces bridge br0 address '192.168.0.2/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP off: this spoke has a single tunnel (to VyOS), so no L2 loop as
# configured on this page. Revisit before adding any second tunnel.
set interfaces bridge br0 stp 'false'


# Loopback settings
# GRE endpoint and IPsec selector for this site.
set interfaces loopback lo address '10.255.0.2/32'


# Tunnel settings
# L2 GRE to the VyOS hub, bridged into br0. GRE adds no security of its own;
# protection comes from the IPsec selectors above covering both loopbacks.
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.2'
# multicast enabled for LDP neighbour discovery across the bridge.
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'



ER-X 2 설정


전제: 인터넷에 연결할 수 있도록 설정이 되어 있습니다.
인터넷과 통신하는 인터페이스는 pppoe입니다.
VyOS와 통신이 가능합니다.
IP 주소: br0 192.168.0.3/24
      lo  10.255.0.3/32
ER-X 2 설정


# IPsec settings (ER-X2, spoke side)
# Identical to ER-X1 except for the loopback/LAN addresses and the local
# tunnel index; the ESP/IKE groups must stay in sync with VyOS and ER-X1.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# NOTE(review): dh-group2 (1024-bit MODP) PFS is weaker than the dh-group 14
# used for IKE; must match the VyOS side.
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
# sha1 fallback; removable once confirmed unused.
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
# IKEv1 + pre-shared secret.
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IPsec bound to the pppoe WAN interface.
set vpn ipsec ipsec-interfaces interface pppoe
# NOTE(review): allow-nat-networks is 'disable' on the tunnel below, so this
# 0.0.0.0/0 entry appears unused — confirm and remove if so.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'

# Peer pinned to the VyOS global address. 'IPSecPass!' is a sample secret;
# replace it with a long random value, identical on all three devices.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
# NOTE(review): 'respond' here while VyOS cannot initiate to a 0.0.0.0 peer
# — confirm which side actually starts the exchange.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
# This is "tunnel 0" locally but corresponds to VyOS "tunnel 2"; the index
# is local, only the /32 loopback prefixes have to match.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 local prefix 10.255.0.3/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 remote prefix 10.255.0.1/32


# Bridge settings
# br0 = site LAN address plus the GRE tunnel; the 192.168.0.0/24 broadcast
# domain is shared with the other two sites.
set interfaces bridge br0 address '192.168.0.3/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP off: single tunnel to the hub, so no L2 loop as configured here.
set interfaces bridge br0 stp 'false'


# Loopback settings
# GRE endpoint and IPsec selector for this site.
set interfaces loopback lo address '10.255.0.3/32'


# Tunnel settings
# L2 GRE to the VyOS hub, bridged into br0; secured only by the IPsec
# selectors above covering both loopbacks.
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.3'
# multicast enabled for LDP neighbour discovery across the bridge.
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'

확인


· ER-X1에서 VyOS의 br0로 traceroute를 실행하면 1홉 만에 도착
· ER-X1에서 ER-X2의 br0로 traceroute를 실행하면 1홉 만에 도착
이상입니다.
