Oracle Cloud : Connecting a Yamaha router to OCI over an IPSec VPN with BGP
■Purpose
BGP (Border Gateway Protocol) is a dynamic routing protocol that interconnected routers use to exchange their routing information with each other dynamically.
Here BGP is run over an IPSec connection to Oracle Cloud Infrastructure (OCI) to propagate route information, and we confirm that the on-premises instance and the OCI instance can reach each other.
■Configuration diagram
● Procedure overview
Up to the IPSec connection the procedure is the same as for static routing; only the static-routing part has to be replaced with the BGP configuration.
・Reference: Oracle Cloud : Connecting a Yamaha NVR700w to OCI over an IPsec VPN
■ OCI-side IPSec and BGP settings
● Create the IPSec Connection
Here, leave the Static Route CIDR used for static routing empty and configure BGP instead.
The BGP settings appear as additional fields when you click Advanced Options at the bottom of the Create IPSec Connection screen.
· Create IPSec Connection screen
Because the CPE's public IP address given when the CPE object was created is used as the IKE ID, if the CPE sits behind NAT, set the private IP of the VPN router behind the NAT as the IKE ID instead.
· IPSec BGP Tunnel1 settings screen
· IPSec BGP Tunnel2 settings screen
■YAMAHA IPSec configuration steps
●Log in to the NVR700w
· Log in over ssh or a console connection
root@onp-inst01:~ # ssh [email protected]
[email protected]'s password:
>
· Switch to the administrator user
> administrator
Password:
There are changed configuration unsaved in nonvolatile memory!
The administrator password is factory default setting. Please change the password by the 'administrator password' command.
#
●NAT settings
nat descriptor type 1000 masquerade
nat descriptor address outer 1000 200.200.200.201
nat descriptor masquerade static 1000 1 192.168.100.1 udp 500
nat descriptor masquerade static 1000 2 192.168.100.1 esp
● IPSec connection settings
Configure as follows
tunnel select 1
description tunnel OCI-VPN1
ipsec tunnel 1
ipsec sa policy 1 1 esp aes256-cbc sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 aes256-cbc
ipsec ike group 1 modp1536
ipsec ike hash 1 sha256
ipsec ike keepalive log 1 off
ipsec ike keepalive use 1 on dpd 5 4
ipsec ike local address 1 200.200.200.201
ipsec ike local id 1 0.0.0.0/0
ipsec ike nat-traversal 1 on
ipsec ike pfs 1 on
ipsec ike pre-shared-key 1 text ipsecNVR700wSecretKey01
ipsec ike remote address 1 100.100.100.101
ipsec ike remote id 1 0.0.0.0/0
ip tunnel tcp mss limit auto
tunnel enable 1
tunnel select 2
description tunnel OCI-VPN2
ipsec tunnel 2
ipsec sa policy 2 2 esp aes256-cbc sha-hmac
ipsec ike duration ipsec-sa 2 3600
ipsec ike duration isakmp-sa 2 28800
ipsec ike encryption 2 aes256-cbc
ipsec ike group 2 modp1536
ipsec ike hash 2 sha256
ipsec ike keepalive log 2 off
ipsec ike keepalive use 2 on dpd 5 4
ipsec ike local address 2 200.200.200.201
ipsec ike local id 2 0.0.0.0/0
ipsec ike nat-traversal 2 on
ipsec ike pfs 2 on
ipsec ike pre-shared-key 2 text ipsecNVR700wSecretKey02
ipsec ike remote address 2 100.100.100.102
ipsec ike remote id 2 0.0.0.0/0
ip tunnel tcp mss limit auto
tunnel enable 2
● Apply and verify the IPSec settings
tunnel2# ipsec auto refresh on
tunnel2# show ipsec sa
Total: isakmp:2 send:2 recv:3
sa sgw isakmp connection dir life[s] remote-id
----------------------------------------------------------------------------
1 1 - isakmp - 28589 100.100.100.101
2 2 - isakmp - 28634 100.100.100.102
3 1 1 tun[0001]esp send 3391 100.100.100.101
4 1 1 tun[0001]esp recv 3391 100.100.100.101
5 2 2 tun[0002]esp send 3436 100.100.100.102
6 2 - tun[0002]esp recv 3392 100.100.100.102
7 2 2 tun[0002]esp recv 3436 100.100.100.102
■YAMAHA BGP configuration steps
●BGP settings
Oracle Cloud's ASN is 31898.
Configure as below, referring to the configuration diagram for the details
tunnel select 1
ip tunnel address 192.168.0.102/31
ip tunnel remote address 192.168.0.103
tunnel select 2
ip tunnel address 192.168.0.104/31
ip tunnel remote address 192.168.0.105
bgp use on
bgp autonomous-system 65000
bgp log neighbor
bgp neighbor 1 31898 192.168.0.103 hold-time=180 local-address=192.168.0.102
bgp neighbor 2 31898 192.168.0.105 hold-time=180 local-address=192.168.0.104
bgp import filter 1 equal 0.0.0.0/0
bgp import 31898 static filter 1
●Apply and verify the BGP settings
# bgp configure refresh
・It takes a few tens of seconds for the BGP sessions to come up.
Once the BGP state has gone from Idle to Established, everything is OK.
# show status bgp neighbor
BGP neighbor is 192.168.0.103, remote AS 31898, local AS 65000, external link
BGP version 4, remote router ID 192.168.0.103
BGP state = Established, up for 00:02:19
Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
Received 3 messages, 0 notifications, 0 in queue
Sent 8 messages, 1 notifications, 0 in queue
Connection established 1; dropped 0
Last reset never
Local host: 192.168.0.102, Local port: 1027
Foreign host: 192.168.0.103, Foreign port: 179
BGP neighbor is 192.168.0.105, remote AS 31898, local AS 65000, external link
BGP version 4, remote router ID 192.168.0.105
BGP state = Established, up for 00:02:27
Last read 00:00:34, hold time is 180, keepalive interval is 60 seconds
Received 3 messages, 0 notifications, 0 in queue
Sent 8 messages, 1 notifications, 0 in queue
Connection established 1; dropped 0
Last reset never
Local host: 192.168.0.104, Local port: 1026
Foreign host: 192.168.0.105, Foreign port: 179
● Verify route propagation
Verify that the OCI-side subnet CIDR 10.0.0.0/24 has been added to the routing table
tunnel2# show ip route
Destination Gateway Interface Kind Additional Info.
default - PP[01] static filter:500000
default - PP[01] static
10.0.0.0/24 192.168.0.103 TUNNEL[1] BGP path=31898
192.168.100.0/24 192.168.100.1 LAN1 implicit
192.168.0.102/31 - TUNNEL[1] implicit
192.168.0.104/31 - TUNNEL[2] implicit
・・・
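A health check in Python, added here as an example (not from the original article), that parses the `show status bgp neighbor` and `show ip route` output shown above and verifies that both tunnels' BGP sessions are Established with AS 31898 and that 10.0.0.0/24 was learned from an expected OCI peer; it goes one step beyond the article by also flagging a BGP-learned prefix that would cover the on-premises LAN or the default route. The sample outputs are copied from the article (the neighbor output abridged to the lines parsed), while the function names and the EXPECTED_PEERS table are this example's own assumptions.

```python
import ipaddress
import re
OCI_ASN = 31898              # Oracle Cloud's ASN, as stated in the article
OCI_SUBNET = "10.0.0.0/24"
ON_PREM_LAN = ipaddress.ip_network("192.168.100.0/24")
EXPECTED_PEERS = {"192.168.0.103": 1, "192.168.0.105": 2}   # OCI peer IP -> local tunnel number (assumed table)

# Constructed sample: the article's `show status bgp neighbor` output, abridged to the lines parsed here
BGP_NEIGHBOR_OUTPUT = """\
BGP neighbor is 192.168.0.103, remote AS 31898, local AS 65000, external link
BGP state = Established, up for 00:02:19
Sent 8 messages, 1 notifications, 0 in queue
BGP neighbor is 192.168.0.105, remote AS 31898, local AS 65000, external link
BGP state = Established, up for 00:02:27
Sent 8 messages, 1 notifications, 0 in queue
"""

# Constructed sample: the article's `show ip route` output
ROUTE_OUTPUT = """\
Destination Gateway Interface Kind Additional Info.
default - PP[01] static filter:500000
default - PP[01] static
10.0.0.0/24 192.168.0.103 TUNNEL[1] BGP path=31898
192.168.100.0/24 192.168.100.1 LAN1 implicit
192.168.0.102/31 - TUNNEL[1] implicit
192.168.0.104/31 - TUNNEL[2] implicit
"""

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+), remote AS (\d+), local AS (\d+)")
STATE_RE = re.compile(r"^BGP state = (\w+)")
SENT_RE = re.compile(r"^Sent \d+ messages, (\d+) notifications")

def parse_bgp_neighbors(text):
    """Map peer IP -> {remote_as, local_as, state, notifications_sent}."""
    peers, current = {}, None
    for line in text.splitlines():
        if m := NEIGHBOR_RE.match(line):
            current = {"remote_as": int(m.group(2)), "local_as": int(m.group(3)),
                       "state": "Unknown", "notifications_sent": 0}
            peers[m.group(1)] = current
        elif current is not None and (m := STATE_RE.match(line)):
            current["state"] = m.group(1)
        elif current is not None and (m := SENT_RE.match(line)):
            current["notifications_sent"] = int(m.group(1))
    return peers

def parse_routes(text):
    """Turn `show ip route` rows into dicts; key=value extras such as path=31898 become keys."""
    routes = []
    for line in text.splitlines()[1:]:            # skip the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        extra = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        routes.append({"dest": parts[0], "gateway": parts[1], "iface": parts[2], "kind": parts[3], **extra})
    return routes

def covers_on_prem(dest):
    """True if a learned prefix is the default route or overlaps the on-prem LAN (route leak or hijack sign)."""
    try:
        return ipaddress.ip_network(dest, strict=False).overlaps(ON_PREM_LAN)
    except ValueError:                            # Yamaha prints the default route as "default"
        return dest == "default"

def check_vpn_health(neighbor_text, route_text):
    """Return (errors, warnings): errors mean traffic will not flow, warnings deserve a look."""
    errors, warnings = [], []
    peers = parse_bgp_neighbors(neighbor_text)
    for peer, tunnel in EXPECTED_PEERS.items():
        info = peers.get(peer)
        if info is None:
            errors.append(f"tunnel {tunnel}: no BGP session to {peer}")
            continue
        if info["remote_as"] != OCI_ASN:
            errors.append(f"tunnel {tunnel}: peer {peer} is AS {info['remote_as']}, expected {OCI_ASN}")
        if info["state"] != "Established":
            errors.append(f"tunnel {tunnel}: BGP state is {info['state']}, not Established")
        if info["notifications_sent"]:
            warnings.append(f"tunnel {tunnel}: {info['notifications_sent']} NOTIFICATION(s) sent, session was reset earlier")
    bgp_routes = [r for r in parse_routes(route_text) if r["kind"] == "BGP"]
    oci = next((r for r in bgp_routes if r["dest"] == OCI_SUBNET), None)
    if oci is None:
        errors.append(f"{OCI_SUBNET} not learned via BGP")
    elif oci.get("path") != str(OCI_ASN) or oci["gateway"] not in EXPECTED_PEERS:
        errors.append(f"{OCI_SUBNET} learned via {oci['gateway']} path={oci.get('path')}, not from OCI")
    for r in bgp_routes:
        if covers_on_prem(r["dest"]):
            warnings.append(f"peer {r['gateway']} advertised {r['dest']}, which covers the on-prem LAN")
    return errors, warnings
```

On the article's own output the check reports no errors and two warnings, one per tunnel, because each session shows one NOTIFICATION sent during bring-up.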
● Verify connectivity to the BGP tunnel interface IPs
Verify that the IPs used for the BGP tunnels are reachable
# ping -c 3 192.168.0.102
received from 192.168.0.102: icmp_seq=0 ttl=255 time=0.028ms
received from 192.168.0.102: icmp_seq=1 ttl=255 time=0.014ms
received from 192.168.0.102: icmp_seq=2 ttl=255 time=0.013ms
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max = 0.013/0.018/0.028 ms
# ping -c 3 192.168.0.103
received from 192.168.0.103: icmp_seq=0 ttl=63 time=40.989ms
received from 192.168.0.103: icmp_seq=1 ttl=63 time=30.870ms
received from 192.168.0.103: icmp_seq=2 ttl=63 time=20.522ms
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max = 20.522/30.793/40.989 ms
# ping -c 3 192.168.0.104
received from 192.168.0.104: icmp_seq=0 ttl=255 time=0.019ms
received from 192.168.0.104: icmp_seq=1 ttl=255 time=0.014ms
received from 192.168.0.104: icmp_seq=2 ttl=255 time=0.013ms
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max = 0.013/0.015/0.019 ms
# ping -c 3 192.168.0.105
received from 192.168.0.105: icmp_seq=0 ttl=63 time=28.160ms
received from 192.168.0.105: icmp_seq=1 ttl=63 time=16.867ms
received from 192.168.0.105: icmp_seq=2 ttl=63 time=19.639ms
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max = 16.867/21.555/28.160 ms
● Check the OCI console
Verify that the BGP Status shows UP
■ Verify instance connectivity
● Verify communication from the OCI instance to the on-premises instance
・Ping check
[opc@oci-inst01 ~]$ ping -c 3 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=62 time=6.56 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=62 time=4.73 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=62 time=7.83 ms
--- 192.168.100.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 4.736/6.380/7.836/1.272 ms
· ssh check
Verify that ssh prints the remote hostname
[opc@oci-inst01 ~]$ ssh [email protected] hostname
The authenticity of host '192.168.100.2 (192.168.100.2)' can't be established.
ECDSA key fingerprint is SHA256:IyO/gHz8uoauFpQFb7zZHgWRD4.
ECDSA key fingerprint is MD5:5e:2c:5d:79::fb:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
onp-inst01
● Verify communication from the on-premises instance to the OCI instance
・Ping check
root@onp-inst01:~ # ping -c 3 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=62 time=19.6 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=62 time=4.42 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=62 time=13.9 ms
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 4.426/12.683/19.668/6.287 ms
· ssh check
Verify that ssh prints the remote hostname
root@onp-inst01:~ # ssh -i id_rsa [email protected] hostname
The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
ECDSA key fingerprint is SHA256:GfDmeI//qisrVVjZWJAtSouA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.2' (ECDSA) to the list of known hosts.
oci-inst01
Reference
https://qiita.com/shirok/items/199d624ff414b0441576