05_network:04_vyatta:vyatta_l2tp_ipsec_bridge [2012/12/10 09:25] – [vyatta-A] matsui
05_network:04_vyatta:vyatta_l2tp_ipsec_bridge [2012/12/14 01:16] (current) matsui
行 1: 行 1:
 +====== Vyatta - IPSec Brige / L2TP(IPSec)+Nat ======
 +
 +
 +|Name|eth0|eth1|localPC|
 +|vyatta-A|10.10.10.246/24|192.168.10.246/24|192.168.10.5/24|
 +|vyatta-B|10.10.20.75/24|192.168.20.75/24|192.168.20.250/24|
 +
 +<code>
 ++----------+         +----------+                           +----------+           +----------+
 +|          |                  |                                    |                    |
 +|          |eth0 eth1|          |eth0                   eth0|          |eth1   eth0|          |
 ++localPC-A +---------+ vyatta-A +--------  INTERNET --------+ vyatta-B +-----------+localPC-B +
 +|          |                  |                                    |                    |
 +|          |                  |                                    |                    |
 ++----+-----+         +----+-----+                           +----+-----+           +----+-----+
 +</code>
 +====== インターフェース設定 ======
 +===== vyatta-A =====
 +<code>
 +# set interfaces ethernet eth0 address 10.10.10.246/24
 +# set interfaces ethernet eth1 address 192.168.10.246/24
 +# set system gateway-address '10.10.10.1'
 +# set system host-name 'vyatta-A'
 +</code>
 +
 +===== vyatta-B =====
 +<code>
 +# set interfaces ethernet eth0 address 10.10.20.75/24
 +# set interfaces ethernet eth1 address 192.168.20.75/24
 +# set system gateway-address '10.10.20.1'
 +# set system host-name 'vyatta-A'
 +</code>
 +
 +====== VPN IPSec Bridge======
 +
 +===== vyatta-A =====
 +<code>
 +# set vpn ipsec esp-group ns-esp mode 'tunnel'
 +# set vpn ipsec esp-group ns-esp pfs 'enable'
 +# set vpn ipsec esp-group ns-esp proposal 1 encryption 'aes128'
 +# set vpn ipsec ike-group ns-ike lifetime '28800'
 +# set vpn ipsec ike-group ns-ike proposal 1 dh-group '2'
 +# set vpn ipsec ike-group ns-ike proposal 1 encryption 'aes128'
 +# set vpn ipsec ike-group ns-ike proposal 1 hash 'sha1'
 +# set vpn ipsec ipsec-interfaces interface 'eth0'
 +# set vpn ipsec nat-networks allowed-network '192.168.10.0/24'
 +# set vpn ipsec nat-traversal 'enable'
 +# set vpn ipsec site-to-site peer 10.10.20.75 authentication mode 'pre-shared-secret'
 +# set vpn ipsec site-to-site peer 10.10.20.75 authentication pre-shared-secret 'pre-shared-secret'
 +# set vpn ipsec site-to-site peer 10.10.20.75 connection-type 'initiate'
 +# set vpn ipsec site-to-site peer 10.10.20.75 ike-group 'ns-ike'
 +# set vpn ipsec site-to-site peer 10.10.20.75 local-ip '10.10.10.246'
 +# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 esp-group 'ns-esp'
 +# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 local subnet '192.168.10.0/24'
 +# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 remote subnet '192.168.20.0/24'
 +</code>
 +<color red>※pre-shared-secretは任意のものを設定</color>
 +
 +===== vyatta-B =====
 +vyatta-B側は、インターネットからL2TPで接続できるようにするので\\
 +allow-networkは0.0.0.0/0にしておく
 +
 +
 +<code>
 +# set vpn ipsec esp-group ns-esp mode 'tunnel'
 +# set vpn ipsec esp-group ns-esp pfs 'enable'
 +# set vpn ipsec esp-group ns-esp proposal 1 encryption 'aes128'
 +# set vpn ipsec ike-group ns-ike lifetime '28800'
 +# set vpn ipsec ike-group ns-ike proposal 1 dh-group '2'
 +# set vpn ipsec ike-group ns-ike proposal 1 encryption 'aes128'
 +# set vpn ipsec ike-group ns-ike proposal 1 hash 'sha1'
 +# set vpn ipsec ipsec-interfaces interface 'eth0'
 +# set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
 +# set vpn ipsec nat-traversal 'enable'
 +# set vpn ipsec site-to-site peer 10.10.20.75 authentication mode 'pre-shared-secret'
 +# set vpn ipsec site-to-site peer 10.10.20.75 authentication pre-shared-secret 'pre-shared-secret'
 +# set vpn ipsec site-to-site peer 10.10.20.75 connection-type 'initiate'
 +# set vpn ipsec site-to-site peer 10.10.20.75 ike-group 'ns-ike'
 +# set vpn ipsec site-to-site peer 10.10.20.75 local-ip '10.10.20.75'
 +# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 esp-group 'ns-esp'
 +# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 local subnet '192.168.20.0/24'
 +# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 remote subnet '192.168.10.0/24'
 +</code>
 +<color red>※pre-shared-secretは任意のものを設定</color>
 +
 +====== Nat追加 ======
 +下記のNat設定を追加して、LocalPC-A - LocalPC-B 間でPing疎通が取れて\\
 +LocalPC-A - LocalPC-B共に外部へ接続する事ができれば完成。
 +
 +<color red>この際に、Natを通っては行けない相手側のネットワークを\\
 +Not条件でしてしておくのがポイント。</color>
 +===== vyatta-A =====
 +<code>
 +# set nat source rule 10 destination address '!192.168.20.0/24'
 +# set nat source rule 10 outbound-interface 'eth0'
 +# set nat source rule 10 translation address 'masquerade'
 +</code>
 +
 +===== vyatta-B =====
 +<code>
 +# set nat source rule 10 destination address '!192.168.10.0/24'
 +# set nat source rule 10 outbound-interface 'eth0'
 +# set nat source rule 10 translation address 'masquerade'
 +</code>
 +
 +====== L2TP接続 ======
 +最後に、vyatta-Bへ外部からL2TPで接続する用の設定\\
 +基本的に[[05_network:04_vyatta:vyatta_l2tp_ipsec|]]と同じ
 +
 +設定後、L2TPで接続したPCからLocalPC-A,LocalPC-BにPing疎通が取れていれば完成
 +
 +<code>
 +# set vpn l2tp remote-access authentication local-users username vpn-user password 'vpn-user-passwod'
 +# set vpn l2tp remote-access authentication mode 'local'
 +# set vpn l2tp remote-access client-ip-pool start '192.168.20.200'
 +# set vpn l2tp remote-access client-ip-pool stop '192.168.20.220'
 +# set vpn l2tp remote-access dns-servers server-1 '10.10.20.1'
 +# set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
 +# set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'pre-shared-secret'
 +# set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
 +# set vpn l2tp remote-access outside-address '10.10.20.75'
 +</code>
 +<color red>※vpn-user-passwodは任意のものを設定</color>\\
 +<color red>※pre-shared-secretは任意のものを設定</color>
 +
 +
 +====== Error log ======
 +KVMで同じethから出てる、3台目のサーバを追加してみたら下記のようなエラーでブツブツとVPNが切れて\\
 +パケロスが50%くらい出ました。
 +
 +同じethが出てるのが問題なのかな・・・たぶん
 +
 +  Dec 14 00:45:12 vyatta01 pluto[20335]: packet from 10.10.20.76:500: Informational Exchange is for an unknown (expired?) SA
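Review bot: the vyatta-B interface block sets `# set system host-name 'vyatta-A'` (second "===== vyatta-B =====" heading), a copy-paste slip that should read 'vyatta-B'. The same slip runs through the vyatta-B IPSec block: every `site-to-site peer 10.10.20.75` line names vyatta-B's own eth0 address from the table, while the peer for this side is vyatta-A at 10.10.10.246, so with both ends pointing at 10.10.20.75 the tunnel cannot come up; `local-ip '10.10.20.75'` on that side is the only address there that is right. In the L2TP block the placeholder password is misspelled 'vpn-user-passwod' and the red note repeats the typo; also note that the L2TP block reuses the literal 'pre-shared-secret' placeholder that the site-to-site peer already uses, so the two secrets should be stated as distinct values. The IKE proposal (dh-group 2 with sha1) is weak by current standards; prefer dh-group 14 or higher and sha256 where the platform and peer support them. On the error-log section, the pluto message is an ISAKMP informational from 10.10.20.76, which is not a configured peer anywhere in this page, so it is consistent with a host sending for an SA this gateway never negotiated; confirm which address the third KVM guest actually uses before attributing the VPN drops and packet loss to the shared NIC.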