====== Vyatta - IPsec Bridge / L2TP(IPsec)+NAT ======

|Name|eth0|eth1|localPC|
|vyatta-A|10.10.10.246/24|192.168.10.246/24|192.168.10.5/24|
|vyatta-B|10.10.20.75/24|192.168.20.75/24|192.168.20.250/24|

<code>
 +----------+         +----------+                        +----------+           +----------+
 |          |         |          |                        |          |           |          |
 |          |eth0 eth1|          |eth0                eth0|          |eth1   eth0|          |
 +localPC-A +---------+ vyatta-A +------- INTERNET -------+ vyatta-B +-----------+localPC-B +
 |          |         |          |                        |          |           |          |
 +----+-----+         +----+-----+                        +----+-----+           +----+-----+
</code>

====== Interface configuration ======

===== vyatta-A =====
<code>
# set interfaces ethernet eth0 address 10.10.10.246/24
# set interfaces ethernet eth1 address 192.168.10.246/24
# set system gateway-address '10.10.10.1'
# set system host-name 'vyatta-A'
</code>

===== vyatta-B =====
<code>
# set interfaces ethernet eth0 address 10.10.20.75/24
# set interfaces ethernet eth1 address 192.168.20.75/24
# set system gateway-address '10.10.20.1'
# set system host-name 'vyatta-B'
</code>

====== VPN IPsec Bridge ======
Each side peers with the other side's eth0 address, uses its own eth0 address as local-ip, and swaps local/remote subnet.

===== vyatta-A =====
<code>
# set vpn ipsec esp-group ns-esp mode 'tunnel'
# set vpn ipsec esp-group ns-esp pfs 'enable'
# set vpn ipsec esp-group ns-esp proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike lifetime '28800'
# set vpn ipsec ike-group ns-ike proposal 1 dh-group '2'
# set vpn ipsec ike-group ns-ike proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike proposal 1 hash 'sha1'
# set vpn ipsec ipsec-interfaces interface 'eth0'
# set vpn ipsec nat-networks allowed-network '192.168.10.0/24'
# set vpn ipsec nat-traversal 'enable'
# set vpn ipsec site-to-site peer 10.10.20.75 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.20.75 authentication pre-shared-secret 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.20.75 connection-type 'initiate'
# set vpn ipsec site-to-site peer 10.10.20.75 ike-group 'ns-ike'
# set vpn ipsec site-to-site peer 10.10.20.75 local-ip '10.10.10.246'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 esp-group 'ns-esp'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 local subnet '192.168.10.0/24'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 remote subnet '192.168.20.0/24'
</code>
<color red>※ Replace 'pre-shared-secret' with a secret of your own (a long random string; it must be identical on both sides).</color>\\
<color red>※ dh-group 2 (1024-bit MODP) and sha1 are weak by current standards; use a stronger group and hash if the Vyatta release on both peers supports them.</color>

===== vyatta-B =====
On vyatta-B, L2TP clients will connect from the Internet, so\\
allowed-network is set to 0.0.0.0/0.

<code>
# set vpn ipsec esp-group ns-esp mode 'tunnel'
# set vpn ipsec esp-group ns-esp pfs 'enable'
# set vpn ipsec esp-group ns-esp proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike lifetime '28800'
# set vpn ipsec ike-group ns-ike proposal 1 dh-group '2'
# set vpn ipsec ike-group ns-ike proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike proposal 1 hash 'sha1'
# set vpn ipsec ipsec-interfaces interface 'eth0'
# set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
# set vpn ipsec nat-traversal 'enable'
# set vpn ipsec site-to-site peer 10.10.10.246 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.10.246 authentication pre-shared-secret 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.10.246 connection-type 'initiate'
# set vpn ipsec site-to-site peer 10.10.10.246 ike-group 'ns-ike'
# set vpn ipsec site-to-site peer 10.10.10.246 local-ip '10.10.20.75'
# set vpn ipsec site-to-site peer 10.10.10.246 tunnel 1 esp-group 'ns-esp'
# set vpn ipsec site-to-site peer 10.10.10.246 tunnel 1 local subnet '192.168.20.0/24'
# set vpn ipsec site-to-site peer 10.10.10.246 tunnel 1 remote subnet '192.168.10.0/24'
</code>
<color red>※ Replace 'pre-shared-secret' with the same secret configured on vyatta-A.</color>

====== Adding NAT ======
Add the NAT rules below. The setup is complete when LocalPC-A and LocalPC-B can ping each other\\
and both LocalPC-A and LocalPC-B can also reach the outside.

<color red>The point here is to exclude the other side's network, which must not go through NAT,\\
with a negated destination match.</color> Without the exclusion, packets for the remote LAN are masqueraded to the eth0 address before the IPsec policy is matched, so they no longer match the tunnel's local subnet and never enter the tunnel.

===== vyatta-A =====
<code>
# set nat source rule 10 destination address '!192.168.20.0/24'
# set nat source rule 10 outbound-interface 'eth0'
# set nat source rule 10 translation address 'masquerade'
</code>

===== vyatta-B =====
<code>
# set nat source rule 10 destination address '!192.168.10.0/24'
# set nat source rule 10 outbound-interface 'eth0'
# set nat source rule 10 translation address 'masquerade'
</code>

====== L2TP connection ======
Finally, the configuration that lets remote clients connect to vyatta-B over L2TP from the Internet.\\
It is essentially the same as [[05_network:04_vyatta:vyatta_l2tp_ipsec|]].

Once configured, the setup is complete when a PC connected over L2TP can ping both LocalPC-A and LocalPC-B. (The client pool 192.168.20.200-220 lies inside vyatta-B's LAN 192.168.20.0/24, which is the tunnel's local subnet on vyatta-B, so an L2TP client's traffic to 192.168.10.0/24 is carried over the site-to-site tunnel to vyatta-A.)

<code>
# set vpn l2tp remote-access authentication local-users username vpn-user password 'vpn-user-password'
# set vpn l2tp remote-access authentication mode 'local'
# set vpn l2tp remote-access client-ip-pool start '192.168.20.200'
# set vpn l2tp remote-access client-ip-pool stop '192.168.20.220'
# set vpn l2tp remote-access dns-servers server-1 '10.10.20.1'
# set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
# set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'pre-shared-secret'
# set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
# set vpn l2tp remote-access outside-address '10.10.20.75'
</code>
<color red>※ Replace 'vpn-user-password' with a password of your own.</color>\\
<color red>※ Replace 'pre-shared-secret' with a secret of your own; this L2TP secret is shared by every remote client, so make it long and random.</color>

====== Error log ======
When I added a third server on KVM that comes out of the same eth, the VPN kept dropping with errors like the one below,\\
and I saw about 50% packet loss.

Maybe the problem is that they share the same eth... probably.

<code>
Dec 14 00:45:12 vyatta01 pluto[20335]: packet from 10.10.20.76:500: Informational Exchange is for an unknown (expired?) SA
</code>
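The site-to-site and NAT sections above are two near-identical listings that differ only in which side is "local", which is exactly where copy-paste mistakes creep in (peer left as the router's own address, subnets not swapped, NAT exclusion pointing at the wrong LAN, the placeholder secret left in place). The script below is an added example, not code from the wiki page or from Vyatta: it builds both sides' commands from one topology table and lints any pair of listings for those mistakes. The lint rules, the `site_commands`/`parse_side`/`lint_pair` names and the `BAD_B` input are my own constructions; dh-group 14 and sha256 are assumed to be available on the Vyatta release in use (the page itself uses dh-group 2 and sha1, which the lint flags as weak).

```python
"""Added example (not from the wiki page): build the vyatta-A / vyatta-B
site-to-site IPsec + source-NAT commands from one topology table and lint
a pair of listings for the mistakes that silently break this setup."""
import re
import secrets

WEAK_DH = {"1", "2", "5"}          # MODP 768/1024/1536-bit groups
WEAK_HASH = {"md5", "sha1"}
PLACEHOLDER_PSK = "pre-shared-secret"

SITES = {  # name: (eth0 address = IPsec local-ip, LAN behind eth1); from the page's table
    "vyatta-A": ("10.10.10.246", "192.168.10.0/24"),
    "vyatta-B": ("10.10.20.75", "192.168.20.0/24"),
}


def new_psk():
    """A pre-shared secret worth using: 32 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(32)


def site_commands(me, other, psk, dh_group="14", hash_alg="sha256"):
    """Vyatta 'set' lines for one side. dh-group 14 / sha256 are an assumption
    about what the Vyatta release supports (the page uses 2 / sha1)."""
    local_ip, local_lan = SITES[me]
    peer_ip, remote_lan = SITES[other]
    p = f"set vpn ipsec site-to-site peer {peer_ip}"
    return [
        "set vpn ipsec esp-group ns-esp mode 'tunnel'",
        "set vpn ipsec esp-group ns-esp pfs 'enable'",
        "set vpn ipsec esp-group ns-esp proposal 1 encryption 'aes128'",
        "set vpn ipsec ike-group ns-ike lifetime '28800'",
        f"set vpn ipsec ike-group ns-ike proposal 1 dh-group '{dh_group}'",
        "set vpn ipsec ike-group ns-ike proposal 1 encryption 'aes128'",
        f"set vpn ipsec ike-group ns-ike proposal 1 hash '{hash_alg}'",
        "set vpn ipsec ipsec-interfaces interface 'eth0'",
        "set vpn ipsec nat-traversal 'enable'",
        f"{p} authentication mode 'pre-shared-secret'",
        f"{p} authentication pre-shared-secret '{psk}'",
        f"{p} ike-group 'ns-ike'",
        f"{p} local-ip '{local_ip}'",
        f"{p} tunnel 1 esp-group 'ns-esp'",
        f"{p} tunnel 1 local subnet '{local_lan}'",
        f"{p} tunnel 1 remote subnet '{remote_lan}'",
        # Masquerade everything leaving eth0 EXCEPT traffic for the remote LAN,
        # so that traffic still matches the tunnel's local subnet selector.
        f"set nat source rule 10 destination address '!{remote_lan}'",
        "set nat source rule 10 outbound-interface 'eth0'",
        "set nat source rule 10 translation address 'masquerade'",
    ]


PEER_RE = re.compile(r"set vpn ipsec site-to-site peer (\S+) (.+)")
FIELD_RE = {
    "local_ip": re.compile(r"local-ip '?([\d.]+)'?$"),
    "local_subnet": re.compile(r"tunnel \d+ local subnet '?([\d./]+)'?$"),
    "remote_subnet": re.compile(r"tunnel \d+ remote subnet '?([\d./]+)'?$"),
    "psk": re.compile(r"authentication pre-shared-secret '(.*)'$"),
}
IKE_RE = re.compile(r"set vpn ipsec ike-group \S+ proposal \d+ (dh-group|hash) '?(\w+)'?")
NAT_RE = re.compile(r"set nat source rule \d+ destination address '!([\d./]+)'")


def parse_side(commands):
    """Extract the fields the consistency checks need from 'set' lines
    (a leading '# ' prompt, as in the page's listings, is tolerated)."""
    side = {"dh": set(), "hash": set()}
    for raw in commands:
        line = raw.strip().lstrip("#").strip()
        if m := PEER_RE.match(line):
            side["peer"] = m.group(1)
            for key, rx in FIELD_RE.items():
                if fm := rx.match(m.group(2)):
                    side[key] = fm.group(1)
        elif m := IKE_RE.match(line):
            side["dh" if m.group(1) == "dh-group" else "hash"].add(m.group(2))
        elif m := NAT_RE.match(line):
            side["nat_exclude"] = m.group(1)
    return side


def lint_pair(a_cmds, b_cmds):
    """Return human-readable problems; an empty list means the pair is consistent."""
    a, b = parse_side(a_cmds), parse_side(b_cmds)
    problems = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me.get("peer") == me.get("local_ip"):
            problems.append(f"{name}: peer equals its own local-ip {me.get('local_ip')}")
        if me.get("peer") != other.get("local_ip"):
            problems.append(f"{name}: peer {me.get('peer')} is not the other side's local-ip")
        if me.get("local_subnet") != other.get("remote_subnet"):
            problems.append(f"{name}: local subnet {me.get('local_subnet')} != other side's remote subnet")
        if me.get("nat_exclude") != me.get("remote_subnet"):
            problems.append(f"{name}: NAT exclusion {me.get('nat_exclude')} must equal remote subnet {me.get('remote_subnet')}")
        if me.get("psk") in (None, PLACEHOLDER_PSK) or len(me["psk"]) < 20:
            problems.append(f"{name}: placeholder or short pre-shared-secret")
        if me["dh"] & WEAK_DH or me["hash"] & WEAK_HASH:
            problems.append(f"{name}: weak IKE proposal (dh {sorted(me['dh'])}, hash {sorted(me['hash'])})")
    if a.get("psk") != b.get("psk"):
        problems.append("pre-shared-secret differs between the two sides")
    return problems


# Constructed input: a vyatta-B block copy-pasted from vyatta-A in which the peer
# was left as B's own eth0 address and the placeholder secret was kept.
BAD_B = [
    "# set vpn ipsec ike-group ns-ike proposal 1 dh-group '2'",
    "# set vpn ipsec ike-group ns-ike proposal 1 hash 'sha1'",
    "# set vpn ipsec site-to-site peer 10.10.20.75 authentication pre-shared-secret 'pre-shared-secret'",
    "# set vpn ipsec site-to-site peer 10.10.20.75 local-ip '10.10.20.75'",
    "# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 local subnet '192.168.20.0/24'",
    "# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 remote subnet '192.168.10.0/24'",
    "# set nat source rule 10 destination address '!192.168.10.0/24'",
]

if __name__ == "__main__":
    psk = new_psk()
    good_a = site_commands("vyatta-A", "vyatta-B", psk)
    good_b = site_commands("vyatta-B", "vyatta-A", psk)
    print("\n".join(good_a))
    print("generated pair:", lint_pair(good_a, good_b) or "OK")
    print("copy-paste pair:", *lint_pair(good_a, BAD_B), sep="\n  ")
```

Run it to print vyatta-A's commands and the lint results; the generated pair comes back clean, while the copy-pasted `BAD_B` is flagged for the self-referencing peer, the peer not matching vyatta-A's local-ip, the placeholder secret, the weak proposal, and the mismatched secrets.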
05_network/04_vyatta/vyatta_l2tp_ipsec_bridge.txt · Last modified: 2012/12/14 01:16 by matsui