一.测试拓扑
备注:参考链接中的配置基于VyOS 1.1,IKEv2未能配置成功;本文按VyOS 1.3的语法配置并验证成功。更高版本的VyOS对vpn ipsec / vti相关命令的语法有调整,请对照所用版本的文档核对命令。
二.配置步骤
1.基本配置
A.PC1路由器
! PC1 is simulated by an IOS router: one LAN address plus a default route
! pointing at Site1's inside interface (172.16.100.254, eth2 on vyos1).
interface Ethernet0/0
ip address 172.16.100.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.100.254
B.Site1(VyOS1)
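# Site1: eth1 = WAN (202.100.1.1), eth2 = LAN (172.16.100.0/24).
# 'interfaces' is the canonical node name; the original listing used the
# abbreviated 'interface', which relies on the shell's prefix matching.
set system host-name 'vyos1'
set interfaces ethernet eth1 address '202.100.1.1/24'
set interfaces ethernet eth2 address '172.16.100.254/24'
set protocols static route 0.0.0.0/0 next-hop '202.100.1.10'
# Masquerade LAN traffic leaving eth1. The rule is deliberately numbered 20:
# source NAT rules are evaluated in ascending rule-number order, so the IPsec
# exclusion rule 10 added in section 2 is matched first. Without that ordering
# LAN-to-LAN packets would be translated and never match the tunnel selectors.
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.100.0/24'
set nat source rule 20 translation address 'masquerade'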
C.Internet路由器
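! "Internet" transit router between the two sites. It only needs the two
! directly connected WAN subnets: the 172.16.x.0/24 prefixes never reach it
! in the clear (they are either masqueraded or carried inside ESP).
! 'no shutdown' is added on both interfaces for consistency with the PC
! routers; IOS leaves physical interfaces administratively down by default.
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
no shutdown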
D.Site2(VyOS2)
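# Site2: eth1 = WAN (61.128.1.1), eth2 = LAN (172.16.200.0/24).
# 'interfaces' is the canonical node name; the original listing used the
# abbreviated 'interface', which relies on the shell's prefix matching.
set system host-name 'vyos2'
set interfaces ethernet eth1 address '61.128.1.1/24'
set interfaces ethernet eth2 address '172.16.200.254/24'
set protocols static route 0.0.0.0/0 next-hop '61.128.1.10'
# Masquerade LAN traffic leaving eth1. Numbered 20 so that the IPsec
# exclusion rule 10 added in section 2 is evaluated before it.
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.200.0/24'
set nat source rule 20 translation address 'masquerade'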
E.PC2路由器
! PC2 is simulated by an IOS router: one LAN address plus a default route
! pointing at Site2's inside interface (172.16.200.254, eth2 on vyos2).
interface Ethernet0/0
ip address 172.16.200.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.200.254
2.基本site-to-site VPN IKEv1配置
A.Site1(VyOS1)
--配置第一阶段策略集
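# IKE (phase 1) proposal. The original write-up used dh-group 5 (MODP-1536)
# and hash md5; both are deprecated for new deployments, so sha256 and
# dh-group 14 (MODP-2048) are used here. The ike-group must be identical on
# both peers, which is why Site1 and Site2 are changed together in this
# section.
# NOTE: the verification captures later on this page were taken with the
# original md5 / dh-group5 / dh-group2 proposals; with these values only the
# algorithm columns in those outputs change.
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '14'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'sha256'
--配置第二阶段策略集
# ESP (phase 2) proposal. PFS with dh-group2 (MODP-1024) was weaker than the
# IKE group itself; dh-group14 is used for PFS as well.
set vpn ipsec esp-group vyos-esp pfs 'dh-group14'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'sha256'
--配置对等体
# Peer definition. The PSK below is a lab value: in production use a long
# random secret (e.g. `openssl rand -base64 32`), identical on both peers,
# and treat the saved configuration as sensitive because the secret is
# stored in clear text.
set vpn ipsec site-to-site peer 61.128.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 61.128.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 61.128.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 61.128.1.1 local-address '202.100.1.1'
# Policy-based tunnel: only traffic matching local/remote prefix is
# protected; all other LAN traffic still leaves through NAT rule 20.
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 esp-group 'vyos-esp'
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 local prefix '172.16.100.0/24'
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 remote prefix '172.16.200.0/24'
--在接口启用ipsec
# Interface IPsec (IKE/ESP) is bound to: the WAN side.
set vpn ipsec ipsec-interfaces interface 'eth1'
--配置NAT免除
# NAT exclusion. It must carry a lower rule number than the masquerade
# rule (20) so it is matched first; otherwise LAN-to-LAN packets are
# source-NATed to 202.100.1.1 and never match the tunnel's local prefix.
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 'exclude'
set nat source rule 10 source address '172.16.100.0/24'
set nat source rule 10 destination address '172.16.200.0/24'
B.Site2(VyOS2)
--配置第一阶段策略集
# Mirror of Site1: identical ike-group / esp-group values, swapped
# addresses and prefixes.
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '14'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'sha256'
--配置第二阶段策略集
set vpn ipsec esp-group vyos-esp pfs 'dh-group14'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'sha256'
--配置对等体
# Same PSK as Site1 (lab value, see the note above).
set vpn ipsec site-to-site peer 202.100.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 202.100.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 202.100.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 202.100.1.1 local-address '61.128.1.1'
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 esp-group 'vyos-esp'
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 local prefix '172.16.200.0/24'
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 remote prefix '172.16.100.0/24'
--在接口启用ipsec
set vpn ipsec ipsec-interfaces interface 'eth1'
--配置NAT免除
# Exclusion rule 10 precedes masquerade rule 20, as on Site1.
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 'exclude'
set nat source rule 10 source address '172.16.200.0/24'
set nat source rule 10 destination address '172.16.100.0/24'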
3.通过vti VPN IKEv1配置
相对前面的基本site-to-site VPN配置,使用vti不需要配置感兴趣流(子SA的选择符变为0.0.0.0/0 === 0.0.0.0/0,见后面的debug输出),也不需要配置nat免除(流量经路由进入vti0而不是从eth1出去,rule 20的masquerade不会命中),还可以跑动态路由协议。代价是:凡是路由指向vti0的流量都会进入隧道,访问控制依赖路由表和vti0上的防火墙策略,而不再依赖IPsec选择符。
A.Site1(VyOS1)
--添加VTI接口
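# Route-based (VTI) tunnel endpoint with /31 point-to-point addressing; the
# vti0 address is used only for the OSPF adjacency and next-hops.
# Sections 2 and 3 are alternative configurations for the same peer: remove
# the 'tunnel 0' definitions and NAT rule 10 from section 2 before adding
# the vti binding (TODO confirm whether this release accepts both forms on
# one peer at the same time).
set interfaces vti vti0 address '10.1.1.2/31'
set interfaces vti vti0 ip ospf network 'point-to-point'
--配置第一阶段策略集
# Same ike-group as section 2, with the deprecated md5 / dh-group5 replaced
# by sha256 / dh-group14. Values must match Site2 below. The debug captures
# later on this page were taken with the original algorithms, so only the
# algorithm fields in them differ.
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '14'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'sha256'
备注:与前面相同
--配置第二阶段策略集
set vpn ipsec esp-group vyos-esp pfs 'dh-group14'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'sha256'
备注:与前面相同
--配置对等体,在vti接口调用第二阶段策略集
# No 'tunnel N local/remote prefix' here: the child SA selectors become
# 0.0.0.0/0 === 0.0.0.0/0 (see the debug output below), so whatever the
# routing table sends into vti0 is encrypted. Access control therefore rests
# on routing and on any firewall applied to vti0, not on IPsec selectors.
# The PSK is a lab value; use a long random secret in production.
set vpn ipsec site-to-site peer 61.128.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 61.128.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 61.128.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 61.128.1.1 local-address '202.100.1.1'
set vpn ipsec site-to-site peer 61.128.1.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 61.128.1.1 vti esp-group 'vyos-esp'
--在接口启用ipsec
# Bind IPsec to the WAN interface.
set vpn ipsec ipsec-interfaces interface 'eth1'
--配置动态路由OSPF
set protocols ospf parameters router-id '202.100.1.1'
set protocols ospf area 0.0.0.0 network '172.16.100.0/24'
set protocols ospf area 0.0.0.0 network '10.1.1.2/31'
# Enabling OSPF on the LAN prefix also sends hellos on eth2 and would form an
# adjacency with any OSPF speaker on the LAN. Making eth2 passive keeps the
# prefix advertised while adjacencies are accepted only across vti0.
set protocols ospf passive-interface 'eth2'
B.Site2(VyOS2)
--添加VTI接口
set interfaces vti vti0 address '10.1.1.3/31'
set interfaces vti vti0 ip ospf network 'point-to-point'
--配置第一阶段策略集
# Mirror of Site1; proposals must be identical.
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '14'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'sha256'
备注:与前面相同
--配置第二阶段策略集
set vpn ipsec esp-group vyos-esp pfs 'dh-group14'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'sha256'
备注:与前面相同
--配置对等体,在vti接口调用第二阶段策略集
set vpn ipsec site-to-site peer 202.100.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 202.100.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 202.100.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 202.100.1.1 local-address '61.128.1.1'
set vpn ipsec site-to-site peer 202.100.1.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 202.100.1.1 vti esp-group 'vyos-esp'
--在接口启用ipsec
# eth1 is Site2's WAN interface (see the basic configuration and section 2);
# the original listing had 'eth0' here, which does not match the rest of
# the page.
set vpn ipsec ipsec-interfaces interface 'eth1'
--配置动态路由OSPF
set protocols ospf parameters router-id '61.128.1.1'
set protocols ospf area 0.0.0.0 network '172.16.200.0/24'
# 10.1.1.2/31 is the /31 network that contains vti0's 10.1.1.3.
set protocols ospf area 0.0.0.0 network '10.1.1.2/31'
# Same reasoning as on Site1: no OSPF adjacencies on the LAN segment.
set protocols ospf passive-interface 'eth2'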
4.通过vti VPN IKEv2配置
--IKEv2只需两边增加一句:set vpn ipsec ike-group vyos-ike key-exchange ikev2(两端必须同时配置并commit,只改一端会协商失败;不加这一句时,如前面的debug输出所示,协商的是IKEv1)
建议把dpd也配置上(两端相同;action 'hold'表示对端失联后保留隧道策略、有流量时重新协商):
# Dead peer detection on the ike-group, applied identically on both peers.
# 'interval 30' shows up as dpddelay=30s and 'action hold' as dpdaction=hold
# in the IKEv2 debug output below. For IKEv2 strongSwan detects a dead peer
# through its own retransmission timers, so 'timeout' is presumably only
# honoured for IKEv1 — TODO confirm against the VyOS release in use.
set vpn ipsec ike-group vyos-ike dead-peer-detection action 'hold'
set vpn ipsec ike-group vyos-ike dead-peer-detection interval '30'
set vpn ipsec ike-group vyos-ike dead-peer-detection timeout '120'
三.验证
1.基本site-to-site VPN IKEv1验证
A.在两端vpn配置完成并commit之后,VyOS会主动发起协商并建立SA(后面的debug输出中可以看到ESTABLISHED),不像思科需要兴趣流触发,如下所示,第一次ping不会丢包
PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
PC1#
B.查看IKE sa
vyos@vyos1:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
61.128.1.1 202.100.1.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 aes256 md5_96 5(MODP_1536) no 3600 28800
C.查看IPSec sa
vyos@vyos1:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------
peer-61.128.1.1-tunnel-0 up 7m55s 1K/1K 20/20 61.128.1.1 N/A AES_CBC_256/HMAC_MD5_96/MODP_1024
vyos@vyos1:~$
2.验证vti VPN IKEv1配置
A.OSPF邻居已经建立
vyos@vyos1:~$ show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
61.128.1.1 1 Full/DROther 36.036s 10.1.1.3 vti0:10.1.1.2 0 0 0
vyos@vyos1:~$
B.可以通过OSPF学习对端身后路由
vyos@vyos1:~$ show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
61.128.1.1 1 Full/DROther 39.686s 10.1.1.3 vti0:10.1.1.2 0 0 0
vyos@vyos1:~$ show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
O 10.1.1.2/31 [110/10] is directly connected, vti0, 00:03:33
O 172.16.100.0/24 [110/100] is directly connected, eth2, 00:06:43
O>* 172.16.200.0/24 [110/110] via 10.1.1.3, vti0, 00:02:42
vyos@vyos1:~$
C.ping也没有问题
PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
PC1#
D.也可以ping通对端vti接口地址
vyos@vyos1:~$ ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
64 bytes from 10.1.1.3: icmp_req=1 ttl=64 time=0.909 ms
64 bytes from 10.1.1.3: icmp_req=2 ttl=64 time=0.925 ms
64 bytes from 10.1.1.3: icmp_req=3 ttl=64 time=0.972 ms
E.通过查看debug日志,可以确定用的是IKEv1;同时注意child一行的选择符是0.0.0.0/0 === 0.0.0.0/0,说明vti模式下哪些流量进入隧道完全由路由决定,需要限制时应在vti0上配置防火墙
vyos@vyos1:~$ show vpn debug peer 61.128.1.1 tunnel vti
peer-61.128.1.1-tunnel-vti: 202.100.1.1...61.128.1.1 IKEv1
peer-61.128.1.1-tunnel-vti: local: [202.100.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti: remote: [61.128.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL
peer-61.128.1.1-tunnel-vti[1]: ESTABLISHED 25 seconds ago, 202.100.1.1[202.100.1.1]...61.128.1.1[61.128.1.1]
peer-61.128.1.1-tunnel-vti[1]: IKEv1 SPIs: 6a743263076b448a_i* a18e52a51e11e6cc_r, pre-shared key reauthentication in 7 hours
peer-61.128.1.1-tunnel-vti[1]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
peer-61.128.1.1-tunnel-vti{1}: REKEYED, TUNNEL, reqid 1, expires in 59 minutes
peer-61.128.1.1-tunnel-vti{1}: 0.0.0.0/0 === 0.0.0.0/0
peer-61.128.1.1-tunnel-vti{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5cb692_i cca72e28_o
peer-61.128.1.1-tunnel-vti{2}: AES_CBC_256/HMAC_MD5_96/MODP_1024, 828 bytes_i (11 pkts, 5s ago), 756 bytes_o (10 pkts, 5s ago), rekeying in 42 minutes
peer-61.128.1.1-tunnel-vti{2}: 0.0.0.0/0 === 0.0.0.0/0
3.验证vti VPN IKEv2配置
A.通过查看debug日志,可以确定用的是IKEv2
vyos@vyos1:~$ show vpn debug peer 61.128.1.1 tunnel vti
peer-61.128.1.1-tunnel-vti: 202.100.1.1...61.128.1.1 IKEv2, dpddelay=30s
peer-61.128.1.1-tunnel-vti: local: [202.100.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti: remote: [61.128.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=hold
peer-61.128.1.1-tunnel-vti[1]: ESTABLISHED 20 seconds ago, 202.100.1.1[202.100.1.1]...61.128.1.1[61.128.1.1]
peer-61.128.1.1-tunnel-vti[1]: IKEv2 SPIs: 53148d89d998fc75_i* 5ae6823f58b475ef_r, rekeying in 7 hours
peer-61.128.1.1-tunnel-vti[1]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
peer-61.128.1.1-tunnel-vti{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c21d852f_i c1ccb3c1_o
peer-61.128.1.1-tunnel-vti{1}: AES_CBC_256/HMAC_MD5_96, 80 bytes_i (2 pkts, 0s ago), 144 bytes_o (3 pkts, 0s ago), rekeying in 42 minutes
peer-61.128.1.1-tunnel-vti{1}: 0.0.0.0/0 === 0.0.0.0/0
peer-61.128.1.1-tunnel-vti{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c98fba3a_i cd58bc3c_o
peer-61.128.1.1-tunnel-vti{2}: AES_CBC_256/HMAC_MD5_96/MODP_1024, 764 bytes_i (10 pkts, 0s ago), 708 bytes_o (9 pkts, 0s ago), rekeying in 45 minutes
peer-61.128.1.1-tunnel-vti{2}: 0.0.0.0/0 === 0.0.0.0/0