vyos site-to-site ipsec simple experiment
vyos site-to-site ipsec simple experiment
参考 https://docs.vyos.io/en/latest/configuration/vpn/ipsec.html
简单拓扑结构

hbcp1-vyos 配置内容
vyos@hbcp1-vyos:~$ show configuration all
interfaces {
/* mgt: management address; service ssh (below) listens on this address only */
ethernet eth0 {
address 192.168.110.8/24
description mgt
hw-id 00:90:27:e5:52:60
}
/* wan: public side of the lab; ipsec-interfaces and both GRE endpoints use this address */
ethernet eth1 {
address 203.0.110.11/24
description wan
hw-id 00:90:27:e5:52:61
}
/* lan11: local-only subnet, masqueraded by nat source rule 101; hbcp2 has no route to it */
ethernet eth2 {
address 192.168.111.1/24
description lan11
hw-id 00:90:27:e5:52:62
}
/* vpn11: the subnet the peer routes to through tun0 (protocols static on hbcp2) */
ethernet eth3 {
address 172.16.111.1/24
description vpn11
hw-id 00:90:27:e5:52:63
}
loopback lo {
}
/* GRE between the two WAN addresses; vpn ipsec tunnel 1 selects protocol gre, so this is the traffic the SA is meant to protect — confirm with show vpn ipsec sa */
tunnel tun0 {
address 10.10.10.1/30
encapsulation gre
local-ip 203.0.110.11
remote-ip 203.0.110.12
}
}
nat {
destination {
/* WAN tcp/9075 -> this router's own SSH (192.168.110.8:22); exposes management SSH to anyone reaching the WAN address — add a source match or firewall rule if this outlives the lab */
rule 101 {
destination {
address 203.0.110.11
port 9075
}
inbound-interface eth1
protocol tcp
translation {
address 192.168.110.8
port 22
}
}
}
source {
/* only traffic leaving eth1 is translated; 172.16.112.0/24 is routed via tun0 and so crosses the tunnel untranslated */
rule 101 {
outbound-interface eth1
source {
address 192.168.111.0/24
}
translation {
address masquerade
}
}
rule 102 {
outbound-interface eth1
source {
address 172.16.111.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
/* default route points at the peer's WAN address: the two routers share 203.0.110.0/24 in this lab */
route 0.0.0.0/0 {
next-hop 203.0.110.12 {
}
}
/* remote vpn12 subnet via the GRE tunnel; no route exists for lan12 (192.168.112.0/24), so only the vpn subnets cross the tunnel */
route 172.16.112.0/24 {
next-hop 10.10.10.2 {
}
}
}
}
service {
dhcp-server {
shared-network-name LAN11 {
authoritative
subnet 192.168.111.0/24 {
default-router 192.168.111.1
dns-server 192.168.111.1
domain-name lan11.mytest.net
lease 86400
range pool {
start 192.168.111.11
stop 192.168.111.19
}
}
}
shared-network-name VPN11 {
authoritative
subnet 172.16.111.0/24 {
default-router 172.16.111.1
dns-server 172.16.111.1
domain-name vpn11.mytest.net
lease 86400
range pool {
start 172.16.111.11
stop 172.16.111.19
}
}
}
}
dns {
/* recursion only for the two internal subnets; listens on the internal addresses, not on eth1 */
forwarding {
allow-from 192.168.111.0/24
allow-from 172.16.111.0/24
cache-size 0
listen-address 192.168.111.1
listen-address 172.16.111.1
name-server 114.114.114.114
}
}
/* bound to the management address only; reachable from the WAN side solely through nat destination rule 101 */
ssh {
listen-address 192.168.110.8
port 22
}
}
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
host-name hbcp1-vyos
login {
user vyos {
/* both forms are masked in this dump; a plaintext-password node is presumably converted to encrypted-password on commit — verify it does not persist */
authentication {
encrypted-password ****************
plaintext-password ****************
}
}
}
name-server 114.114.114.114
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
option {
ctrl-alt-delete ignore
reboot-on-panic
}
syslog {
global {
facility all {
level info
}
/* protocols at debug: useful while bringing up IKE/GRE, noisy beyond the experiment */
facility protocols {
level debug
}
}
user all {
facility all {
level emerg
}
}
}
time-zone Asia/Shanghai
}
vpn {
ipsec {
/* aes128/sha1 in tunnel mode with pfs; sha1 is a legacy integrity choice kept for this simple experiment */
esp-group MyESPGroup {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
/* ikev1 with dh-group 2 (1024-bit MODP) and sha1 — legacy; prefer ikev2 and a stronger dh-group outside a lab. close-action none: presumably no automatic re-establish when the peer closes the SA */
ike-group MyIKEGroup {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth1
}
site-to-site {
/* PSK authentication, secret masked in this dump; hbcp2 also uses connection-type initiate */
peer 203.0.110.12 {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type initiate
default-esp-group MyESPGroup
ike-group MyIKEGroup
ikev2-reauth inherit
local-address 203.0.110.11
/* only GRE between the two WAN addresses is protected; the 172.16.x routes ride inside tun0 */
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
protocol gre
}
}
}
}
}
vyos@hbcp1-vyos:~$
hbcp2-vyos 配置内容
vyos@hbcp2-vyos:~$ show configuration all
interfaces {
/* mgt: management address; service ssh (below) listens on this address only */
ethernet eth0 {
address 192.168.110.9/24
description mgt
hw-id 00:90:27:e5:52:64
}
/* wan: public side of the lab; ipsec-interfaces and both GRE endpoints use this address */
ethernet eth1 {
address 203.0.110.12/24
description wan
hw-id 00:90:27:e5:52:65
}
/* lan12: local-only subnet, masqueraded by nat source rule 101; hbcp1 has no route to it */
ethernet eth2 {
address 192.168.112.1/24
description lan12
hw-id 00:90:27:e5:52:66
}
/* vpn12: the subnet the peer routes to through tun0 (protocols static on hbcp1) */
ethernet eth3 {
address 172.16.112.1/24
description vpn12
hw-id 00:90:27:e5:52:67
}
loopback lo {
}
/* GRE between the two WAN addresses; vpn ipsec tunnel 1 selects protocol gre, so this is the traffic the SA is meant to protect — confirm with show vpn ipsec sa */
tunnel tun0 {
address 10.10.10.2/30
encapsulation gre
local-ip 203.0.110.12
remote-ip 203.0.110.11
}
}
nat {
destination {
/* WAN tcp/9075 -> this router's own SSH (192.168.110.9:22); exposes management SSH to anyone reaching the WAN address — add a source match or firewall rule if this outlives the lab */
rule 101 {
destination {
address 203.0.110.12
port 9075
}
inbound-interface eth1
protocol tcp
translation {
address 192.168.110.9
port 22
}
}
}
source {
/* only traffic leaving eth1 is translated; 172.16.111.0/24 is routed via tun0 and so crosses the tunnel untranslated */
rule 101 {
outbound-interface eth1
source {
address 192.168.112.0/24
}
translation {
address masquerade
}
}
rule 102 {
outbound-interface eth1
source {
address 172.16.112.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
/* default route points at the peer's WAN address: the two routers share 203.0.110.0/24 in this lab */
route 0.0.0.0/0 {
next-hop 203.0.110.11 {
}
}
/* remote vpn11 subnet via the GRE tunnel; no route exists for lan11 (192.168.111.0/24), so only the vpn subnets cross the tunnel */
route 172.16.111.0/24 {
next-hop 10.10.10.1 {
}
}
}
}
service {
dhcp-server {
shared-network-name LAN12 {
authoritative
subnet 192.168.112.0/24 {
default-router 192.168.112.1
dns-server 192.168.112.1
domain-name lan12.mytest.net
lease 86400
range pool {
start 192.168.112.11
stop 192.168.112.19
}
}
}
shared-network-name VPN12 {
authoritative
subnet 172.16.112.0/24 {
default-router 172.16.112.1
dns-server 172.16.112.1
domain-name vpn12.mytest.net
lease 86400
range pool {
start 172.16.112.11
stop 172.16.112.19
}
}
}
}
dns {
/* recursion only for the two internal subnets; listens on the internal addresses, not on eth1 */
forwarding {
allow-from 192.168.112.0/24
allow-from 172.16.112.0/24
cache-size 0
listen-address 192.168.112.1
listen-address 172.16.112.1
name-server 114.114.114.114
}
}
/* bound to the management address only; reachable from the WAN side solely through nat destination rule 101 */
ssh {
listen-address 192.168.110.9
port 22
}
}
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
host-name hbcp2-vyos
login {
user vyos {
/* both forms are masked in this dump; a plaintext-password node is presumably converted to encrypted-password on commit — verify it does not persist */
authentication {
encrypted-password ****************
plaintext-password ****************
}
}
}
name-server 114.114.114.114
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
option {
ctrl-alt-delete ignore
reboot-on-panic
}
syslog {
global {
facility all {
level info
}
/* protocols at debug: useful while bringing up IKE/GRE, noisy beyond the experiment */
facility protocols {
level debug
}
}
user all {
facility all {
level emerg
}
}
}
time-zone Asia/Shanghai
}
vpn {
ipsec {
/* aes128/sha1 in tunnel mode with pfs; sha1 is a legacy integrity choice kept for this simple experiment */
esp-group MyESPGroup {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
/* ikev1 with dh-group 2 (1024-bit MODP) and sha1 — legacy; prefer ikev2 and a stronger dh-group outside a lab. close-action none: presumably no automatic re-establish when the peer closes the SA */
ike-group MyIKEGroup {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth1
}
site-to-site {
/* PSK authentication, secret masked in this dump; hbcp1 also uses connection-type initiate */
peer 203.0.110.11 {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type initiate
default-esp-group MyESPGroup
ike-group MyIKEGroup
ikev2-reauth inherit
local-address 203.0.110.12
/* only GRE between the two WAN addresses is protected; the 172.16.x routes ride inside tun0 */
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
protocol gre
}
}
}
}
}
vyos@hbcp2-vyos:~$
在 hbcp1-vyos 上监视 IPsec 通道接口流量

在 hbcp1-vyos 上启动iperf3服务端准备测速

在 hbcp2-vyos 上启动iperf3客户端发包测速

在 hbcp2-vyos 上从 172.16.112.1 追踪 172.16.111.1


============= End
