碧云天
一.测试拓扑
备注:上面链接中的方法在VyOS 1.1上IKEv2没有配置成功,换用1.3版本后配置成功。

二.配置步骤
1.基本配置
A.PC1路由器
interface Ethernet0/0
    ip address 172.16.100.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.100.254
B.Site1(VyOS1)
set system host-name 'vyos1'
set interface ethernet eth1 address '202.100.1.1/24'
set interface ethernet eth2 address '172.16.100.254/24'
set protocols static route 0.0.0.0/0 next-hop '202.100.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.100.0/24'
set nat source rule 20 translation address 'masquerade'
C.Internet路由器
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
D.Site2(VyOS2)
set system host-name 'vyos2'
set interface ethernet eth1 address '61.128.1.1/24'
set interface ethernet eth2 address '172.16.200.254/24'
set protocols static route 0.0.0.0/0 next-hop '61.128.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.200.0/24'
set nat source rule 20 translation address 'masquerade'
E.PC2路由器
interface Ethernet0/0
    ip address 172.16.200.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.200.254
2.基本site-to-site VPN IKEv1配置
A.Site1(VyOS1)
--配置第一阶段策略集(本实验为便于复现使用hash 'md5'和dh-group '5';md5已不建议用于生产环境,建议改用sha256并选用dh-group 14或更高)
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '5'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'md5'
--配置第二阶段策略集(pfs 'dh-group2'对应下文验证输出中的MODP_1024,强度偏弱,生产环境建议选用更强的DH组)
set vpn ipsec esp-group vyos-esp pfs 'dh-group2'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'md5'
--配置对等体(示例预共享密钥仅用于实验,生产环境应使用足够长的随机预共享密钥,或改用证书认证)
set vpn ipsec site-to-site peer 61.128.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 61.128.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 61.128.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 61.128.1.1 local-address '202.100.1.1'
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 esp-group 'vyos-esp'
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 local prefix '172.16.100.0/24'
set vpn ipsec site-to-site peer 61.128.1.1 tunnel 0 remote prefix '172.16.200.0/24'
--在接口启用ipsec
set vpn ipsec ipsec-interfaces interface 'eth1'
--配置NAT免除
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 'exclude'
set nat source rule 10 source address '172.16.100.0/24'
set nat source rule 10 destination address '172.16.200.0/24'
B.Site2(VyOS2)
--配置第一阶段策略集
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '5'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'md5'
--配置第二阶段策略集
set vpn ipsec esp-group vyos-esp pfs 'dh-group2'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'md5'
--配置对等体
set vpn ipsec site-to-site peer 202.100.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 202.100.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 202.100.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 202.100.1.1 local-address '61.128.1.1'
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 esp-group 'vyos-esp'
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 local prefix '172.16.200.0/24'
set vpn ipsec site-to-site peer 202.100.1.1 tunnel 0 remote prefix '172.16.100.0/24'
--在接口启用ipsec
set vpn ipsec ipsec-interfaces interface 'eth1'
--配置NAT免除
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 'exclude'
set nat source rule 10 source address '172.16.200.0/24'
set nat source rule 10 destination address '172.16.100.0/24'
3.通过vti VPN IKEv1配置
与前面的基本site-to-site VPN配置相比,使用VTI不需要配置感兴趣流(本地/远端前缀),也不需要配置NAT免除,还可以在隧道上运行动态路由协议。
A.Site1(VyOS1)
--添加VTI接口
set interfaces vti vti0 address '10.1.1.2/31'
set interfaces vti vti0 ip ospf network 'point-to-point'
--配置第一阶段策略集
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '5'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'md5'
备注:与前面相同
--配置第二阶段策略集
set vpn ipsec esp-group vyos-esp pfs 'dh-group2'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'md5'
备注:与前面相同
--配置对等体,在vti接口调用第二阶段策略集
set vpn ipsec site-to-site peer 61.128.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 61.128.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 61.128.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 61.128.1.1 local-address '202.100.1.1'
set vpn ipsec site-to-site peer 61.128.1.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 61.128.1.1 vti esp-group  'vyos-esp'
--在接口启用ipsec
set vpn ipsec ipsec-interfaces interface 'eth1'
--配置动态路由OSPF
set protocols ospf parameters router-id '202.100.1.1'
set protocols ospf area 0.0.0.0 network '172.16.100.0/24'
set protocols ospf area 0.0.0.0 network '10.1.1.2/31'
B.Site2(VyOS2)
--添加VTI接口
set interfaces vti vti0 address '10.1.1.3/31'
set interfaces vti vti0 ip ospf network 'point-to-point'
--配置第一阶段策略集
set vpn ipsec ike-group vyos-ike proposal 10 dh-group '5'
set vpn ipsec ike-group vyos-ike proposal 10 encryption 'aes256'
set vpn ipsec ike-group vyos-ike proposal 10 hash 'md5'
备注:与前面相同
--配置第二阶段策略集
set vpn ipsec esp-group vyos-esp pfs 'dh-group2'
set vpn ipsec esp-group vyos-esp proposal 10 encryption 'aes256'
set vpn ipsec esp-group vyos-esp proposal 10 hash 'md5'
备注:与前面相同
--配置对等体,在vti接口调用第二阶段策略集
set vpn ipsec site-to-site peer 202.100.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 202.100.1.1 authentication pre-shared-secret 'Cisc0123'
set vpn ipsec site-to-site peer 202.100.1.1 ike-group 'vyos-ike'
set vpn ipsec site-to-site peer 202.100.1.1 local-address '61.128.1.1'
set vpn ipsec site-to-site peer 202.100.1.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 202.100.1.1 vti esp-group 'vyos-esp'
--在接口启用ipsec(注意:此处写的是eth0,而Site2承载local-address 61.128.1.1的公网接口是eth1,疑为笔误,应与前文第2节保持一致)
set vpn ipsec ipsec-interfaces interface 'eth0'
--配置动态路由OSPF
set protocols ospf parameters router-id '61.128.1.1'
set protocols ospf area 0.0.0.0 network '172.16.200.0/24'
set protocols ospf area 0.0.0.0 network '10.1.1.2/31'
4.通过vti VPN IKEv2配置
--切换为IKEv2时只需在两端各增加一句:set vpn ipsec ike-group vyos-ike key-exchange ikev2
建议同时配置DPD(dead-peer-detection),以便及时检测对端失联:
set vpn ipsec ike-group vyos-ike dead-peer-detection action 'hold'
set vpn ipsec ike-group vyos-ike dead-peer-detection interval '30'
set vpn ipsec ike-group vyos-ike dead-peer-detection timeout '120'
三.验证
1.基本site-to-site VPN IKEv1验证
A.两端VPN配置完成并commit之后,不需要像思科设备那样由感兴趣流触发;如下所示,第一次ping就不会丢包
PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
PC1#
B.查看IKE sa
vyos@vyos1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
61.128.1.1                              202.100.1.1                            

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   md5_96  5(MODP_1536)   no     3600    28800  

C.查看IPSec sa
vyos@vyos1:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------
peer-61.128.1.1-tunnel-0  up       7m55s     1K/1K           20/20             61.128.1.1        N/A          AES_CBC_256/HMAC_MD5_96/MODP_1024
vyos@vyos1:~$
2.验证vti VPN IKEv1配置
A.OSPF邻居已经建立
vyos@vyos1:~$ show ip ospf neighbor

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
61.128.1.1        1 Full/DROther      36.036s 10.1.1.3        vti0:10.1.1.2            0     0     0
vyos@vyos1:~$
B.可以通过OSPF学习到对端身后的路由
vyos@vyos1:~$ show ip ospf neighbor

Neighbor ID     Pri State           Dead Time Address         Interface                        RXmtL RqstL DBsmL
61.128.1.1        1 Full/DROther      39.686s 10.1.1.3        vti0:10.1.1.2                        0     0     0

vyos@vyos1:~$ show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

O   10.1.1.2/31 [110/10] is directly connected, vti0, 00:03:33
O   172.16.100.0/24 [110/100] is directly connected, eth2, 00:06:43
O>* 172.16.200.0/24 [110/110] via 10.1.1.3, vti0, 00:02:42
vyos@vyos1:~$
C.ping也没有问题
PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
PC1#
D.也可以ping通对端vti接口地址
vyos@vyos1:~$ ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
64 bytes from 10.1.1.3: icmp_req=1 ttl=64 time=0.909 ms
64 bytes from 10.1.1.3: icmp_req=2 ttl=64 time=0.925 ms
64 bytes from 10.1.1.3: icmp_req=3 ttl=64 time=0.972 ms
E.通过查看debug输出,可以确认使用的是IKEv1
vyos@vyos1:~$ show vpn debug peer 61.128.1.1 tunnel vti
peer-61.128.1.1-tunnel-vti:  202.100.1.1...61.128.1.1  IKEv1
peer-61.128.1.1-tunnel-vti:   local:  [202.100.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti:   remote: [61.128.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
peer-61.128.1.1-tunnel-vti[1]: ESTABLISHED 25 seconds ago, 202.100.1.1[202.100.1.1]...61.128.1.1[61.128.1.1]
peer-61.128.1.1-tunnel-vti[1]: IKEv1 SPIs: 6a743263076b448a_i* a18e52a51e11e6cc_r, pre-shared key reauthentication in 7 hours
peer-61.128.1.1-tunnel-vti[1]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
peer-61.128.1.1-tunnel-vti{1}:  REKEYED, TUNNEL, reqid 1, expires in 59 minutes
peer-61.128.1.1-tunnel-vti{1}:   0.0.0.0/0 === 0.0.0.0/0
peer-61.128.1.1-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5cb692_i cca72e28_o
peer-61.128.1.1-tunnel-vti{2}:  AES_CBC_256/HMAC_MD5_96/MODP_1024, 828 bytes_i (11 pkts, 5s ago), 756 bytes_o (10 pkts, 5s ago), rekeying in 42 minutes
peer-61.128.1.1-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0
3.验证vti VPN IKEv2配置
A.通过查看debug输出,可以确认使用的是IKEv2(注意输出中的dpddelay=30s和dpdaction=hold,对应上面配置的DPD)
vyos@vyos1:~$ show vpn debug peer 61.128.1.1 tunnel vti
peer-61.128.1.1-tunnel-vti:  202.100.1.1...61.128.1.1  IKEv2, dpddelay=30s
peer-61.128.1.1-tunnel-vti:   local:  [202.100.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti:   remote: [61.128.1.1] uses pre-shared key authentication
peer-61.128.1.1-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=hold
peer-61.128.1.1-tunnel-vti[1]: ESTABLISHED 20 seconds ago, 202.100.1.1[202.100.1.1]...61.128.1.1[61.128.1.1]
peer-61.128.1.1-tunnel-vti[1]: IKEv2 SPIs: 53148d89d998fc75_i* 5ae6823f58b475ef_r, rekeying in 7 hours
peer-61.128.1.1-tunnel-vti[1]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
peer-61.128.1.1-tunnel-vti{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c21d852f_i c1ccb3c1_o
peer-61.128.1.1-tunnel-vti{1}:  AES_CBC_256/HMAC_MD5_96, 80 bytes_i (2 pkts, 0s ago), 144 bytes_o (3 pkts, 0s ago), rekeying in 42 minutes
peer-61.128.1.1-tunnel-vti{1}:   0.0.0.0/0 === 0.0.0.0/0
peer-61.128.1.1-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c98fba3a_i cd58bc3c_o
peer-61.128.1.1-tunnel-vti{2}:  AES_CBC_256/HMAC_MD5_96/MODP_1024, 764 bytes_i (10 pkts, 0s ago), 708 bytes_o (9 pkts, 0s ago), rekeying in 45 minutes
peer-61.128.1.1-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0

