2 VPN channels with VTI interfaces and OSPF (Quagga)
Set up the IPsec VPN
Disable IPsec routing
- vi /etc/strongswan.conf
charon {
    load_modular = yes
    install_routes = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
Set up ipsec.conf and ipsec.secrets
- vi /etc/ipsec.conf
conn routed-vpn
    right=10.84.252.44
    left=10.84.252.43
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=aes256-sha256-modp2048
    ikelifetime=3600s
    esp=aes256-sha256-modp2048
    keylife=1800s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    mark=100
    auto=start
    keyingtries=%forever

conn routed-vpn2
    right=10.84.244.44
    left=10.84.244.43
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=aes256-sha256-modp2048
    ikelifetime=3600s
    esp=aes256-sha256-modp2048
    keylife=1800s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    mark=200
    auto=start
    keyingtries=%forever
- vi /etc/ipsec.secrets
10.84.252.43 10.84.252.44 : PSK "suxer"
10.84.244.43 10.84.244.44 : PSK "suxer"
Set up the VTI interfaces
Host 1
vti0
- ip tunnel add vti0 local 10.84.252.43 remote 10.84.252.44 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.1 remote 10.2.2.2 dev vti0
vti1
- ip tunnel add vti1 local 10.84.244.43 remote 10.84.244.44 mode vti key 200
- ip link set vti1 up
- ip addr add 10.3.3.1 remote 10.3.3.2 dev vti1
Host 2
vti0
- ip tunnel add vti0 local 10.84.252.44 remote 10.84.252.43 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.2 remote 10.2.2.1 dev vti0
vti1
- ip tunnel add vti1 local 10.84.244.44 remote 10.84.244.43 mode vti key 200
- ip link set vti1 up
- ip addr add 10.3.3.2 remote 10.3.3.1 dev vti1
Set rp_filter, policy and xfrm
- echo 0 > /proc/sys/net/ipv4/conf/vti0/rp_filter
- echo 1 > /proc/sys/net/ipv4/conf/vti0/disable_policy
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_xfrm
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_policy
Flush routing table 220
- ip route flush table 220
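The steps above only work if three things line up on each host: the mark= of every conn in ipsec.conf must equal the key of one VTI, that VTI's local/remote must equal the conn's left/right, and every VTI needs the rp_filter/disable_policy settings (the page shows them for vti0 only). The following added checker (example code written for this page, not part of strongSwan, iproute2 or the original page) parses one host's ipsec.conf, its ip tunnel add lines and its sysctl lines and reports mismatches. The sample input is an abbreviated copy of the Host 1 values from this page, with the vti1 sysctl lines deliberately left out so that the checker has something to report; the strongSwan defaults used for omitted lifetimes are 3h/1h/9m.

```python
"""Consistency check for a mark-based VTI IPsec setup (added example, not the
page's or strongSwan's own code).  Cross-checks one host's ipsec.conf, its
`ip tunnel add` commands and its sysctl lines:
  * every conn's mark= has a VTI whose key equals the mark and whose
    local/remote equal the conn's left/right, otherwise decrypted traffic
    never reaches the VTI;
  * each VTI has rp_filter=0 and disable_policy=1;
  * ikelifetime > keylife > rekeymargin, so rekeying happens before expiry.
"""
import re

# Constructed sample: abbreviated Host 1 values from the page; the vti1 sysctl
# lines are deliberately missing so the checker has something to report.
IPSEC_CONF = """\
conn routed-vpn
    left=10.84.252.43
    right=10.84.252.44
    ikelifetime=3600s
    keylife=1800s
    rekeymargin=540s
    authby=secret
    mark=100
    auto=start

conn routed-vpn2
    left=10.84.244.43
    right=10.84.244.44
    ikelifetime=3600s
    keylife=1800s
    rekeymargin=540s
    authby=secret
    mark=200
    auto=start
"""
VTI_CMDS = """\
ip tunnel add vti0 local 10.84.252.43 remote 10.84.252.44 mode vti key 100
ip tunnel add vti1 local 10.84.244.43 remote 10.84.244.44 mode vti key 200
"""
SYSCTL_CMDS = """\
echo 0 > /proc/sys/net/ipv4/conf/vti0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/vti0/disable_policy
"""

_UNITS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}
# strongSwan defaults, used when a conn omits the option
_DEFAULTS = {'ikelifetime': '3h', 'keylife': '1h', 'rekeymargin': '9m'}
VTI_RE = re.compile(r'ip tunnel add (\S+) local (\S+) remote (\S+) mode vti key (\d+)')
SYSCTL_RE = re.compile(r'echo (\d+) > /proc/sys/net/ipv4/conf/(\S+)/(\w+)')


def seconds(value):
    """Convert a strongSwan time value such as '3600s' or '9m' to seconds."""
    m = re.fullmatch(r'(\d+)([smhd]?)', value.strip())
    if not m:
        raise ValueError(f'bad time value {value!r}')
    return int(m.group(1)) * _UNITS[m.group(2) or 's']


def parse_ipsec_conf(text):
    """Return {conn_name: {option: value}} for every `conn` section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            kind, _, name = line.partition(' ')
            current = conns.setdefault(name.strip(), {}) if kind == 'conn' else None
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return conns


def parse_vti(text):
    """Return {key: {'name', 'local', 'remote'}} from `ip tunnel add` lines."""
    return {int(k): {'name': n, 'local': l, 'remote': r}
            for n, l, r, k in VTI_RE.findall(text)}


def parse_sysctl(text):
    """Return {(interface, knob): value} from `echo N > /proc/sys/...` lines."""
    return {(iface, knob): int(v) for v, iface, knob in SYSCTL_RE.findall(text)}


def check(conns, vtis, sysctls):
    problems = []
    for name, c in conns.items():
        mark = c.get('mark')
        if mark is None:
            problems.append(f'{name}: no mark=, traffic cannot be tied to a VTI')
            continue
        vti = vtis.get(int(mark.split('/')[0], 0))   # mark may carry a /mask
        if vti is None:
            problems.append(f'{name}: mark {mark} has no VTI with key {mark}')
            continue
        if (vti['local'], vti['remote']) != (c.get('left'), c.get('right')):
            problems.append(f'{name}: {vti["name"]} local/remote differ from left/right')
        ike, esp, margin = (seconds(c.get(k, d)) for k, d in _DEFAULTS.items())
        if not ike > esp > margin:
            problems.append(f'{name}: need ikelifetime > keylife > rekeymargin')
    for vti in vtis.values():
        n = vti['name']
        if sysctls.get((n, 'rp_filter')) != 0:
            problems.append(f'{n}: rp_filter must be 0, or reverse-path checks drop far-side traffic')
        if sysctls.get((n, 'disable_policy')) != 1:
            problems.append(f'{n}: disable_policy must be 1')
    return problems


def audit(ipsec_conf=IPSEC_CONF, vti_cmds=VTI_CMDS, sysctl_cmds=SYSCTL_CMDS):
    return check(parse_ipsec_conf(ipsec_conf), parse_vti(vti_cmds), parse_sysctl(sysctl_cmds))


if __name__ == '__main__':
    for p in audit() or ['no problems found']:
        print(p)
```

Run as is, it reports the two missing vti1 sysctls; feed it the second host's files (swap left/right, local/remote) to check the other end the same way.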
Set up OSPF
Important!!! Since the VTI interface is a point-to-point link, it must be configured as such in the Quagga configuration. This setting is not shown in the running config, however.
- configure terminal
- interface vti0
- ip ospf network point-to-point
- exit
- interface vti1
- ip ospf network point-to-point
- exit
Host 1
nelson# show run
Building configuration...

Current configuration:
!
log stdout
!
service integrated-vtysh-config
!
password zebra
enable password zebra
!
interface ens3
 ipv6 nd suppress-ra
 no link-detect
!
interface ens7
 ipv6 nd suppress-ra
 no link-detect
!
interface ens8
 ipv6 nd suppress-ra
 no link-detect
!
interface ip_vti0
 ipv6 nd suppress-ra
 no link-detect
!
interface lo
 no link-detect
!
interface vti0
 ip ospf cost 10
 ip ospf dead-interval 15
 ip ospf mtu-ignore
 ipv6 nd suppress-ra
 no link-detect
!
interface vti1
 ip ospf cost 20
 ip ospf dead-interval 15
 ip ospf mtu-ignore
 ipv6 nd suppress-ra
 no link-detect
!
router ospf
 ospf router-id 10.83.43.1
 passive-interface ens7
 network 10.2.2.2/32 area 0.0.0.0
 network 10.3.3.2/32 area 0.0.0.0
 network 10.83.43.0/24 area 0.0.0.0
!
ip forwarding
!
line vty
!
end
Host 2
kekistan# show run
Building configuration...

Current configuration:
!
log stdout
!
service integrated-vtysh-config
!
password zebra
enable password zebra
!
interface ens3
 ipv6 nd suppress-ra
 no link-detect
!
interface ens7
 ipv6 nd suppress-ra
 no link-detect
!
interface ens8
 ipv6 nd suppress-ra
 no link-detect
!
interface ip_vti0
 ipv6 nd suppress-ra
 no link-detect
!
interface lo
 no link-detect
!
interface vti0
 ip ospf cost 10
 ip ospf dead-interval 10
 ip ospf mtu-ignore
 ipv6 nd suppress-ra
 no link-detect
!
interface vti1
 ip ospf cost 20
 ip ospf dead-interval 10
 ip ospf mtu-ignore
 ipv6 nd suppress-ra
 no link-detect
!
router ospf
 ospf router-id 10.83.44.1
 passive-interface ens7
 network 10.2.2.1/32 area 0.0.0.0
 network 10.3.3.1/32 area 0.0.0.0
 network 10.83.44.0/24 area 0.0.0.0
 neighbor 10.2.2.1 priority 10
 neighbor 10.3.3.1 priority 20
!
ip forwarding
!
line vty
!
end
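Before trusting the two running configs above, a practitioner would compare the settings that have to agree on both ends of each VTI: OSPF hello-interval and dead-interval per interface (RFC 2328 requires both to match for an adjacency to form), distinct router IDs, and a network statement that pulls every tunnel into OSPF. The following added checker (example code written for this page, not Quagga's or the page's own) parses the OSPF-relevant stanzas of both dumps and reports the differences. Its sample input is a trimmed copy of the nelson and kekistan dumps above; the far-end addresses it expects in the network statements are taken from the ip addr add ... remote commands, assuming nelson is Host 1 and kekistan is Host 2 as labelled. Run on these two dumps it reports the dead-interval of 15 on nelson against 10 on kekistan for both vti0 and vti1.

```python
"""Adjacency check for two Quagga `show run` dumps (added example, not the
page's or Quagga's own code).  Parses the `interface` and `router ospf`
stanzas of each end and reports what must agree over the VTIs: hello-interval
and dead-interval per interface (RFC 2328), distinct router IDs, and a
`network` statement for each tunnel.
"""
import re

# Constructed samples: OSPF-relevant stanzas of the nelson (Host 1) and
# kekistan (Host 2) dumps shown on the page, trimmed to what is checked.
NELSON = """\
interface vti0
 ip ospf dead-interval 15
!
interface vti1
 ip ospf dead-interval 15
!
router ospf
 ospf router-id 10.83.43.1
 network 10.2.2.2/32 area 0.0.0.0
 network 10.3.3.2/32 area 0.0.0.0
 network 10.83.43.0/24 area 0.0.0.0
!
"""
KEKISTAN = """\
interface vti0
 ip ospf dead-interval 10
!
interface vti1
 ip ospf dead-interval 10
!
router ospf
 ospf router-id 10.83.44.1
 network 10.2.2.1/32 area 0.0.0.0
 network 10.3.3.1/32 area 0.0.0.0
 network 10.83.44.0/24 area 0.0.0.0
 neighbor 10.2.2.1 priority 10
 neighbor 10.3.3.1 priority 20
!
"""
# Far-end address of each VTI, from the page's `ip addr add ... remote` lines
# (assumes nelson is Host 1 and kekistan is Host 2, as labelled on the page).
PEERS = {'nelson': {'vti0': '10.2.2.2', 'vti1': '10.3.3.2'},
         'kekistan': {'vti0': '10.2.2.1', 'vti1': '10.3.3.1'}}
OSPF_DEFAULTS = {'hello-interval': 10, 'dead-interval': 40}   # Quagga defaults


def parse_quagga(text):
    """Return interfaces, router-id, network and neighbor statements of a dump."""
    cfg = {'interfaces': {}, 'router_id': None, 'networks': [], 'neighbors': []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '!':
            continue
        if not raw[0].isspace():                  # top-level line opens a stanza
            if line.startswith('interface '):
                section = cfg['interfaces'].setdefault(line.split()[1], {})
            else:
                section = cfg if line == 'router ospf' else None
        elif section is cfg:
            words = line.split()
            if line.startswith('ospf router-id '):
                cfg['router_id'] = words[-1]
            elif words[0] in ('network', 'neighbor'):
                cfg[words[0] + 's'].append(words[1])
        elif section is not None:
            m = re.fullmatch(r'ip ospf (hello-interval|dead-interval|cost) (\d+)', line)
            if m:
                section[m.group(1)] = int(m.group(2))
    return cfg


def check_pair(a, b, ifaces):
    """Timers that differ between the two ends of a link prevent adjacency."""
    problems = []
    if a['router_id'] == b['router_id']:
        problems.append(f'both ends use router-id {a["router_id"]}')
    for ifc in ifaces:
        for param, default in OSPF_DEFAULTS.items():
            va = a['interfaces'].get(ifc, {}).get(param, default)
            vb = b['interfaces'].get(ifc, {}).get(param, default)
            if va != vb:
                problems.append(f'{ifc}: {param} {va} vs {vb}, adjacency will not form')
    return problems


def check_networks(host, cfg, peers):
    """The page's `network` statements name the far-end /32 of each VTI; make
    sure no tunnel was left out of OSPF."""
    return [f'{host}: no network statement covering {ifc} (expected {peer}/32)'
            for ifc, peer in peers.items() if f'{peer}/32' not in cfg['networks']]


def audit(text_a=NELSON, text_b=KEKISTAN, peers=PEERS):
    a, b = parse_quagga(text_a), parse_quagga(text_b)
    problems = check_pair(a, b, sorted(set(a['interfaces']) | set(b['interfaces'])))
    for host, cfg in (('nelson', a), ('kekistan', b)):
        problems += check_networks(host, cfg, peers[host])
    return problems


if __name__ == '__main__':
    for p in audit() or ['no problems found']:
        print(p)
```

The check uses the Quagga defaults (hello 10, dead 40) for any timer a dump does not set, so an interface configured on one side only is still compared.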