Trying GRE over IPsec between VyOS on AWS and the C841 at home

Source: https://wp.zassoul.com/?p=572
Published: 2016-05-11 11:24 (02:24 GMT)
Categories: aws, cisco, network

There was something I wanted to do, so I wanted to bring up IPsec to AWS.

The setup looks like this.

[Figure: network diagram GREIPSEC.png, https://2.bp.blogspot.com/-lz9zaBai_go/VzKYvuYZ1NI/AAAAAAAAAKg/x_KOX-pvjMULhXMlwH19Bo9Q_OxF2SMagCLcB/s1600/GREIPSEC.png]

OSPF isn't really needed, but since I'm at it, I'll try running dynamic routing too.

I thought it might go easily, but I got quite stuck. Both ends are behind NAT, and on the home side the global address is assigned by DHCP and changes, and since it's PAT I have to do NAT-T; there were a lot of points to watch out for.

Still, it connected without trouble.
The two big stumbling points were the following.

・Specifying gre in the Cisco IPsec ACL does not work. Resolved by specifying ip.
・In the VyOS remote-id, put the Cisco's real (inside) IP address.

The VyOS one I understand, but why the Cisco ACL? No idea...

I thought that doing it with VTI would be nice since no ACL is needed, but I got stuck on that in its own way, so another time.

I ended up doing nothing but trial and error.
It was a good lesson.

■ Cisco (excerpt)
!
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key aws address A.A.A.A 255.255.255.255
crypto isakmp keepalive 30 30
!
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha256-hmac
 mode tunnel
!
!
crypto map GRE_IPSEC 10 ipsec-isakmp
 set peer A.A.A.A
 set transform-set IPSEC
 set pfs group14
 match address AWS_GRE
!
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.255
!
interface Tunnel1
 ip address 192.168.254.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf hello-interval 5
 keepalive 5 3
 tunnel source Loopback1
 tunnel destination 172.16.1.2
!
interface Vlan100
 ip address 192.168.1.2 255.255.255.0
 ip virtual-reassembly in
 crypto map GRE_IPSEC
!
!
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.254.0 0.0.0.255 area 0
!
!
ip access-list extended AWS_GRE
 permit ip host 172.16.1.1 host 172.16.1.2

■ VyOS (excerpt)
set interfaces loopback lo address '172.16.1.2/32'
set interfaces tunnel tun1 address '192.168.254.2/24'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 ip ospf dead-interval '20'
set interfaces tunnel tun1 ip ospf hello-interval '5'
set interfaces tunnel tun1 ip ospf priority '1'
set interfaces tunnel tun1 ip ospf retransmit-interval '5'
set interfaces tunnel tun1 ip ospf transmit-delay '1'
set interfaces tunnel tun1 local-ip '172.16.1.2'
set interfaces tunnel tun1 mtu '1400'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 remote-ip '172.16.1.1'
set protocols ospf area 0 network '192.168.254.0/24'
set protocols ospf area 0 network '10.10.20.0/24'
set protocols ospf log-adjacency-changes 'detail'
set protocols static route 0.0.0.0/0 next-hop 10.10.10.1 distance '1'
----
set vpn ipsec esp-group ESP_AWS compression 'disable'
set vpn ipsec esp-group ESP_AWS lifetime '3600'
set vpn ipsec esp-group ESP_AWS mode 'tunnel'
set vpn ipsec esp-group ESP_AWS pfs 'enable'
set vpn ipsec esp-group ESP_AWS proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP_AWS proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE_AWS dead-peer-detection action 'hold'
set vpn ipsec ike-group IKE_AWS dead-peer-detection interval '30'
set vpn ipsec ike-group IKE_AWS dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE_AWS lifetime '3600'
set vpn ipsec ike-group IKE_AWS proposal 1 dh-group '14'
set vpn ipsec ike-group IKE_AWS proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE_AWS proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'aws'
set vpn ipsec site-to-site peer 0.0.0.0 authentication remote-id '192.168.1.2'
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'respond'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE_AWS'
set vpn ipsec site-to-site peer 0.0.0.0 local-address '10.10.10.50'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 esp-group 'ESP_AWS'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '172.16.1.2/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '172.16.1.1/32'