
Life of a downstream network engineer


Trying a site-to-site NGN-VPN over NTT's NGN with YAMAHA routers (SRT100 / FWX120, IPv4 over IPv6, Hikari Denwa in use)

2016.05.17 (Tue)

NTT's NGN is an IPv6 network, but I heard that an IPsec site-to-site VPN can be built on top of it,
so I tried IPv4 over IPv6 over IPsec over NGN. These are my notes.

Because the traffic never passes through an ISP,
a low-latency, high-speed VPN connection is reportedly possible.

Also, even on a 200 Mbps contract,
you can reportedly use 1 Gbps of bandwidth inside the NGN,
but because of the test equipment I could not try that this time.


■Prerequisites
・Line: FLET'S Hikari Next
・Hikari Denwa in use
・FLET'S v6 option already applied for
・YAMAHA routers (this time an SRT100 and an FWX120 facing each other)


■Network diagram
[Figure: DHCPv6-PD from the PR-400KI home gateway, YAMAHA NGN-VPN between the SRT100 and the FWX120]

■SRT100 config
※The security settings are rough,
 so adjust them to suit your environment.

console prompt SRT100
ip route change log on
ip route default gateway pp 1
ip route 192.168.10.0/24 gateway tunnel 1
ipv6 route default gateway dhcp lan2
description lan1 LAN
# lan1 address assumed from the ping test to 192.168.11.1 later in the post; not in the original listing
ip lan1 address 192.168.11.1/24
ipv6 lan1 address dhcp-prefix@lan2::1/64
description lan2 WAN
ip lan2 address 192.168.1.254/24
ipv6 lan2 address dhcp
ipv6 lan2 prefix change log on
ipv6 lan2 inbound filter list 1000 1001 1002 1003 1004 1005 1006 1007 1008 1100 1101 1102 1103 1104 1999
ipv6 lan2 dhcp service client
ngn type lan2 ntt
pp select 1
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname <PPPoE-account> <password>
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp mtu 1454
ip pp intrusion detection in on
ip pp intrusion detection in ip on reject=on
ip pp intrusion detection in ip-option on reject=on
ip pp intrusion detection in fragment on reject=on
ip pp intrusion detection in icmp on reject=on
ip pp intrusion detection in udp on reject=on
ip pp intrusion detection in tcp on reject=on
ip pp intrusion detection in default off
ip pp nat descriptor 1
ip pp tcp mss limit auto
pp enable 1
tunnel select 1
ipsec tunnel 1
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike keepalive log 1 off
ipsec ike keepalive use 1 on
ipsec ike pre-shared-key 1 text <pre-shared-key>
ipsec ike remote address 1 <peer-IPv6-address>
ip tunnel mtu 1420
ip tunnel tcp mss limit auto
tunnel enable 1
nat descriptor log off
nat descriptor type 1 masquerade
nat descriptor address outer 1 ipcp
nat descriptor address inner 1 192.168.11.0-192.168.11.255
nat descriptor masquerade incoming 1 discard
ipsec use on
ipsec auto refresh on
ipv6 inbound filter 1000 reject-nolog ::/96 * * *
ipv6 inbound filter 1001 reject-nolog ::1 * * *
ipv6 inbound filter 1002 reject-nolog ::ffff:0:0/96 * * *
ipv6 inbound filter 1003 reject-nolog 100::/64 * * *
ipv6 inbound filter 1004 reject-nolog 2001:2::/48 * * *
ipv6 inbound filter 1005 reject-nolog 2001:db8::/32 * * *
ipv6 inbound filter 1006 reject-nolog fc00::/7 * * *
ipv6 inbound filter 1007 reject-nolog fec0::/10 * * *
ipv6 inbound filter 1008 reject-nolog ff00::/8 * * *
ipv6 inbound filter 1100 pass-nolog fe80::/10 * * *
ipv6 inbound filter 1101 pass-nolog * * udp 547 546
ipv6 inbound filter 1102 pass-nolog * * icmp6
ipv6 inbound filter 1103 pass-nolog * * udp * 500
ipv6 inbound filter 1104 pass-nolog * * esp * *
ipv6 inbound filter 1999 reject-nolog * * * * *
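The inbound filter list on lan2 is evaluated in order and the first match decides: filters 1000 to 1008 drop bogon and documentation sources, 1100 to 1104 pass link-local, DHCPv6, ICMPv6, IKE (UDP 500) and ESP, and 1999 drops everything else. As written, IKE and ESP are accepted from any source address. The following Python model (an added example, not the author's code or a YAMAHA tool) replays that list against a few constructed packets so you can see which rule fires and why ordering matters, and shows the tightening of pinning 1103 and 1104 to the peer's address. The peer and local NGN addresses are constructed stand-ins, and the matcher handles only the syntax forms that appear in the post.

```python
import ipaddress

# Constructed copy of the inbound filter definitions from the configs above
# (same numbering), plus the list order applied on lan2.
FILTER_DEFS = """\
ipv6 inbound filter 1000 reject-nolog ::/96 * * *
ipv6 inbound filter 1001 reject-nolog ::1 * * *
ipv6 inbound filter 1002 reject-nolog ::ffff:0:0/96 * * *
ipv6 inbound filter 1003 reject-nolog 100::/64 * * *
ipv6 inbound filter 1004 reject-nolog 2001:2::/48 * * *
ipv6 inbound filter 1005 reject-nolog 2001:db8::/32 * * *
ipv6 inbound filter 1006 reject-nolog fc00::/7 * * *
ipv6 inbound filter 1007 reject-nolog fec0::/10 * * *
ipv6 inbound filter 1008 reject-nolog ff00::/8 * * *
ipv6 inbound filter 1100 pass-nolog fe80::/10 * * *
ipv6 inbound filter 1101 pass-nolog * * udp 547 546
ipv6 inbound filter 1102 pass-nolog * * icmp6
ipv6 inbound filter 1103 pass-nolog * * udp * 500
ipv6 inbound filter 1104 pass-nolog * * esp * *
ipv6 inbound filter 1999 reject-nolog * * * * *
"""
FILTER_ORDER = [int(n) for n in
                "1000 1001 1002 1003 1004 1005 1006 1007 1008 1100 1101 1102 1103 1104 1999".split()]

# Constructed stand-ins for the two routers' NGN (global IPv6) addresses.
PEER = "2408:abcd:1234::1"
LOCAL = "2408:abcd:5678::1"


def parse_filters(text):
    """Parse 'ipv6 inbound filter N action src dst [proto [sport [dport]]]' lines.
    Only the forms used in the post are modelled: single address, prefix, '*'
    wildcard and numeric ports. This is a model, not the router's own matcher."""
    rules = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["ipv6", "inbound", "filter"]:
            continue
        num, action, src, dst = int(tok[3]), tok[4], tok[5], tok[6]
        proto, sport, dport = (tok[7:] + ["*", "*", "*"])[:3]
        rules[num] = {
            "action": "pass" if action.startswith("pass") else "reject",
            "src": None if src == "*" else ipaddress.ip_network(src, strict=False),
            "dst": None if dst == "*" else ipaddress.ip_network(dst, strict=False),
            "proto": proto, "sport": sport, "dport": dport,
        }
    return rules


def _port_ok(rule_port, pkt_port):
    return rule_port == "*" or (pkt_port is not None and int(rule_port) == pkt_port)


def evaluate(rules, order, pkt):
    """Walk the list in order; the first matching filter decides.
    Returns (action, filter number) so you can see which rule fired."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for num in order:
        r = rules[num]
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["proto"] != "*" and r["proto"] != pkt["proto"]:
            continue
        if not _port_ok(r["sport"], pkt.get("sport")) or not _port_ok(r["dport"], pkt.get("dport")):
            continue
        return r["action"], num
    return "reject", None  # not reachable with catch-all 1999 in the list; modelled as drop


def pin_to_peer(text, peer, numbers=(1103, 1104)):
    """Tightened variant (assumed hardening, not from the post): accept IKE (1103)
    and ESP (1104) only from the peer's address instead of from any source."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ipv6", "inbound", "filter"] and int(tok[3]) in numbers:
            tok[5] = peer  # source '*' -> peer address (a /128 after parsing)
        out.append(" ".join(tok))
    return "\n".join(out)


def demo():
    """Constructed packets arriving on lan2, and the (action, rule) each one hits."""
    rules = parse_filters(FILTER_DEFS)
    pkts = {
        "ike_from_peer": {"src": PEER, "dst": LOCAL, "proto": "udp", "sport": 500, "dport": 500},
        "esp_from_peer": {"src": PEER, "dst": LOCAL, "proto": "esp"},
        "mgmt_tcp_from_peer": {"src": PEER, "dst": LOCAL, "proto": "tcp", "sport": 40000, "dport": 22},
        "icmp6_from_ula": {"src": "fc00::1", "dst": LOCAL, "proto": "icmp6"},
        "dhcpv6_reply": {"src": "fe80::1", "dst": "fe80::2", "proto": "udp", "sport": 547, "dport": 546},
        "ike_from_doc_prefix": {"src": "2001:db8::1", "dst": LOCAL, "proto": "udp", "sport": 500, "dport": 500},
    }
    return {name: evaluate(rules, FILTER_ORDER, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Two things the run makes visible: ICMPv6 from a ULA source is dropped by 1006 before 1102 ever gets a chance (the bogon block sits first on purpose), and once 1103/1104 are pinned, an IKE packet from any address other than the peer falls through to 1999. Pinning is only practical as long as the peer's NGN address is stable, which is exactly what the `ipv6 lan2 prefix change log on` line lets you watch for.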



■FWX120 config

console prompt FWX120
ip route change log on
ip route default gateway pp 1
ip route 192.168.11.0/24 gateway tunnel 1
ipv6 route default gateway dhcp lan2
description lan1 LAN
ip lan1 address 192.168.10.1/24
ipv6 lan1 address dhcp-prefix@lan2::1/64
description lan2 WAN
ipv6 lan2 address dhcp
ipv6 lan2 prefix change log on
ipv6 lan2 inbound filter list 1000 1001 1002 1003 1004 1005 1006 1007 1008 1100 1101 1102 1103 1104 1999
ipv6 lan2 dhcp service client
ngn type lan2 ntt
pp select 1
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname <PPPoE-account> <password>
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp mtu 1454
ip pp intrusion detection in on
ip pp intrusion detection in ip on reject=on
ip pp intrusion detection in ip-option on reject=on
ip pp intrusion detection in fragment on reject=on
ip pp intrusion detection in icmp on reject=on
ip pp intrusion detection in udp on reject=on
ip pp intrusion detection in tcp on reject=on
ip pp intrusion detection in default off
ip pp nat descriptor 1
ip pp tcp mss limit auto
pp enable 1
tunnel select 1
ipsec tunnel 1
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike keepalive log 1 off
ipsec ike keepalive use 1 on
ipsec ike pre-shared-key 1 text <pre-shared-key>
ipsec ike remote address 1 <peer-IPv6-address>
ip tunnel mtu 1420
ip tunnel tcp mss limit auto
tunnel enable 1
nat descriptor log off
nat descriptor type 1 masquerade
nat descriptor address outer 1 ipcp
nat descriptor address inner 1 192.168.10.0-192.168.10.255
nat descriptor masquerade incoming 1 discard
ipsec use on
ipsec auto refresh on
ipv6 inbound filter 1000 reject-nolog ::/96 * * *
ipv6 inbound filter 1001 reject-nolog ::1 * * *
ipv6 inbound filter 1002 reject-nolog ::ffff:0:0/96 * * *
ipv6 inbound filter 1003 reject-nolog 100::/64 * * *
ipv6 inbound filter 1004 reject-nolog 2001:2::/48 * * *
ipv6 inbound filter 1005 reject-nolog 2001:db8::/32 * * *
ipv6 inbound filter 1006 reject-nolog fc00::/7 * * *
ipv6 inbound filter 1007 reject-nolog fec0::/10 * * *
ipv6 inbound filter 1008 reject-nolog ff00::/8 * * *
ipv6 inbound filter 1100 pass-nolog fe80::/10 * * *
ipv6 inbound filter 1101 pass-nolog * * udp 547 546
ipv6 inbound filter 1102 pass-nolog * * icmp6
ipv6 inbound filter 1103 pass-nolog * * udp * 500
ipv6 inbound filter 1104 pass-nolog * * esp * *
ipv6 inbound filter 1999 reject-nolog * * * * *



The configuration above can be reused on an RTX1200 and similar models,
apart from the SRT100/FWX120-specific parts such as the inbound filters.
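The two configs have to mirror each other: each side's `ip route ... gateway tunnel 1` must be the other side's LAN, the NAT inner range must be the local LAN, the `ipsec sa policy` and tunnel MTU must agree, and every number in the `inbound filter list` must actually be defined (a filter number that is listed but never defined is silently skipped, which can leave IKE or ESP unreachable). The checker below is an added example, not the author's code: it reads condensed copies of the two configs above (the NGN addresses are constructed stand-ins, and the SRT100 `ip lan1 address` line is assumed from the later ping test to 192.168.11.1) and reports any mismatch before the configs are pasted into the routers.

```python
import ipaddress

# Inbound filter definitions (identical on both routers in the post).
FILTERS = """\
ipv6 inbound filter 1000 reject-nolog ::/96 * * *
ipv6 inbound filter 1001 reject-nolog ::1 * * *
ipv6 inbound filter 1002 reject-nolog ::ffff:0:0/96 * * *
ipv6 inbound filter 1003 reject-nolog 100::/64 * * *
ipv6 inbound filter 1004 reject-nolog 2001:2::/48 * * *
ipv6 inbound filter 1005 reject-nolog 2001:db8::/32 * * *
ipv6 inbound filter 1006 reject-nolog fc00::/7 * * *
ipv6 inbound filter 1007 reject-nolog fec0::/10 * * *
ipv6 inbound filter 1008 reject-nolog ff00::/8 * * *
ipv6 inbound filter 1100 pass-nolog fe80::/10 * * *
ipv6 inbound filter 1101 pass-nolog * * udp 547 546
ipv6 inbound filter 1102 pass-nolog * * icmp6
ipv6 inbound filter 1103 pass-nolog * * udp * 500
ipv6 inbound filter 1104 pass-nolog * * esp * *
ipv6 inbound filter 1999 reject-nolog * * * * *
"""
LIST = "ipv6 lan2 inbound filter list 1000 1001 1002 1003 1004 1005 1006 1007 1008 1100 1101 1102 1103 1104 1999\n"

# Condensed copies of the two configs: only the lines the checker reads. The NGN
# addresses are constructed stand-ins; the SRT100 'ip lan1 address' line is assumed
# from the ping test to 192.168.11.1 later in the post (it is not in the listing).
SRT100 = """\
ip route 192.168.10.0/24 gateway tunnel 1
ip lan1 address 192.168.11.1/24
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike remote address 1 2408:abcd:5678::1
ip tunnel mtu 1420
nat descriptor address inner 1 192.168.11.0-192.168.11.255
""" + LIST + FILTERS
FWX120 = """\
ip route 192.168.11.0/24 gateway tunnel 1
ip lan1 address 192.168.10.1/24
ipsec sa policy 1 1 esp aes-cbc sha-hmac
ipsec ike remote address 1 2408:abcd:1234::1
ip tunnel mtu 1420
nat descriptor address inner 1 192.168.10.0-192.168.10.255
""" + LIST + FILTERS


def parse(config):
    """Pull the tunnel-relevant facts out of a YAMAHA config dump."""
    f = {"filters": {}, "filter_list": []}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "route"] and "tunnel" in t:
            f["tunnel_route"] = ipaddress.ip_network(t[2])
        elif t[:3] == ["ip", "lan1", "address"]:
            f["lan"] = ipaddress.ip_interface(t[3]).network
        elif t[:5] == ["ipv6", "lan2", "inbound", "filter", "list"]:
            f["filter_list"] = [int(n) for n in t[5:]]
        elif t[:3] == ["ipsec", "sa", "policy"]:
            f["sa_policy"] = tuple(t[5:])        # ('esp', 'aes-cbc', 'sha-hmac')
        elif t[:3] == ["ip", "tunnel", "mtu"]:
            f["tunnel_mtu"] = int(t[3])
        elif t[:4] == ["nat", "descriptor", "address", "inner"]:
            lo, hi = t[5].split("-")
            f["nat_inner"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:3] == ["ipv6", "inbound", "filter"]:
            f["filters"][int(t[3])] = t[4:]      # [action, src, dst, proto, sport, dport]
    return f


def check_pair(a, b):
    """Return a list of findings; an empty list means the two sides are consistent."""
    issues = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["tunnel_route"] != other["lan"]:
            issues.append(f"{name}: tunnel route {me['tunnel_route']} != peer LAN {other['lan']}")
        lo, hi = me["nat_inner"]
        if not (lo in me["lan"] and hi in me["lan"]):
            issues.append(f"{name}: NAT inner range {lo}-{hi} is not the local LAN {me['lan']}")
        missing = [n for n in me["filter_list"] if n not in me["filters"]]
        if missing:
            issues.append(f"{name}: filter list references undefined filters {missing}")
        listed = [me["filters"][n] for n in me["filter_list"] if n in me["filters"]]
        if not any(r[0].startswith("pass") and "udp" in r and r[-1] == "500" for r in listed):
            issues.append(f"{name}: no pass filter for IKE (udp dport 500)")
        if not any(r[0].startswith("pass") and "esp" in r for r in listed):
            issues.append(f"{name}: no pass filter for ESP")
    if a["sa_policy"] != b["sa_policy"]:
        issues.append(f"sa policy differs: {a['sa_policy']} vs {b['sa_policy']}")
    if a["tunnel_mtu"] != b["tunnel_mtu"]:
        issues.append(f"tunnel MTU differs: {a['tunnel_mtu']} vs {b['tunnel_mtu']}")
    return issues


def demo():
    """The post's pair (clean) next to a simulated typo in the FWX120 tunnel route."""
    ok = check_pair(parse(SRT100), parse(FWX120))
    typo = check_pair(parse(SRT100), parse(FWX120.replace("192.168.11.0/24", "192.168.1.0/24")))
    return ok, typo


if __name__ == "__main__":
    print(demo())
```

One thing the checker cannot see: `ipsec ike remote address 1` pins the peer's NGN address, which is delegated by DHCPv6-PD. If that prefix ever changes, the tunnel will not come back until the remote address is updated on the other side, which is the practical reason the `ipv6 lan2 prefix change log on` line is in both configs.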




■State after the VPN tunnel is established


FWX120# show status tunnel 1
TUNNEL[1]:
Description:
Interface type: IPsec
Current status is Online.
from 2016/05/17 15:53:36.
48 seconds connection.
Received: (IPv4) 60 packets [1160 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 61 packets [2410 octets]
(IPv6) 0 packet [0 octet]


FWX120# show ipsec sa
Total: isakmp:1 send:1 recv:1

sa sgw isakmp connection dir life[s] remote-id
--------------------------------------------------------------------
1 1 1 tun[002]esp send 28745 2408:xxxx:xxxx:xxxx::xxxx
2 1 1 tun[002]esp recv 28745 2408:xxxx:xxxx:xxxx::xxxx
3 1 - isakmp - 28799 2408:xxxx:xxxx:xxxx::xxxx


FWX120# ping -c 5 192.168.11.1
received from 192.168.11.1: icmp_seq=0 ttl=254 time=10.944ms
received from 192.168.11.1: icmp_seq=1 ttl=254 time=10.029ms
received from 192.168.11.1: icmp_seq=2 ttl=254 time=10.170ms
received from 192.168.11.1: icmp_seq=3 ttl=254 time=10.140ms
received from 192.168.11.1: icmp_seq=4 ttl=254 time=11.024ms

5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max = 10.029/10.461/11.024 ms



Compared with an IPv4 Internet VPN via an ISP, the RTT was halved.

※The VPN was between sites in different prefectures.
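The three outputs above are what you would poll to know the tunnel is really up: `show status tunnel` gives the interface state and per-direction packet counters, and `show ipsec sa` should show one ESP SA in each direction plus the ISAKMP SA, each with plenty of lifetime left. The script below is an added example (not the author's code or a YAMAHA feature) that parses constructed copies of those outputs into a single health verdict, the kind of check you would run from a monitoring host after collecting the output over the router's CLI; a tunnel that is Online but has only one ESP direction, or no ISAKMP SA, or zero packets one way, is flagged as unhealthy.

```python
import re

# Constructed copies of the 'show status tunnel 1' and 'show ipsec sa' output
# above; the remote address keeps the post's masked form.
TUNNEL_OUT = """\
TUNNEL[1]:
Description:
Interface type: IPsec
Current status is Online.
from 2016/05/17 15:53:36.
48 seconds connection.
Received: (IPv4) 60 packets [1160 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 61 packets [2410 octets]
(IPv6) 0 packet [0 octet]
"""
SA_OUT = """\
Total: isakmp:1 send:1 recv:1

sa sgw isakmp connection dir life[s] remote-id
--------------------------------------------------------------------
1 1 1 tun[002]esp send 28745 2408:xxxx:xxxx:xxxx::xxxx
2 1 1 tun[002]esp recv 28745 2408:xxxx:xxxx:xxxx::xxxx
3 1 - isakmp - 28799 2408:xxxx:xxxx:xxxx::xxxx
"""


def parse_tunnel_status(text):
    """Interface state plus IPv4 packet counters in each direction."""
    s = {"online": "Current status is Online." in text, "rx": 0, "tx": 0}
    m = re.search(r"Received: \(IPv4\) (\d+) packets", text)
    if m:
        s["rx"] = int(m.group(1))
    m = re.search(r"Transmitted: \(IPv4\) (\d+) packets", text)
    if m:
        s["tx"] = int(m.group(1))
    return s


def parse_ipsec_sa(text):
    """One dict per SA row: 'sa sgw isakmp connection dir life[s] remote-id'."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 7 and t[0].isdigit():      # skips the header and the dashed line
            rows.append({"sa": int(t[0]), "conn": t[3], "dir": t[4],
                         "life": int(t[5]), "remote": t[6]})
    return rows


def assess(tunnel_text, sa_text, min_life=300):
    """Health verdict: Online, an ESP SA in each direction, an ISAKMP SA, none of
    them about to expire (min_life seconds), and packets flowing both ways."""
    st = parse_tunnel_status(tunnel_text)
    rows = parse_ipsec_sa(sa_text)
    esp_dirs = {r["dir"] for r in rows if r["conn"].endswith("esp")}
    min_l = min((r["life"] for r in rows), default=0)
    v = {
        "online": st["online"],
        "esp_both_dirs": esp_dirs == {"send", "recv"},
        "isakmp_present": any(r["conn"] == "isakmp" for r in rows),
        "lifetime_ok": min_l >= min_life,
        "traffic_both_ways": st["rx"] > 0 and st["tx"] > 0,
        "min_life": min_l,
        "rx": st["rx"], "tx": st["tx"],
    }
    v["healthy"] = all(v[k] for k in ("online", "esp_both_dirs", "isakmp_present",
                                      "lifetime_ok", "traffic_both_ways"))
    return v


if __name__ == "__main__":
    print(assess(TUNNEL_OUT, SA_OUT))
```

The lifetime threshold is a local choice: `ipsec auto refresh on` in the configs makes the router renegotiate before expiry, so a steadily shrinking `life[s]` with no refresh is the thing worth alerting on, not the absolute number.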