Building and Installing a Private Network, Part 2: IPSEC Multi Tunnel

1. Configuration Goals

1.1 Connecting multi-center private IP space to Bluemix Infra without NAT

Using the IPSEC VPN feature, connect the customer's center 1 and center 2 so that both can communicate with the SoftLayer private network without renumbering the private IP ranges in use at either customer center.

1.2 A bridge or hub center built on Bluemix Infra

Using the same IPSEC VPN feature, customer centers in different regions communicate with each other over their existing private IP addresses, with the Bluemix Infra center acting as the hub between them.

2. Configuration Overview

Design

The configuration needs a Vyatta gateway in Bluemix Infra and an IPSEC VPN device at each customer center.

Assume that customer center 1 hosts server zone 1, customer center 2 hosts server zone 2, and Bluemix Infra hosts server zones 4, 5 and 6, and that all of them need to reach each other.

Server zones 4, 5 and 6 inside Bluemix Infra must sit behind the Vyatta, and the Vyatta must be the gateway of each zone on a dedicated virtual (VLAN) interface. Every packet between a zone and a customer center therefore passes through the Vyatta, which is the single point where the IPSEC policy is applied.

3. Configuration

3.1 IPSEC tunnel parameters

A. Phase 1 (IKE)

Authentication: pre-shared key, IPSecVPNPassword (a placeholder; use a long, randomly generated secret that differs for every peer, and never publish the real one)

Encryption method: 3DES

Hash method: SHA1

DH group: 1

Lifetime: 14400 seconds (the value set for IKE-G0 in 3.4; the peers must match the configured value)

B. Phase 2 (ESP)

Encryption method: 3DES

Hash method: SHA1

PFS DH group: 1

Lifetime: 3600 seconds (the value set for ESP-G0 in 3.4 and shown as L-Time in 3.7)

Both phases use 3DES, SHA1 and DH group 1 (768-bit MODP). These are legacy choices, kept here only because the customer-side devices were set up with them; 3DES and DH group 1 are deprecated, and wherever both ends support it the same configuration should use AES (aes256), SHA-256 and at least DH group 14, with identical values on every peer.

C. Vyatta connect (public) IP: 50.23.69.194

Vyatta local prefix (Bluemix Infra private network): 10.52.0.0/16

D. Center 1 connect (public) IP: 192.155.223.54

Center 1 local prefix: 10.91.31.0/24

E. Center 2 connect (public) IP: 119.81.184.214

Center 2 local prefix: 10.111.40.0/24

3.2 Vyatta virtual interface configuration

Each server zone gets its own VLAN sub-interface (vif) on bond0, and the .1 address on each vif is the gateway IP of that zone:

set interfaces bonding bond0 vif 110 address '10.52.110.1/24'

set interfaces bonding bond0 vif 111 address '10.52.111.1/24'

set interfaces bonding bond0 vif 112 address '10.52.112.1/24'

3.3 Checking the Vyatta virtual interfaces

vyatta@vyatta:~$ show interfaces

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down

Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
bond0            10.52.109.15/26                   u/u
bond0.110        10.52.110.1/24                    u/u
bond0.111        10.52.111.1/24                    u/u
bond0.112        10.52.112.1/24                    u/u
bond0v1          10.52.109.8/26                    u/u
bond1            50.23.69.197/29                   u/u
                 2607:f0d0:2101:229::2/64
bond1v1          50.23.69.194/29                   u/u
eth0             -                                 u/u
eth1             -                                 u/u
eth2             -                                 u/D
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u

bond0 is the private bond and bond1 the public bond; bond0v1 and bond1v1 are their VRRP virtual interfaces, and 50.23.69.194 on bond1v1 is the address the IPSEC peers connect to. The three bond0.11x sub-interfaces carry the gateway addresses set in 3.2.

3.4 Vyatta IPSEC VPN policy configuration

set vpn ipsec esp-group ESP-G0 lifetime '3600'

set vpn ipsec esp-group ESP-G0 pfs 'dh-group1'

set vpn ipsec esp-group ESP-G0 proposal 1 encryption '3des'

set vpn ipsec esp-group ESP-G0 proposal 1 hash 'sha1'

set vpn ipsec ike-group IKE-G0 lifetime '14400'

set vpn ipsec ike-group IKE-G0 proposal 1 dh-group '1'

set vpn ipsec ike-group IKE-G0 proposal 1 encryption '3des'

set vpn ipsec ike-group IKE-G0 proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'bond1'

ESP-G0 is the phase 2 (ESP) group and IKE-G0 the phase 1 (IKE) group. Both are referenced by each peer in 3.5 and 3.6, so a change here applies to every tunnel at once. The ESP lifetime (3600) is kept shorter than the IKE lifetime (14400) so that child SAs rekey under a still-valid IKE SA. No key-exchange version is set, so the platform default applies (IKEv1 on Vyatta releases of this period; set IKEv2 explicitly if the peers support it). The ipsec-interfaces line binds IPSEC to bond1, the bond that carries the local address 50.23.69.194 used by both peers.

3.5 Vyatta IPSEC VPN tunnel 1 configuration (peer: center 1)

set vpn ipsec site-to-site peer 192.155.223.54 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 192.155.223.54 authentication pre-shared-secret 'IPSecVPNPassword'

set vpn ipsec site-to-site peer 192.155.223.54 default-esp-group 'ESP-G0'

set vpn ipsec site-to-site peer 192.155.223.54 ike-group 'IKE-G0'

set vpn ipsec site-to-site peer 192.155.223.54 local-address '50.23.69.194'

set vpn ipsec site-to-site peer 192.155.223.54 tunnel 1 local prefix '10.52.0.0/16'

set vpn ipsec site-to-site peer 192.155.223.54 tunnel 1 remote prefix '10.91.31.0/24'

3.6 Vyatta IPSEC VPN tunnel 2 configuration (peer: center 2)

set vpn ipsec site-to-site peer 119.81.184.214 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 119.81.184.214 authentication pre-shared-secret 'IPSecVPNPassword'

set vpn ipsec site-to-site peer 119.81.184.214 default-esp-group 'ESP-G0'

set vpn ipsec site-to-site peer 119.81.184.214 ike-group 'IKE-G0'

set vpn ipsec site-to-site peer 119.81.184.214 local-address '50.23.69.194'

set vpn ipsec site-to-site peer 119.81.184.214 tunnel 2 local prefix '10.52.0.0/16'

set vpn ipsec site-to-site peer 119.81.184.214 tunnel 2 remote prefix '10.111.40.0/24'

The tunnel number is an index local to each peer stanza: tunnel 1 under 192.155.223.54 and tunnel 2 under 119.81.184.214 are unrelated, and each peer's list could equally start at 1. The two stanzas above use the same pre-shared secret; in a real deployment give each peer its own randomly generated key so that one compromised site cannot authenticate as the other.
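As an added example (not code from the original page or from Vyatta), the following Python script audits the `set` lines from 3.4 through 3.6 the way a reviewer would before accepting this configuration: it flags each deprecated algorithm together with the value to use instead, checks that the ESP lifetime is shorter than the IKE lifetime, and flags a pre-shared key that is short or reused across peers. The deprecation table and the 20-character PSK minimum are this example's own policy, and the replacement values (aes256, sha256, dh-group14) are assumed to be accepted by the Vyatta release in use, which tab completion in configure mode will confirm.

```python
"""Audit the Vyatta IPsec settings of sections 3.4-3.6 for deprecated
algorithms, lifetime ordering and pre-shared-key hygiene.

Added example for this page, not code from the original post or from
Vyatta. The `set` lines are copied from the page; the policy table of
deprecated value -> replacement and MIN_PSK_LEN are assumptions of this
example (3DES and DH groups 1/2/5 deprecated, SHA-1 replaced by SHA-256,
DH group 14 as a floor, a unique PSK of at least 20 characters per peer).
"""
import re
from collections import defaultdict

# Constructed input: the lines configured on the Vyatta in sections 3.4-3.6.
VYATTA_CONFIG = """
set vpn ipsec esp-group ESP-G0 lifetime '3600'
set vpn ipsec esp-group ESP-G0 pfs 'dh-group1'
set vpn ipsec esp-group ESP-G0 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-G0 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-G0 lifetime '14400'
set vpn ipsec ike-group IKE-G0 proposal 1 dh-group '1'
set vpn ipsec ike-group IKE-G0 proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-G0 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 192.155.223.54 authentication pre-shared-secret 'IPSecVPNPassword'
set vpn ipsec site-to-site peer 119.81.184.214 authentication pre-shared-secret 'IPSecVPNPassword'
"""

# Example policy (assumption): deprecated value -> recommended replacement.
WEAK = {
    "encryption": {"des": "aes256", "3des": "aes256"},
    "hash": {"md5": "sha256", "sha1": "sha256"},
    "dh-group": {"1": "14", "2": "14", "5": "14"},
    "pfs": {"dh-group1": "dh-group14", "dh-group2": "dh-group14", "dh-group5": "dh-group14"},
}
MIN_PSK_LEN = 20  # assumption: minimum length of an acceptable pre-shared key

GROUP_RE = re.compile(
    r"^set vpn ipsec (?P<kind>esp-group|ike-group) (?P<name>\S+) "
    r"(?:proposal \d+ )?(?P<key>[\w-]+) '(?P<val>[^']*)'$"
)
PSK_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (?P<peer>\S+) authentication "
    r"pre-shared-secret '(?P<psk>[^']*)'$"
)


def audit_algorithms(config: str) -> list[str]:
    """One finding per deprecated algorithm value, plus one if the ESP
    (phase 2) lifetime is not shorter than the IKE (phase 1) lifetime."""
    findings, lifetimes = [], {}
    for line in config.strip().splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:
            continue
        if m["key"] == "lifetime":
            lifetimes[m["kind"]] = int(m["val"])
        repl = WEAK.get(m["key"], {}).get(m["val"])
        if repl:
            findings.append(f"{m['kind']} {m['name']}: {m['key']} '{m['val']}' is deprecated, use '{repl}'")
    if lifetimes.get("esp-group", 0) >= lifetimes.get("ike-group", 1 << 31):
        findings.append("esp-group lifetime must be shorter than ike-group lifetime")
    return findings


def audit_psks(config: str) -> list[str]:
    """Flag short pre-shared keys and keys reused across more than one peer."""
    findings, by_psk = [], defaultdict(list)
    for line in config.strip().splitlines():
        m = PSK_RE.match(line.strip())
        if m:
            by_psk[m["psk"]].append(m["peer"])
    for psk, peers in by_psk.items():
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"PSK for {', '.join(peers)} is only {len(psk)} chars; use >= {MIN_PSK_LEN} random chars")
        if len(peers) > 1:
            findings.append(f"PSK shared by {len(peers)} peers ({', '.join(peers)}); use one key per peer")
    return findings


def harden(config: str) -> list[str]:
    """Return the `set` lines with each deprecated value swapped for its replacement."""
    out = []
    for line in config.strip().splitlines():
        s = line.strip()
        m = GROUP_RE.match(s)
        repl = WEAK.get(m["key"], {}).get(m["val"]) if m else None
        if repl:
            s = s[: m.start("val")] + repl + s[m.end("val"):]
        out.append(s)
    return out


if __name__ == "__main__":
    for finding in audit_algorithms(VYATTA_CONFIG) + audit_psks(VYATTA_CONFIG):
        print("FINDING:", finding)
    print("\n".join(harden(VYATTA_CONFIG)))
```

Run against the page's configuration the audit reports six deprecated values (3DES, SHA1 and DH group 1 in each phase) plus the short, shared PSK; harden() prints the same stanza with aes256, sha256 and dh-group14 substituted, which is the proposal set to agree with the customer-side devices on before the cut-over.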

3.7 Checking the Vyatta IPSEC VPN tunnels

vyatta@vyatta:~$ show vpn ipsec sa

Peer ID / IP                            Local ID / IP
------------                            -------------
192.155.223.54                          50.23.69.194

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    2       up     0.0/1.2K       3des     sha1  no     354     3600    all

Peer ID / IP                            Local ID / IP
------------                            -------------
119.81.184.214                          50.23.69.194

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/1.4K       3des     sha1  no     354     3600    all

Both SAs are up with the negotiated 3des/sha1, NAT-T is no (both ends have public addresses, so no NAT sits in the path), and L-Time 3600 matches the ESP-G0 lifetime. The Tunnel column in this capture shows 2 for 192.155.223.54 and 1 for 119.81.184.214, the reverse of the numbering in 3.5 and 3.6; since the index only has to be consistent within its own peer stanza, this does not change which prefixes each SA carries. The Bytes Out/In counters are the quickest way to see whether traffic is actually entering a tunnel: 0.0 Out here means the Vyatta had not yet sent anything toward either site when the capture was taken.

3.8 Checking the Vyatta routing table

vyatta@vyatta:~$ show ip route

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

Gateway of last resort is 50.23.69.193 to network 0.0.0.0

S   *> 0.0.0.0/0 [1/0] via 50.23.69.193, bond1
S   *> 10.0.0.0/8 [1/0] via 10.52.109.1, bond0
C   *  10.52.109.0/26 is directly connected, bond0v1
C   *> 10.52.109.0/26 is directly connected, bond0
K   *> 10.91.31.0/24 is directly connected, bond1v1
K   *> 10.111.40.0/24 is directly connected, bond1v1
C   *  50.23.69.192/29 is directly connected, bond1v1
C   *> 50.23.69.192/29 is directly connected, bond1
C   *> 127.0.0.0/8 is directly connected, lo

The two K (kernel) routes for 10.91.31.0/24 and 10.111.40.0/24 via bond1v1 are the routes the IPSEC subsystem installs when the tunnels come up. They are more specific than the static 10.0.0.0/8 route via 10.52.109.1 (the SoftLayer private backend gateway), so longest-prefix matching steers traffic for the two customer centers into the tunnels rather than onto the SoftLayer backbone. If a tunnel goes down its kernel route disappears and traffic for that site silently falls back to the /8 route; a missing K route here is the first thing to check when a remote site stops answering.

Checking the result

From the server 10.111.40.80 in server zone 2 at center 2, ping the server 10.91.31.75 in server zone 1 at center 1; the packets reach the Vyatta over tunnel 2 and continue to center 1 over tunnel 1.

With policy-based IPSEC this path only works if the Vyatta holds a security association whose selectors cover 10.111.40.0/24 and 10.91.31.0/24 in both directions, and each center's VPN device has the matching selector for the other center's prefix. The stanzas in 3.5 and 3.6 pair only 10.52.0.0/16 with each center, so before running the test add a second tunnel under each peer whose local prefix is the other center's network (under peer 192.155.223.54: local prefix 10.111.40.0/24, remote prefix 10.91.31.0/24; the mirror image under peer 119.81.184.214), and the corresponding selectors on both customer devices. If the ping still fails, confirm in `show vpn ipsec sa` that both SAs are up and that the Bytes Out counter of the egress tunnel increases, check `show ip route` for the two kernel routes, and capture on bond1 to verify that ESP actually leaves toward the correct peer.
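To make the selector and routing requirements concrete, here is an added Python example (not from the original page or from Vyatta) that models the hub's policy-based IPSEC using the tunnels from 3.5 and 3.6 and the selected routes from 3.8. It answers the three questions a practitioner checks before the ping test: which SA, if any, carries a given source/destination pair; whether center-to-center transit has a matching SA both where the packet is decrypted and where it is re-encrypted; and which route a destination takes by longest-prefix match. The with_transit() function adds the cross-center selectors (one extra tunnel per peer whose local prefix is the other center's network); those tunnels are this example's assumption of what the hub needs, not configuration shown on the page, and the same prefixes must be mirrored on each center's VPN device.

```python
"""Model the hub Vyatta's policy-based IPSEC selectors and routing table.

Added example for this page (not the page's own code, not Vyatta code).
Tunnels and routes are constructed from sections 3.5, 3.6 and 3.8;
with_transit() adds cross-center selectors that are this example's own
assumption of what hub-and-spoke transit needs.
"""
from ipaddress import ip_address, ip_network

# Constructed from 3.5 and 3.6: peer -> [(tunnel id, local prefix, remote prefix)]
PAGE_TUNNELS = {
    "192.155.223.54": [(1, "10.52.0.0/16", "10.91.31.0/24")],   # center 1
    "119.81.184.214": [(2, "10.52.0.0/16", "10.111.40.0/24")],  # center 2
}

# Constructed from 3.8: the selected (*>) routes as (prefix, next hop / interface)
PAGE_ROUTES = [
    ("0.0.0.0/0", "50.23.69.193 via bond1"),
    ("10.0.0.0/8", "10.52.109.1 via bond0"),
    ("10.52.109.0/26", "bond0"),
    ("10.91.31.0/24", "bond1v1"),
    ("10.111.40.0/24", "bond1v1"),
    ("50.23.69.192/29", "bond1"),
]


def matching_sa(tunnels, src, dst):
    """(peer, tunnel id) of the first selector with src in the local prefix and
    dst in the remote prefix, i.e. the SA that would encrypt src -> dst on the
    hub; None means the packet would leave in the clear or be dropped."""
    s, d = ip_address(src), ip_address(dst)
    for peer, entries in tunnels.items():
        for tid, local, remote in entries:
            if s in ip_network(local) and d in ip_network(remote):
                return peer, tid
    return None


def transit_path(tunnels, src, dst):
    """Hub transit needs two matches: the arriving packet must fit an SA as
    (local=dst, remote=src) to be accepted after decryption, and the forwarded
    packet must fit an SA as (local=src, remote=dst) to be re-encrypted."""
    ingress = matching_sa(tunnels, dst, src)
    egress = matching_sa(tunnels, src, dst)
    return ingress, egress


def with_transit(tunnels):
    """Copy of tunnels plus, for every pair of peers, a selector on peer A whose
    local prefix is peer B's remote prefix (assumed transit tunnels)."""
    out = {peer: list(entries) for peer, entries in tunnels.items()}
    for a in tunnels:
        for b in tunnels:
            if a == b:
                continue
            for _, _, remote_b in tunnels[b]:
                for _, _, remote_a in tunnels[a]:
                    next_id = max(tid for tid, _, _ in out[a]) + 1
                    out[a].append((next_id, remote_b, remote_a))
    return out


def transit_set_lines(tunnels):
    """Vyatta `set` commands for the selectors with_transit() adds."""
    lines = []
    for peer, entries in with_transit(tunnels).items():
        for tid, local, remote in entries:
            if (tid, local, remote) in tunnels[peer]:
                continue
            lines.append(f"set vpn ipsec site-to-site peer {peer} tunnel {tid} local prefix '{local}'")
            lines.append(f"set vpn ipsec site-to-site peer {peer} tunnel {tid} remote prefix '{remote}'")
    return lines


def selected_route(routes, dst):
    """Longest-prefix match over the selected routes; returns the next hop."""
    d = ip_address(dst)
    hits = [(ip_network(p).prefixlen, via) for p, via in routes if d in ip_network(p)]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    print("hub -> center 1:", matching_sa(PAGE_TUNNELS, "10.52.110.10", "10.91.31.75"))
    print("center 2 -> center 1, page config:", transit_path(PAGE_TUNNELS, "10.111.40.80", "10.91.31.75"))
    print("center 2 -> center 1, with transit:",
          transit_path(with_transit(PAGE_TUNNELS), "10.111.40.80", "10.91.31.75"))
    print("\n".join(transit_set_lines(PAGE_TUNNELS)))
    print("route for 10.91.31.75:", selected_route(PAGE_ROUTES, "10.91.31.75"))
```

With the page's two stanzas, hub-to-center traffic matches an SA but the center 2 to center 1 ping matches none on either leg; after with_transit() the same ping is decrypted on the center 2 peer's added tunnel and re-encrypted on the center 1 peer's added tunnel. selected_route() shows why the kernel /24 routes matter: 10.91.31.75 resolves to bond1v1, while any other 10.x address that has no tunnel follows the /8 to the SoftLayer backend gateway.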