
JANOG50 NETCON Level 3-1 解説

2022/07/15に公開

NETCON 問題解説(Level3-1)

Level3-1 概要

L2TP+IPSecのVPNが正常に構成できていないという状況の問題です。

トポロジ

問題文

PC1(10.0.0.1)からPC2(10.0.0.2)へのPing疎通ができない。
VPNの設定にミスがあるようだ。
設定ミスを修正し、疎通できるようにしてください。

初期Config

R0
janoger@vyos:~$ sh conf commands | no-more
set interfaces ethernet eth0 address '192.168.10.1/24'
set interfaces ethernet eth0 hw-id '50:01:00:01:00:00'
set interfaces ethernet eth1 address '192.168.20.1/24'
set interfaces ethernet eth1 hw-id '50:01:00:01:00:01'
set interfaces loopback lo
set protocols static route 192.168.10.0/24 next-hop 192.168.20.2
set protocols static route 192.168.20.0/24 next-hop 192.168.10.2
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'R0'
set system login user janoger authentication encrypted-password '$6$76iBTewwQV7hh32S$GTUnRb03nxjB18msIHhBPrsaEbemWqRmmDzUk45Fi0SrsQvNcg47JdRcXagrgbMWqf9ktDT0ilz0lxKRL9ZCW1'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
R1
janoger@R1:~$ sh conf commands | no-more
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface l2tpeth0
set interfaces ethernet eth0 address '192.168.10.2/24'
set interfaces ethernet eth0 hw-id '50:01:00:02:00:00'
set interfaces ethernet eth1 hw-id '50:01:00:02:00:01'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 peer-session-id '120'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '220'
set interfaces l2tpv3 l2tpeth0 remote '192.168.20.2'
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-address '192.168.10.2'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '210'
set interfaces loopback lo
set protocols static route 192.168.20.0/24 next-hop 192.168.10.1
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'R1'
set system login user janoger authentication encrypted-password '$6$76iBTewwQV7hh32S$GTUnRb03nxjB18msIHhBPrsaEbemWqRmmDzUk45Fi0SrsQvNcg47JdRcXagrgbMWqf9ktDT0ilz0lxKRL9ZCW1'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group ESP-1 compression 'disable'
set vpn ipsec esp-group ESP-1 lifetime '3600'
set vpn ipsec esp-group ESP-1 mode 'transport'
set vpn ipsec esp-group ESP-1 pfs 'enable'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1 close-action 'none'
set vpn ipsec ike-group IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1 lifetime '3600'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.20.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.20.2 authentication pre-shared-secret 'netcon'
set vpn ipsec site-to-site peer 192.168.20.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.20.2 ike-group 'IKE-1'
set vpn ipsec site-to-site peer 192.168.20.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.20.2 local-address '192.168.10.2'
set vpn ipsec site-to-site peer 192.168.20.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.20.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.20.2 tunnel 1 esp-group 'ESP-1'
set vpn ipsec site-to-site peer 192.168.20.2 tunnel 1 local port '5000'
set vpn ipsec site-to-site peer 192.168.20.2 tunnel 1 remote port '5000'
R2
janoger@R2:~$ sh conf commands | no-more
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface l2tpeth0
set interfaces ethernet eth0 address '192.168.20.2/24'
set interfaces ethernet eth0 hw-id '50:01:00:03:00:00'
set interfaces ethernet eth1 hw-id '50:01:00:03:00:01'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 peer-session-id '120'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '220'
set interfaces l2tpv3 l2tpeth0 remote '192.168.10.2'
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-address '192.168.20.2'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '210'
set interfaces loopback lo
set protocols static route 192.168.10.0/24 next-hop 192.168.20.1
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'R2'
set system login user janoger authentication encrypted-password '$6$76iBTewwQV7hh32S$GTUnRb03nxjB18msIHhBPrsaEbemWqRmmDzUk45Fi0SrsQvNcg47JdRcXagrgbMWqf9ktDT0ilz0lxKRL9ZCW1'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group ESP-1 compression 'disable'
set vpn ipsec esp-group ESP-1 lifetime '3600'
set vpn ipsec esp-group ESP-1 mode 'transport'
set vpn ipsec esp-group ESP-1 pfs 'enable'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1 close-action 'none'
set vpn ipsec ike-group IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1 lifetime '3600'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.10.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.10.2 authentication pre-shared-secret 'netcon'
set vpn ipsec site-to-site peer 192.168.10.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.10.2 ike-group 'IKE-1'
set vpn ipsec site-to-site peer 192.168.10.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.10.2 local-address '192.168.20.2'
set vpn ipsec site-to-site peer 192.168.10.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.10.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.10.2 tunnel 1 esp-group 'ESP-1'
set vpn ipsec site-to-site peer 192.168.10.2 tunnel 1 local port '5000'
set vpn ipsec site-to-site peer 192.168.10.2 tunnel 1 remote port '5000'

問題解説

R1とR2のConfigを比較してみると、L2TPのトンネルIDとセッションIDが対応していません。両者とも tunnel-id '210' / session-id '110'、peer-tunnel-id '220' / peer-session-id '120' と同じ値になっており、自側のpeer IDが相手側のローカルIDと一致していません。IPsec側の設定(IKE/ESPグループ、事前共有鍵、ポート5000)は両者で一致しているため、修正が必要なのはL2TPv3のIDのみです。
片方を修正することで解決します。
今回は例としてR2のConfigを修正します。

delete interfaces l2tpv3 l2tpeth0
delete interfaces bridge br0 member interface l2tpeth0
commit
 
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '210'
set interfaces l2tpv3 l2tpeth0 remote '192.168.10.2'
set interfaces l2tpv3 l2tpeth0 session-id '120'
set interfaces l2tpv3 l2tpeth0 source-address '192.168.20.2'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '220'
commit
 
set interfaces bridge br0 member interface l2tpeth0
commit

PC1からPC2にPingを打ち、正常に通信できることを確認します。

PC1> ping 10.0.0.2

84 bytes from 10.0.0.2 icmp_seq=1 ttl=64 time=2.523 ms
84 bytes from 10.0.0.2 icmp_seq=2 ttl=64 time=2.537 ms
84 bytes from 10.0.0.2 icmp_seq=3 ttl=64 time=2.367 ms
84 bytes from 10.0.0.2 icmp_seq=4 ttl=64 time=2.537 ms
84 bytes from 10.0.0.2 icmp_seq=5 ttl=64 time=2.850 ms

問題なく通信できているため、解決となります。
