

Building an EdgeRouter site-to-site VPN (CLI)

Assume the EdgeRouters use the interfaces shown in the network topology below.




ER-R

eth0 (WAN) - 203.0.113.1

eth1 (LAN) - 192.168.1.1/24

vti0 - 10.255.12.1/30


ER-L

eth0 (WAN) - 192.0.2.1

eth1 (LAN) - 172.16.1.1/24

vti0 - 10.255.12.2/30


Route-Based VPN


Access the command line interface (CLI) on ER-R. You can click the CLI button in the GUI or use a program such as PuTTY.


1. Enter configuration mode.


configure


2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall / NAT policies in the iptables firewall.


set vpn ipsec auto-firewall-nat-exclude enable


3. Create the IKE / Phase 1 (P1) Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 28800

set vpn ipsec ike-group FOO0 proposal 1 dh-group 14

set vpn ipsec ike-group FOO0 proposal 1 encryption aes128

set vpn ipsec ike-group FOO0 proposal 1 hash sha1


4. Create the ESP / Phase 2 (P2) SA and enable PFS (Perfect Forward Secrecy).

set vpn ipsec esp-group FOO0 lifetime 3600

set vpn ipsec esp-group FOO0 pfs enable

set vpn ipsec esp-group FOO0 proposal 1 encryption aes128

set vpn ipsec esp-group FOO0 proposal 1 hash sha1


5. Define the remote peer address (replace <secret> with the pre-shared key you want to use).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret

set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>

set vpn ipsec site-to-site peer 192.0.2.1 description ipsec

set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1


6. Link the SAs created above to the remote peer and bind the VPN virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0

set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0

set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0


7. Configure the virtual tunnel interface (vti0) and assign it an IP address.

set interfaces vti vti0 address 10.255.12.1/30


8. Create a static route to the remote subnet.

set protocols static interface-route 172.16.1.0/24 next-hop-interface vti0


9. Commit the changes and save the configuration.

commit ; save



CLI: Access the command line interface (CLI) on ER-L.


1. Enter configuration mode.

configure


2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall / NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable


3. Create the IKE / Phase 1 (P1) Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 28800

set vpn ipsec ike-group FOO0 proposal 1 dh-group 14

set vpn ipsec ike-group FOO0 proposal 1 encryption aes128

set vpn ipsec ike-group FOO0 proposal 1 hash sha1


4. Create the ESP / Phase 2 (P2) SA and enable PFS (Perfect Forward Secrecy).

set vpn ipsec esp-group FOO0 lifetime 3600

set vpn ipsec esp-group FOO0 pfs enable

set vpn ipsec esp-group FOO0 proposal 1 encryption aes128

set vpn ipsec esp-group FOO0 proposal 1 hash sha1


5. Define the remote peer address (replace <secret> with the pre-shared key you want to use).

set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret

set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>

set vpn ipsec site-to-site peer 203.0.113.1 description ipsec

set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1


6. Link the SAs created above to the remote peer and bind the VPN virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0

set vpn ipsec site-to-site peer 203.0.113.1 vti bind vti0

set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group FOO0


7. Configure the virtual tunnel interface (vti0) and assign it an IP address.

set interfaces vti vti0 address 10.255.12.2/30


8. Create a static route to the remote subnet.

set protocols static interface-route 192.168.1.0/24 next-hop-interface vti0


9. Commit the changes and save the configuration.

commit ; save
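The ER-R and ER-L procedures above must mirror each other exactly: each side's peer address is the other side's local-address, the IKE / ESP proposals are identical, and the two vti0 addresses are distinct hosts in one /30. The following Python script is an added example, not part of the original post, that generates both sides' set commands from a single topology table and checks a generated pair for those mismatches before the commands are pasted into the CLI; the ROUTERS table, the helper names and the check rules are assumptions of the example, and the PSK is a placeholder.

```python
import ipaddress
import re
# Constructed topology mirroring the post's ER-R / ER-L diagram; the PSK is a placeholder.
ROUTERS = {
    "ER-R": {"wan": "203.0.113.1", "lan": "192.168.1.0/24", "vti": "10.255.12.1/30"},
    "ER-L": {"wan": "192.0.2.1", "lan": "172.16.1.0/24", "vti": "10.255.12.2/30"},
}

def build_config(local, remote, psk="<secret>"):
    """EdgeOS 'set' commands for one side of the tunnel (the post's steps 2-8)."""
    peer = f"set vpn ipsec site-to-site peer {remote['wan']}"
    return [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        "set vpn ipsec ike-group FOO0 lifetime 28800",
        "set vpn ipsec ike-group FOO0 proposal 1 dh-group 14",
        "set vpn ipsec ike-group FOO0 proposal 1 encryption aes128",
        "set vpn ipsec ike-group FOO0 proposal 1 hash sha1",
        "set vpn ipsec esp-group FOO0 lifetime 3600",
        "set vpn ipsec esp-group FOO0 pfs enable",
        "set vpn ipsec esp-group FOO0 proposal 1 encryption aes128",
        "set vpn ipsec esp-group FOO0 proposal 1 hash sha1",
        f"{peer} authentication mode pre-shared-secret",
        f"{peer} authentication pre-shared-secret {psk}",
        f"{peer} description ipsec",
        f"{peer} local-address {local['wan']}",
        f"{peer} ike-group FOO0",
        f"{peer} vti bind vti0",
        f"{peer} vti esp-group FOO0",
        f"set interfaces vti vti0 address {local['vti']}",
        f"set protocols static interface-route {remote['lan']} next-hop-interface vti0",
    ]

PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) local-address (\S+)$")

def check_pair(cfg_a, cfg_b):
    """Mismatches between the two sides' configs; an empty list means they mirror."""
    problems = []
    # Each side's peer must be the other side's local-address, or IKE goes to the wrong host.
    pa = next((m.groups() for l in cfg_a if (m := PEER_RE.match(l))), None)
    pb = next((m.groups() for l in cfg_b if (m := PEER_RE.match(l))), None)
    if pa is None or pb is None or pa[0] != pb[1] or pb[0] != pa[1]:
        problems.append("peer / local-address pairs are missing or not mirrored")
    # ike-group / esp-group parameters (not the per-peer references) must be identical.
    crypto = lambda cfg: sorted(l for l in cfg if "-group FOO0" in l and " peer " not in l)
    if crypto(cfg_a) != crypto(cfg_b):
        problems.append("IKE/ESP proposals differ between the two sides")
    vtis = [ipaddress.ip_interface(l.split()[-1]) for c in (cfg_a, cfg_b) for l in c if l.startswith("set interfaces vti ")]
    if len(vtis) != 2 or vtis[0].network != vtis[1].network or vtis[0].ip == vtis[1].ip:
        problems.append("vti0 addresses are not two distinct hosts in one /30")
    return problems
```

Run build_config for each router with the other as remote, and only paste the output once check_pair returns an empty list.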