
SEIL/x86 Ayame de VPN to AWS

by otsuka752

SEIL finally got its first major version update in eight years, so I immediately tried building a site-to-site VPN to AWS with it. Incidentally, at home I have one SEIL 2FE (plus?) and two SEIL/x86 Fuji, and no VPN within the house.

You can apply for a trial product key at the site below. I only realized afterwards that I should have applied for two at the same time.

I booted it in VirtualBox 6.0.14 on a Mac mini, pointing the VM at seilx86-ovf.vmdk. Entering the product key as described in the official manual completed the setup. Below is the screen after the product key has been entered.

Next, the network setup. On the Mac mini, en1 is connected to Wi-Fi and has been assigned 192.168.3.192 by DHCP.

Host (Mac mini)
Mac mini en1 : 192.168.3.192/20 (Wi-Fi / DHCP)

Guest (SEIL)
SEIL ge0 : 192.168.0.1/24 (IN)
SEIL ge1 : 10.0.3.15/24 (OUT)
SEIL ipsec1 : vpn-XXXX (Ireland region) : Static : 172.31.0.0/16
SEIL ipsec3 : vpn-YYYY (London region) : BGP : 10.6.0.0/16

VirtualBox Adapter 1 is a "NAT Network" (internal network) and is connected to the other guest OSes.

VirtualBox Adapter 2 is "NAT", so the guest can be reached from the host through port forwarding.

TCP/9999 on the host (192.168.3.192) is forwarded to TCP/22 on the guest (10.0.3.15).

SSHing to TCP/9999 on the host (192.168.3.192) therefore logs you in to SEIL/x86 Ayame on the guest (10.0.3.15).

Now prepare the site-to-site VPN on the AWS side. Details omitted.

The Ireland region is reached through a static route for 172.31.0.0/16, while the London region advertises 10.6.0.0/16 over BGP. The inside of the SEIL is 192.168.0.0/24. To keep the example below simple, I use only one VPN tunnel per region (ipsec1 and ipsec3); AWS provides two per connection.

SEIL ge0 : 192.168.0.1/24 (IN)
SEIL ge1 : 10.0.3.15/24 (OUT)
SEIL ipsec1 : 169.254.255.2 <--(Static)--> 169.254.255.1 : VPC-1 172.31.0.0/16
SEIL ipsec2 : 169.254.255.6 <--(Static)--> 169.254.255.5 : VPC-1 172.31.0.0/16
SEIL ipsec3 : 169.254.255.10 <--(BGP)--> 169.254.255.9 : VPC-2 10.6.0.0/16
SEIL ipsec4 : 169.254.255.14 <--(BGP)--> 169.254.255.13 : VPC-2 10.6.0.0/16

Here is the config, pasted as-is. Being able to edit the config with the "edit" command and then "commit" it was convenient.

ayame# show config
bgp.ipv4.network.100.prefix: 192.168.0.0/24
bgp.my-as-number: 65000
bgp.neighbor.100.address: 169.254.255.9
bgp.neighbor.100.remote-as: 64512
bgp.router-id: 169.254.255.2
hostname: ayame
ike.auto-initiation: enable
ike.dpd-interval: 10
ike.interval: 40
ike.phase1-timeout: 01m
ike.phase2-timeout: 02m20s
interface.ge0.ipv4.address: 192.168.0.1/24
interface.ge1.ipv4.address: dhcp
interface.ipsec1.ike.proposal.phase1.dh-group: modp1024
interface.ipsec1.ike.proposal.phase1.encryption.100.algorithm: aes128
interface.ipsec1.ike.proposal.phase1.hash.100.algorithm: sha1
interface.ipsec1.ike.proposal.phase1.lifetime: 28800s
interface.ipsec1.ike.proposal.phase2.authentication.100.algorithm: hmac-sha1
interface.ipsec1.ike.proposal.phase2.encryption.100.algorithm: aes128
interface.ipsec1.ike.proposal.phase2.lifetime-of-time: 3600s
interface.ipsec1.ike.proposal.phase2.pfs-group: modp1024
interface.ipsec1.ipv4.address: 169.254.255.2/30
interface.ipsec1.ipv4.destination: 52.50.xx.xx
interface.ipsec1.ipv4.remote: 169.254.255.1
interface.ipsec1.ipv4.source: 10.0.3.15
interface.ipsec1.ipv4.tcp-mss: 1379
interface.ipsec1.ipv6.forward: pass
interface.ipsec1.mtu: 1427
interface.ipsec1.preshared-key: 1111(snip)1111
interface.ipsec3.ike.proposal.phase1.dh-group: modp1024
interface.ipsec3.ike.proposal.phase1.encryption.100.algorithm: aes128
interface.ipsec3.ike.proposal.phase1.hash.100.algorithm: sha1
interface.ipsec3.ike.proposal.phase1.lifetime: 28800s
interface.ipsec3.ike.proposal.phase2.authentication.100.algorithm: hmac-sha1
interface.ipsec3.ike.proposal.phase2.encryption.100.algorithm: aes128
interface.ipsec3.ike.proposal.phase2.lifetime-of-time: 3600s
interface.ipsec3.ike.proposal.phase2.pfs-group: modp1024
interface.ipsec3.ipv4.address: 169.254.255.10/30
interface.ipsec3.ipv4.destination: 52.56.YY.YY
interface.ipsec3.ipv4.remote: 169.254.255.9
interface.ipsec3.ipv4.source: 10.0.3.15
interface.ipsec3.ipv4.tcp-mss: 1379
interface.ipsec3.ipv6.forward: pass
interface.ipsec3.mtu: 1427
interface.ipsec3.preshared-key: 2222(snip)2222
option.timezone: UTC
route.ipv4.100.destination: default
route.ipv4.100.gateway: 10.0.3.2
route.ipv4.200.destination: 172.31.0.0/16
route.ipv4.200.gateway: ipsec1
sshd.password-authentication: enable
sshd.service: enable
telnetd.service: disable
terminal.login-timer: 999999
terminal.pager: disable
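A quick way to sanity-check a config like the one above is to cross-reference its three relevant sections: every ipsecN interface should be fed traffic either by a static route whose gateway is the interface (ipsec1 here) or by a BGP neighbor sitting on the tunnel's inner /30 (ipsec3 here). The script below is an added example, not part of the original post or of SEIL; the config text is a constructed excerpt of the one shown above.

```python
"""Cross-check a SEIL 'show config' key/value dump: how is each ipsecN
interface steered into use (static route, BGP neighbor, or not at all)?
Added example; SAMPLE_CONFIG is a constructed excerpt of the post's config."""
import re

SAMPLE_CONFIG = """\
bgp.my-as-number: 65000
bgp.neighbor.100.address: 169.254.255.9
bgp.neighbor.100.remote-as: 64512
interface.ipsec1.ipv4.address: 169.254.255.2/30
interface.ipsec1.ipv4.remote: 169.254.255.1
interface.ipsec1.preshared-key: 1111(snip)1111
interface.ipsec3.ipv4.address: 169.254.255.10/30
interface.ipsec3.ipv4.remote: 169.254.255.9
interface.ipsec3.preshared-key: 2222(snip)2222
route.ipv4.100.destination: default
route.ipv4.100.gateway: 10.0.3.2
route.ipv4.200.destination: 172.31.0.0/16
route.ipv4.200.gateway: ipsec1
"""


def parse_config(text):
    """'key: value' lines -> dict, matching the show config format."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def tunnel_usage(cfg):
    """Map each ipsecN interface to 'static' (a route.ipv4.*.gateway names
    it), 'bgp' (a bgp.neighbor.*.address equals its ipv4.remote), or
    'unused' (traffic can never enter the tunnel; a config mistake)."""
    ifaces = sorted({m.group(1) for k in cfg
                     if (m := re.match(r"interface\.(ipsec\d+)\.", k))})
    static_gw = {v for k, v in cfg.items()
                 if k.startswith("route.ipv4.") and k.endswith(".gateway")}
    neighbors = {v for k, v in cfg.items()
                 if k.startswith("bgp.neighbor.") and k.endswith(".address")}
    usage = {}
    for name in ifaces:
        remote = cfg.get(f"interface.{name}.ipv4.remote")
        if name in static_gw:
            usage[name] = "static"
        elif remote in neighbors:
            usage[name] = "bgp"
        else:
            usage[name] = "unused"
    return usage
```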

The IKE/IPsec status as well, though it is hard to read. Note that the E: and A: lines in the show status ipsec output are the live ESP encryption and HMAC keys of each SA, so they deserve the same (snip) treatment as the pre-shared keys if the dump is shared while the SAs are still alive.

ayame# show status ike
PHASE1 (shared) 10.0.3.15[4500] <> 52.50.xx.xx[4500]
Cookies: 0xeb64efd3a5109cab:0xf7870f45bae8dd72
Status: established
Side: initiator
Phase2 Negotiations: 2
Create Time: 2019-12-25 12:41:17
Lifetime[sec]: 28800 (27799 left)
Identity (local): 10.0.3.15/32 (AddressPrefix)
Identity (remote): 52.50.xx.xx/32 (AddressPrefix)
DPD status: established

PHASE1 (shared) 10.0.3.15[4500] <> 52.56.yy.yy[4500]
Cookies: 0xb50db667e069c959:0x705f6ebffc1be30c
Status: established
Side: initiator
Phase2 Negotiations: 4
Create Time: 2019-12-25 11:39:39
Lifetime[sec]: 28800 (24101 left)
Identity (local): 10.0.3.15/32 (AddressPrefix)
Identity (remote): 52.56.yy.yy/32 (AddressPrefix)
DPD status: established

PHASE1 (shared) 10.0.3.15[4500] <> 52.50.xx.xx[4500]
Cookies: 0xe002d0427fed6a5a:0x870201d123bbe347
Status: established
Side: initiator
Phase2 Negotiations: 16
Create Time: 2019-12-25 06:17:17
Lifetime[sec]: 28800 (4759 left)
Identity (local): 10.0.3.15/32 (AddressPrefix)
Identity (remote): 52.50.xx.xx/32 (AddressPrefix)
DPD status: recv only (expired)

PHASE1 (shared) 10.0.3.15[4500] <> 52.56.yy.yy[4500]
Cookies: 0xd59a6a201a969acf:0xdb5b6ceefe0a2cc0
Status: established
Side: initiator
Phase2 Negotiations: 1
Create Time: 2019-12-25 10:51:48
Lifetime[sec]: 28800 (21230 left)
Identity (local): 10.0.3.15/32 (AddressPrefix)
Identity (remote): 52.56.yy.yy/32 (AddressPrefix)
DPD status: established

PHASE1 (shared) 10.0.3.15[4500] <> 52.56.yy.yy[4500]
Cookies: 0x2c213f6c0abdc3a4:0xc6fbab81854863db
Status: established
Side: initiator
Phase2 Negotiations: 1
Create Time: 2019-12-25 10:51:24
Lifetime[sec]: 28800 (21207 left)
Identity (local): 10.0.3.15/32 (AddressPrefix)
Identity (remote): 52.56.yy.yy/32 (AddressPrefix)
DPD status: established

ayame# show status ipsec
10.0.3.15[4500] 52.50.xx.xx[4500]
esp-udp mode=transport spi=1532467141(0x5b5797c5) reqid=8330(0x0000208a)
E: aes-cbc 59bac12c be0e1537 29d87014 533c922b
A: hmac-sha1 3ba1a8da d95bca4a 927837f4 6b5aed08 d30ce5fb
seq=0x000003c2 replay=32 flags=0x00000000 state=mature
created: Dec 25 12:41:59 2019 current: Dec 25 12:58:01 2019
diff: 962(s) hard: 3600(s) soft: 2880(s)
last: Dec 25 12:58:01 2019 hard: 0(s) soft: 0(s)
current: 153920(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 962 hard: 0 soft: 0
sadb_seq=7 pid=15118 refcnt=0

10.0.3.15[4500] 52.50.xx.xx[4500]
esp-udp mode=transport spi=697691505(0x2995ed71) reqid=8331(0x0000208b)
E: aes-cbc 1630bcca 1324130d e557dce0 5cd71824
A: hmac-sha1 958ac2a5 0b3777e3 1b5065e6 d19320d8 0f75e46b
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Dec 25 12:41:49 2019 current: Dec 25 12:58:01 2019
diff: 972(s) hard: 3600(s) soft: 2880(s)
last: Dec 24 16:29:03 2019 hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=6 pid=15118 refcnt=0

10.0.3.15[4500] 52.56.yy.yy[4500]
esp-udp mode=transport spi=1031591935(0x3d7cd7ff) reqid=8335(0x0000208f)
E: aes-cbc 3d90323f 6352d870 394af846 ea88f4ab
A: hmac-sha1 8587814f 35b7494a 0e84b4ff 8280a3df 3011f21f
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Dec 25 12:28:02 2019 current: Dec 25 12:58:01 2019
diff: 1799(s) hard: 3600(s) soft: 2880(s)
last: Dec 24 16:29:03 2019 hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=5 pid=15118 refcnt=0

10.0.3.15[4500] 52.56.yy.yy[4500]
esp-udp mode=transport spi=1622001410(0x60adc702) reqid=8334(0x0000208e)
E: aes-cbc 1b8a7080 390ada30 33824838 07236017
A: hmac-sha1 edf29d6f 2f856ff4 abe4ad6b aecc2449 0dd83ce3
seq=0x0000015e replay=32 flags=0x00000000 state=mature
created: Dec 25 12:27:56 2019 current: Dec 25 12:58:01 2019
diff: 1805(s) hard: 3600(s) soft: 2880(s)
last: Dec 25 12:58:00 2019 hard: 0(s) soft: 0(s)
current: 47824(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 350 hard: 0 soft: 0
sadb_seq=4 pid=15118 refcnt=0

52.50.xx.xx[4500] 10.0.3.15[4500]
esp-udp mode=transport spi=194103781(0x0b91c9e5) reqid=8330(0x0000208a)
E: aes-cbc 4157ed18 d02209b6 e6df0103 88d5e36e
A: hmac-sha1 6238e86d 33987b63 09a743e7 87006809 3855efe2
seq=0x000003c0 replay=32 flags=0x00000000 state=mature
created: Dec 25 12:41:59 2019 current: Dec 25 12:58:01 2019
diff: 962(s) hard: 3600(s) soft: 2880(s)
last: Dec 25 12:58:01 2019 hard: 0(s) soft: 0(s)
current: 99840(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 960 hard: 0 soft: 0
sadb_seq=3 pid=15118 refcnt=0

52.50.xx.xx[4500] 10.0.3.15[4500]
esp-udp mode=transport spi=104704418(0x063da9a2) reqid=8331(0x0000208b)
E: aes-cbc 0109616f c6112560 077c1b19 a5253d7d
A: hmac-sha1 f42adf9b 271682de 092331f2 22dec25a 83e76dd2
seq=0x0000000a replay=32 flags=0x00000000 state=mature
created: Dec 25 12:41:49 2019 current: Dec 25 12:58:01 2019
diff: 972(s) hard: 3600(s) soft: 2880(s)
last: Dec 25 12:41:59 2019 hard: 0(s) soft: 0(s)
current: 1040(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=2 pid=15118 refcnt=0

52.56.yy.yy[4500] 10.0.3.15[4500]
esp-udp mode=transport spi=89435165(0x0554ac1d) reqid=8335(0x0000208f)
E: aes-cbc a40506a9 5f54bc79 92f66cc7 2745e09b
A: hmac-sha1 5fc8e780 4394c503 a7b7c11c 615c7bf4 419787af
seq=0x0000016a replay=32 flags=0x00000000 state=mature
created: Dec 25 12:28:02 2019 current: Dec 25 12:58:01 2019
diff: 1799(s) hard: 3600(s) soft: 2880(s)
last: Dec 25 12:58:00 2019 hard: 0(s) soft: 0(s)
current: 29580(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 362 hard: 0 soft: 0
sadb_seq=1 pid=15118 refcnt=0

52.56.yy.yy[4500] 10.0.3.15[4500]
esp-udp mode=transport spi=172081453(0x0a41c12d) reqid=8334(0x0000208e)
E: aes-cbc 309243a7 59875f40 3cd0f69c 7b3ef841
A: hmac-sha1 54cc16ee 3991903c c2f47102 2a0e5593 ed7af6f8
seq=0x00000002 replay=32 flags=0x00000000 state=mature
created: Dec 25 12:27:56 2019 current: Dec 25 12:58:01 2019
diff: 1805(s) hard: 3600(s) soft: 2880(s)
last: Dec 25 12:28:02 2019 hard: 0(s) soft: 0(s)
current: 163(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2 hard: 0 soft: 0
sadb_seq=0 pid=15118 refcnt=0
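The show status ike dump above is exactly what a tunnel monitor should watch: one of the Phase 1 SAs to 52.50.xx.xx reports "DPD status: recv only (expired)" and is close to the end of its lifetime, while the others are healthy. The script below is an added example (not from the original post or SEIL) that parses that output format into per-SA records and returns the peers that need attention; SAMPLE is a constructed excerpt of the dump with the peer addresses masked as the author did.

```python
"""Parse SEIL 'show status ike' output and flag Phase 1 SAs that a monitor
should alert on: not established, DPD not alive, or little lifetime left.
Added example; SAMPLE is a constructed excerpt of the post's dump."""
import re

SAMPLE = """\
PHASE1 (shared) 10.0.3.15[4500] <> 52.50.xx.xx[4500]
Cookies: 0xeb64efd3a5109cab:0xf7870f45bae8dd72
Status: established
Side: initiator
Lifetime[sec]: 28800 (27799 left)
DPD status: established
PHASE1 (shared) 10.0.3.15[4500] <> 52.50.xx.xx[4500]
Cookies: 0xe002d0427fed6a5a:0x870201d123bbe347
Status: established
Side: initiator
Lifetime[sec]: 28800 (4759 left)
DPD status: recv only (expired)
"""


def parse_phase1(text):
    """Start a new record at each 'PHASE1' header line (the remote peer is
    the address after '<>'); every following 'Key: value' line is a field."""
    sas = []
    for line in text.splitlines():
        if line.startswith("PHASE1"):
            peer = line.split("<>")[1].strip().split("[")[0]
            sas.append({"peer": peer})
        elif sas and ":" in line:
            key, value = line.split(":", 1)  # Cookies contain a 2nd ':'
            sas[-1][key.strip()] = value.strip()
    return sas


def problems(sas, min_left=600):
    """Return (peer, reason) tuples, one per SA that needs attention."""
    out = []
    for sa in sas:
        m = re.search(r"\((\d+) left\)", sa.get("Lifetime[sec]", ""))
        left = int(m.group(1)) if m else 0
        if sa.get("Status") != "established":
            out.append((sa["peer"], "phase1 not established"))
        elif sa.get("DPD status") != "established":
            out.append((sa["peer"], "DPD " + sa.get("DPD status", "unknown")))
        elif left < min_left:
            out.append((sa["peer"], f"only {left}s of lifetime left"))
    return out
```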

Loading the tunnels with short packets for fun will have to wait for another day.
