Azure と某プライベート コンテナ データセンターを VPN で繋いで BGP で経路交換してみたので、忘れないうちにメモっておきます。
構成図
- Azure 側は VPN Gateway を GwSku1 で Active / Active と BGP を有効化して、Public IPを 2 つ持つ構成。
(下図では a1.a1.a1.a1 / a2.a2.a2.a2) - オンプレミス側は対外接続用のルーター 3 台に固定の Public IP を 1 つずつ用意。
(下図では f.f.f.f / j.j.j.j / c.c.c.c)
Azure 側の構築手順
ドキュメントなどを参考に、VPN Gateway を Basic 以外の SKU (Standard / High Performance / VpnGw1 / VpnGw2 / VpnGw3) で作成。
作成時に Active / Active (+ Public IP 2 つ) と、BGP を忘れずに有効化して、Azure 側で使用する AS 番号も設定します。
ちなみに、Azure とオンプレミス間は eBGP で経路交換をすることになるので、オンプレミス側の ASN と同一にはできません。
(その他、Azure で予約されていて使用不可の ASN は FAQ 参照)
- Azure VPN ゲートウェイで、アクティブ/アクティブ S2S VPN 接続を構成する
https://docs.microsoft.com/ja-jp/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell
VPN Gateway の作成が完了したら、Public IP が 2 つ付与されていることを確認します。
(同一 VNET 内に VPN Gateway は 2 つ作れないので、Active / Active 構成の VPN Gateway を 1 つ作るだけです)
2 番目の Public IP が隠れていて見えないときは、[もっと見る] をクリックしましょう。
[構成] ブレードで Active / Active と BGP が有効化されていることを確認します。
また、オンプレミス側のルーターを設定する際に使用する BGP Peer IP (オンプレミスから見た Neighbor) をメモっておきます。
続いて、オンプレミス側の各ルーターの定義を [ローカル ネットワーク ゲートウェイ] として作成します。
各設定項目は以下のような感じで設定しましょう。
- IP アドレス: オンプレミス側のルーターの Public IP
- アドレス空間: オンプレミス側の BGP Peer IP (オンプレミスへの Static Route に使われるため、/32 付きで指定)
- BGP 設定の構成: チェック有
- 自立システム番号 (ASN): オンプレミス側の AS 番号
- BGP ピアの IP アドレス: オンプレミス側の BGP Peer IP (Neighbor の設定には /32 は不要)
同様に、オンプレミスのルーターの台数分の [ローカル ネットワーク ゲートウェイ] をつくります。(今回は 3 つ)
最後に、VPN Gateway とローカル ネットワーク ゲートウェイを [接続] します。
こちらも、BGP のオプションを忘れずに有効化します。
[接続] のリソースも、[ローカル ネットワーク ゲートウェイ] と同じくオンプレミス側の台数分作成します。
以下の図だと [状態] が [接続済み] になっていますが、オンプレミス側が未設定の場合は [接続中] の表示になっているはずです。
(英語だと Connecting で、接続を試みている最中、すなわち未接続の状態を意味します)
接続状態を読み込んだり更新している最中に、一時的に [状態] が [成功] と表示されますが、これはリソースの定義 (Provisioning State) が正常なことを意味するだけで、VPN がつながっているわけではないので誤解しないように。
オンプレミス側の構成 (FortiGate 100E)
FortiGate との VPN 接続については、CookBook が大変わかりやすいので、こちらを参照。
- IPsec VPN to Microsoft Azure
http://cookbook.fortinet.com/ipsec-vpn-microsoft-azure-56/
今回、Azure 側は Active / Active 構成で 2 つ Public IP があるため、FortiGate 側の VPN の設定も 2 つ定義します。
それから、BGP を使うので、[8. Creating the FortiGate static route] では、VNET のアドレス空間の代わりに、Azure 側の BGP Peer IP (今回は 10.0.255.4 / 10.0.255.5) を設定します。(別に VNET のアドレス空間宛に Static Route を書いてもいいですが、BGP の意味が…)
無事に VPN が接続できていれば、Azure とトンネルが 2 本確立されているはずです。(Phase 1 / 2 あるので、SA は 4 つ)
# diagnose vpn ike status detailed vd: root/0 name: Azure version: 2 connection: 1/712 IKE SA: created 1/713 IPsec SA: created 1/713 vd: root/0 name: AzureBGP version: 2 connection: 1/29 IKE SA: created 4/83 established 4/57 times 0/170/9040 ms IPsec SA: created 4/80 established 4/58 times 0/156/9040 ms vd: root/0 name: AzureBGP2 version: 2 connection: 1/2 IKE SA: created 2/55 established 2/54 times 10/886/26080 ms IPsec SA: created 2/55 established 2/55 times 0/383/21060 ms
VPN のトンネルが張れたら、続いて BGP で経路交換をしてみます。
このあたりは @kongou_ae さんの以下のブログが詳しいので大変参考になりました。
- FortiGateとAzureのVPN GatewayをBGPで接続する
https://aimless.jp/blog/archives/2017-07-17-connect-azure-and-fortgate-with-bgp/
気を付ける点としては、ebgp multihop の設定くらいですかね。(直接 Peer を張っているわけではなく、VPN トンネル越しなので。)
今回は適当に Loopback Interface (172.16.255.254) を作って、オンプレミス側の経路 (172.16.0.0/16) を広報しています。
routing tableに乗っていない経路を広報する関係上、network-import-check を disable していますが、これは構成次第では不要かと。
# show system interface config system interface edit "BGPloopback" set vdom "root" set ip 172.16.255.254 255.255.255.255 set type loopback next # show router bgp config router bgp set as 65521 set network-import-check disable config neighbor edit "10.0.255.4" set ebgp-enforce-multihop enable set next-hop-self enable set soft-reconfiguration enable set remote-as 65516 set update-source "BGPloopback" next edit "10.0.255.5" set ebgp-enforce-multihop enable set next-hop-self enable set soft-reconfiguration enable set remote-as 65516 set update-source "BGPloopback" next end config network edit 1 set prefix 172.16.0.0 255.255.0.0 next end
BGP の Neighbor が脹れていることを確認します。
# get router info bgp neighbors BGP neighbor is 10.0.255.4, remote AS 65516, local AS 65521, external link BGP version 4, remote router ID 10.0.255.4 BGP state = Established, up for 05:11:19 Last read 00:00:33, hold time is 180, keepalive interval is 60 seconds Configured hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received (new) Address family IPv4 Unicast: advertised and received Address family IPv6 Unicast: advertised and received Received 479 messages, 0 notifications, 0 in queue Sent 502 messages, 14 notifications, 0 in queue Route refresh request: received 0, sent 0 Minimum time between advertisement runs is 30 seconds Update source is BGPloopback For address family: IPv4 Unicast BGP table version 39, neighbor version 38 Index 1, Offset 0, Mask 0x2 Graceful restart: received Inbound soft reconfiguration allowed NEXT_HOP is always this router Community attribute sent to this neighbor (both) 4 accepted prefixes 4 announced prefixes For address family: IPv6 Unicast BGP table version 1, neighbor version 1 Index 1, Offset 0, Mask 0x2 Graceful restart: received Community attribute sent to this neighbor (both) 0 accepted prefixes 0 announced prefixes Connections established 17; dropped 16 External BGP neighbor may be up to 255 hops away. Local host: 172.16.255.254, Local port: 13377 Foreign host: 10.0.255.4, Foreign port: 179 Nexthop: 172.16.255.254 Nexthop global: :: Nexthop local: :: BGP connection: non shared network Last Reset: 05:11:24, due to BGP Notification sent Notification Error Message: (Hold Timer Expired/Unspecified Error Subcode) BGP neighbor is 10.0.255.5, remote AS 65516, local AS 65521, external link BGP version 4, remote router ID 10.0.255.5 BGP state = Established, up for 05:14:23 Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds Configured hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received (new) Address family IPv4 Unicast: advertised and received Address family IPv6 Unicast: advertised and received Received 494 messages, 0 notifications, 0 in queue Sent 522 messages, 16 notifications, 0 in queue Route refresh request: received 0, sent 0 Minimum time between advertisement runs is 30 seconds Update source is BGPloopback For address family: IPv4 Unicast BGP table version 39, neighbor version 38 Index 2, Offset 0, Mask 0x4 Graceful restart: received Inbound soft reconfiguration allowed NEXT_HOP is always this router Community attribute sent to this neighbor (both) 4 accepted prefixes 2 announced prefixes For address family: IPv6 Unicast BGP table version 1, neighbor version 1 Index 2, Offset 0, Mask 0x4 Graceful restart: received Community attribute sent to this neighbor (both) 0 accepted prefixes 0 announced prefixes Connections established 18; dropped 17 External BGP neighbor may be up to 255 hops away. Local host: 172.16.255.254, Local port: 24137 Foreign host: 10.0.255.5, Foreign port: 179 Nexthop: 172.16.255.254 Nexthop global: :: Nexthop local: :: BGP connection: non shared network Last Reset: 05:14:27, due to BGP Notification sent Notification Error Message: (Hold Timer Expired/Unspecified Error Subcode)
BGP で受け取った経路についても確認をしてみます。
Azure 側の BGP Peer IP (10.0.255.4 / 10.0.255.5) から、同じ経路を受け取っていることが分かります。
# get router info bgp neighbors 10.0.255.4 received-routes BGP table version is 39, local router ID is 172.16.255.254 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0/16 10.0.255.4 0 65516 i *> 172.16.0.0 10.0.255.4 0 0 65516 65521 i *> 172.16.255.252/32 10.0.255.4 0 65516 i *> 172.16.255.253/32 10.0.255.4 0 65516 i *> 172.16.255.254/32 10.0.255.4 0 65516 i Total number of prefixes 5 # get router info bgp neighbors 10.0.255.5 received-routes BGP table version is 39, local router ID is 172.16.255.254 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0/16 10.0.255.5 0 65516 i *> 172.16.0.0 10.0.255.5 0 65516 65521 i *> 172.16.255.252/32 10.0.255.5 0 65516 i *> 172.16.255.253/32 10.0.255.5 0 65516 i *> 172.16.255.254/32 10.0.255.5 0 65516 i Total number of prefixes 5
オンプレミス側の構成 (Juniper SRX650)
SRX との VPN 接続については、ご丁寧に日本語の PDF があったので、こちらの動的ルーティングの設定 (P.30 – )を参照。
- Juniper SRX と Microsoft Azure 仮想ネット ワークとのサイト間 VPN 接続の構成
https://www.juniper.net/jp/jp/local/pdf/implementation-guides/SRX-AzureVPN-v3.pdf
FortiGate と同じく、VPN のトンネルを 2 本 (st0.0 / st0.1) つくり、static route も BGP Peer IP (10.0.255.4 / 10.0.255.5) を設定。
# show security ike { proposal azure-phase1-proposal { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm aes-256-cbc; lifetime-seconds 28800; } policy azure-policy { mode main; proposals azure-phase1-proposal; pre-shared-key ascii-text "xxxxxxxxxx"; ## SECRET-DATA } gateway azure-gw { ike-policy azure-policy; address a1.a1.a1.a1; dead-peer-detection { interval 10; threshold 5; } local-identity inet j.j.j.j; external-interface ge-0/0/0; version v2-only; } gateway azure-gw2 { ike-policy azure-policy; address a2.a2.a2.a2; dead-peer-detection { interval 10; threshold 5; } local-identity inet j.j.j.j; external-interface ge-0/0/0; version v2-only; } } ipsec { proposal azure-phase2-proposal { protocol esp; authentication-algorithm hmac-sha-256-128; encryption-algorithm aes-256-cbc; lifetime-seconds 3600; } policy azure-phase2-policy { proposals azure-phase2-proposal; } vpn azure-vpn { bind-interface st0.0; vpn-monitor { optimized; source-interface st0.0; destination-ip 10.0.0.0; } ike { gateway azure-gw; proxy-identity { local 0.0.0.0/0; remote 0.0.0.0/0; service any; } ipsec-policy azure-phase2-policy; } establish-tunnels immediately; } vpn azure-vpn2 { bind-interface st0.1; vpn-monitor { optimized; source-interface st0.1; destination-ip 10.0.0.0; } ike { gateway azure-gw2; proxy-identity { local 0.0.0.0/0; remote 0.0.0.0/0; service any; } ipsec-policy azure-phase2-policy; } establish-tunnels immediately; } } address-book { global { address Azure-VNET 10.0.0.0/16; address OnPremise-NW 172.16.0.0/16; } } flow { tcp-mss { ipsec-vpn { mss 1350; } } } policies { from-zone trust to-zone azure-zone { policy trust-to-azure-zone { match { source-address OnPremise-NW; destination-address Azure-VNET; application any; } then { permit; } } } from-zone azure-zone to-zone trust { policy azure-zone-to-trust { match { source-address Azure-VNET; destination-address OnPremise-NW; application any; } then { permit; } } } } zones { security-zone azure-zone { interfaces { st0.0; st0.1; } } } # show interfaces st0 { unit 0 { family inet; } unit 1 { family inet; } } # show routing-options static { route 10.0.255.4/32 next-hop st0.0; route 10.0.255.5/32 next-hop st0.1; }
無事に VPN が接続できていれば、Azure とトンネルが 2 本確立されているはずです。
# run show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 776365 UP 30964821a7e60fc5 7488a3d455c203f0 IKEv2 a2.a2.a2.a2 776366 UP 1c0743a73adbe841 e903979aed9c53b7 IKEv2 a1.a1.a1.a1 # run show security ipsec security-associations Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes-cbc-256/sha256 9079c193 3565/ unlim U root 500 a1.a1.a1.a1 >131073 ESP:aes-cbc-256/sha256 ac1035a4 3565/ unlim U root 500 a1.a1.a1.a1 <131074 ESP:aes-cbc-256/sha256 83a51222 3507/ unlim U root 500 a2.a2.a2.a2 >131074 ESP:aes-cbc-256/sha256 fa64cbf2 3507/ unlim U root 500 a2.a2.a2.a2
VPN がつながったら、適当に Loopback Interface を作り、ebgp multihop を有効化して、BGP で経路を交換します。
SRX も routing table にない経路を広報しないようなので、static route に 172.16.0.0/16 を入れてみましたが、これでいいのかな…。
あと、今回は FortiGate 側の経路を優先させて、SRX や C841M はバックアップ用にしたいので、AS Path を追加しています。
# show interfaces lo0 { unit 0 { family inet { address 172.16.255.253/32; } } } # show routing-options static { route 10.0.255.4/32 next-hop st0.0; route 10.0.255.5/32 next-hop st0.1; route 172.16.0.0/16 reject; } autonomous-system 65521; # show protocols bgp local-address 172.16.255.253; group azure { type external; multihop { ttl 255; } neighbor 10.0.255.4 { export OnPremises; peer-as 65516; } neighbor 10.0.255.5 { export OnPremises; peer-as 65516; } } # show policy-options prefix-list OnPremises { 172.16.0.0/16; } policy-statement OnPremises { term 1 { from { protocol static; route-filter 172.16.0.0/16 exact; } then { as-path-prepend 65521; accept; } } }
SRX 側から広報している経路と、Azure 側から受け取っている経路を確認します。
AS Path Prepend もきちんと反映されているので問題なさそうです。
> show route advertising-protocol bgp 10.0.255.4 inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.0.0/16 Self 65521 [65521] I > show route advertising-protocol bgp 10.0.255.5 inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.0.0/16 Self 65521 [65521] I > show route receive-protocol bgp 10.0.255.4 inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 10.0.0.0/16 10.0.255.4 65516 I * 172.16.255.252/32 10.0.255.4 65516 I 172.16.255.253/32 10.0.255.4 65516 I * 172.16.255.254/32 10.0.255.4 65516 I > show route receive-protocol bgp 10.0.255.5 inet.0: 12 destinations, 18 routes (12 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path 10.0.0.0/16 10.0.255.5 65516 I 172.16.255.252/32 10.0.255.5 65516 I 172.16.255.253/32 10.0.255.5 65516 I 172.16.255.254/32 10.0.255.5 65516 I
オンプレミス側の構成 (Cisco C841M)
Cisco IOS との VPN 接続に関しては、GitHub のサンプルやら、Azure ポータルからコンフィグとれるので、そのあたりを参考に。
基本的には FortiGate や SRX と何ら変わらないので、特に難しくないと思います。
crypto ikev2 proposal Azure-proposal encryption aes-cbc-256 aes-cbc-128 3des integrity sha1 group 2 ! crypto ikev2 policy Azure-policy match address local c.c.c.c proposal Azure-proposal ! crypto ikev2 keyring Azure-keyring peer a1.a1.a1.a1 address a1.a1.a1.a1 pre-shared-key xxxxxxxxxx ! peer a2.a2.a2.a2 address a2.a2.a2.a2 pre-shared-key xxxxxxxxxx ! ! ! crypto ikev2 profile Azure-profile match address local c.c.c.c match identity remote address a1.a1.a1.a1 255.255.255.255 match identity remote address a2.a2.a2.a2 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local Azure-keyring lifetime 3600 ! ! crypto ipsec transform-set Azure-TransformSet esp-aes 256 esp-sha-hmac mode tunnel ! crypto ipsec profile Azure-IPsecProfile set transform-set Azure-TransformSet set ikev2-profile Azure-profile ! ! interface Loopback11 ip address 172.16.255.252 255.255.255.255 ! interface Tunnel11 ip address 169.254.0.1 255.255.255.252 ip tcp adjust-mss 1350 tunnel source c.c.c.c tunnel mode ipsec ipv4 tunnel destination a1.a1.a1.a1 tunnel protection ipsec profile Azure-IPsecProfile ! interface Tunnel12 ip address 169.254.0.5 255.255.255.252 ip tcp adjust-mss 1350 tunnel source c.c.c.c tunnel mode ipsec ipv4 tunnel destination a2.a2.a2.a2 tunnel protection ipsec profile Azure-IPsecProfile ! ! router bgp 65521 bgp log-neighbor-changes neighbor 10.0.255.4 remote-as 65516 neighbor 10.0.255.4 ebgp-multihop 255 neighbor 10.0.255.4 update-source Loopback11 neighbor 10.0.255.5 remote-as 65516 neighbor 10.0.255.5 ebgp-multihop 255 neighbor 10.0.255.5 update-source Loopback11 ! address-family ipv4 network 172.16.0.0 neighbor 10.0.255.4 activate neighbor 10.0.255.4 route-map OnPremises out neighbor 10.0.255.5 activate neighbor 10.0.255.5 route-map OnPremises out exit-address-family ! ! ip route 10.0.255.4 255.255.255.255 Tunnel11 ip route 10.0.255.5 255.255.255.255 Tunnel12 ip route 172.16.0.0 255.255.0.0 Null0 200 ! ! ip prefix-list OnPremises seq 5 permit 172.16.0.0/16 ! route-map OnPremises permit 10 match ip address prefix-list OnPremises set as-path prepend 65521 65521 ! ! access-list 101 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255 access-list 102 permit esp host a1.a1.a1.a1 host c.c.c.c access-list 102 permit udp host a1.a1.a1.a1 eq isakmp host c.c.c.c access-list 102 permit esp host a2.a2.a2.a2 host c.c.c.c access-list 102 permit udp host a2.a2.a2.a2 eq isakmp host c.c.c.c !
VPN の接続状況と、BGP の経路も問題なく交換できました。
#show crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 2 c.c.c.c/500 a1.a1.a1.a1/500 none/none READY Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 3600/1478 sec Tunnel-id Local Remote fvrf/ivrf Status 6 c.c.c.c/500 a2.a2.a2.a2/500 none/none READY Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 3600/1972 sec IPv6 Crypto IKEv2 SA #show crypto ipsec sa interface: Tunnel11 Crypto map tag: Tunnel11-head-0, local addr c.c.c.c protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer a1.a1.a1.a1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24 #pkts decaps: 10351, #pkts decrypt: 10351, #pkts verify: 10351 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: c.c.c.c, remote crypto endpt.: a1.a1.a1.a1 plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/4 current outbound spi: 0xED0535B2(3976541618) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x5CDC6A89(1557949065) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 438, flow_id: Onboard VPN:438, sibling_flags 80000040, crypto map: Tunnel11-head-0 sa timing: remaining key lifetime (k/sec): (4349436/1644) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xED0535B2(3976541618) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 437, flow_id: Onboard VPN:437, sibling_flags 80000040, crypto map: Tunnel11-head-0 sa timing: remaining key lifetime (k/sec): (4349447/1644) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: interface: Tunnel12 Crypto map tag: Tunnel12-head-0, local addr c.c.c.c protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer a2.a2.a2.a2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 85613, #pkts encrypt: 85613, #pkts digest: 85613 #pkts decaps: 79209, #pkts decrypt: 79209, #pkts verify: 79209 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: c.c.c.c, remote crypto endpt.: a2.a2.a2.a2 plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/4 current outbound spi: 0x6EEC2E88(1860972168) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xBC5C8981(3160181121) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 436, flow_id: Onboard VPN:436, sibling_flags 80000040, crypto map: Tunnel12-head-0 sa timing: remaining key lifetime (k/sec): (4188027/1328) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x6EEC2E88(1860972168) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 435, flow_id: Onboard VPN:435, sibling_flags 80000040, crypto map: Tunnel12-head-0 sa timing: remaining key lifetime (k/sec): (4188019/1328) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: #show bgp BGP table version is 204, local router ID is 172.16.255.252 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path * 10.0.0.0/16 10.0.255.4 0 65516 i *> 10.0.255.5 0 65516 i *> 172.16.0.0 0.0.0.0 0 32768 i r 172.16.255.252/32 10.0.255.4 0 65516 i r> 10.0.255.5 0 65516 i * 172.16.255.253/32 10.0.255.5 0 65516 i *> 10.0.255.4 0 65516 i * 172.16.255.254/32 10.0.255.4 0 65516 i *> 10.0.255.5 0 65516 i #show ip bgp neighbors 10.0.255.4 advertised-routes BGP table version is 204, local router ID is 172.16.255.252 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 172.16.0.0 0.0.0.0 0 32768 i Total number of prefixes 1 #show ip bgp neighbors 10.0.255.5 advertised-routes BGP table version is 204, local router ID is 172.16.255.252 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 172.16.0.0 0.0.0.0 0 32768 i Total number of prefixes 1 #show ip route bgp Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 202.222.13.254 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks B 10.0.0.0/16 [20/0] via 10.0.255.5, 06:35:10 172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks B 172.16.255.253/32 [20/0] via 10.0.255.4, 05:55:15 B 172.16.255.254/32 [20/0] via 10.0.255.5, 06:35:10
Azure VPN Gateway 側からの確認
最後に、Azure 側からも VPN の接続状況や、BGP の Neighbor が張れて、経路交換ができているか確認します。
> Get-AzureRmVirtualNetworkGatewayConnection -Name FortiGate100E-BGP -ResourceGroupName caledfwlch Name : Fortigate100E-BGP ResourceGroupName : caledfwlch Location : japaneast Id : /subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/c onnections/Fortigate100E-BGP Etag : W/"aece2efa-9d05-4dd8-b928-9634bf6fd463" ResourceGuid : b85b8f35-8c61-4ad1-ac5f-a908c58b2b0e ProvisioningState : Succeeded Tags : AuthorizationKey : VirtualNetworkGateway1 : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/ virtualNetworkGateways/caledfwlch-vpngw" VirtualNetworkGateway2 : LocalNetworkGateway2 : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/ localNetworkGateways/Fortigate100E-BGP" Peer : RoutingWeight : 0 SharedKey : xxxxxxxxxx ConnectionStatus : Connected EgressBytesTransferred : 769116 IngressBytesTransferred : 630868 TunnelConnectionStatus : [ { "Tunnel": "Fortigate100E-BGP_13.78.115.150", "ConnectionStatus": "Connected", "IngressBytesTransferred": 296650, "EgressBytesTransferred": 359947, "LastConnectionEstablishedUtcTime": "05/03/2018 16:05:48" }, { "Tunnel": "Fortigate100E-BGP_52.185.132.141", "ConnectionStatus": "Connected", "IngressBytesTransferred": 334218, "EgressBytesTransferred": 409169, "LastConnectionEstablishedUtcTime": "05/03/2018 16:02:36" } ] > Get-AzureRmVirtualNetworkGatewayConnection -Name SRX650-BGP -ResourceGroupName caledfwlch Name : SRX650-BGP ResourceGroupName : caledfwlch Location : japaneast Id : /subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/c onnections/SRX650-BGP Etag : W/"554cf1f6-bea7-4c38-9905-c7423b332ae4" ResourceGuid : 1fa22476-2a6e-45f5-89f4-aadb2cfa0c56 ProvisioningState : Succeeded Tags : AuthorizationKey : VirtualNetworkGateway1 : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/ virtualNetworkGateways/caledfwlch-vpngw" VirtualNetworkGateway2 : LocalNetworkGateway2 : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/ localNetworkGateways/SRX650-BGP" Peer : RoutingWeight : 0 SharedKey : xxxxxxxxxx ConnectionStatus : Connected EgressBytesTransferred : 389914 IngressBytesTransferred : 663672 TunnelConnectionStatus : [ { "Tunnel": "SRX650-BGP_13.78.115.150", "ConnectionStatus": "Connected", "IngressBytesTransferred": 308264, "EgressBytesTransferred": 206306, "LastConnectionEstablishedUtcTime": "05/03/2018 16:03:48" }, { "Tunnel": "SRX650-BGP_52.185.132.141", "ConnectionStatus": "Connected", "IngressBytesTransferred": 355408, "EgressBytesTransferred": 183608, "LastConnectionEstablishedUtcTime": "05/03/2018 16:04:36" } ] > Get-AzureRmVirtualNetworkGatewayConnection -Name C841M-BGP -ResourceGroupName caledfwlch Name : C841M-BGP ResourceGroupName : caledfwlch Location : japaneast Id : /subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/c onnections/C841M-BGP Etag : W/"e1fcee4f-2f5b-4a6b-91be-89d6ee74b5ab" ResourceGuid : ba300bfb-e09e-4163-98bf-37e37265ce8a ProvisioningState : Succeeded Tags : AuthorizationKey : VirtualNetworkGateway1 : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/ virtualNetworkGateways/caledfwlch-vpngw" VirtualNetworkGateway2 : LocalNetworkGateway2 : "/subscriptions/49dde45f-5712-44b2-b0ab-296bde83af6b/resourceGroups/caledfwlch/providers/Microsoft.Network/ localNetworkGateways/C841M-BGP" Peer : RoutingWeight : 0 SharedKey : xxxxxxxxxx ConnectionStatus : Connected EgressBytesTransferred : 4209273 IngressBytesTransferred : 4178973 TunnelConnectionStatus : [ { "Tunnel": "C841M-BGP_13.78.115.150", "ConnectionStatus": "Connected", "IngressBytesTransferred": 0, "EgressBytesTransferred": 325920, "LastConnectionEstablishedUtcTime": "05/03/2018 16:05:48" }, { "Tunnel": "C841M-BGP_52.185.132.141", "ConnectionStatus": "Connected", "IngressBytesTransferred": 4178973, "EgressBytesTransferred": 3883353, "LastConnectionEstablishedUtcTime": "05/03/2018 16:00:36" } ] > Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch | sort Neighbor | ft Asn ConnectedDuration LocalAddress MessagesReceived MessagesSent Neighbor RoutesReceived State --- ----------------- ------------ ---------------- ------------ -------- -------------- ----- 65516 10.0.255.4 0 0 10.0.255.4 0 Unknown 65516 06:45:41.7296384 10.0.255.4 502 549 10.0.255.5 5 Connected 65521 06:38:08.4475376 10.0.255.4 469 508 172.16.255.252 1 Connected 65521 05:57:19.8491887 10.0.255.4 804 829 172.16.255.253 1 Connected 65521 06:38:08.7202774 10.0.255.4 464 516 172.16.255.254 1 Connected > Get-AzureRmVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch | where Origin -eq EBgp | sort Network, ASPath | ft AsPath LocalAddress Network NextHop Origin SourcePeer Weight ------ ------------ ------- ------- ------ ---------- ------ 65521 10.0.255.4 172.16.0.0/16 172.16.255.254 EBgp 172.16.255.254 32768 65521-65521 10.0.255.4 172.16.0.0/16 172.16.255.253 EBgp 172.16.255.253 32768 65521-65521-65521 10.0.255.4 172.16.0.0/16 172.16.255.252 EBgp 172.16.255.252 32768 > Get-AzureRmVirtualNetworkGatewayAdvertisedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch -Peer 172.16.255.254 | sort Network | ft AsPath LocalAddress Network NextHop Origin SourcePeer Weight ------ ------------ ------- ------- ------ ---------- ------ 65516 10.0.255.4 10.0.0.0/16 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.252/32 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.253/32 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.254/32 10.0.255.4 Igp 0 > Get-AzureRmVirtualNetworkGatewayAdvertisedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch -Peer 172.16.255.253 | sort Network | ft AsPath LocalAddress Network NextHop Origin SourcePeer Weight ------ ------------ ------- ------- ------ ---------- ------ 65516 10.0.255.4 10.0.0.0/16 10.0.255.4 Igp 0 65516-65521 10.0.255.4 172.16.0.0/16 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.252/32 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.253/32 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.254/32 10.0.255.4 Igp 0 > Get-AzureRmVirtualNetworkGatewayAdvertisedRoute -VirtualNetworkGatewayName caledfwlch-vpngw -ResourceGroupName caledfwlch -Peer 172.16.255.252 | sort Network | ft AsPath LocalAddress Network NextHop Origin SourcePeer Weight ------ ------------ ------- ------- ------ ---------- ------ 65516 10.0.255.4 10.0.0.0/16 10.0.255.4 Igp 0 65516-65521 10.0.255.4 172.16.0.0/16 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.252/32 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.253/32 10.0.255.4 Igp 0 65516 10.0.255.4 172.16.255.254/32 10.0.255.4 Igp 0
細かい部分は非常に怪しい気がしますが、まあ最低限は出来たということで。
間違ってる箇所があれば適宜コメントください。
1 comment for “Azure VPN Gateway (Active / Active) と、FortiGate 100E / Juniper SRX650 / Cisco C841M で VPN を張って、BGP で経路交換してみた”