質問編集履歴

2 イメージ図を追加しました

teketeke

teketeke score 47

2017/03/03 19:08  投稿

vyosへのVPN接続設定について
vyosを設定して、外からVPN接続できるようにしようとしています。
VPNの設定については以下のサイトを参考にしたのですが、接続できませんでした。
http://qiita.com/khayama/items/c63d4d5f02abdf348889
vyosの設定は以下になるのですが、何か設定が足りないのでしょうか。
※IPアドレス、パスワードなどは実際とは変更しています。
```
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth1 address '111.111.111.111/23'
set interfaces ethernet eth2 address '10.0.2.2/24'
set interfaces loopback 'lo'
set service 'ssh'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system gateway-address '111.111.111.1'
set system login user vyos authentication encrypted-password '$6$BGiAItm1UQuf$9uss08G.i6/yqswFBbFl.wV.idLASdkUEx2xwDijzt 1z1Pn6y15.iqm6.5ltqg/YdZVeA.g1sW0IK.tqlVCWq/'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '111.111.111.133'
set system name-server '111.111.111.134'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network '10.0.2.0/24'
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username TESTUSER password 'TESTPASS'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '10.0.2.101'
set vpn l2tp remote-access client-ip-pool stop '10.0.2.200'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'TESTSECRET'
set vpn l2tp remote-access outside-address '111.111.111.111'
set vpn l2tp remote-access outside-nexthop '111.111.111.1'
vyos@vyos:~$ show configuration
interfaces {
   ethernet eth1 {
       address 111.111.111.111/23
   }
   ethernet eth2 {
       address 10.0.2.2/24
   }
   loopback lo {
   }
}
service {
   ssh {
   }
}
system {
   config-management {
       commit-revisions 100
   }
   console {
       device ttyS0 {
           speed 9600
       }
   }
   gateway-address 111.111.111.1
   login {
       user vyos {
           authentication {
               encrypted-password ****************
               plaintext-password ****************
           }
           level admin
       }
   }
   name-server 111.111.111.133
   name-server 111.111.111.134
   ntp {
       server 0.pool.ntp.org {
       }
       server 1.pool.ntp.org {
       }
       server 2.pool.ntp.org {
       }
   }
   syslog {
       global {
           facility all {
               level notice
           }
           facility protocols {
               level debug
           }
       }
   }
}
vpn {
   ipsec {
       ipsec-interfaces {
           interface eth1
       }
       nat-networks {
           allowed-network 10.0.2.0/24 {
           }
       }
       nat-traversal enable
   }
   l2tp {
       remote-access {
           authentication {
               local-users {
                   username TESTUSER {
                       password ****************
                   }
               }
               mode local
           }
           client-ip-pool {
               start 10.0.2.101
               stop 10.0.2.200
           }
           ipsec-settings {
               authentication {
                   mode pre-shared-secret
                   pre-shared-secret ****************
               }
           }
           outside-address 111.111.111.111
           outside-nexthop 111.111.111.1
       }
   }
}
```
![イメージ説明](07960fd9c5083c5c6dfb62dbd49b2ec4.png)
■事前共有キーについて
vyosへの投入コマンドをテキストに書いてからコピペしていたので、間違えてはいないと思います。
■ログについて
ログは以下となっておりました。現在メッセージ内容について調査しています。
```
packet from xxx.xxx.xxx.xxx:11711: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
packet from xxx.xxx.xxx.xxx:11711: received Vendor ID payload [RFC 3947]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [FRAGMENTATION]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [IKE CGA version 1]
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx:11711
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: NAT-Traversal: Result using RFC 3947: peer is NATed
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Peer ID is ID_IPV4_ADDR: '192.168.250.111'
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:11711 #7: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sent MR3, ISAKMP SA established
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: cannot respond to IPsec SA request because no connection is known for 111.111.111.111:4500[111.111.111.111]:17/1701...xxx.xxx.xxx.xxx:27258[192.168.250.111]:17/%any===192.168.250.111/32
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: received Delete SA payload: deleting ISAKMP State #7
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
```
■接続設定に関して
PPPoE接続やNAPTについて知識が乏しく、よくわからない状態で設定をしています。
参考にしたサイトのURLが抜けていたのですが、接続イメージはそこのサイトと同じと考えています。
外からvyosに繋いで、そこからvyosにつながっているローカル環境へつなげればと考えています。
http://qiita.com/khayama/items/c63d4d5f02abdf348889
http://qiita.com/khayama/items/c63d4d5f02abdf348889
![イメージ図](08ab9ec98a1790652ee746b2b6933fe7.png)

1 ログの追記、接続イメージを追記しました。

teketeke

teketeke score 47

2017/03/03 11:50  投稿

vyosへのVPN接続設定について
vyosを設定して、外からVPN接続できるようにしようとしています。
VPNの設定については以下のサイトを参考にしたのですが、接続できませんでした。
http://qiita.com/khayama/items/c63d4d5f02abdf348889  
 
vyosの設定は以下になるのですが、何か設定が足りないのでしょうか。
※IPアドレス、パスワードなどは実際とは変更しています。
```
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth1 address '111.111.111.111/23'
set interfaces ethernet eth2 address '10.0.2.2/24'
set interfaces loopback 'lo'
set service 'ssh'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system gateway-address '111.111.111.1'
set system login user vyos authentication encrypted-password '$6$BGiAItm1UQuf$9uss08G.i6/yqswFBbFl.wV.idLASdkUEx2xwDijzt 1z1Pn6y15.iqm6.5ltqg/YdZVeA.g1sW0IK.tqlVCWq/'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '111.111.111.133'
set system name-server '111.111.111.134'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network '10.0.2.0/24'
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username TESTUSER password 'TESTPASS'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '10.0.2.101'
set vpn l2tp remote-access client-ip-pool stop '10.0.2.200'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'TESTSECRET'
set vpn l2tp remote-access outside-address '111.111.111.111'
set vpn l2tp remote-access outside-nexthop '111.111.111.1'
vyos@vyos:~$ show configuration
interfaces {
   ethernet eth1 {
       address 111.111.111.111/23
   }
   ethernet eth2 {
       address 10.0.2.2/24
   }
   loopback lo {
   }
}
service {
   ssh {
   }
}
system {
   config-management {
       commit-revisions 100
   }
   console {
       device ttyS0 {
           speed 9600
       }
   }
   gateway-address 111.111.111.1
   login {
       user vyos {
           authentication {
               encrypted-password ****************
               plaintext-password ****************
           }
           level admin
       }
   }
   name-server 111.111.111.133
   name-server 111.111.111.134
   ntp {
       server 0.pool.ntp.org {
       }
       server 1.pool.ntp.org {
       }
       server 2.pool.ntp.org {
       }
   }
   syslog {
       global {
           facility all {
               level notice
           }
           facility protocols {
               level debug
           }
       }
   }
}
vpn {
   ipsec {
       ipsec-interfaces {
           interface eth1
       }
       nat-networks {
           allowed-network 10.0.2.0/24 {
           }
       }
       nat-traversal enable
   }
   l2tp {
       remote-access {
           authentication {
               local-users {
                   username TESTUSER {
                       password ****************
                   }
               }
               mode local
           }
           client-ip-pool {
               start 10.0.2.101
               stop 10.0.2.200
           }
           ipsec-settings {
               authentication {
                   mode pre-shared-secret
                   pre-shared-secret ****************
               }
           }
           outside-address 111.111.111.111
           outside-nexthop 111.111.111.1
       }
   }
}
```
![イメージ説明](07960fd9c5083c5c6dfb62dbd49b2ec4.png)
![イメージ説明](07960fd9c5083c5c6dfb62dbd49b2ec4.png)
■事前共有キーについて
vyosへの投入コマンドをテキストに書いてからコピペしていたので、間違えてはいないと思います。
■ログについて
ログは以下となっておりました。現在メッセージ内容について調査しています。
```
packet from xxx.xxx.xxx.xxx:11711: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
packet from xxx.xxx.xxx.xxx:11711: received Vendor ID payload [RFC 3947]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [FRAGMENTATION]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from xxx.xxx.xxx.xxx:11711: ignoring Vendor ID payload [IKE CGA version 1]
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx:11711
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: NAT-Traversal: Result using RFC 3947: peer is NATed
"remote-access-mac-zzz"[13] xxx.xxx.xxx.xxx:11711 #7: Peer ID is ID_IPV4_ADDR: '192.168.250.111'
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:11711 #7: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sent MR3, ISAKMP SA established
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: cannot respond to IPsec SA request because no connection is known for 111.111.111.111:4500[111.111.111.111]:17/1701...xxx.xxx.xxx.xxx:27258[192.168.250.111]:17/%any===192.168.250.111/32
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:27258
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258 #7: received Delete SA payload: deleting ISAKMP State #7
"remote-access-mac-zzz"[14] xxx.xxx.xxx.xxx:27258: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
```
■接続設定に関して
PPPoE接続やNAPTについて知識が乏しく、よくわからない状態で設定をしています。
参考にしたサイトのURLが抜けていたのですが、接続イメージはそこのサイトと同じと考えています。
外からvyosに繋いで、そこからvyosにつながっているローカル環境へつなげればと考えています。
http://qiita.com/khayama/items/c63d4d5f02abdf348889
