VyOS usage guide

1. Image username: vyos, password: vyos. This is the well-known default of the image; change it before the router is reachable from any network you do not trust.
2. VyOS wiki: https://wiki.vyos.net/wiki/User_Guide
3. Supported features:

VLANs:
     802.1q and QinQ

Static and dynamic routing:
     BGP for IPv4 and IPv6, OSPFv2, RIP, RIPng, policy-based routing, equal cost multi-path

Firewall:
     Firewall rulesets for IPv4 and IPv6 traffic you can assign to interfaces, zone-based firewall, address/network/port groups for IPv4 firewalls

Tunnel interfaces:
     PPPoE, GRE, IPIP, SIT, static L2TPv3, VXLAN

VPN:
    Site-to-site IPsec for IPv4 and IPv6, L2TP/IPsec server, PPTP server, OpenVPN for site-to-site and remote access

NAT:
    Source NAT, port forwards, one to one, one to many, and many to many translations

DHCP:
    DHCP and DHCPv6 server and relay

Redundancy:
    VRRP, connection table synchronization
4. After logging in, the shell looks like this. Operational mode uses $ as its prompt:
    vyos@vyos:~$ s[tab]
    set   show
    vyos@vyos:~$
5. Tab completion is supported:
vyos@vyos:~$ show [tab]
Possible completions:
  arp           Show Address Resolution Protocol (ARP) information
  bridge        Show bridging information
  cluster       Show clustering information
  configuration Show running configuration
  conntrack     Show conntrack entries in the conntrack table
  conntrack-sync
                Show connection syncing information
  date          Show system date and time
  dhcp          Show Dynamic Host Configuration Protocol (DHCP) information
  dhcpv6        Show status related to DHCPv6
  disk          Show status of disk device
  dns           Show Domain Name Server (DNS) information
  file          Show files for a particular image
  firewall      Show firewall information
  flow-accounting
                Show flow accounting statistics
  hardware      Show system hardware details
  history       show command history
  host          Show host information
  incoming      Show ethernet input-policy information
: q
vyos@vyos:~$

6. Enter configuration mode (the prompt changes to # and [edit] shows the current edit level):
vyos@vyos:~$ configure
[edit]
vyos@vyos:~#

7. Change the hostname
vyos@vyos:~$ configure
[edit]
vyos@vyos# set system host-name host1
[edit]
vyos@vyos#
Commit the change (it is applied to the running system at this point)
vyos@vyos# commit
Save it to /config/config.boot so it survives a reboot
vyos@vyos# save
Leave configuration mode
vyos@vyos# exit
The new name is in effect after commit; the shell prompt shows it from the next login on. A reboot is not required, but also works:
vyos@vyos:~$ reboot
8. Configure network interfaces
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'

set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'
9. Configure the SSH service port. sshd listens on every interface, so what actually limits exposure is the OUTSIDE-LOCAL ruleset attached to the outside interface in sections 13 and 14; prefer key-based logins over the default password as well:
set service ssh port '22'
10. Configure source NAT (the inside network is masqueraded behind eth0's address):
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade
11. Configure the DHCP server:
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.9 stop '192.168.0.254'
12. Configure DNS forwarding. Listening on eth1 only keeps the resolver off the outside interface, so it cannot be abused as an open resolver:
set service dns forwarding cache-size '0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'

13. Configure firewall rules. OUTSIDE-IN governs traffic arriving on eth0 that is forwarded through the router; OUTSIDE-LOCAL governs traffic addressed to the router itself. Both default to drop. Rule 10 allows return traffic of established connections, rule 20 allows ping, rule 30 drops new SSH connections from a source seen more than 4 times in 60 seconds (a brake on password guessing), and rule 31 accepts the remaining new SSH connections. Rule 30 must be numbered below rule 31: rules are evaluated in ascending order and the first match wins.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
14. Apply the rulesets to eth0 (in = traffic forwarded through the router, local = traffic addressed to the router itself):
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
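A small model of how the OUTSIDE-LOCAL ruleset above is evaluated, added here as an example (it is not VyOS code). It replays a constructed burst of SSH connection attempts through the rules in ascending order, shows the rate-limit drop kicking in, shows the window expiring, and shows what happens when the plain accept is numbered below the drop. How the recent/hitcount match counts attempts is an assumption stated in the docstring; check it against a real box before relying on the exact threshold.

```python
"""Model of how VyOS evaluates the OUTSIDE-LOCAL ruleset from sections 13
and 14. Added example, not VyOS code.

Rules run in ascending rule number; the first rule whose every field
matches decides, and the ruleset's default-action applies otherwise.
The 'recent' match is modelled as: the rule matches a new connection when
the same source address already has `count` recorded attempts inside the
last `time` seconds (every attempt that reaches the rule is recorded,
whether or not it is dropped). That is an assumption about how the
recent/hitcount match is generated; verify it on a real box.
"""
from collections import defaultdict, deque

OUTSIDE_LOCAL = {
    "default": "drop",
    "rules": [
        {"n": 10, "action": "accept", "state": {"established", "related"}},
        {"n": 20, "action": "accept", "protocol": "icmp",
         "icmp_type": "echo-request", "state": {"new"}},
        {"n": 30, "action": "drop", "protocol": "tcp", "dport": 22,
         "state": {"new"}, "recent": (4, 60)},          # count 4, time 60
        {"n": 31, "action": "accept", "protocol": "tcp", "dport": 22,
         "state": {"new"}},
    ],
}


class Ruleset:
    def __init__(self, spec):
        self.default = spec["default"]
        self.rules = sorted(spec["rules"], key=lambda r: r["n"])
        # rule number -> source address -> timestamps of attempts seen by that rule
        self.seen = defaultdict(lambda: defaultdict(deque))

    def _recent(self, rule, pkt):
        count, window = rule["recent"]
        hist = self.seen[rule["n"]][pkt["src"]]
        while hist and pkt["t"] - hist[0] > window:   # expire old entries
            hist.popleft()
        prior = len(hist)
        hist.append(pkt["t"])                          # record this attempt
        return prior >= count

    def _matches(self, rule, pkt):
        for field, key in (("protocol", "proto"), ("dport", "dport"),
                           ("icmp_type", "icmp_type")):
            if field in rule and rule[field] != pkt.get(key):
                return False
        if "state" in rule and pkt["state"] not in rule["state"]:
            return False
        # 'recent' goes last so a source is only recorded once the other
        # fields of this rule matched (here: new TCP connections to port 22)
        return "recent" not in rule or self._recent(rule, pkt)

    def evaluate(self, pkt):
        """Return (matching rule number or None, action)."""
        for rule in self.rules:
            if self._matches(rule, pkt):
                return rule["n"], rule["action"]
        return None, self.default


def simulate(packets, spec=OUTSIDE_LOCAL):
    """Feed packets (in time order) through a fresh ruleset; return decisions."""
    rs = Ruleset(spec)
    return [rs.evaluate(p) for p in packets]


def new_ssh(src, t):
    """Constructed packet: a new TCP connection to port 22 at time t (seconds)."""
    return {"src": src, "proto": "tcp", "dport": 22, "state": "new", "t": t}


def accept_before_drop(spec):
    """The same ruleset with the plain accept renumbered below the rate-limit
    drop: the drop rule is then never reached."""
    rules = [dict(r) for r in spec["rules"]]
    for r in rules:
        if r["n"] == 31:
            r["n"] = 29
    return {"default": spec["default"], "rules": rules}


if __name__ == "__main__":
    burst = [new_ssh("198.51.100.7", t) for t in (0, 10, 20, 30, 40, 50, 120)]
    print([a for _, a in simulate(burst)])
    print([a for _, a in simulate(burst, accept_before_drop(OUTSIDE_LOCAL))])
```

With the rules as numbered on the page, the fifth and sixth attempts inside the 60-second window are dropped by rule 30 and the attempt at t=120 is accepted again once the window has expired; with the accept renumbered to 29, every attempt is accepted and the rate limit is dead configuration.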
15. Commit and save the configuration

vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos:~$
16. View the configuration. The output below was taken on a fresh image, before the changes above: no firewall is attached to eth0 and SSH answers on the default port on every interface.
vyos@vyos:~$  show configuration
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 00:0c:29:44:3b:0f
    }
    loopback lo {
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    login {
        user vyos {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        repository community {
            components main
            distribution hydrogen
            url http://packages.vyos.net/vyos
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
}
vyos@vyos:~$
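A parser for the brace-format configuration shown above, with a small audit on top, added here as an example (it is not VyOS code). It reads `show configuration` / config.boot text into nested dicts and then flags the exposures visible in a fresh image: no firewall attached to an Ethernet interface, SSH enabled with no local ruleset, the default vyos admin account still present, and no remote syslog host. The finding codes are this example's own, the sample text is the section-16 output trimmed (with a DNS block added to exercise repeated leaves), and the log host 192.0.2.50 is a placeholder.

```python
"""Parse VyOS `show configuration` / config.boot text and audit it.
Added example, not VyOS code. Format handled (as in section 16):
`node {` opens a block, `}` closes it, any other line is a `key value`
leaf; values may be quoted, and a key repeated inside one block (several
name-server lines, say) becomes a list. The finding codes are this
example's own, and the log host 192.0.2.50 is a placeholder."""

# Constructed sample: the section-16 output trimmed, with a DNS block added
# to exercise repeated leaves.
SAMPLE = """\
interfaces {
    ethernet eth0 {
        address dhcp
    }
}
service {
    dns {
        forwarding {
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    ssh {
        port 22
    }
}
system {
    login {
        user vyos {
            level admin
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
        }
    }
}
"""


def parse_config(text):
    """Return the configuration as nested dicts (leaf -> str, list or None)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip("'\"") or None
            if key in cur:  # repeated leaf key -> list of values
                prev = cur[key]
                cur[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                cur[key] = value
    return root


def audit(cfg):
    """Finding codes for a router whose outside interface must not expose the
    management plane and whose logs must survive a compromise."""
    findings = []
    ssh_on = "ssh" in cfg.get("service", {})
    for name, node in cfg.get("interfaces", {}).items():
        if not name.startswith("ethernet ") or not isinstance(node, dict):
            continue
        ifname = name.split()[1]
        fw = node.get("firewall") or {}
        if "in" not in fw:  # forwarded traffic arriving here is unfiltered
            findings.append(f"FW-MISSING {ifname}")
        if ssh_on and "local" not in fw:  # sshd reachable, no local ruleset
            findings.append(f"SSH-EXPOSED {ifname}")
    login = cfg.get("system", {}).get("login", {})
    if login.get("user vyos", {}).get("level") == "admin":
        findings.append("DEFAULT-USER vyos")  # image default account still present
    syslog = cfg.get("system", {}).get("syslog", {})
    if not any(key.startswith("host ") for key in syslog):
        findings.append("NO-REMOTE-SYSLOG")  # logs are lost together with the box
    return findings


def remediated(cfg):
    """Apply the section-14 firewall attachments and a remote log host in memory."""
    cfg["interfaces"]["ethernet eth0"]["firewall"] = {
        "in": {"name": "OUTSIDE-IN"}, "local": {"name": "OUTSIDE-LOCAL"}}
    cfg["system"]["syslog"]["host 192.0.2.50"] = {"facility all": {"level": "notice"}}
    return cfg
```

Running `audit(parse_config(SAMPLE))` on the fresh-image sample reports all four findings; after `remediated()` only the default-account finding remains, which is the one a config parser cannot fix for you.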
17. View interface configuration from configure mode. Uncommitted changes are marked with + in the output:
vyos@vyos:~$ configure
[edit]
vyos@vyos# show interfaces     
ethernet eth0 {
     address dhcp
     hw-id 00:0c:29:44:3b:0f
}
loopback lo {
}
[edit]
vyos@vyos# set interfaces ethernet eth0 description 'OUTSIDE'
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
     address dhcp
+    description OUTSIDE
     hw-id 00:0c:29:44:3b:0f
}
loopback lo {
}
[edit]
18. View interface status
vyos@vyos:~$ show interfaces            
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.16.51.129/24                  u/u  OUTSIDE
eth1             192.168.0.1/24                    u/u  INSIDE
lo               127.0.0.1/8                       u/u  
                 ::1/128
vyos@vyos:~$
19. View interface details (link state, addresses, counters)
vyos@vyos:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:44:3b:0f brd ff:ff:ff:ff:ff:ff
    inet 172.16.51.129/24 brd 172.16.51.255 scope global eth0
    inet6 fe80::20c:29ff:fe44:3b0f/64 scope link
       valid_lft forever preferred_lft forever
    Description: OUTSIDE

    RX:  bytes    packets     errors    dropped    overrun      mcast
        274397       3064          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
        257276       1890          0          0          0          0
    vyos@vyos:~$
20. Configure interface description and address
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 address 'dhcp'

21. Configure an Ethernet interface
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 speed 'auto'

22. Configure a VLAN sub-interface (802.1q vif)
set interfaces ethernet eth1 vif 100 description 'VLAN 100'
set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'

Resulting configuration:
   ethernet eth1 {
       address 192.168.0.1/24
       description INSIDE
       duplex auto
       hw-id 00:0c:29:44:3b:19
       smp_affinity auto
       speed auto
       vif 100 {
           address 192.168.100.1/24
           description "VLAN 100"
       }
   }
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.16.51.129/24                  u/u  OUTSIDE
eth1             192.168.0.1/24                    u/u  INSIDE
eth1.100         192.168.100.1/24                  u/u  VLAN 100
lo               127.0.0.1/8                       u/u  
                 ::1/128
vyos@vyos:~$

23. Configure a bridge
set interfaces bridge 'br100'
set interfaces ethernet eth1 vif 100 bridge-group bridge br100
   Assign the bridge's IP address. The address belongs on br100, not on the member interface, so delete the 192.168.100.1/24 address given to eth1 vif 100 in section 22 before adding the vif to the bridge; otherwise the same address is configured twice.
set interfaces bridge br100 address '192.168.100.1/24'
   Enable spanning tree on the bridge
   set interfaces bridge br100 stp true
   View bridge information
   vyos@vyos:~$ show bridge
bridge name     bridge id               STP enabled     interfaces
br100           0000.000c29443b19       yes             eth1.100
vyos@vyos:~$
vyos@vyos:~$ show bridge br100 spanning-tree
br100
bridge id              0000.000c29443b19
designated root        0000.000c29443b19
root port                 0                    path cost                  0
max age                  20.00                 bridge max age            20.00
hello time                2.00                 bridge hello time          2.00
forward delay            15.00                 bridge forward delay      15.00
ageing time             300.00
hello timer               0.47                 tcn timer                  0.00
topology change timer     0.00                 gc timer                  64.63
flags                  

eth1.100 (1)
port id                8001                    state                forwarding
designated root        0000.000c29443b19       path cost                  4
designated bridge      0000.000c29443b19       message age timer          0.00
designated port        8001                    forward delay timer        0.00
designated cost           0                    hold timer                 0.00
flags                  

vyos@vyos:~$
vyos@vyos:~$ show bridge br100 macs         
port no mac addr                is local?       ageing timer
  1     00:0c:29:44:3b:19       yes                0.00
vyos@vyos:~$

24. Configure port bonding (link aggregation)
set interfaces bonding bond0 description 'my-sw1 int 23 and 24'
vyos@vyos# set interfaces bonding bond0 hash-policy
Possible completions:
  layer2       use MAC addresses to generate the hash (802.3ad)
  layer2+3     combine MAC address and IP address to make hash
  layer3+4     combine IP address and port to make hash

  set interfaces bonding bond0 hash-policy 'layer2'

  Set the bonding mode

  set interfaces bonding bond0 mode '802.3ad'

  vyos@vyos# set interfaces bonding bond0 mode
Possible completions:
  802.3ad      IEEE 802.3ad Dynamic link aggregation (Default)
  active-backup
               Fault tolerant: only one slave in the bond is active
  broadcast    Fault tolerant: transmits everything on all slave interfaces
  round-robin  Load balance: transmit packets in sequential order
  transmit-load-balance
               Load balance: adapts based on transmit load and speed
  adaptive-load-balance
               Load balance: adapts based on transmit and receive plus ARP
  xor-hash     Load balance: distribute based on MAC address

  Add member interfaces to bond0. Members must not carry their own addresses (the eth0/eth1 addresses from earlier sections would have to be removed first), and 802.3ad needs LACP enabled on the switch ports:

  set interfaces ethernet eth0 bond-group 'bond0'
  set interfaces ethernet eth0 description 'member of bond0'
  set interfaces ethernet eth1 bond-group 'bond0'
  set interfaces ethernet eth1 description 'member of bond0'

  View the bond. The VLAN sub-interfaces bond0.10 and bond0.100 in this output were configured separately and are not part of the commands above:
  vyos@vyos# run show interfaces bonding
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
bond0            -                                 u/u  my-sw1 int 23 and 24
bond0.10         192.168.0.1/24                    u/u  office-net
bond0.100        10.10.10.1/24                     u/u  management-net

25. Configure a tunnel interface (VTI). A VTI only carries traffic once it is bound to an IPsec peer; it is the routed endpoint of a route-based VPN, not a standalone tunnel:
set interfaces vti vti0 address 192.168.2.249/30
vyos@vyos# show interfaces vti
vti vti0 {
    address 192.168.2.249/30
    description "Description"
}
26. Configure routing
    Static routes
    set protocols static route 0.0.0.0/0 next-hop 203.0.113.1 distance '1'
    Resulting configuration:
    static {
    route 0.0.0.0/0 {
        next-hop 203.0.113.1 {
            distance 1
        }
    }
}
Blackhole routes. These discard traffic for the RFC 1918 aggregates locally instead of sending it out the default route when no more specific route exists. Distance 254 makes them lose to any other route for the same prefix, and longer connected or learned prefixes win regardless of distance:

set protocols static route 10.0.0.0/8 blackhole distance '254'
set protocols static route 172.16.0.0/12 blackhole distance '254'
set protocols static route 192.168.0.0/16 blackhole distance '254'

route 10.0.0.0/8 {
    blackhole {
        distance 254
    }
}
route 172.16.0.0/12 {
    blackhole {
        distance 254
    }
}
route 192.168.0.0/16 {
    blackhole {
        distance 254
    }
}
Configure RIP
Node 1
set interfaces loopback lo address 1.1.1.1/32
set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected
Node 2
set interfaces loopback lo address 2.2.2.2/32
set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected
27. Configure OSPF
IPv4
Node 1
set interfaces loopback lo address 1.1.1.1/32
set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf default-information originate always
set protocols ospf default-information originate metric 10
set protocols ospf default-information originate metric-type 2
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 1.1.1.1
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT

set policy route-map CONNECT rule 10 action permit
set policy route-map CONNECT rule 10 match interface lo
Node 2

set interfaces loopback lo address 2.2.2.2/32
set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 2.2.2.2
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT

set policy route-map CONNECT rule 10 action permit
set policy route-map CONNECT rule 10 match interface lo

IPv6
Node 1
set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
set protocols ospfv3 parameters router-id 192.168.1.1
set protocols ospfv3 redistribute connected
Node 2
set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
set protocols ospfv3 parameters router-id 192.168.2.1
set protocols ospfv3 redistribute connected
28. Configure BGP

IPv4 (eBGP)
Node 1
set protocols bgp 65536 neighbor 192.168.0.2 ebgp-multihop '2'
set protocols bgp 65536 neighbor 192.168.0.2 remote-as '65537'
set protocols bgp 65536 neighbor 192.168.0.2 update-source '192.168.0.1'
set protocols bgp 65536 network '1.0.0.0/16'
set protocols bgp 65536 parameters router-id '192.168.0.1'
Node 2
set protocols bgp 65537 neighbor 192.168.0.1 ebgp-multihop '2'
set protocols bgp 65537 neighbor 192.168.0.1 remote-as '65536'
set protocols bgp 65537 neighbor 192.168.0.1 update-source '192.168.0.2'
set protocols bgp 65537 network '2.0.0.0/16'
set protocols bgp 65537 parameters router-id '192.168.0.2'
Note: ebgp-multihop is only needed when the peer is not directly connected; on a shared segment it relaxes the TTL check that otherwise rejects sessions from further away. On links that cross untrusted infrastructure, also set a neighbor password (TCP MD5) so the session cannot be spoofed or reset by a third party.

Blackhole routes for the announced aggregates. The network statement only announces a prefix that is present in the routing table, so the blackhole both keeps the aggregate announced and drops traffic for unused parts of it:
Node 1
set protocols static route 1.0.0.0/16 blackhole distance '254'
Node 2
set protocols static route 2.0.0.0/16 blackhole distance '254'


IPv6
Node 1
set protocols bgp 65536 neighbor 2a00:100::2 ebgp-multihop '2'
set protocols bgp 65536 neighbor 2a00:100::2 remote-as '65537'
set protocols bgp 65536 neighbor 2a00:100::2 update-source '2a00:100::1'
set protocols bgp 65536 neighbor 2a00:100::2 address-family ipv6-unicast
set protocols bgp 65536 address-family ipv6-unicast network '2a00:100:1::/48'
set protocols bgp 65536 parameters router-id '1.1.1.1'
Node 2
set protocols bgp 65537 neighbor 2a00:100::1 ebgp-multihop '2'
set protocols bgp 65537 neighbor 2a00:100::1 remote-as '65536'
set protocols bgp 65537 neighbor 2a00:100::1 update-source '2a00:100::2'
set protocols bgp 65537 neighbor 2a00:100::1 address-family ipv6-unicast
set protocols bgp 65537 address-family ipv6-unicast network '2a00:100:2::/48'
set protocols bgp 65537 parameters router-id '1.1.1.2'
Blackhole routes
Node 1
set protocols static route6 2a00:100:1::/48 blackhole distance '254'
Node 2
set protocols static route6 2a00:100:2::/48 blackhole distance '254'
29. Configure route filtering
Route filtering is applied with route-maps that reference prefix-lists. Inbound (AS65537-IN), rule 10 accepts only the peer's own prefix and rule 20 denies everything else; outbound (AS65537-OUT), rule 10 refuses to re-advertise the peer's own prefix back to it and rule 20 permits the rest. A route-map match on a prefix-list succeeds only when the prefix-list permits the prefix, so the OUT prefix-lists must permit the peer's prefix for the route-map's deny rule to fire (with a deny entry instead, rule 10 would never match and rule 20 would export everything, the peer's prefix included). The route-maps are attached to the IPv6 neighbor here; attach them to the IPv4 neighbor as well if that session is to be filtered.
Node 1
set policy prefix-list AS65537-IN rule 10 action 'permit'
set policy prefix-list AS65537-IN rule 10 prefix '2.0.0.0/16'
set policy prefix-list AS65537-OUT rule 10 action 'permit'
set policy prefix-list AS65537-OUT rule 10 prefix '2.0.0.0/16'
set policy prefix-list6 AS65537-IN rule 10 action 'permit'
set policy prefix-list6 AS65537-IN rule 10 prefix '2a00:100:2::/48'
set policy prefix-list6 AS65537-OUT rule 10 action 'permit'
set policy prefix-list6 AS65537-OUT rule 10 prefix '2a00:100:2::/48'
set policy route-map AS65537-IN rule 10 action 'permit'
set policy route-map AS65537-IN rule 10 match ip address prefix-list 'AS65537-IN'
set policy route-map AS65537-IN rule 10 match ipv6 address prefix-list 'AS65537-IN'
set policy route-map AS65537-IN rule 20 action 'deny'
set policy route-map AS65537-OUT rule 10 action 'deny'
set policy route-map AS65537-OUT rule 10 match ip address prefix-list 'AS65537-OUT'
set policy route-map AS65537-OUT rule 10 match ipv6 address prefix-list 'AS65537-OUT'
set policy route-map AS65537-OUT rule 20 action 'permit'
set protocols bgp 65536 neighbor 2a00:100::2 route-map export 'AS65537-OUT'
set protocols bgp 65536 neighbor 2a00:100::2 route-map import 'AS65537-IN'
Node 2
set policy prefix-list AS65536-IN rule 10 action 'permit'
set policy prefix-list AS65536-IN rule 10 prefix '1.0.0.0/16'
set policy prefix-list AS65536-OUT rule 10 action 'permit'
set policy prefix-list AS65536-OUT rule 10 prefix '1.0.0.0/16'
set policy prefix-list6 AS65536-IN rule 10 action 'permit'
set policy prefix-list6 AS65536-IN rule 10 prefix '2a00:100:1::/48'
set policy prefix-list6 AS65536-OUT rule 10 action 'permit'
set policy prefix-list6 AS65536-OUT rule 10 prefix '2a00:100:1::/48'
set policy route-map AS65536-IN rule 10 action 'permit'
set policy route-map AS65536-IN rule 10 match ip address prefix-list 'AS65536-IN'
set policy route-map AS65536-IN rule 10 match ipv6 address prefix-list 'AS65536-IN'
set policy route-map AS65536-IN rule 20 action 'deny'
set policy route-map AS65536-OUT rule 10 action 'deny'
set policy route-map AS65536-OUT rule 10 match ip address prefix-list 'AS65536-OUT'
set policy route-map AS65536-OUT rule 10 match ipv6 address prefix-list 'AS65536-OUT'
set policy route-map AS65536-OUT rule 20 action 'permit'
set protocols bgp 65537 neighbor 2a00:100::1 route-map export 'AS65536-OUT'
set protocols bgp 65537 neighbor 2a00:100::1 route-map import 'AS65536-IN'
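An evaluator for the prefix-list/route-map policy above, added here as an example (it is not VyOS or FRR code). It compares two versions of the AS65537-OUT prefix-lists, the peer's prefix entered as a deny entry and as a permit entry, and shows that only the permit form stops the peer's own prefix from being exported back to it, because a route-map match clause is satisfied only when the referenced prefix-list permits the route. The address-family handling (a clause for the other family is ignored for this prefix) is an assumption about the routing daemon; splitting IPv4 and IPv6 matches into separate rules is correct under either reading.

```python
"""Evaluate VyOS prefix-list + route-map policy against candidate BGP
prefixes. Added example, not VyOS or FRR code.

Semantics modelled:
- prefix-list: entries in ascending rule number; the first entry whose
  prefix matches decides (exact match, as the page uses no ge/le);
  no matching entry means deny.
- route-map: rules in ascending number; a rule matches when every match
  clause is satisfied; a prefix-list clause is satisfied only when the
  list PERMITS the prefix; a rule with no clauses matches everything;
  no rule matching means deny.
- assumption: a prefix-list clause for the other address family is
  ignored for this prefix. If a daemon treats it as a failed match
  instead, put the IPv4 and IPv6 matches in separate rules.
"""
import ipaddress

# (number, action, prefix) entries keyed by (ip version, list name).
# "DENY-ENTRY" puts the peer's prefix in the OUT lists as a deny entry;
# "PERMIT-ENTRY" permits it so the route-map's deny rule can fire.
PREFIX_LISTS = {
    "DENY-ENTRY": {
        (4, "AS65537-IN"):  [(10, "permit", "2.0.0.0/16")],
        (4, "AS65537-OUT"): [(10, "deny",   "2.0.0.0/16")],
        (6, "AS65537-IN"):  [(10, "permit", "2a00:100:2::/48")],
        (6, "AS65537-OUT"): [(10, "deny",   "2a00:100:2::/48")],
    },
    "PERMIT-ENTRY": {
        (4, "AS65537-IN"):  [(10, "permit", "2.0.0.0/16")],
        (4, "AS65537-OUT"): [(10, "permit", "2.0.0.0/16")],
        (6, "AS65537-IN"):  [(10, "permit", "2a00:100:2::/48")],
        (6, "AS65537-OUT"): [(10, "permit", "2a00:100:2::/48")],
    },
}

# Route-maps are identical in both variants: (number, action, {version: list}).
ROUTE_MAPS = {
    "AS65537-IN":  [(10, "permit", {4: "AS65537-IN",  6: "AS65537-IN"}),
                    (20, "deny",   {})],
    "AS65537-OUT": [(10, "deny",   {4: "AS65537-OUT", 6: "AS65537-OUT"}),
                    (20, "permit", {})],
}


def prefix_list_permits(lists, version, name, prefix):
    """True only if the first matching entry is a permit; implicit deny."""
    for _, action, entry in sorted(lists.get((version, name), []), key=lambda e: e[0]):
        if ipaddress.ip_network(entry) == prefix:
            return action == "permit"
    return False


def route_map_apply(variant, rmap, prefix_str):
    """Return 'permit' or 'deny' for a prefix passed through the route-map."""
    prefix = ipaddress.ip_network(prefix_str)
    lists = PREFIX_LISTS[variant]
    for _, action, clauses in sorted(ROUTE_MAPS[rmap], key=lambda r: r[0]):
        # clauses for the other address family are ignored (assumption above)
        applicable = [name for ver, name in clauses.items() if ver == prefix.version]
        if all(prefix_list_permits(lists, prefix.version, n, prefix) for n in applicable):
            return action
    return "deny"


def exported_to_peer(variant, prefixes):
    """Which candidate routes AS65536 would announce to AS65537."""
    return [p for p in prefixes if route_map_apply(variant, "AS65537-OUT", p) == "permit"]


if __name__ == "__main__":
    candidates = ["1.0.0.0/16", "2.0.0.0/16", "2a00:100:1::/48", "2a00:100:2::/48"]
    for variant in PREFIX_LISTS:
        print(variant, "exports", exported_to_peer(variant, candidates))
```

With deny entries in the OUT prefix-lists, rule 10 of AS65537-OUT never matches and rule 20 exports all four candidates, the peer's own prefixes included; with permit entries, the peer's prefixes are withheld and only 1.0.0.0/16 and 2a00:100:1::/48 are announced. The inbound map behaves the same in both variants: the peer's prefix is accepted, anything else (including a more specific 2a00:100:2::/64) hits rule 20 and is denied.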
30. Configure policy-based routing
VyOS supports policy routing, which steers matched traffic into an alternative routing table. Traffic is matched on the standard 5-tuple (source address, destination address, protocol, source port, destination port).
The following example redirects web traffic to an external transparent proxy:

set policy route FILTER-WEB rule 1000 destination port 80
set policy route FILTER-WEB rule 1000 protocol tcp
set policy route FILTER-WEB rule 1000 set table 100

This creates a route policy named FILTER-WEB with one rule that sends matching traffic (TCP port 80) to routing table 100 instead of the main table. Table 100 has to contain a route of its own (for instance a default route pointing at the proxy), which can be confirmed with the operational command show ip route table 100. Finally the policy is applied to traffic entering the LAN interface:

set interfaces ethernet eth1 policy route FILTER-WEB
31. Firewall rules
Create a group
set firewall group network-group NET-INSIDE network 192.168.0.0/24
set firewall group network-group NET-INSIDE network 192.168.1.0/24

Configure a ruleset
set firewall name INSIDE-OUT default-action drop
set firewall name INSIDE-OUT rule 1010 action accept
set firewall name INSIDE-OUT rule 1010 state established enable
set firewall name INSIDE-OUT rule 1010 state related enable
set firewall name INSIDE-OUT rule 1020 action drop
set firewall name INSIDE-OUT rule 1020 state invalid enable
Apply the ruleset to an interface
set interfaces ethernet eth1 firewall out name INSIDE-OUT
Or apply it through zone policy. An interface is either a zone member or carries interface-level firewall assignments, not both, and each zone needs its member interfaces assigned:
set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT
32. Configure NAT
Source NAT
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'

Destination NAT (port forward)
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'
1-to-1 NAT. Note that in this example eth0 is the inside and eth1 the outside interface, the reverse of the rest of the page. A 1-to-1 mapping is a destination rule for inbound traffic plus the matching source rule for outbound traffic:
set interfaces ethernet eth0 address '192.168.1.1/24'
set interfaces ethernet eth0 description 'Inside interface'
set interfaces ethernet eth1 address '1.2.3.4/24'
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '1.2.3.4'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '1.2.3.4'
33. Configure VPN
a) OpenVPN site-to-site mode
Local side
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 local-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
Remote side
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 remote-address '10.255.1.1'

vyos@vyos# set interfaces openvpn vtun1 encryption
Possible completions:
  des          DES algorithm
  3des         DES algorithm with triple encryption
  bf128        Blowfish algorithm with 128-bit key
  bf256        Blowfish algorithm with 256-bit key
  aes128       AES algorithm with 128-bit key
  aes192       AES algorithm with 192-bit key
  aes256       AES algorithm with 256-bit key

  vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
  md5          MD5 algorithm
  sha1         SHA-1 algorithm
  sha256       SHA-256 algorithm
  sha512       SHA-512 algorithm

  Of the algorithms listed, use the AES options with sha256 or sha512 on any new deployment; des, 3des, Blowfish, md5 and sha1 are legacy choices kept for interoperability. The static key in shared-secret-key-file is generated on one side and must be copied to the other over a trusted channel; anyone holding it can join the tunnel.
  Route the remote network over the tunnel, local side
   set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
  Remote side
   set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1

b) Configure L2TP over IPsec
c) Configure site-to-site IPsec
Server side (1.1.1.1, LAN 192.168.0.0/24). The proposals shown are IKEv1 with aes256/sha1 and PFS; for a new deployment prefer IKEv2, SHA-256 and a larger DH group where the release supports them, and replace the placeholder pre-shared secret with a long random one:
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/21'
Remote office side (2.2.2.2, LAN 10.0.0.0/21)
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24'

Check the tunnel

vyos@srv-gw0:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
2.2.2.2                                 1.1.1.1                        
   State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
   -----  -------  ----    -------  -----  ------  ------
   up     aes256   sha1    5        no     734     3600   
vyos@srv-gw0:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
2.2.2.2                                 1.1.1.1
   Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
   ------  -----  -------------  -------  ----    -----  ------  ------  -----
   0       up     7.5M/230.6K    aes256   sha1    no     567     1800    all

If there is a source NAT rule on eth1, add an exclude rule so traffic between the two LANs is not masqueraded before the IPsec policy sees it. NAT rules are first-match in ascending order, so the exclude rule must carry a lower number than the masquerade rule (10 before 100). The prefix here is 10.0.0.0/24 while the tunnel is configured for 10.0.0.0/21; use the same prefix in both places.
On the server
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '192.168.0.0/24'
On the remote office
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '10.0.0.0/24'
To let hosts behind the peer reach the router itself through the tunnel, add the following rule. As written it accepts every protocol from the remote LAN, so narrow it to the services actually needed. The local ruleset on the interface that terminates IPsec must also accept IKE (UDP 500 and 4500) and ESP from the peer, or the tunnel never comes up:
Server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
Remote side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'
34. Configure the DHCP server
set service dhcp-server shared-network-name 'LAN' authoritative enable
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' start '192.168.0.128' stop '192.168.0.254'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' default-router '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' dns-server '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' domain-name 'internal-net'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' lease 86400
Static DHCP lease (reservation by MAC address)
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' static-mapping 'SERVER' ip-address '192.168.0.10'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' static-mapping 'SERVER' mac-address '00:53:00:00:00:01'
35. Configure DHCP relay
set service dhcp-relay interface eth0
set service dhcp-relay interface eth1
set service dhcp-relay server 192.168.0.4
set service dhcp-relay server 192.168.0.5
Additional protections: cap the hop count and the maximum size of relayed DHCP packets
set service dhcp-relay hop-count 10
set service dhcp-relay max-size 576

Reply, posted on 2021-3-3 16:09:54
Learned something.
Reply, posted on 2021-3-3 18:13:34
Thanks for sharing, OP. Learned a lot!
Reply, posted on 2021-3-5 16:54:08
666, nice one.
Reply, posted on 2021-3-8 09:48:24
This article of yours is good, OP, thanks for sharing. I played with vyos before and found a lot of tutorials online; I tested them and none worked well, and the documentation was all in English, so in the end I gave up.
Reply, posted on 2021-6-28 23:48:46
Is there an ISO of vyos 1.2.7?
Reply, posted on 2021-8-4 04:16:57
Learned something.
Reply, posted on 2023-6-12 09:18:11
Thanks, OP, for sharing such a detailed document. Learned a lot!
Reply, posted on 2023-8-11 14:55:57
Boss, does vyos have a web admin interface?
Reply, posted on 2024-1-8 13:31:39
Very well summarized; it makes looking up how the commands are used easy.
Copyright ©2015-2024 EmulatedLab. Powered by Discuz! (浙ICP备2021010423号-1)