[technique] Mise en place tunnel gw <-> chiwawa
Jérôme Nicolle
jerome at ceriz.fr
Dim 11 Déc 14:47:12 CET 2011
Bonjour,
Le tunnel est en place depuis cette nuit, stable, mais vyatta souffre de
quelques bugs qui empêchent l'enregistrement de l'adresse IPv6 dans la conf.
J'ai plusieurs options pour la conf BGP afin de gérer la bascule entre
le lien primaire et le lien de secours (tunnel) :
- Prepending (sur AS privé 64600)
- Multi Exit Discriminator (légère modification de la conf coté ttn
requise pour forcer la comparaison)
- Communautés et route-map : plus grosse modification, mais donnerait
l'occasion d'un chantier plus poussé pour commencer à utiliser les
communities sur notre optimisation de trafic.
A titre purement informel, voilà la conf "en chantier" de mon routeur
vyatta :
interfaces {
    /* eth0: 192.168.1.0/24 side towards 192.168.1.254, which is also the system
       gateway-address, the next-hop of the host route to the OpenVPN peer
       91.224.148.1 and the exit interface of the IPv6 default route (protocols static) */
    ethernet eth0 {
        address 192.168.1.130/24
        address 2a01:e35:2e00:a630::1/64
        duplex auto
        hw-id 00:03:1d:07:06:1e
        smp_affinity auto
        speed auto
    }
    /* eth1: public-facing radio uplink, also the outbound-interface of the
       masquerade NAT rule. No firewall stanza appears anywhere in this paste, so
       nothing visible filters inbound traffic on this interface or on vtun0 --
       the paste may be partial, confirm on the live box */
    ethernet eth1 {
        address 91.224.149.175/24
        address 2a01:6600:8081:af00::1/56
        description "*** radio uplink to tetaneutral ***"
        duplex auto
        hw-id 00:03:1d:07:06:1f
        smp_affinity auto
        speed auto
    }
    /* eth2..eth4: no addresses configured, unused in this snapshot */
    ethernet eth2 {
        duplex auto
        hw-id 00:03:1d:07:06:20
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        hw-id 00:03:1d:07:06:21
        smp_affinity auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        hw-id 00:03:1d:07:06:22
        smp_affinity auto
        speed auto
    }
    /* eth5: private LAN 10.35.74.0/24 (DHCP pool in service dhcp-server) plus a
       /64 advertised by RA; vif 74 carries the LAN with public addresses */
    ethernet eth5 {
        address 10.35.74.254/24
        address 2a01:6600:8040:c000::1/64
        description "*** LAN ***"
        duplex auto
        hw-id 00:03:1d:07:06:23
        ipv6 {
            dup-addr-detect-transmits 1
            /* SLAAC for 2a01:6600:8040:c000::/64; managed-flag and other-config-flag
               are false, so no DHCPv6 is signalled to hosts */
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag false
                prefix 2a01:6600:8040:c000::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        smp_affinity auto
        speed auto
        vif 74 {
            address 91.224.148.38/29
            address 2a01:6600:8040:8000::1/64
            description "*** LAN public ***"
        }
    }
    loopback lo {
    }
    /* vtun0: backup path over ADSL to gw.tetaneutral.net, a /31 with .19 local
       and .18 remote (the remote is the backup BGP neighbor). "--cipher none"
       disables encryption, so the BGP session and anything routed over the tunnel
       cross the ADSL path in clear; with a static shared-secret key OpenVPN still
       HMAC-authenticates packets unless "--auth none" is also set. "--shaper 120000"
       caps the outbound tunnel rate (bytes/s). The description below was wrapped by
       the mail client; it is one line in the real config */
    openvpn vtun0 {
        description "*** point-to-point tunnel to gw.tetaneutral.net through backup ADSL ***"
        device-type tap
        local-address 91.224.148.19 {
            subnet-mask 255.255.255.254
        }
        mode site-to-site
        openvpn-option "--cipher none --comp-lzo yes --shaper 120000"
        protocol udp
        remote-address 91.224.148.18
        remote-host 91.224.148.1
        remote-port 65007
        shared-secret-key-file /config/auth/static-65007.key
    }
}
policy {
    /* Export filters: only the router's own /29 and /48 pass, so a prefix learned
       from one tetaneutral peer is never re-announced to the other. No import
       route-map or prefix-list is attached to either neighbor in the bgp block,
       so whatever the peers announce is accepted as sent */
    prefix-list eBGP-OUT {
        rule 1 {
            action permit
            prefix 91.224.148.32/29
        }
    }
    prefix-list6 eBGP-OUT6 {
        rule 1 {
            action permit
            prefix 2a01:6600:8040::/48
        }
    }
    /* Primary (radio) export: next-hops should be eth1's addresses. NOTE(review):
       the link-local fe80::203:1dff:fe07:61e is the EUI-64 of eth0's hw-id
       (00:03:1d:07:06:1e); eth1's hw-id (...:06:1f) would give
       fe80::203:1dff:fe07:61f. If the interfaces use their EUI-64 link-locals,
       the radio peer receives a local next-hop that is not on its link -- verify
       against the live interface addresses */
    route-map eBGP-EXPORT-ttn-pri {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list eBGP-OUT
                    }
                }
                ipv6 {
                    address {
                        prefix-list eBGP-OUT6
                    }
                }
            }
            set {
                ipv6-next-hop {
                    global 2a01:6600:8081:af00::1
                    local fe80::203:1dff:fe07:61e
                }
                ip-next-hop 91.224.149.175
            }
        }
    }
    /* Backup (tunnel) export: the IPv4 next-hop is vtun0's local-address. The
       IPv6 next-hops are not configured on any interface in this paste -- the
       mail says vyatta could not record the tunnel's IPv6 address in the conf,
       so they are presumably set on the tap interface at runtime; confirm */
    route-map eBGP-EXPORT-ttn-sec {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list eBGP-OUT
                    }
                }
                ipv6 {
                    address {
                        prefix-list eBGP-OUT6
                    }
                }
            }
            set {
                ipv6-next-hop {
                    global 2a01:6600:8000::202
                    local fe80::6404:9fff:fed7:adba
                }
                ip-next-hop 91.224.148.19
            }
        }
    }
}
protocols {
    /* Private ASN 64600 (64512-65534 range) peering with AS197422 over both
       paths. Both neighbors are administratively "shutdown" in this snapshot,
       matching the mail's "en chantier". weight 200 vs 100 prefers routes learned
       over the radio link for outbound traffic only: weight is local to this
       router and does not steer inbound traffic, which is what the prepending /
       MED / community options discussed in the mail are for. The TCP MD5
       passwords are masked in the paste. Only export route-maps are attached;
       nothing filters what the peers announce */
    bgp 64600 {
        address-family {
            ipv6-unicast {
                network 2a01:6600:8040::/48 {
                }
            }
        }
        /* backup session, reached through vtun0 (its remote-address) */
        neighbor 91.224.148.18 {
            description "*** BGP session to gw.tetaneutral.net through backup link ***"
            password ****************
            remote-as 197422
            route-map {
                export eBGP-EXPORT-ttn-sec
            }
            shutdown
            weight 100
        }
        /* primary session over the radio link (eth1's /24) */
        neighbor 91.224.149.254 {
            description "*** BGP session to h3.tetaneutral.net through radio link ***"
            password ****************
            remote-as 197422
            route-map {
                export eBGP-EXPORT-ttn-pri
            }
            shutdown
            weight 200
        }
        network 91.224.148.32/29 {
        }
        parameters {
            /* equals the announced /29's network address; legal (a router-id is
               only a 32-bit identifier) but easy to mistake for a host address */
            router-id 91.224.148.32
        }
    }
    static {
        /* host route to the OpenVPN remote-host via the 192.168.1.254 box, so the
           tunnel endpoint is always reached over the eth0 / ADSL side */
        route 91.224.148.1/32 {
            next-hop 192.168.1.254 {
            }
        }
        /* IPv6 default via a link-local on eth0, i.e. also the ADSL side */
        route6 ::/0 {
            next-hop fe80::224:d4ff:fe5e:f530 {
                interface eth0
            }
        }
    }
}
service {
    /* DHCPv4 for the eth5 LAN: pool .128-.191 plus one fixed lease.
       "authoritative disable" means the server does not NAK requests for
       leases it does not recognise (ISC semantics) */
    dhcp-server {
        disabled false
        shared-network-name ETH5_POOL {
            authoritative disable
            subnet 10.35.74.0/24 {
                default-router 10.35.74.254
                lease 86400
                start 10.35.74.128 {
                    stop 10.35.74.191
                }
                static-mapping mybeep {
                    ip-address 10.35.74.65
                    mac-address 64:b9:e8:d5:05:4e
                }
            }
        }
    }
    /* Masquerade the private LAN behind eth1 only. No rule covers vtun0, so
       10.35.74.0/24 traffic taking the backup tunnel would leave with its
       private source -- presumably not expected on that path; confirm */
    nat {
        rule 10 {
            outbound-interface eth1
            source {
                address 10.35.74.0/24
            }
            type masquerade
        }
    }
    /* SSH on every address (no listen-address), protocol v2 only; password
       logins stay enabled (no disable-password-authentication). With no
       firewall stanza in the paste this is reachable from eth1 and the tunnel */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    config-management {
        /* keep the last 20 committed configs for rollback / compare */
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name nicolbolas.org
    /* IPv4 default route via the 192.168.1.254 box on eth0, consistent with both
       BGP sessions being shutdown in this snapshot */
    gateway-address 192.168.1.254
    host-name heavengate
    login {
        /* single admin-level account; the password hash is masked in the paste */
        user vyatta {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    /* DNS resolution also goes through the 192.168.1.254 box */
    name-server 192.168.1.254
    ntp {
        server 0.vyatta.pool.ntp.org {
        }
        server 1.vyatta.pool.ntp.org {
        }
        server 2.vyatta.pool.ntp.org {
        }
    }
    /* Automatic repository sync against a plain-http URL: the (masked)
       repository password and the packages cross the wire in clear, so package
       integrity rests on apt's signature checks rather than on the transport */
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ****************
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* debug on protocols is useful while bringing BGP up; noisy once stable */
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}
--
Jérôme Nicolle
06 19 31 27 14