前提:
基礎ネットワークとVMインスタンスはTerraformで作成
その他はCLIで作成
Alibaba VPN Gateway作成画面でService-linked Role作成済み
IPSec tunnel使用本数: 1本
macから実施
設定の流れ:
1. Alibaba Cloud側での設定
VPN Gateway作成
2. OCI側での設定
動的ルーティング・ゲートウェイ作成
顧客構内機器作成
サイト間VPN作成
3. Alibaba Cloud側での設定
Customer Gateways作成
IPsec Connection作成
4. 動作確認
※OCI側のASNは固定値31898を使用する必要あり
OCI:
Ashburnリージョン
VPC : 10.0.0.0/16
サブネット : 10.0.1.0/24
Security Group : ICMP,SSH
ASN: 31898
Alibaba:
北京リージョン
VPC : 172.16.0.0/16
vSwitch : 172.16.1.0/24
Security Group : ICMP,SSH
ASN: 65000
-- 1. VPC、サブネット、コンピュートインスタンス作成【OCI】
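# Work in a dedicated directory for the OCI Terraform root module.
# -p keeps the step re-runnable; && stops the cd from being attempted (and the
# following files from landing in the wrong directory) if mkdir fails.
mkdir -p oci && cd oci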
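# variables.tf: the tenancy OCID and the compartment name used by main.tf.
# The heredoc delimiter is quoted so nothing is expanded by the shell.
cat <<-'EOF' > variables.tf
locals {
  # Placeholder tenancy OCID; replace with the real value. Keep real OCIDs
  # and API-key material out of version control (see provider "oci" in
  # main.tf).
  tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
}

# Name of the compartment created for this lab. Overridable with
# TF_VAR_compartment_name; the default is what the runbook uses.
variable "compartment_name" {
  description = "compartment_name"
  type        = string
  default     = "cmp01"
}
EOF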
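# main.tf: provider, compartment, VCN networking and one Oracle Linux 9 VM
# that is the OCI end of the ping test. The delimiter is quoted, so the HCL
# is written verbatim; `terraform fmt` in the next step normalises layout.
cat <<-'EOF' > main.tf
terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    oci = {
      source  = "hashicorp/oci"
      version = "= 5.23.0"
    }
  }
}

# API-key authentication. user_ocid / fingerprint / private_key_path say
# which signing key is used; they are identity values rather than the key
# itself, but real values still should not be committed with the code — a
# config_file_profile pointing at ~/.oci/config keeps this file
# account-neutral.
provider "oci" {
  tenancy_ocid     = local.tenancy_ocid
  user_ocid        = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111"
  private_key_path = "~/.oci/oci_api_key.pem"
  fingerprint      = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
  region           = "us-ashburn-1"
}

# Dedicated compartment so that `terraform destroy` removes everything the
# lab created; enable_delete lets the provider delete the compartment itself.
resource "oci_identity_compartment" "cmp01" {
  # Required
  compartment_id = local.tenancy_ocid
  description    = var.compartment_name
  name           = var.compartment_name
  enable_delete  = true
}

# VCN 10.0.0.0/16. The Alibaba side is 172.16.0.0/16; the two ranges must
# not overlap for the BGP-learned routes to be usable.
resource "oci_core_vcn" "vcn01" {
  #Required
  compartment_id = oci_identity_compartment.cmp01.id
  #Optional
  cidr_block   = "10.0.0.0/16"
  display_name = "vcn01"
  dns_label    = "vcn01"
}

# Internet gateway: gives the VM's public IP a path to the internet (SSH).
resource "oci_core_internet_gateway" "igw01" {
  #Required
  compartment_id = oci_identity_compartment.cmp01.id
  vcn_id         = oci_core_vcn.vcn01.id
  #Optional
  enabled      = true
  display_name = "igw01"
}

# Subnet route table: only a default route for now. The route to the Alibaba
# prefix via the DRG is added in step 11, once the VPN is up.
resource "oci_core_route_table" "rt01" {
  #Required
  compartment_id = oci_identity_compartment.cmp01.id
  vcn_id         = oci_core_vcn.vcn01.id
  #Optional
  display_name = "rt01"
  route_rules {
    network_entity_id = oci_core_internet_gateway.igw01.id
    destination       = "0.0.0.0/0"
  }
}

resource "oci_core_security_list" "sl01" {
  #Required
  compartment_id = oci_identity_compartment.cmp01.id
  vcn_id         = oci_core_vcn.vcn01.id
  #Optional
  display_name = "sl01"
  # Egress: unrestricted.
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
    stateless   = false
  }
  # Ingress SSH (tcp/22) from anywhere. The VM gets a public IP below, so
  # narrow the source to the operator's address range when it is known.
  ingress_security_rules {
    protocol  = "6"
    source    = "0.0.0.0/0"
    stateless = false
    tcp_options {
      max = 22
      min = 22
    }
  }
  # Ingress from the Alibaba vSwitch over the VPN. The design ("ICMP,SSH")
  # and the matching Alibaba-side rule sg0102 only need ICMP for the ping
  # test, so this is protocol 1 rather than "all"; widen it deliberately if
  # other traffic is required.
  ingress_security_rules {
    protocol  = "1"
    source    = "172.16.1.0/24"
    stateless = false
  }
}

resource "oci_core_subnet" "subnet01" {
  #Required
  cidr_block     = "10.0.1.0/24"
  compartment_id = oci_identity_compartment.cmp01.id
  vcn_id         = oci_core_vcn.vcn01.id
  #Optional
  display_name      = "subnet01"
  dns_label         = "subnet01"
  route_table_id    = oci_core_route_table.rt01.id
  security_list_ids = [oci_core_security_list.sl01.id]
}

# Newest Oracle Linux 9 platform image that supports the chosen shape.
data "oci_core_images" "ol9_latest" {
  #Required
  compartment_id = oci_identity_compartment.cmp01.id
  #Optional
  operating_system         = "Oracle Linux"
  operating_system_version = "9"
  shape                    = "VM.Standard.E2.1"
  sort_by                  = "TIMECREATED"
  sort_order               = "DESC"
  filter {
    name   = "display_name"
    values = ["Oracle-Linux-9.*"]
    regex  = true
  }
}

# Test VM. Notes:
# - the availability-domain prefix ("OEIw") is tenancy-specific.
# - assign_public_ip = true exposes the VM on the internet (SSH rule above).
# - preemptible: the instance can be reclaimed at any time and its boot
#   volume is not preserved, which is acceptable for a throwaway lab VM.
resource "oci_core_instance" "vm01" {
  #Required
  availability_domain = "OEIw:US-ASHBURN-AD-1"
  compartment_id      = oci_identity_compartment.cmp01.id
  shape               = "VM.Standard.E2.1"
  agent_config {
    plugins_config {
      desired_state = "ENABLED"
      name          = "OS Management Service Agent"
    }
    plugins_config {
      desired_state = "ENABLED"
      name          = "Compute Instance Run Command"
    }
    plugins_config {
      desired_state = "ENABLED"
      name          = "Compute Instance Monitoring"
    }
  }
  create_vnic_details {
    #Optional
    assign_public_ip = true
    subnet_id        = oci_core_subnet.subnet01.id
  }
  display_name = "vm01"
  fault_domain = "FAULT-DOMAIN-1"
  # SSH login uses the operator's local public key; no password is set.
  metadata = {
    ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
  }
  source_details {
    #Required
    source_id   = data.oci_core_images.ol9_latest.images[0].id
    source_type = "image"
    #Optional
    boot_volume_size_in_gbs = 50
  }
  preserve_boot_volume = false
  preemptible_instance_config {
    preemption_action {
      type                 = "TERMINATE"
      preserve_boot_volume = false
    }
  }
}
EOF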
# outputs.tf: expose the id of every resource main.tf creates. Each entry is
# "<resource name>=<resource type>" and becomes one output block named
# "<name>_id" whose value is <type>.<name>.id.
{
  for pair in \
      cmp01=oci_identity_compartment \
      vcn01=oci_core_vcn \
      igw01=oci_core_internet_gateway \
      rt01=oci_core_route_table \
      sl01=oci_core_security_list \
      subnet01=oci_core_subnet; do
    res_name=${pair%%=*}
    res_type=${pair#*=}
    printf 'output "%s_id" {\nvalue = %s.%s.id\ndescription = "%s.id"\n}\n' \
      "$res_name" "$res_type" "$res_name" "$res_name"
  done
} > outputs.tf
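# Bring up the OCI stack. Version is printed first so the log shows which
# binary produced the plan; validate catches HCL errors before plan.
terraform -version
terraform init
terraform fmt
terraform validate
# Same value as the variable default; exported so the choice is explicit.
export TF_VAR_compartment_name=cmp01
terraform plan
# -auto-approve skips the interactive review of the plan printed above; drop
# it when the plan should be inspected before changes are made.
terraform apply -auto-approve
# terraform destroy -auto-approve
cd ..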
-- 2. VPC、VSwitch、ECS作成【Alibaba】
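# Work in a dedicated directory for the Alibaba Terraform root module.
# -p keeps the step re-runnable; && stops the cd from being attempted (and the
# following files from landing in the wrong directory) if mkdir fails.
mkdir -p alibaba && cd alibaba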
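# variables.tf: zones and ECS sizing for main.tf. The heredoc delimiter is
# quoted so nothing is expanded by the shell.
cat <<-'EOF' > variables.tf
locals {
  # Two zones: sw01 (and the VPN gateway) live in zone1, sw02 in zone2.
  availability_zone1 = "cn-beijing-k"
  availability_zone2 = "cn-beijing-l"
}

# Burstable instance type for the ping-test VM.
variable "instance_type" {
  description = "instance_type"
  type        = string
  default     = "ecs.t6-c4m1.large"
}

# Pinned public image build (dated); update when rotating base images.
variable "image_id" {
  description = "image_id"
  type        = string
  default     = "aliyun_2_1903_x64_20G_alibase_20231221.vhd"
}
EOF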
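# main.tf: provider, VPC with two vSwitches, security group, IPv4 gateway for
# egress and one ECS instance with an EIP (the Alibaba end of the ping test).
# The delimiter is quoted, so the HCL is written verbatim; `terraform fmt`
# normalises layout in the next step.
cat <<-'EOF' > main.tf
terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    alicloud = {
      source  = "aliyun/alicloud"
      version = "= 1.217.0"
    }
  }
}

# No credentials in the file: the provider reads ALICLOUD_ACCESS_KEY /
# ALICLOUD_SECRET_KEY (or ALICLOUD_PROFILE) from the environment.
provider "alicloud" {
  region = "cn-beijing"
}

# VPC 172.16.0.0/16; must not overlap the OCI VCN (10.0.0.0/16).
resource "alicloud_vpc" "vpc01" {
  vpc_name    = "vpc01"
  description = "vpc01"
  cidr_block  = "172.16.0.0/16"
}

# sw01 hosts the instance and is the prefix advertised over the VPN.
resource "alicloud_vswitch" "sw01" {
  vswitch_name = "sw01"
  description  = "sw01"
  vpc_id       = alicloud_vpc.vpc01.id
  cidr_block   = "172.16.1.0/24"
  zone_id      = local.availability_zone1
}

# sw02 is in a second zone (needed as the VPN gateway's disaster-recovery
# vSwitch).
resource "alicloud_vswitch" "sw02" {
  vswitch_name = "sw02"
  description  = "sw02"
  vpc_id       = alicloud_vpc.vpc01.id
  cidr_block   = "172.16.2.0/24"
  zone_id      = local.availability_zone2
}

resource "alicloud_security_group" "sg01" {
  name                = "sg01"
  description         = "sg01"
  vpc_id              = alicloud_vpc.vpc01.id
  security_group_type = "normal"
}

# SSH (tcp/22) from anywhere. The instance is reachable through eip01, so
# narrow cidr_ip to the operator's address range when it is known.
# nic_type "intranet" is the value used for VPC security groups.
resource "alicloud_security_group_rule" "sg0101" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "22/22"
  security_group_id = alicloud_security_group.sg01.id
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 10
  cidr_ip           = "0.0.0.0/0"
  description       = "sg0101"
}

# ICMP from the OCI subnet over the VPN (ping test only).
resource "alicloud_security_group_rule" "sg0102" {
  type              = "ingress"
  ip_protocol       = "icmp"
  port_range        = "-1/-1"
  security_group_id = alicloud_security_group.sg01.id
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 10
  cidr_ip           = "10.0.1.0/24"
  description       = "sg0102"
}

# IPv4 gateway: internet egress for the VPC (default route below).
resource "alicloud_vpc_ipv4_gateway" "gw01" {
  ipv4_gateway_name        = "gw01"
  ipv4_gateway_description = "gw01"
  vpc_id                   = alicloud_vpc.vpc01.id
  enabled                  = true
}

# Associate the vSwitch with the VPC's system route table.
resource "alicloud_route_table_attachment" "sw01_rt01" {
  vswitch_id     = alicloud_vswitch.sw01.id
  route_table_id = alicloud_vpc.vpc01.route_table_id
}

# Custom default route via the IPv4 gateway. The route back to the OCI
# subnet is published automatically by the VPN gateway (step 11.2).
resource "alicloud_route_entry" "rt0101" {
  name                  = "rt0101"
  route_table_id        = alicloud_vpc.vpc01.route_table_id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Ipv4Gateway"
  nexthop_id            = alicloud_vpc_ipv4_gateway.gw01.id
}

# Test instance. internet_max_bandwidth_out = 0 means no instance-level
# public IP; connectivity comes from eip01 below. key_name must be an SSH
# key pair that already exists in the region; deletion protection is off so
# `terraform destroy` works unattended.
resource "alicloud_instance" "instance01" {
  image_id                   = var.image_id
  instance_type              = var.instance_type
  security_groups            = [alicloud_security_group.sg01.id]
  instance_name              = "instance01"
  system_disk_category       = "cloud_essd"
  system_disk_name           = "instance01"
  system_disk_size           = 20
  description                = "instance01"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_out = 0
  host_name                  = "instance01"
  vswitch_id                 = alicloud_vswitch.sw01.id
  instance_charge_type       = "PostPaid"
  key_name                   = "alibabakey04"
  deletion_protection        = false
  credit_specification       = "Standard"
}

# Pay-as-you-go EIP for SSH access to the instance.
resource "alicloud_eip_address" "eip01" {
  address_name         = "eip01"
  bandwidth            = 1
  deletion_protection  = false
  description          = "eip01"
  internet_charge_type = "PayByTraffic"
  isp                  = "BGP"
  payment_type         = "PayAsYouGo"
  netmode              = "public"
}

# Bind the EIP to the instance.
resource "alicloud_eip_association" "instance01_eip01" {
  instance_id   = alicloud_instance.instance01.id
  allocation_id = alicloud_eip_address.eip01.id
}
EOF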
# outputs.tf: one output per "<name>:<attribute>:<resource type>" entry,
# named "<name>_<attribute>" with value <type>.<name>.<attribute>. The VPC
# appears twice: its id and its system route table id.
{
  for entry in \
      vpc01:id:alicloud_vpc \
      vpc01:route_table_id:alicloud_vpc \
      sw01:id:alicloud_vswitch \
      sw02:id:alicloud_vswitch \
      sg01:id:alicloud_security_group \
      gw01:id:alicloud_vpc_ipv4_gateway \
      instance01:id:alicloud_instance \
      eip01:id:alicloud_eip_address; do
    IFS=: read -r res_name res_attr res_type <<<"$entry"
    printf 'output "%s_%s" {\nvalue = %s.%s.%s\ndescription = "%s.%s"\n}\n' \
      "$res_name" "$res_attr" "$res_type" "$res_name" "$res_attr" \
      "$res_name" "$res_attr"
  done
} > outputs.tf
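# Bring up the Alibaba stack. Version is printed first so the log shows which
# binary produced the plan; validate catches HCL errors before plan.
terraform -version
terraform init
terraform fmt
terraform validate
terraform plan
# -auto-approve skips the interactive review of the plan printed above; drop
# it when the plan should be inspected before changes are made.
terraform apply -auto-approve
# terraform destroy -auto-approve
cd ..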
# Create a pay-as-you-go, IPsec-only, public VPN gateway in vpc01. The
# vpc-/vsw- placeholders are replaced with the outputs of the Alibaba
# Terraform step; --force skips the CLI confirmation prompt.
# NOTE(review): VSwitchId and DisasterRecoveryVSwitchId carry the same
# placeholder here; the DR vSwitch is meant to be in a second zone (sw02 /
# cn-beijing-l was created for that) — confirm before running.
# NOTE(review): AutoPay is false; if the resulting order is left unpaid the
# gateway may never be provisioned — presumably worth checking if the
# gateway does not show up in DescribeVpnGateways afterwards.
vgw_args=(
  --Name vgw01
  --VpcId vpc-111111111111111111111
  --InstanceChargeType POSTPAY
  --AutoPay false
  --Bandwidth 10
  --EnableIpsec true
  --EnableSsl false
  --VSwitchId vsw-111111111111111111111
  --VpnType Normal
  --NetworkType public
  --DisasterRecoveryVSwitchId vsw-111111111111111111111
  --force
)
aliyun vpc CreateVpnGateway "${vgw_args[@]}"
コマンドは正常終了するが、DescribeVpnGatewaysしてもリソースは確認できない
→ GUIから実施
作成後、画面から「Enable Automatic Route」有効化も必要
# List every VPN gateway in the region, then show the one used by this
# runbook (placeholder id; take the real one from the console).
vgw_id=vpn-111111111111111111111
aliyun vpc DescribeVpnGateways
aliyun vpc DescribeVpnGateway --VpnGatewayId "$vgw_id"
-- 4. 動的ルーティング・ゲートウェイ作成 【OCI】
# Create the dynamic routing gateway in the lab compartment and list the
# compartment's DRGs to pick up its OCID for the following steps.
cmp_id=ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg create --compartment-id "$cmp_id" --display-name drg01
oci network drg list --compartment-id "$cmp_id"
VCNへのDRGのアタッチ
# Print the JSON skeleton for this command (reference only), then attach
# drg01 to vcn01. vcn-route-type SUBNET_CIDRS advertises the VCN's subnet
# CIDRs to the DRG; route-table-id null keeps the DRG's default table.
oci network drg-attachment create --generate-full-command-json-input
vcn_attach='{
  "id": "ocid1.vcn.oc1.iad.111111111111111111111111111111111111111111111111111111111111",
  "route-table-id": null,
  "type": "VCN",
  "vcn-route-type": "SUBNET_CIDRS"
}'
oci network drg-attachment create \
  --drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
  --display-name drg0101 \
  --network-details "$vcn_attach"
-- 5. 顧客構内機器作成【OCI】
# Show the CPE device-shape catalogue as a vendor/id table, then register the
# Alibaba VPN gateway's first public IPsec address as the customer-premises
# equipment.
oci network cpe-device-shape list \
  --query 'data.{"vendor":"cpe-device-info"."vendor","id":"id"}' \
  --output table
cpe_args=(
  --compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
  --ip-address 192.0.2.1
  --display-name cpe01
  --cpe-device-shape-id 0c14a129-ce70-43f3-bf07-e980a6784ae8
)
oci network cpe create "${cpe_args[@]}"
ip-addressはAlibaba VPN Gatewayの外部IPアドレス#1
# Confirm the CPE and note its OCID for the IPsec connection.
cmp_id=ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network cpe list --compartment-id "$cmp_id"
-- 6. サイト間VPN作成【OCI】
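# Print the JSON skeleton for this command (reference only).
oci network ip-sec-connection create --generate-full-command-json-input

# Create the site-to-site VPN between cpe01 and drg01. Only tunnel 1 is
# configured (OCI always provisions two tunnels; the second keeps defaults).
# The IKE/IPsec settings must match CreateVpnConnection on the Alibaba side:
# IKEv2, SHA-256, AES-256-CBC, DH group 2, BGP over 169.254.20.0/30 with
# customer ASN 65000.
#
# Review notes:
# - GROUP2 is 1024-bit MODP; both providers offer GROUP14 — raise it on both
#   sides together if policy allows.
# - Phase lifetimes here (28800 / 3600 s) differ from the Alibaba side
#   (86400 / 86400 s); each peer rekeys on its own timer so the tunnel still
#   works, but aligned values are easier to reason about.
# - The JSON is written to a private temp file and passed as file://, so the
#   pre-shared key does not appear in argv or the shell history. $VPN_PSK
#   supplies the key; the default is the lab placeholder and must not be
#   used for a real link. Leaving sharedSecret out entirely lets OCI generate
#   one. A key containing '"' or '\' would break the JSON below.
# - Fixes against the earlier version: "associatedVirtualCircuits" had an
#   empty value (invalid JSON) and is now null; dpdTimeoutInSec is an
#   integer rather than a string.
psk=${VPN_PSK:-PreSharedKey1}
tunnel_cfg=$(mktemp)
# Unquoted delimiter so ${psk} expands; nothing else in the JSON uses '$'.
cat > "$tunnel_cfg" <<EOF
[
  {
    "associatedVirtualCircuits": null,
    "bgpSessionConfig": {
      "customerBgpAsn": "65000",
      "customerInterfaceIp": "169.254.20.2/30",
      "customerInterfaceIpv6": null,
      "oracleInterfaceIp": "169.254.20.1/30",
      "oracleInterfaceIpv6": null
    },
    "displayName": "tun01",
    "dpdConfig": {
      "dpdMode": "INITIATE_AND_RESPOND",
      "dpdTimeoutInSec": 20
    },
    "drgRouteTableId": null,
    "encryptionDomainConfig": null,
    "ikeVersion": "V2",
    "natTranslationEnabled": "AUTO",
    "oracleInitiation": "INITIATOR_OR_RESPONDER",
    "oracleTunnelIp": null,
    "phaseOneConfig": {
      "authenticationAlgorithm": "SHA2_256",
      "diffieHelmanGroup": "GROUP2",
      "encryptionAlgorithm": "AES_256_CBC",
      "isCustomPhaseOneConfig": true,
      "lifetimeInSeconds": 28800
    },
    "phaseTwoConfig": {
      "authenticationAlgorithm": "HMAC_SHA2_256_128",
      "encryptionAlgorithm": "AES_256_CBC",
      "isCustomPhaseTwoConfig": true,
      "isPfsEnabled": true,
      "lifetimeInSeconds": 3600,
      "pfsDhGroup": "GROUP2"
    },
    "routing": "BGP",
    "sharedSecret": "${psk}"
  }
]
EOF
oci network ip-sec-connection create \
  --compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
  --cpe-id ocid1.cpe.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
  --drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
  --static-routes '["172.16.1.0/24"]' \
  --display-name vpn01 \
  --tunnel-configuration "file://${tunnel_cfg}"
rm -f -- "$tunnel_cfg"

# Confirm the connection and read the tunnel details; the Oracle-side VPN IP
# of tun01 is what the Alibaba customer gateway (step 7) must point at.
oci network ip-sec-connection list \
  --compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network ip-sec-tunnel list \
  --ipsc-id ocid1.ipsecconnection.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
  --all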
-- 7. カスタマーゲートウェイ作成【Alibaba】
# Register OCI's tunnel endpoint as the customer gateway. IpAddress is the
# Oracle-side VPN IP of tun01 (from ip-sec-tunnel list); Asn is OCI's fixed
# BGP ASN 31898.
cgw_args=(
  --IpAddress 192.0.2.2
  --Name cgw01
  --Asn 31898
)
aliyun vpc CreateCustomerGateway "${cgw_args[@]}"
※ IpAddressはOCI側トンネルのBGP動的ルーティング用IPアドレス
# List customer gateways and show the one just created (placeholder id).
cgw_id=cgw-111111111111111111111
aliyun vpc DescribeCustomerGateways
aliyun vpc DescribeCustomerGateway --CustomerGatewayId "$cgw_id"
-- 8. IPsec Connection作成【Alibaba】
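# Create the IPsec connection on the Alibaba side. Parameters mirror the OCI
# tunnel (IKEv2, SHA-256, AES-256, DH group2, BGP over 169.254.20.0/30 with
# local ASN 65000); LocalId/RemoteId are the gateway's and OCI's public
# tunnel IPs, and 0.0.0.0/0 on both subnets leaves route selection to BGP.
# The pre-shared key is taken from $VPN_PSK; the default is the lab
# placeholder and must match the key the OCI tunnel was created with. The
# aliyun CLI only accepts the PSK as an argument, so it is visible in the
# shell history and in `ps` while the command runs — clear the history
# entry afterwards if that matters.
#
# Review notes:
# - group2 is 1024-bit MODP; prefer group14 on both ends if policy allows.
# - Ike/IpsecLifetime 86400 differ from OCI's 28800/3600; peers rekey on
#   their own timers so this works, but aligning them is cleaner.
# - IkeMode main/aggressive is an IKEv1 concept and has no effect with ikev2.
# - Two tunnels are specified (the gateway appears to require both),
#   although the premise says only one is used; tunnel 2 (LocalId 192.0.2.3,
#   169.254.21.0/30) has no matching configuration on the OCI side and is
#   not expected to come up.
psk=${VPN_PSK:-PreSharedKey1}
aliyun vpc CreateVpnConnection \
  --region cn-beijing \
  --RegionId 'cn-beijing' \
  --CustomerGatewayId 'cgw-111111111111111111111' \
  --VpnGatewayId 'vpn-111111111111111111111' \
  --Name vpn01 \
  --LocalSubnet '0.0.0.0/0' \
  --RemoteSubnet '0.0.0.0/0' \
  --EffectImmediately true \
  --TunnelOptionsSpecification.1.TunnelBgpConfig.LocalAsn 65000 \
  --TunnelOptionsSpecification.1.TunnelBgpConfig.LocalBgpIp '169.254.20.2' \
  --TunnelOptionsSpecification.1.TunnelBgpConfig.TunnelCidr '169.254.20.0/30' \
  --TunnelOptionsSpecification.1.CustomerGatewayId 'cgw-111111111111111111111' \
  --TunnelOptionsSpecification.1.EnableDpd true \
  --TunnelOptionsSpecification.1.EnableNatTraversal true \
  --TunnelOptionsSpecification.1.Role master \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.IkeAuthAlg sha256 \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.IkeEncAlg aes256 \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.IkeLifetime 86400 \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.IkeMode main \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.IkePfs group2 \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.IkeVersion ikev2 \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.LocalId '192.0.2.1' \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.Psk "$psk" \
  --TunnelOptionsSpecification.1.TunnelIkeConfig.RemoteId '192.0.2.2' \
  --TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecAuthAlg sha256 \
  --TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecEncAlg aes256 \
  --TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecLifetime 86400 \
  --TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecPfs group2 \
  --TunnelOptionsSpecification.2.TunnelBgpConfig.LocalAsn 65000 \
  --TunnelOptionsSpecification.2.TunnelBgpConfig.LocalBgpIp '169.254.21.2' \
  --TunnelOptionsSpecification.2.TunnelBgpConfig.TunnelCidr '169.254.21.0/30' \
  --TunnelOptionsSpecification.2.CustomerGatewayId 'cgw-111111111111111111111' \
  --TunnelOptionsSpecification.2.EnableDpd true \
  --TunnelOptionsSpecification.2.EnableNatTraversal true \
  --TunnelOptionsSpecification.2.Role slave \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.IkeAuthAlg sha256 \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.IkeEncAlg aes256 \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.IkeLifetime 86400 \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.IkeMode main \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.IkePfs group2 \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.IkeVersion ikev2 \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.LocalId '192.0.2.3' \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.Psk "$psk" \
  --TunnelOptionsSpecification.2.TunnelIkeConfig.RemoteId '192.0.2.2' \
  --TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecAuthAlg sha256 \
  --TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecEncAlg aes256 \
  --TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecLifetime 86400 \
  --TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecPfs group2 \
  --force \
  --EnableTunnelsBgp true

# Confirm the connection (placeholder id) — tunnel and BGP state are checked
# from the OCI side in step 10.
aliyun vpc DescribeVpnConnections
aliyun vpc DescribeVpnConnection --VpnConnectionId vco-111111111111111111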
-- 9. VPN GatewayのPolicy-based Routing設定【Alibaba】
# Policy-based route on the VPN gateway: traffic from sw01 to the OCI subnet
# is sent through the IPsec connection, and PublishVpc advertises it into
# the VPC route table. Then list the gateway's policy routes to confirm.
vgw_id=vpn-111111111111111111111
pbr_args=(
  --VpnGatewayId "$vgw_id"
  --RouteSource "172.16.1.0/24"
  --RouteDest "10.0.1.0/24"
  --NextHop vco-111111111111111111
  --Weight 100
  --PublishVpc true
  --Priority 10
)
aliyun vpc CreateVpnPbrRouteEntry "${pbr_args[@]}"
aliyun vpc DescribeVpnPbrRouteEntries --VpnGatewayId "$vgw_id"
-- 10. BGPステータス確認 【OCI】
IPSecステータスとIPv4 BGPステータスが「稼働中」になるまで待つ
-- 11. ルートテーブル修正
-- 11.1 Alibaba(172.16.1.0/24)への経路(ターゲットは動的ルーティング・ゲートウェイ)をサブネットのルートテーブルに追加【OCI】
# rt01 after the VPN is up: the default route stays on the internet gateway
# and the Alibaba vSwitch prefix is sent to the DRG. The DRG OCID is the one
# returned by `oci network drg create` (placeholder here); replace it in
# oci/main.tf before applying.
resource "oci_core_route_table" "rt01" {
  #Required
  compartment_id = oci_identity_compartment.cmp01.id
  vcn_id         = oci_core_vcn.vcn01.id
  #Optional
  display_name = "rt01"
  # Internet egress for the public VM.
  route_rules {
    destination       = "0.0.0.0/0"
    network_entity_id = oci_core_internet_gateway.igw01.id
  }
  # 172.16.1.0/24 (Alibaba sw01) via the DRG, i.e. the IPsec/BGP tunnel.
  route_rules {
    destination       = "172.16.1.0/24"
    network_entity_id = "ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
  }
}
terraform apply -auto-approve
-- 11.2 OCI側(10.0.1.0/24)への経路(ターゲットはVPN Gateway)をサブネットのルートテーブルに追加【Alibaba】
自動で追加されるため、不要
-- 12. pingで疎通確認【OCI】
ping 172.16.1.186
-- 13. pingで疎通確認【Alibaba】
ping 10.0.1.181
-- 14. クリーンアップ【OCI】
-- サイト間VPN削除
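# Tear down the site-to-site VPN first: the CPE and DRG cannot be deleted
# while a connection still references them. --wait-for-state blocks until
# the connection is actually gone so the next step does not race it; --force
# skips the confirmation prompt.
cmp_id=ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network ip-sec-connection list --compartment-id "$cmp_id"
oci network ip-sec-connection delete \
  --ipsc-id ocid1.ipsecconnection.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
  --force \
  --wait-for-state TERMINATED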
-- 顧客構内機器削除
# Remove the customer-premises object once no IPsec connection uses it;
# --force skips the confirmation prompt.
cmp_id=ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network cpe list --compartment-id "$cmp_id"
oci network cpe delete \
  --cpe-id "ocid1.cpe.oc1.iad.111111111111111111111111111111111111111111111111111111111111" \
  --force
-- 動的ルーティング・ゲートウェイ削除(VCNからデタッチしてから)
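# Detach the DRG from the VCN before deleting it. --wait-for-state blocks
# until the detach has completed so the drg delete below does not fail on a
# still-attached gateway; --force skips the confirmation prompts.
cmp_id=ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111
oci network drg-attachment list --compartment-id "$cmp_id"
oci network drg-attachment delete \
  --drg-attachment-id ocid1.drgattachment.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
  --force \
  --wait-for-state DETACHED
oci network drg list --compartment-id "$cmp_id"
oci network drg delete \
  --drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
  --force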
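# Destroy the OCI Terraform stack. The subshell keeps the caller's cwd, and
# && means destroy never runs in the wrong directory if the cd fails
# (`cd oci; terraform destroy` would run against whatever cwd happened to
# be).
(cd oci && terraform destroy -auto-approve)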
-- 15. クリーンアップ【Alibaba】
-- Policy-based Routing削除
# Remove the policy-based route first; the Alibaba teardown follows the
# dependency chain route -> connection -> customer gateway -> gateway.
# The parameters must match the entry created in step 9.
vgw_id=vpn-111111111111111111111
aliyun vpc DescribeVpnPbrRouteEntries --VpnGatewayId "$vgw_id"
pbr_args=(
  --VpnGatewayId "$vgw_id"
  --RouteSource "172.16.1.0/24"
  --RouteDest "10.0.1.0/24"
  --NextHop vco-111111111111111111
  --Weight 100
  --Priority 10
)
aliyun vpc DeleteVpnPbrRouteEntry "${pbr_args[@]}"
-- IPsec Connection削除
# Delete the IPsec connection (placeholder id; confirm it in the listing).
vco_id=vco-111111111111111111
aliyun vpc DescribeVpnConnections
aliyun vpc DeleteVpnConnection --VpnConnectionId "$vco_id"
-- Customer Gateways削除
# Delete the customer gateway once no connection references it.
cgw_id=cgw-111111111111111111111
aliyun vpc DescribeCustomerGateways
aliyun vpc DeleteCustomerGateway --CustomerGatewayId "$cgw_id"
-- VPN Gateway削除
# Finally delete the VPN gateway itself (placeholder id).
vgw_id=vpn-111111111111111111111
aliyun vpc DescribeVpnGateways
aliyun vpc DeleteVpnGateway --VpnGatewayId "$vgw_id"
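# Destroy the Alibaba Terraform stack. The subshell keeps the caller's cwd,
# and && means destroy never runs in the wrong directory if the cd fails.
(cd alibaba && terraform destroy -auto-approve)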