I'm currently playing around a bit with BGP and have a few questions,
since the connection never even gets as far as OpenSent.
The background: I would like to take part in DN42 with 2 routers.
For now I first wanted to get the two Lancoms talking to each other,
and apparently it already fails at the first step because the routers don't open port 179.
Basic data:
AS number: 4242421341
Network Lancom Weis: 172.22.111.128/28
Network Lancom RT01: 172.20.45.0/27
Later I want to peer with AS76124 (172.23.45.0/24)
in order to distribute my routes in DN42.
I have registered the networks as DMZ in the router (RoutingId: 201)
(Weis: 172.22.111.129/27 | RT01: 172.20.45.1/28)
and connected them via IKEv2.
(Over that I also tunnel my private networks 10.20.0.0/16 <-> 10.30.0.0/16)
Code:
root@RT01:/
> show vpn
VPN SPD and IKE configuration:
Rule #1 ikev2 10.30.0.0/255.255.0.0:0 <-> 10.20.0.0/255.255.0.0:0 any
Name: WEISHOME
Unique Id: ipsec-0-WEISHOME-pr0-l0-r0
Flags: IKE_SA_INIT
Local Network: IPV4_ADDR_SUBNET(any:0, 10.30.0.0/255.255.0.0)
Local Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Network: IPV4_ADDR_SUBNET(any:0, 10.20.0.0/255.255.0.0)
Rule #2 ikev2 172.20.0.0/255.252.0.0:0 <-> 172.20.0.0/255.252.0.0:0 any
Name: WEISHOME
Unique Id: ipsec-1-WEISHOME-pr0-l0-r0
Flags: IKE_SA_INIT
Local Network: IPV4_ADDR_SUBNET(any:0, 172.20.0.0/255.252.0.0)
Local Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Network: IPV4_ADDR_SUBNET(any:0, 172.20.0.0/255.252.0.0)
Code:
root@Weis:/
> show vpn
VPN SPD and IKE configuration:
Rule #7 ikev2 10.20.0.0/255.255.0.0:0 <-> 10.30.0.0/255.255.0.0:0 any
Name: WEISRT01
Unique Id: ipsec-0-WEISRT01-pr0-l0-r0
Flags: IKE_SA_INIT
Local Network: IPV4_ADDR_SUBNET(any:0, 10.20.0.0/255.255.0.0)
Local Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Network: IPV4_ADDR_SUBNET(any:0, 10.30.0.0/255.255.0.0)
Rule #12 ikev2 172.20.0.0/255.252.0.0:0 <-> 172.20.0.0/255.252.0.0:0 any
Name: WEISRT01
Unique Id: ipsec-1-WEISRT01-pr0-l0-r0
Flags: IKE_SA_INIT
Local Network: IPV4_ADDR_SUBNET(any:0, 172.20.0.0/255.252.0.0)
Local Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Gateway: IPV4_ADDR(any:0, x.x.x.x)
Remote Network: IPV4_ADDR_SUBNET(any:0, 172.20.0.0/255.252.0.0)
Code:
root@RT01:/
> ls /Setup/Routing-Protocols/BGP/BGP-Instance/
Name Operating AS-Number Router-ID Syslog Port Check-First-AS AS-Path-Limit Cluster-ID Route-Reflector TX-Loop-Detection Comment
==================
DEFAULT Yes 4242421341 172.20.45.1 Yes 179 Yes 0 0.0.0.0 No Yes Default Instance
> ls /Setup/Routing-Protocols/BGP/Neighbors/
IP-Address Port Loopback-Address Rtg-tag Remote-AS Name Operating Password Neighbor-Profile Connection-Mode Connection-Delay Instance-Name Inbound-Policy Outbound-Policy Route-Reflector-Client Comment
==================
172.22.111.129 179 DN42 201 4242421341 DN42WEISHOME Yes DEFAULT Active 120 DEFAULT No
> show bgp-connection
connection registry
pending connections
listening connections
Port: 179
16: src 172.22.111.129 dst 172.20.45.1 rtg-tag 201 local port 179
range connections
Code:
root@Weis:/
> ls /Setup/Routing-Protocols/BGP/BGP-Instance/
Name Operating AS-Number Router-ID Syslog Port Check-First-AS AS-Path-Limit Cluster-ID Route-Reflector TX-Loop-Detection Comment
==================
DEFAULT Yes 4242421341 172.22.111.129 Yes 179 Yes 0 0.0.0.0 No Yes Default Instance
> ls /Setup/Routing-Protocols/BGP/Neighbors/
IP-Address Port Loopback-Address Rtg-tag Remote-AS Name Operating Password Neighbor-Profile Connection-Mode Connection-Delay Instance-Name Inbound-Policy Outbound-Policy Route-Reflector-Client Comment
==================
172.20.45.1 179 DN42 201 4242421341 DN42WEISRT01 Yes DN42WEISHOME Active 120 DEFAULT No
> show bgp-connection
connection registry
pending connections
listening connections
Port: 179
8: src 172.20.45.1 dst 172.22.111.129 rtg-tag 201 local port 179
range connections
The routers can reach each other from both sides with ping -a DN42 172.20.45.1 and 172.22.111.129 respectively.
A TCP trace shows that the other router in each case is not listening on port 179.
Code:
root@RT01:/
> trace # tcp @ ":179"
TCP ON @ ":179"
root@RT01:/
>
[TCP] 2017/10/01 21:08:41,583 [TCP] : - info : remote: 172.22.111.129:179 / local: 172.20.45.1:0, tag: 201
[TCP] 2017/10/01 21:08:41,583 [TCP] : - info : @:ffff80000defccc0, (c) remote: 172.22.111.129:179 / local: 172.20.45.1:10066, tag: 201 (dynamic)
[TCP] 2017/10/01 21:08:41,583 [TCP] : LoCt 485 to 172.22.111.129:179 Port:10066 syn-sent [SYN ] Seq 0 Ack 0 Win 2920 Len 0 MSS 1360 WinScale 4 rto 3000
[TCP] 2017/10/01 21:08:41,603 [TCP] : LoCt 485 from 172.22.111.129:179 Port:10066 syn-sent [RST ACK ] Seq 0 Ack 1 Win 0 Len 0 rto 3000
[TCP] 2017/10/01 21:08:46,604 [TCP] : - info : remote: 172.22.111.129:179 / local: 172.20.45.1:0, tag: 201
[TCP] 2017/10/01 21:08:46,604 [TCP] : - info : @:ffff80000defccc0, (c) remote: 172.22.111.129:179 / local: 172.20.45.1:9129, tag: 201 (dynamic)
[TCP] 2017/10/01 21:08:46,604 [TCP] : LoCt 486 to 172.22.111.129:179 Port:9129 syn-sent [SYN ] Seq 0 Ack 0 Win 2920 Len 0 MSS 1360 WinScale 4 rto 3000
[TCP] 2017/10/01 21:08:46,626 [TCP] : LoCt 486 from 172.22.111.129:179 Port:9129 syn-sent [RST ACK ] Seq 0 Ack 1 Win 0 Len 0 rto 3000
Regards, Björn
In case the configured routing tables are of interest:
Code:
root@RT01:/
> ls /Setup/IP-Router/IP-Routing-Table/
IP-Address IP-Netmask Rtg-tag Peer-or-IP Distance Masquerade Active Comment
===========================================-----------------------------------------------------------------------------------------------------------------
172.22.111.128 255.255.255.240 201 WEISHOME 0 No Yes
10.20.0.0 255.255.0.0 1 WEISHOME 0 No Yes
192.168.0.0 255.255.0.0 0 0.0.0.0 0 No Yes block private networks: 192.168.x.y
172.16.0.0 255.240.0.0 0 0.0.0.0 0 No Yes block private networks: 172.16-31.x.y
10.0.0.0 255.0.0.0 0 0.0.0.0 0 No Yes block private network: 10.x.y.z
224.0.0.0 224.0.0.0 0 0.0.0.0 0 No Yes block multicasts: 224-255.x.y.z
255.255.255.255 0.0.0.0 0 UNITYMEDIABIZ 0 on Yes
root@Weis:/
> ls /Setup/IP-Router/IP-Routing-Table/
IP-Address IP-Netmask Rtg-tag Peer-or-IP Distance Masquerade Active Comment
===========================================-----------------------------------------------------------------------------------------------------------------
[...]
172.20.45.0 255.255.255.224 201 WEISRT01 0 No Yes
[...]
10.30.0.0 255.255.0.0 1 WEISRT01 0 No Yes
192.168.0.0 255.255.0.0 0 0.0.0.0 0 No Yes block private networks: 192.168.x.y
172.16.0.0 255.240.0.0 0 0.0.0.0 0 No Yes block private networks: 172.16-31.x.y
10.0.0.0 255.0.0.0 0 0.0.0.0 0 No Yes block private network: 10.x.y.z
224.0.0.0 224.0.0.0 0 0.0.0.0 0 No Yes block multicasts: 224-255.x.y.z
255.255.255.255 0.0.0.0 0 UNITYMEDIABIZ 0 on Yes
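Added example, not part of the post and not LANCOM code: a small Python parser for the `trace # tcp @ ":179"` output quoted above. It pairs each outbound SYN with the peer's reply by the LoCt connection id and states per attempt whether the port was accepted (SYN/ACK), refused (RST/ACK, i.e. nothing listening on that address, port or routing tag, or a firewall answering with a reset) or left unanswered. The sample lines are copied from the trace in the post; the field names, the regex and the verdict wording are my own assumptions about the format.

```python
import re
from collections import OrderedDict

# Constructed sample: the two connect attempts from the post's trace output (info lines included).
SAMPLE_TRACE = """\
[TCP] 2017/10/01 21:08:41,583 [TCP] : - info : remote: 172.22.111.129:179 / local: 172.20.45.1:0, tag: 201
[TCP] 2017/10/01 21:08:41,583 [TCP] : LoCt 485 to 172.22.111.129:179 Port:10066 syn-sent [SYN ] Seq 0 Ack 0 Win 2920 Len 0 MSS 1360 WinScale 4 rto 3000
[TCP] 2017/10/01 21:08:41,603 [TCP] : LoCt 485 from 172.22.111.129:179 Port:10066 syn-sent [RST ACK ] Seq 0 Ack 1 Win 0 Len 0 rto 3000
[TCP] 2017/10/01 21:08:46,604 [TCP] : LoCt 486 to 172.22.111.129:179 Port:9129 syn-sent [SYN ] Seq 0 Ack 0 Win 2920 Len 0 MSS 1360 WinScale 4 rto 3000
[TCP] 2017/10/01 21:08:46,626 [TCP] : LoCt 486 from 172.22.111.129:179 Port:9129 syn-sent [RST ACK ] Seq 0 Ack 1 Win 0 Len 0 rto 3000
"""

# Assumed layout of a segment line: timestamp, LoCt id, direction, peer ip:port, local port, state, [flags].
SEGMENT_RE = re.compile(
    r"^\[TCP\] (?P<ts>\S+ \S+) \[TCP\] : LoCt (?P<conn>\d+) (?P<dir>to|from) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) Port:(?P<lport>\d+) "
    r"(?P<state>\S+) \[(?P<flags>[A-Z ]*)\]"
)


def parse_segments(text):
    """Yield one dict per TCP segment line; the '- info :' bookkeeping lines are skipped."""
    for line in text.splitlines():
        m = SEGMENT_RE.match(line)
        if m:
            seg = m.groupdict()
            seg["flags"] = set(seg["flags"].split())  # "RST ACK " -> {"RST", "ACK"}
            yield seg


def classify_handshakes(text):
    """Group segments by LoCt id and classify each outbound connect attempt.

    Returns a list of (conn_id, "peer_ip:port", verdict) in trace order.
    """
    attempts = OrderedDict()
    for seg in parse_segments(text):
        a = attempts.setdefault(
            seg["conn"], {"peer": f"{seg['ip']}:{seg['port']}", "sent_syn": False, "reply": None}
        )
        if seg["dir"] == "to" and "SYN" in seg["flags"]:
            a["sent_syn"] = True                 # our side opened the handshake
        elif seg["dir"] == "from" and a["reply"] is None:
            a["reply"] = seg["flags"]            # first answer from the peer decides the verdict

    results = []
    for conn, a in attempts.items():
        if not a["sent_syn"]:
            verdict = "not an outbound connect"
        elif a["reply"] is None:
            verdict = "no reply (timeout: filtered or unreachable)"
        elif {"RST", "ACK"} <= a["reply"]:
            verdict = "refused (RST/ACK: no listener on that address, port or tag, or reset by a firewall)"
        elif {"SYN", "ACK"} <= a["reply"]:
            verdict = "accepted (SYN/ACK)"
        else:
            verdict = "unexpected reply " + " ".join(sorted(a["reply"]))
        results.append((conn, a["peer"], verdict))
    return results


def refused_peers(text):
    """Set of peer endpoints that answered every attempt with RST/ACK."""
    return {peer for _, peer, verdict in classify_handshakes(text) if verdict.startswith("refused")}


if __name__ == "__main__":
    for conn, peer, verdict in classify_handshakes(SAMPLE_TRACE):
        print(f"LoCt {conn} -> {peer}: {verdict}")
```

Run on the post's trace this reports both attempts (LoCt 485 and 486) towards 172.22.111.129:179 as refused: the remote answered the SYN with RST/ACK within about 20 ms, so the packet did arrive through the tunnel and something on the far side actively declined it rather than silently dropping it. That is the distinction worth checking in a trace like this, because a timeout would point at routing or the VPN, while a reset points at the listener (its bound address and routing tag) or a firewall rule on the receiving router.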