This project is aimed to help you understand routing, IPSec, packet filtering and networking in general.
- Virtualbox https://www.virtualbox.org/wiki/Downloads
- Vagrant https://www.vagrantup.com/downloads.html
- git https://git-scm.com/downloads
- ruby 2.x https://www.ruby-lang.org/en/downloads/
- bundler http://bundler.io/
+----------------+
| |
| client_jp |
| |
+-------+--------+
| 192.168.101.10/24
|
| 192.168.101.254/24
+-------+--------+
| |
| gw_jp |
| |
+-------+--------+
| 172.16.1.10/24
|
| 172.16.1.254/24
+-------+--------+
| |
| router | (do not configure this VM)
| |
+-------+--------+
| 172.16.2.254/24
|
| 172.16.2.10/24
+-------+--------+
| |
| gw_uk |
| |
+-------+--------+
| 192.168.102.254/24
|
| 192.168.102.10/24
+-------+--------+
| |
| client_uk |
| |
+----------------+
> git clone git@github.com:reallyenglish/ansible-project-networking-example.git
> cd ansible-project-networking-example
> bundle install --path vendor/bundle
> vagrant up
...
> vagrant status
Current machine states:
client_jp running (virtualbox)
gw_jp running (virtualbox)
router running (virtualbox)
gw_uk running (virtualbox)
client_uk running (virtualbox)
This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.
> bundle exec rake spec
> vagrant ssh $HOSTNAME
If you want to start from scratch, run:
> vagrant destroy
then,
> vagrant up
For OpenBSD, see:
- The FAQ http://www.openbsd.org/faq/index.html
- FAQ 6 - Networking http://www.openbsd.org/faq/faq6.html
For TCP/IP, see:
- The TCP/IP Guide http://www.tcpipguide.com/
Create your own branch.
> git branch mybranch
> git checkout mybranch
Complete the following tasks.
Make sure:
- client_jp can reach to gw_jp
- client_jp can NOT reach to gw_uk
- gw_jp can reach to gw_uk
- gw_jp can NOT reach to client_uk
Configure gw_jp to NAT packets from 192.168.101.0/24 to 172.16.0.0/16. Make sure client_jp can reach to gw_uk. Configure the same settings on gw_uk. The both clients should be able to reach the gateways.
Create test cases that cover all the tasks. See how to write tests at:
Make sure tests pass.
> bundle exec rake spec
Finished in 8.02 seconds (files took 6.69 seconds to load)
6 examples, 0 failures
Create IPSec VPN (IKE v1) tunnel.
| parameter name | value |
|---|---|
| encapsulation | main mode, ESP tunnel |
| phase 1 crypt | HMAC SHA1, AES 128 bit |
| phase 2 crypt | HMAC SHA1, AES 128 bit |
| preshared key | mypassword |
| src and dest address | 172.16.1.10 and 172.16.2.10 |
Make sure you can ping from gw1.jp to gw2.jp.
Make sure ICMP packets are encrypted by running tcpdump(8).
Create and enable enc(4) virtual interface.
Make sure you can see unencrypted ICMP packets by tcpdump -ni enc0.
Create gre(4) tunnel.
| parameter name | value |
|---|---|
| outer tunnel addresses | 172.16.1.10 (gw1.jp) and 172.16.2.10 (gw1.uk) |
| inner addresses | 192.168.255.1/30 (gw1.jp) and 192.168.255.2/30 (gw1.uk) |
| operation mode | IPPROTO_GRE |
Make sure you can ping 192.168.255.2 (gw1.uk's inner address) on gw1.jp.
Make sure GRE packets are encrypted by tcpdump.
Enable and start ospfd(8) on gw1.jp. Area 0 should be the subnet of gre(4).
Make sure ospfd(8) advertises on gre(4).
Configure gw1.uk exactly same except network addresses.
Make sure OSPF adjacency is FULL by ospfctl(8). See http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13685-13.html
Make sure ospfd(8) on gw1.jp imports 192.168.102.10/24 (the subnet of UK) by ospfctl show rib detail.
Add the internal interfaces to the zone zero. ospfd(8) should not advertise on the internal networks.
Make sure no OSPF packets can be seen on the internal network interfaces by tcpdump(8).
Make sure both client_jp and client_uk can ping(8) each other. Make sure the packets are encrypted.