Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
- eth0: 1.1.1.1/32, the public IP
- ipip-ipsec0: 192.168.0.1/30, will be our tunnel
MikroTik: CCR 1009, RouterOS 6.46.5
- eth0: 10.0.0.2/30, an inside IP from the provider. The provider's external NAT IP is dynamic.
- ipip-ipsec0: 192.168.0.2/30, will be our tunnel
We will build the IPsec tunnel on the Linux machine with racoon. I will not describe it in much detail; there are good write-ups on that.
Install the required packages:
sudo apt install racoon ipsec-tools
Configure racoon; it will act as the IPsec server. Since MikroTik in main mode cannot pass an additional client identifier (in IKEv1 main mode the identity is sent encrypted, so the responder can only look the pre-shared key up by source address), and the external IP address it connects to Linux from is dynamic, a pre-shared key (password authentication) will not work: the pre-shared key has to be matched either to the IP address of the connecting host or to an identifier.
We will authenticate with RSA keys instead.
The racoon daemon uses keys in its own "plain RSA" format, while MikroTik uses PEM. If you generate the keys with the plainrsa-gen utility that ships with racoon, you will not be able to convert the public key into PEM for the MikroTik with it: it converts in one direction only, PEM to plain RSA. Neither openssl nor ssh-keygen can read keys generated by plainrsa-gen, so conversion that way is not possible either.
So we generate a PEM key with openssl and convert it to racoon's format with plainrsa-gen:
# Generate the key (the original used 1024 bits; RSA-1024 is below current recommendations, use 2048 or more)
openssl genrsa -out server-name.pem 2048
# Extract the public key
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# Convert to racoon's plain RSA format
plainrsa-gen -i server-name.pem -f server-name.priv.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key
Put the resulting keys into the folder /etc/racoon/certs/server. Do not forget to make them owned by the user the racoon daemon runs as (usually root) and to set the permissions to 600; a world-readable private key lets any local user impersonate the server.
I will describe the MikroTik setup as done through WinBox.
Upload the server-name.pub.pem key to the MikroTik: menu "Files" - "Upload".
Open the "IP" - "IPsec" section, "Keys" tab. Now generate the keys: "Generate Key" button, then export the MikroTik's public key with "Export Pub. Key"; it can be downloaded from the "Files" section by right-clicking the file - "Download".
Import racoon's public key: "Import", and in the "File name" drop-down list pick the server-name.pub.pem we uploaded earlier.
The MikroTik public key has to be converted
plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key
and placed in the /etc/racoon/certs folder, again not forgetting the owner and permissions.
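The key handling above as one script, added here as an example and not part of the original article: it generates the PEM pair with openssl, converts both halves with plainrsa-gen exactly as shown, installs the files with the owner and mode racoon expects, and prints a SHA-256 fingerprint of the public key so you can confirm that the file you uploaded to the router (download it back from "Files") is the one you generated. File names and CERT_DIR are the article's; KEY_BITS defaulting to 2048 is my assumption.

```shell
#!/bin/bash
# Added example: generate, convert and install the racoon RSA keys.
# Assumes the file names from the article and racoon's default cert dir.
set -eu

CERT_DIR="${CERT_DIR:-/etc/racoon/certs}"
KEY_BITS="${KEY_BITS:-2048}"   # assumption: 2048; the article used 1024, which is no longer adequate

# gen_pem NAME: write NAME.pem (private) and NAME.pub.pem (public) in PEM format
gen_pem() {
  local name="$1"
  umask 077                          # the private key is never world-readable, not even briefly
  openssl genrsa -out "$name.pem" "$KEY_BITS"
  openssl rsa -in "$name.pem" -pubout -out "$name.pub.pem"
}

# to_racoon NAME: convert both halves into racoon's plain RSA format
to_racoon() {
  local name="$1"
  plainrsa-gen -i "$name.pem" -f "$name.priv.key"
  plainrsa-gen -i "$name.pub.pem" -f "$name.pub.key"
}

# install_key SRC DST: copy SRC to DST with mode 600, owned by root when run as root
# (a readable private key lets any local user impersonate the server)
install_key() {
  local src="$1" dst="$2"
  mkdir -p "$(dirname "$dst")"
  if [ "$(id -u)" -eq 0 ]; then
    install -m 600 -o root -g root "$src" "$dst"
  else
    install -m 600 "$src" "$dst"
  fi
}

# key_mode FILE: the permission string as ls shows it, e.g. -rw-------
key_mode() { ls -l "$1" | cut -c1-10; }

# pub_fingerprint PEM: SHA-256 over the DER-encoded public key
pub_fingerprint() {
  openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

main() {
  gen_pem server-name
  to_racoon server-name
  install_key server-name.priv.key "$CERT_DIR/server/server-name.priv.key"
  install_key server-name.pub.key  "$CERT_DIR/server/server-name.pub.key"
  # the MikroTik's exported key, once converted with plainrsa-gen as in the article
  if [ -f mikrotik.pub.key ]; then
    install_key mikrotik.pub.key "$CERT_DIR/mikrotik.pub.key"
  fi
  echo "server-name.pub.pem sha256: $(pub_fingerprint server-name.pub.pem)"
  echo "installed with mode: $(key_mode "$CERT_DIR/server/server-name.priv.key")"
}

# run only when explicitly asked, so the functions can be sourced and checked on their own
case "${1:-}" in run) main ;; esac
```

Run it as ./racoon-keys.sh run in a scratch directory; the fingerprint line is what you compare against the copy on the router.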
racoon config with comments: /etc/racoon/racoon.conf
log info; # Log level; when debugging use debug or debug2.
listen {
    isakmp 1.1.1.1 [500]; # Address and port the daemon listens on.
    isakmp_natt 1.1.1.1 [4500]; # Address and port the daemon listens on for clients behind NAT (NAT-T).
    strict_address; # Fail if the daemon cannot bind to the addresses listed above.
}
path certificate "/etc/racoon/certs"; # Folder with the keys.
remote anonymous { # Parameters for ISAKMP (phase 1) and the modes negotiated with connecting hosts. Because the IP the MikroTik connects from is dynamic we use anonymous, which allows a connection from any address; with static hosts a specific address and port can be given instead.
    passive on; # "Server" mode: the daemon will not try to initiate connections itself.
    nat_traversal on; # Enable NAT-T for clients that are behind NAT.
    exchange_mode main; # Exchange mode for negotiating the connection, here main mode.
    my_identifier address 1.1.1.1; # Identify our Linux host by its IP address.
    certificate_type plain_rsa "server/server-name.priv.key"; # The server's private key.
    peers_certfile plain_rsa "mikrotik.pub.key"; # The MikroTik's public key. "anonymous" only widens the source address; a peer still has to prove possession of the matching private key.
    proposal_check claim; # How the ISAKMP proposal is reconciled. If racoon's own lifetime is longer than the initiator's, it accepts the initiator's value; if it is shorter, racoon keeps its own value and sends a RESPONDER-LIFETIME notification to the initiator.
    proposal { # ISAKMP (phase 1) parameters.
        encryption_algorithm aes; # Encryption algorithm for the ISAKMP SA; no key length is given, so racoon's default applies, and the MikroTik profile is set to aes-128 to match.
        hash_algorithm sha512; # Hash algorithm used for the ISAKMP SA.
        authentication_method rsasig; # Authentication for the ISAKMP SA: RSA signatures.
        dh_group modp2048; # Diffie-Hellman group for the ISAKMP negotiation.
        lifetime time 86400 sec; # Lifetime of the ISAKMP SA (1 day, the same as the MikroTik profile).
    }
    generate_policy on; # Build the ESP (phase 2) policies automatically from the request sent by the connecting host. The peer decides the selectors, which is acceptable here because only a holder of the MikroTik private key gets this far.
}
sainfo anonymous { # ESP (phase 2) parameters; anonymous means these are the defaults. Different clients, ports and protocols can be given different parameters; matching is done on IP addresses, ports and protocols.
    pfs_group modp2048; # Diffie-Hellman group for the ESP SAs (PFS).
    lifetime time 28800 sec; # Lifetime of the ESP SAs (8 hours, the same as the MikroTik proposal).
    encryption_algorithm aes; # Encryption algorithm for the ESP SAs.
    authentication_algorithm hmac_sha512; # Integrity algorithm for the ESP SAs.
    compression_algorithm deflate; # Compress the payload; only one compression algorithm is offered.
}
MikroTik config
Back in the "IP" - "IPsec" section.
"Profiles" tab (parameter: value):
Name: anything (default)
Hash Algorithm: sha512
Encryption Algorithm: aes-128
DH Group: modp2048
Proposal_check: claim
Lifetime: 1d 00:00:00
NAT Traversal: true (tick the box)
DPD Interval: 120
DPD Maximum Failures: 5
"Peers" tab:
Name: anything (here MyPeer)
Address: 1.1.1.1 (IP of the Linux machine)
Local Address: 10.0.0.2 (IP of the MikroTik WAN interface)
Profile: default
Exchange Mode: main
Passive: false
Send INITIAL_CONTACT: true
"Proposals" tab:
Name: anything (here MyPeerProposal)
Auth. Algorithms: sha512
Encr. Algorithms: aes-128-cbc
Lifetime: 08:00:00
PFS Group: modp2048
"Identities" tab:
Peer: MyPeer
Auth. Method: rsa key
Key: mikrotik.priv.key (the key generated on the MikroTik)
Remote Key: server-name.pub.pem (the imported racoon public key)
Policy Template Group: default
Notrack Chain: empty
My ID Type: auto
Remote ID Type: auto
Match By: remote id
Mode Configuration: none
Generate Policy: no
"Policies - General" tab:
Peer: MyPeer
Tunnel: true
Src. Address: 192.168.0.0/30
Dst. Address: 192.168.0.0/30
Protocol: 255 (all)
Template: false
"Policies - Action" tab:
Action: encrypt
Level: require
IPsec Protocols: esp
Proposal: MyPeerProposal
These values have to line up with racoon.conf: the profile mirrors racoon's phase 1 proposal (sha512, AES-128, modp2048, 1 day) and the proposal mirrors racoon's sainfo (hmac_sha512, AES, modp2048 PFS, 8 hours); a mismatch here is the usual reason phase 1 or phase 2 fails.
Most likely, like me, you have srcnat/masquerade configured on your WAN interface; that rule has to be changed so that the outgoing IPsec traffic goes into our tunnel instead of being NATed:
Go to the "IP" - "Firewall" section.
"NAT" tab, open our srcnat/masquerade rule.
"Advanced" tab:
IPsec Policy: out: none
With this match the rule only applies to packets that are not going to be encrypted, so the IPIP packets keep their 192.168.0.2 source address and are caught by the IPsec policy.
Restart the racoon daemon
sudo systemctl restart racoon
If racoon does not start after the restart, there is an error in the config; in syslog racoon reports the line number at which the error was found.
When the OS boots, the racoon daemon starts before the network is up, and we specified the strict_address option in the listen section, so racoon must be made to wait for the network in its systemd unit. The straightforward way is the line After=network.target in the [Unit] section of /lib/systemd/system/racoon.service. Note that a package upgrade overwrites that file, so a drop-in created with sudo systemctl edit racoon is preferable, and since network.target does not guarantee that 1.1.1.1 is already configured, After=network-online.target together with Wants=network-online.target is the reliable choice.
Now our IPsec tunnels should be up; check the output of:
sudo ip xfrm policy
src 192.168.0.0/30 dst 192.168.0.0/30
dir out priority 2147483648
tmpl src 1.1.1.1 dst <NAT IP the MikroTik connects from>
proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
dir fwd priority 2147483648
tmpl src <NAT IP the MikroTik connects from> dst 1.1.1.1
proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
dir in priority 2147483648
tmpl src <NAT IP the MikroTik connects from> dst 1.1.1.1
proto esp reqid 0 mode tunnel
If the tunnels do not come up, look in syslog or in journalctl -u racoon. With generate_policy on these policies only appear once phase 2 has completed, and sudo ip xfrm state should then also show one ESP SA in each direction.
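A check script for the state shown above, added here as an example and not part of the original article. xfrm_policy_ok reads ip xfrm policy output and passes only if the out, fwd and in policies for the tunnel /30 are all present and each carries an ESP tunnel-mode template; xfrm_sa_count counts the ESP SAs in ip xfrm state (two when the tunnel is up); live mode runs the real commands and pings the far tunnel address. The embedded sample output is constructed, with 203.0.113.7 standing in for the MikroTik's NAT address.

```shell
#!/bin/bash
# Added example: verify that the IPsec tunnel to the MikroTik is fully up.
# Assumes the tunnel /30 and addresses from the article.
TUN_NET="${TUN_NET:-192.168.0.0/30}"
PEER_TUN_IP="${PEER_TUN_IP:-192.168.0.2}"

# xfrm_policy_ok NET: read `ip xfrm policy` output on stdin; succeed only if
# out, fwd and in policies for NET<->NET exist and each has an ESP tunnel template
xfrm_policy_ok() {
  local net="$1" dir text found=0
  text=$(cat)
  for dir in out fwd in; do
    if printf '%s\n' "$text" | awk -v net="$net" -v d="$dir" '
        $1=="src" && $2==net && $3=="dst" && $4==net     { hit=1; next }
        hit==1 && $1=="dir"                              { hit=($2==d)?2:0; next }
        hit==2 && $1=="tmpl"                             { next }
        hit==2 && $1=="proto" && $2=="esp" && $6=="tunnel" { ok=1 }
        { hit=0 }
        END { exit ok ? 0 : 1 }'
    then
      found=$((found + 1))
    fi
  done
  [ "$found" -eq 3 ]
}

# xfrm_sa_count: read `ip xfrm state` output on stdin; print the number of ESP SAs
xfrm_sa_count() { grep -c '^[[:space:]]*proto esp' || true; }

# live_check: run against the real kernel state and ping across the tunnel
live_check() {
  local n
  ip xfrm policy | xfrm_policy_ok "$TUN_NET" || { echo "policies incomplete"; return 1; }
  n=$(ip xfrm state | xfrm_sa_count)
  [ "$n" -ge 2 ] || { echo "expected 2 ESP SAs, found $n"; return 1; }
  ping -c 3 -W 2 "$PEER_TUN_IP" >/dev/null || { echo "no reply from $PEER_TUN_IP over the tunnel"; return 1; }
  echo "tunnel up: 3 policies, $n SAs, peer reachable"
}

# constructed sample output for offline checks (203.0.113.7 stands in for the MikroTik NAT address)
SAMPLE_POLICY='src 192.168.0.0/30 dst 192.168.0.0/30
    dir out priority 2147483648
    tmpl src 1.1.1.1 dst 203.0.113.7
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
    dir fwd priority 2147483648
    tmpl src 203.0.113.7 dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
    dir in priority 2147483648
    tmpl src 203.0.113.7 dst 1.1.1.1
        proto esp reqid 0 mode tunnel'
SAMPLE_STATE='src 203.0.113.7 dst 1.1.1.1
    proto esp spi 0x0a1b2c3d reqid 0 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 1.1.1.1 dst 203.0.113.7
    proto esp spi 0xc0ffee01 reqid 0 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0'

case "${1:-}" in live) live_check ;; esac
```

Run sudo ./check-tunnel.sh live after the restart; a missing "dir in" or "dir fwd" policy with the SAs present usually means the MikroTik policy selectors do not match the /30 on the Linux side.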
Now we need an L3 interface so that traffic can be routed. There are several options; we will use IPIP, since MikroTik supports it. I would have used vti, but unfortunately it is not implemented in MikroTik yet. It differs from IPIP in that it can also encapsulate multicast and set an fwmark on packets, which can then be filtered in iptables and iproute2 (policy-based routing). If you need maximum functionality, take GRE, for example. But do not forget that extra functionality is paid for with a larger header.
A translation of a good overview of tunnel interfaces can be found here.
On Linux:
# Create the interface
sudo ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
# Bring it up
sudo ip link set ipip-ipsec0 up
# Assign the address
sudo ip addr add 192.168.0.1/30 dev ipip-ipsec0
Now you can add routes to the networks behind the MikroTik
sudo ip route add A.B.C.D/Prefix via 192.168.0.2
For the interface and routes to come back after a reboot, either describe the interface in /etc/network/interfaces and add the routes there in post-up, or put everything into one file, e.g. /etc/ipip-ipsec0.conf, and call it from post-up; do not forget the file's owner and permissions, and make it executable.
Below is an example of such a file
#!/bin/bash
set -e
# Bring up the IPIP interface inside the IPsec tunnel; safe to run repeatedly
ip link show ipip-ipsec0 >/dev/null 2>&1 || ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
ip link set ipip-ipsec0 up
ip addr replace 192.168.0.1/30 dev ipip-ipsec0
# networks behind the MikroTik (substitute the real prefix)
ip route replace A.B.C.D/Prefix via 192.168.0.2
On the MikroTik:
"Interfaces" section, add a new "IP tunnel" interface:
"IP tunnel" - "General" tab (parameter: value):
Name: anything (here IPIP-IPsec0)
MTU: 1480 (if left unset, MikroTik starts lowering the MTU down to 68)
Local Address: 192.168.0.2
Remote Address: 192.168.0.1
IPsec Secret: leave the field empty (otherwise a new Peer is created)
Keepalive: leave the field empty (otherwise the interface keeps going down, since MikroTik has its own format for these packets that does not work with Linux)
DSCP: inherit
Don't Fragment: no
Clamp TCP MSS: true
Allow Fast Path: true
"IP" - "Addresses" section, add the address:
Address: 192.168.0.2/30
Interface: IPIP-IPsec0
Now you can add routes to the networks behind the Linux machine; when adding a route, the gateway is our IPIP-IPsec0 interface.
PS
Since our Linux server is a router too, it makes sense to set up TCP MSS clamping on the ipip interfaces there as well:
create the file /etc/iptables.conf with the following content:
*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
and in /etc/network/interfaces
post-up iptables-restore </etc/iptables.conf
I have nginx running in the network behind the MikroTik (IP 10.10.10.1); to make it reachable from the Internet, add to /etc/iptables.conf:
*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# On the MikroTik, in the mangle table, add a "route" rule with destination 192.168.0.1 for packets with source address 10.10.10.1 and source ports 80, 443, so the replies go back through the tunnel rather than the MikroTik's default route.
# Linux also runs an OpenVPN server, 172.16.0.1/24; clients that use it as their gateway are given Internet access
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
Do not forget to add the corresponding accept rules to iptables if you filter packets, and to enable forwarding (net.ipv4.ip_forward=1), which the DNAT and SNAT for other hosts depend on.
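A complete iptables-restore file that combines the two fragments above with the accept rules they need, added here as an example and not part of the article. It assumes eth0 with 1.1.1.1 as the WAN side and 10.10.10.1 for nginx (both from the article), tun0 as the OpenVPN server interface (my assumption), and keeps SSH on port 22 open so the INPUT DROP policy does not lock you out; adjust those before applying.

```shell
#!/bin/bash
# Added example: full iptables ruleset for the Linux side of the IPIP-over-IPsec tunnel.
# Assumptions: eth0/1.1.1.1 WAN (article), tun0 for OpenVPN (assumed), nginx at 10.10.10.1 (article).
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-1.1.1.1}"
OVPN_IF="${OVPN_IF:-tun0}"
OVPN_NET="${OVPN_NET:-172.16.0.0/24}"
WEB_HOST="${WEB_HOST:-10.10.10.1}"
ADMIN_PORT="${ADMIN_PORT:-22}"

# build_ruleset: print the complete iptables-restore file on stdout
build_ruleset() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# TCP MSS clamping for everything leaving through the IPIP tunnel
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish nginx behind the MikroTik
-A PREROUTING -d $WAN_IP/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_HOST
# OpenVPN clients that use this host as their gateway
-A POSTROUTING -s $OVPN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# administrative access; without this the DROP policy locks you out
-A INPUT -i $WAN_IF -p tcp --dport $ADMIN_PORT -j ACCEPT
# IKE (500) and NAT-T (4500); the MikroTik address is dynamic, so no source match is possible
-A INPUT -i $WAN_IF -p udp -m multiport --dports 500,4500 -j ACCEPT
# plain ESP for the case where the peer is not behind NAT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
# decrypted IPIP carrier packets: accept only if they arrived inside an IPsec SA
-A INPUT -i $WAN_IF -p 4 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# traffic addressed to this host from inside the tunnel
-A INPUT -i ipip+ -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the DNATed web traffic on its way to nginx through the tunnel
-A FORWARD -i $WAN_IF -o ipip+ -d $WEB_HOST -p tcp -m multiport --dports 80,443 -j ACCEPT
# OpenVPN clients out to the Internet and into the networks behind the MikroTik
-A FORWARD -i $OVPN_IF -s $OVPN_NET -j ACCEPT
COMMIT
EOF
}

# apply_ruleset: enable forwarding, syntax-check the file, then load it atomically
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1
  build_ruleset > /etc/iptables.conf
  iptables-restore --test /etc/iptables.conf && iptables-restore /etc/iptables.conf
}

case "${1:-}" in show) build_ruleset ;; apply) apply_ruleset ;; esac
```

The policy match on the proto-4 rule is the important part: it admits IPIP packets only after they have been decrypted from an ESP SA, so a plain IPIP packet sent to 1.1.1.1 from the Internet is still dropped.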
Good luck!
Source: www.habr.com