ProHoster > Blog > Utongi > IPIP IPsec VPN mugero pakati peLinux muchina uye Mikrotik kuseri kweNAT mupi

IPIP IPsec VPN mugero pakati peLinux muchina uye Mikrotik kuseri kweNAT mupi

Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

  • Eth0 1.1.1.1/32 ekunze IP
  • ipip-ipsec0 192.168.0.1/30 ichava mugero wedu

Miktoik: CCR 1009, RouterOS 6.46.5

  • Eth0 10.0.0.2/30 yemukati IP kubva kumupi. Mupi wekunze weNAT IP ane simba.
  • ipip-ipsec0 192.168.0.2/30 ichava mugero wedu

Isu tichagadzira IPsec mugero pamushini weLinux uchishandisa racoon. Ini handisi kuzotsanangura izvo, pane yakanaka chinyorwa Ρƒ vvpoloskin.

Isa mapakeji anodiwa:

sudo install racoon ipsec-tools

Isu tinogadzirisa racoon, ichaita senge ipsec server. Sezvo mikrotik iri muhombe modhi isingakwanise kuendesa imwezve mutengi identifier, uye yekunze IP kero yainobatanidza kuLinux ine simba, kushandisa preshared kiyi (password mvumo) haishande, sezvo password inofanirwa kufananidzwa pamwe neiyo IP kero. iyo inobatanidza host, kana nechiziviso.

Tichashandisa mvumo tichishandisa makiyi eRSA.

Iyo racoon daemon inoshandisa makiyi muRSA fomati, uye mikrotik inoshandisa iyo PEM fomati. Kana iwe ukagadzira makiyi uchishandisa plainrsa-gen utility inouya neracoon, saka haugone kushandura kiyi yeruzhinji yeMikrotika kuPEM fomati nerubatsiro rwayo - inoshandura chete munzira imwe: PEM kuenda kuRSA. Kana openssl kana ssh-keygen yaigona kuverenga kiyi yakagadzirwa ne plainrsa-gen, saka shanduko haigone kuitwa uchishandisa ivo.

Isu tichagadzira kiyi yePEM tichishandisa openssl tozoishandura kuti ive racoon tichishandisa plainrsa-gen:

#  Π“Π΅Π½Π΅Ρ€ΠΈΡ€ΡƒΠ΅ΠΌ ΠΊΠ»ΡŽΡ‡
openssl genrsa -out server-name.pem 1024
# ИзвлСкаСм ΠΏΡƒΠ±Π»ΠΈΡ‡Π½Ρ‹ΠΉ ΠΊΠ»ΡŽΡ‡
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# ΠšΠΎΠ½Π²Π΅Ρ€Ρ‚ΠΈΡ€ΡƒΠ΅ΠΌ
plainrsa-gen -i server-name.pem -f server-name.privet.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key

Tichaisa makiyi akagamuchirwa mufolda: /etc/racoon/certs/server. Usakanganwa kuseta muridzi wemushandisi pasi pezita rake racoon daemon inotangwa (kazhinji midzi) kune mazana matanhatu emvumo.

Ini ndichatsanangura iyo mikrotik setup kana ichibatanidza kuburikidza neWinBox.

Isa kiyi ye server-name.pub.pem ku mikrotik: Menyu "Mafaira" - "Kuisa".

Vhura chikamu che "IP" - "IP sec" - "Kiyi" tab. Ikozvino isu tinogadzira makiyi - bhatani re "Gadzira Kiyi", wozotumira iyo mikrotika yeruzhinji kiyi "Expor Pub. Kiyi", unogona kuidhawunirodha kubva kuchikamu che "Files", tinya-kurudyi pane faira - "Download".

Isu tinopinza kiyi yeruzhinji racoon, "Import", mune yekudonhedza pasi ye "Faira zita" ndima tinotsvaga server-name.pub.pem yatakadhawunirodha kare.

Iyo mikrotik yeruzhinji kiyi inoda kushandurwa 

plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key

woiisa mu/etc/racoon/certs folda, usingakanganwe nezvemuridzi nekodzero.

racoon config pamwe nemashoko: /etc/racoon/racoon.conf

log info; # Π£Ρ€ΠΎΠ²Π΅Π½ΡŒ логирования, ΠΏΡ€ΠΈ ΠΎΡ‚Π»Π°Π΄ΠΊΠ΅ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠ΅ΠΌ Debug ΠΈΠ»ΠΈ Debug2.

listen {

    isakmp 1.1.1.1 [500]; # АдрСс ΠΈ ΠΏΠΎΡ€Ρ‚, Π½Π° ΠΊΠΎΡ‚ΠΎΡ€ΠΎΠΌ Π±ΡƒΠ΄Π΅Ρ‚ ΡΠ»ΡƒΡˆΠ°Ρ‚ΡŒ Π΄Π΅ΠΌΠΎΠ½.
    isakmp_natt 1.1.1.1 [4500]; # АдрСс ΠΈ ΠΏΠΎΡ€Ρ‚, Π½Π° ΠΊΠΎΡ‚ΠΎΡ€ΠΎΠΌ Π±ΡƒΠ΄Π΅Ρ‚ ΡΠ»ΡƒΡˆΠ°Ρ‚ΡŒ Π΄Π΅ΠΌΠΎΠ½ для ΠΊΠ»ΠΈΠ΅Π½Ρ‚ΠΎΠ² Π·Π° NAT.
    strict_address; # Π’Ρ‹ΠΏΠΎΠ»Π½ΡΡ‚ΡŒ ΠΎΠ±ΡΠ·Π°Ρ‚Π΅Π»ΡŒΠ½ΡƒΡŽ ΠΏΡ€ΠΎΠ²Π΅Ρ€ΠΊΡƒ привязки ΠΊ ΡƒΠΊΠ°Π·Π°Π½Π½Ρ‹ΠΌ Π²Ρ‹ΡˆΠ΅ IP.
}

path certificate "/etc/racoon/certs"; # ΠŸΡƒΡ‚ΡŒ Π΄ΠΎ ΠΏΠ°ΠΏΠΊΠΈ с сСртификатами.

remote anonymous { # БСкция, Π·Π°Π΄Π°ΡŽΡ‰Π°Ρ ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Ρ‹ для Ρ€Π°Π±ΠΎΡ‚Ρ‹ Π΄Π΅ΠΌΠΎΠ½Π° с ISAKMP ΠΈ согласования Ρ€Π΅ΠΆΠΈΠΌΠΎΠ² с ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π°ΡŽΡ‰ΠΈΠΌΠΈΡΡ хостами. Π’Π°ΠΊ ΠΊΠ°ΠΊ IP, с ΠΊΠΎΡ‚ΠΎΡ€ΠΎΠ³ΠΎ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π°Π΅Ρ‚ΡΡ Mikrotik, динамичСский, Ρ‚ΠΎ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠ΅ΠΌ anonymous, Ρ‡Ρ‚ΠΎ Ρ€Π°Π·Ρ€Π΅ΡˆΠ°Π΅Ρ‚ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π΅Π½ΠΈΠ΅ с любого адрСса. Если IP Ρƒ хостов статичСский, Ρ‚ΠΎ ΠΌΠΎΠΆΠ½ΠΎ ΡƒΠΊΠ°Π·Π°Ρ‚ΡŒ ΠΊΠΎΠ½ΠΊΡ€Π΅Ρ‚Π½Ρ‹ΠΉ адрСс ΠΈ ΠΏΠΎΡ€Ρ‚.

    passive on; # Π—Π°Π΄Π°Π΅Ρ‚ "сСрвСрный" Ρ€Π΅ΠΆΠΈΠΌ Ρ€Π°Π±ΠΎΡ‚Ρ‹ Π΄Π΅ΠΌΠΎΠ½Π°, ΠΎΠ½ Π½Π΅ Π±ΡƒΠ΄Π΅Ρ‚ ΠΏΡ‹Ρ‚Π°Ρ‚ΡŒΡΡ ΠΈΠ½ΠΈΡ†ΠΈΠΈΡ€ΠΎΠ²Π°Ρ‚ΡŒ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π΅Π½ΠΈΡ.
    nat_traversal on; # Π’ΠΊΠ»ΡŽΡ‡Π°Π΅Ρ‚ использованиС Ρ€Π΅ΠΆΠΈΠΌΠ° NAT-T для ΠΊΠ»ΠΈΠ΅Π½Ρ‚ΠΎΠ², Ссли ΠΎΠ½ΠΈ Π·Π° NAT. 
    exchange_mode main; # Π Π΅ΠΆΠΈΠΌ ΠΎΠ±ΠΌΠ΅Π½Π° ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Π°ΠΌΠΈ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π΅Π½ΠΈΡ, Π² Π΄Π°Π½Π½ΠΎΠΌ случаС ---согласованиС.
    my_identifier address 1.1.1.1; # Π˜Π΄Π΅Π½Ρ‚ΠΈΡ„ΠΈΡ†ΠΈΡ€ΡƒΠ΅ΠΌ наш linux хост ΠΏΠΎ Π΅Π³ΠΎ ip адрСсу.
    certificate_type plain_rsa "server/server-name.priv.key"; # ΠŸΡ€ΠΈΠ²Π°Ρ‚Π½Ρ‹ΠΉ ΠΊΠ»ΡŽΡ‡ сСрвСра.
    peers_certfile plain_rsa "mikrotik.pub.key"; # ΠŸΡƒΠ±Π»ΠΈΡ‡Π½Ρ‹ΠΉ ΠΊΠ»ΡŽΡ‡ Mikrotik.

    proposal_check claim; # Π Π΅ΠΆΠΈΠΌ согласования ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€ΠΎΠ² ISAKMP туннСля. Racoon Π±ΡƒΠ΄Π΅Ρ‚ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚ΡŒ значСния ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π°ΡŽΡ‰Π΅Π³ΠΎΡΡ хоста (ΠΈΠ½ΠΈΡ†ΠΈΠ°Ρ‚ΠΎΡ€Π°) для срока дСйствия сСссии                   ΠΈ Π΄Π»ΠΈΠ½Ρ‹ ΠΊΠ»ΡŽΡ‡Π°, Ссли Π΅Π³ΠΎ срок дСйствия сСссии большС, ΠΈΠ»ΠΈ Π΄Π»ΠΈΠ½Π° Π΅Π³ΠΎ ΠΊΠ»ΡŽΡ‡Π° ΠΊΠΎΡ€ΠΎΡ‡Π΅, Ρ‡Π΅ΠΌ Ρƒ ΠΈΠ½ΠΈΡ†ΠΈΠ°Ρ‚ΠΎΡ€Π°. Если срок дСйствия сСссии ΠΊΠΎΡ€ΠΎΡ‡Π΅, Ρ‡Π΅ΠΌ Ρƒ ΠΈΠ½ΠΈΡ†ΠΈΠ°Ρ‚ΠΎΡ€Π°, racoon ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠ΅Ρ‚ собствСнноС Π·Π½Π°Ρ‡Π΅Π½ΠΈΠ΅ срока дСйствия сСссии ΠΈ Π±ΡƒΠ΄Π΅Ρ‚ ΠΎΡ‚ΠΏΡ€Π°Π²Π»ΡΡ‚ΡŒ сообщСниС RESPONDER-LIFETIME.
    proposal { # ΠŸΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Ρ‹ ISAKMP туннСля.

        encryption_algorithm aes; # ΠœΠ΅Ρ‚ΠΎΠ΄ ΡˆΠΈΡ„Ρ€ΠΎΠ²Π°Π½ΠΈΡ ISAKMP туннСля.
        hash_algorithm sha512; # Алгоритм Ρ…Π΅ΡˆΠΈΡ€ΠΎΠ²Π°Π½ΠΈΡ, ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠ΅ΠΌΡ‹ΠΉ для ISAKMP туннСля.
        authentication_method rsasig; # Π Π΅ΠΆΠΈΠΌ Π°ΡƒΡ‚Π΅Π½Ρ‚ΠΈΡ„ΠΈΠΊΠ°Ρ†ΠΈΠΈ для ISAKMP туннСля - ΠΏΠΎ RSA ΠΊΠ»ΡŽΡ‡Π°ΠΌ.
        dh_group modp2048; # Π”Π»ΠΈΠ½Π° ΠΊΠ»ΡŽΡ‡Π° для Π°Π»Π³ΠΎΡ€ΠΈΡ‚ΠΌΠ° Π”ΠΈΡ„Ρ„ΠΈ-Π₯Π΅Π»Π»ΠΌΠ°Π½Π° ΠΏΡ€ΠΈ согласовании ISAKMP туннСля.
        lifetime time 86400 sec; ВрСмя дСйствия сСссии.
    }

    generate_policy on; # АвтоматичСскоС созданиС ESP Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ ΠΈΠ· запроса, ΠΏΡ€ΠΈΡˆΠ΅Π΄ΡˆΠ΅Π³ΠΎ ΠΎΡ‚ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π°ΡŽΡ‰Π΅Π³ΠΎΡΡ хоста.
}

sainfo anonymous { # ΠŸΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Ρ‹ ESP Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ, anonymous - ΡƒΠΊΠ°Π·Π°Π½Π½Ρ‹Π΅ ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Ρ‹ Π±ΡƒΠ΄ΡƒΡ‚ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Π½Ρ‹ ΠΊΠ°ΠΊ ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Ρ‹ ΠΏΠΎ ΡƒΠΌΠΎΠ»Ρ‡Π°Π½ΠΈΡŽ. Для Ρ€Π°Π·Π½Ρ‹Ρ… ΠΊΠ»ΠΈΠ΅Π½Ρ‚ΠΎΠ², ΠΏΠΎΡ€Ρ‚ΠΎΠ², ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ² ΠΌΠΎΠΆΠ½ΠΎ              Π·Π°Π΄Π°Π²Π°Ρ‚ΡŒ Ρ€Π°Π·Π½Ρ‹Π΅ ΠΏΠ°Ρ€Π°ΠΌΠ΅Ρ‚Ρ€Ρ‹, сопоставлСниС происходит ΠΏΠΎ ip адрСсам, ΠΏΠΎΡ€Ρ‚Π°ΠΌ, ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Π°ΠΌ.

    pfs_group modp2048; # Π”Π»ΠΈΠ½Π° ΠΊΠ»ΡŽΡ‡Π° для Π°Π»Π³ΠΎΡ€ΠΈΡ‚ΠΌΠ° Π”ΠΈΡ„Ρ„ΠΈ-Π₯Π΅Π»Π»ΠΌΠ°Π½Π° для ESP Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ.
    lifetime time 28800 sec; # Π‘Ρ€ΠΎΠΊ дСйствия ESP Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ.
    encryption_algorithm aes; # ΠœΠ΅Ρ‚ΠΎΠ΄ ΡˆΠΈΡ„Ρ€ΠΎΠ²Π°Π½ΠΈΡ ESP Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ.
    authentication_algorithm hmac_sha512; # Алгоритм Ρ…Π΅ΡˆΠΈΡ€ΠΎΠ²Π°Π½ΠΈΡ, ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠ΅ΠΌΡ‹ΠΉ для Π°ΡƒΡ‚Π΅Π½Ρ‚ΠΈΡ„ΠΈΠΊΠ°Ρ†ΠΈΠΈ ESP Ρ‚ΡƒΠ½Π½Π΅Π»Π΅ΠΉ.
    compression_algorithm deflate; # Π‘ΠΆΠΈΠΌΠ°Ρ‚ΡŒ ΠΏΠ΅Ρ€Π΅Π΄Π°Π²Π°Π΅ΠΌΡ‹Π΅ Π΄Π°Π½Π½Ρ‹Π΅, Π°Π»Π³ΠΎΡ€ΠΈΡ‚ΠΌ сТатия прСдлагаСтся Ρ‚ΠΎΠ»ΡŒΠΊΠΎ ΠΎΠ΄ΠΈΠ½.
}

mikrotik config

Dzokera ku "IP" chikamu - "IPsec"

"Profiles" tab
Parameter
ukoshi

zita
Nekuda kwako (nedefault default)

Hash algorithm
sha512

Encryption algorithm
aes-128

DH-Group
modp2048

Proposhal_check
murandu

Lifetime
1d 00:00:00

NAT Traversal
chokwadi (tarisa bhokisi)

DPD
120

DPD Kutadza kukuru
5

Peers tab
Parameter
ukoshi

zita
Pakufunga kwako (zvino zvinozonzi MyPeer)

adhiresi
1.1.1.1 (IP Linux michina)

Kero Yenzvimbo
10.0.0.2 (IP WAN interface mikrotik)

Profile
Default

Shanduro Yemamiriro
kuru

Passive
venhema

Tumira INITIAL_CONTACT
zvechokwadi

Proposal tab
Parameter
ukoshi

zita
Pakufunga kwako (pano MyPeerProposal)

Auth. Algorithms
sha512

Encr. Algorithms
aes-128-cbc

Lifetime
08:00:00

PFS Group
modp2048

"Identities" tab
Parameter
ukoshi

Vezera rangu
MyPeer

Atuh. Nzira
rsa kiyi

Key
mikrotik.privet.key

Remote Key
server-zita.pub.pem

Policy Template Group
Default

Notrack Chain
empty

Chitupa changu Type
motokari

Remote ID Type
motokari

Match By
kure id

Mode Configuration
empty

Gadzira Policy
kwete

Tab "Mitemo - General"
Parameter
ukoshi

Vezera rangu
MyPeer

Tunnel
zvechokwadi

Src. Kero
192.168.0.0/30

Dest. Kero
192.168.0.0/30

Protocol
255 (vose)

Template
venhema

Tab "Mitemo - Chiito"
Parameter
ukoshi

Action
encrypt

Level
zvinoda

IPsec Protocols
kunyanya

Proposal
MyPeerProposal

Zvingangodaro, seni, une snat/masquerade yakagadziridzwa pane yako WAN interface; mutemo uyu unofanirwa kugadziridzwa kuitira kuti inobuda ipsec mapaketi apinde mugero redu:
Enda kune "IP" - "Firewall" chikamu.
"NAT" tab, vhura mutemo wedu we snat/masquerade.

Advanced Tab
Parameter
ukoshi

IPsec Policy
kunze: hapana

Kutangazve racoon dhimoni

sudo systemctl restart racoon

Kana racoon ikasatanga pakatangazve, ipapo pane kukanganisa mukugadzirisa; mu syslog, racoon inoratidza ruzivo nezve nhamba yemutsara umo kukanganisa kwakawanikwa.

Kana iyo OS bhutsu, iyo racoon daemon inotanga isati yaunzwa network network, uye isu takatsanangura iyo yakasimba_kero sarudzo muchikamu chekuteerera; iwe unofanirwa kuwedzera iyo racoon unit kune systemd faira.
/lib/systemd/system/racoon.service, muchikamu che[Unit], mutsetse After=network.target.

Zvino yedu ipsec tunnels inofanira kunge iri kumusoro, tarisa zvinobuda:

sudo ip xfrm policy

src 192.168.255.0/30 dst 192.168.255.0/30 
    dir out priority 2147483648 
    tmpl src 1.1.1.1 dst "IP NAT Ρ‡Π΅Ρ€Π΅Π· ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π°Π΅Ρ‚ΡΡ mikrotik"
        proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30 
    dir fwd priority 2147483648 
    tmpl src "IP NAT Ρ‡Π΅Ρ€Π΅Π· ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π°Π΅Ρ‚ΡΡ mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30 
    dir in priority 2147483648 
    tmpl src "IP NAT Ρ‡Π΅Ρ€Π΅Π· ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π°Π΅Ρ‚ΡΡ mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel

Kana migero isiri kumusoro, tarisa syslog, kana journalctl -u racoon.

Iye zvino iwe unofanirwa kugadzirisa L3 interfaces kuitira kuti traffic inogona kufambiswa. Pane zvingasarudzwa zvakasiyana, tichashandisa IPIP, sezvo mikrotik ichitsigira, ndingashandisa vti, asi, zvinosuruvarisa, haisati yashandiswa mu mikrotik. Iyo yakasiyana neIPIP pakuti inogona kuwedzera encapsulate multicast uye kuisa fwmarks pamapakiti, ayo anogona kusefa muma iptables uye iproute2 (policy-based routing). Kana iwe uchida yakanyanya kushanda, saka, semuenzaniso, GRE. Asi usakanganwa kuti tinobhadhara kune mamwe maitiro ane musoro mukuru wepamusoro.

Iwe unogona kuona kududzirwa kweongororo yakanaka yetunnel interfaces pano.

PaLinux:

# Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ интСрфСйс
sudo ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
# АктивируСм
sudo ip link set ipip-ipsec0 up
# НазначаСм адрСс
sudo ip addr add 192.168.255.1/30 dev ipip-ipsec0

Iye zvino unogona kuwedzera nzira dzenetiweki kuseri kwe mikrotik

sudo ip route add A.B.C.D/Prefix via 192.168.255.2

Kuti chimiro chedu uye nzira dzisimudzwe mushure mekutangazve, tinoda kutsanangura iyo interface mu /etc/network/interfaces uye kuwedzera nzira ipapo mune post-up, kana kunyora zvese mune imwe faira, semuenzaniso, /etc/ ipip-ipsec0.conf uye dhonza iyo kuburikidza ne-post-up, usakanganwa nezvemuridzi wefaira, kodzero uye ita kuti iite.

Pazasi pane muenzaniso faira

#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.255.1/30 dev ipip-ipsec0

ip route add A.B.C.D/Prefix via 192.168.255.2

Pamusoro peMikrotik:

Chikamu "Interfaces", wedzera chimiro chitsva "IP tunnel":

Tab "IP tunnel" - "General"
Parameter
ukoshi

zita
Pakufunga kwako (zvino zvazonzi IPIP-IPsec0)

MUNHU
1480 (kana isina kutaurwa, mikrotik inotanga kucheka munhu kusvika 68)

Kero Yenzvimbo
192.168.0.2

Remote Address
192.168.0.1

IPsec Secret
Deactivate munda (zvikasadaro Peer nyowani ichagadzirwa)

Kuchengeta
Deactivate munda (zvikasadaro iyo interface inogara yakadzima, sezvo mikrotika ine yayo fomati yemapakeji aya uye isingashande neLinux)

DSCP
nhaka

Usaite Chimedu
kwete

Bata TCP MSS
zvechokwadi

Bvumira Fast Nzira
zvechokwadi

Chikamu "IP" - "Kero", wedzera kero:

Parameter
ukoshi

adhiresi
192.168.0.2/30

inowanikwa
IPIP-IPsec0

Iye zvino unogona kuwedzera nzira kunetiweki kuseri kweLinux muchina; kana uchiwedzera nzira, gedhi richave redu IPIP-IPsec0 interface.

PS

Sezvo yedu Linux server ichichinja, zvine musoro kuseta iyo Clamp TCP MSS parameter yeipip interfaces pairi:

gadzira faira /etc/iptables.conf ine zvinotevera zviri mukati:

*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

uye mukati /etc/network/interfaces
post-up iptables-restore </etc/iptables.conf

Ndine nginx inomhanya pane network kuseri kwe mikrotik (ip 10.10.10.1), ita kuti iwanikwe kubva paInternet, wedzera kune /etc/iptables.conf:

*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
#На mikrotik, Π² Ρ‚Π°Π±Π»ΠΈΡ†Π΅ mangle, Π½Π°Π΄ΠΎ Π΄ΠΎΠ±Π°Π²ΠΈΡ‚ΡŒ ΠΏΡ€Π°Π²ΠΈΠ»ΠΎ route с Π½Π°Π·Π½Π°Ρ‡Π΅Π½ΠΈΠ΅ΠΌ 192.168.0.1 для ΠΏΠ°ΠΊΠ΅Ρ‚ΠΎΠ² с адрСсом источника 10.10.10.1 ΠΈ ΠΏΠΎΡ€Ρ‚ΠΎΠ² 80, 443.

# Π’Π°ΠΊ ΠΆΠ΅ Π½Π° linux Ρ€Π°Π±ΠΎΡ‚Π°Π΅Ρ‚ OpenVPN сСрвСр 172.16.0.1/24, для ΠΊΠ»ΠΈΠ΅Π½Ρ‚ΠΎΠ² ΠΊΠΎΡ‚ΠΎΡ€Ρ‹Π΅ ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΡŽΡ‚ ΠΏΠΎΠ΄ΠΊΠ»ΡŽΡ‡Π΅Π½ΠΈΠ΅ ΠΊ Π½Π΅ΠΌΡƒ Π² качСствС шлюза Π΄Π°Π΅ΠΌ доступ Π² ΠΈΠ½Ρ‚Π΅Ρ€Π½Π΅Ρ‚
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT

Usakanganwa kuwedzera mvumo yakakodzera kune iptables kana uine mafirita epaketi akagoneswa.

Ropafadza iwe!

Source: www.habr.com

Voeg