Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-guud x86_64)
- Eth0 1.1.1.1/32 dibadda IP
- ipip-ipsec0 192.168.0.1/30 ayaa noqon doonta tunnelkeena
Miktoik: CCR 1009, RouterOS 6.46.5
- Eth0 10.0.0.2/30 gudaha IP ka bixiyaha. NAT IP-ga dibadda ee bixiyaha waa mid firfircoon.
- ipip-ipsec0 192.168.0.2/30 ayaa noqon doonta tunnelkeena
Waxaan ku abuuri doonaa IPsec tunnel mashiinka Linux anagoo adeegsanayna racoon. Ma qeexi doono faahfaahinta, waxaa jira mid wanaagsan
Ku rakib xirmooyinka lagama maarmaanka ah:
sudo install racoon ipsec-tools
Waxaan dejineynaa racoon, waxay shuruud ahaan u shaqeyn doontaa sidii server-ka ipsec. Maaddaama mikrotik ee qaabka ugu weyn uusan gudbin karin aqoonsi macmiil oo dheeri ah, iyo cinwaanka IP-ga dibadda ee uu ku xirayo Linux waa firfircoon yahay, adeegsiga furaha horay loo wadaagay (ogolaanshaha erayga sirta ah) ma shaqeyn doono, maadaama erayga sirta ah uu la mid yahay cinwaanka IP-ga martigeliyaha isku xira, ama leh aqoonsi.
Waxaan isticmaali doonaa oggolaanshaha anagoo adeegsanayna furayaasha RSA.
Daemon-ka racoon wuxuu isticmaalaa furayaasha qaabka RSA, mikrotikna wuxuu isticmaalaa qaabka PEM. Haddii aad abuurto furayaal adoo isticmaalaya utility plainrsa-gen ee la socota racoon, markaa ma awoodi doontid inaad u beddesho furaha dadweynaha ee Mikrotika qaabka PEM iyada oo caawinteeda - waxay u beddeshaa kaliya hal jiho: PEM ilaa RSA. Openssl iyo ssh-keygen midkoodna ma akhrin karo furaha uu soo saaray plainrsa-gen, markaa beddelaaddu suurtagal ma noqon doonto iyaga oo la isticmaalo.
Waxaan soo saari doonaa furaha PEM anagoo adeegsanayna openssl ka dibna waxaan u bedeli doonaa racoon anagoo adeegsanayna plainrsa-gen:
# ΠΠ΅Π½Π΅ΡΠΈΡΡΠ΅ΠΌ ΠΊΠ»ΡΡ
openssl genrsa -out server-name.pem 1024
# ΠΠ·Π²Π»Π΅ΠΊΠ°Π΅ΠΌ ΠΏΡΠ±Π»ΠΈΡΠ½ΡΠΉ ΠΊΠ»ΡΡ
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# ΠΠΎΠ½Π²Π΅ΡΡΠΈΡΡΠ΅ΠΌ
plainrsa-gen -i server-name.pem -f server-name.privet.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key
Waxaan gelin doonaa furayaasha la helay galka: /etc/racoon/certs/server. Ha iloobin inaad dejiso milkiilaha isticmaalaha magaciisa hoostiisa racoon daemon la bilaabay (badanaa xidid) ilaa 600 ogolaansho.
Waxaan sharxi doonaa dejinta mikrotik marka la isku xiro WinBox.
U soo deji server-name.pub.pem furaha mikrotik: Menu βFilesβ - βUploadβ.
Fur qaybta "IP" - "IP sec" - "Furayaasha" tab. Hadda waxaan soo saareynaa furayaasha - badhanka "Samee Furaha", ka dibna dhoofin furaha dadweynaha ee mikrotika "Expor Pub. Furaha", waxaad ka soo dejisan kartaa qaybta "Files", midig-guji faylka - "Download".
Waxaan soo dejineynaa furaha dadweynaha ee racoon, "Import", liiska hoos-u-hoosaadka ee "Magaca faylka" ee goobta waxaan ka raadineynaa server-name.pub.pem aan horay u soo dejinay.
Furaha guud ee mikrotik wuxuu u baahan yahay in la beddelo
plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key
oo geli faylka /etc/racoon/certs, adigoon iloobin milkiilaha iyo xuquuqda.
racoon config oo leh faallooyin: /etc/racoon/racoon.conf
log info; # Π£ΡΠΎΠ²Π΅Π½Ρ Π»ΠΎΠ³ΠΈΡΠΎΠ²Π°Π½ΠΈΡ, ΠΏΡΠΈ ΠΎΡΠ»Π°Π΄ΠΊΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌ Debug ΠΈΠ»ΠΈ Debug2.
listen {
isakmp 1.1.1.1 [500]; # ΠΠ΄ΡΠ΅Ρ ΠΈ ΠΏΠΎΡΡ, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π±ΡΠ΄Π΅Ρ ΡΠ»ΡΡΠ°ΡΡ Π΄Π΅ΠΌΠΎΠ½.
isakmp_natt 1.1.1.1 [4500]; # ΠΠ΄ΡΠ΅Ρ ΠΈ ΠΏΠΎΡΡ, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π±ΡΠ΄Π΅Ρ ΡΠ»ΡΡΠ°ΡΡ Π΄Π΅ΠΌΠΎΠ½ Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ² Π·Π° NAT.
strict_address; # ΠΡΠΏΠΎΠ»Π½ΡΡΡ ΠΎΠ±ΡΠ·Π°ΡΠ΅Π»ΡΠ½ΡΡ ΠΏΡΠΎΠ²Π΅ΡΠΊΡ ΠΏΡΠΈΠ²ΡΠ·ΠΊΠΈ ΠΊ ΡΠΊΠ°Π·Π°Π½Π½ΡΠΌ Π²ΡΡΠ΅ IP.
}
path certificate "/etc/racoon/certs"; # ΠΡΡΡ Π΄ΠΎ ΠΏΠ°ΠΏΠΊΠΈ Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°ΠΌΠΈ.
remote anonymous { # Π‘Π΅ΠΊΡΠΈΡ, Π·Π°Π΄Π°ΡΡΠ°Ρ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ Π΄Π»Ρ ΡΠ°Π±ΠΎΡΡ Π΄Π΅ΠΌΠΎΠ½Π° Ρ ISAKMP ΠΈ ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΡ ΡΠ΅ΠΆΠΈΠΌΠΎΠ² Ρ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°ΡΡΠΈΠΌΠΈΡΡ Ρ
ΠΎΡΡΠ°ΠΌΠΈ. Π’Π°ΠΊ ΠΊΠ°ΠΊ IP, Ρ ΠΊΠΎΡΠΎΡΠΎΠ³ΠΎ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ Mikrotik, Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠΉ, ΡΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌ anonymous, ΡΡΠΎ ΡΠ°Π·ΡΠ΅ΡΠ°Π΅Ρ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΠ΅ Ρ Π»ΡΠ±ΠΎΠ³ΠΎ Π°Π΄ΡΠ΅ΡΠ°. ΠΡΠ»ΠΈ IP Ρ Ρ
ΠΎΡΡΠΎΠ² ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠΉ, ΡΠΎ ΠΌΠΎΠΆΠ½ΠΎ ΡΠΊΠ°Π·Π°ΡΡ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΡΠΉ Π°Π΄ΡΠ΅Ρ ΠΈ ΠΏΠΎΡΡ.
passive on; # ΠΠ°Π΄Π°Π΅Ρ "ΡΠ΅ΡΠ²Π΅ΡΠ½ΡΠΉ" ΡΠ΅ΠΆΠΈΠΌ ΡΠ°Π±ΠΎΡΡ Π΄Π΅ΠΌΠΎΠ½Π°, ΠΎΠ½ Π½Π΅ Π±ΡΠ΄Π΅Ρ ΠΏΡΡΠ°ΡΡΡΡ ΠΈΠ½ΠΈΡΠΈΠΈΡΠΎΠ²Π°ΡΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ.
nat_traversal on; # ΠΠΊΠ»ΡΡΠ°Π΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠ΅ΠΆΠΈΠΌΠ° NAT-T Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ², Π΅ΡΠ»ΠΈ ΠΎΠ½ΠΈ Π·Π° NAT.
exchange_mode main; # Π Π΅ΠΆΠΈΠΌ ΠΎΠ±ΠΌΠ΅Π½Π° ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠ°ΠΌΠΈ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ, Π² Π΄Π°Π½Π½ΠΎΠΌ ΡΠ»ΡΡΠ°Π΅ ---ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΠ΅.
my_identifier address 1.1.1.1; # ΠΠ΄Π΅Π½ΡΠΈΡΠΈΡΠΈΡΡΠ΅ΠΌ Π½Π°Ρ linux Ρ
ΠΎΡΡ ΠΏΠΎ Π΅Π³ΠΎ ip Π°Π΄ΡΠ΅ΡΡ.
certificate_type plain_rsa "server/server-name.priv.key"; # ΠΡΠΈΠ²Π°ΡΠ½ΡΠΉ ΠΊΠ»ΡΡ ΡΠ΅ΡΠ²Π΅ΡΠ°.
peers_certfile plain_rsa "mikrotik.pub.key"; # ΠΡΠ±Π»ΠΈΡΠ½ΡΠΉ ΠΊΠ»ΡΡ Mikrotik.
proposal_check claim; # Π Π΅ΠΆΠΈΠΌ ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΡ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠΎΠ² ISAKMP ΡΡΠ½Π½Π΅Π»Ρ. Racoon Π±ΡΠ΄Π΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°ΡΡΠ΅Π³ΠΎΡΡ Ρ
ΠΎΡΡΠ° (ΠΈΠ½ΠΈΡΠΈΠ°ΡΠΎΡΠ°) Π΄Π»Ρ ΡΡΠΎΠΊΠ° Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ ΠΈ Π΄Π»ΠΈΠ½Ρ ΠΊΠ»ΡΡΠ°, Π΅ΡΠ»ΠΈ Π΅Π³ΠΎ ΡΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ Π±ΠΎΠ»ΡΡΠ΅, ΠΈΠ»ΠΈ Π΄Π»ΠΈΠ½Π° Π΅Π³ΠΎ ΠΊΠ»ΡΡΠ° ΠΊΠΎΡΠΎΡΠ΅, ΡΠ΅ΠΌ Ρ ΠΈΠ½ΠΈΡΠΈΠ°ΡΠΎΡΠ°. ΠΡΠ»ΠΈ ΡΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ ΠΊΠΎΡΠΎΡΠ΅, ΡΠ΅ΠΌ Ρ ΠΈΠ½ΠΈΡΠΈΠ°ΡΠΎΡΠ°, racoon ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅Ρ ΡΠΎΠ±ΡΡΠ²Π΅Π½Π½ΠΎΠ΅ Π·Π½Π°ΡΠ΅Π½ΠΈΠ΅ ΡΡΠΎΠΊΠ° Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ ΠΈ Π±ΡΠ΄Π΅Ρ ΠΎΡΠΏΡΠ°Π²Π»ΡΡΡ ΡΠΎΠΎΠ±ΡΠ΅Π½ΠΈΠ΅ RESPONDER-LIFETIME.
proposal { # ΠΠ°ΡΠ°ΠΌΠ΅ΡΡΡ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
encryption_algorithm aes; # ΠΠ΅ΡΠΎΠ΄ ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΡ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
hash_algorithm sha512; # ΠΠ»Π³ΠΎΡΠΈΡΠΌ Ρ
Π΅ΡΠΈΡΠΎΠ²Π°Π½ΠΈΡ, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌΡΠΉ Π΄Π»Ρ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
authentication_method rsasig; # Π Π΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ Π΄Π»Ρ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ - ΠΏΠΎ RSA ΠΊΠ»ΡΡΠ°ΠΌ.
dh_group modp2048; # ΠΠ»ΠΈΠ½Π° ΠΊΠ»ΡΡΠ° Π΄Π»Ρ Π°Π»Π³ΠΎΡΠΈΡΠΌΠ° ΠΠΈΡΡΠΈ-Π₯Π΅Π»Π»ΠΌΠ°Π½Π° ΠΏΡΠΈ ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΠΈ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
lifetime time 86400 sec; ΠΡΠ΅ΠΌΡ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ.
}
generate_policy on; # ΠΠ²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠ΅ ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ ΠΈΠ· Π·Π°ΠΏΡΠΎΡΠ°, ΠΏΡΠΈΡΠ΅Π΄ΡΠ΅Π³ΠΎ ΠΎΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°ΡΡΠ΅Π³ΠΎΡΡ Ρ
ΠΎΡΡΠ°.
}
sainfo anonymous { # ΠΠ°ΡΠ°ΠΌΠ΅ΡΡΡ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ, anonymous - ΡΠΊΠ°Π·Π°Π½Π½ΡΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ Π±ΡΠ΄ΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½Ρ ΠΊΠ°ΠΊ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ ΠΏΠΎ ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ. ΠΠ»Ρ ΡΠ°Π·Π½ΡΡ
ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ², ΠΏΠΎΡΡΠΎΠ², ΠΏΡΠΎΡΠΎΠΊΠΎΠ»ΠΎΠ² ΠΌΠΎΠΆΠ½ΠΎ Π·Π°Π΄Π°Π²Π°ΡΡ ΡΠ°Π·Π½ΡΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ, ΡΠΎΠΏΠΎΡΡΠ°Π²Π»Π΅Π½ΠΈΠ΅ ΠΏΡΠΎΠΈΡΡ
ΠΎΠ΄ΠΈΡ ΠΏΠΎ ip Π°Π΄ΡΠ΅ΡΠ°ΠΌ, ΠΏΠΎΡΡΠ°ΠΌ, ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π°ΠΌ.
pfs_group modp2048; # ΠΠ»ΠΈΠ½Π° ΠΊΠ»ΡΡΠ° Π΄Π»Ρ Π°Π»Π³ΠΎΡΠΈΡΠΌΠ° ΠΠΈΡΡΠΈ-Π₯Π΅Π»Π»ΠΌΠ°Π½Π° Π΄Π»Ρ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
lifetime time 28800 sec; # Π‘ΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
encryption_algorithm aes; # ΠΠ΅ΡΠΎΠ΄ ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΡ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
authentication_algorithm hmac_sha512; # ΠΠ»Π³ΠΎΡΠΈΡΠΌ Ρ
Π΅ΡΠΈΡΠΎΠ²Π°Π½ΠΈΡ, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌΡΠΉ Π΄Π»Ρ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
compression_algorithm deflate; # Π‘ΠΆΠΈΠΌΠ°ΡΡ ΠΏΠ΅ΡΠ΅Π΄Π°Π²Π°Π΅ΠΌΡΠ΅ Π΄Π°Π½Π½ΡΠ΅, Π°Π»Π³ΠΎΡΠΈΡΠΌ ΡΠΆΠ°ΡΠΈΡ ΠΏΡΠ΅Π΄Π»Π°Π³Π°Π΅ΡΡΡ ΡΠΎΠ»ΡΠΊΠΎ ΠΎΠ΄ΠΈΠ½.
}
mikrotik config
Ku noqo qaybta "IP" - "IPsec"
"Profiles" tab
Xildhibaan
qiimaha
magaca
Go'aankaaga (by default default)
Hash Algorithm
sha512
Algorithm-ka sirta
aes-128
Kooxda DH-Group
modp2048
Proposhal_check
sheegasho
Lifetime
1d 00:00:00
Socdaalka NAT
run ( calaamee sanduuqa)
DPD
120
DPD fashilka ugu badan
5
Saaxiibada tab
Xildhibaan
qiimaha
magaca
Go'aankaaga (hadda kadib waxaa loo yaqaan MyPeer)
Cinwaanka
1.1.1.1 (Mashiinnada IP Linux)
Cinwaanka Maxaliga ah
10.0.0.2 (IP WAN interface mikrotik)
Profile
Default
Habka Beddelka
ugu weyn ee
dadban
been ah
Dir INITIAL_CONTACT
run
Tabaha soo jeedinta
Xildhibaan
qiimaha
magaca
Go'aankaaga (hadda kadib waxaa loo yaqaan MyPeerProposal)
Xaqiijin Algorithms
sha512
Encr. Algorithms
aes-128-cbc
Lifetime
08:00:00
Kooxda PFS
modp2048
"Aqoonsiga" tab
Xildhibaan
qiimaha
Asxaabta
MyPeer
Atuuh. Habka
rsa key
Key
mikrotik.privet.key
Furaha Fog
server-name.pub.pem
Kooxda Qaababka Siyaasadda
Default
Silsiladda Notrack
madhan
Nooca Aqoonsigayga
baabuur
Nooca Aqoonsiga fog
baabuur
Ciyaarta By
id fog
Habaynta Qaabka
madhan
Siyaasad abuur
maya
Tab "Siyaasadaha - Guud"
Xildhibaan
qiimaha
Asxaabta
MyPeer
tunnel
run
Src. Cinwaanka
192.168.0.0/30
Dest. Cinwaanka
192.168.0.0/30
Protocol
255 (dhammaan)
Template
been ah
Tab "Siyaasadaha - Tallaabo"
Xildhibaan
qiimaha
Action
qarsoodi
heerka
u baahan
IPsec Protocols
gaar ahaan
Soo jeedinta
MyPeerProposal
Waxay u badan tahay, sidayda oo kale, inaad ku dhejisay is-dhexgalka WAN-gaaga; xeerkan wuxuu u baahan yahay in la hagaajiyo si baakadaha ipsec ee baxaya ay u galaan tunnel-kayaga:
Tag qaybta "IP" - "Firewall".
"NAT" tab, fur qaanuunka snt/masquerade.
Tab horumarsan
Xildhibaan
qiimaha
Siyaasadda IPsec
baxay: midna
Dib u bilaabaya shaydaanka racoon
sudo systemctl restart racoon
Haddii racoon uusan bilaabin dib u bilaabashada, markaa waxaa jira qalad ku jira qaabeynta; syslog, racoon wuxuu soo bandhigayaa macluumaadka ku saabsan lambarka khadka ee qaladka lagu ogaaday.
Marka OS-ga kabaha la geliyo, daemon-ka racoon-ku wuxuu bilaabmaa ka hor inta aan la soo saarin is-dhexgalka shabakada, waxaanan ku qeexnay ikhtiyaarka adag_address ee qaybta dhegeysiga; waxaad u baahan tahay inaad ku darto unugga racoon faylka nidaamka
/lib/systemd/system/racoon.service, ee qaybta [Unit], line After=network.target.
Hadda tunnel-kayaga ipsec waa inuu kor u kacaa, fiiri wax soo saarka:
sudo ip xfrm policy
src 192.168.255.0/30 dst 192.168.255.0/30
dir out priority 2147483648
tmpl src 1.1.1.1 dst "IP NAT ΡΠ΅ΡΠ΅Π· ΠΊΠΎΡΠΎΡΡΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ mikrotik"
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir fwd priority 2147483648
tmpl src "IP NAT ΡΠ΅ΡΠ΅Π· ΠΊΠΎΡΠΎΡΡΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ mikrotik" dst 1.1.1.1
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir in priority 2147483648
tmpl src "IP NAT ΡΠ΅ΡΠ΅Π· ΠΊΠΎΡΠΎΡΡΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ mikrotik" dst 1.1.1.1
proto esp reqid 0 mode tunnel
Haddii tunneladu aysan kor u kicin, fiiri syslog, ama journalctl -u racoon.
Hadda waxaad u baahan tahay inaad habayso interfaces L3 si taraafikada loo maro. Waxaa jira xulashooyin kala duwan, waxaan isticmaali doonaa IPIP, maadaama mikrotik ay taageerto, waxaan isticmaali lahaa vti, laakiin, nasiib daro, weli laguma hirgelin mikrotik. Waxay kaga duwan tahay IPIP in ay sidoo kale koobin karto multicast oo ay ku dhejin karto fwmarks baakadaha kuwaas oo lagu sifeyn karo iptables iyo iproute2 (routing siyaasadda ku salaysan). Haddii aad u baahan tahay shaqada ugu badan, markaa, tusaale ahaan, GRE. Laakin ha iloobin in aan ku bixino shaqeyn dheeraad ah oo leh madax weyn.
Waxaad arki kartaa tarjumaadda dulmar wanaagsan oo ku saabsan is-dhexgalka tunnel-ka
On Linux:
# Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡ
sudo ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
# ΠΠΊΡΠΈΠ²ΠΈΡΡΠ΅ΠΌ
sudo ip link set ipip-ipsec0 up
# ΠΠ°Π·Π½Π°ΡΠ°Π΅ΠΌ Π°Π΄ΡΠ΅Ρ
sudo ip addr add 192.168.255.1/30 dev ipip-ipsec0
Hadda waxaad ku dari kartaa waddooyinka shabakadaha ka dambeeya mikrotik
sudo ip route add A.B.C.D/Prefix via 192.168.255.2
Si interface-kayaga iyo dariiqaheenna kor loogu qaado ka dib dib-u-kicinta, waxaan u baahanahay inaan ku qeexno interface-ka /etc/network/interfaces oo aan ku darno dariiqyada halkaas ka dambeeya, ama wax kasta ku qor hal fayl, tusaale ahaan, / iwm/ ipip-ipsec0.conf oo u soo jiid boostada, ha ilaawin milkiilaha faylka, xuquuqaha oo ka dhig mid la fulin karo.
Hoos waxaa ku yaal fayl tusaale
#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.255.1/30 dev ipip-ipsec0
ip route add A.B.C.D/Prefix via 192.168.255.2
On Mikrotik:
Qaybta "Interfaces", ku dar interface cusub "tunnel IP":
Tabka "tunalka IP" - "Guud"
Xildhibaan
qiimaha
magaca
Adigoo go'aankaaga ah (hadda kadib waxaa loo yaqaan IPIP-IPsec0)
QOFKA
1480 (haddii aan la cayimin, mikrotik wuxuu bilaabay inuu gooyo mtu ilaa 68)
Cinwaanka Maxaliga ah
192.168.0.2
Ciwaanka Fog
192.168.0.1
IPsec Secret
Demi garoonka (hadii kale Peer cusub ayaa la abuuri doonaa)
Ilaali
Demi goobta (haddii kale interface-ku si joogto ah ayuu u dami doonaa, maadaama mikrotika uu leeyahay qaab u gaar ah xirmooyinkan oo aanu la shaqayn Linux)
DSCP
dhaxasho
Ha jajabin
maya
Ku dheji TCP MSS
run
Allow Dariiqa Dhakhso leh
run
Qaybta "IP" - "Cinwaanka", ku dar cinwaanka:
Xildhibaan
qiimaha
Cinwaanka
192.168.0.2/30
Wajahadda
IPIP-IPsec0
Hadda waxaad ku dari kartaa dariiqyada shabakadda ee ka dambeeya mishiinka Linux; markaad ku darto waddo, albaabku wuxuu noqon doonaa interface IPIP-IPsec0.
PS
Maaddaama server-keena Linux uu yahay ku-meel-gaar, waxaa macno leh in la dejiyo cabbirka Clamp TCP MSS ee is-dhexgalka ipip:
samee fayl /etc/iptables.conf oo wata waxyaabahan soo socda:
*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
iyo gudaha /etc/network/interfaces
Dib-u-soo-celinta iptables-ka-soo-celinta </etc/iptables.conf
Waxaan haystaa nginx oo ku shaqeeya shabakada ka dambeysa mikrotik (ip 10.10.10.1), ka dhig mid laga heli karo internetka, ku dar /etc/iptables.conf:
*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
#ΠΠ° mikrotik, Π² ΡΠ°Π±Π»ΠΈΡΠ΅ mangle, Π½Π°Π΄ΠΎ Π΄ΠΎΠ±Π°Π²ΠΈΡΡ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ route Ρ Π½Π°Π·Π½Π°ΡΠ΅Π½ΠΈΠ΅ΠΌ 192.168.0.1 Π΄Π»Ρ ΠΏΠ°ΠΊΠ΅ΡΠΎΠ² Ρ Π°Π΄ΡΠ΅ΡΠΎΠΌ ΠΈΡΡΠΎΡΠ½ΠΈΠΊΠ° 10.10.10.1 ΠΈ ΠΏΠΎΡΡΠΎΠ² 80, 443.
# Π’Π°ΠΊ ΠΆΠ΅ Π½Π° linux ΡΠ°Π±ΠΎΡΠ°Π΅Ρ OpenVPN ΡΠ΅ΡΠ²Π΅Ρ 172.16.0.1/24, Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ² ΠΊΠΎΡΠΎΡΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΠ΅ ΠΊ Π½Π΅ΠΌΡ Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ ΡΠ»ΡΠ·Π° Π΄Π°Π΅ΠΌ Π΄ΠΎΡΡΡΠΏ Π² ΠΈΠ½ΡΠ΅ΡΠ½Π΅Ρ
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
Ha iloobin inaad ku darto rukhsadaha ku habboon iptables haddii aad leedahay filtarrada baakadaha karti u leh.
Caafimaadkaagu ha ahaado!
Source: www.habr.com