Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
- Eth0 1.1.1.1/32, external IP
- ipip-ipsec0 192.168.0.1/30 will be our tunnel
Mikrotik: CCR 1009, RouterOS 6.46.5
- Eth0 10.0.0.2/30, internal IP from the provider. The provider's external NAT IP is dynamic.
- ipip-ipsec0 192.168.0.2/30 will be our tunnel
We build the IPsec tunnel on the Linux machine with racoon. I will not describe the details; there is a good
Install the required packages:
sudo apt install racoon ipsec-tools
We configure racoon so that it acts, loosely speaking, as the IPsec server. Because Mikrotik in main mode cannot send an additional client identifier, and because the external IP address from which it connects to Linux is dynamic, a pre-shared key (password authentication) will not work: the password has to be bound either to the IP address of the connecting host or to an identifier.
We will use authentication with RSA keys.
The racoon daemon uses keys in its own RSA format, while Mikrotik uses PEM. If you generate the keys with the plainrsa-gen utility that ships with racoon, you will not be able to use it to convert the public key into PEM for Mikrotik: it converts in one direction only, from PEM to RSA. Neither openssl nor ssh-keygen could read a key generated by plainrsa-gen, so they cannot be used for this either.
So we generate a PEM key with openssl and then convert it for racoon with plainrsa-gen:
# Generate the key
openssl genrsa -out server-name.pem 1024
# Extract the public key
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# Convert both keys to racoon's plain RSA format (the private key name must match racoon.conf)
plainrsa-gen -i server-name.pem -f server-name.priv.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key
We put the resulting keys in the folder /etc/racoon/certs/server. Do not forget to set the owner to the user the racoon daemon runs as (usually root) and the permissions to 600.
I will describe the Mikrotik settings as they appear when connected via WinBox.
Upload the server-name.pub.pem key to Mikrotik: menu "Files" - "Upload".
Open the "IP" section - "IPsec" - "Keys" tab. Now we generate the keys: the "Generate Key" button, then export the Mikrotik public key with "Export Pub. Key". You can download it from the "Files" section: right-click the file - "Download".
We import the racoon public key: "Import", and in the drop-down list of the "File name" field we find the server-name.pub.pem we uploaded earlier.
The Mikrotik public key needs to be converted
plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key
and placed in the folder /etc/racoon/certs; do not forget the owner and permissions.
racoon configuration with comments: /etc/racoon/racoon.conf
log info; # Logging level; for debugging use debug or debug2.
listen {
    isakmp 1.1.1.1 [500]; # Address and port the daemon listens on.
    isakmp_natt 1.1.1.1 [4500]; # Address and port the daemon listens on for clients behind NAT.
    strict_address; # Require the binding to the addresses listed above to succeed.
}
path certificate "/etc/racoon/certs"; # Path to the folder with the certificates/keys.
remote anonymous { # Section defining how the daemon handles ISAKMP and negotiates modes with connecting hosts. Since the IP from which Mikrotik connects is dynamic, we use anonymous, which allows connections from any address. If the hosts have static IPs, a specific address and port can be given.
    passive on; # Puts the daemon in "server" mode: it will not try to initiate connections.
    nat_traversal on; # Enables NAT-T for clients that are behind NAT.
    exchange_mode main; # Exchange mode for negotiating the connection parameters, in this case main mode.
    my_identifier address 1.1.1.1; # Identify our Linux host by its IP address.
    certificate_type plain_rsa "server/server-name.priv.key"; # Private key of the server.
    peers_certfile plain_rsa "mikrotik.pub.key"; # Public key of Mikrotik.
    proposal_check claim; # Negotiation mode for the ISAKMP tunnel parameters. Racoon will use the connecting host's (initiator's) values for the session lifetime and key length if its own session lifetime is longer or its own key length is shorter than the initiator's. If its session lifetime is shorter than the initiator's, racoon uses its own lifetime value and sends a RESPONDER-LIFETIME notification.
    proposal { # ISAKMP tunnel parameters.
        encryption_algorithm aes; # Encryption algorithm for the ISAKMP tunnel.
        hash_algorithm sha512; # Hash algorithm used for the ISAKMP tunnel.
        authentication_method rsasig; # Authentication method for the ISAKMP tunnel: RSA keys.
        dh_group modp2048; # Diffie-Hellman group (key length) for the ISAKMP negotiation.
        lifetime time 86400 sec; # Session lifetime.
    }
    generate_policy on; # Automatically create ESP tunnels from the request that arrives from the connecting host.
}
sainfo anonymous { # ESP tunnel parameters; anonymous means these values are used as the defaults. Different parameters can be set for different clients, ports and protocols; matching is done by IP address, port and protocol.
    pfs_group modp2048; # Diffie-Hellman group (key length) for the ESP tunnels.
    lifetime time 28800 sec; # Lifetime of the ESP tunnels.
    encryption_algorithm aes; # Encryption algorithm for the ESP tunnels.
    authentication_algorithm hmac_sha512; # Hash algorithm used to authenticate the ESP tunnels.
    compression_algorithm deflate; # Compress the transmitted data; only one compression algorithm is offered.
}
Mikrotik configuration
Return to the "IP" section - "IPsec"
"Profiles" tab
Parameter | Value
Name | at your discretion (default)
Hash Algorithm | sha512
Encryption Algorithm | aes-128
DH Group | modp2048
Proposal Check | claim
Lifetime | 1d 00:00:00
NAT Traversal | true (check the box)
DPD Interval | 120
DPD Maximum Failures | 5
"Peers" tab
Parameter | Value
Name | at your discretion (hereafter MyPeer)
Address | 1.1.1.1 (IP of the Linux machine)
Local Address | 10.0.0.2 (IP of the Mikrotik WAN interface)
Profile | default
Exchange Mode | main
Passive | false
Send INITIAL_CONTACT | true
"Proposals" tab
Parameter | Value
Name | at your discretion (hereafter MyPeerProposal)
Auth. Algorithms | sha512
Encr. Algorithms | aes-128-cbc
Lifetime | 08:00:00
PFS Group | modp2048
"Identities" tab
Parameter | Value
Peer | MyPeer
Auth. Method | rsa key
Key | mikrotik.privet.key
Remote Key | server-name.pub.pem
Policy Template Group | default
Notrack Chain | empty
My ID Type | auto
Remote ID Type | auto
Match By | remote id
Mode Configuration | empty
Generate Policy | no
"Policies - General" tab
Parameter | Value
Peer | MyPeer
Tunnel | true
Src. Address | 192.168.0.0/30
Dst. Address | 192.168.0.0/30
Protocol | 255 (all)
Template | false
"Policies - Action" tab
Parameter | Value
Action | encrypt
Level | require
IPsec Protocols | esp
Proposal | MyPeerProposal
Most likely, like me, you have snat/masquerade configured on the WAN interface; that rule has to be adjusted so that outgoing ipsec packets get into our tunnel:
Go to the "IP" - "Firewall" section.
"NAT" tab, open our snat/masquerade rule.
"Advanced" tab
Parameter | Value
IPsec Policy | out: none
Restart the racoon daemon:
sudo systemctl restart racoon
If racoon does not start after the restart, there is an error in the configuration; racoon writes the line number at which the error was found to syslog.
When the OS boots, the racoon daemon starts before the network interfaces appear, and we set the strict_address option in the listen section; so you need to add the line After=network.target to the [Unit] section of the systemd unit file /lib/systemd/system/racoon.service.
Now our ipsec tunnels should be up; check the output:
sudo ip xfrm policy
src 192.168.255.0/30 dst 192.168.255.0/30
    dir out priority 2147483648
    tmpl src 1.1.1.1 dst "NAT IP through which Mikrotik connects"
        proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
    dir fwd priority 2147483648
    tmpl src "NAT IP through which Mikrotik connects" dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
    dir in priority 2147483648
    tmpl src "NAT IP through which Mikrotik connects" dst 1.1.1.1
        proto esp reqid 0 mode tunnel
If the tunnels are not up, look in syslog or in journalctl -u racoon.
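All three directions (out, fwd, in) must be present for the tunnel to carry traffic both ways; a policy set with only some of them is a common sign of a negotiation that half-succeeded. The following Python check is an added example and not part of the article: it parses `ip xfrm policy` output and reports the directions that lack an ESP tunnel-mode policy anchored on our own address. The sample output is constructed to mirror the listing above, with 203.0.113.7 standing in for the provider's NAT address.

```python
import re
from typing import Dict, List

# Constructed sample shaped like `ip xfrm policy` output; 203.0.113.7 is a placeholder NAT address.
SAMPLE_XFRM_POLICY = """\
src 192.168.255.0/30 dst 192.168.255.0/30
    dir out priority 2147483648
    tmpl src 1.1.1.1 dst 203.0.113.7
        proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
    dir fwd priority 2147483648
    tmpl src 203.0.113.7 dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
    dir in priority 2147483648
    tmpl src 203.0.113.7 dst 1.1.1.1
        proto esp reqid 0 mode tunnel
"""

def parse_xfrm_policies(text: str) -> List[Dict[str, str]]:
    """Turn `ip xfrm policy` output into one dict per policy entry."""
    policies: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):  # every policy entry starts with its selector
            m = re.match(r"src (\S+) dst (\S+)", line)
            policies.append({"src": m.group(1), "dst": m.group(2)})
        elif policies and line.startswith("dir "):
            policies[-1]["dir"] = line.split()[1]
        elif policies and line.startswith("tmpl "):
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            policies[-1]["tmpl_src"], policies[-1]["tmpl_dst"] = m.groups()
        elif policies and line.startswith("proto "):
            m = re.match(r"proto (\S+) .*mode (\S+)", line)
            policies[-1]["proto"], policies[-1]["mode"] = m.groups()
    return policies

def missing_tunnel_directions(text: str, subnet: str, local_ip: str) -> List[str]:
    """Directions (out/in/fwd) with no ESP tunnel-mode policy for `subnet` anchored on `local_ip`."""
    found = set()
    for p in parse_xfrm_policies(text):
        if ((p.get("src"), p.get("dst")) != (subnet, subnet)
                or p.get("proto") != "esp" or p.get("mode") != "tunnel"):
            continue
        # Outbound ESP must originate from our address; inbound and forward must terminate on it.
        direction = p.get("dir")
        anchor = p.get("tmpl_src") if direction == "out" else p.get("tmpl_dst")
        if direction and anchor == local_ip:
            found.add(direction)
    return sorted({"out", "in", "fwd"} - found)  # empty list means the tunnel is fully installed
```

On a live host, feed it `subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True).stdout` instead of the sample.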
Now you need to set up L3 interfaces to route traffic. There are several options; we use IPIP because Mikrotik supports it. I would have used vti, but unfortunately it is not implemented in Mikrotik yet. It differs from IPIP in that it can additionally encapsulate multicast and set fwmarks on packets, which can then be filtered with iptables and iproute2 (policy-based routing). If you need maximum functionality, use GRE, for example. But keep in mind that the extra functionality is paid for with a larger header.
You can see a translation of a good overview of tunnel interfaces
On Linux:
# Create the interface
sudo ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
# Bring it up
sudo ip link set ipip-ipsec0 up
# Assign the address
sudo ip addr add 192.168.255.1/30 dev ipip-ipsec0
Now you can add routes to the networks behind Mikrotik
sudo ip route add A.B.C.D/Prefix via 192.168.255.2
For our interface and routes to come up after a reboot, we need to describe the interface in /etc/network/interfaces and add the routes there in post-up, or write everything into one file, e.g. /etc/ipip-ipsec0.conf, and call it from post-up; do not forget the file owner and permissions, and make it executable.
Below is an example file
#!/bin/bash
# Called from post-up in /etc/network/interfaces: creates the IPIP interface that runs over the IPsec tunnel
ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.255.1/30 dev ipip-ipsec0
# Networks behind Mikrotik (replace A.B.C.D/Prefix with the real prefix)
ip route add A.B.C.D/Prefix via 192.168.255.2
On Mikrotik:
In the "Interfaces" section add a new "IP tunnel" interface:
"IP tunnel" tab - "General"
Parameter | Value
Name | at your discretion (hereafter IPIP-IPsec0)
MTU | 1480 (if not set, Mikrotik starts lowering the MTU down to 68)
Local Address | 192.168.0.2
Remote Address | 192.168.0.1
IPsec Secret | leave the field empty (otherwise a new Peer is created)
Keepalive | leave the field empty (otherwise the interface keeps going down, because Mikrotik uses its own format for these packets and it does not interoperate with Linux)
DSCP | inherit
Don't Fragment | no
Clamp TCP MSS | true
Allow Fast Path | true
"IP" section - "Addresses", add an address:
Parameter | Value
Address | 192.168.0.2/30
Interface | IPIP-IPsec0
Now you can add routes to the network behind the Linux machine; when adding a route, the gateway is our IPIP-IPsec0 interface.
PS
Since our Linux server is a transit host, it makes sense to set the Clamp TCP MSS parameter for the ipip interfaces too:
create the file /etc/iptables.conf with the following content:
*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
and in /etc/network/interfaces
post-up iptables-restore </etc/iptables.conf
I have nginx running on the network behind Mikrotik (ip 10.10.10.1); to make it reachable from the Internet, add to /etc/iptables.conf:
*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# On Mikrotik, in the mangle table, add a route rule with destination 192.168.0.1 for packets with source address 10.10.10.1 and ports 80, 443.
# An OpenVPN server 172.16.0.1/24 also runs on the Linux host; clients that use it as their gateway are given Internet access
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
If you have packet filtering enabled, do not forget to add the corresponding allow rules to iptables.
Stay healthy!
Manba: www.habr.com