IPIP IPsec VPN tunnel between a Linux machine and a Mikrotik behind a provider's NAT

Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

  • eth0 1.1.1.1/32, external IP
  • ipip-ipsec0 192.168.0.1/30 will be our tunnel

Mikrotik: CCR 1009, RouterOS 6.46.5

  • eth0 10.0.0.2/30, internal IP from the provider. The provider's external NAT IP is dynamic.
  • ipip-ipsec0 192.168.0.2/30 will be our tunnel

We create the IPsec tunnel on the Linux machine using racoon. I won't describe the details; there is a good article by vvpoloskin on that.

Install the required packages:

sudo apt install racoon ipsec-tools

We configure racoon so that it acts, conditionally speaking, as the IPsec server. Since Mikrotik in main mode cannot send an additional client identifier, and the external IP address it connects to Linux from is dynamic, a pre-shared key (password authentication) will not work: the password has to be bound either to the IP address of the connecting host or to an identifier.

We will use RSA key authentication.

The racoon daemon uses keys in its own RSA format, while Mikrotik uses PEM. If you generate the keys with the plainrsa-gen utility that ships with racoon, you cannot use it to convert the public key into PEM for Mikrotik: it converts in one direction only, from PEM to RSA. Neither openssl nor ssh-keygen could read a key generated by plainrsa-gen, so they cannot be used for that either.

We generate a PEM key with openssl and then convert it for racoon with plainrsa-gen:

# Generate the key
openssl genrsa -out server-name.pem 1024
# Extract the public key
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# Convert (the private key file name must match certificate_type in racoon.conf below)
plainrsa-gen -i server-name.pem -f server-name.priv.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key

Put the resulting keys into the directory /etc/racoon/certs/server. Don't forget to set the owner to the user the racoon daemon runs as (usually root) and the permissions to 600.
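The key preparation above as a script (an added example, not part of the original article): it generates the PEM pair with openssl, converts both keys with plainrsa-gen, and installs them under /etc/racoon/certs/server with the owner and mode the text asks for. It assumes plainrsa-gen is on PATH; the 2048-bit default key size is my choice rather than the article's 1024, and CERT_DIR can be overridden so the install and permission-check functions can be exercised outside /etc.

```shell
#!/bin/sh
# Added example: prepare racoon RSA keys and install them with safe permissions.
# Assumes openssl and racoon's plainrsa-gen are installed (not verified here).
set -eu

CERT_DIR=${CERT_DIR:-/etc/racoon/certs}   # racoon's "path certificate"

# Copy a key file into place, owned by root (racoon runs as root) with mode 600.
# chown is skipped when not running as root so the function can be tested unprivileged.
install_key() {
    src=$1; dst=$2
    mkdir -p "$(dirname "$dst")"
    cp "$src" "$dst"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dst"
    fi
    chmod 600 "$dst"
}

# Return 0 only if the file is a regular file readable by its owner alone.
key_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Generate a PEM key pair with openssl and convert both halves to racoon's format.
# $2 is the key size; 2048 is this example's default (the article used 1024).
gen_racoon_keys() {
    name=$1; bits=${2:-2048}
    openssl genrsa -out "$name.pem" "$bits"
    openssl rsa -in "$name.pem" -pubout -out "$name.pub.pem"
    plainrsa-gen -i "$name.pem" -f "$name.priv.key"
    plainrsa-gen -i "$name.pub.pem" -f "$name.pub.key"
}

case "${1:-}" in
    gen)
        gen_racoon_keys server-name
        install_key server-name.priv.key "$CERT_DIR/server/server-name.priv.key"
        install_key server-name.pub.key  "$CERT_DIR/server/server-name.pub.key"
        key_perms_ok "$CERT_DIR/server/server-name.priv.key" && echo "keys installed"
        ;;
esac
```

Run it as root with the `gen` argument. `key_perms_ok` is also useful on its own before starting racoon: run it over every file in the certs directory to confirm nothing there is group- or world-readable, since the private key is the only thing authenticating this side of the tunnel.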

I'll describe the Mikrotik settings as seen when connected via WinBox.

Upload the server-name.pub.pem key to the Mikrotik: "Files" menu - "Upload".

Open the "IP" section - "IPsec" - "Keys" tab. Now we generate the keys: the "Generate Key" button, then export the Mikrotik public key with "Export Pub. Key". You can download the key from the "Files" section: right-click the file - "Download".

Import the racoon public key: "Import", and in the drop-down list of the "File name" field find the server-name.pub.pem we uploaded earlier.

The Mikrotik public key needs to be converted

plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key

and placed into the /etc/racoon/certs directory, not forgetting the owner and permissions.

racoon configuration with comments: /etc/racoon/racoon.conf

log info; # Logging level; use debug or debug2 when troubleshooting.

listen {

    isakmp 1.1.1.1 [500]; # Address and port the daemon listens on.
    isakmp_natt 1.1.1.1 [4500]; # Address and port the daemon listens on for clients behind NAT.
    strict_address; # Require binding to the IP addresses listed above.
}

path certificate "/etc/racoon/certs"; # Path to the directory with certificates/keys.

remote anonymous { # Section that sets the daemon's ISAKMP parameters and how modes are negotiated with connecting hosts. Since the IP the Mikrotik connects from is dynamic, we use anonymous, which allows connections from any address. If the hosts have static IPs, a specific address and port can be given instead.

    passive on; # Puts the daemon into "server" mode: it will not try to initiate connections.
    nat_traversal on; # Enables NAT-T for clients that are behind NAT.
    exchange_mode main; # Mode for negotiating the connection parameters, in this case main mode.
    my_identifier address 1.1.1.1; # Identify our Linux host by its IP address.
    certificate_type plain_rsa "server/server-name.priv.key"; # The server's private key.
    peers_certfile plain_rsa "mikrotik.pub.key"; # The Mikrotik's public key.

    proposal_check claim; # How ISAKMP tunnel parameters are negotiated. Racoon uses the connecting host's (initiator's) values for session lifetime and key length if its own lifetime is longer, or its own key length is shorter, than the initiator's. If its own lifetime is shorter than the initiator's, racoon uses its own lifetime and sends a RESPONDER-LIFETIME notification.
    proposal { # ISAKMP tunnel parameters.

        encryption_algorithm aes; # Encryption method for the ISAKMP tunnel.
        hash_algorithm sha512; # Hash algorithm used for the ISAKMP tunnel.
        authentication_method rsasig; # Authentication method for the ISAKMP tunnel: RSA keys.
        dh_group modp2048; # Diffie-Hellman group (key length) used when negotiating the ISAKMP tunnel.
        lifetime time 86400 sec; # Session lifetime.
    }

    generate_policy on; # Automatically create the ESP tunnels (SPD entries) from the request sent by the connecting host.
}

sainfo anonymous { # ESP tunnel parameters; anonymous means these values are used as the defaults. Different parameters can be set for different clients, ports and protocols; matching is done by IP address, port and protocol.

    pfs_group modp2048; # Diffie-Hellman group (key length) for the ESP tunnels.
    lifetime time 28800 sec; # ESP tunnel lifetime.
    encryption_algorithm aes; # Encryption method for the ESP tunnels.
    authentication_algorithm hmac_sha512; # Hash algorithm used to authenticate the ESP tunnels.
    compression_algorithm deflate; # Compress transmitted data; only one compression algorithm is offered.
}

Mikrotik configuration

Back to the "IP" section - "IPsec"

"Profiles" tab

  • Name: at your discretion (default)
  • Hash Algorithms: sha512
  • Encryption Algorithm: aes-128
  • DH Group: modp2048
  • Proposal Check: claim
  • Lifetime: 1d 00:00:00
  • NAT Traversal: true (tick the box)
  • DPD Interval: 120
  • DPD Maximum Failures: 5

"Peers" tab

  • Name: at your discretion (hereafter MyPeer)
  • Address: 1.1.1.1 (IP of the Linux machine)
  • Local Address: 10.0.0.2 (IP of the Mikrotik WAN interface)
  • Profile: default
  • Exchange Mode: main
  • Passive: false
  • Send INITIAL_CONTACT: true

"Proposals" tab

  • Name: at your discretion (hereafter MyPeerProposal)
  • Auth. Algorithms: sha512
  • Encr. Algorithms: aes-128-cbc
  • Lifetime: 08:00:00
  • PFS Group: modp2048

"Identities" tab

  • Peer: MyPeer
  • Auth. Method: rsa key
  • Key: mikrotik.privet.key
  • Remote Key: server-name.pub.pem
  • Policy Template Group: default
  • Notrack Chain: empty
  • My ID Type: auto
  • Remote ID Type: auto
  • Match By: remote id
  • Mode Configuration: empty
  • Generate Policy: no

"Policies - General" tab

  • Peer: MyPeer
  • Tunnel: true
  • Src. Address: 192.168.0.0/30
  • Dst. Address: 192.168.0.0/30
  • Protocol: 255 (all)
  • Template: false

"Policies - Action" tab

  • Action: encrypt
  • Level: require
  • IPsec Protocols: esp
  • Proposal: MyPeerProposal

Probably, like me, you have snat/masquerade configured on the WAN interface; that rule must be adjusted so that outgoing IPsec packets end up in our tunnel instead of being NATed:
Go to the "IP" - "Firewall" section.
"NAT" tab, open our snat/masquerade rule.

"Advanced" tab

  • IPsec Policy: out: none

Restart the racoon daemon

sudo systemctl restart racoon

If racoon does not start after the restart, there is an error in the configuration; in syslog racoon reports the line number where the error was detected.

At OS boot the racoon daemon starts before the network interfaces appear, and we set the strict_address option in the listen section, so you need to add the line After=network.target to the [Unit] section of the systemd unit file /lib/systemd/system/racoon.service.
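The same ordering fix done as a systemd drop-in rather than by editing the packaged unit under /lib (which a package upgrade can overwrite). This is an added example, not from the article; it uses network-online.target instead of the article's network.target, which is my choice because strict_address needs the addresses to be bound, not just the interfaces to exist, and assumes the standard /etc/systemd/system drop-in layout.

```shell
#!/bin/sh
# Added example: order racoon after the network is online via a drop-in file.
set -eu

# Write racoon.service.d/override.conf under $1 (normally /etc/systemd/system)
# and print the path of the file written.
write_racoon_dropin() {
    base=$1
    d="$base/racoon.service.d"
    mkdir -p "$d"
    cat > "$d/override.conf" <<'EOF'
[Unit]
# Wait for addresses to be configured, since racoon binds to 1.1.1.1 with strict_address.
After=network-online.target
Wants=network-online.target
EOF
    printf '%s\n' "$d/override.conf"
}

case "${1:-}" in
    apply)
        f=$(write_racoon_dropin /etc/systemd/system)
        systemctl daemon-reload
        systemctl restart racoon
        echo "wrote $f and restarted racoon"
        ;;
esac
```

`systemctl edit racoon` creates the same file interactively; `systemctl cat racoon` afterwards shows the packaged unit with the override applied so you can confirm the ordering took effect.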

Now our IPsec tunnels should be up; check the output of:

sudo ip xfrm policy

src 192.168.0.0/30 dst 192.168.0.0/30 
    dir out priority 2147483648 
    tmpl src 1.1.1.1 dst "NAT IP the Mikrotik connects through"
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir fwd priority 2147483648 
    tmpl src "NAT IP the Mikrotik connects through" dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir in priority 2147483648 
    tmpl src "NAT IP the Mikrotik connects through" dst 1.1.1.1
        proto esp reqid 0 mode tunnel

If the tunnels are not up, look at syslog or journalctl -u racoon.
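The check above as a script (an added example, not from the article). With `remote anonymous` and `generate_policy on`, the SPD entries are created from whatever the authenticated peer requests, so it is worth confirming that exactly the in, out and fwd ESP tunnel-mode policies for the tunnel /30 exist. The sample output is constructed from the page's listing, with 203.0.113.5 standing in for the provider's NAT address.

```shell
#!/bin/sh
# Added example: verify that `ip xfrm policy` shows ESP tunnel-mode policies
# for the tunnel subnet in all three directions.
set -eu

TUNNEL_NET=192.168.0.0/30

# Read `ip xfrm policy` text on stdin; succeed only if in, out and fwd
# tunnel-mode ESP policies exist for the subnet given as $1.
xfrm_tunnel_check() {
    net=$1
    awk -v net="$net" '
        # a policy block starts with "src <net> dst <net>"
        $1 == "src" { want = ($2 == net && $4 == net); next }
        want && $1 == "dir" { dir = $2; next }
        want && $1 == "proto" && $2 == "esp" && $5 == "mode" && $6 == "tunnel" { seen[dir] = 1 }
        END {
            split("in out fwd", need, " ")
            missing = ""
            for (i = 1; i <= 3; i++) if (!(need[i] in seen)) missing = missing " " need[i]
            if (missing != "") { print "missing ESP tunnel policy for:" missing; exit 1 }
            print "ESP tunnel policies present for in/out/fwd on " net
        }'
}

# Constructed sample modelled on the page's output (203.0.113.5 = provider NAT IP).
SAMPLE_OK='src 192.168.0.0/30 dst 192.168.0.0/30 
    dir out priority 2147483648 
    tmpl src 1.1.1.1 dst 203.0.113.5
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir fwd priority 2147483648 
    tmpl src 203.0.113.5 dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir in priority 2147483648 
    tmpl src 203.0.113.5 dst 1.1.1.1
        proto esp reqid 0 mode tunnel'

case "${1:-}" in
    live)   ip xfrm policy | xfrm_tunnel_check "$TUNNEL_NET" ;;
    sample) printf '%s\n' "$SAMPLE_OK" | xfrm_tunnel_check "$TUNNEL_NET" ;;
esac
```

Run with `live` on the server (as root, since `ip xfrm policy` needs it) after restarting racoon; a missing `in` or `fwd` entry usually means the Mikrotik policy's Src./Dst. Address does not match the /30 used here.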

Now you need to set up L3 interfaces to route traffic. There are various options; we use IPIP because the Mikrotik supports it. I would have used vti, but unfortunately it is not implemented in Mikrotik yet. It differs from IPIP in that it can additionally encapsulate multicast and put fwmarks on packets, which lets you filter them in iptables and iproute2 (policy-based routing). If you need maximum functionality, take GRE, for example. But keep in mind that we pay for the extra functionality with a larger header.

A translation of a good overview of tunnel interfaces can be found here.

On Linux:

# Create the interface (tunnel addresses as planned above: 192.168.0.1 on Linux, 192.168.0.2 on the Mikrotik)
sudo ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
# Bring it up
sudo ip link set ipip-ipsec0 up
# Assign the address
sudo ip addr add 192.168.0.1/30 dev ipip-ipsec0

Now you can add routes to the networks behind the Mikrotik:

sudo ip route add A.B.C.D/Prefix via 192.168.0.2

For our interface and routes to come up after a reboot, we need to either describe the interface in /etc/network/interfaces and add the routes there in post-up, or write everything into a single file, e.g. /etc/ipip-ipsec0.conf, and call it from post-up; don't forget the file's owner and permissions, and make it executable.

An example file is given below

#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.0.1/30 dev ipip-ipsec0

ip route add A.B.C.D/Prefix via 192.168.0.2
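An idempotent version of that file, as an added example rather than the article's own script: `post-up` runs again on every `ifup`, and `ip tunnel add` fails when the interface already exists, so the script checks sysfs first and uses `replace` for the address and routes. Addresses follow the page's plan; the MTU of 1480 matches the Mikrotik side (IPIP adds a 20-byte outer IPv4 header to the assumed 1500-byte underlay); the route list 10.10.10.0/24 is a constructed placeholder for the networks behind the Mikrotik.

```shell
#!/bin/sh
# Added example: idempotent /etc/ipip-ipsec0.conf. Usage: ipip-ipsec0.conf up|down
set -eu

IF=ipip-ipsec0
LOCAL_IP=192.168.0.1
REMOTE_IP=192.168.0.2
PREFIX=30
UNDERLAY_MTU=1500          # assumed MTU of eth0
ROUTES="10.10.10.0/24"     # constructed example: prefixes behind the Mikrotik, space-separated

# True if an interface with this name exists (sysfs check, needs no iproute2).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# IPIP adds a 20-byte outer IPv4 header, so the tunnel MTU is the underlay MTU minus 20.
ipip_mtu() {
    echo $(( $1 - 20 ))
}

# Create the tunnel only when it is missing; "replace" makes the address and
# route steps safe to repeat.
bring_up() {
    if ! iface_exists "$IF"; then
        ip tunnel add "$IF" local "$LOCAL_IP" remote "$REMOTE_IP" mode ipip
    fi
    ip link set "$IF" mtu "$(ipip_mtu "$UNDERLAY_MTU")" up
    ip addr replace "$LOCAL_IP/$PREFIX" dev "$IF"
    for net in $ROUTES; do
        ip route replace "$net" via "$REMOTE_IP" dev "$IF"
    done
}

# Tear down for post-down; routes through the interface disappear with it.
bring_down() {
    if iface_exists "$IF"; then
        ip link set "$IF" down
        ip tunnel del "$IF"
    fi
}

case "${1:-}" in
    up)   bring_up ;;
    down) bring_down ;;
esac
```

In /etc/network/interfaces the hooks then read `post-up /etc/ipip-ipsec0.conf up` and `post-down /etc/ipip-ipsec0.conf down` on the eth0 stanza, so the tunnel follows the underlay interface.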

On the Mikrotik:

In the "Interfaces" section add a new "IP tunnel" interface:

"IP tunnel" tab - "General"

  • Name: at your discretion (hereafter IPIP-IPsec0)
  • MTU: 1480 (if not set, the Mikrotik starts cutting the MTU down to 68)
  • Local Address: 192.168.0.2
  • Remote Address: 192.168.0.1
  • IPsec Secret: clear the field (otherwise a new Peer is created)
  • Keepalive: clear the field (otherwise the interface keeps going down, because the Mikrotik has its own format for these packets and it does not work with Linux)
  • DSCP: inherit
  • Don't Fragment: no
  • Clamp TCP MSS: true
  • Allow Fast Path: true

"IP" section - "Addresses", add an address:

  • Address: 192.168.0.2/30
  • Interface: IPIP-IPsec0

Now you can add routes to the networks behind the Linux machine; when adding a route, the gateway is our IPIP-IPsec0 interface.

PS

Since our Linux server is a transit host, it makes sense to clamp the TCP MSS on the ipip interfaces:

create the file /etc/iptables.conf with the following content:

*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

and in /etc/network/interfaces
post-up iptables-restore </etc/iptables.conf

I have nginx running on the network behind the Mikrotik (IP 10.10.10.1); to make it reachable from the Internet, add to /etc/iptables.conf:

*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# On the Mikrotik, in the mangle table, add a route rule with destination 192.168.0.1 for packets with source address 10.10.10.1 and ports 80, 443, so replies go back through the tunnel.

# An OpenVPN server 172.16.0.1/24 also runs on the Linux box; give Internet access to the clients that use it as their gateway
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT

If you have packet filtering enabled, don't forget to add the corresponding permit rules to iptables.

Stay healthy!

Source: www.habr.com
