Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
- eth0 1.1.1.1/32 external IP
- ipip-ipsec0 192.168.0.1/30 will be our address inside the tunnel
Mikrotik: CCR 1009, RouterOS 6.46.5
- Eth0 10.0.0.2/30 internal IP from the provider. The external NAT IP the provider hands out is dynamic.
- ipip-ipsec0 192.168.0.2/30 will be the address inside the tunnel
We will bring up an IPsec tunnel on the Linux machine using racoon. I will not go into the details here; there is a good article on that.
Install the required packages:
sudo apt install racoon ipsec-tools
We configure racoon; it will act as the IPsec server. Since Mikrotik in main mode cannot send an additional host identifier, and the external IP address through which it connects to the Linux machine is dynamic, a pre-shared key (password authentication) will not work: the password has to be matched either to the IP address of the connecting host or to its identifier.
We will therefore use RSA keys for authentication.
The racoon daemon uses keys in its own RSA format, while Mikrotik uses PEM. If you generate the keys with the plainrsa-gen utility that ships with racoon, you cannot use it to convert the public key into PEM for Mikrotik, because it converts in one direction only: PEM to RSA. Neither openssl nor ssh-keygen can read a key generated by plainrsa-gen, so there would be no way to perform the conversion at all.
So we generate a PEM key with openssl and then convert it for racoon with plainrsa-gen:
# Generate the key (1024 bits as in the article; 2048 or more is the current recommendation)
openssl genrsa -out server-name.pem 1024
# Extract the public key
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# Convert both keys to racoon's plain RSA format
plainrsa-gen -i server-name.pem -f server-name.privet.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key
We put the keys in the directory /etc/racoon/certs/server. Do not forget to make the files owned by the user the racoon daemon runs as (usually root) and to set their permissions to 600.
Now the Mikrotik side. I describe the setup as done through WinBox.
Upload the server-name.pub.pem key to the Mikrotik: menu "Files" - "Upload".
Open the "IP" section - "IPsec" - "Keys" tab. Generate a key pair there with the "Generate Key" button, then export the Mikrotik public key with "Export Pub. Key"; the exported file appears in the "Files" section, from where you can fetch it by right-clicking the file - "Download".
Import the server's public key with "Import"; in the drop-down list of the "File name" field pick the server-name.pub.pem uploaded earlier.
The Mikrotik public key now has to be converted for racoon:
plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key
and placed in the /etc/racoon/certs directory, again with the right owner and permissions.
The racoon config with comments, /etc/racoon/racoon.conf:
log info; # Logging level; while debugging use debug or debug2.
listen {
isakmp 1.1.1.1 [500]; # Address and port the daemon listens on.
isakmp_natt 1.1.1.1 [4500]; # Address and port the daemon listens on for clients behind NAT.
strict_address; # Require that the daemon can actually bind to the addresses listed above.
}
path certificate "/etc/racoon/certs"; # Directory holding the keys.
remote anonymous { # Section with the ISAKMP settings and the modes negotiated with connecting hosts. Because the IP the Mikrotik connects from is dynamic we use anonymous, which allows connections from any address. If the peer has a static IP you can give a specific address and port here instead.
passive on; # "Server" mode: the daemon will not try to initiate connections itself.
nat_traversal on; # Enable NAT-T for clients that sit behind NAT.
exchange_mode main; # Exchange mode for negotiating the connection parameters; here main mode.
my_identifier address 1.1.1.1; # Identify our Linux host by its IP address.
certificate_type plain_rsa "server/server-name.privet.key"; # The server's private key (the file generated above).
peers_certfile plain_rsa "mikrotik.pub.key"; # The Mikrotik public key.
proposal_check claim; # How ISAKMP proposals are reconciled. Racoon uses the connecting host's (initiator's) values for the session lifetime and key length if its own lifetime is longer, or its key length shorter, than the initiator's. If its own lifetime is shorter than the initiator's, racoon uses its own lifetime and sends a RESPONDER-LIFETIME message.
proposal { # ISAKMP (phase 1) parameters.
encryption_algorithm aes; # Encryption algorithm for the ISAKMP SA.
hash_algorithm sha512; # Hash algorithm for the ISAKMP SA.
authentication_method rsasig; # Authentication for the ISAKMP SA: RSA signatures.
dh_group modp2048; # Diffie-Hellman group used when negotiating the ISAKMP SA.
lifetime time 86400 sec; # ISAKMP SA lifetime.
}
generate_policy on; # Automatically create ESP policies from the request sent by the connecting host.
}
sainfo anonymous { # ESP (phase 2) parameters; anonymous means these are the defaults. Different clients, ports and protocols can get different parameters; matching is by IP address, port and protocol.
pfs_group modp2048; # Diffie-Hellman group for PFS on the ESP SAs.
lifetime time 28800 sec; # ESP SA lifetime.
encryption_algorithm aes; # Encryption algorithm for the ESP SAs.
authentication_algorithm hmac_sha512; # Integrity algorithm for the ESP SAs.
compression_algorithm deflate; # Compress the transmitted data; deflate is the only algorithm offered.
}
Mikrotik configuration
Go to the "IP" section - "IPsec".
"Profiles" tab:
- Name: at your discretion (by default: default)
- Hash Algorithm: sha512
- Encryption Algorithm: aes-128
- DH Group: modp2048
- Proposal Check: claim
- Lifetime: 1d 00:00:00
- NAT Traversal: true (tick the box)
- DPD Interval: 120
- DPD Maximum Failures: 5
"Peers" tab:
- Name: at your discretion (referred to below as MyPeer)
- Address: 1.1.1.1 (the Linux machine's IP)
- Local Address: 10.0.0.2 (the IP of the Mikrotik WAN interface)
- Profile: left as is (default)
- Exchange Mode: main
- Passive: false
- Send INITIAL_CONTACT: true
"Proposals" tab:
- Name: at your discretion (referred to below as MyPeerProposal)
- Auth. Algorithms: sha512
- Encr. Algorithms: aes-128-cbc
- Lifetime: 08:00:00
- PFS Group: modp2048
"Identities" tab:
- Peer: MyPeer
- Auth. Method: rsa key
- Key: mikrotik.privet.key
- Remote Key: server-name.pub.pem
- Policy Template Group: empty
- Notrack Chain: left as is
- My ID Type: auto
- Remote ID Type: auto
- Match By: remote id
- Mode Configuration: empty
- Generate Policy: no
"Policies" tab - "General":
- Peer: MyPeer
- Tunnel: true
- Src. Address: 192.168.0.0/30
- Dst. Address: 192.168.0.0/30
- Protocol: 255 (all)
- Template: false
"Policies" tab - "Action":
- Action: encrypt
- Level: require
- IPsec Protocols: ESP
- Proposal: MyPeerProposal
Most likely, like me, you have snat/masquerade configured on the WAN interface; that rule has to be adjusted so that outgoing IPsec packets go into our tunnel instead of being NATed:
Go to the "IP" section - "Firewall".
"NAT" tab, open the snat/masquerade rule.
"Advanced" tab:
- IPsec Policy: out: none
Restart racoon:
sudo systemctl restart racoon
If racoon does not start after the restart, there is an error in the config; racoon writes the number of the offending line to syslog.
At boot the racoon daemon starts before the network interfaces are up, and we set the strict_address option in the listen section, so it would fail to bind. Add a dependency on the network to the racoon unit in /lib/systemd/system/racoon.service: in the [Unit] section, the line After=network.target.
Now our IPsec tunnels should be up; check with the output of:
sudo ip xfrm policy
src 192.168.255.0/30 dst 192.168.255.0/30
dir out priority 2147483648
tmpl src 1.1.1.1 dst <NAT IP the Mikrotik connects through>
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir fwd priority 2147483648
tmpl src <NAT IP the Mikrotik connects through> dst 1.1.1.1
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir in priority 2147483648
tmpl src <NAT IP the Mikrotik connects through> dst 1.1.1.1
proto esp reqid 0 mode tunnel
If the tunnels are not up, look in syslog or in journalctl -u racoon.
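As an added check (not part of the original article), the following script parses `ip xfrm policy` output in the format shown above and confirms that ESP tunnel-mode policies exist for the tunnel subnet in all three directions; the listing embedded in it is constructed, and 203.0.113.7 stands in for the NAT address the Mikrotik connects through.

```shell
#!/bin/sh
# Added check (not from the original article): confirm from `ip xfrm policy`
# output that ESP tunnel-mode policies exist in all three directions (out, fwd,
# in) for the tunnel subnet, i.e. the listing is complete.
# Usage on the server:  sudo ip xfrm policy | xfrm_tunnel_ok 192.168.255.0/30 192.168.255.0/30

xfrm_tunnel_ok() {
    # $1 = expected src selector, $2 = expected dst selector; policy text on stdin.
    # Prints which directions were found; exit status 0 only if all three are present.
    awk -v want_src="$1" -v want_dst="$2" '
        # "src A dst B" opens a new policy record
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; dir = "" }
        $1 == "dir" { dir = $2 }
        # a template line with ESP in tunnel mode completes the record
        $1 == "proto" && $2 == "esp" && /mode tunnel/ {
            if (src == want_src && dst == want_dst && dir != "") seen[dir] = 1
        }
        END {
            o = ("out" in seen); f = ("fwd" in seen); i = ("in" in seen)
            printf "out=%d fwd=%d in=%d\n", o, f, i
            exit (o && f && i) ? 0 : 1
        }'
}

# Constructed sample in the format of the listing above; 203.0.113.7 is a
# placeholder for the NAT address the Mikrotik connects through.
SAMPLE_FULL='src 192.168.255.0/30 dst 192.168.255.0/30
dir out priority 2147483648
tmpl src 1.1.1.1 dst 203.0.113.7
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir fwd priority 2147483648
tmpl src 203.0.113.7 dst 1.1.1.1
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir in priority 2147483648
tmpl src 203.0.113.7 dst 1.1.1.1
proto esp reqid 0 mode tunnel'

# Constructed incomplete listing: only the outbound policy was installed.
SAMPLE_PARTIAL='src 192.168.255.0/30 dst 192.168.255.0/30
dir out priority 2147483648
tmpl src 1.1.1.1 dst 203.0.113.7
proto esp reqid 0 mode tunnel'

printf '%s\n' "$SAMPLE_FULL" | xfrm_tunnel_ok 192.168.255.0/30 192.168.255.0/30
```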
Now we need L3 interfaces to route traffic through. There are several options; we will use IPIP, since Mikrotik supports it. I would have preferred vti, but unfortunately it is not implemented in RouterOS yet. It differs from IPIP in that it can additionally encapsulate multicast and sets fwmarks on packets, by which they can be filtered in iptables and iproute2 (policy-based routing). If you need the most functionality, look at GRE, but keep in mind that extra functionality is paid for with a larger overhead.
A short overview of the tunnel interface types is available elsewhere. On Linux:
# Create the interface
sudo ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
# Bring it up
sudo ip link set ipip-ipsec0 up
# Assign the address
sudo ip addr add 192.168.255.1/30 dev ipip-ipsec0
Now routes to the networks behind the Mikrotik can be added:
sudo ip route add A.B.C.D/Prefix via 192.168.255.2
For the interface and routes to come back after a reboot, describe the interface in /etc/network/interfaces and add the routes there with post-up, or put everything into one file, for example /etc/ipip-ipsec0.conf, and run it from post-up; in that case do not forget the file owner and permissions, and make it executable.
I use an example file like this:
#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.255.1/30 dev ipip-ipsec0
ip route add A.B.C.D/Prefix via 192.168.255.2
On the Mikrotik:
"Interfaces" section, add a new "IP Tunnel" interface:
"IP Tunnel" tab - "General":
- Name: at your discretion (referred to below as IPIP-IPsec0)
- MTU: 1480 (if not set, Mikrotik starts cutting it down to 68)
- Local Address: 192.168.0.2
- Remote Address: 192.168.0.1
- IPsec Secret: leave the field disabled (otherwise a new peer would be created)
- Keepalive: leave the field disabled (otherwise the interface keeps going down, because Mikrotik has its own format for these packets that does not interoperate with Linux)
- DSCP: inherit
- Don't Fragment: no
- Clamp TCP MSS: true
- Allow Fast Path: true
"IP" section - "Addresses", add the address:
- Address: 192.168.0.2/30
- Interface: IPIP-IPsec0
Now routes to the networks behind the Linux machine can be added; when adding a route, the gateway is our IPIP-IPsec0 interface.
PS
On the Linux server I found that Clamp TCP MSS has to be set for the ipip interfaces as well; this is done with iptables.
Create the file /etc/iptables.conf with the following content:
*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
and in /etc/network/interfaces:
post-up iptables-restore < /etc/iptables.conf
I have nginx running on the network behind the Mikrotik (IP 10.10.10.1); to make it reachable from the Internet, add to /etc/iptables.conf:
*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# On the Mikrotik, in the mangle table, add a route rule with destination 192.168.0.1 for packets with source address 10.10.10.1 and ports 80, 443, so that the replies go back through the tunnel.
# An OpenVPN server 172.16.0.1/24 also runs on the Linux box; clients that use it as their gateway get Internet access through this SNAT.
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
Do not forget to add the corresponding accept rules to iptables if you have packet filtering enabled.
Good luck!
Source: www.habr.com