Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
- eth0 1.1.1.1/32, external IP
- ipip-ipsec0 192.168.0.1/30, this will be our tunnel
Mikrotik: CCR 1009, RouterOS 6.46.5
- eth0 10.0.0.2/30, internal IP from the provider. The provider's external NAT IP is dynamic.
- ipip-ipsec0 192.168.0.2/30, this will be our tunnel
We will bring up the IPsec tunnel on the Linux machine with racoon. I will not go into the details; there is a good article on that by vvpoloskin.
Install the necessary packages:
sudo apt install racoon ipsec-tools
Configure racoon; it will effectively act as the IPsec server. In main mode MikroTik cannot send an additional client identifier, and the external IP address it connects from is dynamic, so a preshared key (password authentication) cannot be used: racoon has to match the PSK either to the IP address of the connecting host or to its identifier.
We will use RSA key authentication instead.
racoon works with its own plain RSA key format, MikroTik with PEM. Keys produced by plainrsa-gen (racoon's tool) cannot be imported into MikroTik, but the reverse works: PEM is an ordinary RSA key, and plainrsa-gen can convert it. So the PEM key can be generated with openssl, ssh-keygen, or anything else.
Generate the PEM key with openssl and convert it for racoon with plainrsa-gen (the article uses 1024-bit keys; that is below current recommendations, so use at least 2048 bits):
openssl genrsa -out server-name.pem 1024
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
plainrsa-gen -i server-name.pem -f server-name.priv.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key
Put the resulting files in /etc/racoon/certs/server. They must be owned by the user racoon runs as (root by default) and have mode 600.
Now switch to MikroTik in WinBox.
Upload server-name.pub.pem to MikroTik: «Files» → «Upload».
Open «IP» → «IPsec» → «Keys». Click «Generate Key», then export MikroTik's public key with «Export Pub. Key»; the file appears in «Files», download it from there.
Import racoon's public key: «Import», and choose server-name.pub.pem in the «File name» field.
Convert the MikroTik public key into racoon's format:
plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key
and put the result in /etc/racoon/certs (this is where peers_certfile in racoon.conf will look for it).
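The key handling above, as an added example script that is not part of the original article: it generates the Linux-side pair with openssl, converts it with the same plainrsa-gen -i invocation when the tool is installed, and checks the two things that most often break here, the private key mode and whether the public PEM really belongs to the private key. It uses 2048-bit keys rather than the 1024 shown above; the directory and key names are placeholders.

```shell
#!/bin/bash
# Added example, not from the original article: generate the racoon-side RSA
# key pair, convert it for racoon, and verify the file requirements from the
# text above (private key mode 600, public PEM derived from the private key).
set -u

# $1 directory, $2 key name, $3 key size in bits (default 2048, not the 1024 used above)
gen_pem_key() {
  local dir=$1 name=$2 bits=${3:-2048}
  mkdir -p "$dir"
  # umask 077 makes openssl create the private key as mode 600 from the start
  ( umask 077; openssl genrsa -out "$dir/$name.pem" "$bits" 2>/dev/null ) || return 1
  chmod 600 "$dir/$name.pem"
  openssl rsa -in "$dir/$name.pem" -pubout -out "$dir/$name.pub.pem" 2>/dev/null
}

# Convert both PEM files to racoon's plain RSA format (same commands as the article).
# Returns 2 if plainrsa-gen (from ipsec-tools) is not installed on this host.
convert_for_racoon() {
  local dir=$1 name=$2
  command -v plainrsa-gen >/dev/null || return 2
  plainrsa-gen -i "$dir/$name.pem" -f "$dir/$name.priv.key" &&
    plainrsa-gen -i "$dir/$name.pub.pem" -f "$dir/$name.pub.key"
}

# 0 if the private key file has exactly the mode the article requires (600)
privkey_mode_ok() {
  [ "$(stat -c %a "$1")" = "600" ]
}

# 0 if the public PEM ($2) is the one derived from the private PEM ($1);
# catches a stale or mixed-up public key before racoon and MikroTik disagree
pub_matches_priv() {
  openssl rsa -in "$1" -pubout 2>/dev/null | cmp -s - "$2"
}

main() {
  local dir=${1:-/etc/racoon/certs/server} name=${2:-server-name}
  gen_pem_key "$dir" "$name" || { echo "key generation failed" >&2; return 1; }
  privkey_mode_ok "$dir/$name.pem" || { echo "$dir/$name.pem is not mode 600" >&2; return 1; }
  pub_matches_priv "$dir/$name.pem" "$dir/$name.pub.pem" || { echo "public key mismatch" >&2; return 1; }
  convert_for_racoon "$dir" "$name"
  case $? in
    0) echo "keys ready in $dir" ;;
    2) echo "plainrsa-gen not found; install ipsec-tools and rerun the conversion" >&2 ;;
    *) echo "plainrsa-gen failed" >&2; return 1 ;;
  esac
}
```

Run it as root with the target directory and key name as arguments; the checks are separate functions so they can also be run on an existing installation before restarting racoon.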
The racoon configuration, /etc/racoon/racoon.conf:
log info;
listen {
	isakmp 1.1.1.1 [500];
	isakmp_natt 1.1.1.1 [4500];
	strict_address;
}
path certificate "/etc/racoon/certs";
remote anonymous {
	passive on;            # we only answer; MikroTik, whose address we do not know, initiates
	nat_traversal on;
	exchange_mode main;
	my_identifier address 1.1.1.1;
	certificate_type plain_rsa "server/server-name.priv.key";
	peers_certfile plain_rsa "mikrotik.pub.key";
	proposal_check claim;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha512;
		authentication_method rsasig;
		dh_group modp2048;
		lifetime time 86400 sec;
	}
	generate_policy on;    # SPD entries are created from what the peer proposes in phase 2
}
sainfo anonymous {
	pfs_group modp2048;
	lifetime time 28800 sec;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha512;
	compression_algorithm deflate;
}
On MikroTik, IPsec is configured under «IP» → «IPsec».
Also, if snat/masquerade is configured for the WAN interface, add an exception for IPsec traffic above it, otherwise packets destined for the tunnel get NATed before the IPsec policy matches them:
«IP» → «Firewall».
On the «NAT» tab, above the snat/masquerade rule, add an accept rule that matches IPsec policy traffic (ipsec-policy=out,ipsec).
Restart racoon:
sudo systemctl restart racoon
Once racoon is up and the keys on both sides match, the negotiation is logged to syslog.
If racoon does not start at boot because the address from the listen block (enforced by strict_address) is not yet configured, make the unit wait for the network: edit
/lib/systemd/system/racoon.service and add After=network.target to the [Unit] section. Note that network.target only orders the unit after the network management service has started and does not guarantee that addresses are configured; After=network-online.target together with Wants=network-online.target is what actually waits for that. A drop-in created with systemctl edit racoon also survives package upgrades, unlike a change to the unit file under /lib.
Once the IPsec tunnel is established (with generate_policy on the entries appear only after phase 2 completes), the policies are visible:
sudo ip xfrm policy
src 192.168.0.0/30 dst 192.168.0.0/30
	dir out priority 2147483648
	tmpl src 1.1.1.1 dst <NAT IP of MikroTik>
		proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
	dir fwd priority 2147483648
	tmpl src <NAT IP of MikroTik> dst 1.1.1.1
		proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
	dir in priority 2147483648
	tmpl src <NAT IP of MikroTik> dst 1.1.1.1
		proto esp reqid 0 mode tunnel
If something goes wrong, look in syslog or in journalctl -u racoon.
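The check above, as an added example that is not part of the original article: a small script that reduces ip xfrm policy output to one line per policy and verifies that the three tunnel-mode ESP entries (out, in, fwd) exist for our selector with the right endpoints, which is what a monitoring or post-up script can test instead of eyeballing the output. The sample output is constructed from the listing above with 203.0.113.5 standing in for MikroTik's current NAT address.

```shell
#!/bin/bash
# Added example (not from the article): verify that the kernel SPD contains the
# three tunnel-mode ESP policies racoon's generate_policy creates for the tunnel.
set -u

# Reduce `ip xfrm policy` output to one line per policy:
#   <dir> <src-selector>-><dst-selector> <tmpl src> <tmpl dst>
# Field splitting ignores the leading tabs of the indented lines.
xfrm_policy_summary() {
  awk '
    $1 == "src"  { sel = $2 "->" $4 }
    $1 == "dir"  { dir = $2 }
    $1 == "tmpl" { tsrc = $3; tdst = $5 }
    $1 == "proto" && $2 == "esp" && $NF == "tunnel" { print dir, sel, tsrc, tdst }
  '
}

# Exit 0 only if out, in and fwd policies exist for the selector with the
# expected ESP endpoints (out: me -> peer; in/fwd: peer -> me).
#   $1 local address   $2 peer (NAT) address   $3 selector "net->net"
# Policy text is read from stdin.
ipsec_policy_ok() {
  xfrm_policy_summary | awk -v me="$1" -v peer="$2" -v sel="$3" '
    $2 == sel && $1 == "out" && $3 == me && $4 == peer                 { ok["out"] = 1 }
    $2 == sel && ($1 == "in" || $1 == "fwd") && $3 == peer && $4 == me { ok[$1] = 1 }
    END { exit !(("out" in ok) && ("in" in ok) && ("fwd" in ok)) }
  '
}

# Constructed sample of `ip xfrm policy` output; 203.0.113.5 is a placeholder
# for the address MikroTik currently has behind the provider's NAT.
sample_policy() {
  cat <<'EOF'
src 192.168.0.0/30 dst 192.168.0.0/30
	dir out priority 2147483648
	tmpl src 1.1.1.1 dst 203.0.113.5
		proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
	dir fwd priority 2147483648
	tmpl src 203.0.113.5 dst 1.1.1.1
		proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
	dir in priority 2147483648
	tmpl src 203.0.113.5 dst 1.1.1.1
		proto esp reqid 0 mode tunnel
EOF
}

# Live check on the Linux host (needs iproute2), e.g. from cron or a post-up hook:
#   ip xfrm policy | ipsec_policy_ok 1.1.1.1 <NAT IP of MikroTik> '192.168.0.0/30->192.168.0.0/30'
main() {
  if sample_policy | ipsec_policy_ok 1.1.1.1 203.0.113.5 '192.168.0.0/30->192.168.0.0/30'; then
    echo "sample SPD: tunnel policies present"
  else
    echo "sample SPD: tunnel policies missing"
  fi
}
main "$@"
```

Because MikroTik's NAT address changes, the peer argument has to come from the current phase 1 state (racoonctl show-sa isakmp on the host) rather than from a constant.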
Next we need an L3 tunnel on top of IPsec, so that there is an interface to route through. I use IPIP, which MikroTik supports; VTI, which would be more convenient, MikroTik unfortunately does not support. IPIP does not carry multicast, so if that is needed the traffic has to be steered with marks (fwmark) in iptables and iproute2 policy-based routing. Another option, which does carry multicast, is GRE.
Create the tunnel.
Linux:
sudo ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
sudo ip link set ipip-ipsec0 up
sudo ip addr add 192.168.0.1/30 dev ipip-ipsec0
Route to the networks behind MikroTik:
sudo ip route add A.B.C.D/Prefix via 192.168.0.2
To make this survive a reboot, put the commands in a script, for example /etc/ipip-ipsec0.conf (make it executable), and call it from /etc/network/interfaces with a post-up line (post-up /etc/ipip-ipsec0.conf). The script:
#!/bin/bash
# Called from /etc/network/interfaces via post-up; stop at the first error
set -e
# IPIP tunnel whose endpoints are exactly the addresses matched by the IPsec policy
ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.0.1/30 dev ipip-ipsec0
# networks behind MikroTik
ip route add A.B.C.D/Prefix via 192.168.0.2
Mikrotik:
«Interfaces», «IP tunnel»: create the IPIP tunnel with the endpoints mirrored (local address 192.168.0.2, remote address 192.168.0.1).
«IP» → «Addresses»: add 192.168.0.2/30 on the tunnel interface.
For the networks behind Linux, add routes with the IPIP-IPsec0 interface as the gateway.
PS
If the Linux host routes other traffic into the tunnel, clamp the TCP MSS on the ipip interfaces, otherwise connections with large packets will stall.
In /etc/iptables.conf:
*mangle
# Clamp MSS of SYNs leaving through any ipip interface to the path MTU
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
and in /etc/network/interfaces:
post-up iptables-restore < /etc/iptables.conf
Keep in mind that --clamp-mss-to-pmtu uses the MTU of the ipip interface, which the kernel derives from the link MTU minus the 20-byte IPIP header only; it knows nothing about the ESP and NAT-T overhead added afterwards. If transfers still stall, lower the tunnel MTU explicitly (ip link set ipip-ipsec0 mtu ...) or use --set-mss with a computed value.
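The overhead calculation behind that caveat, as an added example that is not part of the original article: the script works out the largest datagram that fits through the IPIP tunnel once ESP tunnel mode with NAT-T is wrapped around it, and the TCP MSS that implies, using the cipher parameters from the racoon config above (AES-CBC, HMAC-SHA512). The 1500-byte link MTU and the interface name are assumptions.

```shell
#!/bin/bash
# Added example (not from the article): usable MTU of the IPIP-over-ESP tunnel
# and the matching TCP MSS. Overheads: outer IPv4 20, NAT-T UDP 8, ESP SPI+seq 8,
# AES-CBC IV 16, HMAC-SHA512 ICV 32 (truncated to 256 bits per RFC 4868),
# 16-byte cipher blocks, 2-byte ESP trailer (pad length + next header).
# compression_algorithm deflate is ignored: IPComp is only applied when it
# makes the packet smaller, so the uncompressed case is the worst case.
set -u

# Largest inner IP datagram that still fits into the link MTU.
#   $1 link MTU   $2 NAT-T in use (1/0, default 1)
#   $3 cipher block size   $4 IV length   $5 ICV length   (defaults: AES-CBC, SHA512)
tunnel_mtu() {
  local link=$1 natt=${2:-1} blk=${3:-16} iv=${4:-16} icv=${5:-32}
  # outer IP header + UDP (NAT-T) + ESP SPI/sequence + IV + ICV
  local fixed=$(( 20 + natt * 8 + 8 + iv + icv ))
  # encrypted part (IPIP header + datagram + padding + 2 trailer bytes) is a block multiple
  local payload_max=$(( (link - fixed) / blk * blk ))
  echo $(( payload_max - 20 - 2 ))
}

# MTU the kernel gives an ipip device by default: link MTU minus the IPIP header only
default_ipip_mtu() { echo $(( $1 - 20 )); }

# TCP MSS for a given MTU (IPv4 header 20 + TCP header 20)
tcp_mss() { echo $(( $1 - 40 )); }

# mangle rule that pins the MSS instead of trusting --clamp-mss-to-pmtu
mss_rule() {
  echo "-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(tcp_mss "$1")"
}

main() {
  local link=${1:-1500} mtu
  mtu=$(tunnel_mtu "$link")
  echo "usable tunnel MTU: $mtu, TCP MSS: $(tcp_mss "$mtu")"
  echo "kernel default ipip MTU: $(default_ipip_mtu "$link"), clamp-to-pmtu would use MSS $(tcp_mss "$(default_ipip_mtu "$link")")"
  echo "ip link set ipip-ipsec0 mtu $mtu"
  mss_rule "$mtu"
}
main "$@"
```

The rule printed by mss_rule replaces the --clamp-mss-to-pmtu line in the *mangle section; setting the interface MTU as well makes path MTU discovery work for non-TCP traffic too.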
If there is a service behind MikroTik, for example nginx on 10.10.10.1, that must be published on the external IP of the Linux host, add to /etc/iptables.conf:
*nat
# Publish 10.10.10.1 (behind MikroTik) on the external address: ports 80 and 443
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# Networks behind MikroTik that reach the Internet through this host go out with the external address
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
This requires net.ipv4.ip_forward=1 on the Linux host. It also assumes that replies from 10.10.10.1 come back through the tunnel, which is the case when MikroTik sends that traffic out via the Linux host, as the SNAT rule for 172.16.0.0/24 implies; if the replies instead leave through the provider directly, the DNATed connections are asymmetric and break.
That is all for the iptables part.
That's all!