IPIP IPsec VPN tunnel between a Linux machine and a Mikrotik behind a provider's NAT

Linux: Ubuntu 18.04.4 LTS (GNU / Linux 4.15.0-91-generic x86_64)


  • Eth0 1.1.1.1/32 external IP
  • ipip-ipsec0 192.168.0.1/30 will be our tunnel

Mikrotik: CCR 1009, RouterOS 6.46.5


  • Eth0 10.0.0.2/30 internal IP from the provider. The provider's external NAT IP is dynamic.
  • ipip-ipsec0 192.168.0.2/30 will be our tunnel

We will bring up the IPsec tunnel on the Linux machine using racoon. I will not go into the details; there is a good article by vvpoloskin.


Install the required packages:


sudo apt install racoon ipsec-tools

We configure racoon; it will act as the IPsec server. Because Mikrotik in main mode cannot send an additional client identifier, and the external IP address it uses to connect to Linux is dynamic, you cannot use a preshared key (password authorization): the password must be mapped either to the IP address of the connecting host or to an identifier.


We will use RSA key authorization instead.


racoon RSA, mikrotik — PEM. plainrsa-gen racoon, Mikrotika PEM — : PEM RSA. plainrsa-gen openssl, ssh-keygen, .


Generate a PEM key pair with openssl and convert it to racoon's format with plainrsa-gen:


# generate the private key
openssl genrsa -out server-name.pem 1024
# extract the public key from it
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# convert both keys to racoon's plain RSA format
plainrsa-gen -i server-name.pem -f server-name.priv.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key

Place the converted keys in /etc/racoon/certs/server. They must be owned by the user racoon runs as (root) and have permissions 600.


Next, the Mikrotik side, configured via WinBox.


Upload server-name.pub.pem to the Mikrotik: «Files» — «Upload».


«IP» — «IPsec» — «Keys». Click «Generate Key» to create the Mikrotik key pair, then «Export Pub. Key»; the exported file appears under «Files», from where it can be fetched with «Download».


To add the racoon key, click «Import» and choose server-name.pub.pem in «File name».


Convert the exported Mikrotik public key to racoon's format:


plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key

and place it in /etc/racoon/certs.


racoon configuration: /etc/racoon/racoon.conf
log info; # log level; raise to debug or debug2 when troubleshooting.

listen {

    isakmp 1.1.1.1 [500]; # address and port for ISAKMP.
    isakmp_natt 1.1.1.1 [4500]; # address and port for NAT-T, used when the peer is behind NAT.
    strict_address; # bind only to the listed addresses and fail if they are not present.
}

path certificate "/etc/racoon/certs"; # directory with the keys.

remote anonymous { # settings for ISAKMP peers; the Mikrotik's external IP is dynamic and unknown in advance, so anonymous is used instead of an address.

    passive on; # only respond, never initiate: we do not know the peer's address.
    nat_traversal on; # enable NAT-T, since the Mikrotik sits behind the provider's NAT.
    exchange_mode main; # main mode.
    my_identifier address 1.1.1.1; # identify the linux side by its IP address.
    certificate_type plain_rsa "server/server-name.priv.key"; # our private key.
    peers_certfile plain_rsa "mikrotik.pub.key"; # the Mikrotik's public key.

    proposal_check claim; # how to treat the peer's ISAKMP proposal. With claim, racoon accepts the peer's lifetime if it is shorter than ours; if it is longer, racoon uses its own value and reports it to the peer with a RESPONDER-LIFETIME notification.
    proposal { # ISAKMP SA parameters.

        encryption_algorithm aes; # ISAKMP encryption.
        hash_algorithm sha512; # ISAKMP hash.
        authentication_method rsasig; # authenticate the ISAKMP exchange with RSA signatures.
        dh_group modp2048; # Diffie-Hellman group for the ISAKMP SA.
        lifetime time 86400 sec; # ISAKMP SA lifetime.
    }

    generate_policy on; # create the ESP policy from what the peer proposes instead of requiring it to be predefined.
}

sainfo anonymous { # ESP SA parameters; anonymous means they apply to any peer and any addresses.

    pfs_group modp2048; # Diffie-Hellman group for PFS on the ESP SA.
    lifetime time 28800 sec; # ESP SA lifetime.
    encryption_algorithm aes; # ESP encryption.
    authentication_algorithm hmac_sha512; # ESP integrity algorithm.
    compression_algorithm deflate; # IPComp compression, used only if the peer agrees to it.
}

Mikrotik:

"IP" — "IPsec"


"Profiles"
Name: default
Hash Algorithm: sha512
Encryption Algorithm: aes-128
DH-Group: modp2048
Proposal check: claim
Lifetime: 1d 00:00:00
NAT Traversal: true
DPD: 120
DPD Maximum failure: 5

"Peers"
Name: MyPeer
Address: 1.1.1.1 (external IP of linux)
Local Address: 10.0.0.2 (WAN IP of the mikrotik)
Profile: default
Exchange Mode: main
Passive: false
Send INITIAL_CONTACT: true

"Proposal"
Name: MyPeerProposal
Auth. Algorithms: sha512
Encr. Algorithms: aes-128-cbc
Lifetime: 08:00:00
PFS Group: modp2048

"Identities"
Peer: MyPeer
Auth. Method: rsa key
Key: mikrotik.privet.key
Remote Key: server-name.pub.pem
Policy Template Group: default
Notrack Chain: (none)
My ID Type: auto
Remote ID Type: auto
Match By: remote id
Mode Configuration: (none)
Generate Policy: no

"Policies — General"
Peer: MyPeer
Tunnel: true
Src. Address: 192.168.0.0/30
Dest. Address: 192.168.0.0/30
Protocol: 255 (all)
Template: false

"Policies — Action"
Action: encrypt
Level: require
IPsec Protocols: esp
Proposal: MyPeerProposal

If there is a snat/masquerade rule on the WAN interface, the ipsec traffic must be excluded from it:
"IP" — "Firewall".
"NAT" tab, open the snat/masquerade rule.


"Advanced"
IPsec Policy: out: none

Restart racoon:


sudo systemctl restart racoon

After the restart, check syslog for racoon messages and make sure it started without errors.


If racoon fails to start at boot because of strict_address in the listen section (the address is not yet configured when the service starts), edit the systemd unit
/lib/systemd/system/racoon.service and add After=network.target to the [Unit] section.


Check that the ipsec policies have been created:


sudo ip xfrm policy

src 192.168.0.0/30 dst 192.168.0.0/30 
    dir out priority 2147483648 
    tmpl src 1.1.1.1 dst "IP NAT    mikrotik"
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir fwd priority 2147483648 
    tmpl src "IP NAT    mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir in priority 2147483648 
    tmpl src "IP NAT    mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel

If something does not work, look at syslog or journalctl -u racoon.
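To make that check repeatable, here is an added example (not part of the original article) that parses `ip xfrm policy` output and confirms that a tunnel-mode ESP policy exists for the tunnel network in all three directions (out, fwd, in); the sample output and the NAT address 203.0.113.7 are constructed.

```shell
#!/bin/sh
# Added example: verify that the kernel holds the three tunnel-mode ESP
# policies (out, fwd, in) that racoon's generate_policy should create for
# the tunnel network, by parsing `ip xfrm policy` output.

# check_xfrm_policies NET: reads `ip xfrm policy` output on stdin; exit 0 only
# if a "proto esp ... mode tunnel" policy exists for NET<->NET in every direction.
check_xfrm_policies() {
    awk -v net="$1" '
        # "src A dst B" header: decide whether this entry is for our network
        $1 == "src" { want = ($2 == net && $4 == net); dir = ""; next }
        $1 == "dir" && want { dir = $2; next }
        # template line of a wanted entry: mark its direction as satisfied
        $1 == "proto" && $2 == "esp" && $5 == "mode" && $6 == "tunnel" && dir != "" {
            seen[dir] = 1; dir = ""
        }
        END {
            ok = 1
            n = split("out fwd in", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) {
                    printf "missing %s policy for %s\n", need[i], net > "/dev/stderr"
                    ok = 0
                }
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample modelled on the output above; 203.0.113.7 stands in for
# the provider's NAT address in front of the Mikrotik.
SAMPLE_OK='src 192.168.0.0/30 dst 192.168.0.0/30
	dir out priority 2147483648
	tmpl src 1.1.1.1 dst 203.0.113.7
		proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
	dir fwd priority 2147483648
	tmpl src 203.0.113.7 dst 1.1.1.1
		proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
	dir in priority 2147483648
	tmpl src 203.0.113.7 dst 1.1.1.1
		proto esp reqid 0 mode tunnel'

# Same sample with the "in" entry missing (e.g. phase 2 never completed).
SAMPLE_MISSING_IN=$(printf '%s\n' "$SAMPLE_OK" | head -n 8)

# Live use on the Linux side:  ip xfrm policy | check_xfrm_policies 192.168.0.0/30
```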


L3 , . , IPIP, mikrotik , vti, , , mikrotik . IPIP , multicast (fwmark) , iptables iproute2 (policy-based routing). — , , GRE. , .


.


Linux:


# create the IPIP tunnel interface
sudo ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
# bring it up
sudo ip link set ipip-ipsec0 up
# assign our tunnel address
sudo ip addr add 192.168.0.1/30 dev ipip-ipsec0

Route to the networks behind the mikrotik:


sudo ip route add A.B.C.D/Prefix via 192.168.0.2

To bring the tunnel up at boot, add these commands as post-up lines in /etc/network/interfaces, or put them in a script such as /etc/ipip-ipsec0.conf and call it from post-up:


#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.0.1/30 dev ipip-ipsec0

ip route add A.B.C.D/Prefix via 192.168.0.2

Mikrotik:


«Interfaces», add an «IP tunnel»:


«IP tunnel» — «General»
Name: IPIP-IPsec0
MTU: 1480 (set it explicitly, otherwise the mikrotik uses mtu 68)
Local Address: 192.168.0.2
Remote Address: 192.168.0.1
Ipsec Secret: (empty; the Peer configured above is used)
Keepalive: (mikrotik - linux)
DSCP: inherit
Dont Fragment: no
Clamp TCP MSS: true
Allow Fast Path: true

«IP» — «Addresses», add:


Address: 192.168.0.2/30
Interface: IPIP-IPsec0

Add routes to the networks behind linux with the gateway set to IPIP-IPsec0.


PS


On linux there is no Clamp TCP MSS option for the ipip interface, so it is done with iptables:


Add to /etc/iptables.conf:


*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

and in /etc/network/interfaces:
post-up iptables-restore < /etc/iptables.conf


If there is a web server behind the mikrotik, say nginx at ip 10.10.10.1, that should be reachable through the linux external IP, add to /etc/iptables.conf:


*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# on the mikrotik, mark the replies from 10.10.10.1 ports 80,443 in mangle and route them via 192.168.0.1, so the return traffic goes back through the tunnel.

# if linux also runs OpenVPN with the 172.16.0.1/24 network, source-NAT its clients to the external IP
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT

iptables, .


!

