Linux: Ubuntu 18.04.4 LTS (GNU / Linux 4.15.0-91-generic x86_64)
- Eth0 1.1.1.1/32 IP eksternal
- ipip-ipsec0 192.168.0.1/30 akan menjadi terowongan kami
Miktoik: CCR 1009, RouterOS 6.46.5
- Eth0 10.0.0.2/30 IP internal dari penyedia. IP NAT eksternal penyedia bersifat dinamis.
- ipip-ipsec0 192.168.0.2/30 akan menjadi terowongan kami
Kami akan meningkatkan terowongan IPsec pada mesin Linux menggunakan racoon. Saya tidak akan menjelaskan detailnya, ada artikel bagus divvpoloskin.
Instal paket yang diperlukan:
sudo install racoon ipsec-tools
Kami mengonfigurasi racoon, itu akan berfungsi sebagai server ipsec. Karena mikrotik dalam mode utama tidak dapat mengirimkan pengenal klien tambahan, dan alamat ip eksternal yang digunakan untuk menghubungkannya ke Linux bersifat dinamis, Anda tidak dapat menggunakan kunci preshared (otorisasi kata sandi), karena kata sandi harus dipetakan baik ke alamat ip dari host penghubung atau ke pengidentifikasi.
Kami akan menggunakan otorisasi oleh kunci RSA.
racoon RSA, mikrotik — PEM. plainrsa-gen racoon, Mikrotika PEM — : PEM RSA. plainrsa-gen openssl, ssh-keygen, .
PEM openssl, racoon plainrsa-gen:
openssl genrsa -out server-name.pem 1024
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
plainrsa-gen -i server-name.pem -f server-name.privet.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key
: /etc/racoon/certs/server. , racoon ( root), 600.
mikrotik WinBox.
server-name.pub.pem mikrotik: «Files» — «Upload».
«IP» — «IP sec» — «Keys». — «Generate Key», mikrotika «Expor Pub. Key», «Files», — «Download».
racoon, «Import», «File name» server-name.pub.pem.
mikrotik
plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key
/etc/racoon/certs .
racoon : /etc/racoon/racoon.conflog info;
listen {
isakmp 1.1.1.1 [500];
isakmp_natt 1.1.1.1 [4500];
strict_address;
}
path certificate "/etc/racoon/certs";
remote anonymous {
passive on;
nat_traversal on;
exchange_mode main;
my_identifier address 1.1.1.1;
certificate_type plain_rsa "server/server-name.priv.key";
peers_certfile plain_rsa "mikrotik.pub.key";
proposal_check claim;
proposal {
encryption_algorithm aes;
hash_algorithm sha512;
authentication_method rsasig;
dh_group modp2048;
lifetime time 86400 sec; .
}
generate_policy on;
}
sainfo anonymous {
pfs_group modp2048;
lifetime time 28800 sec;
encryption_algorithm aes;
authentication_algorithm hmac_sha512;
compression_algorithm deflate;
}
mikrotik"IP" — "IPsec"
, , WAN snat/masquerade, , ipsec :
"IP" — "Firewall".
"NAT", snat/masquerade.
racoon
sudo systemctl restart racoon
racoon , , syslog racoon , .
racoon , listen strict_address, systemd racoon
/lib/systemd/system/racoon.service, [Unit], After=network.target.
ipsec , :
sudo ip xfrm policy
src 192.168.0.0/30 dst 192.168.0.0/30
dir out priority 2147483648
tmpl src 1.1.1.1 dst "IP NAT mikrotik"
proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
dir fwd priority 2147483648
tmpl src "IP NAT mikrotik" dst 1.1.1.1
proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30
dir in priority 2147483648
tmpl src "IP NAT mikrotik" dst 1.1.1.1
proto esp reqid 0 mode tunnel
, syslog, journalctl -u racoon.
L3 , . , IPIP, mikrotik , vti, , , mikrotik . IPIP , multicast (fwmark) , iptables iproute2 (policy-based routing). — , , GRE. , .
.
Linux:
sudo ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
sudo ip link set ipip-ipsec0 up
sudo ip addr add 192.168.0.1/30 dev ipip-ipsec0
mikrotik
sudo ip route add A.B.C.D/Prefix via 192.168.0.2
, /etc/network/interfaces post-up , , , /etc/ipip-ipsec0.conf post-up, , .
#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.0.1/30 dev ipip-ipsec0
ip route add A.B.C.D/Prefix via 192.168.0.2
Mikrotik:
«Interfaces», «IP tunnel»:
«IP» — «Addresses», :
linux , , gateway IPIP-IPsec0.
PS
linux , Clamp TCP MSS ipip :
/etc/iptables.conf :
*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
/etc/network/interfaces
post-up iptables-restore < /etc/iptables.conf
mikrotik nginx (ip 10.10.10.1), , /etc/iptables.conf:
*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
iptables, .
!