Get best of the week

Linux机器和NAT提供程序后面的Mikrotik之间的IPIP IPsec VPN隧道

Linux: Ubuntu 18.04.4 LTS(GNU / Linux 4.15.0-91-通用x86_64)


  • eth0 1.1.1.1/32外部IP
  • ipip-ipsec0 192.168.0.1/30将是我们的隧道

Miktoik: CCR 1009,RouterOS 6.46.5


  • 提供者的Eth0 10.0.0.2/30内部IP。提供程序的外部IP NAT是动态的。
  • ipip-ipsec0 192.168.0.2/30将是我们的隧道

我们将使用racoon在Linux机器上提升IPsec隧道。我不会描述的细节,有一个很好的文章vvpoloskin


安装必要的软件包:


sudo install racoon ipsec-tools

我们配置了racoon,它将有条件地充当ipsec服务器。由于处于主模式的mikrotik无法传输其他客户端标识符,并且它通过其连接到Linux的外部IP地址是动态的,因此您不能使用预共享密钥(密码授权),因为必须将密码映射到连接主机的IP地址或标识符。


我们将使用RSA密钥进行授权。


racoon RSA, mikrotik — PEM. plainrsa-gen racoon, Mikrotika PEM — : PEM RSA. plainrsa-gen openssl, ssh-keygen, .


PEM openssl, racoon plainrsa-gen:


#   
openssl genrsa -out server-name.pem 1024
#   
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# 
plainrsa-gen -i server-name.pem -f server-name.privet.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key

: /etc/racoon/certs/server. , racoon ( root), 600.


mikrotik WinBox.


server-name.pub.pem mikrotik: «Files» — «Upload».


«IP» — «IP sec» — «Keys». — «Generate Key», mikrotika «Expor Pub. Key», «Files», — «Download».


racoon, «Import», «File name» server-name.pub.pem.


mikrotik


plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key

/etc/racoon/certs .


racoon : /etc/racoon/racoon.conf
log info; #  ,    Debug  Debug2.

listen {

    isakmp 1.1.1.1 [500]; #   ,     .
    isakmp_natt 1.1.1.1 [4500]; #   ,         NAT.
    strict_address; #        IP.
}

path certificate "/etc/racoon/certs"; #     .

remote anonymous { # ,       ISAKMP      .   IP,    Mikrotik, ,   anonymous,      .  IP   ,       .

    passive on; #  ""   ,      .
    nat_traversal on; #    NAT-T  ,    NAT. 
    exchange_mode main; #    ,    ---.
    my_identifier address 1.1.1.1; #   linux    ip .
    certificate_type plain_rsa "server/server-name.priv.key"; #   .
    peers_certfile plain_rsa "mikrotik.pub.key"; #   Mikrotik.

    proposal_check claim; #    ISAKMP . Racoon      ()                         ,      ,     ,   .     ,   , racoon           RESPONDER-LIFETIME.
    proposal { #  ISAKMP .

        encryption_algorithm aes; #   ISAKMP .
        hash_algorithm sha512; #  ,   ISAKMP .
        authentication_method rsasig; #    ISAKMP  -  RSA .
        dh_group modp2048; #     -   ISAKMP .
        lifetime time 86400 sec;   .
    }

    generate_policy on; #   ESP   ,    .
}

sainfo anonymous { #  ESP , anonymous -        .   , ,                  ,    ip , , .

    pfs_group modp2048; #     -  ESP .
    lifetime time 28800 sec; #   ESP .
    encryption_algorithm aes; #   ESP .
    authentication_algorithm hmac_sha512; #  ,    ESP .
    compression_algorithm deflate; #   ,     .
}

mikrotik

"IP" — "IPsec"


"Profiles"
Name( default)
Hash Algorithmsha512
Encryption Algorithmaes-128
DH-Groupmodp2048
Proposhal_checkclaim
Lifetime1d 00:00:00
NAT Traversaltrue ( )
DPD120
DPD Maximum failure5

"Peers"
Name( MyPeer)
Address1.1.1.1 (IP linux )
Local Address10.0.0.2 (IP WAN mikrotik)
Profiledefault
Exchange Modemain
Passivefalse
Send INITIAL_CONTACTtrue

"Proposal"
Name( MyPeerProposal)
Auth. Algorithmssha512
Encr. Algorithmsaes-128-cbc
Lifetime08:00:00
PFS Groupmodp2048

"Identities"
PeerMyPeer
Atuh. Methodrsa key
Keymikrotik.privet.key
Remote Keyserver-name.pub.pem
Policy Tamplate Groupdefault
Notrack Chain
My ID Typeauto
Remote ID Typeauto
Match Byremote id
Mode Configuration
Generate Policyno

"Policies — General"
PeerMyPeer
Tunneltrue
Src. Address192.168.0.0/30
Dest. Address192.168.0.0/30
Protocol255 (all)
Templatefalse

"Policies — Action"
Actionencrypt
Levelrequier
IPsec Protocolsesp
ProposalMyPeerProposal

, , WAN snat/masquerade, , ipsec :
"IP" — "Firewall".
"NAT", snat/masquerade.


"Advanced"
IPsec Policyout: none

racoon


sudo systemctl restart racoon

racoon , , syslog racoon , .


racoon , listen strict_address, systemd racoon
/lib/systemd/system/racoon.service, [Unit], After=network.target.


ipsec , :


sudo ip xfrm policy

src 192.168.0.0/30 dst 192.168.0.0/30 
    dir out priority 2147483648 
    tmpl src 1.1.1.1 dst "IP NAT    mikrotik"
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir fwd priority 2147483648 
    tmpl src "IP NAT    mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir in priority 2147483648 
    tmpl src "IP NAT    mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel

, syslog, journalctl -u racoon.


L3 , . , IPIP, mikrotik , vti, , , mikrotik . IPIP , multicast (fwmark) , iptables iproute2 (policy-based routing). — , , GRE. , .


.


Linux:


#  
sudo ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
# 
sudo ip link set ipip-ipsec0 up
#  
sudo ip addr add 192.168.0.1/30 dev ipip-ipsec0

mikrotik


sudo ip route add A.B.C.D/Prefix via 192.168.0.2

, /etc/network/interfaces post-up , , , /etc/ipip-ipsec0.conf post-up, , .


#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.0.1/30 dev ipip-ipsec0

ip route add A.B.C.D/Prefix via 192.168.0.2

Mikrotik:


«Interfaces», «IP tunnel»:


«IP tunnel» — «General»
Name( IPIP-IPsec0)
MTU1480 ( , mikrotik mtu 68)
Local Address192.168.0.2
Remote Address192.168.0.1
Ipsec Secret( Peer)
Keepalive( , mikrotika - linux )
DSCPinherit
Dont Fragmentno
Clamp TCP MSStrue
Allow Fast Pathtrue

«IP» — «Addresses», :


Address192.168.0.2/30
InterfaceIPIP-IPsec0

linux , , gateway IPIP-IPsec0.


PS


linux , Clamp TCP MSS ipip :


/etc/iptables.conf :


*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

/etc/network/interfaces
post-up iptables-restore < /etc/iptables.conf


mikrotik nginx (ip 10.10.10.1), , /etc/iptables.conf:


*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# mikrotik,   mangle,    route   192.168.0.1      10.10.10.1   80, 443.

#    linux  OpenVPN  172.16.0.1/24,              
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT

iptables, .


!

More articles:


All Articles