  • ros routeros: PPTP and then OSPF running on top of an IKEv2 IPsec tunnel, suitable for point-to-multipoint IPsec

    Network environment: the client is a ROS sitting behind another router on a private subnet (i.e. it has no public IP, only a metropolitan-area network address); the server is a ROS with a public IP.

    This article addresses the case where the ISP rate-limits every tunnel protocol for a ROS that only has a metropolitan-area IP. For the actual throttling measurements, see my other article:

    https://www.cnblogs.com/itfat/p/13326602.html

    Recommended speed-test tool:

    https://www.cnblogs.com/itfat/p/13346324.html

    Topology diagram:

    Server configuration:
    (1) Create the CA and server certificates:
    The common name should contain the IP or DNS name of the server;
    the SAN (subject alternative name) should contain the IP or DNS name of the server;
    EKU (extended key usage): the server certificate needs tls-server (the client certificate created in step (7) uses tls-client). Clients check that the address they dial matches the SAN, so a mismatch fails authentication even when the CA is trusted.

    /certificate
    add common-name=ca name=ca
    sign ca ca-crl-host=2.2.2.2
    add common-name=2.2.2.2 subject-alt-name=IP:2.2.2.2 key-usage=tls-server name=server1
    sign server1 ca=ca

    (2)Now that valid certificates are created on the router, add new Phase 1 profile and Phase 2 proposal entries with pfs-group=none.
    /ip ipsec profile
    add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
    /ip ipsec proposal
    add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none

    (3) Mode config is used for address distribution from IP/Pools.
    Clients obtain their IPsec address from the pool 192.168.77.2-192.168.77.254. The server pushes split-include=10.5.8.0/24, so clients only route that server-side network into the tunnel; if you want clients to be able to reach any address through the tunnel, do not configure split-include.
    /ip pool
    add name=ike2-pool ranges=192.168.77.2-192.168.77.254
    /ip ipsec mode-config
    add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-include=10.5.8.0/24

    (4) Since the policy template must be adjusted to allow only specific network policies, it is advised to create a separate policy group and template.
    Create a new group ike2-policies, disable the default IPsec policy so it does not interfere, and create a policy template (template=yes) whose destination is 192.168.77.0/24 (the client pool) with any source address.
    /ip ipsec policy group
    add name=ike2-policies
    /ip ipsec policy
    disable numbers=0
    /ip ipsec policy
    add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

    (5) Create a new IPsec peer entry that listens for all incoming IKEv2 requests.
    Create a peer; since this side is the IKEv2 server (responder), set passive=yes.
    /ip ipsec peer
    add exchange-mode=ike2 name=ike2 passive=yes profile=ike2

    (6) The identity menu allows matching specific remote peers and assigning a different configuration to each of them. First, create a default identity that accepts all peers but verifies each peer's identity with its certificate.
    Create the authentication entry using certificates: older versions use auth-method=rsa-signature, newer versions use digital-signature. Note that this identity accepts any certificate signed by ca; to pin a client to one certificate, set remote-certificate on a dedicated identity for it, and revoke lost client certificates (the CA publishes a CRL via ca-crl-host).
    RouterOS v6.45.1 and later:
    /ip ipsec identity
    add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
    RouterOS before v6.45.1:
    /ip ipsec identity
    add auth-method=rsa-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies

    (7) Generate a certificate for the client and sign it with the CA created above.
    /certificate
    add common-name=rw-client1 name=rw-client1 key-usage=tls-client
    sign rw-client1 ca=ca

    (8) The PKCS12 format is accepted by most client implementations, so make sure type=pkcs12 is specified when exporting the certificate.
    Export the client certificate in PKCS12 format with the passphrase 1234567890 (a placeholder; the bundle contains the client's private key, so use a real passphrase and hand the file over out of band).
    A PKCS12 bundle typically also contains the CA certificate, but some clients do not install it, so the self-signed CA certificate may have to be exported separately in PEM format.
    When importing a PKCS12 bundle, the CA certificate does not need to be imported separately. If the client cannot handle that, export the PEM format instead (the file ending in .crt) plus the CA certificate file.
    /certificate
    export-certificate rw-client1 export-passphrase=1234567890 type=pkcs12

    (9) Because the network on ether2-lan is 10.5.8.0/24, masquerade the tunnel clients' addresses (192.168.77.0/24) towards it; otherwise hosts on 10.5.8.0/24, which have no route back to 192.168.77.0/24, cannot reply and the resources there are unreachable.
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether2-lan

    (10) Known limitations:
    Here is a list of known limitations of popular client IKEv2 implementations.

    Windows will always ignore networks received by split-include and request policy with destination 0.0.0.0/0 (TSr). When IPsec-SA is generated, Windows requests DHCP option 249 to which RouterOS will respond with configured split-include networks automatically.
    Both Apple macOS and iOS will only accept the first split-include network.
    Both Apple macOS and iOS will use the DNS servers from system-dns and static-dns parameters only when 0.0.0.0/0 split-include is used.
    While some implementations can make use of different PFS group for phase 2, it is advised to use pfs-group=none under proposals to avoid any compatibility issues.

    Client configuration:
    (1) Import the PKCS12 certificate into RouterOS.
    Import the client certificate; the passphrase is 1234567890.
    /certificate import file-name=cert_export_rw-client1.p12 passphrase=1234567890

    (2)It is advised to create a separate Phase 1 profile and Phase 2 proposal configurations to not interfere with any existing IPsec configuration.
    /ip ipsec profile
    add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-rw
    /ip ipsec proposal
    add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-rw pfs-group=none

    (3) While it is possible to use the default policy template for policy generation, it is better to create a new policy group and template to separate this configuration from any other IPsec configuration.
    Create a new group ike2-rw, disable the default IPsec policy so it does not interfere, and create a policy template (template=yes) that matches any source and destination address.
    /ip ipsec policy group
    add name=ike2-rw
    /ip ipsec policy
    disable numbers=0
    /ip ipsec policy
    add group=ike2-rw proposal=ike2-rw template=yes

    (4) Create a new mode-config entry with responder=no that requests configuration parameters from the server.
    This client has many hosts behind it, so create an address list for the local network and reference it from the mode-config (src-address-list=local).
    /ip firewall address-list
    add address=192.168.88.0/24 list=local
    /ip ipsec mode-config
    add name=ike2-rw responder=no src-address-list=local

    (5) Verify that the correct source NAT rule is dynamically generated when the tunnel is established.
    With the mode-config above, ROS generates a NAT rule automatically: every packet whose source is in the local list (and whose destination is not) is src-nat'ed to the address the server assigned to this client (here 192.168.77.254), so it matches the generated IPsec policy.
    [admin@MikroTik] > /ip firewall nat print
    Flags: X - disabled, I - invalid, D - dynamic
    0 D ;;; ipsec mode-config
    chain=srcnat action=src-nat to-addresses=192.168.77.254 src-address-list=local dst-address-list=!local

    (6) Lastly, create the peer and identity configuration.
    Create the peer and the authentication entry using certificates; older versions use auth-method=rsa-signature, newer versions use digital-signature.
    /ip ipsec peer
    add address=2.2.2.2/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw

    RouterOS v6.45.1 and later:
    /ip ipsec identity
    add auth-method=digital-signature certificate=cert_export_rw-client1.p12_0 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
    RouterOS before v6.45.1:
    /ip ipsec identity
    add auth-method=rsa-signature certificate=cert_export_rw-client1.p12_0 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw

    /ip route
    add distance=1 gateway=pppoe-out1
    # The route below is the key one: traffic to the remote network 10.5.8.0/24 uses the local LAN address 192.168.88.100 as its source (pref-src). Packets the router originates itself (such as the PPTP client used later) would otherwise leave with the pppoe-out1 address as source, which is not in the local address list, so they would neither be src-nat'ed to the tunnel address nor match the IPsec policy, and would go out unencrypted via pppoe-out1. In theory 192.168.77.254 should also work. Without this route, running PPTP and then OSPF over the IPsec tunnel will not succeed.
    add distance=1 dst-address=10.5.8.0/24 gateway=pppoe-out1 pref-src=192.168.88.100
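    The following is an added example, not part of the original article and not RouterOS code: a small Python model of the client router's outbound path that ties together the split-include from server step (3), the dynamic src-nat rule from client step (5) and the pref-src route just configured. The address list, tunnel address, split-include network and NAT rule are taken from the page; the pppoe-out1 address 100.64.10.2 and the LAN address 192.168.88.100 are assumed. It shows why a packet the router originates itself (the later PPTP client) only enters the tunnel when the pref-src route exists.

```python
"""Model of the client ROS outbound path: route lookup (pref-src), the dynamic
src-nat rule created by mode-config, and the IPsec policy generated from the template.
Constructed to mirror the configuration on this page; not captured from a router."""
from ipaddress import ip_address, ip_network

# /ip firewall address-list add address=192.168.88.0/24 list=local
LOCAL_LIST = [ip_network("192.168.88.0/24")]
# Address the server's mode-config assigned to this client (seen in the dynamic NAT rule)
TUNNEL_ADDR = ip_address("192.168.77.254")
# split-include pushed by the server (server step 3)
SPLIT_INCLUDE = [ip_network("10.5.8.0/24")]
# Assumed addresses (not on the page): pppoe-out1 address and the router's LAN address
PPPOE_ADDR = ip_address("100.64.10.2")
LAN_ADDR = ip_address("192.168.88.100")

# Routing table as (destination, pref-src); None means "use the egress interface address".
ROUTES_WITH_PREF_SRC = [
    (ip_network("10.5.8.0/24"), LAN_ADDR),  # dst-address=10.5.8.0/24 gateway=pppoe-out1 pref-src=192.168.88.100
    (ip_network("0.0.0.0/0"), None),        # gateway=pppoe-out1 (default route)
]
ROUTES_WITHOUT_PREF_SRC = [(ip_network("0.0.0.0/0"), None)]


def in_list(addr, networks):
    return any(addr in net for net in networks)


def select_source(dst, routes):
    """Longest-prefix-match lookup; returns the source address the router uses for a
    packet it originates itself: the route's pref-src if set, else the pppoe address."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1] if best[1] is not None else PPPOE_ADDR


def apply_srcnat(src, dst):
    """Dynamic rule printed on the page:
    chain=srcnat action=src-nat to-addresses=192.168.77.254 src-address-list=local dst-address-list=!local"""
    if in_list(src, LOCAL_LIST) and not in_list(dst, LOCAL_LIST):
        return TUNNEL_ADDR
    return src


def matches_policy(src, dst):
    """Policy generated from the ike2-rw template: src 192.168.77.254/32 -> split-include networks."""
    return src == TUNNEL_ADDR and in_list(dst, SPLIT_INCLUDE)


def trace(src, dst, routes=ROUTES_WITH_PREF_SRC):
    """src=None means the packet is originated by the router itself (e.g. its PPTP client).
    Returns the source before and after srcnat and whether the IPsec policy encrypts it."""
    dst = ip_address(dst)
    src = select_source(dst, routes) if src is None else ip_address(src)
    nat_src = apply_srcnat(src, dst)
    return {"src": str(src), "nat_src": str(nat_src), "encrypted": matches_policy(nat_src, dst)}


if __name__ == "__main__":
    cases = [
        ("LAN host -> 10.5.8.1", "192.168.88.10", "10.5.8.1", ROUTES_WITH_PREF_SRC),
        ("router PPTP client -> 10.5.8.1, pref-src route", None, "10.5.8.1", ROUTES_WITH_PREF_SRC),
        ("router PPTP client -> 10.5.8.1, no pref-src route", None, "10.5.8.1", ROUTES_WITHOUT_PREF_SRC),
        ("LAN host -> 192.168.88.1 (local)", "192.168.88.10", "192.168.88.1", ROUTES_WITH_PREF_SRC),
    ]
    for label, s, d, routes in cases:
        print(f"{label:52} {trace(s, d, routes)}")
```

    The third case is the failure the comment on the route warns about: without pref-src the PPTP control and GRE packets carry the pppoe-out1 source, never hit the dynamic src-nat rule, never match the policy, and leave in the clear.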

    Follow-up:
    Once the IKEv2 IPsec tunnel is up, if you want OSPF to learn the routes on both sides, create a PPTP server on the server ROS and a PPTP client on the client ROS, then run OSPF over that PPTP link; I have tested this and it works. Policy-based IPsec provides no routed interface for OSPF to run on, which is what the PPTP interface supplies; dial the PPTP server on an address inside the split-include network (10.5.8.0/24) so the session is carried inside the IPsec SA, whose protection it relies on rather than on PPTP's own MS-CHAPv2/MPPE.
    In short: OSPF on top of IPsec is entirely feasible, and it is very fast!

    I also redid this without certificates, using a pre-shared key to build the IPsec tunnel (12345678 below is a placeholder; with passive=yes and no peer-specific match, anyone who knows the secret can connect, so use a long random secret):

    Server:
    /ip ipsec profile
    add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
    /ip ipsec proposal
    add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none

    /ip pool
    add name=ike2-pool ranges=192.168.77.2-192.168.77.254
    /ip ipsec mode-config
    add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-include=10.5.8.0/24

    /ip ipsec policy group
    add name=ike2-policies
    /ip ipsec policy
    disable numbers=0
    /ip ipsec policy
    add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

    /ip ipsec peer
    add exchange-mode=ike2 name=ike2 passive=yes profile=ike2

    /ip ipsec identity
    add auth-method=pre-shared-key secret=12345678 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies

    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether2-lan

    Client:
    /ip ipsec profile
    add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-rw
    /ip ipsec proposal
    add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-rw pfs-group=none

    /ip ipsec policy group
    add name=ike2-rw
    /ip ipsec policy
    disable numbers=0
    /ip ipsec policy
    add group=ike2-rw proposal=ike2-rw template=yes

    /ip firewall address-list
    add address=192.168.88.0/24 list=local
    /ip ipsec mode-config
    add name=ike2-rw responder=no src-address-list=local

    /ip ipsec peer
    add address=2.2.2.2/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw

    /ip ipsec identity
    add auth-method=pre-shared-key secret=12345678 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw

    /ip route
    add distance=1 dst-address=10.5.8.0/24 gateway=pppoe-out1 pref-src=192.168.88.100

  • Original article: https://www.cnblogs.com/itfat/p/13390467.html