IPsec (GRE) between Juniper and Mikrotik
Material from xapmc.net
- Task
- Set up an encrypted channel between a Juniper and a Mikrotik router and run dynamic routing over it.
- Solution
- We build the link from GRE and IPsec. A GRE tunnel between the two routers' loopback addresses gives OSPF a point-to-point interface to run over (RouterOS IPsec is policy-based and has no tunnel interface of its own), and an IPsec SA between those same loopback addresses encrypts the GRE traffic, so the result is GRE carried inside IPsec.
- Available equipment

Vendor | Model |
---|---|
Mikrotik | CCR1036-8G-2S+EM |
Juniper | srx100 |
- Network diagram
- Configuration
- Juniper srx 100
- OSPF
set protocols ospf traceoptions file debug-ospf
set protocols ospf traceoptions file size 1m
set protocols ospf traceoptions file files 5
set protocols ospf traceoptions flag all
set protocols ospf area 0.0.0.66 interface gr-0/0/0.0 interface-type p2p
set protocols ospf area 0.0.0.66 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.66 interface vlan.77
- The traceoptions lines turn on full OSPF debugging; they are useful while bringing the adjacency up and should be deleted afterwards. st0.0 carries no IP address in this configuration, so the only adjacency that forms is the one over gr-0/0/0.0 (see the check at the end).
- IPsec
- 1.1.1.2 is the external address of the Juniper srx 100.
- 2.2.2.3 is the external address of the Mikrotik ccr.
set security ike proposal IKE_GRE_NET description mikrotik_gre_ipsec
set security ike proposal IKE_GRE_NET authentication-method pre-shared-keys
set security ike proposal IKE_GRE_NET dh-group group2
set security ike proposal IKE_GRE_NET authentication-algorithm sha1
set security ike proposal IKE_GRE_NET encryption-algorithm aes-128-cbc
set security ike proposal IKE_GRE_NET lifetime-seconds 28800
set security ike policy IKE_GRE_POL mode main
set security ike policy IKE_GRE_POL proposals IKE_GRE_NET
set security ike policy IKE_GRE_POL pre-shared-key ascii-text xapmcnet
set security ike gateway IKE_MIK ike-policy IKE_GRE_POL
set security ike gateway IKE_MIK address 2.2.2.3
set security ike gateway IKE_MIK local-identity inet 1.1.1.2
set security ike gateway IKE_MIK external-interface fe-0/0/0
set security ipsec proposal IPSEC_PRO_GRE protocol esp
set security ipsec proposal IPSEC_PRO_GRE authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC_PRO_GRE encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_GRE lifetime-seconds 28800
set security ipsec policy IPSEC_POL_GRE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL_GRE proposals IPSEC_PRO_GRE
set security ipsec vpn VPN_MIK bind-interface st0.0
set security ipsec vpn VPN_MIK ike gateway IKE_MIK
set security ipsec vpn VPN_MIK ike no-anti-replay
set security ipsec vpn VPN_MIK ike proxy-identity local 172.17.1.2/32
set security ipsec vpn VPN_MIK ike proxy-identity remote 172.17.1.1/32
set security ipsec vpn VPN_MIK ike proxy-identity service any
set security ipsec vpn VPN_MIK ike ipsec-policy IPSEC_POL_GRE
set security ipsec vpn VPN_MIK establish-tunnels immediately
- Notes on this phase 1 / phase 2 configuration. The pre-shared key xapmcnet is a placeholder and must be replaced by a long random secret: in main mode with PSK it is the only thing that authenticates the peer. dh-group group2 (1024-bit MODP) and hmac-md5-96 are weak by current standards, and no-anti-replay switches off ESP replay protection, which should only be used to work around a peer with a genuine sequence-window problem. Whatever you change here must be changed on the Mikrotik side in step (proposal, peer and pfs-group), because phase 1 and phase 2 parameters have to agree exactly. The proxy identities (172.17.1.2/32 to 172.17.1.1/32, any service) are what makes the SA carry exactly the GRE traffic between the loopbacks. The listing does not show two things every SRX also needs before this passes traffic: st0.0 and gr-0/0/0.0 assigned to a security zone with a policy permitting the traffic, and a route for 172.17.1.1/32 via st0.0 so that the GRE packets enter the tunnel instead of leaving fe-0/0/0 in the clear.
- VLAN
set vlans vlan77 vlan-id 77
set vlans vlan77 l3-interface vlan.77
- Interfaces
- lo0, st0, vlan.77
set interfaces lo0 unit 0 family inet address 172.17.1.2/32
set interfaces st0 unit 0 description ipsec_mikrotik
set interfaces st0 unit 0 family inet mtu 1460
set interfaces vlan unit 77 family inet address 192.168.77.1/24
- GRE
set interfaces gr-0/0/0 unit 0 tunnel source 172.17.1.2
set interfaces gr-0/0/0 unit 0 tunnel destination 172.17.1.1
set interfaces gr-0/0/0 unit 0 family inet mtu 1400
set interfaces gr-0/0/0 unit 0 family inet address 10.1.1.2/30
- The last line is not in the original listing: the address 10.1.1.2/30 is implied by the OSPF neighbor table and the traceroute in the check at the end (the CCR end is 10.1.1.1/30), and without an address gr-0/0/0.0 cannot form the OSPF adjacency. The MTU of 1400 leaves room for the 24 bytes of GRE encapsulation plus the ESP tunnel-mode overhead inside a 1500-byte underlay packet, so the encrypted packets leave fe-0/0/0 unfragmented.
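The two MTU values above (1460 on st0.0, 1400 on gr-0/0/0.0) are the kind of numbers that get copied without checking. The following is an added example, not code from the original page, that works the overhead arithmetic for GRE inside ESP tunnel mode with the configured AES-128-CBC cipher, and shows that 1400 keeps every packet under a 1500-byte underlay while a full-size 1460-byte st0.0 packet would not. It assumes IPv4 without options, no NAT-T (UDP) encapsulation and a 1500-byte MTU on the outside interfaces; the function and constant names are mine.

```python
# Added example (not from the original page): overhead arithmetic for
# GRE over IPsec (ESP tunnel mode, AES-128-CBC) as configured above.
# Assumptions (mine, not the page's): IPv4 with no options, no NAT-T
# UDP encapsulation, and a 1500-byte MTU on fe-0/0/0 and the CCR uplink.

IPV4_HEADER = 20
GRE_HEADER = 4          # plain GRE: flags/version + protocol type, no key/checksum
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
AES_BLOCK = 16          # CBC IV length and padding granularity for AES
ICV_LEN = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha-256-128": 16}


def esp_tunnel_size(inner_len: int, auth: str = "hmac-md5-96",
                    block: int = AES_BLOCK) -> int:
    """Bytes on the wire for an inner_len-byte IP packet in ESP tunnel mode
    with a CBC cipher of the given block size and the given integrity algorithm."""
    # Everything from the inner packet through the ESP trailer is encrypted
    # and must be padded up to a whole number of cipher blocks.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return IPV4_HEADER + ESP_HEADER + block + encrypted + ICV_LEN[auth]


def gre_over_ipsec_size(inner_len: int, auth: str = "hmac-md5-96") -> int:
    """Wire size of an inner_len-byte packet sent through gr-0/0/0.0:
    GRE-encapsulated between the loopbacks, then ESP-protected."""
    return esp_tunnel_size(IPV4_HEADER + GRE_HEADER + inner_len, auth)


def max_inner_mtu(underlay_mtu: int = 1500, auth: str = "hmac-md5-96") -> int:
    """Largest GRE-interface MTU whose worst-case packet still fits the underlay."""
    mtu = underlay_mtu
    while gre_over_ipsec_size(mtu, auth) > underlay_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    # The page's values: 1400 on gr-0/0/0.0 is safe, a full 1460-byte
    # st0.0 packet (if anything other than GRE used st0.0) would fragment.
    for label, size in (("1400-byte packet via gr-0/0/0.0", gre_over_ipsec_size(1400)),
                        ("1460-byte packet via st0.0 directly", esp_tunnel_size(1460))):
        print(f"{label}: {size} bytes on the wire"
              f" ({'ok' if size <= 1500 else 'FRAGMENTED'})")
    print("largest safe gr-0/0/0.0 MTU with hmac-md5-96:", max_inner_mtu())
    print("largest safe gr-0/0/0.0 MTU with hmac-sha-256-128:",
          max_inner_mtu(auth="hmac-sha-256-128"))
```

The padding step is why the answer is not simply 1500 minus a fixed overhead: a 1400-byte inner packet becomes 1496 bytes on the wire, but the largest GRE MTU that still fits is 1414, after which the CBC padding rolls over into another 16-byte block. Switching phase 2 to hmac-sha-256-128 adds 4 bytes of ICV and leaves 1414 as the limit, so the page's 1400 stays valid after that hardening.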
- Mikrotik ccr
- OSPF
/routing ospf area
add area-id=0.0.0.66 name=area66
/routing ospf instance
set [ find default=yes ] router-id=172.17.1.1
/routing ospf interface
add interface=lo-srx network-type=point-to-point
add interface=gre-srx network-type=point-to-point
/routing ospf network
add area=area66 network=172.17.1.1/32
add area=area66 network=10.1.1.0/30
- Only the loopback and the GRE link are put into OSPF here. The LAN 192.168.2.0/24 that the check at the end originates from is not, so the SRX has to learn the return route some other way (a third network entry for 192.168.2.0/24, or redistribute-connected on the instance), which the listing does not show.
- IPsec
/ip ipsec policy group
add name=srx
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128-cbc,twofish
add auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8h name=srx100
/ip ipsec peer
add address=1.1.1.2/32 enc-algorithm=aes-128 lifetime=8h local-address=2.2.2.3 nat-traversal=no policy-template-group=srx secret=xapmcnet
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=srx100 sa-dst-address=1.1.1.2 sa-src-address=2.2.2.3 src-address=172.17.1.1/32 tunnel=yes
- The srx100 proposal (aes-128-cbc, md5, 8h = 28800 s) mirrors the SRX phase 2 proposal and the peer's 8h lifetime mirrors the SRX IKE proposal. The phase 1 hash, the DH group and the phase 2 PFS group are left at the RouterOS 6 defaults (sha1, modp1024, modp1024), which happen to match the SRX's sha1, group2 and group2; pin them explicitly (hash-algorithm= and dh-group= on the peer, pfs-group= on the proposal) so that a firmware upgrade changing a default does not silently break the negotiation. The edit of the default proposal is not needed for this tunnel. The policy selects 172.17.1.1/32 to 0.0.0.0/0, while the SRX proxy identity is 172.17.1.1/32 to 172.17.1.2/32; setting dst-address=172.17.1.2/32 makes both ends' selectors identical, and with 0.0.0.0/0 any other traffic sourced from the loopback would also be pulled into the SA. The secret xapmcnet is a placeholder and must be the same long random secret as configured on the SRX.
- Interfaces
- GRE
/interface gre
add !keepalive local-address=172.17.1.1 name=gre-srx remote-address=172.17.1.2
- With keepalive disabled, gre-srx stays in the running state even when the far end is unreachable, so a failure of the tunnel is noticed only by the OSPF dead timer (40 s by default on both platforms) rather than by the interface going down.
- A bridge instead of a loopback
- RouterOS 6 has no loopback interface, so an empty bridge with no ports serves as one: it is always up and carries the 172.17.1.1 address that both the GRE tunnel and the IPsec policy use.
/interface bridge
add name=lo-srx protocol-mode=none
- IP addresses
/ip address
add address=192.168.2.1/24 interface=bridge-local network=192.168.2.0
add address=172.17.1.1 interface=lo-srx network=172.17.1.0
add address=10.1.1.1/30 interface=gre-srx network=10.1.1.0
- Check
- OSPF
show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.1.1         gr-0/0/0.0             Full      172.17.1.1       1    35
- The adjacency with the CCR (router ID 172.17.1.1, GRE address 10.1.1.1) is Full over gr-0/0/0.0; nothing is listed for st0.0, as expected, since it has no address.
- ICMP
- From a Linux host on the CCR's LAN (192.168.2.0/24) to a host behind the SRX on vlan.77:
root@xapmc:/home/xapmc# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 3c:97:0e:65:be:b4
          inet addr:192.168.2.130  Bcast:192.168.2.255  Mask:255.255.255.0
ping 192.168.77.2
PING 192.168.77.2 (192.168.77.2) 56(84) bytes of data.
64 bytes from 192.168.77.2: icmp_seq=1 ttl=62 time=2.89 ms
64 bytes from 192.168.77.2: icmp_seq=2 ttl=62 time=2.64 ms
64 bytes from 192.168.77.2: icmp_seq=3 ttl=62 time=2.84 ms
^C
--- 192.168.77.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 2.643/2.793/2.891/0.107 ms
- Traceroute
traceroute 192.168.77.2
traceroute to 192.168.77.2 (192.168.77.2), 30 hops max, 60 byte packets
 1  192.168.2.1 (192.168.2.1)  0.246 ms  0.323 ms  0.408 ms
 2  10.1.1.2 (10.1.1.2)  4.611 ms  5.146 ms  8.898 ms
 3  192.168.77.2 (192.168.77.2)  10.267 ms  11.220 ms  11.236 ms
- ICMP and traceroute both succeed, and the path (the CCR at 192.168.2.1, then the SRX's GRE address 10.1.1.2, then the target) shows the traffic really goes through the GRE tunnel; the ttl of 62 agrees with two routers on the way. These checks prove reachability, not encryption. To confirm that the GRE packets are actually inside ESP, look at show security ike security-associations and show security ipsec security-associations on the SRX (the encrypted/decrypted counters in show security ipsec statistics should climb while the ping runs) and at /ip ipsec installed-sa print on the CCR. Task solved.