Building a GRE over IPsec Backup Link with MikroTik Routers (51CTO Blog)

2019-03-08 10:42:45 | Author: 南莲 | Tags: links, Japan, USA | Views: 1399

  The company has operations in China, Japan, the United States, Germany, Singapore and other locations. The core business network runs over the company's own GPN (Global Private Network) links. We are now trialling a backup link for network redundancy and failover.

  The initial design: GRE over IPsec, running the OSPF routing protocol.

I. Why GRE over IPsec:

  1. Each site has many subnets, so a routing protocol is needed to interconnect them;

  2. IPsec does not carry multicast, so it cannot transport routing protocols; for carrying a routing protocol it is less convenient than a GRE tunnel;

  3. A GRE tunnel provides no encryption;

  4. So a GRE tunnel is built between the two gateways to run the routing protocol and carry the normal traffic, and IPsec is used to encrypt the whole GRE tunnel; the two therefore have to be combined.

II. Test environment:

  Taking China, Japan and the United States as the example, the basic topology is shown in the figure below. MikroTik RouterOS (ROS for short) acts as router and firewall, with OSPF running in the core. The GPN link behaves like one large layer-2 domain that joins the three sites, equivalent to a leased line, so its quality is better than going straight over the public Internet; it serves as the primary path and is not covered further here. This post mainly describes how to configure the GRE links as a backup, so that traffic switches over to the backup automatically when the GPN link goes down.

Public (WAN) addresses configured on RouterOS:

China: 101.251.x.x

Japan: 205.177.x.x

USA: 38.83.x.x

Internal address ranges of the three sites:

China: 10.13.24.0/22

Japan: 10.13.4.0/22

USA: 10.13.12.0/22

Interconnect addresses between the three sites (taken from the 10.13.253.0/24 range):

China to Japan: 10.13.253.0/30

Japan to USA: 10.13.253.16/30

USA to China: 10.13.253.4/30

GPN link subnet:

10.13.252.0/24


III. Configuration

1. Interfaces on the three routers (ether1/2/3 correspond to WAN / LAN / GPN respectively):

2. IPsec configuration

China:

/ip ipsec peer
     add address=205.177.x.x/32:500 comment="JP Link" auth-method=pre-shared-key secret="mypassword"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=5

     add address=38.83.x.x/32:500 comment="USA Link" auth-method=pre-shared-key secret="mypassword"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec policy
    add src-address=101.251.x.x/32:any dst-address=205.177.x.x/32:any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=101.251.x.x sa-dst-address=205.177.x.x proposal=default
    priority=0

    add src-address=101.251.x.x/32:any dst-address=38.83.x.x/32:any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=101.251.x.x sa-dst-address=38.83.x.x proposal=default
    priority=0

Japan:

/ip ipsec peer
     add address=101.251.x.x/32:500 comment="BJ Link" auth-method=pre-shared-key secret="mypassword"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=5

     add address=38.83.x.x/32:500 comment="USA Link" auth-method=pre-shared-key secret="mypassword"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec policy
    add src-address=205.177.x.x/32:any dst-address=101.251.x.x/32:any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=205.177.x.x sa-dst-address=101.251.x.x proposal=default
    priority=0

    add src-address=205.177.x.x/32:any dst-address=38.83.x.x/32:any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=205.177.x.x sa-dst-address=38.83.x.x proposal=default
    priority=0

USA:

/ip ipsec peer
     add address=101.251.x.x/32:500 comment="BJ Link" auth-method=pre-shared-key secret="mypassword"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=5

     add address=205.177.x.x/32:500 comment="JP Link" auth-method=pre-shared-key secret="mypassword"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec policy
    add src-address=38.83.x.x/32:any dst-address=101.251.x.x/32:any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=38.83.x.x sa-dst-address=101.251.x.x proposal=default
    priority=0

    add src-address=38.83.x.x/32:any dst-address=205.177.x.x/32:any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=38.83.x.x sa-dst-address=205.177.x.x proposal=default
    priority=0

China example screenshot:

3. GRE configuration:

China:

/interface gre
add name=gre-tunnel1 local-address=101.251.x.x remote-address=205.177.x.x
 comment="JP Link"

add name=gre-tunnel2 local-address=101.251.x.x remote-address=38.83.x.x
 comment="USA Link"

/ip address
add address=10.13.253.1/30 interface=gre-tunnel1 network=10.13.253.0 comment="JP Link"
add address=10.13.253.5/30 interface=gre-tunnel2 network=10.13.253.4 comment="USA Link"



Japan:

/interface gre
add name=gre-tunnel1 local-address=205.177.x.x remote-address=101.251.x.x
 comment="BJ Link"

add name=gre-tunnel2 local-address=205.177.x.x remote-address=38.83.x.x
 comment="USA Link"

/ip address
add address=10.13.253.2/30 interface=gre-tunnel1 network=10.13.253.0 comment="BJ Link"
add address=10.13.253.17/30 interface=gre-tunnel2 network=10.13.253.16 comment="USA Link"

USA:

/interface gre
add name=gre-tunnel1 local-address=38.83.x.x remote-address=101.251.x.x
 comment="BJ Link"

add name=gre-tunnel2 local-address=38.83.x.x remote-address=205.177.x.x
 comment="JP Link"

/ip address
add address=10.13.253.6/30 interface=gre-tunnel1 network=10.13.253.4 comment="BJ Link"
add address=10.13.253.18/30 interface=gre-tunnel2 network=10.13.253.16 comment="JP Link"

China example screenshot:


4. OSPF configuration

Advertise the local LAN range, the GPN subnet (10.13.252.0/24) and the GRE interconnect subnets. The GPN link gets the higher priority with cost 10; the GRE tunnels get cost 100:

China:

/routing ospf
 interface add interface=ether2 cost=10
 interface add interface=ether3 cost=10
 interface add interface=gre-tunnel1 cost=100
 interface add interface=gre-tunnel2 cost=100

/routing ospf
 network add network=10.13.24.0/22 area=backbone comment="LAN"
 network add network=10.13.252.0/24 area=backbone comment="GPN"
 network add network=10.13.253.0/30 area=backbone comment="JP Link"
 network add network=10.13.253.4/30 area=backbone comment="USA Link"

Japan:

/routing ospf
 interface add interface=ether2 cost=10
 interface add interface=ether3 cost=10
 interface add interface=gre-tunnel1 cost=100
 interface add interface=gre-tunnel2 cost=100

/routing ospf
 network add network=10.13.4.0/22 area=backbone comment="LAN"
 network add network=10.13.252.0/24 area=backbone comment="GPN"
 network add network=10.13.253.0/30 area=backbone comment="BJ Link"
 network add network=10.13.253.16/30 area=backbone comment="USA Link"

USA:

/routing ospf
 interface add interface=ether2 cost=10
 interface add interface=ether3 cost=10
 interface add interface=gre-tunnel1 cost=100
 interface add interface=gre-tunnel2 cost=100

/routing ospf
 network add network=10.13.12.0/22 area=backbone comment="LAN"
 network add network=10.13.252.0/24 area=backbone comment="GPN"
 network add network=10.13.253.4/30 area=backbone comment="BJ Link"
 network add network=10.13.253.16/30 area=backbone comment="JP Link"

Beijing example screenshot:

IV. Verification

1. Check that OSPF has come up:

2. Shut down the GPN interface and check whether the OSPF routes switch over to the GRE tunnels automatically:

The failover to the backup line succeeded. After the GPN interface was brought back up, the routes switched back to the GPN link automatically.

Success!

V. Optimization

  Only three sites were used in this post, and the backup OSPF cost was set to 100 on all of them. A real deployment will have more than three sites; the OSPF cost can then be set to the point-to-point latency, so that when traffic fails over to the backup OSPF chooses the path with the lowest latency, which is also the best path. For example, the Internet latency between China and Japan is about 55 ms, so the GRE tunnel's OSPF cost can be set to 55.
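The per-site GRE, address and OSPF blocks in section III are mirror images of each other, and section V wants a per-link cost derived from latency; the added example below (written for this edit, not code from the original post or from MikroTik) records each link once per site pair and derives both routers' RouterOS lines from that record, so the two tunnel ends cannot disagree on local/remote address or /30. The public IPs and RTT values are constructed placeholders; the 10.13.253.0/24 pool and the GPN cost of 10 are the post's own.

```python
# Added example, not from the original post: record each GRE-over-IPsec link once
# per site pair and derive both routers' lines from that record, so the two ends
# cannot disagree on local/remote address or /30 (an easy slip when hand-copying
# symmetric configs). Public IPs and RTTs below are constructed placeholders.
from itertools import combinations
import ipaddress

SITES = {"BJ": "101.251.0.1", "JP": "205.177.0.1", "USA": "38.83.0.1"}  # constructed
RTT_MS = {("BJ", "JP"): 55, ("BJ", "USA"): 180, ("JP", "USA"): 120}   # constructed
LINK_POOL = ipaddress.ip_network("10.13.253.0/24")  # interconnect pool from the post
GPN_COST = 10                                       # primary (GPN) cost from the post

def build_links(sites=SITES, rtt=RTT_MS):
    """One record per pair: a /30 from the pool, each end's host address, and an
    OSPF cost taken from the RTT (section V), clamped so a backup never beats GPN."""
    subnets = LINK_POOL.subnets(new_prefix=30)
    links = []
    for a, b in combinations(sorted(sites), 2):  # sorted => deterministic numbering
        net = next(subnets)
        ha, hb = list(net.hosts())[:2]
        cost = max(rtt.get((a, b), 100), GPN_COST + 1)
        links.append({"ends": (a, b), "net": net, "addr": {a: ha, b: hb}, "cost": cost})
    return links

def site_links(site, links, sites=SITES):
    """The tunnels as seen from one router, with the values it must configure."""
    out = []
    for l in (l for l in links if site in l["ends"]):
        peer = l["ends"][1] if l["ends"][0] == site else l["ends"][0]
        out.append({"peer": peer, "local": sites[site], "remote": sites[peer],
                    "address": f"{l['addr'][site]}/30", "cost": l["cost"],
                    "network": str(l["net"].network_address)})
    return out

def render(site, links, sites=SITES):
    """RouterOS v6 lines for one router, one tunnel per peer (parameters as in the post)."""
    lines = []
    for n, t in enumerate(site_links(site, links, sites), 1):
        name = f"gre-tunnel{n}"
        lines += [f'/interface gre add name={name} local-address={t["local"]} '
                  f'remote-address={t["remote"]} comment="{t["peer"]} Link"',
                  f'/ip address add address={t["address"]} interface={name} '
                  f'network={t["network"]} comment="{t["peer"]} Link"',
                  f'/routing ospf interface add interface={name} cost={t["cost"]}',
                  f'/routing ospf network add network={t["network"]}/30 area=backbone '
                  f'comment="{t["peer"]} Link"']
    return "\n".join(lines)
```

The IPsec peer and policy lines are left to the post's own blocks; note that their 3DES/SHA1/modp1024 proposal and disabled DPD are legacy choices, and a current deployment would use AES with SHA2, a larger DH group and DPD enabled so that a dead peer is detected before OSPF has to notice it.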



