Network environment: the client is a RouterOS device sitting behind the carrier's router on a metro-area (carrier-private) subnet, i.e. it has no public IP; the server is a RouterOS device with a public IP.
This article addresses the ISP rate-limiting every tunnel protocol for RouterOS devices that only have a metro-area IP. For the details of that rate-limiting, see my other article:
https://www.cnblogs.com/itfat/p/13326602.html
Recommended speed-test tool:
https://www.cnblogs.com/itfat/p/13346324.html
Topology diagram: (the image is not reproduced in this copy)
Server-side configuration:
(1) Create the CA and server certificates:
The common name should contain the IP or DNS name of the server;
the SAN (subject alternative name) should contain the IP or DNS name of the server;
EKU (extended key usage) is required: tls-server on the server certificate (as in the command below) and tls-client on the client certificate created in step (7).
/certificate
add common-name=ca name=ca
sign ca ca-crl-host=2.2.2.2
add common-name=2.2.2.2 subject-alt-name=IP:2.2.2.2 key-usage=tls-server name=server1
sign server1 ca=ca
(2)Now that valid certificates are created on the router, add new Phase 1 profile and Phase 2 proposal entries with pfs-group=none.
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
(3)Mode config is used for address distribution from IP/Pools.
The addresses IPsec hands out automatically are 192.168.77.2-192.168.77.254 (each client gets a /32). With split-include=10.5.8.0/24, only traffic for the server side's 10.5.8.0/24 is sent through the tunnel; if clients should send everything through the tunnel, leave split-include unset.
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-include=10.5.8.0/24
(4)Since that the policy template must be adjusted to allow only specific network policies, it is advised to create a separate policy group and template.
Create a new group ike2-policies, disable the default IPsec policy to avoid interference, and create a policy template (template=yes) with destination 192.168.77.0/24 and any source address.
/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
(5)Create a new IPsec peer entry which will listen to all incoming IKEv2 requests.
Create a peer entry; since this side is the IKEv2 server, set passive=yes.
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
(6) The identity menu allows matching specific remote peers and assigning a different configuration to each of them. First, create a default identity that accepts all peers but verifies each peer's identity with its certificate.
Create the identity with certificate authentication: older releases use auth-method=rsa-signature, newer releases use auth-method=digital-signature.
RouterOS v6.45.1 and later:
/ip ipsec identity
add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
RouterOS before v6.45.1:
/ip ipsec identity
add auth-method=rsa-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
(7) Generate a new certificate for the client and sign it with the previously created CA.
/certificate
add common-name=rw-client1 name=rw-client1 key-usage=tls-client
sign rw-client1 ca=ca
(8)PKCS12 format is accepted by most of client implementations, so when exporting the certificate, make sure PKCS12 is specified.
Export the client certificate in PKCS12 format with the export passphrase 1234567890 (a placeholder: use a strong passphrase, and remove the exported file from the router's file list once it has been copied off, since it contains the client's private key).
Typically PKCS12 bundle contains also CA certificate, but some vendors may not install this CA, so self-signed CA certificate must be exported separately using PEM format.
When importing, a PKCS12 bundle normally means the CA certificate does not have to be imported separately. If the client cannot use the bundle, export in PEM format (the .crt file) together with the CA certificate file.
/certificate
export-certificate rw-client1 export-passphrase=1234567890 type=pkcs12
(9) Since the LAN behind ether2-lan is 10.5.8.0/24, traffic arriving through the tunnel from 192.168.77.0/24 has to be masqueraded, otherwise it cannot reach the 10.5.8.0/24 resources (the LAN hosts do not route 192.168.77.0/24 back through this router; a return route on their gateway would be the alternative to NAT).
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-lan
(10) Known limitations:
Here is a list of known limitations by popular client software IKEv2 implementations.
Windows will always ignore networks received by split-include and request policy with destination 0.0.0.0/0 (TSr). When IPsec-SA is generated, Windows requests DHCP option 249 to which RouterOS will respond with configured split-include networks automatically.
Both Apple macOS and iOS will only accept the first split-include network.
Both Apple macOS and iOS will use the DNS servers from system-dns and static-dns parameters only when 0.0.0.0/0 split-include is used.
While some implementations can make use of different PFS group for phase 2, it is advised to use pfs-group=none under proposals to avoid any compatibility issues.
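As an added example that is not part of the original article (and not a MikroTik tool), here is a small Python linter for the settings this section depends on: the server certificate's SAN and tls-server usage, legacy algorithms in profiles and proposals, the pfs-group=none choice, and the length of any pre-shared key. It runs over a constructed export built from the commands above plus one deliberately broken certificate (the hostname vpn.example.net is made up) and one deliberately weak proposal; point it at the text of /export from the server or client to check a real configuration.

```python
"""Lint a RouterOS IPsec export for the settings this article depends on.

Added example; it is not part of the original article and not a RouterOS
tool. It parses the export syntax RouterOS prints ('/menu' lines followed by
'add key=value ...' lines) and reports:
  * a tls-server certificate without a subject-alt-name, or whose SAN does
    not cover the common-name,
  * legacy algorithms (des, 3des, md5, sha1, null) in profiles/proposals,
  * pfs-group=none (the article uses it for client compatibility, but it
    removes forward secrecy for the child SA, so it should be a conscious choice),
  * pre-shared-key identities whose secret is shorter than MIN_PSK_LEN.
SAMPLE_EXPORT is constructed: the article's own commands plus one deliberately
bad certificate ("nosan", hostname vpn.example.net is made up) and one
deliberately weak proposal ("legacy").
"""
import shlex

LEGACY = {"des", "3des", "md5", "sha1", "null"}
MIN_PSK_LEN = 20

SAMPLE_EXPORT = """
# constructed sample, not a real router export
/certificate
add common-name=ca name=ca
add common-name=2.2.2.2 subject-alt-name=IP:2.2.2.2 key-usage=tls-server name=server1
add common-name=vpn.example.net key-usage=tls-server name=nosan
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
add auth-algorithms=sha1 enc-algorithms=3des name=legacy pfs-group=modp1024
/ip ipsec identity
add auth-method=pre-shared-key secret=12345678 generate-policy=port-strict peer=ike2
"""


def parse_export(text):
    """Return [(menu, {key: value}), ...] for every 'add' line under a '/menu'."""
    entries, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            kv = {}
            for token in shlex.split(line[4:]):  # handles secret="with spaces"
                key, _, value = token.partition("=")
                kv[key] = value
            entries.append((menu, kv))
    return entries


def lint(text):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    for menu, kv in parse_export(text):
        label = kv.get("name") or kv.get("peer") or "?"
        if menu == "/certificate" and "tls-server" in kv.get("key-usage", ""):
            san = kv.get("subject-alt-name", "")
            if not san:
                findings.append(f"certificate {label}: tls-server certificate has no subject-alt-name")
            elif kv.get("common-name", "") not in san:
                findings.append(f"certificate {label}: common-name is not covered by SAN {san}")
        if menu in ("/ip ipsec profile", "/ip ipsec proposal"):
            kind = menu.rsplit(" ", 1)[1]
            for key in ("enc-algorithm", "enc-algorithms", "hash-algorithm", "auth-algorithms"):
                for alg in filter(None, kv.get(key, "").split(",")):
                    if alg in LEGACY:
                        findings.append(f"{kind} {label}: legacy algorithm {alg} in {key}")
        if menu == "/ip ipsec proposal" and kv.get("pfs-group") == "none":
            findings.append(f"proposal {label}: pfs-group=none, no forward secrecy for the child SA")
        if menu == "/ip ipsec identity" and kv.get("auth-method") == "pre-shared-key":
            n = len(kv.get("secret", ""))
            if n < MIN_PSK_LEN:
                findings.append(f"identity {label}: pre-shared-key secret is {n} characters, want at least {MIN_PSK_LEN}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

The pfs-group=none finding is informational: the article (and the MikroTik wiki it follows) chooses it for compatibility with Windows and Apple clients, and when both ends are RouterOS, as in the topology here, a PFS group can be set on both proposals instead.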
Client-side configuration:
(1)Import a PKCS12 format certificate in RouterOS.
Import the client certificate; the passphrase is 1234567890.
/certificate import file-name=cert_export_rw-client1.p12 passphrase=1234567890
(2)It is advised to create a separate Phase 1 profile and Phase 2 proposal configurations to not interfere with any existing IPsec configuration.
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-rw
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-rw pfs-group=none
(3)While it is possible to use the default policy template for policy generation, it is better to create a new policy group and template to separate this configuration from any other IPsec configuration.
Create a new group ike2-rw, disable the default IPsec policy to avoid interference, and create a policy template (template=yes) with any source and any destination address.
/ip ipsec policy group
add name=ike2-rw
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes
(4)Create a new mode config entry with responder=no that will request configuration parameters from the server.
There are many hosts behind the client router, so create an address list for them and reference it in the mode-config (src-address-list=local).
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
(5)Verify correct source NAT rule is dynamically generated when the tunnel is established.
With the mode-config above, RouterOS automatically generates a source NAT rule: everything whose source is in the local list and whose destination is outside it is translated to the address the tunnel assigned (192.168.77.254 here).
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=192.168.77.254 src-address-list=local dst-address-list=!local
(6)Lastly, create peer and identity configurations.
Create the peer and identity configuration using certificates; older releases use rsa-signature, newer releases use digital-signature.
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
RouterOS v6.45.1 and later:
/ip ipsec identity
add auth-method=digital-signature certificate=cert_export_rw-client1.p12_0 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
RouterOS before v6.45.1:
/ip ipsec identity
add auth-method=rsa-signature certificate=cert_export_rw-client1.p12_0 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
/ip route
add distance=1 gateway=pppoe-out1
# The route below is the key one: traffic to the remote 10.5.8.0/24 is sent with source IP 192.168.88.100, the address of the local LAN interface (in theory 192.168.77.254 should work as well). Without it, running PPTP or OSPF over the IPsec tunnel later will not work: packets the router itself originates would otherwise be sourced from the pppoe-out1 address, which is not in the local list, so they would neither hit the dynamic srcnat rule nor match the generated IPsec policy, and would be sent plain over the PPPoE link instead of through the tunnel.
add distance=1 dst-address=10.5.8.0/24 gateway=pppoe-out1 pref-src=192.168.88.100
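The reasoning behind the pref-src route, as an added example that is not part of the original article: a small Python model of source-address selection, the dynamic srcnat rule and the generated policy on the client router. The pppoe-out1 address (100.64.0.10) is an assumed value; everything else is taken from the configuration above. It also runs the guess that pref-src=192.168.77.254 would work; the model agrees, but it does not check whether RouterOS accepts a pref-src that is not configured on an interface.

```python
"""Why the pref-src route is needed for traffic the client router itself sends.

Added example; not part of the original article and not RouterOS code. It
models the three steps a packet originated by the client router goes through:
  1. route lookup chooses the source address: the route's pref-src if set,
     otherwise the address of the outgoing interface (pppoe-out1),
  2. the dynamic mode-config srcnat rule shown in the article
     (src-address-list=local, dst-address-list=!local, to 192.168.77.254),
  3. the IPsec policy generated on the client (src 192.168.77.254/32,
     dst 10.5.8.0/24): only packets matching it are encrypted.
The pppoe-out1 address 100.64.0.10 is an assumed value; the rest comes from
the article's configuration.
"""
import ipaddress

LOCAL = [ipaddress.ip_network("192.168.88.0/24")]       # /ip firewall address-list local
TUNNEL_ADDR = ipaddress.ip_address("192.168.77.254")    # address assigned by mode-config
POLICY_SRC = ipaddress.ip_network("192.168.77.254/32")  # generated policy, port-strict
POLICY_DST = ipaddress.ip_network("10.5.8.0/24")        # split-include from the server
PPPOE_ADDR = ipaddress.ip_address("100.64.0.10")        # assumed pppoe-out1 address
LAN_ADDR = ipaddress.ip_address("192.168.88.100")       # LAN address used as pref-src

DEFAULT_ONLY = [(ipaddress.ip_network("0.0.0.0/0"), None)]
WITH_PREF_SRC = DEFAULT_ONLY + [(ipaddress.ip_network("10.5.8.0/24"), LAN_ADDR)]
WITH_TUNNEL_PREF_SRC = DEFAULT_ONLY + [(ipaddress.ip_network("10.5.8.0/24"), TUNNEL_ADDR)]


def in_list(addr, networks):
    return any(addr in net for net in networks)


def pick_source(dst, routes):
    """Longest-prefix match over (prefix, pref_src); no pref-src means the interface address."""
    best = None
    for prefix, pref_src in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, pref_src)
    return best[1] if best and best[1] is not None else PPPOE_ADDR


def dynamic_srcnat(src, dst):
    """The srcnat rule RouterOS generates from mode-config src-address-list=local."""
    if in_list(src, LOCAL) and not in_list(dst, LOCAL):
        return TUNNEL_ADDR
    return src


def trace(dst_text, routes):
    """Return (chosen source, source after NAT, encrypted?) for a router-originated packet."""
    dst = ipaddress.ip_address(dst_text)
    src = pick_source(dst, routes)
    nat_src = dynamic_srcnat(src, dst)
    encrypted = nat_src in POLICY_SRC and dst in POLICY_DST
    return str(src), str(nat_src), encrypted


if __name__ == "__main__":
    for label, routes in (("default route only", DEFAULT_ONLY),
                          ("pref-src=192.168.88.100", WITH_PREF_SRC),
                          ("pref-src=192.168.77.254", WITH_TUNNEL_PREF_SRC)):
        print(f"{label:28s} -> {trace('10.5.8.1', routes)}")
    # A LAN host's forwarded packet never needs the route: its source is already in 'local'.
    print("LAN host 192.168.88.20 ->", dynamic_srcnat(ipaddress.ip_address("192.168.88.20"),
                                                      ipaddress.ip_address("10.5.8.1")))
```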
Follow-up:
Once the IKEv2 IPsec tunnel is up, if you want OSPF to learn the routes on both sides, create a PPTP server on the server-side RouterOS and a PPTP client on the client-side RouterOS, then run OSPF over that link. I have tested this and it works.
In short, OSPF on top of IPsec is entirely feasible, and very fast! Note that the PPTP link is only a point-to-point carrier for OSPF inside the IPsec tunnel; the IPsec SA, not PPTP's own encryption, is what protects the traffic.
I also redid the setup without certificates, using a pre-shared key instead (the secret 12345678 below is a placeholder: choose a long random secret, because a short PSK can be recovered by dictionary attack, and prefer the certificate setup above where the clients support it):
Server:
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-include=10.5.8.0/24
/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec identity
add auth-method=pre-shared-key secret=12345678 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-lan
Client:
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-rw
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-rw pfs-group=none
/ip ipsec policy group
add name=ike2-rw
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
/ip ipsec identity
add auth-method=pre-shared-key secret=12345678 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
/ip route
add distance=1 dst-address=10.5.8.0/24 gateway=pppoe-out1 pref-src=192.168.88.100
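As an added example (not from the original article, and not RouterOS code), here is the IKEv2 pre-shared-key AUTH computation from RFC 7296 section 2.15 in Python, to make the caveat about secret=12345678 concrete. It assumes HMAC-SHA-256 as the PRF, which is what hash-algorithm=sha256 in the profile selects, and uses constructed signed octets and a constructed wordlist.

```python
"""Why secret=12345678 is a weak pre-shared key for IKEv2.

Added example; not part of the original article and not RouterOS code. It
implements the IKEv2 PSK authentication payload from RFC 7296 section 2.15,
    AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> ),
with prf = HMAC-SHA-256 (the PRF that goes with the profile's hash-algorithm=sha256),
then shows that whoever holds the initiator's SignedOctets and AUTH payload can
test PSK guesses offline at HMAC speed. An attacker obtains those by posing as
the responder (the initiator sends its AUTH first), so the only protection is
the size of the PSK space. SIGNED_OCTETS and WORDLIST are constructed data.
"""
import hashlib
import hmac
import itertools
import os
import time

KEY_PAD = b"Key Pad for IKEv2"   # fixed string from RFC 7296 section 2.15


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(psk, signed_octets):
    """RFC 7296 2.15: AUTH = prf(prf(PSK, KEY_PAD), SignedOctets)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def dictionary_attack(auth, signed_octets, candidates):
    """Return the first candidate PSK whose AUTH matches, or None. Offline only."""
    for cand in candidates:
        if hmac.compare_digest(ikev2_psk_auth(cand, signed_octets), auth):
            return cand
    return None


def digit_pins(length):
    """Every all-digit secret of the given length, the space '12345678' lives in."""
    for digits in itertools.product(b"0123456789", repeat=length):
        yield bytes(digits)


def guesses_per_second(signed_octets, n=20000):
    """Measure single-core pure-Python throughput by running n non-matching guesses."""
    t0 = time.perf_counter()
    dictionary_attack(bytes(32), signed_octets, itertools.islice(digit_pins(8), n))
    return n / (time.perf_counter() - t0)


# Stand-in for RealMessage1 | NonceRData | prf(SK_pi, IDi'); the real values are
# known to the (fake) responder, so the exact bytes do not matter for the attack.
SIGNED_OCTETS = os.urandom(64)
WORDLIST = [b"password", b"mikrotik", b"12345678", b"admin123"]   # constructed

if __name__ == "__main__":
    captured_auth = ikev2_psk_auth(b"12345678", SIGNED_OCTETS)
    print("recovered from wordlist:", dictionary_attack(captured_auth, SIGNED_OCTETS, WORDLIST))
    rate = guesses_per_second(SIGNED_OCTETS)
    print(f"pure-Python rate: {rate:,.0f} guesses/s; all 10^8 eight-digit PSKs in {1e8 / rate:,.0f} s")
    print(f"a 20-character random base64 secret has 64**20 = 2**{20 * 6} possibilities")
```

The point is that the PSK enters the exchange only through one HMAC, so nothing slows a guess down; the attacker needs an active position (getting the client to talk to it instead of 2.2.2.2), but after that the work is purely offline. A long random secret makes the search space hopeless; certificates, as in the first half of this article, remove the shared secret altogether.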