Network environment: the client is a RouterOS device on a subnet behind another router (that is, it has no public IP, only a metro-area-network IP); the server is a RouterOS device with a public IP.
This article addresses the problem of ISPs rate-limiting every tunnel protocol for RouterOS devices that only have a metro-area-network IP. For the specific rate-limiting behaviour, see my other article:
https://www.cnblogs.com/itfat/p/13326602.html
Recommended speed-test tool:
https://www.cnblogs.com/itfat/p/13346324.html
Topology diagram:
The configuration is explained in another of my articles:
https://www.cnblogs.com/itfat/p/13390467.html
Server side:
Create a loopback interface; its IP is used as the server-side endpoint of the IPsec tunnel.
/interface bridge
add name=loopback-ipsec
/ip address
add address=172.16.99.1 interface=loopback-ipsec network=172.16.99.1
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
Use a 30-bit subnet mask: the link is point-to-point, so the assigned range holds just two IPs, the server's included.
/ip ipsec mode-config
add address=172.16.99.2 address-prefix-length=30 name=ike2-conf split-include=172.16.99.1/32 system-dns=no
/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add dst-address=172.16.99.2/32 group=ike2-policies proposal=ike2 src-address=172.16.99.1/32 template=yes
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec identity
add generate-policy=port-strict mode-config=ike2-conf peer=ike2 secret=密碼 policy-template-group=ike2-policies
Client side:
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-rw
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-rw pfs-group=none
/ip ipsec policy group
add name=ike2-rw
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add dst-address=172.16.99.1/32 src-address=172.16.99.2/32 group=ike2-rw proposal=ike2-rw template=yes
/ip ipsec peer
add address=ipsec服務端公網IP/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
Note: although we do not configure mode-config on the client, the default value request-only must still be written here.
/ip ipsec identity
add generate-policy=port-strict mode-config=request-only peer=ike2-rw-client policy-template-group=ike2-rw secret=密碼
The above brings the IPsec tunnel up. Next, create the GRE tunnel on both sides and assign the tunnel IPs at the same time.
Server side:
/interface gre
add local-address=172.16.99.1 name=gre-ipsec-to-yanfasanqu remote-address=172.16.99.2
/ip address
add address=172.16.101.1 interface=gre-ipsec-to-yanfasanqu network=172.16.101.2
Finally, bring up OSPF; for a point-to-point network, enter the peer IP directly.
/routing ospf network
add area=backbone network=172.16.101.2/32
Client side:
/interface gre
add local-address=172.16.99.2 name=gre-ipsec-to-hangzhou remote-address=172.16.99.1
/ip address
add address=172.16.101.2 interface=gre-ipsec-to-hangzhou network=172.16.101.1
/routing ospf network
add area=backbone network=172.16.101.1/32
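Added example (my own Python script, not code from the post or from MikroTik): a pre-flight check that takes the server and client commands above, rewritten in the one-line "menu add key=value" form RouterOS also accepts, and verifies the relationships the tunnel depends on before you paste them in: identical IKE and ESP algorithms on both ends, mirrored policy and GRE endpoints, the mode-config address matching the client's policy source, the GRE endpoint sitting inside the IPsec policy, and the public-IP side being the only passive peer. The server public IP 203.0.113.10 is a constructed placeholder.

```python
# Constructed copies of the post's configs; 203.0.113.10 is a placeholder for the server public IP.
SERVER = """
/ip ipsec profile add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
/ip ipsec mode-config add address=172.16.99.2 address-prefix-length=30 name=ike2-conf split-include=172.16.99.1/32 system-dns=no
/ip ipsec policy add dst-address=172.16.99.2/32 group=ike2-policies proposal=ike2 src-address=172.16.99.1/32 template=yes
/ip ipsec peer add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/interface gre add local-address=172.16.99.1 name=gre-ipsec-to-yanfasanqu remote-address=172.16.99.2
"""
CLIENT = """
/ip ipsec profile add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-rw
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-rw pfs-group=none
/ip ipsec policy add dst-address=172.16.99.1/32 src-address=172.16.99.2/32 group=ike2-rw proposal=ike2-rw template=yes
/ip ipsec peer add address=203.0.113.10/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
/interface gre add local-address=172.16.99.2 name=gre-ipsec-to-hangzhou remote-address=172.16.99.1
"""

def parse(text):
    """Map each menu path to the key=value pairs of its 'add' line."""
    cfg = {}
    for line in text.strip().splitlines():
        menu, _, args = line.partition(" add ")
        cfg[menu] = dict(kv.split("=", 1) for kv in args.split())
    return cfg

def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the two ends agree."""
    s, c, problems = parse(server_text), parse(client_text), []
    # IKE (profile) and ESP (proposal) algorithms must be identical on both ends.
    for menu, keys in (("/ip ipsec profile", ["enc-algorithm", "hash-algorithm"]),
                       ("/ip ipsec proposal", ["enc-algorithms", "auth-algorithms", "pfs-group"])):
        problems += [f"{menu}: {k} differs" for k in keys if s[menu][k] != c[menu][k]]
    # Policy selectors and GRE endpoints must be mirror images of each other.
    for menu, a, b in (("/ip ipsec policy", "src-address", "dst-address"),
                       ("/interface gre", "local-address", "remote-address")):
        if (s[menu][a], s[menu][b]) != (c[menu][b], c[menu][a]):
            problems.append(f"{menu}: {a}/{b} not mirrored")
    # The address mode-config hands out must be the client's policy source.
    if c["/ip ipsec policy"]["src-address"] != s["/ip ipsec mode-config"]["address"] + "/32":
        problems.append("mode-config address != client policy src-address")
    # GRE must sit inside the policy selectors, otherwise it leaves unencrypted.
    if s["/interface gre"]["local-address"] + "/32" != s["/ip ipsec policy"]["src-address"]:
        problems.append("server GRE local-address outside the IPsec policy")
    # Only the public-IP side is the passive responder; the NATed side initiates.
    if s["/ip ipsec peer"].get("passive") != "yes" or c["/ip ipsec peer"].get("passive") == "yes":
        problems.append("peer roles: server must be passive, client must initiate")
    return problems
```

Run check_pair(SERVER, CLIENT) after editing either side; any string it returns names a mismatch that would keep the IKEv2 SA or the GRE tunnel from coming up.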