返回列表 發帖
moses

Rank: 1
1# 跳轉到 » 倒序看帖
打印
tT
發表於 2015-2-28 12:37 | 只看該作者

[VPN] 双动态IP; IPSEC; Site to Site VPN

ipsec, sitetosite, vpn, 双动态ip
需求描述:
site a: 内部192.168.11.0/24 外部电信FTTB线路, PPPoE获取动态公网IP
site b: 内部172.16.10.0/24  外部电信xDSL线路, PPPoE获取动态公网IP
site a, b 能够相互访问, 采用自带的Cloud DNS Name 标识双方; 采用IPSEC加密通信, 任意一边断线后重新自动建立IPSEC恢复通信.

配置过程:
site a:
  1. /ip ipsec peer
  2. add address=200.200.200.200/32 enc-algorithm=aes-128 nat-traversal=no secret=111111
複製代碼
这里地址填写site b的公网地址; enc-algorithm与site b设定一致; secret随意且与site b设定一致.
  1. /ip ipsec policy
  2. add dst-address=172.16.10.0/24 sa-dst-address=200.200.200.200 sa-src-address=100.100.100.100 src-address=192.168.11.0/24 tunnel=yes
複製代碼
这里src-address填写site a内网地址段; dst-address填写site b内网地址段; sa-src-address填写site a公网ip; sa-dst-address填写site b公网ip; tunnel设定为yes
  1. /ip firewall nat
  2. add chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.11.0/24
複製代碼
这里dst-address填写site b内网地址段; src-address填写site a内网地址段; 将此条放置在第一条.
  1. #-----------
  2. #site to site ipsec tunel vpn, no actual interface, no OSPF!
  3. #script by moses
  4. #-----------

  6. #-----------
  7. #setting
  8. :global localsite "aaaaaaaaaaaa.sn.mynetname.net"
  9. #这里引号内为site a的Cloud DNS Name
  10. :global remotesite "bbbbbbbbbbbb.sn.mynetname.net"
  11. #这里引号内为site b的Cloud DNS Name
  12. :global vpninterface "pppoe-out1"
  13. #这里引号内为site a拨号接口
  14. #-----------

  16. #-----------
  17. #:global localcurrentip [:resolve $localsite]
  18. :global localcurrentip [:pick [/ip address get [find interface=$vpninterface] address] 0 [:find [/ip address get [find interface=$vpninterface] address] "/"]]
  19. :global localpreviousip
  20. :global remotecurrentip [:resolve $remotesite]
  21. :global remotepreviousip
  22. #-----------

  24. #-----------
  25. :if (($localcurrentip != $localpreviousip) || ($remotecurrentip != $remotepreviousip)) do= {
  26. /ip ipsec peer set 0 address=$remotecurrentip
  27. /ip ipsec policy set 1 sa-src-address=$localcurrentip sa-dst-address=$remotecurrentip
  28. /ip ipsec remote-peers kill-connections
  29. :set localpreviousip $localcurrentip
  30. :set remotepreviousip $remotecurrentip
  31. :log warning "IPSEC RESET! L:$localcurrentip R:$remotecurrentip"
  32. } else= {
  33. #:log info "no change"
  34. }
  35. #-----------
複製代碼
这个脚本命名为chkipsec, 在scheduler中每分钟调用一次就好.



site b:
  1. /ip ipsec peer
  2. add address=100.100.100.100/32 enc-algorithm=aes-128 nat-traversal=no secret=111111
複製代碼
这里地址填写site a的公网地址; enc-algorithm与site a设定一致; secret随意且与site a设定一致.
  1. /ip ipsec policy
  2. add dst-address=192.168.11.0/24 sa-dst-address=100.100.100.100 sa-src-address=200.200.200.200 src-address=172.16.10.0/24 tunnel=yes
複製代碼
这里src-address填写site b内网地址段; dst-address填写site a内网地址段; sa-src-address填写site b公网ip; sa-dst-address填写site a公网ip; tunnel设定为yes
  1. /ip firewall nat
  2. add chain=srcnat dst-address=192.168.11.0/24 src-address=172.16.10.0/24
複製代碼
这里dst-address填写site a内网地址段; src-address填写site b内网地址段; 将此条放置在第一条.
  1. #-----------
  2. #site to site ipsec tunel vpn, no actual interface, no OSPF!
  3. #script by moses
  4. #-----------

  6. #-----------
  7. #setting
  8. :global localsite "bbbbbbbbbbbb.sn.mynetname.net"
  9. #这里引号内为site b的Cloud DNS Name
  10. :global remotesite "aaaaaaaaaaaa.sn.mynetname.net"
  11. #这里引号内为site a的Cloud DNS Name
  12. :global vpninterface "pppoe-out1"
  13. #这里引号内为site b拨号接口
  14. #-----------

  16. #-----------
  17. #:global localcurrentip [:resolve $localsite]
  18. :global localcurrentip [:pick [/ip address get [find interface=$vpninterface] address] 0 [:find [/ip address get [find interface=$vpninterface] address] "/"]]
  19. :global localpreviousip
  20. :global remotecurrentip [:resolve $remotesite]
  21. :global remotepreviousip
  22. #-----------

  24. #-----------
  25. :if (($localcurrentip != $localpreviousip) || ($remotecurrentip != $remotepreviousip)) do= {
  26. /ip ipsec peer set 0 address=$remotecurrentip
  27. /ip ipsec policy set 1 sa-src-address=$localcurrentip sa-dst-address=$remotecurrentip
  28. /ip ipsec remote-peers kill-connections
  29. :set localpreviousip $localcurrentip
  30. :set remotepreviousip $remotecurrentip
  31. :log warning "IPSEC RESET! L:$localcurrentip R:$remotecurrentip"
  32. } else= {
  33. #:log info "no change"
  34. }
  35. #-----------
複製代碼
这个脚本命名为chkipsec, 在scheduler中每分钟调用一次就好.
收藏 分享

gfx86674

Rank: 1
2#
發表於 2015-8-7 21:38 | 只看該作者
需求描述:
site a: 内部192.168.11.0/24 外部电信FTTB线路, PPPoE获取动态公网IP
site b: 内部172.16.10.0/ ...
moses 發表於 2015-2-28 12:37
  1. :global localcurrentip [:pick [/ip address get [find interface=$vpninterface] address] 0 [:find [/ip address get [find interface=$vpninterface] address] "/"]]
複製代碼
抓取interface address這段script太長了,事實不必那麼麻煩:

假設要抓interface=pppoe-out1的address ,只要這樣宣告即可:
  1. :global localcurrentip
  2. /interface pppoe-client monitor pppoe-out1 once do={:set localcurrentip $"local-address"}
複製代碼
這樣pppoe-out1的address就會存到localcurrentip裡去了.

TOP

返回列表