网络环境,客户端是路由下面的子网掩码的ROS(也就是没有公网IP,为城域网的ROS),服务端是具有公网IP的ROS。
该文章可以解决运营商对于只有城域网IP的ROS,对于各种隧道协议全部限速的问题,具体限速情况,可以看我其他的文章:
https://www.cnblogs.com/itfat/p/13326602.html
测速推荐工具:
https://www.cnblogs.com/itfat/p/13346324.html
拓扑图:
服务端配置:
(1)创建CA和SERVER证书:
Common name should contain IP or DNS name of the server;
SAN (subject alternative name) should have IP or DNS of the server;
EKU (extended key usage) tls-server and tls-client are required.
/certificate
add common-name=ca name=ca
sign ca ca-crl-host=2.2.2.2
add common-name=2.2.2.2 subject-alt-name=IP:2.2.2.2 key-usage=tls-server name=server1
sign server1 ca=ca
(2)Now that valid certificates are created on the router, add new Phase 1 profile and Phase 2 proposal entries with pfs-group=none.
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
(3)Mode config is used for address distribution from IP/Pools.
ipsec自动获取的IP范围为192.168.77.2-192.168.77.254,而这个IP段,我们只允许访问服务端的split-include=10.5.8.0/24,如果你想允许访问任何IP,那么split-include不用配置
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-include=10.5.8.0/24
(4)Since that the policy template must be adjusted to allow only specific network policies, it is advised to create a separate policy group and template.
创建一个新的组ike2-policies,禁用默认的ipsec policy避免干扰,创建ipsec传输模式template=yes,目的地址是192.168.77.0/24,源地址任意。
/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
(5)Create a new IPsec peer entry which will listen to all incoming IKEv2 requests.
创建一个对端节点,因为这里是ikev2的服务端,那么passive=yes
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
(6)Identity menu allows to match specific remote peers and assign different configuration for each one of them. First, create a default identity, that will accept all peers, but will verify the peer's identity with its certificate.
创建验证方法,使用证书,老版本用命令rsa-signature,新版本用digital-signature
ros v6.45.1以后:
/ip ipsec identity
add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
ros v6.45.1以前:
/ip ipsec identity
add auth-method=rsa-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
(7)To generate a new certificate for the client and sign it with previously created CA.
创建客户端证书,并用ca证书进行签名。
/certificate
add common-name=rw-client1 name=rw-client1 key-usage=tls-client
sign rw-client1 ca=ca
(8)PKCS12 format is accepted by most of client implementations, so when exporting the certificate, make sure PKCS12 is specified.
导出客户端证书,并导出的格式为PKCS12,设置证书的密码为1234567890。
Typically PKCS12 bundle contains also CA certificate, but some vendors may not install this CA, so self-signed CA certificate must be exported separately using PEM format.
导入证书的时候,如果是pkcs12格式,那么不用单独导入CA证书了。如果不支持的话,那么需要导出pem格式(crt结尾的文件)+ca证书文件
/certificate
export-certificate rw-client1 export-passphrase=1234567890 type=pkcs12
(9)#由于ether2-lan的IP段是10.5.8.0/24,所以需要给隧道过来的IP192.168.77.0/24进行伪装,否则无法访问10.5.8.0/24资源
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-lan
(10)已知的一些限制:
Here is a list of known limitations by popular client software IKEv2 implementations.
Windows will always ignore networks received by split-include and request policy with destination 0.0.0.0/0 (TSr). When IPsec-SA is generated, Windows requests DHCP option 249 to which RouterOS will respond with configured split-include networks automatically.
Both Apple macOS and iOS will only accept the first split-include network.
Both Apple macOS and iOS will use the DNS servers from system-dns and static-dns parameters only when 0.0.0.0/0 split-include is used.
While some implementations can make use of different PFS group for phase 2, it is advised to use pfs-group=none under proposals to avoid any compatibility issues.
客户端配置:
(1)Import a PKCS12 format certificate in RouterOS.
导入客户端证书,密码为1234567890
/certificate import file-name=cert_export_rw-client1.p12 passphrase=1234567890
(2)It is advised to create a separate Phase 1 profile and Phase 2 proposal configurations to not interfere with any existing IPsec configuration.
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-rw
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-rw pfs-group=none
(3)While it is possible to use the default policy template for policy generation, it is better to create a new policy group and template to separate this configuration from any other IPsec configuration.
创建一个新的组ike2-rw,禁用默认的ipsec policy避免干扰,创建ipsec传输模式template=yes,目的地址,源地址任意。
/ip ipsec policy group
add name=ike2-rw
/ip ipsec policy
disable numbers=0
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes
(4)Create a new mode config entry with responder=no that will request configuration parameters from the server.
客户端这边下面还有很多客户机,那么需要创建地址列表,同时写入mode-config。
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
(5)Verify correct source NAT rule is dynamically generated when the tunnel is established.
用了上述的mode-config,ros会自动生成一条伪装,这条伪装的目的就是源地址是local,全部伪装成ipsec的隧道地址。
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=192.168.77.254 src-address-list=local dst-address-list=!local
(6)Lastly, create peer and identity configurations.
创建对端节点以及验证配置,使用证书,老版本用命令rsa-signature,新版本用digital-signature
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 name=ike2-rw-client
ros v6.45.1以后:
/ip ipsec identity
add auth-method=digital-signature certificate=cert_export_rw-client1.p12_0 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
ros v6.45.1以前:
/ip ipsec identity
add auth-method=rsa-signature certificate=cert_export_rw-client1.p12_0 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
/ip route
add distance=1 gateway=pppoe-out1
#下面这条比较关键,表示访问对端的10.5.8.0/24的网段,都使用源IP为本地的lan口的IP:192.168.88.100的地址,理论用192.168.77.254应该也可以。没有这条你后面想用在ipsec上跑pptp跑ospf是不会成功的。。。
add distance=1 dst-address=10.5.8.0/24 gateway=pppoe-out1 pref-src=192.168.88.100
后续问题:
ikev2的ipsec隧道创建完毕以后,你想起OSPF来学习两边的路由,那么需要在服务端上创建PPTP的服务端,然后客户端ROS创建pptp client,然后再跑ospf,我这边已经测试OK。
简单来说就是ipsec基础上的ospf,完全可行。速度非常快!