Building a GRE over IPsec backup link with MikroTik routers

The company has operations in China, Japan, the US, Germany, Singapore and elsewhere. Traffic between sites runs over the company's own GPN (Global Private Network). This is a test build of a backup link, intended for redundancy and automatic failover.

The initial design is GRE over IPsec, with OSPF as the routing protocol.

I. Why GRE over IPsec:

Each site has a large number of networks, so a routing protocol is needed to interconnect them;

Policy-based IPsec does not carry multicast, so it cannot transport a routing protocol such as OSPF directly; as a carrier for routing protocols a GRE tunnel is far more convenient;

A GRE tunnel on its own provides neither encryption nor authentication;

Hence the two are combined: GRE builds a tunnel between the two gateways and carries the routing protocol together with the normal data traffic, and IPsec encrypts the whole GRE tunnel.

II. Test environment:

China, Japan and the US are used as the example; the basic topology is shown in the figure below. MikroTik RouterOS (ROS for short) acts as router and firewall at each site, with OSPF running between the sites. The GPN link behaves like one large layer-2 domain that joins the three sites, effectively a leased line, so its quality is better than the public Internet and it serves as the primary path; it is not covered further here. The focus is how to configure the GRE links as the backup path, so that traffic switches to them automatically when the GPN link fails.

WAN addresses configured on the RouterOS devices:

China: 101.251.x.x

Japan: 205.177.x.x

US: 38.83.x.x

LAN ranges at the three sites:

China: 10.13.24.0/22

Japan: 10.13.4.0/22

US: 10.13.12.0/22

Point-to-point interconnect addresses (taken from 10.13.253.0/24):

China-Japan: 10.13.253.0/30

Japan-US: 10.13.253.16/30

US-China: 10.13.253.4/30

GPN link range:

10.13.252.0/24

[Figure: network topology of the China, Japan and US sites]

III. Configuration

1. Interfaces on the three routers (ether1/2/3 are the WAN, LAN and GPN networks respectively):

[Screenshot: interface list]

2. IPsec configuration

The peers below use 3DES, SHA-1 and modp1024 with dead peer detection disabled, exactly as in the original test. These are weak by current standards: use AES and SHA-2 with a 2048-bit or larger DH group, enable DPD, and replace the "mypassword" placeholder with a long random pre-shared key that is unique to each peer pair. The "BJ Link" comments refer to the Beijing (China) site.

China:

/ip ipsec peer
add address=205.177.x.x/32:500 comment="JP Link" auth-method=pre-shared-key \
    secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des \
    dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
add address=38.83.x.x/32:500 comment="USA Link" auth-method=pre-shared-key \
    secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des \
    dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec policy
add src-address=101.251.x.x/32:any dst-address=205.177.x.x/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=101.251.x.x sa-dst-address=205.177.x.x proposal=default priority=0
add src-address=101.251.x.x/32:any dst-address=38.83.x.x/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=101.251.x.x sa-dst-address=38.83.x.x proposal=default priority=0


Japan:

/ip ipsec peer
add address=101.251.x.x/32:500 comment="BJ Link" auth-method=pre-shared-key \
    secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des \
    dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
add address=38.83.x.x/32:500 comment="USA Link" auth-method=pre-shared-key \
    secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des \
    dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec policy
add src-address=205.177.x.x/32:any dst-address=101.251.x.x/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=205.177.x.x sa-dst-address=101.251.x.x proposal=default priority=0
add src-address=205.177.x.x/32:any dst-address=38.83.x.x/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=205.177.x.x sa-dst-address=38.83.x.x proposal=default priority=0


US:

/ip ipsec peer
add address=101.251.x.x/32:500 comment="BJ Link" auth-method=pre-shared-key \
    secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des \
    dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
add address=205.177.x.x/32:500 comment="JP Link" auth-method=pre-shared-key \
    secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des \
    dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

/ip ipsec policy
add src-address=38.83.x.x/32:any dst-address=101.251.x.x/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=38.83.x.x sa-dst-address=101.251.x.x proposal=default priority=0
add src-address=38.83.x.x/32:any dst-address=205.177.x.x/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=38.83.x.x sa-dst-address=205.177.x.x proposal=default priority=0


China example screenshots:

[Screenshots: IPsec peer and policy lists on the China router]
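The peer and policy above work, but three things about them deserve attention before such a link carries production traffic. 3DES/SHA-1/modp1024 are weak choices; `dpd-interval=disable-dpd` means a peer that reboots or goes silent leaves stale SAs in place until the one-day lifetime runs out (the far end's `send-initial-contact` only helps if it comes back); and `protocol=all` encrypts every packet between the two public addresses rather than just the GRE tunnel. The following is an added example, not configuration from the original article, showing the China router's JP peer rewritten with AES-256/SHA-256/modp2048, DPD enabled, the policy scoped to GRE, and input firewall rules that refuse cleartext GRE. It uses the same pre-6.43 RouterOS syntax as the article (on 6.43 and later the authentication and algorithm parameters move to `/ip ipsec identity` and `/ip ipsec profile`). The proposal name `gre-aes256`, the PSK placeholder and the firewall rules are assumptions; the rules assume an input chain that otherwise drops unsolicited traffic and must be placed before that drop.

```routeros
# Added example (not from the original article): China router, JP link,
# with a stronger algorithm set, DPD enabled and the policy limited to GRE.
# Pre-6.43 RouterOS syntax, matching the article. Placeholders are marked.

/ip ipsec proposal
# Phase 2 proposal used by the GRE policy (name is an assumption).
add name=gre-aes256 auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

/ip ipsec peer
# Phase 1: AES-256 / SHA-256 / 2048-bit DH, 8 h lifetime.
# DPD every 10 s, 3 misses: a dead peer's SAs are torn down in ~30 s
# instead of lingering for the SA lifetime.
# The PSK is a placeholder: generate a long random secret per peer pair
# and configure the same value on the JP router.
add address=205.177.x.x/32:500 comment="JP Link" auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-secret-unique-to-CN-JP" generate-policy=no \
    exchange-mode=main send-initial-contact=yes nat-traversal=no \
    proposal-check=obey hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=8h lifebytes=0 \
    dpd-interval=10s dpd-maximum-failures=3

/ip ipsec policy
# Only GRE between the two endpoints is forced into the SA; IKE (UDP/500)
# and anything else to the peer address is left alone.
add src-address=101.251.x.x/32 dst-address=205.177.x.x/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=101.251.x.x sa-dst-address=205.177.x.x \
    proposal=gre-aes256 comment="JP Link (GRE only)"

/ip firewall filter
# Accept IKE and ESP only from the known peer, accept GRE only if it was
# just decrypted from an IPsec SA, and drop any GRE that arrived in clear.
# Assumes these precede a final "drop" rule in the input chain.
add chain=input protocol=udp dst-port=500 src-address=205.177.x.x \
    action=accept comment="IKE from JP"
add chain=input protocol=ipsec-esp src-address=205.177.x.x \
    action=accept comment="ESP from JP"
add chain=input protocol=gre ipsec-policy=in,ipsec \
    action=accept comment="GRE only when it came out of IPsec"
add chain=input protocol=gre action=drop comment="drop cleartext GRE"
```

The JP router needs the mirror image (addresses swapped, same proposal, same key); with `proposal-check=obey` the responder accepts the initiator's lifetime, so only the algorithms need to agree on both ends. The `ipsec-policy=in,ipsec` matcher is what makes the cleartext-GRE drop safe: a GRE packet that was decapsulated from ESP carries that mark, a spoofed GRE packet from the Internet does not.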

3. GRE configuration:

China:

/interface gre
add name=gre-tunnel1 local-address=101.251.x.x remote-address=205.177.x.x comment="JP Link"
add name=gre-tunnel2 local-address=101.251.x.x remote-address=38.83.x.x comment="USA Link"

/ip address
add address=10.13.253.1/30 interface=gre-tunnel1 network=10.13.253.0 comment="JP Link"
add address=10.13.253.5/30 interface=gre-tunnel2 network=10.13.253.4 comment="USA Link"

 

Japan (note that both tunnels use Japan's own WAN address as local-address; the original listing had the China address on gre-tunnel2 by mistake):

/interface gre
add name=gre-tunnel1 local-address=205.177.x.x remote-address=101.251.x.x comment="BJ Link"
add name=gre-tunnel2 local-address=205.177.x.x remote-address=38.83.x.x comment="USA Link"

/ip address
add address=10.13.253.2/30 interface=gre-tunnel1 network=10.13.253.0 comment="BJ Link"
add address=10.13.253.17/30 interface=gre-tunnel2 network=10.13.253.16 comment="USA Link"

 

US:

/interface gre
add name=gre-tunnel1 local-address=38.83.x.x remote-address=101.251.x.x comment="BJ Link"
add name=gre-tunnel2 local-address=38.83.x.x remote-address=205.177.x.x comment="JP Link"

/ip address
add address=10.13.253.6/30 interface=gre-tunnel1 network=10.13.253.4 comment="BJ Link"
add address=10.13.253.18/30 interface=gre-tunnel2 network=10.13.253.16 comment="JP Link"

 

China example screenshots:

[Screenshots: GRE interface list and IP address list on the China router]
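Two practical details the GRE interfaces above leave at their defaults matter for a backup link. A GRE interface with no keepalive stays "running" even when the far end is unreachable, so OSPF only notices a failed tunnel when its dead timer expires; and GRE inside ESP tunnel mode adds roughly 80 bytes of headers, so a 1500-byte inner packet is fragmented or black-holed on a 1500-byte WAN. The following is an added example, not configuration from the original article, adjusting the China router's two tunnels; the keepalive and MTU values are my assumptions and the keepalive must be enabled on both ends of each tunnel.

```routeros
# Added example (not from the original article): China router's GRE tunnels
# with keepalive and a reduced MTU. Values are assumptions, not the
# article's settings.

/interface gre
# keepalive=10s,3: send a GRE keepalive every 10 s; after 3 unanswered
# keepalives the interface is marked not running, OSPF drops the adjacency
# immediately and the route is withdrawn, without waiting for the OSPF
# dead interval. The far end must have keepalive enabled too.
# mtu=1400: 1500 - 24 (outer IP + GRE) - ESP tunnel-mode overhead (outer IP,
# ESP header, IV, padding, ICV) leaves comfortable headroom.
# clamp-tcp-mss=yes: rewrite MSS in TCP SYNs crossing the tunnel so TCP
# flows never depend on path-MTU discovery, which ICMP filtering often breaks.
set [find name=gre-tunnel1] keepalive=10s,3 mtu=1400 clamp-tcp-mss=yes
set [find name=gre-tunnel2] keepalive=10s,3 mtu=1400 clamp-tcp-mss=yes

# Verify: the R (running) flag appears only while keepalives are answered.
/interface print where type=gre
```

If the tunnel shows as not running although the IPsec SA is up, the usual causes are keepalive enabled on one side only, or the peer's firewall dropping GRE before it reaches the IPsec policy.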

4. OSPF configuration

Advertise the local LAN range, the GPN range (10.13.252.0/24) and the GRE interconnect ranges. OSPF prefers the path with the lowest total cost, so the GPN interface gets cost 10 and the GRE tunnels cost 100: while the GPN is up it carries all inter-site traffic, and when it fails the GRE path becomes the best remaining route. The interface names follow the layout above (ether2 = LAN, ether3 = GPN):

China:

/routing ospf interface
add interface=ether2 cost=10
add interface=ether3 cost=10
add interface=gre-tunnel1 cost=100
add interface=gre-tunnel2 cost=100

/routing ospf network
add network=10.13.24.0/22 area=backbone comment="LAN"
add network=10.13.252.0/24 area=backbone comment="GPN"
add network=10.13.253.0/30 area=backbone comment="JP Link"
add network=10.13.253.4/30 area=backbone comment="USA Link"

 

Japan:

/routing ospf interface
add interface=ether2 cost=10
add interface=ether3 cost=10
add interface=gre-tunnel1 cost=100
add interface=gre-tunnel2 cost=100

/routing ospf network
add network=10.13.4.0/22 area=backbone comment="LAN"
add network=10.13.252.0/24 area=backbone comment="GPN"
add network=10.13.253.0/30 area=backbone comment="BJ Link"
add network=10.13.253.16/30 area=backbone comment="USA Link"

 

US:

/routing ospf interface
add interface=ether2 cost=10
add interface=ether3 cost=10
add interface=gre-tunnel1 cost=100
add interface=gre-tunnel2 cost=100

/routing ospf network
add network=10.13.12.0/22 area=backbone comment="LAN"
add network=10.13.252.0/24 area=backbone comment="GPN"
add network=10.13.253.4/30 area=backbone comment="BJ Link"
add network=10.13.253.16/30 area=backbone comment="JP Link"

 

Beijing (China) example screenshots:

[Screenshots: OSPF interface and network lists on the China router]
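The OSPF configuration above is functional, but it runs unauthenticated hellos on every interface, including the LAN and the shared GPN segment, and uses the default 10 s hello / 40 s dead timers on the tunnels. Any host on the LAN or any device on the GPN layer-2 domain can therefore form an adjacency and inject routes, and a silent tunnel failure takes up to 40 s to detect. The following is an added example, not configuration from the original article, showing the China router's OSPF with a fixed router-id, a passive LAN interface, MD5-authenticated adjacencies and shorter timers on the tunnels. The key names and the timer values are assumptions; keys, key-id, hello and dead intervals must match on both ends of each link.

```routeros
# Added example (not from the original article): hardened OSPF on the China
# router. Keys and timers are assumptions; mirror them on the far ends.

/routing ospf instance
# Pin the router-id instead of letting it follow whichever address is
# chosen at boot; the JP-link tunnel address is stable and unique.
set [find default=yes] router-id=10.13.253.1

/routing ospf interface
# LAN: the prefix is still advertised via /routing ospf network, but no
# hellos are sent and no adjacency can be formed with a LAN host.
add interface=ether2 cost=10 passive=yes

# GPN: a broadcast segment shared by every site. Authenticate so a
# misconfigured or rogue device on the shared L2 cannot become a neighbor.
add interface=ether3 cost=10 authentication=md5 \
    authentication-key=CHANGE-ME-gpn-key authentication-key-id=1

# GRE tunnels: point-to-point (no DR election), higher cost so they stay
# backup, and 3 s / 12 s timers so a silent failure is noticed in ~12 s
# rather than 40 s. One distinct key per link.
add interface=gre-tunnel1 cost=100 network-type=point-to-point \
    hello-interval=3s dead-interval=12s \
    authentication=md5 authentication-key=CHANGE-ME-jp-key authentication-key-id=1
add interface=gre-tunnel2 cost=100 network-type=point-to-point \
    hello-interval=3s dead-interval=12s \
    authentication=md5 authentication-key=CHANGE-ME-us-key authentication-key-id=1

/routing ospf network
add network=10.13.24.0/22 area=backbone comment="LAN"
add network=10.13.252.0/24 area=backbone comment="GPN"
add network=10.13.253.0/30 area=backbone comment="JP Link"
add network=10.13.253.4/30 area=backbone comment="USA Link"
```

With the GPN path costing 10 at each hop and the tunnel path 100, the China router reaches Japan's LAN at cost 20 over the GPN and 110 over gre-tunnel1, so the preference is unambiguous. Shorter OSPF timers only help for failures the tunnel does not signal itself; if the GRE interfaces also run keepalive, an unreachable peer takes the interface down and the adjacency drops at once regardless of the dead interval.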

IV. Verification

1. Check that OSPF has come up (neighbors and learned routes):

[Screenshot: OSPF neighbor and route tables]

2. Bring down the GPN interface and check whether the OSPF routes switch to the GRE tunnels automatically:
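The screenshot for this step did not survive extraction, so here is the test as commands, plus a small script that records which link currently carries the route to Japan. This is an added example, not content from the original article, written for the China router: ether3 is the GPN interface per the layout above, the 45 s delay covers the default 40 s OSPF dead interval, and `gateway-status` is a RouterOS v6 route property whose text is assumed to name the egress interface.

```routeros
# Added example (not from the original article): GPN failover test and a
# path-check script on the China router.

# 1. Baseline: OSPF adjacencies and the IPsec SAs behind the tunnels.
/routing ospf neighbor print
/ip ipsec remote-peers print
/ip ipsec installed-sa print

# 2. Which path carries traffic to Japan's LAN right now? Expect the GPN
#    next hop (10.13.252.x via ether3) with distance 110.
/ip route print where dst-address=10.13.4.0/22

# 3. Simulate a GPN outage, wait past the OSPF dead interval, re-check.
#    Expect the next hop to move to 10.13.253.2 via gre-tunnel1.
/interface disable ether3
:delay 45s
/ip route print where dst-address=10.13.4.0/22
/interface enable ether3

# 4. Path-check script: logs a warning whenever the active route to Japan
#    sits on a GRE tunnel, info when it is back on the primary. Scheduled
#    every minute, /log then holds a timeline of every failover and fallback.
/system script
add name=check-jp-path source={
    :local dst "10.13.4.0/22"
    :local found false
    :foreach r in=[/ip route find where dst-address=$dst active=yes] do={
        :set found true
        # gateway-status reads like "10.13.253.2 reachable via gre-tunnel1"
        :local st [/ip route get $r gateway-status]
        :if ([:typeof [:find $st "gre-tunnel"]] != "nil") do={
            :log warning ("path to " . $dst . " is on BACKUP: " . $st)
        } else={
            :log info ("path to " . $dst . " is on primary: " . $st)
        }
    }
    :if ($found = false) do={ :log error ("no active route to " . $dst) }
}
/system scheduler
add name=check-jp-path interval=1m on-event=check-jp-path
```

Disabling the interface is the easy case, because OSPF sees the link go down immediately. Also test a silent failure (for example, block OSPF on the GPN with a temporary firewall rule) to confirm that the dead interval, not the link state, is what drives the switchover there.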


Source: https://www.heiqu.com/f115eba24a7ed9008f086d4a959689db.html