本文共 7602 字,大约阅读时间需要 25 分钟。
公司在国内、日本、美国、德国、新加坡等多地均有业务,中间业务网络用的公司专有GPN(Global Private Network中文名是全球私有化网络)链路,目前测试搭建一条备用链路,用于网络冗余和故障切换。
初步选用方案GRE over IPSec,跑ospf路由协议。
一、为何要选GRE over IPSec:
各个site网络比较多,需要使用路由协议进行互联;
IPSEC不支持组播,即不能传递路由协议,在承载路由协议上不如GRE隧道方便;
GRE隧道不能提供加密保障;
使用GRE在两个网关之间搭建一个隧道,运行路由协议及传输正常数据,使用IPSec对整个GRE隧道进行加密,因此需要把两者进行结合。
二、测试环境:
以中国、日本、美国三地为例,基本网络拓扑如下图,用Mikrotik RouterOS(简称ROS)做路由器和防火墙,中间跑ospf协议。GPN链路就相当于一个大二层,能够把中日美三地打通,相当于专线,因此在网络质量上优于直接走大网,做业务主线,这里不多写;主要写一下如何配置GRE链路实现备用链路功能,在GPN链路中断的时候能够自动切换到备线。
routeros上配置外网:
中国:101.251.x.x
日本:205.177.x.x
美国:38.83.x.x
三地的内网地址:
中国:10.13.24.0/22
日本:10.13.4.0/22
美国:10.13.12.0/22
三地互联地址(用10.13.253.0/24段做互联地址段):
中国和日本:10.13.253.0/30
日本和美国:10.13.253.16/30
美国和中国:10.13.253.4/30
GPN链路网段:
10.13.252.0/24
三、配置
1、三个ros的interface(ether1/2/3分别对应着外网/内网/GPN网络):
2、IPSec配置
中国:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | /ip ipsec peer add address=205.177.x.x /32 :500 comment= "JP Link" auth-method=pre-shared-key secret= "mypassword" generate-policy=no exchange-mode=main send-initial-contact= yes nat-traversal=no proposal-check=obey hash -algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 add address=38.83.x.x /32 :500 comment= "USALink" auth-method=pre-shared-key secret= "mypassword" generate-policy=no exchange-mode=main send-initial-contact= yes nat-traversal=no proposal-check=obey hash -algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 /ip ipsec policy add src-address=101.251.x.x /32 :any dst-address=205.177.x.x /32 :any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel= yes sa-src-address=101.251.x.x sa-dst-address=205.177.x.x proposal=default priority=0 add src-address=101.251.x.x /32 :any dst-address=38.83.x.x /32 :any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel= yes sa-src-address=101.251.x.x sa-dst-address=38.83.x.x proposal=default priority=0 |
日本:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | /ip ipsec peer add address=101.251.x.x /32 :500 comment= "BJ Link" auth-method=pre-shared-key secret= "mypassword" generate-policy=no exchange-mode=main send-initial-contact= yes nat-traversal=no proposal-check=obey hash -algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 add address=38.83.x.x /32 :500 comment= "USA Link" auth-method=pre-shared-key secret= "mypassword" generate-policy=no exchange-mode=main send-initial-contact= yes nat-traversal=no proposal-check=obey hash -algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 /ip ipsec policy add src-address=205.177.x.x /32 :any dst-address=101.251.x.x /32 :any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel= yes sa-src-address=205.177.x.x sa-dst-address=101.251.x.x proposal=default priority=0 add src-address=205.177.x.x /32 :any dst-address=38.83.x.x /32 :any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel= yes sa-src-address=205.177.x.x sa-dst-address=38.83.x.x proposal=default priority=0 |
美国:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | /ip ipsec peer add address=101.251.x.x /32 :500 comment= "BJ Link" auth-method=pre-shared-key secret= "mypassword" generate-policy=no exchange-mode=main send-initial-contact= yes nat-traversal=no proposal-check=obey hash -algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 add address=205.177.x.x /32 :500 comment= "JP Link" auth-method=pre-shared-key secret= "mypassword" generate-policy=no exchange-mode=main send-initial-contact= yes nat-traversal=no proposal-check=obey hash -algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 /ip ipsec policy add src-address=38.83.x.x /32 :any dst-address=101.251.x.x /32 :any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel= yes sa-src-address=38.83.x.x sa-dst-address=101.251.x.x proposal=default priority=0 add src-address=38.83.x.x /32 :any dst-address=205.177.x.x /32 :any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel= yes sa-src-address=38.83.x.x sa-dst-address=205.177.x.x proposal=default priority=0 |
中国示例图:
3、GRE配置:
中国:
| 1 2 3 4 5 6 7 8 9 10 | /interface gre add name= gre-tunnel1 local -address=101.251.x.x remote-address=205.177.x.x comment= "JP Link" add name= gre-tunnel2 local -address=101.251.x.x remote-address=38.83.x.x comment= "USA Link" /ip address add address=10.13.253.1 /30 interface=gre-tunnel1 network=10.13.253.0 comment= "JP Link" add address=10.13.253.5 /30 interface=gre-tunnel2 network=10.13.253.4 comment= "USA Link" |
日本:
| 1 2 3 4 5 6 7 8 9 10 | /interface gre add name= gre-tunnel1 local -address=205.177.x.x remote-address=101.251.x.x comment= "BJ Link" add name= gre-tunnel2 local -address=101.251.x.x remote-address=38.83.x.x comment= "USA Link" /ip address add address=10.13.253.2 /30 interface=gre-tunnel1 network=10.13.253.0 comment= "BJ Link" add address=10.13.253.17 /30 interface=gre-tunnel2 network=10.13.253.16 comment= "USA Link" |
美国:
| 1 2 3 4 5 6 7 8 9 10 | /interface gre add name= gre-tunnel1 local -address=38.83.x.x remote-address=101.251.x.x comment= "BJ Link" add name= gre-tunnel2 local -address=38.83.x.x remote-address=205.177.x.x comment= "JP Link" /ip address add address=10.13.253.6 /30 interface=gre-tunnel1 network=10.13.253.4 comment= "BJ Link" add address=10.13.253.18 /30 interface=gre-tunnel2 network=10.13.253.16 comment= "JP Link" |
中国示例图:
4、OSPF配置
把本地的内网地址段、GPN网段(10.13.252.0/24),GRE互联地址网段都宣布进去,cost值GPN链路的优先级高,设为10,GRE Tunnel的cost值设为100:
中国:
| 1 2 3 4 5 6 7 8 9 10 11 | /routing ospf> interface add interface=eth2 cost=10 interface add interface=eth3 cost=10 interface add interface=gre-tunnel1 cost=100 interface add interface=gre-tunnel2 cost=100 /routing ospf> network add network=10.13.24.0 /22 area=backbone comment= "内网" network add network=10.13.252.0 /24 area=backbone comment= "GPN" network add network=10.13.253.0 /30 area=backbone comment= "JP Link" network add network=10.13.253.4 /30 area=backbone comment= "USA Link" |
日本:
| 1 2 3 4 5 6 7 8 9 10 11 | /routing ospf> interface add interface=eth2 cost=10 interface add interface=eth3 cost=10 interface add interface=gre-tunnel1 cost=100 interface add interface=gre-tunnel2 cost=100 /routing ospf> network add network=10.13.4.0 /22 area=backbone comment= "内网" network add network=10.13.252.0 /24 area=backbone comment= "GPN" network add network=10.13.253.0 /30 area=backbone comment= "BJ Link" network add network=10.13.253.16 /30 area=backbone comment= "USA Link" |
美国:
| 1 2 3 4 5 6 7 8 9 10 11 | /routing ospf> interface add interface=eth2 cost=10 interface add interface=eth3 cost=10 interface add interface=gre-tunnel1 cost=100 interface add interface=gre-tunnel2 cost=100 /routing ospf> network add network=10.13.12.0 /22 area=backbone comment= "内网" network add network=10.13.252.0 /24 area=backbone comment= "GPN" network add network=10.13.253.4 /30 area=backbone comment= "BJ Link" network add network=10.13.253.16 /30 area=backbone comment= "JP Link" |
北京示例图:
四、验证
1、查看ospf是否启动成功:
2、down掉GPN的interface,查看ospf的路由是否自动切换到GRE Tunnel:
测试线路自动切换成功,再把GPN interface起来之后,查看路由又自动切换到了GPN链路。
success!
五、优化
此文中只选了3个site,备线的ospf cost值均设为了100,;在实际部署时会多于3个,ospf值的设置,可以设置为点对点的延迟值,使在切换到备线时ospf选路选的是线路延迟最低的路径,也是最优的路径。比如中日之间大网延迟大概为55ms,可以把GRE的ospf cost设为55。