Дано:
3 маршрутизатора:
puppetmaster (белый ip адрес = A.A.A.A),
puppetslave (белый ip адрес = B.B.B.B),
puppetslave1 (белый ip адрес = C.C.C.C)
с centos 6.6 на борту.
Сети за маршрутизаторами будут имитировать ifb интерфейсы с заданными адресами.
Задача:
Объединить все сети за маршрутизаторами посредством туннелей.
Настроить динамическую маршрутизацию между сегментами.
Схема:
Решение.
На всех трех маршрутизаторах нам понадобятся указанные ниже пакеты.
root# yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
root# yum install openswan lsof quagga
1) Настраиваем туннели gre всех маршрутизаторов со всеми согласно схеме.
Пишем стартовые скрипты для каждого маршрутизатора (и запускаем после конфигурирования ospf и ipsec!):
puppetmaster
cat /root/tun_gre.sh
>>
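#!/bin/bash
# tun_gre.sh (puppetmaster): GRE tunnels to both peers plus the fake LAN segment.
# Run only after ospfd/zebra (step 2) and ipsec (step 3) are configured.
# Placeholders: A.A.A.A = this host, B.B.B.B = puppetslave, C.C.C.C = puppetslave1.
set -u

local_ip=A.A.A.A
peer_b=B.B.B.B   # puppetslave
peer_c=C.C.C.C   # puppetslave1

# Tear down our own tunnels from a previous run explicitly. The original
# `modprobe -fr ip_gre` destroyed every GRE interface on the host (not only
# ours) and `-f` additionally skips the module version checks.
for dev in netb netc; do
    /sbin/ip tunnel del "$dev" 2>/dev/null
done

# IPsec first: openswan installs the transport-mode policy for GRE between the
# outer addresses before any GRE/OSPF packet can leave, so nothing goes out in
# clear during the window between tunnel-up and SA establishment.
/etc/init.d/ipsec restart

# to puppetslave
/sbin/ip tunnel add netb mode gre remote "$peer_b" local "$local_ip" ttl 255
/sbin/ip link set netb up
/sbin/ip addr add 172.16.33.5/30 dev netb

# to puppetslave1
/sbin/ip tunnel add netc mode gre remote "$peer_c" local "$local_ip" ttl 255
/sbin/ip link set netc up
/sbin/ip addr add 172.16.33.1/30 dev netc

# fake LAN segment
/sbin/modprobe ifb
/sbin/ip addr add 192.168.31.1/24 dev ifb0
/sbin/ip link set dev ifb0 up

# zebra re-reads the interface list. ospfd has its own init script
# (/etc/init.d/ospfd) and is not touched here -- make sure it is running.
/etc/init.d/zebra restart
exit 0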
puppetslave
cat /root/tun_gre.sh
>>
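#!/bin/bash
# tun_gre.sh (puppetslave): GRE tunnels to puppetmaster and puppetslave1 plus the
# fake LAN segment. Run only after ospfd/zebra (step 2) and ipsec (step 3) are
# configured. Outer addresses use the same placeholders as the rest of the
# setup (the original listing had real public addresses here):
# A.A.A.A = puppetmaster, B.B.B.B = this host, C.C.C.C = puppetslave1.
set -u

local_ip=B.B.B.B
peer_a=A.A.A.A   # puppetmaster
peer_c=C.C.C.C   # puppetslave1

# Remove our own tunnels from a previous run instead of force-unloading ip_gre,
# which would also destroy every other GRE interface on the host.
for dev in neta netc; do
    /sbin/ip tunnel del "$dev" 2>/dev/null
done

# IPsec first, so the transport-mode GRE policy exists before the first
# GRE/OSPF packet can leave in clear.
/etc/init.d/ipsec restart

# to puppetmaster
/sbin/ip tunnel add neta mode gre local "$local_ip" remote "$peer_a" ttl 255
/sbin/ip link set neta up
/sbin/ip addr add 172.16.33.6/30 dev neta

# to puppetslave1
/sbin/ip tunnel add netc mode gre local "$local_ip" remote "$peer_c" ttl 255
/sbin/ip link set netc up
/sbin/ip addr add 172.16.33.10/30 dev netc

# fake LAN segment
/sbin/modprobe ifb
/sbin/ip addr add 192.168.32.1/24 dev ifb0
/sbin/ip link set dev ifb0 up

# zebra re-reads the interface list. ospfd has its own init script
# (/etc/init.d/ospfd) and is not touched here -- make sure it is running.
/etc/init.d/zebra restart
exit 0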
puppetslave1
cat /root/tun_gre.sh
>>
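#!/bin/bash
# tun_gre.sh (puppetslave1): GRE tunnels to puppetmaster and puppetslave plus the
# fake LAN segment. Run only after ospfd/zebra (step 2) and ipsec (step 3) are
# configured. Outer addresses use the same placeholders as the rest of the
# setup (the original listing had real public addresses here):
# A.A.A.A = puppetmaster, B.B.B.B = puppetslave, C.C.C.C = this host.
set -u

local_ip=C.C.C.C
peer_a=A.A.A.A   # puppetmaster
peer_b=B.B.B.B   # puppetslave

# Remove our own tunnels from a previous run instead of force-unloading ip_gre,
# which would also destroy every other GRE interface on the host.
for dev in neta netb; do
    /sbin/ip tunnel del "$dev" 2>/dev/null
done

# IPsec first, so the transport-mode GRE policy exists before the first
# GRE/OSPF packet can leave in clear.
/etc/init.d/ipsec restart

# to puppetmaster
/sbin/ip tunnel add neta mode gre local "$local_ip" remote "$peer_a" ttl 255
/sbin/ip link set neta up
/sbin/ip addr add 172.16.33.2/30 dev neta

# to puppetslave
/sbin/ip tunnel add netb mode gre local "$local_ip" remote "$peer_b" ttl 255
/sbin/ip link set netb up
/sbin/ip addr add 172.16.33.9/30 dev netb

# fake LAN segment
/sbin/modprobe ifb
/sbin/ip addr add 192.168.33.1/24 dev ifb0
/sbin/ip link set dev ifb0 up

# zebra re-reads the interface list. ospfd has its own init script
# (/etc/init.d/ospfd) and is not touched here -- make sure it is running.
/etc/init.d/zebra restart
exit 0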
Теперь если поднять туннели gre, мы не увидим удаленные подсети 192.168.3{1..3}/24:
root@puppetmaster# for x in {1..3}; do ping -c 1 192.168.3${x}.1 > /dev/null && echo 192.168.3${x}.1=OK ; done
192.168.31.1=OK
...
Видим только непосредственно присоединенный сегмент.
Чтобы наши маршрутизаторы знали обо всех удаленных подсетях, мы должны рассказать о них посредством ospf.
2) Настраиваем ospf на всех маршрутизаторах.
puppetmaster
root@puppetmaster# cat /etc/quagga/zebra.conf
>>
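!
! zebra configuration for puppetmaster (RouterA).
! Interface addresses are assigned by /root/tun_gre.sh, not here; this file
! only sets interface options, forwarding and vty access.
!
hostname RouterA
! Plain-text vty/enable passwords; `service password-encryption` would at
! least hash them. More important is keeping the vty off the public address
! (see the access-list at the bottom).
password RouterPass
enable password RouterPass
log file /var/log/quagga/quagga.log
!
interface eth0
 ipv6 nd suppress-ra
!
interface gre0
 ipv6 nd suppress-ra
!
interface gretap0
 ipv6 nd suppress-ra
!
interface ifb0
 ipv6 nd suppress-ra
!
interface ifb1
 ipv6 nd suppress-ra
!
interface lo
!
interface netb
 description to-puppetslave
 ipv6 nd suppress-ra
!
interface netc
 description to-puppetslave1
 ipv6 nd suppress-ra
!
ip forwarding
!
! The zebra vty (tcp/2601) must not be reachable from the Internet on a router
! with a public address: allow it only from the box itself.
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
 access-class vty
!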
root@puppetmaster# cat /etc/quagga/ospfd.conf
>>
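!
! ospfd configuration for puppetmaster (ospfdA).
! OSPF runs only inside the GRE tunnels (netb, netc) and announces the ifb0
! segment; eth0 is deliberately not covered by any `network` statement.
!
hostname ospfdA
password RouterPass
log file /var/log/quagga/quagga.log
log stdout
!
interface eth0
!
interface gre0
!
interface gretap0
!
interface ifb0
!
interface ifb1
!
interface lo
!
interface netb
 description to-puppetslave
 ! MD5-keyed OSPF: a peer must know the key to become a neighbour. The tunnel
 ! is already protected by IPsec (step 3); this is defence in depth. Replace
 ! "ospfpass" with a long random key, the same on all three routers.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ospfpass
 ! `broadcast` works on a GRE link (hellos are multicast over the tunnel) but
 ! elects a DR; `point-to-point` would be the natural type for a /30 tunnel.
 ip ospf network broadcast
!
interface netc
 description to-puppetslave1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ospfpass
 ip ospf network broadcast
!
router ospf
 ospf router-id A.A.A.A
 network 172.16.33.0/30 area 0.0.0.0
 network 172.16.33.4/30 area 0.0.0.0
 network 192.168.31.0/24 area 0.0.0.0
 ! Announce the LAN segment but never send hellos into it or accept
 ! neighbours there.
 passive-interface ifb0
 area 0.0.0.0 authentication message-digest
!
! The ospfd vty (tcp/2604) is reachable only from the box itself.
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
 access-class vty
!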
puppetslave
root@puppetslave# cat /etc/quagga/zebra.conf
>>
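!
! zebra configuration for puppetslave (RouterB).
! Interface addresses are assigned by /root/tun_gre.sh, not here; this file
! only sets interface options, forwarding and vty access.
!
hostname RouterB
! Plain-text vty/enable passwords; `service password-encryption` would at
! least hash them. More important is keeping the vty off the public address
! (see the access-list at the bottom).
password RouterPass
enable password RouterPass
log file /var/log/quagga/quagga.log
!
interface eth0
 ipv6 nd suppress-ra
!
interface gre0
 ipv6 nd suppress-ra
!
interface gretap0
 ipv6 nd suppress-ra
!
interface ifb0
 ipv6 nd suppress-ra
!
interface ifb1
 ipv6 nd suppress-ra
!
interface lo
!
interface neta
 description to-puppetmaster
 ipv6 nd suppress-ra
!
interface netc
 description to-puppetslave1
 ipv6 nd suppress-ra
!
! Placeholder for this host's public address, as everywhere else in the
! setup (the original listing had the real address here).
router-id B.B.B.B
ip forwarding
!
! The zebra vty (tcp/2601) must not be reachable from the Internet on a router
! with a public address: allow it only from the box itself.
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
 access-class vty
!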
root@puppetslave# cat /etc/quagga/ospfd.conf
>>
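!
! ospfd configuration for puppetslave (ospfdB).
! OSPF runs only inside the GRE tunnels (neta, netc) and announces the ifb0
! segment; eth0 is deliberately not covered by any `network` statement.
!
hostname ospfdB
password RouterPass
log file /var/log/quagga/quagga.log
log stdout
!
interface eth0
!
interface gre0
!
interface gretap0
!
interface ifb0
!
interface ifb1
!
interface lo
!
interface neta
 description to-puppetmaster
 ! MD5-keyed OSPF: a peer must know the key to become a neighbour. The tunnel
 ! is already protected by IPsec (step 3); this is defence in depth. Replace
 ! "ospfpass" with a long random key, the same on all three routers.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ospfpass
 ! `broadcast` works on a GRE link (hellos are multicast over the tunnel) but
 ! elects a DR; `point-to-point` would be the natural type for a /30 tunnel.
 ip ospf network broadcast
!
interface netc
 description to-puppetslave1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ospfpass
 ip ospf network broadcast
!
router ospf
 ospf router-id B.B.B.B
 ! Network addresses of the /30 tunnel links (.4/30 holds .5/.6, .8/30 holds
 ! .9/.10); the host addresses given originally match the same prefixes.
 network 172.16.33.4/30 area 0.0.0.0
 network 172.16.33.8/30 area 0.0.0.0
 network 192.168.32.0/24 area 0.0.0.0
 ! Announce the LAN segment but never send hellos into it or accept
 ! neighbours there.
 passive-interface ifb0
 area 0.0.0.0 authentication message-digest
!
! The ospfd vty (tcp/2604) is reachable only from the box itself.
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
 access-class vty
!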
puppetslave1
root@puppetslave1# cat /etc/quagga/zebra.conf
>>
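!
! zebra configuration for puppetslave1 (RouterC).
! Interface addresses are assigned by /root/tun_gre.sh, not here; this file
! only sets interface options, forwarding and vty access.
!
hostname RouterC
! The original listing left the stock "zebra" password here; use the same
! (or better, a unique strong) password as on the other routers, and
! consider `service password-encryption`.
password RouterPass
enable password RouterPass
log file /var/log/quagga/quagga.log
!
interface eth0
 ipv6 nd suppress-ra
!
interface gre0
 ipv6 nd suppress-ra
!
interface gretap0
 ipv6 nd suppress-ra
!
interface ifb0
 ipv6 nd suppress-ra
!
interface ifb1
 ipv6 nd suppress-ra
!
interface lo
!
interface neta
 description to-puppetmaster
 ipv6 nd suppress-ra
!
interface netb
 description to-puppetslave
 ipv6 nd suppress-ra
!
! netn is not part of this setup (not created by tun_gre.sh); drop the stanza
! if the interface does not exist on this host.
interface netn
 ipv6 nd suppress-ra
!
ip forwarding
!
! The zebra vty (tcp/2601) must not be reachable from the Internet on a router
! with a public address: allow it only from the box itself.
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
 access-class vty
!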
root@puppetslave1# cat /etc/quagga/ospfd.conf
>>
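!
! ospfd configuration for puppetslave1 (ospfdC).
! OSPF runs only inside the GRE tunnels (neta, netb) and announces the ifb0
! segment; eth0 is deliberately not covered by any `network` statement.
!
hostname ospfdC
! Same vty password as the other daemons (the original had a typo here).
password RouterPass
log file /var/log/quagga/quagga.log
log stdout
!
interface eth0
!
interface gre0
!
interface gretap0
!
interface ifb0
!
interface ifb1
!
interface lo
!
interface neta
 description to-puppetmaster
 ! MD5-keyed OSPF: a peer must know the key to become a neighbour. The tunnel
 ! is already protected by IPsec (step 3); this is defence in depth. Replace
 ! "ospfpass" with a long random key, the same on all three routers.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ospfpass
 ! `broadcast` works on a GRE link (hellos are multicast over the tunnel) but
 ! elects a DR; `point-to-point` would be the natural type for a /30 tunnel.
 ip ospf network broadcast
!
interface netb
 description to-puppetslave
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ospfpass
 ip ospf network broadcast
!
! netn is not part of this setup; drop the stanza if the interface does not
! exist on this host.
interface netn
!
router ospf
 ospf router-id C.C.C.C
 ! Network addresses of the /30 tunnel links (.0/30 holds .1/.2, .8/30 holds
 ! .9/.10); the host addresses given originally match the same prefixes.
 network 172.16.33.0/30 area 0.0.0.0
 network 172.16.33.8/30 area 0.0.0.0
 network 192.168.33.0/24 area 0.0.0.0
 ! Announce the LAN segment but never send hellos into it or accept
 ! neighbours there.
 passive-interface ifb0
 area 0.0.0.0 authentication message-digest
!
! The ospfd vty (tcp/2604) is reachable only from the box itself.
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
 access-class vty
!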
3) Настраиваем шифрование посредством ipsec в транспортном режиме.
Каждому маршрутизатору прописываем в /etc/rc.local следующее:
>>
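# Kernel settings for a router that terminates tunnels on a public address.
# ICMP redirects are neither honoured nor sent: a host on the outer network
# could otherwise steer traffic away from the tunnel. The glob covers all/,
# default/ and every interface present at boot; interfaces created later
# (netb/netc/ifb0) inherit the default/ values. Persist the same keys in
# /etc/sysctl.conf so they survive a reboot even if rc.local changes.
for dev in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "${dev}/accept_redirects"
    echo 0 > "${dev}/send_redirects"
done
# Forwarding is global: with no FORWARD filter, anything that reaches eth0 with
# a destination inside 192.168.3x.0/24 is forwarded into the tunnels. Add
# iptables FORWARD rules (or a strict rp_filter) if the segments must only
# be reachable from each other.
echo 1 > /proc/sys/net/ipv4/ip_forward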
Затем настраиваем IPsec-соединения в транспортном режиме, защищающие только GRE-трафик между внешними адресами маршрутизаторов (в ipsec.conf параметры внутри conn должны быть с отступом):
puppetmaster
root@puppetmaster# cat /etc/ipsec.d/to-puppetslave.conf
>>
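# puppetmaster <-> puppetslave: transport mode covering only GRE (IP proto 47)
# between the two outer addresses. Parameter lines must be indented; a line
# at column 0 starts a new section.
conn to_puppetslave
    type=transport
    aggrmode=no
    compress=no
    auth=esp
    keyexchange=ike
    # 3DES/MD5/modp1024 without PFS (the original) is below current minimums.
    # AES-256, SHA-1 HMAC and a 2048-bit group with PFS are supported by the
    # openswan 2.6.x shipped for EL6; the same proposal must be set on the peer.
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    pfs=yes
    ikelifetime=28800s
    keylife=3600s
    leftid=A.A.A.A
    left=A.A.A.A
    rightid=B.B.B.B
    right=B.B.B.B
    # Only GRE is protected; other traffic between the hosts (ssh, quagga
    # vtys, ...) is NOT covered by this conn.
    leftprotoport=gre
    rightprotoport=gre
    # PSK from /etc/ipsec.d/to-puppetslave.secrets
    authby=secret
    auto=start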
root@puppetmaster# cat /etc/ipsec.d/to-puppetslave.secrets
>>
A.A.A.A B.B.B.B : PSK "IpsecPass"
root@puppetmaster# cat /etc/ipsec.d/to-puppetslave1.conf
>>
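# puppetmaster <-> puppetslave1: transport mode covering only GRE (IP proto 47)
# between the two outer addresses. Parameter lines must be indented; a line
# at column 0 starts a new section.
conn to_puppetslave1
    type=transport
    aggrmode=no
    compress=no
    auth=esp
    keyexchange=ike
    # 3DES/MD5/modp1024 without PFS (the original) is below current minimums.
    # AES-256, SHA-1 HMAC and a 2048-bit group with PFS are supported by the
    # openswan 2.6.x shipped for EL6; the same proposal must be set on the peer.
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    pfs=yes
    ikelifetime=28800s
    keylife=3600s
    leftid=A.A.A.A
    left=A.A.A.A
    rightid=C.C.C.C
    right=C.C.C.C
    # Only GRE is protected; other traffic between the hosts (ssh, quagga
    # vtys, ...) is NOT covered by this conn.
    leftprotoport=gre
    rightprotoport=gre
    # PSK from /etc/ipsec.d/to-puppetslave1.secrets
    authby=secret
    auto=start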
root@puppetmaster# cat /etc/ipsec.d/to-puppetslave1.secrets
>>
A.A.A.A C.C.C.C : PSK "IpsecPass"
puppetslave
root@puppetslave# cat /etc/ipsec.d/to-puppetmaster.conf
>>
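# puppetslave <-> puppetmaster: transport mode covering only GRE (IP proto 47)
# between the two outer addresses. Parameter lines must be indented; a line
# at column 0 starts a new section.
conn to_puppetmaster
    type=transport
    aggrmode=no
    compress=no
    auth=esp
    keyexchange=ike
    # 3DES/MD5/modp1024 without PFS (the original) is below current minimums.
    # AES-256, SHA-1 HMAC and a 2048-bit group with PFS are supported by the
    # openswan 2.6.x shipped for EL6; the same proposal must be set on the peer.
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    pfs=yes
    ikelifetime=28800s
    keylife=3600s
    leftid=B.B.B.B
    left=B.B.B.B
    rightid=A.A.A.A
    right=A.A.A.A
    # Only GRE is protected; other traffic between the hosts (ssh, quagga
    # vtys, ...) is NOT covered by this conn.
    leftprotoport=gre
    rightprotoport=gre
    # PSK from /etc/ipsec.d/to-puppetmaster.secrets
    authby=secret
    auto=start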
root@puppetslave# cat /etc/ipsec.d/to-puppetmaster.secrets
>>
A.A.A.A B.B.B.B : PSK "IpsecPass"
root@puppetslave# cat /etc/ipsec.d/to-puppetslave1.conf
>>
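# puppetslave <-> puppetslave1: transport mode covering only GRE (IP proto 47)
# between the two outer addresses. Parameter lines must be indented; a line
# at column 0 starts a new section.
conn to_puppetslave1
    type=transport
    aggrmode=no
    compress=no
    auth=esp
    keyexchange=ike
    # 3DES/MD5/modp1024 without PFS (the original) is below current minimums.
    # AES-256, SHA-1 HMAC and a 2048-bit group with PFS are supported by the
    # openswan 2.6.x shipped for EL6; the same proposal must be set on the peer.
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    pfs=yes
    ikelifetime=28800s
    keylife=3600s
    leftid=B.B.B.B
    left=B.B.B.B
    rightid=C.C.C.C
    right=C.C.C.C
    # Only GRE is protected; other traffic between the hosts (ssh, quagga
    # vtys, ...) is NOT covered by this conn.
    leftprotoport=gre
    rightprotoport=gre
    # PSK from /etc/ipsec.d/to-puppetslave1.secrets
    authby=secret
    auto=start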
root@puppetslave# cat /etc/ipsec.d/to-puppetslave1.secrets
>>
C.C.C.C B.B.B.B : PSK "IpsecPass"
puppetslave1
root@puppetslave1# cat /etc/ipsec.d/to-puppetmaster.conf
>>
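# puppetslave1 <-> puppetmaster: transport mode covering only GRE (IP proto 47)
# between the two outer addresses. Parameter lines must be indented; a line
# at column 0 starts a new section.
conn to_puppetmaster
    type=transport
    aggrmode=no
    compress=no
    auth=esp
    keyexchange=ike
    # 3DES/MD5/modp1024 without PFS (the original) is below current minimums.
    # AES-256, SHA-1 HMAC and a 2048-bit group with PFS are supported by the
    # openswan 2.6.x shipped for EL6; the same proposal must be set on the peer.
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    pfs=yes
    ikelifetime=28800s
    keylife=3600s
    leftid=C.C.C.C
    left=C.C.C.C
    rightid=A.A.A.A
    right=A.A.A.A
    # Only GRE is protected; other traffic between the hosts (ssh, quagga
    # vtys, ...) is NOT covered by this conn.
    leftprotoport=gre
    rightprotoport=gre
    # PSK from /etc/ipsec.d/to-puppetmaster.secrets
    authby=secret
    auto=start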
root@puppetslave1# cat /etc/ipsec.d/to-puppetmaster.secrets
>>
C.C.C.C A.A.A.A : PSK "IpsecPass"
root@puppetslave1# cat /etc/ipsec.d/to-puppetslave.conf
>>
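# puppetslave1 <-> puppetslave: transport mode covering only GRE (IP proto 47)
# between the two outer addresses. Parameter lines must be indented; a line
# at column 0 starts a new section.
conn to_puppetslave
    type=transport
    aggrmode=no
    compress=no
    auth=esp
    keyexchange=ike
    # 3DES/MD5/modp1024 without PFS (the original) is below current minimums.
    # AES-256, SHA-1 HMAC and a 2048-bit group with PFS are supported by the
    # openswan 2.6.x shipped for EL6; the same proposal must be set on the peer.
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    pfs=yes
    ikelifetime=28800s
    keylife=3600s
    leftid=C.C.C.C
    left=C.C.C.C
    rightid=B.B.B.B
    right=B.B.B.B
    # Only GRE is protected; other traffic between the hosts (ssh, quagga
    # vtys, ...) is NOT covered by this conn.
    leftprotoport=gre
    rightprotoport=gre
    # PSK from /etc/ipsec.d/to-puppetslave.secrets
    authby=secret
    auto=start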
root@puppetslave1# cat /etc/ipsec.d/to-puppetslave.secrets
>>
C.C.C.C B.B.B.B : PSK "IpsecPass"
4) После всего запускаем скрипты на всех маршрутизаторах:
root# bash -xv /root/tun_gre.sh
5) Проверяем работу ospf и ipsec:
Как видим, в таблице маршрутов появились маршруты, добавленные quagga ospfd (proto zebra):
root@puppetmaster# ip route
>>
10.10.0.1 dev eth0 scope link src 10.20.0.1
172.16.33.4/30 dev netb proto kernel scope link src 172.16.33.5
172.16.33.0/30 dev netc proto kernel scope link src 172.16.33.1
172.16.33.8/30 proto zebra metric 20
nexthop via 172.16.33.6 dev netb weight 1
nexthop via 172.16.33.2 dev netc weight 1
A.A.A.A/24 dev eth0 proto kernel scope link src A.A.A.A
192.168.32.0/24 via 172.16.33.6 dev netb proto zebra metric 20
192.168.33.0/24 via 172.16.33.2 dev netc proto zebra metric 20
192.168.31.0/24 dev ifb0 proto kernel scope link src 192.168.31.1
169.254.0.0/16 dev eth0 scope link metric 1002
default via A.A.A.1 dev eth0
Удаленные подсети доступны.
root@puppetmaster# for x in {1..3}; do ping -c 1 192.168.3${x}.1 > /dev/null && echo 192.168.3${x}.1=OK ; done
>>
192.168.31.1=OK
192.168.32.1=OK
192.168.33.1=OK
Между маршрутизаторами видим шифрованный трафик ESP и ospf. (На маршрутизаторе, на котором происходит шифрование, мы видим ospf-трафик до шифрования, а также ESP-трафик; на промежуточном маршрутизаторе между нашими маршрутизаторами виден только ESP-трафик.) Чтобы убедиться, что GRE не уходит открытым текстом, на внешнем интерфейсе выполните `tcpdump -ni eth0 proto gre` — пакетов быть не должно.
root@puppetmaster# tcpdump proto ospf or proto 50 -i any
>>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:02:36.422402 IP 172.16.33.2 > ospf-all.mcast.net: OSPFv2, Hello, length 48
18:02:36.802367 IP puppetslave.localdomain > puppetmaster.localdomain: ESP(spi=0xe8ab91b6,seq=0xfa), length 76
18:02:36.969514 IP puppetslave.localdomain > puppetmaster.localdomain: ESP(spi=0xe8ab91b6,seq=0xfb), length 76
18:02:36.970442 IP puppetslave.localdomain > puppetmaster.localdomain: ESP(spi=0xe8ab91b6,seq=0xfc), length 116
18:02:36.970442 IP 172.16.33.6 > ospf-all.mcast.net: OSPFv2, Hello, length 44
18:02:36.970754 IP 172.16.33.1 > ospf-all.mcast.net: OSPFv2, LS-Update, length 100
18:02:36.970801 IP puppetmaster.localdomain > puppetslave1.localdomain: ESP(spi=0xe38c8f45,seq=0xfe), length 172
18:02:36.971704 IP puppetslave1.localdomain > puppetmaster.localdomain: ESP(spi=0xe3af051d,seq=0x101), length 172
18:02:36.971704 IP 172.16.33.2 > ospf-all.mcast.net: OSPFv2, LS-Update, length 100
18:02:37.693604 IP 172.16.33.1 > ospf-all.mcast.net: OSPFv2, LS-Ack, length 44
18:02:37.693666 IP puppetmaster.localdomain > puppetslave1.localdomain: ESP(spi=0xe38c8f45,seq=0xff), length 116
18:02:37.792211 IP puppetslave1.localdomain > puppetmaster.localdomain: ESP(spi=0xe3af051d,seq=0x102), length 116
18:02:37.792211 IP 172.16.33.2 > ospf-all.mcast.net: OSPFv2, LS-Ack, length 44