共计 7393 个字符,预计需要花费 19 分钟才能阅读完成。
公司在国内、日本、美国、德国、新加坡等多地均有业务,中间业务网络用的公司专有 GPN(Global Private Network 中文名是全球私有化网络)链路,目前测试搭建一条备用链路,用于网络冗余和故障切换。
初步选用方案 GRE over IPSec,跑 ospf 路由协议。
一、为何要选 GRE over IPSec:
各个 site 网络比较多,需要使用路由协议进行互联;
IPSEC 不支持组播,即不能传递路由协议,在承载路由协议上不如 GRE 隧道方便;
GRE 隧道不能提供加密保障;
使用 GRE 在两个网关之间搭建一个隧道,运行路由协议及传输正常数据,使用 IPSec 对整个 GRE 隧道进行加密,因此需要把两者进行结合。
二、测试环境:
以中国、日本、美国三地为例,基本网络拓扑如下图,用 Mikrotik RouterOS(简称 ROS)做路由器和防火墙,中间跑 ospf 协议。GPN 链路就相当于一个大二层,能够把中日美三地打通,相当于专线,因此在网络质量上优于直接走大网,做业务主线,这里不多写;主要写一下如何配置 GRE 链路实现备用链路功能,在 GPN 链路中断的时候能够自动切换到备线。
routeros 上配置外网:
中国:101.251.x.x
日本:205.177.x.x
美国:38.83.x.x
三地的内网地址:
中国:10.13.24.0/22
日本:10.13.4.0/22
美国:10.13.12.0/22
三地互联地址 (用 10.13.253.0/24 段做互联地址段):
中国和日本:10.13.253.0/30
日本和美国:10.13.253.16/30
美国和中国:10.13.253.4/30
GPN 链路网段:
10.13.252.0/24
三、配置
1、三个 ros 的 interface(ether1/2/ 3 分别对应着外网 / 内网 /GPN 网络):
2、IPSec 配置
中国:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | /ip ipsec peer add address=205.177.x.x/32:500 comment="JP Link" auth-method=pre-shared-key secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 add address=38.83.x.x/32:500 comment= "USALink" auth-method=pre-shared-key secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 /ip ipsec policy add src-address=101.251.x.x/32:any dst-address=205.177.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=101.251.x.x sa-dst-address=205.177.x.x proposal=default priority=0 add src-address=101.251.x.x/32:any dst-address=38.83.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=101.251.x.x sa-dst-address=38.83.x.x proposal=default priority=0 |
日本:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | /ip ipsec peer add address=101.251.x.x/32:500 comment="BJ Link" auth-method=pre-shared-key secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 add address=38.83.x.x/32:500 comment= "USA Link" auth-method=pre-shared-key secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 /ip ipsec policy add src-address=205.177.x.x/32:any dst-address=101.251.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=205.177.x.x sa-dst-address=101.251.x.x proposal=default priority=0 add src-address=205.177.x.x/32:any dst-address=38.83.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=205.177.x.x sa-dst-address=38.83.x.x proposal=default priority=0 |
美国:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | /ip ipsec peer add address=101.251.x.x/32:500 comment="BJ Link" auth-method=pre-shared-key secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 add address=205.177.x.x/32:500 comment= "JP Link" auth-method=pre-shared-key secret="mypassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 /ip ipsec policy add src-address=38.83.x.x/32:any dst-address=101.251.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=38.83.x.x sa-dst-address=101.251.x.x proposal=default priority=0 add src-address=38.83.x.x/32:any dst-address=205.177.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=38.83.x.x sa-dst-address=205.177.x.x proposal=default priority=0 |
中国示例图:
3、GRE 配置:
中国:
1 2 3 4 5 6 7 8 9 10 | /interface gre add name= gre-tunnel1 local-address=101.251.x.x remote-address=205.177.x.x comment="JP Link" add name= gre-tunnel2 local-address=101.251.x.x remote-address=38.83.x.x comment="USA Link" /ip address add address=10.13.253.1/30 interface=gre-tunnel1 network=10.13.253.0 comment="JP Link"add address=10.13.253.5/30 interface=gre-tunnel2 network=10.13.253.4 comment="USA Link" |
日本:
1 2 3 4 5 6 7 8 9 10 | /interface gre add name= gre-tunnel1 local-address=205.177.x.x remote-address=101.251.x.x comment="BJ Link" add name= gre-tunnel2 local-address=101.251.x.x remote-address=38.83.x.x comment="USA Link" /ip address add address=10.13.253.2/30 interface=gre-tunnel1 network=10.13.253.0 comment="BJ Link"add address=10.13.253.17/30 interface=gre-tunnel2 network=10.13.253.16 comment="USA Link" |
美国:
1 2 3 4 5 6 7 8 9 10 | /interface gre add name= gre-tunnel1 local-address=38.83.x.x remote-address=101.251.x.x comment="BJ Link" add name= gre-tunnel2 local-address=38.83.x.x remote-address=205.177.x.x comment="JP Link" /ip address add address=10.13.253.6/30 interface=gre-tunnel1 network=10.13.253.4 comment="BJ Link"add address=10.13.253.18/30 interface=gre-tunnel2 network=10.13.253.16 comment="JP Link" |
中国示例图:
4、OSPF 配置
把本地的内网地址段、GPN 网段(10.13.252.0/24),GRE 互联地址网段都宣布进去,cost 值 GPN 链路的优先级高,设为 10,GRE Tunnel 的 cost 值设为 100:
中国:
1 2 3 4 5 6 7 8 9 10 11 | /routing ospf> interface add interface=eth2 cost=10 interface add interface=eth3 cost=10 interface add interface=gre-tunnel1 cost=100 interface add interface=gre-tunnel2 cost=100 /routing ospf> network add network=10.13.24.0/22 area=backbone comment="内网" network add network=10.13.252.0/24 area=backbone comment="GPN" network add network=10.13.253.0/30 area=backbone comment="JP Link" network add network=10.13.253.4/30 area=backbone comment="USA Link" |
日本:
1 2 3 4 5 6 7 8 9 10 11 | /routing ospf> interface add interface=eth2 cost=10 interface add interface=eth3 cost=10 interface add interface=gre-tunnel1 cost=100 interface add interface=gre-tunnel2 cost=100 /routing ospf> network add network=10.13.4.0/22 area=backbone comment="内网" network add network=10.13.252.0/24 area=backbone comment="GPN" network add network=10.13.253.0/30 area=backbone comment="BJ Link" network add network=10.13.253.16/30 area=backbone comment="USA Link" |
美国:
1 2 3 4 5 6 7 8 9 10 11 | /routing ospf> interface add interface=eth2 cost=10 interface add interface=eth3 cost=10 interface add interface=gre-tunnel1 cost=100 interface add interface=gre-tunnel2 cost=100 /routing ospf> network add network=10.13.12.0/22 area=backbone comment="内网" network add network=10.13.252.0/24 area=backbone comment="GPN" network add network=10.13.253.4/30 area=backbone comment="BJ Link" network add network=10.13.253.16/30 area=backbone comment="JP Link" |
北京示例图:
四、验证
1、查看 ospf 是否启动成功:
2、down 掉 GPN 的 interface,查看 ospf 的路由是否自动切换到 GRE Tunnel:
测试线路自动切换成功,再把 GPN interface 起来之后,查看路由又自动切换到了 GPN 链路。
success!
五、优化
此文中只选了 3 个 site,备线的 ospf cost 值均设为了 100,;在实际部署时会多于 3 个,ospf 值的设置,可以设置为点对点的延迟值,使在切换到备线时 ospf 选路选的是线路延迟最低的路径,也是最优的路径。比如中日之间大网延迟大概为 55ms, 可以把 GRE 的 ospf cost 设为 55。
本文永久更新链接地址 :http://www.linuxidc.com/Linux/2016-03/128968.htm
正文完
星哥说事-微信公众号
