電訊茶室's Archiver

moses posted on 2015-2-28 12:37

Dual dynamic IPs; IPsec; site-to-site VPN

Requirements:
site a: internal 192.168.11.0/24; external China Telecom FTTB line, dynamic public IP obtained via PPPoE
site b: internal 172.16.10.0/24; external China Telecom xDSL line, dynamic public IP obtained via PPPoE
site a and site b must be able to reach each other; each side is identified by the router's built-in Cloud DNS name; traffic is encrypted with IPsec; if either side drops its line, the IPsec tunnel is rebuilt automatically and communication resumes.

Configuration:
[color=DarkRed][size=5]site a[/size][/color]:[code]
/ip ipsec peer
add address=200.200.200.200/32 enc-algorithm=aes-128 nat-traversal=no secret=111111
[/code]Here address is site b's public IP; enc-algorithm must match site b's setting; secret is arbitrary but must match site b's setting.[code]
/ip ipsec policy
add dst-address=172.16.10.0/24 sa-dst-address=200.200.200.200 sa-src-address=100.100.100.100 src-address=192.168.11.0/24 tunnel=yes
[/code]Here src-address is site a's internal subnet; dst-address is site b's internal subnet; sa-src-address is site a's public IP; sa-dst-address is site b's public IP; tunnel is set to yes.[code]
/ip firewall nat
# action=accept is the default for a NAT rule: site-to-site traffic is left un-NATed, so this must sit above any masquerade rule
add chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.11.0/24 action=accept
[/code]Here dst-address is site b's internal subnet; src-address is site a's internal subnet; place this rule as the first one.[code]
#-----------
#site to site ipsec tunnel vpn, no actual interface, no OSPF!
#script by moses
#-----------

#-----------
#setting
:global localsite "aaaaaaaaaaaa.sn.mynetname.net"
# the quoted value is site a's Cloud DNS name
:global remotesite "bbbbbbbbbbbb.sn.mynetname.net"
# the quoted value is site b's Cloud DNS name
:global vpninterface "pppoe-out1"
# the quoted value is site a's PPPoE dial-up interface
#-----------

#-----------
# local public IP: take the address on the PPPoE interface and strip the "/32" suffix
# (the commented-out alternative resolves site a's own Cloud DNS name instead)
#:global localcurrentip [:resolve $localsite]
:global localcurrentip [:pick [/ip address get [find interface=$vpninterface] address] 0 [:find [/ip address get [find interface=$vpninterface] address] "/"]]
:global localpreviousip
# remote public IP: resolve site b's Cloud DNS name
:global remotecurrentip [:resolve $remotesite]
:global remotepreviousip
#-----------

#-----------
# only touch IPsec when one of the two addresses has actually changed
:if (($localcurrentip != $localpreviousip) || ($remotecurrentip != $remotepreviousip)) do={
# peer 0 is the single peer added above; policy 1 because entry 0 is the default template policy
/ip ipsec peer set 0 address=$remotecurrentip
/ip ipsec policy set 1 sa-src-address=$localcurrentip sa-dst-address=$remotecurrentip
# drop the stale SA so a new one is negotiated with the new addresses
/ip ipsec remote-peers kill-connections
:set localpreviousip $localcurrentip
:set remotepreviousip $remotecurrentip
:log warning "IPSEC RESET! L:$localcurrentip R:$remotecurrentip"
} else={
#:log info "no change"
}
#-----------
[/code]Save this script as chkipsec and call it from the scheduler once a minute.



[color=DarkRed][size=5]site b[/size][/color]:[code]
/ip ipsec peer
add address=100.100.100.100/32 enc-algorithm=aes-128 nat-traversal=no secret=111111
[/code]Here address is site a's public IP; enc-algorithm must match site a's setting; secret is arbitrary but must match site a's setting.[code]
/ip ipsec policy
add dst-address=192.168.11.0/24 sa-dst-address=100.100.100.100 sa-src-address=200.200.200.200 src-address=172.16.10.0/24 tunnel=yes
[/code]Here src-address is site b's internal subnet; dst-address is site a's internal subnet; sa-src-address is site b's public IP; sa-dst-address is site a's public IP; tunnel is set to yes.[code]
/ip firewall nat
# action=accept is the default for a NAT rule: site-to-site traffic is left un-NATed, so this must sit above any masquerade rule
add chain=srcnat dst-address=192.168.11.0/24 src-address=172.16.10.0/24 action=accept
[/code]Here dst-address is site a's internal subnet; src-address is site b's internal subnet; place this rule as the first one.[code]
#-----------
#site to site ipsec tunnel vpn, no actual interface, no OSPF!
#script by moses
#-----------

#-----------
#setting
:global localsite "bbbbbbbbbbbb.sn.mynetname.net"
# the quoted value is site b's Cloud DNS name
:global remotesite "aaaaaaaaaaaa.sn.mynetname.net"
# the quoted value is site a's Cloud DNS name
:global vpninterface "pppoe-out1"
# the quoted value is site b's PPPoE dial-up interface
#-----------

#-----------
# local public IP: take the address on the PPPoE interface and strip the "/32" suffix
# (the commented-out alternative resolves site b's own Cloud DNS name instead)
#:global localcurrentip [:resolve $localsite]
:global localcurrentip [:pick [/ip address get [find interface=$vpninterface] address] 0 [:find [/ip address get [find interface=$vpninterface] address] "/"]]
:global localpreviousip
# remote public IP: resolve site a's Cloud DNS name
:global remotecurrentip [:resolve $remotesite]
:global remotepreviousip
#-----------

#-----------
# only touch IPsec when one of the two addresses has actually changed
:if (($localcurrentip != $localpreviousip) || ($remotecurrentip != $remotepreviousip)) do={
# peer 0 is the single peer added above; policy 1 because entry 0 is the default template policy
/ip ipsec peer set 0 address=$remotecurrentip
/ip ipsec policy set 1 sa-src-address=$localcurrentip sa-dst-address=$remotecurrentip
# drop the stale SA so a new one is negotiated with the new addresses
/ip ipsec remote-peers kill-connections
:set localpreviousip $localcurrentip
:set remotepreviousip $remotecurrentip
:log warning "IPSEC RESET! L:$localcurrentip R:$remotecurrentip"
} else={
#:log info "no change"
}
#-----------
[/code]Save this script as chkipsec and call it from the scheduler once a minute.

gfx86674 posted on 2015-8-7 21:38

[quote]Requirements:
site a: internal 192.168.11.0/24; external China Telecom FTTB line, dynamic public IP obtained via PPPoE
site b: internal 172.16.10.0/ ...
[size=2][color=#999999]moses posted on 2015-2-28 12:37[/color][/size][/quote][code]:global localcurrentip [:pick [/ip address get [find interface=$vpninterface] address] 0 [:find [/ip address get [find interface=$vpninterface] address] "/"]][/code]This fragment for grabbing the interface address is far too long; in fact it does not need to be that complicated:

Suppose you want the address of interface=pppoe-out1; just declare it like this:[code]:global localcurrentip
/interface pppoe-client monitor pppoe-out1 once do={:set localcurrentip $"local-address"}[/code]and the address of pppoe-out1 is stored in localcurrentip.
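
The following is an added example for this archive page, not code from moses' or gfx86674's posts. It pulls the whole site a side together: the one-time peer/policy/NAT setup, an input filter that only admits IKE and ESP from the current peer address, and a chkipsec script that combines the change-detection logic from the first post with the shorter PPPoE address lookup from the reply. It assumes RouterOS 6.x with the pre-6.43 peer syntax (secret, enc-algorithm, hash-algorithm and dh-group set on the peer), a single peer and policy per site, the hypothetical comment tag "site-b" and address-list name "ipsec-peers" used to locate objects, a placeholder PSK to be replaced, and the thread's addressing (100.100.100.100 for site a, 200.200.200.200 for site b). Unlike the posted scripts it finds the peer and policy by attribute rather than by numeric index, stops cleanly when the PPPoE link is down or the Cloud DNS name does not resolve, and keeps the firewall address list in step with the peer's current IP. For site b, swap the subnets, the Cloud DNS name and the initial peer address.

```routeros
# --- one-time setup on site a (assumed hardening of the thread's peer/policy, RouterOS 6.x pre-6.43 syntax) ---
# Explicit, stronger IKE/ESP parameters instead of the router defaults.
/ip ipsec proposal set [find default=yes] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add address=200.200.200.200/32 comment="site-b" auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-PSK" enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=no dpd-interval=30s dpd-maximum-failures=3
/ip ipsec policy add src-address=192.168.11.0/24 dst-address=172.16.10.0/24 \
    sa-src-address=100.100.100.100 sa-dst-address=200.200.200.200 tunnel=yes comment="site-b"
# Leave site-to-site traffic un-NATed (action=accept ends NAT processing); keep it above any masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.11.0/24 dst-address=172.16.10.0/24 \
    action=accept place-before=0 comment="site-b: no NAT"
# Only the current peer may send IKE (UDP/500) or ESP to this router; chkipsec updates the list entry.
# UDP/4500 is not opened because the thread runs with nat-traversal=no.
/ip firewall address-list add list=ipsec-peers address=200.200.200.200 comment="site-b"
/ip firewall filter add chain=input protocol=udp dst-port=500 src-address-list=ipsec-peers \
    action=accept comment="IKE from site-b"
/ip firewall filter add chain=input protocol=ipsec-esp src-address-list=ipsec-peers \
    action=accept comment="ESP from site-b"
/system scheduler add name=chkipsec interval=1m on-event=chkipsec

# --- body of /system script chkipsec (site a) ---
:global vpninterface "pppoe-out1"
:global remotesite "bbbbbbbbbbbb.sn.mynetname.net"
:global localpreviousip
:global remotepreviousip
:global localcurrentip
:global remotecurrentip

# Local WAN address straight from the PPPoE client (the form suggested in the reply); unset while the link is down.
:set localcurrentip
/interface pppoe-client monitor $vpninterface once do={ :set localcurrentip $"local-address" }
:if ([:typeof $localcurrentip] = "nothing") do={
    :log info "chkipsec: $vpninterface has no address, nothing to do"
    :error "link down"
}

# Remote WAN address from the peer's Cloud DNS name; a DNS failure must not tear down a working SA.
:do {
    :set remotecurrentip [:resolve $remotesite]
} on-error={
    :log warning "chkipsec: cannot resolve $remotesite, keeping current peer address"
    :error "resolve failed"
}

:if (($localcurrentip != $localpreviousip) || ($remotecurrentip != $remotepreviousip)) do={
    # Locate objects by the "site-b" comment, not by position: numeric indices shift when entries are added or removed.
    :local peerid [/ip ipsec peer find comment="site-b"]
    :local polid [/ip ipsec policy find comment="site-b"]
    :if (([:len $peerid] = 0) || ([:len $polid] = 0)) do={
        :log error "chkipsec: site-b peer or policy not found, refusing to continue"
        :error "config missing"
    }
    /ip ipsec peer set $peerid address=$remotecurrentip
    /ip ipsec policy set $polid sa-src-address=$localcurrentip sa-dst-address=$remotecurrentip
    /ip firewall address-list set [find list="ipsec-peers" comment="site-b"] address=$remotecurrentip
    # Drop the stale SA so IKE renegotiates with the new addresses.
    /ip ipsec remote-peers kill-connections
    :set localpreviousip $localcurrentip
    :set remotepreviousip $remotecurrentip
    :log warning "chkipsec: IPSEC RESET L:$localcurrentip R:$remotecurrentip"
}
```

The two `:error` exits are deliberate: when the link is down or DNS fails there is no trustworthy new address, so the script leaves the existing peer, policy and address list untouched and simply tries again on the next scheduler run, instead of writing an empty value into the configuration. The address list is the piece that ties the firewall to the script; without it a filter that pins IKE/ESP to a fixed peer IP would silently block the tunnel the moment the far side re-dials.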

