At home I have always used a Cisco enterprise router (CISCO892W) for internet access. Because the line gets a dynamic dial-up address, DMVPN has been the way to interconnect with the office and my hometown.
A Cisco router, however, is bigger than an ordinary home router, draws more power, has a bit of fan hum and, above all, is not cheap. So I considered moving DMVPN onto a home router.
Back to the topic: the small home router is a Netgear 3700v4 running the latest OpenWRT 15.05.1.
1. Install packages
opkg install opennhrp
opkg install kmod-ipsec4
opkg install quagga quagga-zebra quagga-ospfd
opkg install gre
opkg install iptables-mod-nat-extra
opkg install kmod-natsemi
opkg install kmod-nf-nathelper-extra
2. Configure the GRE interface
vi /etc/config/network
Add the following:
config interface 'gre'
	option proto 'gre' ## protocol is gre
	option zone 'vpn' ## firewall zone is vpn
	option peeraddr '0.0.0.0' ## GRE peer address is 0.0.0.0
	option mtu '1400'
	option ttl '64'
	option ikey '100' ## GRE key
	option okey '100' ## GRE key
config interface 'gre1'
	option proto 'static'
	option ifname '@gre'
	option ipaddr '172.16.100.3' ## tunnel address
	option netmask '255.255.255.0' ## tunnel netmask
After configuring, activate the interface in the web UI or with the command '/etc/init.d/network restart'.
Check the interface:
root@openwrt:~# ifconfig gre-gre
gre-gre Link encap:UNSPEC HWaddr 75-59-45-52-00-00-7F-A2-00-00-00-00-00-00-00-00
inet addr:172.16.100.3 Mask:255.255.255.0
inet6 addr: fe80::200:5efe:7559:4552/64 Scope:Link
UP RUNNING MTU:1400 Metric:1
RX packets:10265 errors:0 dropped:0 overruns:0 frame:0
TX packets:19404 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:921632 (900.0 KiB) TX bytes:1489669 (1.4 MiB)
root@openwrt:~#ip link show gre-gre
13: gre-gre@NONE: <UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/gre 117.89.69.82 brd 0.0.0.0
root@openwrt:~#
root@openwrt:~# ip tunnel show gre-gre
gre-gre: gre/ip remote any local 117.89.69.82 ttl 64 key 100
root@openwrt:~#
3. Configure IPsec
3.1 Configure the pre-shared key:
vi /etc/racoon/psk.txt
Add the following:
* Cisco ## the pre-shared key for any IPsec peer address is Cisco
3.2 Configure the IPsec traffic selectors (interesting traffic)
vi /etc/ipsec.conf
Add the following:
#!/usr/sbin/setkey -f
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
3.3 Configure the IPsec policy:
vi /etc/racoon.conf
Configure it as follows (adjust to your actual situation):
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
	exchange_mode main,aggressive;
	lifetime time 24 hour;
	nat_traversal on;
	dpd_delay 10;
	script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
	script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
	proposal {
		encryption_algorithm des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
sainfo anonymous {
	lifetime time 1 hour;
	encryption_algorithm des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}
3.4 Start IPsec
/etc/init.d/racoon restart
3.5 Check IPsec status
root@openwrt:~# setkey -D
117.89.69.82 224.0.0.5
esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 22 11:37:49 2017 current: Feb 22 11:38:02 2017
diff: 13(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=12642 refcnt=0
117.89.69.82 218.94.26.93
esp mode=transport spi=3303143295(0xc4e1f77f) reqid=0(0x00000000)
E: des-cbc 7eabfcea 8eba315b
A: hmac-md5 8d10c4ea f7816b72 1702caf0 57233852
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 22 10:54:00 2017 current: Feb 22 11:38:02 2017
diff: 2642(s) hard: 3600(s) soft: 2880(s)
last: Feb 22 10:54:09 2017 hard: 0(s) soft: 0(s)
current: 21001(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 276 hard: 0 soft: 0
sadb_seq=2 pid=12642 refcnt=0
218.94.26.93 117.89.69.82
esp mode=transport spi=191219007(0x0b65c53f) reqid=0(0x00000000)
E: des-cbc 5ec7e525 321b699d
A: hmac-md5 564059d1 e3b92639 aefa88fb 21a3303b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 22 10:54:00 2017 current: Feb 22 11:38:02 2017
diff: 2642(s) hard: 3600(s) soft: 2880(s)
last: Feb 22 10:54:01 2017 hard: 0(s) soft: 0(s)
current: 28005(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 290 hard: 0 soft: 0
sadb_seq=0 pid=12642 refcnt=0
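The proposal in 3.3 negotiates des-cbc with hmac-md5, which is exactly what the mature SAs in the setkey -D output above show, and the larval entry towards 224.0.0.5 is an SA whose phase 2 never completed. The Python script below is an added example, not part of the original post: it parses setkey -D output in that layout and flags SAs that are not mature, use DES or MD5, or are close to their hard lifetime; the addresses and key bytes in the embedded sample are constructed.

```python
import re
WEAK_ENC, WEAK_AUTH = {"des-cbc", "null"}, {"hmac-md5", "null"}
ADDR = re.compile(r"^([\d.:a-fA-F]+)\s+([\d.:a-fA-F]+)$")  # "src dst" header line of one SA

# Constructed sample in the layout of `setkey -D`; addresses and key bytes are made up.
SAMPLE = """\
203.0.113.10 224.0.0.5
  esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
  seq=0x00000000 replay=0 flags=0x00000000 state=larval
  diff: 13(s)  hard: 30(s)  soft: 0(s)
203.0.113.10 198.51.100.7
  esp mode=transport spi=3303143295(0xc4e1f77f) reqid=0(0x00000000)
  E: des-cbc 00112233 44556677
  A: hmac-md5 00112233 44556677 8899aabb ccddeeff
  seq=0x00000000 replay=4 flags=0x00000000 state=mature
  diff: 3400(s)  hard: 3600(s)  soft: 2880(s)
"""

def parse_sad(text):
    """Parse `setkey -D` output into one dict per SA (leading whitespace is ignored)."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ADDR.match(line)):
            sas.append({"src": m.group(1), "dst": m.group(2)})
        elif sas:
            sa = sas[-1]
            if (m := re.search(r"state=(\w+)", line)):
                sa["state"] = m.group(1)
            if (m := re.match(r"([EA]): (\S+)", line)):  # E: cipher, A: integrity algorithm
                sa["enc" if m.group(1) == "E" else "auth"] = m.group(2)
            if (m := re.match(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)", line)):
                sa["age"], sa["hard"] = int(m.group(1)), int(m.group(2))
    return sas

def audit_sad(text):
    """Return (src, dst, finding) tuples for SAs that are not up or are weakly protected."""
    findings = []
    for sa in parse_sad(text):
        peer = (sa["src"], sa["dst"])
        if sa.get("state") != "mature":  # larval: a GETSPI was issued but phase 2 never completed
            findings.append(peer + ("state=%s, phase 2 not completed" % sa.get("state"),))
            continue
        if sa.get("enc") in WEAK_ENC:
            findings.append(peer + ("weak encryption %s" % sa["enc"],))
        if sa.get("auth") in WEAK_AUTH:
            findings.append(peer + ("weak integrity %s" % sa["auth"],))
        if sa.get("hard") and sa["age"] > 0.9 * sa["hard"]:  # rekey should have happened at soft
            findings.append(peer + ("%ds of %ds hard lifetime used" % (sa["age"], sa["hard"]),))
    return findings
```

On the router, feed the real output of setkey -D to audit_sad() instead of SAMPLE.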
4. Configure opennhrp
vi /etc/opennhrp/opennhrp.conf
Configure it as follows:
interface gre-gre ## use the actual interface name
	map 172.16.100.254/24 218.94.26.93 register cisco ## Cisco-compatible NHRP
	cisco-authentication cisco ## NHRP key is cisco
	shortcut
	redirect
	multicast dynamic ## multicast addresses are mapped dynamically
Start opennhrp
/etc/init.d/opennhrp restart
Check opennhrp status:
root@openwrt:~# opennhrpctl show
Status: ok
Interface: gre-gre
Type: local
Protocol-Address: 172.16.100.255/32
Alias-Address: 172.16.100.3
Flags: up
Interface: gre-gre
Type: local
Protocol-Address: 172.16.100.3/32
Flags: up
Interface: gre-gre
Type: static
Protocol-Address: 172.16.100.254/24
NBMA-Address: 218.94.26.93
Flags: up
5. Configure the dynamic routing protocol:
vi /etc/quagga/ospfd.conf
Add the following:
interface gre-gre
 ip ospf priority 0 ## the spoke is an OSPF DROTHER
!
router ospf
 ospf router-id 172.16.100.3 ## OSPF router-id
 network 172.16.100.0/24 area 0.0.0.0 ## advertise the gre interface
 network 192.168.1.0/24 area 0.0.0.0 ## advertise the LAN subnet
Start the OSPF process
/etc/init.d/quagga restart
Check OSPF:
telnet 127.0.0.1 2604
The default password is zebra.
The relevant commands are
show ip ospf neighbor
show ip ospf database
show ip ospf route
The state is as follows:
openwrt# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.16.100.254 255 Full/DR 33.452s 172.16.100.254 gre-gre:172.16.100.3 0 0 0
openwrt#
openwrt# show ip ospf route
============ OSPF network routing table ============
N 172.16.0.0/24 [110] area: 0.0.0.0
via 172.16.100.1, gre-gre
via 172.16.100.2, gre-gre
N 172.16.100.0/24 [10] area: 0.0.0.0
directly attached to gre-gre
N 192.2.10.0/24 [12] area: 0.0.0.0
via 172.16.100.254, gre-gre
N 192.168.1.0/24 [10] area: 0.0.0.0
directly attached to br-lan
N 192.168.49.0/24 [11] area: 0.0.0.0
via 172.16.100.1, gre-gre
N 192.168.50.0/24 [11] area: 0.0.0.0
via 172.16.100.1, gre-gre
N 192.168.100.0/24 [11] area: 0.0.0.0
via 172.16.100.2, gre-gre
============ OSPF router routing table =============
R 172.16.0.1 [10] area: 0.0.0.0, ASBR
via 172.16.100.1, gre-gre
R 172.16.0.2 [10] area: 0.0.0.0, ASBR
via 172.16.100.2, gre-gre
============ OSPF external routing table ===========
N E2 192.168.51.0/24 [10/20] tag: 51
via 172.16.100.1, gre-gre
N E2 192.168.102.0/24 [10/20] tag: 102
via 172.16.100.2, gre-gre
openwrt#
openwrt# show ip ospf database
OSPF Router with ID (172.16.100.3)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Link count
172.16.0.1 172.16.0.1 1605 0x80000853 0x950d 4
172.16.0.2 172.16.0.2 1947 0x8000070b 0xfe62 3
172.16.0.254 172.16.0.254 95 0x80000f39 0xed68 2
172.16.100.3 172.16.100.3 497 0x8000006e 0xbb10 2
172.16.100.254 172.16.100.254 1996 0x800002bf 0x3339 3
192.168.254.253 192.168.254.253 628 0x800002b9 0x885f 6
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum
172.16.0.254 172.16.0.254 1368 0x80000dd8 0x752c
172.16.100.254 172.16.100.254 1490 0x8000060e 0x31ec
AS External Link States
Link ID ADV Router Age Seq# CkSum Route
192.168.51.0 172.16.0.1 1851 0x80000e07 0xcd31 E2 192.168.51.0/24 [0x33]
192.168.102.0 172.16.0.2 153 0x800003e4 0x9331 E2 192.168.102.0/24 [0x66]
openwrt#
6. Configure the firewall
vi /etc/config/firewall
Add the following:
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option forward 'ACCEPT'
	option network 'gre1'
config forwarding
	option dest 'lan'
	option src 'vpn'
config forwarding
	option dest 'wan'
	option src 'vpn'
config forwarding
	option dest 'vpn'
	option src 'lan'
Restart the firewall
/etc/init.d/firewall restart
7. Testing:
netstat -r ## view the routing table
ping 172.16.10.254
After a device reboot, including a change of WAN address, DMVPN comes back up normally.
root@openwrt:~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 117.89.68.1 0.0.0.0 UG 0 0 0 pppoe-wan
117.89.68.1 * 255.255.255.255 UH 0 0 0 pppoe-wan
172.16.0.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
172.16.100.0 * 255.255.255.0 U 0 0 0 gre-gre
192.2.10.0 172.16.100.254 255.255.255.0 UG 0 0 0 gre-gre
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.49.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.50.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.51.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.100.0 172.16.100.2 255.255.255.0 UG 0 0 0 gre-gre
192.168.102.0 172.16.100.2 255.255.255.0 UG 0 0 0 gre-gre
192.168.200.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
root@openwrt:~# ping 172.16.100.254
PING 172.16.100.254 (172.16.100.254): 56 data bytes
64 bytes from 172.16.100.254: seq=0 ttl=255 time=5.116 ms
64 bytes from 172.16.100.254: seq=1 ttl=255 time=5.165 ms
64 bytes from 172.16.100.254: seq=2 ttl=255 time=4.921 ms
64 bytes from 172.16.100.254: seq=3 ttl=255 time=4.971 ms
^C
--- 172.16.100.254 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max
The configuration is now complete; in my testing it has run flawlessly for over two months with everything working. This is entirely my own original work; please credit it if you repost.
Update 2019.03.19:
1. On OpenWrt 18.06.2 this could not be configured successfully; the racoon package installation and configuration has some bugs that prevent the service from starting.
Update 2017.12.20:
Some problems have still come up.
1. Traffic between an opennhrp spoke and a Cisco spoke has to be relayed through the Cisco hub. (abnormal)
2. Traffic between two opennhrp spokes can set up IPsec directly between them without passing through the hub. (normal)
3. opennhrp could not be made to work on LEDE; the main problem is that installing ipsec-tools on LEDE has issues with the system's dependency packages. (BUG)
I will look into these when I have time.
Comments
A question: with this configuration you still need at least one Cisco router as the hub, right? Only the spokes can be replaced with OpenWrt. Even so, that is very impressive, truly the first on the whole internet.
@鲲翔 In my case the hub is a Cisco device and the spokes are replaced with OpenWrt. Of course the hub could be OpenWrt too; the configuration would just need to change accordingly.
After running setkey -D it shows "No SAD entries". What could be the cause?
root@OpenNHRP:~# /etc/init.d/racoon restart
Command failed: Not found
uci: Entry not found
root@OpenNHRP:~# setkey -D
No SAD entries.
root@OpenNHRP:~#
root@OpenNHRP:~# cat /etc/ipsec.conf
#!/usr/sbin/setkey -f
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre1 -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre1 -P in ipsec esp/transport//require;
@Suen What do you mean, command not found? I can only guarantee that it works on OpenWrt 15.05. Other Linux distributions should work too, but you would need to check the documentation for the specific commands.
As soon as it enters QUICK MODE the tool starts throwing errors, and I don't know what to do.
Using automatic IKE.
Thu Nov 4 17:45:05 2021 daemon.debug racoon: 2021-11-04 17:45:05: DEBUG: =
Thu Nov 4 17:45:05 2021 daemon.info racoon: 2021-11-04 17:45:05: INFO: ISAKMP-SA established 172.16.1.22[500]-172.16.1.26[500] spi:4da1047ce1726fb5:1055bff0bbaa3e72
Thu Nov 4 17:45:05 2021 daemon.debug racoon: 2021-11-04 17:45:05: DEBUG: =
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: =
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: begin QUICK mode.
Thu Nov 4 17:45:06 2021 daemon.info racoon: 2021-11-04 17:45:06: INFO: initiate new phase 2 negotiation: 172.16.1.22[500]<=>172.16.1.26[500]
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: compute IV for phase2
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: phase1 last IV:
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG:
bc810355 93129f11 9ecc591a b9763f3c b952bfb0
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: hash(sha1)
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: encryption(aes)
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: phase2 IV computed:
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG:
8df728ea 6afcd34a 0f511cf0 3f576c03
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: call pfkey_send_getspi
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: pfkey GETSPI sent: ESP/Tunnel 172.16.1.26[500]->172.16.1.22[500]
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: pfkey getspi sent.
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: pk_recv: retry[0] recv()
Thu Nov 4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: got pfkey GETSPI message
Thu Nov 4 17:45:06 2021 daemon.info racoon: 2021-11-04 17:45:06: ERROR: libipsec failed pfkey align (Invalid sadb message)
Thu Nov 4 17:45:21 2021 daemon.info racoon: 2021-11-04 17:45:21: ERROR: 172.16.1.26 give up to get IPsec-SA due to time up to wait.
Thu Nov 4 17:45:21 2021 daemon.debug racoon: 2021-11-04 17:45:21: DEBUG: IV freed
Thu Nov 4 17:45:35 2021 daemon.debug racoon: 2021-11-04 17:45:35: DEBUG: pk_recv: retry[0] recv()
Thu Nov 4 17:45:35 2021 daemon.debug racoon: 2021-11-04 17:45:35: DEBUG: got pfkey EXPIRE message
Thu Nov 4 17:45:35 2021 daemon.info racoon: 2021-11-04 17:45:35: ERROR: libipsec failed pfkey align (Invalid sadb message)
Thu Nov 4 17:45:36 2021 daemon.debug racoon: 2021-11-04 17:45:36: DEBUG: pk_recv: retry[0] recv()
Thu Nov 4 17:45:36 2021 daemon.debug racoon: 2021-11-04 17:45:36: DEBUG: got pfkey EXPIRE message
Thu Nov 4 17:45:36 2021 daemon.info racoon: 2021-11-04 17:45:36: ERROR: libipsec failed pfkey align (Invalid sadb message)
Is there an ipsec-tools patch for OpenWrt 15.05? Could you send it to me?
I am currently using openswan to set up GRE over IPsec and am configuring opennhrp.
@hah I remember seeing it somewhere before, but I have never used it.