家里一直都是使用的思科的企业级路由器(CISCO892W)上网,由于使用的是动态拨号地址,所以都是使用DMVPN和公司、老家互联的。
但是考虑到思科路由器比普通的家用路由器体积大,功耗大,风扇有点嗡嗡声,关键是价格不菲。所以考虑将DMVPN转战到家用的路由器上。
言归正传,家用小路由器为网件WNDR3700V4,系统为最新的OpenWRT15.05.1。
安装软件包
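# Refresh the package lists before installing. On OpenWrt the lists are kept
# under /var (tmpfs) and are gone after a reboot, so a bare `opkg install`
# on a freshly booted router can fail with "unknown package".
opkg update || exit 1

# One opkg call per package, as in the original, so a failure is attributed
# to the package that caused it; stop instead of carrying on half-installed.
# NHRP daemon (configured later in /etc/opennhrp/opennhrp.conf)
opkg install opennhrp || exit 1
# kernel IPsec support used by racoon / setkey
opkg install kmod-ipsec4 || exit 1
# OSPF over the tunnel (configured later in /etc/quagga/ospfd.conf)
opkg install quagga quagga-zebra quagga-ospfd || exit 1
# GRE tunnel interface (proto 'gre' in /etc/config/network)
opkg install gre || exit 1
# NAT helpers; their exact role in this setup is not shown on this page — TODO confirm
opkg install iptables-mod-nat-extra || exit 1
# NOTE(review): kmod-natsemi looks like a NIC driver rather than a VPN
# component — confirm it is really needed on this hardware
opkg install kmod-natsemi || exit 1
opkg install kmod-nf-nathelper-extra || exit 1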
配置GRE接口
更改配置文件vi /etc/config/network
添加如下内容:
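# GRE carrier interface (/etc/config/network).
# Comments are kept on their own lines so the UCI parser never sees them
# glued to a value; the original had '0.0.0.0'##... with no separating
# whitespace on the peeraddr line.
config interface 'gre'
	# protocol: GRE
	option proto 'gre'
	# NOTE(review): 'zone' is not a netifd interface option as far as I know;
	# the zone membership that takes effect is the one declared in
	# /etc/config/firewall (option network 'gre1') — confirm this line is needed
	option zone 'vpn'
	# GRE peer 0.0.0.0 = "remote any" (see `ip tunnel show gre-gre`), so the
	# hub's address does not have to be known by the tunnel itself (NHRP maps it)
	option peeraddr '0.0.0.0'
	# tunnel MTU; 1400 leaves room for GRE + ESP overhead below the WAN MTU
	# — presumably; adjust if fragmentation shows up
	option mtu '1400'
	option ttl '64'
	# GRE key (shown as "key 100" by `ip tunnel show`); must match the
	# key used on the hub side
	option ikey '100'
	option okey '100'

# Tunnel (overlay) address on top of the GRE interface
config interface 'gre1'
	option proto 'static'
	# '@gre' = the interface above
	option ifname '@gre'
	# tunnel address
	option ipaddr '172.16.100.3'
	# tunnel netmask
	option netmask '255.255.255.0'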
配置完成需要在页面下激活,或者使用命令/etc/init.d/network restart
激活接口。 查看接口:
root@openwrt:~# ifconfig gre-gre
gre-gre Link encap:UNSPEC HWaddr 75-59-45-52-00-00-7F-A2-00-00-00-00-00-00-00-00
inet addr:172.16.100.3 Mask:255.255.255.0
inet6 addr: fe80::200:5efe:7559:4552/64 Scope:Link
UP RUNNING MTU:1400 Metric:1
RX packets:10265 errors:0 dropped:0 overruns:0 frame:0
TX packets:19404 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:921632 (900.0 KiB) TX bytes:1489669 (1.4 MiB)
root@openwrt:~#ip link show gre-gre
13: gre-gre@NONE: <UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/gre 117.89.69.82 brd 0.0.0.0
root@openwrt:~#
root@openwrt:~# ip tunnel show gre-gre
gre-gre: gre/ip remote any local 117.89.69.82 ttl 64 key 100
root@openwrt:~#
配置IPSEC
配置共享密钥
编辑配置文件vi /etc/racoon/psk.txt
添加如下内容:
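# Pre-shared key file read by racoon (path pre_shared_key in racoon.conf).
# Format is "<identifier> <key>"; racoon takes everything after the first
# run of whitespace up to end of line as the key, so a comment must never
# share a line with an entry (the original had "* Cisco ##..." on one line).
# "*" matches any peer address — pre-shared key "Cisco" for any peer.
# NOTE(review): "Cisco" reads like a placeholder; use a long random secret,
# and keep this file mode 0600 — racoon refuses group/world-readable key files.
* Cisco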
配置IPSEC流量(感兴趣流)
编辑配置文件vi /etc/ipsec.conf
添加如下内容:
#!/usr/sbin/setkey -f
# Security policy database (SPD) for the GRE tunnel, loaded by setkey.
# Start from an empty SPD so stale policies from a previous run do not linger.
spdflush;
# Require ESP in transport mode for every GRE packet (protocol "gre"), for any
# src/dst pair, in both directions. "require" means GRE is neither sent nor
# accepted in the clear when no SA exists; the SAs themselves are negotiated
# by racoon (IKE).
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
配置IPSEC策略
编辑配置文件vi /etc/racoon.conf
配置成如下内容(根据具体实际情况调整):
# racoon (IKEv1) configuration for the DMVPN spoke.
log notify;
# pre-shared keys live in psk.txt ("* <key>" matches any peer)
path pre_shared_key "/etc/racoon/psk.txt";
# "anonymous": accept IKE from any peer address — needed here because the
# WAN address is a dynamic dial-up (PPPoE) one and spokes are not known ahead.
remote anonymous {
# NOTE(review): aggressive mode with a pre-shared key exposes a hash of the
# PSK before the exchange is encrypted, which makes the key easier to attack
# offline; keep "main" only if the hub side allows it — confirm with the hub.
exchange_mode main,aggressive;
# phase 1 (IKE SA) lifetime
lifetime time 24 hour;
# NAT traversal (UDP 4500) — the WAN is behind PPPoE/dynamic addressing
nat_traversal on;
# dead peer detection interval, seconds
dpd_delay 10;
# hooks shipped with opennhrp; presumably tear down NHRP state when the
# phase 1 SA goes down or the peer is declared dead — verify script contents
script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
# NOTE(review): single DES, MD5 and DH group 2 are legacy, weak settings;
# if the Cisco hub can be changed, prefer aes / sha256 / dh_group 14 or
# better. The proposal must match the hub's, so change both ends together.
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
# phase 2 (IPsec SA) parameters, again for any peer
sainfo anonymous {
# phase 2 lifetime (the 3600 s "hard" value seen in `setkey -D`)
lifetime time 1 hour;
# NOTE(review): same remark as above — des / hmac_md5 are weak; match the hub
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
启动IPSEC
使用命令进行启动/etc/init.d/racoon restart
查看IPSEC状态
root@openwrt:~# setkey -D
117.89.69.82 224.0.0.5
esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 22 11:37:49 2017 current: Feb 22 11:38:02 2017
diff: 13(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=12642 refcnt=0
117.89.69.82 218.94.26.93
esp mode=transport spi=3303143295(0xc4e1f77f) reqid=0(0x00000000)
E: des-cbc 7eabfcea 8eba315b
A: hmac-md5 8d10c4ea f7816b72 1702caf0 57233852
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 22 10:54:00 2017 current: Feb 22 11:38:02 2017
diff: 2642(s) hard: 3600(s) soft: 2880(s)
last: Feb 22 10:54:09 2017 hard: 0(s) soft: 0(s)
current: 21001(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 276 hard: 0 soft: 0
sadb_seq=2 pid=12642 refcnt=0
218.94.26.93 117.89.69.82
esp mode=transport spi=191219007(0x0b65c53f) reqid=0(0x00000000)
E: des-cbc 5ec7e525 321b699d
A: hmac-md5 564059d1 e3b92639 aefa88fb 21a3303b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 22 10:54:00 2017 current: Feb 22 11:38:02 2017
diff: 2642(s) hard: 3600(s) soft: 2880(s)
last: Feb 22 10:54:01 2017 hard: 0(s) soft: 0(s)
current: 28005(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 290 hard: 0 soft: 0
sadb_seq=0 pid=12642 refcnt=0
配置opennhrp
编辑配置文件vi /etc/opennhrp/opennhrp.conf
配置成如下内容:
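# opennhrp configuration for the spoke (/etc/opennhrp/opennhrp.conf).
# Comments are on their own lines so the parser never sees them as part
# of a directive.
# interface: the real GRE interface name (gre-gre, see `ifconfig gre-gre`)
interface gre-gre
  # hub: tunnel address 172.16.100.254/24 at NBMA (public) address 218.94.26.93;
  # "register" sends NHRP registrations to it, "cisco" keeps the NHRP
  # exchange compatible with the Cisco hub
  map 172.16.100.254/24 218.94.26.93 register cisco
  # NHRP authentication string "cisco". NOTE(review): NHRP authentication is
  # carried in clear text inside the tunnel; it only guards against
  # mis-registration, the real protection is the IPsec layer. Pick a value
  # that matches the hub.
  cisco-authentication cisco
  # allow spoke-to-spoke shortcut entries / honour redirects from the hub
  shortcut
  redirect
  # map multicast (e.g. OSPF hellos to 224.0.0.5, visible in `setkey -D`)
  # to dynamically learned peers
  multicast dynamic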
启动opennhrp
/etc/init.d/opennhrp restart
查看opennhrp状态:
root@openwrt:~# opennhrpctl show
Status: ok
Interface: gre-gre
Type: local
Protocol-Address: 172.16.100.255/32
Alias-Address: 172.16.100.3
Flags: up
Interface: gre-gre
Type: local
Protocol-Address: 172.16.100.3/32
Flags: up
Interface: gre-gre
Type: static
Protocol-Address: 172.16.100.254/24
NBMA-Address: 218.94.26.93
Flags: up
配置动态路由协议
编辑配置文件vi /etc/quagga/ospfd.conf
添加如下内容:
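! OSPF over the DMVPN tunnel (/etc/quagga/ospfd.conf).
! Comments are on their own "!" lines: Quagga only treats a line that begins
! with "!" or "#" as a comment, so trailing text after a command is not safe.
! NOTE(review): the vty on 127.0.0.1:2604 uses the default password "zebra";
! set your own with a "password" line in this file.
interface gre-gre
 ! priority 0: this spoke never becomes DR/BDR (DROTHER); the hub is the DR
 ! (see "Full/DR" for 172.16.100.254 in "show ip ospf neighbor")
 ip ospf priority 0
!
router ospf
 ! OSPF router-id
 ospf router-id 172.16.100.3
 ! advertise the GRE tunnel network
 network 172.16.100.0/24 area 0.0.0.0
 ! advertise the LAN network
 network 192.168.1.0/24 area 0.0.0.0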
启动OSPF进程
/etc/init.d/quagga restart
查看OSPF:
telnet 127.0.0.1 2604
密码默认为zebra(建议在配置文件中修改)
相关命令为
show ip ospf neighbor
show ip ospf database
show ip ospf route
状态如下:
openwrt# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.16.100.254 255 Full/DR 33.452s 172.16.100.254 gre-gre:172.16.100.3 0 0 0
openwrt#
openwrt# show ip ospf route
============ OSPF network routing table ============
N 172.16.0.0/24 [110] area: 0.0.0.0
via 172.16.100.1, gre-gre
via 172.16.100.2, gre-gre
N 172.16.100.0/24 [10] area: 0.0.0.0
directly attached to gre-gre
N 192.2.10.0/24 [12] area: 0.0.0.0
via 172.16.100.254, gre-gre
N 192.168.1.0/24 [10] area: 0.0.0.0
directly attached to br-lan
N 192.168.49.0/24 [11] area: 0.0.0.0
via 172.16.100.1, gre-gre
N 192.168.50.0/24 [11] area: 0.0.0.0
via 172.16.100.1, gre-gre
N 192.168.100.0/24 [11] area: 0.0.0.0
via 172.16.100.2, gre-gre
============ OSPF router routing table =============
R 172.16.0.1 [10] area: 0.0.0.0, ASBR
via 172.16.100.1, gre-gre
R 172.16.0.2 [10] area: 0.0.0.0, ASBR
via 172.16.100.2, gre-gre
============ OSPF external routing table ===========
N E2 192.168.51.0/24 [10/20] tag: 51
via 172.16.100.1, gre-gre
N E2 192.168.102.0/24 [10/20] tag: 102
via 172.16.100.2, gre-gre
openwrt#
openwrt# show ip ospf database
OSPF Router with ID (172.16.100.3)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Link count
172.16.0.1 172.16.0.1 1605 0x80000853 0x950d 4
172.16.0.2 172.16.0.2 1947 0x8000070b 0xfe62 3
172.16.0.254 172.16.0.254 95 0x80000f39 0xed68 2
172.16.100.3 172.16.100.3 497 0x8000006e 0xbb10 2
172.16.100.254 172.16.100.254 1996 0x800002bf 0x3339 3
192.168.254.253 192.168.254.253 628 0x800002b9 0x885f 6
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum
172.16.0.254 172.16.0.254 1368 0x80000dd8 0x752c
172.16.100.254 172.16.100.254 1490 0x8000060e 0x31ec
AS External Link States
Link ID ADV Router Age Seq# CkSum Route
192.168.51.0 172.16.0.1 1851 0x80000e07 0xcd31 E2 192.168.51.0/24 [0x33]
192.168.102.0 172.16.0.2 153 0x800003e4 0x9331 E2 192.168.102.0/24 [0x66]
openwrt#
配置防火墙
编辑配置文件vi /etc/config/firewall
添加如下内容:
# Firewall zone for the tunnel (/etc/config/firewall).
config zone
# NOTE(review): input ACCEPT lets anything arriving over the tunnel reach the
# router itself. OSPF (proto 89) and ICMP are what this setup needs; a
# tighter REJECT default with explicit rules for those would narrow it —
# confirm nothing else on the router is reached via the tunnel.
option input 'ACCEPT'
option output 'ACCEPT'
option name 'vpn'
option forward 'ACCEPT'
# zone membership: the overlay interface gre1 (ifname '@gre' in network config)
option network 'gre1'
# remote sites may reach the LAN
config forwarding
option dest 'lan'
option src 'vpn'
# NOTE(review): vpn -> wan lets remote sites use this router's WAN (Internet)
# path; drop this block if that is not intended.
config forwarding
option dest 'wan'
option src 'vpn'
# LAN may reach remote sites
config forwarding
option dest 'vpn'
option src 'lan'
# NOTE(review): no WAN input rule for ESP / UDP 500 / UDP 4500 / GRE is shown
# on this page. As a spoke that initiates to the hub, replies pass through
# conntrack; inbound spoke-to-spoke sessions started by the other side would
# still hit the WAN default input policy — confirm against the rest of the file.
重启防火墙
重启防火墙命令/etc/init.d/firewall restart
测试
在OpenWrt上使用命令进行测试
netstat -r 查看路由
ping 172.16.100.254
设备重启,包括wan地址改变,dmvpn都能正常建立。
root@openwrt:~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 117.89.68.1 0.0.0.0 UG 0 0 0 pppoe-wan
117.89.68.1 * 255.255.255.255 UH 0 0 0 pppoe-wan
172.16.0.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
172.16.100.0 * 255.255.255.0 U 0 0 0 gre-gre
192.2.10.0 172.16.100.254 255.255.255.0 UG 0 0 0 gre-gre
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.49.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.50.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.51.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
192.168.100.0 172.16.100.2 255.255.255.0 UG 0 0 0 gre-gre
192.168.102.0 172.16.100.2 255.255.255.0 UG 0 0 0 gre-gre
192.168.200.0 172.16.100.1 255.255.255.0 UG 0 0 0 gre-gre
root@openwrt:~# ping 172.16.100.254
PING 172.16.100.254 (172.16.100.254): 56 data bytes
64 bytes from 172.16.100.254: seq=0 ttl=255 time=5.116 ms
64 bytes from 172.16.100.254: seq=1 ttl=255 time=5.165 ms
64 bytes from 172.16.100.254: seq=2 ttl=255 time=4.921 ms
64 bytes from 172.16.100.254: seq=3 ttl=255 time=4.971 ms
^C
--- 172.16.100.254 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max
此次配置已经全部完成,经过我的测试已经完美运行两月有余,一切正常。本人全部原创,转载请说明。
2019.03.19更新:
1,OpenWRT18.06.2上无法配置成功,racoon安装配置有些BUG,导致服务无法启动。
2017.12.20更新: 目前还是遇到了些问题。
1,opennhrp的spoke到cisco的spoke之间的流量需要通过cisco的hub端中转。(非正常)
2,opennhrp的spoke到opennhrp的spoke之间的流量可以直接建立ipsec互通,不需要通过hub中转。(正常)
3,opennhrp在lede上没有做成功,主要问题是lede上安装ipsec-tools时系统的依赖包安装有问题。(BUG)
这些问题有时间慢慢研究。