分类目录归档:高级

如何设置分支机构互连 (2) GRE over VPN

简介

Policy-based VPN有很大的局限性,尤其是无法支持路由。而常用的基于路由的IPSec VPN所用到的VTi接口,要求两端WAN口都是固定IP,需要专线,这对大多数中小企业来说网络使用成本太高。

我们这里介绍如何配置GRE over IPSec, 通过GRE隧道,就可以使用各种路由协议灵活配置你的网络。

下图是本文用到示范网络。左端是EdgeRouter,右端是VyOS。

预先准备

路由设备

实现本文介绍的功能,你需要一台EdgeRouter和安装好VyOS的软路由。在参考本文开始配置以前,我们假定大家已经按照介绍VyOS一文完成了VyOS的初始化配置。使用EdgeOS的用户,可以使用系统自带的wizard完成初始配置。

设置动态域名

考虑到大多数客户的宽带接入都是动态IP地址, 因此需要通过域名来获取当前使用的IP地址。我们假定左边EdgeOS的域名是edgeos.ddns.com,右边的VyOS的域名是vyos.ddns.com

如何配置动态域名,请参见本站另一篇帖子EdgeRouter/VyOS配置DDNS动态域名

基于规则的IPSec VPN

GRE隧道两端各用一个固定IP作为端口外围地址。

你可以使用路由器上任何接口IP地址,但是有一个问题就是,如果那个接口离线,相应的GRE接口也会进入离线状态。因此使用永远在线的loopback接口就有优势了。

配置loopback地址

下面我们为EdgeOS端loopback端口配置一个IP地址,10.255.0.254/32。

configure
set interfaces loopback lo address 10.255.0.254/32

同样,再到VyOS配置相应的loopback地址,10.255.1.254/32。

configure
set interfaces loopback lo address 10.255.1.254/32

配置IPSec隧道

我们首先要配置一条承载GRE的IPSec隧道,具体配置方法我们已经在如何设置分支机构互连(一)IPSec VPN一文中有了详细解释,这里就不再赘述。请注意替换原文中local prefix和remote prefix分别为两端的loopback地址。

完成后,可以从EdgeOS端使用以下命令测试隧道是否通畅。

sudo ping 10.255.1.254 -I 10.255.0.254

如果隧道还没建立起来,IPSec进程在监控到隧道流量后,会自动启动连接,连接过程中丢失几个包是正常现象。

GRE接口

GRE隧道配置有5个必配要素:

  • 隧道名称,以tun起头,后面接从0到255的数字。
  • 隧道本地外部地址 local-ip
  • 隧道对端外部地址 remote-ip
  • 隧道内部地址 address
  • 最大传输单元 mtu,这个是包括IP包头的,和MSS不一样。

由于GRE是点到点隧道。因此隧道内两端各只有一个IP地址,因此CIDR必须是30。下面是EdgeOS侧GRE隧道配置的参考命令:

set interfaces tunnel tun0 address 10.254.0.1/30
set interfaces tunnel tun0 description 'EdgeOS ... (ipsec) ... VyOS'
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.255.0.254
set interfaces tunnel tun0 mtu 1390
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip 10.255.1.254

同样,我们在VyOS也配置相应的GRE隧道:

set interfaces tunnel tun0 address 10.254.0.2/30
set interfaces tunnel tun0 description 'VyOS ... (ipsec) ... EdgeOS'
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.255.1.254
set interfaces tunnel tun0 mtu 1390
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip 10.255.0.254

防火墙策略

由于我们相当与在WAN口对接了GRE隧道(IPSec流量来自于WAN口),因此还需要对应地配置一条防火墙策略,允许WAN口接入GRE隧道。

EdgeOS的auto-firewall-nat-exclude并不包括这一条规则,需要参考如下命令添加:

set firewall name WAN_LOCAL rule 210 action accept
set firewall name WAN_LOCAL rule 210 description 'ipsec'
set firewall name WAN_LOCAL rule 210 ipsec match-ipsec
set firewall name WAN_LOCAL rule 210 log disable
set firewall name WAN_LOCAL rule 210 protocol all

VyOS端,我们之前已经做过这个配置,不必重复了。

路由

要让流量通过GRE隧道转发,还需要配置相应的路由。下面我们就用静态路由作为参考。

EdgeOS端

set protocols static route 10.1.0.0/24 next-hop 10.254.0.2 description 'right side via GRE over IPSec'
set protocols static route 10.1.0.0/24 next-hop 10.254.0.2 distance 100
commit;save;exit

VyOS端

set protocols static route 10.0.0.0/24 next-hop 10.254.0.1 description 'right side via GRE over IPSec'
set protocols static route 10.0.0.0/24 next-hop 10.254.0.1 distance 100
commit;save;exit

如何设置分支机构互连 (1) IPSec VPN

简介

站点到站点的VPN应用是IPSec最常见的使用场景。通过VPN隧道,企业内部多个站点可以无缝连接,内部应用可以通过虚拟网络互联互通。

本篇介绍如何在Ubiquiti EdgeRouter与VyOS之间建立点对点IPSec隧道,实现两个分支机构的互访。

下图是一个简单的测试模型。左边的站点(EdgeOS)的笔记本用户,需要通过VPN访问右边站点(VyOS)的服务器。左右两边内网网段分别是10.0.0.0/24和10.1.0.0/24。

预先准备

路由设备

实现本文介绍的功能,你需要一台EdgeRouter和安装好VyOS的软路由。在参考本文开始配置以前,我们假定大家已经按照介绍VyOS一文完成了VyOS的初始化配置。使用EdgeOS的用户,可以使用系统自带的wizard完成初始配置。

设置动态域名

考虑到大多数客户的宽带接入都是动态IP地址, 因此需要通过域名来获取当前使用的IP地址。我们假定左边EdgeOS的域名是edgeos.ddns.com,右边的VyOS的域名是vyos.ddns.com

如何配置动态域名,请参见本站另一篇帖子EdgeRouter/VyOS配置DDNS动态域名

RSA密钥

许多同学都有过用预共享密钥设置VPN隧道的经验。的确,预共享密钥使用起来非常方便,但是他有一个很大的缺点,WAN口必须是静态地址,而能提供静态地址的企业专线成本非常高,所以现实生活中大多数企业还是使用性价比高的共享宽带。

共享宽带带来的一个缺点是,只能得到一个动态地址。运营商大多数每24-48小时,就要更换一次公网地址。

在这个情况下,使用RSA签名进行IKE认证就非常有用了。RSA算法配合两端的ID就可以完成认证。下面我们先生成密钥。

EdgeOS/VyOS自带生成RSA密钥的模块。在shell下执行以下命令,

[email protected]:~$ generate vpn rsa-key
Generating 2048 bit rsa-key to /config/ipsec.d/rsa-keys/localhost.key
.........+++++
...........................+++++

Your new local RSA key has been generated
The public portion of the key is:

0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJy3rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=

这个命令会在生成PEM格式的2048bit RSA密钥,存放在/config/ipsec.d/rsa-keys/localhost.key文件里。同时会生成RFC3110格式的公钥。

我们需要在配置里保存新生成的密钥和公钥,你需要将刚才生成的公钥粘贴替换到下面的命令里。

configure

set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name local-pub rsa-key 0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJy3rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=

同样,在右端VyOS侧执行同样的命令。

[email protected]:~$ generate vpn rsa-key
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Generating RSA private key, 2192 bit long modulus (2 primes)
.+++++
.........................+++++
e is 65537 (0x010001)

Your new local RSA key has been generated
The public portion of the key is:

0sAwEAAd3MOCvSY2WnMCz9uVOLO34o+Cmhwlld+ldz0iP+x4jdCiD/676r5C4hfc9m8VDWfaFy/Ya6r4cprfM6XuPymRH+VgRPXoHafBdLY+1y6//HES/f2QUGqRfxjIbDn6fzDBqLHSPIB8eryYA6YFj0cgZMlG7EJGmkk/yEP5nziGJUHHKyGu+yAXdEsHoHar4Fp13hdzzdXFiqQ6hNg4LP3q8cTOiXVd1Ba3UuAwH+9tiLxUmPOBkYQXBxcBrlYu9tkU9kGB0vOj6crMnCt73qUO9aOrLSK8qEoi/4JnHLA9HHNna9fcTlCrn7fXRANzq0CYHfoyoosUhRIBnzeqUzGcDvCZ3diMxm8pmKI3vWD8RdUqs=

并且把两端的公钥都保存到VyOS配置里。

configure

set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name local-pub rsa-key 0sAwEAAd3MOCvSY2WnMCz9uVOLO34o+Cmhwlld+ldz0iP+x4jdCiD/676r5C4hfc9m8VDWfaFy/Ya6r4cprfM6XuPymRH+VgRPXoHafBdLY+1y6//HES/f2QUGqRfxjIbDn6fzDBqLHSPIB8eryYA6YFj0cgZMlG7EJGmkk/yEP5nziGJUHHKyGu+yAXdEsHoHar4Fp13hdzzdXFiqQ6hNg4LP3q8cTOiXVd1Ba3UuAwH+9tiLxUmPOBkYQXBxcBrlYu9tkU9kGB0vOj6crMnCt73qUO9aOrLSK8qEoi/4JnHLA9HHNna9fcTlCrn7fXRANzq0CYHfoyoosUhRIBnzeqUzGcDvCZ3diMxm8pmKI3vWD8RdUqs=
set vpn rsa-keys rsa-key-name edgeos-pub rsa-key 0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJy3rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=

回到左边的EdgeOS,我们再把VyOS的公钥保存到配置里。

set vpn rsa-keys rsa-key-name vyos-pub rsa-key 0sAwEAAd3MOCvSY2WnMCz9uVOLO34o+Cmhwlld+ldz0iP+x4jdCiD/676r5C4hfc9m8VDWfaFy/Ya6r4cprfM6XuPymRH+VgRPXoHafBdLY+1y6//HES/f2QUGqRfxjIbDn6fzDBqLHSPIB8eryYA6YFj0cgZMlG7EJGmkk/yEP5nziGJUHHKyGu+yAXdEsHoHar4Fp13hdzzdXFiqQ6hNg4LP3q8cTOiXVd1Ba3UuAwH+9tiLxUmPOBkYQXBxcBrlYu9tkU9kGB0vOj6crMnCt73qUO9aOrLSK8qEoi/4JnHLA9HHNna9fcTlCrn7fXRANzq0CYHfoyoosUhRIBnzeqUzGcDvCZ3diMxm8pmKI3vWD8RdUqs=

Policy-based IPSec VPN

通常IPSec是通过匹配预设置的隧道两端的网段来确定哪些流量走隧道的。本例中,假定笔记本电脑需要访问远端服务器,那么相应的流量包里,对应的源地址和目标地址分别是10.0.0.100和10.1.0.200,而隧道两端的网段设置是10.0.0.0/24和10.1.0.200/24,于是流量就会走隧道。

这种匹配方式类似于防火墙的规则,因此我们也称之为基于规则的IPSec VPN。下面我们就开始配置。

EdgeOS端

set vpn ipsec auto-update 30
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group ESP_GRP compression disable
set vpn ipsec esp-group ESP_GRP lifetime 3600
set vpn ipsec esp-group ESP_GRP mode tunnel
set vpn ipsec esp-group ESP_GRP pfs enable
set vpn ipsec esp-group ESP_GRP proposal 1 encryption aes256
set vpn ipsec esp-group ESP_GRP proposal 1 hash sha1
set vpn ipsec ike-group IKE_V1 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V1 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V1 ikev2-reauth no
set vpn ipsec ike-group IKE_V1 key-exchange ikev1
set vpn ipsec ike-group IKE_V1 lifetime 28800
set vpn ipsec ike-group IKE_V1 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V1 proposal 1 hash sha1
set vpn ipsec ike-group IKE_V2 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V2 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V2 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V2 ikev2-reauth no
set vpn ipsec ike-group IKE_V2 key-exchange ikev2
set vpn ipsec ike-group IKE_V2 lifetime 28800
set vpn ipsec ike-group IKE_V2 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V2 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V2 proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
edit vpn ipsec site-to-site peer vyos.ddns.com
set authentication id edgeos.ddns.com
set authentication mode rsa
set authentication remote-id vyos.ddns.com
set authentication rsa-key-name vyos-pub
set connection-type initiate
set description 'ipsec tunnel edgeos ... vyos'
set ike-group IKE_V2
set ikev2-reauth inherit
set local-address any
set tunnel 0 allow-nat-networks disable
set tunnel 0 allow-public-networks disable
set tunnel 0 esp-group ESP_GRP
set tunnel 0 local prefix 10.0.0.0/24
set tunnel 0 remote prefix 10.1.0.0/24

设置说明

  • auto-update:让IPSec daemon定时去检查DDNS是否有更新,时间单位是秒;
  • auto-firwall-nat-exclude:启用后系统会自动配置相应的防火墙和NAT策略;
  • dead-peer-detection:自动检测并重置死连接;
  • ipsec-interface:设置成你所要使用的WAN口;
  • connection-type initiate:在EdgeOS里,Initiate对应的连接类型是”route”,隧道流量会自动触发连接;
  • peer vyos.ddns.com:要用对端域名
  • authentication id:本地域名或者你设置的本地名称
  • authentication remote-id: 对端域名或者你设置的对端名称
  • authentication rsa-key-name:对端公钥
  • local prefix: 是要开放给对端访问的本地内网网段;
  • remote prefxi:需要访问的远端内网网段。

由于IPSec对流量进行加密,相应的esp包会被占用大约100字节,因此需要调整TCP MSS设定。

set firewall options mss-clamp interface-type all 
set firewall options mss-clamp mss 1300

commit;save;exit

VyOS端

防火墙

VyOS和EdgeOS略有不同。VyOS没有内置auto-firewall-nat-exclude命令,因此需要单独先配置防火墙策略。

set firewall name WAN_LOCAL rule 200 action 'accept'
set firewall name WAN_LOCAL rule 200 description 'ipsec ike'
set firewall name WAN_LOCAL rule 200 destination port '500,4500'
set firewall name WAN_LOCAL rule 200 log 'disable'
set firewall name WAN_LOCAL rule 200 protocol 'udp'
set firewall name WAN_LOCAL rule 201 action 'accept'
set firewall name WAN_LOCAL rule 201 description 'ipsec esp'
set firewall name WAN_LOCAL rule 201 log 'disable'
set firewall name WAN_LOCAL rule 201 protocol 'esp'
set firewall name WAN_LOCAL rule 210 action 'accept'
set firewall name WAN_LOCAL rule 210 description 'ipsec traffic'
set firewall name WAN_LOCAL rule 210 log 'disable'
set firewall name WAN_LOCAL rule 210 protocol 'all'
set firewall name WAN_LOCAL rule 210 ipsec match-ipsec
set firewall name WAN_IN rule 210 action 'accept'
set firewall name WAN_IN rule 210 description 'ipsec traffic'
set firewall name WAN_IN rule 210 log 'disable'
set firewall name WAN_IN rule 210 protocol 'all'
set firewall name WAN_IN rule 210 ipsec match-ipsec

NAT

我们需要配置地址转换规则,把隧道流量排除在出口NAT之外。

set nat source rule 10 description 'exclude ipsec'
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 source address '10.1.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 protocol 'all'
set nat source rule 10 translation address 'masquerade'

IPSec

然后是配置VPN。

set vpn ipsec auto-update 30
set vpn ipsec esp-group ESP_GRP compression disable
set vpn ipsec esp-group ESP_GRP lifetime 3600
set vpn ipsec esp-group ESP_GRP mode tunnel
set vpn ipsec esp-group ESP_GRP pfs enable
set vpn ipsec esp-group ESP_GRP proposal 1 encryption aes256
set vpn ipsec esp-group ESP_GRP proposal 1 hash sha1
set vpn ipsec ike-group IKE_V1 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V1 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V1 ikev2-reauth no
set vpn ipsec ike-group IKE_V1 key-exchange ikev1
set vpn ipsec ike-group IKE_V1 lifetime 28800
set vpn ipsec ike-group IKE_V1 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V1 proposal 1 hash sha1
set vpn ipsec ike-group IKE_V2 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V2 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V2 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V2 ikev2-reauth no
set vpn ipsec ike-group IKE_V2 key-exchange ikev2
set vpn ipsec ike-group IKE_V2 lifetime 28800
set vpn ipsec ike-group IKE_V2 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V2 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V2 proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
edit vpn ipsec site-to-site peer edgeos.ddns.com
set authentication id vyos.ddns.com
set authentication mode rsa
set authentication remote-id edgos.ddns.com
set authentication rsa-key-name edgeos-pub
set connection-type respond
set description 'ipsec tunnel vyos ... edgeos'
set ike-group IKE_V2
set ikev2-reauth inherit
set local-address any
set tunnel 0 allow-nat-networks disable
set tunnel 0 allow-public-networks disable
set tunnel 0 esp-group ESP_GRP
set tunnel 0 local prefix 10.1.0.0/24
set tunnel 0 remote prefix 10.0.0.0/24

设置说明

  • connection-type initiate:在VyOS里,respond对应的连接类型是”route”,隧道流量会自动触发连接,与EdgeOS实现不同;

与 EdgeOS一样,我们需要配置TCP MSS。因为IPSec流量通过WAN口,这里对应的接口就是eth0,如果你使用pppoe,相应的端口应该是pppoe0。

set firewall options interface eth0 adjust-mss '1300'

commit;save;exit

测试与诊断

我们这里介绍几个常用的命令:

  • 查看连接状态: sudo ipsec statusall
a[email protected]:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.118-amd64-vyos, x86_64):
  uptime: 20 hours, since Sep 17 20:00:02 2020
  malloc: sbrk 3211264, mmap 0, used 1447440, free 1763824
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  192.0.0.1
Connections:
peer-edgeos.ddns.com-tunnel-0:  %any...edgeos.ddns.com  IKEv2, dpddelay=30s
peer-edgeos.ddns.com-tunnel-0:   local:  [vyos.ddns.com] uses public key authentication
peer-edgeos.ddns.com-tunnel-0:    cert:  "vyos.ddns.com"
peer-edgeos.ddns.com-tunnel-0:   remote: [edgeos.ddns.com] uses public key authentication
peer-edgeos.ddns.com-tunnel-0:    cert:  "edgeos.ddns.com"
peer-edgeos.ddns.com-tunnel-0:   child:  10.1.0.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=restart
Routed Connections:
peer-edgeos.ddns.com-tunnel-0{2}:  ROUTED, TUNNEL, reqid 2
peer-edgeos.ddns.com-tunnel-0{2}:   10.1.0.0/24 === 10.0.0.0/24
Security Associations (1 up, 0 connecting):
peer-edgeos.ddns.com-tunnel-0[165]: ESTABLISHED 4 hours ago, 10.1.8.50[vyos.ddns.com]...35.220.139.62[edgeos.ddns.com]
peer-edgeos.ddns.com-tunnel-0[165]: IKEv2 SPIs: 4156b61c9b60c765_i* fdec6e13d63f6640_r, rekeying in 2 hours
peer-edgeos.ddns.com-tunnel-0[165]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-edgeos.ddns.com-tunnel-0{30}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c99726b9_i ccf4d342_o
peer-edgeos.ddns.com-tunnel-0{30}:  AES_CBC_256/HMAC_SHA1_96/MODP_2048, 1596 bytes_i (19 pkts, 44s ago), 1596 bytes_o (19 pkts, 44s ago), rekeying in 23 minutes
peer-edgeos.ddns.com-tunnel-0{30}:   10.1.0.0/24 === 10.0.0.0/24
  • 重启IPSec进程: sudo ipsec restart

如果查看IPsec状态时,“Routed Connections:“下面没有显示相应的隧道信息,就需要执行这个命令重启进程。一般第一次配置完,常常会发生这种情况。

  • 强制连接: sudo ipsec up <peer>
  • 在线查看ipsec日志: sudo swanctl –log

EdgeRouter/VyOS配置DDNS动态域名

Cloudflare

市场上有很多动态域名提供商,其中最值得推荐的是Cloudflare。只要你把注册的域名转到Cloudflare下管理,动态域名本身并不收费,而且一个账户可以管理上千个子域名,没有额外费用,也不需要你实名注册,并且亲测中国境内可用。

EdgeOS/VyOS

EdgeRouter最新版本的固件本身直接支持Cloudflare APIv4,参考以下配置命令。

configure
edit service dns dynamic interface pppoe0 service custom-cloudflare
set host-name www.yoursite.com
set login your_cloudflare_email
set password your_cloudflare_global_API_key
set protocol cloudflare
set options "zone=yoursite.com"
commit;save;exit

USG

UBNT的另外一条产品线,USG系列,其装载的OS版本很老,因此无法直接支持Cloudflare DDNS。网上有很多帖子提到手动更新ddclient软件,但是一旦固件更新,就必须重新配置,非常麻烦。这里我们介绍使用shell script的方法,来定时更新域名。原始脚本参考自Tras2在Github上的帖子

首先在/config/scripts/目录下,创建一个新的script文件cloudflare-update.sh,填入以下内容,并根据你的Cloudflare账户更改文件起头的设置参数。

#!/bin/bash

# A bash script to update a Cloudflare DNS A record with the external IP of the source machine
# Used to provide DDNS service for my home
# Needs the DNS record pre-creating on Cloudflare

# Cloudflare zone is the zone which holds the record
zone="yourdomain.com"
# dnsrecord is the A record which will be updated
dnsrecord="www.yourdomain.com"
# Cloudflare authentication details, keep these private
cloudflare_auth_email="[email protected]"
cloudflare_auth_key="your_cloudflare_global_API_key"

log_file="/var/log/cloudflare.log"

# LOGGER
log() {
    if [ "$1" ]; then
        echo -e "[$(date)] - $1" >> $log_file
    fi
}

# Get the current external IP address
ip=$(curl -s -X GET https://checkip.amazonaws.com)

echo "Current IP is $ip"

if host $dnsrecord 8.8.8.8 | grep "has address" | grep "$ip"; then
  echo "$dnsrecord is currently set to $ip; no changes needed"
  exit
fi

# if here, the dns record needs updating

# get the zone id for the requested zone
zoneid=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$zone&status=active" \
  -H "X-Auth-Email: $cloudflare_auth_email" \
  -H "X-Auth-Key: $cloudflare_auth_key" \
  -H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')

echo "Zoneid for $zone is $zoneid"

# get the dns record id
dnsrecordid=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$zoneid/dns_records?type=A&name=$dnsrecord" \
  -H "X-Auth-Email: $cloudflare_auth_email" \
  -H "X-Auth-Key: $cloudflare_auth_key" \
  -H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')

echo "DNSrecordid for $dnsrecord is $dnsrecordid"

# update the record
update=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$zoneid/dns_records/$dnsrecordid" \
  -H "X-Auth-Email: $cloudflare_auth_email" \
  -H "X-Auth-Key: $cloudflare_auth_key" \
  -H "Content-Type: application/json" \
  --data "{\"type\":\"A\",\"name\":\"$dnsrecord\",\"content\":\"$ip\",\"ttl\":1,\"proxied\":false}")

if [[ $update == *"\"success\":false"* ]]; then
    message="API UPDATE FAILED. DUMPING RESULTS:\n$update"
    log "$message"
    echo -e "$message"
    exit 1 
else
    message="IP changed to: $ip"
    log "$message"
    echo "$message"
fi

以上脚本通过查询特定网站(https://checkip.amazonaws.com)以获取外网IP。如果使用多个WAN口,这个方法就不适用了,可以通过调用EdgeOS运行命令接口来获取端口IP地址:

ip=$(/opt/vyatta/bin/vyatta-op-cmd-wrapper show interfaces | grep pppoe0 | awk '{print $2}')

记住要将新创建的文件改成可执行模式,然后进行测试:

sudo chmod +x /config/scripts/cloudflare-update.sh
sudo /config/scripts/cloudflare-update.sh

测试成功后,我们需要通过网关配置文件来设置定时任务。具体网关配置文件的设置方法请参见UBNT的官网链接。参考的配置文件如下:

{
    "system": {
        "task-scheduler": {
            "task": {
                "update-cloudflar-dns": {
                    "executable": {
                        "arguments": "",
                        "path": "/config/scripts/cloudflare-update.sh"
                    },
                    "interval": "1m"
                }
            }
        }
    }
}

这种方法可以保证设置不会受到固件升级的影响,并且每次USG从云端更新配置时,会自动将更新任务下发到USG。

NoIP

NoIP也是网友常用的DDNS供应商,相对Cloudflare,其最大的好处是使用官方域名,完全免费。EdgeOS和USG也都内置对NoIP的支持,可以使用WebUI或者Unifi控制器直接配置。参考命令行配置如下:

configure
edit service dns dynamic interface pppoe0 
set service noip host-name yourhost.ddns.net
set service noip login yourloginID
set service noip password yourloginpasswd
set service noip server dynupdate.no-ip.com
set web checkip.dyndns.com
commit;save;exit

NoIP的免费DDNS域名服务,供应商会要求域名必须每30天至少更新一次。而EdgeOS的设计在WAN口IP不变化的情况下,不主动更新DDNS记录。因此有必要配置一个定时任务来实现每天更新一次域名。这里我们调用EdgeOS内置的运行命令接口/opt/vyatta/bin/vyatta-op-cmd-wrapper,有兴趣的朋友可以参见官网介绍

configure
edit system task-scheduler task update_noip_pppoe0 
set executable arguments 'update dns dynamic interface pppoe0'
set executable path /opt/vyatta/bin/vyatta-op-cmd-wrapper
set interval 1d
commit;save;exit

公云PubYun

公云是国内老牌DDNS提供商,这里就不赘述了,直接上干货。

configure
set service dns dynamic interface pppoe0 service custom-pubyun host-name yourdomain.f3322.net
set service dns dynamic interface pppoe0 service custom-pubyun login yourlogin
set service dns dynamic interface pppoe0 service custom-pubyun options ssl=no
set service dns dynamic interface pppoe0 service custom-pubyun password yourpasswd
set service dns dynamic interface pppoe0 service custom-pubyun protocol dyndns2
set service dns dynamic interface pppoe0 service custom-pubyun server www.pubyun.com
commit;save;exit

阿里云DDNS

阿里云的DDNS服务最近很流行。EdgeOS和VyOS都没有内置支持,我们参考网上其他的网友Jarvis脚本,做了一个参考实现。

先下载脚本文件updatealiddns.sh,然后用编辑器修改脚本开头的三个参数:

  • aliddns_ak,你的阿里云DDNS账户Access Key ID
  • aliddns_sk,你的阿里云DDNS账户Access Key Secrets
  • aliddns_domain,阿里云域名后缀

上传修改后的脚本文件到/config/scripts目录下,并使用以下命令更改文件属性为可执行。

sudo chmod +x /config/scripts/update-aliddns.sh

接下来,我们配置一个系统任务,每分钟执行一次这个脚本。

configure
set system task-scheduler task update-aliyun-ddns executable arguments 'myhostname'
set system task-scheduler task update-aliyun-ddns executable path '/config/scripts/update-aliddns.sh'
set system task-scheduler task update-aliyun-ddns interval '1m'
commit;save;exit

上述配置中,myhostname是你的二级域名。请根据实际情况修改。