Sites in China, Japan, the United States, Germany, Singapore and several other countries carry the company's business and intermediary traffic over its proprietary GPN (Global Private Network) link. This test builds a backup link for that network so that it has redundancy and automatic failover.
The initial design is GRE over IPsec, with OSPF running across the tunnels.
I. Why GRE over IPsec
Each site has many networks, so a routing protocol is needed to interconnect them;
Plain IPsec does not carry multicast, so OSPF hellos cannot be delivered over it, and it is far less convenient than a GRE tunnel as a carrier for a routing protocol;
A GRE tunnel by itself provides no encryption;
So GRE is used to build the tunnel between the two gateways, carrying the routing protocol and the normal data, and the whole GRE tunnel is then encrypted with IPsec. The two have to be combined.
II. Test environment
Take China, Japan and the United States as the example; the basic topology is shown below. MikroTik RouterOS (ROS) acts as router and firewall at each site, and OSPF runs between them. The GPN link is effectively a Layer 2 circuit over which China reaches the United States and Japan directly at Layer 3, the equivalent of a leased line, so its quality is better than going over the public Internet and it carries the production traffic; this article does not cover it further. What follows is how to configure the GRE links as the alternate path and switch to them automatically when the GPN link is interrupted.
Public (extranet) addresses of the three RouterOS gateways:
China: 101.251.x.x
Japan: 205.177.x.x
United States: 38.83.x.x
Intranet address of the three locations:
China: 10.13.24.0/22
Japan: 10.13.4.0/22
United States: 10.13.12.0/22
Point-to-point addresses of the three GRE tunnels (taken from the 10.13.253.0/24 segment):
China and Japan: 10.13.253.0/30
Japan and the United States: 10.13.253.16/30
United States and China: 10.13.253.4/30
GPN link segment:
10.13.252.0/24
[Figure: GRE topology map]
III. Configuration
1. Interfaces on the three RouterOS units (ether1, ether2 and ether3 are the extranet, intranet and GPN network respectively):
[Screenshot: RouterOS interface list]
2. IPsec configuration
Each gateway defines the other two gateways as IKE peers and a policy that encrypts all traffic (protocol=all, so GRE is included) between the two public /32 addresses. level=require means a packet that matches the policy while no SA exists is dropped and an SA is negotiated, so the GRE tunnel never falls back to sending in the clear. Note that the suite used here (3DES, SHA-1, dh-group modp1024) is weak by current standards; for anything beyond a test bed use AES-256, SHA-256 and modp2048 or stronger, give each peer its own pre-shared key (here one secret is shared by all three sites, so compromise of any gateway lets an attacker impersonate any other), and consider enabling DPD so a dead peer's SAs are torn down at the IKE level instead of being detected only by OSPF's dead timer.
China:
/ip ipsec peer
add address=205.177.x.x/32:500 comment="JP link" auth-method=pre-shared-key secret="MyPassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
add address=38.83.x.x/32:500 comment="USA link" auth-method=pre-shared-key secret="MyPassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
/ip ipsec policy
add src-address=101.251.x.x/32:any dst-address=205.177.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=101.251.x.x sa-dst-address=205.177.x.x proposal=default priority=0
add src-address=101.251.x.x/32:any dst-address=38.83.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=101.251.x.x sa-dst-address=38.83.x.x proposal=default priority=0
Japan:
/ip ipsec peer
add address=101.251.x.x/32:500 comment="BJ link" auth-method=pre-shared-key secret="MyPassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
add address=38.83.x.x/32:500 comment="USA link" auth-method=pre-shared-key secret="MyPassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
/ip ipsec policy
add src-address=205.177.x.x/32:any dst-address=101.251.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=205.177.x.x sa-dst-address=101.251.x.x proposal=default priority=0
add src-address=205.177.x.x/32:any dst-address=38.83.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=205.177.x.x sa-dst-address=38.83.x.x proposal=default priority=0
United States:
/ip ipsec peer
add address=101.251.x.x/32:500 comment="BJ link" auth-method=pre-shared-key secret="MyPassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
add address=205.177.x.x/32:500 comment="JP link" auth-method=pre-shared-key secret="MyPassword" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
/ip ipsec policy
add src-address=38.83.x.x/32:any dst-address=101.251.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=38.83.x.x sa-dst-address=101.251.x.x proposal=default priority=0
add src-address=38.83.x.x/32:any dst-address=205.177.x.x/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=38.83.x.x sa-dst-address=205.177.x.x proposal=default priority=0
China sample diagram:
[Screenshots: Ipsec1.png, Ipsec2.png]
3. GRE configuration:
China:
/interface gre
add name=gre-tunnel1 local-address=101.251.x.x remote-address=205.177.x.x comment="JP Link"
add name=gre-tunnel2 local-address=101.251.x.x remote-address=38.83.x.x comment="USA Link"
/ip address
add address=10.13.253.1/30 interface=gre-tunnel1 network=10.13.253.0 comment="JP Link"
add address=10.13.253.5/30 interface=gre-tunnel2 network=10.13.253.4 comment="USA Link"
Japan:
/interface gre
add name=gre-tunnel1 local-address=205.177.x.x remote-address=101.251.x.x comment="BJ Link"
# local-address must be Japan's own public address on both tunnels
# (the original listing had China's 101.251.x.x here on gre-tunnel2)
add name=gre-tunnel2 local-address=205.177.x.x remote-address=38.83.x.x comment="USA Link"
/ip address
add address=10.13.253.2/30 interface=gre-tunnel1 network=10.13.253.0 comment="BJ Link"
add address=10.13.253.17/30 interface=gre-tunnel2 network=10.13.253.16 comment="USA Link"
United States:
/interface gre
add name=gre-tunnel1 local-address=38.83.x.x remote-address=101.251.x.x comment="BJ Link"
add name=gre-tunnel2 local-address=38.83.x.x remote-address=205.177.x.x comment="JP Link"
/ip address
add address=10.13.253.6/30 interface=gre-tunnel1 network=10.13.253.4 comment="BJ Link"
add address=10.13.253.18/30 interface=gre-tunnel2 network=10.13.253.16 comment="JP Link"
China sample diagram:
[Screenshots: Gre1.png, Gre2.png]
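With three sites and two tunnels each, the GRE and IPsec definitions have to agree in six places, and a slip such as a wrong local-address (as in the Japan listing above) produces a tunnel that never comes up or, worse, a GRE endpoint pair that no encrypt policy covers. The following is an added example, not code from the original post: it models the three sites' IPsec policies (step 2) and GRE tunnels (step 3) and cross-checks them. The public addresses are RFC 5737 documentation addresses standing in for the masked 101.251.x.x / 205.177.x.x / 38.83.x.x values; the tunnel addressing is the page's own.

```python
"""Cross-site consistency check for the GRE-over-IPsec design (added example).

Each RouterOS site is modelled as its public address, its GRE tunnels
(name, local-address, remote-address, tunnel address/prefix) and the set of
(src, dst) public-address pairs that have an action=encrypt level=require
IPsec policy. Public addresses are RFC 5737 documentation addresses standing
in for the masked values on the page; the tunnel addressing is the page's own.
"""
import copy
import ipaddress

CN, JP, US = "192.0.2.1", "198.51.100.1", "203.0.113.1"  # assumed stand-ins

SITES = {
    "China": {
        "public": CN,
        "gre": [("gre-tunnel1", CN, JP, "10.13.253.1/30"),
                ("gre-tunnel2", CN, US, "10.13.253.5/30")],
        "ipsec": {(CN, JP), (CN, US)},
    },
    "Japan": {
        "public": JP,
        "gre": [("gre-tunnel1", JP, CN, "10.13.253.2/30"),
                ("gre-tunnel2", JP, US, "10.13.253.17/30")],
        "ipsec": {(JP, CN), (JP, US)},
    },
    "United States": {
        "public": US,
        "gre": [("gre-tunnel1", US, CN, "10.13.253.6/30"),
                ("gre-tunnel2", US, JP, "10.13.253.18/30")],
        "ipsec": {(US, CN), (US, JP)},
    },
}


def check(sites):
    """Return a list of findings; an empty list means the three configs agree."""
    findings = []
    site_of = {s["public"]: name for name, s in sites.items()}
    for name, site in sites.items():
        for tun, local, remote, addr in site["gre"]:
            tag = f"{name}/{tun}"
            if local != site["public"]:
                findings.append(f"{tag}: local-address {local} is not this site's "
                                f"public address {site['public']}")
            peer = site_of.get(remote)
            if peer is None:
                findings.append(f"{tag}: remote-address {remote} is not a known site")
                continue
            # The far end must define the mirror tunnel (its local is our remote
            # and vice versa) and number it from the same /30 with a different host.
            mirrors = [a for _, l, r, a in sites[peer]["gre"] if l == remote and r == local]
            if not mirrors:
                findings.append(f"{tag}: {peer} defines no tunnel back to {local}")
            else:
                here = ipaddress.ip_interface(addr)
                there = ipaddress.ip_interface(mirrors[0])
                if here.network != there.network or here.ip == there.ip:
                    findings.append(f"{tag}: tunnel address {addr} does not pair with "
                                    f"{peer}'s {mirrors[0]}")
            # Without a matching encrypt policy the GRE packets would leave the
            # public interface in cleartext.
            if (local, remote) not in site["ipsec"]:
                findings.append(f"{tag}: no IPsec encrypt policy for {local} -> {remote}")
    return findings


def with_japan_typo(sites):
    """Reintroduce the slip from the page's Japan GRE block: gre-tunnel2 was
    given China's public address as its local-address."""
    bad = copy.deepcopy(sites)
    tun, _local, remote, addr = bad["Japan"]["gre"][1]
    bad["Japan"]["gre"][1] = (tun, CN, remote, addr)
    return bad


if __name__ == "__main__":
    for label, cfg in (("corrected config", SITES),
                       ("with the page's Japan typo", with_japan_typo(SITES))):
        print(f"{label}:")
        for line in check(cfg) or ["ok"]:
            print("  " + line)
```

On the corrected configuration the check is silent. With the original Japan slip it reports four findings at once: the wrong local-address, a tunnel address that does not pair with the far end, a GRE endpoint pair that no IPsec policy on Japan covers, and a United States tunnel with nothing answering it. The third finding is the one that matters for security, since it is exactly the condition under which GRE would be sent unencrypted.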
4. OSPF configuration
Advertise the local intranet segment, the GPN segment (10.13.252.0/24) and the GRE point-to-point segments. The GPN link gets the preferred (lower) cost of 10 and the GRE tunnels get 100, so the tunnels are used only when the GPN path is gone. Two hardening points the commands below do not include: set the intranet interface (ether2) passive=yes so that no host on the LAN can form an adjacency and inject routes, and enable OSPF authentication (authentication=md5 with an authentication-key) on the GPN and GRE interfaces so that only the company's own routers can become neighbors.
China:
/routing ospf interface
add interface=ether2 cost=10
add interface=ether3 cost=10
add interface=gre-tunnel1 cost=100
add interface=gre-tunnel2 cost=100
/routing ospf network
add network=10.13.24.0/22 area=backbone comment="Intranet"
add network=10.13.252.0/24 area=backbone comment="GPN"
add network=10.13.253.0/30 area=backbone comment="JP link"
add network=10.13.253.4/30 area=backbone comment="USA link"
Japan:
/routing ospf interface
add interface=ether2 cost=10
add interface=ether3 cost=10
add interface=gre-tunnel1 cost=100
add interface=gre-tunnel2 cost=100
/routing ospf network
add network=10.13.4.0/22 area=backbone comment="Intranet"
add network=10.13.252.0/24 area=backbone comment="GPN"
add network=10.13.253.0/30 area=backbone comment="BJ link"
add network=10.13.253.16/30 area=backbone comment="USA link"
United States:
/routing ospf interface
add interface=ether2 cost=10
add interface=ether3 cost=10
add interface=gre-tunnel1 cost=100
add interface=gre-tunnel2 cost=100
/routing ospf network
add network=10.13.12.0/22 area=backbone comment="Intranet"
add network=10.13.252.0/24 area=backbone comment="GPN"
add network=10.13.253.4/30 area=backbone comment="BJ link"
add network=10.13.253.16/30 area=backbone comment="JP link"
China (Beijing) example:
[Screenshots: OSPF Int.png, OSPF network.png]
IV. Verification
1. Check that OSPF started and the neighbors came up (/routing ospf neighbor print):
[Screenshot: Ospf.png]
2. Disable the GPN interface and check whether the OSPF routes switch to the GRE tunnels automatically (/ip route print):
[Screenshot: the switch succeeds]
The test line switches over automatically; when the GPN interface is brought back up, the routes return to the GPN link on their own.
success!
V. Optimization
This article uses only three sites and sets the OSPF cost of the backup lines to a flat 100. Real deployments have more than three sites, and there the cost of each GRE interface can be set to the measured latency of that point-to-point link, so that when traffic fails over to the backup the path OSPF selects is the lowest-latency one, which is also the best path. For example, latency between China and Japan is about 55 ms, so the cost of that GRE interface can be set to 55. Set the same cost at both ends of each tunnel, otherwise forward and return traffic take different paths.
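The failover verified in section IV and the latency-based costs proposed in section V can both be reasoned about with a small OSPF path-selection model before touching the routers. The following is an added example, not part of the original post: it runs Dijkstra over the three routers, their intranet segments and the GPN segment, modelled as OSPF models a broadcast network, as a vertex that costs the interface metric to enter and nothing to leave. The 55 ms China-Japan figure comes from the page; the 110 ms Japan-US and 180 ms China-US latencies are assumed for illustration.

```python
"""OSPF path-selection model for the GPN-primary / GRE-backup design (added example)."""
import heapq

INTRANET_COST = 10    # ether2 cost on the page
GPN_COST = 10         # ether3 cost on the page
GRE_FLAT_COST = 100   # the page's backup cost
GRE_LINKS = [("CN", "JP"), ("JP", "US"), ("CN", "US")]
# Section-V style costs: CN-JP 55 ms is from the page, the other two are assumed.
LATENCY_COST = {("CN", "JP"): 55, ("JP", "US"): 110, ("CN", "US"): 180}


def build_graph(gpn_up=True, gre_costs=None):
    """Directed weighted graph {node: {neighbor: cost}} for the three sites."""
    g = {n: {} for n in ("CN", "JP", "US", "GPN", "CN-LAN", "JP-LAN", "US-LAN")}
    for r in ("CN", "JP", "US"):
        g[r][f"{r}-LAN"] = INTRANET_COST          # stub: the site's intranet /22
        if gpn_up:
            # Transit (broadcast) network: pay the interface cost into the
            # segment vertex, nothing out of it, exactly as OSPF's SPF does.
            g[r]["GPN"] = GPN_COST
            g["GPN"][r] = 0
    for a, b in GRE_LINKS:
        cost = (gre_costs or {}).get((a, b), GRE_FLAT_COST)
        g[a][b] = cost                             # point-to-point, same cost
        g[b][a] = cost                             # configured on both ends
    return g


def shortest_path(g, src, dst):
    """Dijkstra; returns (total_cost, [hops]) or (None, []) if unreachable."""
    dist, prev, pq = {src: 0}, {}, [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist.get(u, float("inf")):
            continue                               # stale queue entry
        if u == dst:
            break
        for v, w in g[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(pq, (nd, v))
    if dst not in dist:
        return None, []
    path, n = [dst], dst
    while n != src:
        n = prev[n]
        path.append(n)
    return dist[dst], path[::-1]


if __name__ == "__main__":
    scenarios = [
        ("GPN up, flat GRE cost 100", build_graph()),
        ("GPN down, flat GRE cost 100", build_graph(gpn_up=False)),
        ("GPN down, latency-based GRE costs", build_graph(gpn_up=False, gre_costs=LATENCY_COST)),
    ]
    for label, g in scenarios:
        cost, path = shortest_path(g, "CN", "US-LAN")
        print(f"{label}: cost {cost}, path {' -> '.join(path)}")
```

With the GPN up, China reaches the US intranet at cost 20 through the GPN segment regardless of how the GRE tunnels are costed. With the GPN down and the flat cost of 100, the backup path is the direct China-US tunnel (cost 110). With latency-based costs the selected backup becomes China -> Japan -> US (175 against 190 for the direct tunnel), which is what section V intends, but it also means the Japan router now transits China-US traffic, so its GRE tunnels and Internet uplink have to be sized for that.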
This article is from "Jason's blog" blog, please be sure to keep this source http://xujunxian.blog.51cto.com/8614409/1732188
Build GRE over IPSEC backup link with Mikrotik router