Difference between revisions of "RouterOS IPSec"
(Auto-summary: New page: Assume that the routers already have a connection to each other. Example details: Site 1: * WAN 10.0.0.19 * LAN 192.168.200.1 Site 2: * WAN 10.0.0.21 * LAN 192.168.100.1 Peer config...)
Rivi 11: | Rivi 11: | ||
− | Peerin konffaus: | + | ==== Peerin konffaus: ==== |
Site 1: | Site 1: | ||
− | ip ipsec peer | + | /ip ipsec peer |
add address=192.168.100.1/24 port=500 auth-method=pre-shared-key | add address=192.168.100.1/24 port=500 auth-method=pre-shared-key | ||
secret=Qwerty1 | secret=Qwerty1 | ||
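Review bot: The peer entry kept as context here, address=192.168.100.1/24, is Site 2's LAN address, while the policies on this page use sa-dst-address=10.0.0.21, Site 2's WAN address. Since the edit already touches this command, point the peer at the same tunnel endpoint the policy uses so that phase 1 and phase 2 agree. Also replace secret=Qwerty1 with a clearly marked placeholder for a long random key, so the example value is not copied into a live configuration.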
Rivi 21: | Rivi 21: | ||
Site 2: | Site 2: | ||
− | ip ipsec peer | + | /ip ipsec peer |
add address=192.168.200.1/24 port=500 auth-method=pre-shared-key | add address=192.168.200.1/24 port=500 auth-method=pre-shared-key | ||
secret=Qwerty1 | secret=Qwerty1 | ||
− | + | ==== Poliisin ja proposalin konffaus: ==== | |
+ | |||
+ | /ip ipsec proposal print | ||
+ | |||
+ | Näemme että meillä on jo simppeli proposal valmiina. konffataan siis poliisi joka käyttää sitä. | ||
Site 1: | Site 1: | ||
− | ip ipsec policy | + | /ip ipsec policy |
add src-address=192.168.200.0/24 src-port=any dst-address=192.168.100.0/24 dst-port=any sa-src-address=10.0.0.19 sa-dst-address=10.0.0.21 tunnel=yes action=encrypt proposal=default | add src-address=192.168.200.0/24 src-port=any dst-address=192.168.100.0/24 dst-port=any sa-src-address=10.0.0.19 sa-dst-address=10.0.0.21 tunnel=yes action=encrypt proposal=default | ||
Site 2: | Site 2: | ||
− | ip ipsec policy | + | /ip ipsec policy |
add src-address=192.168.100.0/24 src-port=any dst-address=192.168.200.0/24 dst-port=any sa-src-address=10.0.0.21 sa-dst-address=10.0.0.19 tunnel=yes action=encrypt proposal=default | add src-address=192.168.100.0/24 src-port=any dst-address=192.168.200.0/24 dst-port=any sa-src-address=10.0.0.21 sa-dst-address=10.0.0.19 tunnel=yes action=encrypt proposal=default | ||
+ | |||
+ | |||
+ | ==== Natin konffaus ==== | ||
+ | |||
+ | |||
+ | Site 1: | ||
+ | |||
+ | /ip firewall nat | ||
+ | add chain=srcnat action=accept place-before=0 src-address=192.168.200.0/24 dst-address=192.168.100.0/24 | ||
+ | |||
+ | |||
+ | Site 2: | ||
+ | |||
+ | /ip firewall nat | ||
+ | add chain=srcnat action=accept place-before=0 src-address=192.168.100.0/24 dst-address=192.168.200.0/24 |
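Review bot: The added "/ip ipsec proposal print" step says a simple proposal is already present but does not show its output, so a reader cannot tell which algorithms proposal=default will negotiate; include the printed proposal or name the algorithms next to that sentence. In the added NAT section, place-before=0 assumes that a rule with index 0 already exists in the NAT table, and the section does not say why the accept rule has to come first; one sentence explaining that LAN-to-LAN traffic must skip source NAT would cover both.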
Revision as of 07:41, 27 February 2015
Assume that the routers already have connectivity to each other. Example details:
Site 1:
- WAN 10.0.0.19
- LAN 192.168.200.1
Site 2:
- WAN 10.0.0.21
- LAN 192.168.100.1
Peer configuration:
Site 1:
/ip ipsec peer add address=192.168.100.1/24 port=500 auth-method=pre-shared-key secret=Qwerty1
Site 2:
/ip ipsec peer add address=192.168.200.1/24 port=500 auth-method=pre-shared-key secret=Qwerty1
Policy and proposal configuration:
/ip ipsec proposal print
We can see that a simple proposal already exists, so we configure a policy that uses it.
Site 1:
/ip ipsec policy add src-address=192.168.200.0/24 src-port=any dst-address=192.168.100.0/24 dst-port=any sa-src-address=10.0.0.19 sa-dst-address=10.0.0.21 tunnel=yes action=encrypt proposal=default
Site 2:
/ip ipsec policy add src-address=192.168.100.0/24 src-port=any dst-address=192.168.200.0/24 dst-port=any sa-src-address=10.0.0.21 sa-dst-address=10.0.0.19 tunnel=yes action=encrypt proposal=default
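NAT configuration (the accept rule goes first in the srcnat chain so that traffic between the two LANs is not source-NATed):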
Site 1:
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=192.168.200.0/24 dst-address=192.168.100.0/24
Site 2:
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=192.168.100.0/24 dst-address=192.168.200.0/24
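A consistency check for the two sites' settings, added here as an example and not part of the original wiki page: it parses the peer and policy commands shown above and reports where the two ends do not mirror each other. The names SITES, parse and check are introduced for this example, and the check assumes that the peer address is a prefix matched against the remote IKE endpoint. Run on the page's values, it reports that both peer entries use the remote LAN address rather than the WAN address used as sa-dst-address.

```python
import ipaddress

# Constructed input: the peer and policy commands from this page, per site.
SITES = {
    "site1": [
        "/ip ipsec peer add address=192.168.100.1/24 port=500 "
        "auth-method=pre-shared-key secret=Qwerty1",
        "/ip ipsec policy add src-address=192.168.200.0/24 src-port=any "
        "dst-address=192.168.100.0/24 dst-port=any sa-src-address=10.0.0.19 "
        "sa-dst-address=10.0.0.21 tunnel=yes action=encrypt proposal=default",
    ],
    "site2": [
        "/ip ipsec peer add address=192.168.200.1/24 port=500 "
        "auth-method=pre-shared-key secret=Qwerty1",
        "/ip ipsec policy add src-address=192.168.100.0/24 src-port=any "
        "dst-address=192.168.200.0/24 dst-port=any sa-src-address=10.0.0.21 "
        "sa-dst-address=10.0.0.19 tunnel=yes action=encrypt proposal=default",
    ],
}

def parse(lines):
    """Return {menu: {key: value}} for '<menu> add k=v ...' lines."""
    out = {}
    for line in lines:
        menu, _, args = line.partition(" add ")
        out[menu] = dict(tok.split("=", 1) for tok in args.split())
    return out

def check(sites):
    """Compare two sites' settings; return a list of mismatch descriptions."""
    (name_a, a), (name_b, b) = [(n, parse(l)) for n, l in sites.items()]
    findings = []
    for name, local, remote in ((name_a, a, b), (name_b, b, a)):
        peer, pol = local["/ip ipsec peer"], local["/ip ipsec policy"]
        rpol = remote["/ip ipsec policy"]
        # Phase 1: the peer prefix must cover the tunnel endpoint the policy uses.
        net = ipaddress.ip_network(peer["address"], strict=False)
        if ipaddress.ip_address(pol["sa-dst-address"]) not in net:
            findings.append(f"{name}: peer address {peer['address']} does not "
                            f"cover sa-dst-address {pol['sa-dst-address']}")
        # Phase 2: selectors and tunnel endpoints must mirror the other side.
        for mine, theirs in (("src-address", "dst-address"),
                             ("sa-src-address", "sa-dst-address")):
            if pol[mine] != rpol[theirs]:
                findings.append(f"{name}: {mine} {pol[mine]} is not the "
                                f"other side's {theirs} {rpol[theirs]}")
        if peer["secret"] != remote["/ip ipsec peer"]["secret"]:
            findings.append(f"{name}: pre-shared key differs from other side")
    return findings
```

Calling check(SITES) returns one finding per site for the page's values; the policy selectors, tunnel endpoints and pre-shared key all mirror correctly.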