Difference between revisions of "RouterOS IPSec"

From Taisto

Revision as of 10:41, 27 February 2015

It is assumed that the routers already have connectivity to each other. Details for the example:

Site 1:

  • WAN 10.0.0.19
  • LAN 192.168.200.1


Site 2:

  • WAN 10.0.0.21
  • LAN 192.168.100.1


Peer configuration:

The peer address is the remote router's WAN address, i.e. the address the IKE negotiation actually runs against (the same address the policy below gives as sa-dst-address). The pre-shared key is the tunnel's only authentication; the value here is just an example, and in practice a long random value is used.

Site 1:

/ip ipsec peer
add address=10.0.0.21/32 port=500 auth-method=pre-shared-key secret=Qwerty1

Site 2:

/ip ipsec peer
add address=10.0.0.19/32 port=500 auth-method=pre-shared-key secret=Qwerty1


Policy and proposal configuration:

/ip ipsec proposal print

We can see that a simple proposal (the one named default) is already in place, so we configure a policy that uses it. The two policies must be exact mirrors of each other: Site 2's src-address is Site 1's dst-address, and its sa-src-address is Site 1's sa-dst-address.

Site 1:

/ip ipsec policy
add src-address=192.168.200.0/24 src-port=any dst-address=192.168.100.0/24 dst-port=any sa-src-address=10.0.0.19 sa-dst-address=10.0.0.21 tunnel=yes action=encrypt proposal=default

Site 2:

/ip ipsec policy
add src-address=192.168.100.0/24 src-port=any dst-address=192.168.200.0/24 dst-port=any sa-src-address=10.0.0.21 sa-dst-address=10.0.0.19 tunnel=yes action=encrypt proposal=default


NAT configuration:

Traffic between the two LANs must bypass source NAT, otherwise a masquerade rule rewrites the source address and the packets no longer match the encrypt policy. The accept rule is therefore placed first in the srcnat chain (place-before=0).

Site 1:

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.200.0/24 dst-address=192.168.100.0/24

Site 2:

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.100.0/24 dst-address=192.168.200.0/24
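The checks below are an added example and not part of the original page or of RouterOS: a small Python auditor that parses `add ...` lines like the ones above and reports the mistakes that most often leave such a tunnel dead. It verifies that the two policies mirror each other, that the peer entry covers the policy's sa-dst-address (a peer line pointing at the remote LAN instead of the remote WAN is included as a constructed bad case), that the srcnat bypass covers the same subnets and sits first, and it flags a short or low-variety pre-shared key. The function names and the PSK thresholds are this example's own assumptions.

```python
"""Audit a RouterOS site-to-site IPsec setup from its `add` lines.
Added example; function names and thresholds are assumptions, not RouterOS."""
import ipaddress
import re
import shlex


def parse_add(line: str) -> dict:
    """Turn 'add key=value key=value ...' into a dict (values may be quoted)."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not an add command: {line!r}")
    return dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)


def check_policy_pair(local_policy: str, remote_policy: str) -> list[str]:
    """Problems if the two policy lines are not exact mirrors of each other."""
    a, b = parse_add(local_policy), parse_add(remote_policy)
    problems = []
    for mine, theirs in (("src-address", "dst-address"),
                         ("sa-src-address", "sa-dst-address")):
        if a.get(mine) != b.get(theirs):
            problems.append(f"{mine} on one side != {theirs} on the other")
        if a.get(theirs) != b.get(mine):
            problems.append(f"{theirs} on one side != {mine} on the other")
    if a.get("tunnel") != "yes" or b.get("tunnel") != "yes":
        problems.append("tunnel=yes is required on both sides of a site-to-site tunnel")
    if a.get("proposal") != b.get("proposal"):
        problems.append("proposal names differ; both sides must offer matching transforms")
    if a.get("action") != "encrypt" or b.get("action") != "encrypt":
        problems.append("action=encrypt missing on one side")
    return problems


def check_psk(secret: str) -> list[str]:
    """The PSK is the whole authentication of the tunnel, so a short or
    low-variety one is a finding (thresholds are this example's assumption)."""
    findings = []
    if len(secret) < 20:
        findings.append(f"pre-shared key is only {len(secret)} characters")
    classes = sum(bool(re.search(pat, secret))
                  for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        findings.append("pre-shared key uses fewer than three character classes")
    return findings


def check_peer_covers_policy(peer: str, policy: str) -> list[str]:
    """The peer entry must match the address IKE negotiates with, i.e. the
    policy's sa-dst-address (the remote WAN), not the remote LAN."""
    p, pol = parse_add(peer), parse_add(policy)
    problems = []
    peer_net = ipaddress.ip_network(p["address"], strict=False)  # bare IP -> /32
    sa_dst = ipaddress.ip_address(pol["sa-dst-address"])
    if sa_dst not in peer_net:
        problems.append(f"peer address {p['address']} does not cover sa-dst-address {sa_dst}")
    if p.get("auth-method") == "pre-shared-key":
        problems.extend(check_psk(p.get("secret", "")))
    return problems


def check_nat_bypass(nat_rule: str, policy: str) -> list[str]:
    """The srcnat accept rule must cover the policy's subnets and be placed
    before masquerade, or tunnel traffic is rewritten and never encrypted."""
    n, pol = parse_add(nat_rule), parse_add(policy)
    problems = []
    if n.get("chain") != "srcnat" or n.get("action") != "accept":
        problems.append("NAT bypass must be chain=srcnat action=accept")
    if n.get("place-before") != "0":
        problems.append("NAT bypass is not placed first; a masquerade rule above it wins")
    if (n.get("src-address"), n.get("dst-address")) != (pol.get("src-address"), pol.get("dst-address")):
        problems.append("NAT bypass subnets differ from the policy's src/dst")
    return problems


# Constructed sample: the two sites of the text, one peer line using the remote
# WAN address and one deliberately pointing at the remote LAN instead.
SITE1_POLICY = ("add src-address=192.168.200.0/24 src-port=any dst-address=192.168.100.0/24 dst-port=any "
                "sa-src-address=10.0.0.19 sa-dst-address=10.0.0.21 tunnel=yes action=encrypt proposal=default")
SITE2_POLICY = ("add src-address=192.168.100.0/24 src-port=any dst-address=192.168.200.0/24 dst-port=any "
                "sa-src-address=10.0.0.21 sa-dst-address=10.0.0.19 tunnel=yes action=encrypt proposal=default")
SITE1_PEER_WAN = "add address=10.0.0.21/32 port=500 auth-method=pre-shared-key secret=Qwerty1"
SITE1_PEER_LAN = "add address=192.168.100.1/24 port=500 auth-method=pre-shared-key secret=Qwerty1"
SITE1_NAT = "add chain=srcnat action=accept place-before=0 src-address=192.168.200.0/24 dst-address=192.168.100.0/24"


def audit_site1() -> dict:
    """Run every check against the constructed Site 1 lines."""
    return {
        "policy_pair": check_policy_pair(SITE1_POLICY, SITE2_POLICY),
        "peer_wan": check_peer_covers_policy(SITE1_PEER_WAN, SITE1_POLICY),
        "peer_lan": check_peer_covers_policy(SITE1_PEER_LAN, SITE1_POLICY),
        "nat": check_nat_bypass(SITE1_NAT, SITE1_POLICY),
    }


if __name__ == "__main__":
    for name, findings in audit_site1().items():
        print(name, "OK" if not findings else findings)
```

Run as a script, the policy pair and the NAT bypass come back clean, the WAN-addressed peer is reported only for its short key, and the LAN-addressed peer additionally fails the sa-dst-address coverage check, which is the symptom that shows up on a router as a peer that never completes phase 1.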