2017-06-14 12:02:57

RouterOS: building an IPsec VPN

RouterOS IPsec VPN summary

Physical environment
A is the server
WAN-A: 172.11.11.1
LAN-A: 192.168.2.192/26

B is the client
Its local WAN interface IP is 192.168.254.42, mapped to the public IP 172.11.10.1

WAN-B: 192.168.254.42
LAN-B: 192.168.20.0/24

A RouterOS client has to bring up an l2tp-client connection before it can use the IPsec connection, so the server side also needs an L2TP server configured, with an account assigned for the client.


Ports to open
ipsec-esp protocol
UDP  500
UDP  1701

Server

#open the firewall ports

/ip firewall filter
add action=accept chain=input comment="" disabled=no dst-port=1701 protocol=udp
add action=accept chain=input comment="" disabled=no protocol=ipsec-esp
add action=accept chain=input comment="" disabled=no dst-port=500 protocol=udp

#enable the L2TP server

/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
   default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled

#create the account

/ppp secret

add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
   local-address=10.10.101.1 name=test password=test profile=\
   default-encryption remote-address=10.10.101.2 routes="" service=l2tp

#configure IPsec

/ip ipsec proposal
set default auth-algorithms=md5,sha1 comment="" disabled=no enc-algorithms=3des lifetime=1d name=default pfs-group=modp1024

/ip ipsec peer

add address=172.11.10.1:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
   enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=123 \
   send-initial-contact=yes

/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=192.168.20.0/24:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
   sa-dst-address=172.11.10.1 sa-src-address=172.11.11.1 src-address=192.168.2.0/24:any tunnel=yes

#exempt tunnel traffic from source NAT (srcnat is a NAT chain, so this rule belongs under /ip firewall nat, as on the client side, not under /ip firewall filter)
/ip firewall nat

add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.20.0/24 src-address=192.168.2.192/26


Client

#open the firewall ports

/ip firewall filter
add action=accept chain=input comment="" disabled=no dst-port=1701 protocol=udp
add action=accept chain=input comment="" disabled=no protocol=ipsec-esp
add action=accept chain=input comment="" disabled=no dst-port=500 protocol=udp

#enable the L2TP client

/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" connect-to=172.11.11.1 dial-on-demand=no \
   disabled=no max-mru=1460 max-mtu=1460 mrru=disabled name=l2tp-out1 password=test profile=default-encryption user=\
   test

#configure IPsec

/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des lifetime=1d name=default pfs-group=modp1024

/ip ipsec peer

add address=172.11.11.1:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=\
   disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 \
   lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=123 send-initial-contact=yes


/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=192.168.2.0/24:any ipsec-protocols=esp level=require priority=0 \
   proposal=default protocol=all sa-dst-address=172.11.11.1 sa-src-address=192.168.252.254 src-address=\
   192.168.20.0/24:any tunnel=yes


/ip firewall nat

add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.2.192/26 src-address=192.168.20.0/24

Note: the connection is only established once you ping the target IP from the client side.
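As an added example (not code from the original post), a small Python audit script that parses RouterOS export-style commands like the ones above, joining backslash-wrapped lines and tracking the menu path, and flags what a reviewer would want called out in this configuration: 3DES, MD5, modp1024, the short pre-shared key, and a srcnat rule placed under /ip firewall filter. The SAMPLE is a constructed, condensed copy of the server-side lines; `parse`, `audit` and `WEAK` are names chosen here.

```python
import shlex

# Constructed sample, not a full export: the server-side IPsec proposal, peer and
# NAT lines from this page, condensed, keeping the page's placeholder secret "123".
SAMPLE = r"""/ip ipsec proposal
set default auth-algorithms=md5,sha1 comment="" enc-algorithms=3des pfs-group=modp1024
/ip ipsec peer
add address=172.11.10.1:500 auth-method=pre-shared-key dh-group=modp1024 \
   enc-algorithm=3des exchange-mode=main hash-algorithm=sha1 nat-traversal=no secret=123
/ip firewall filter
add action=accept chain=srcnat dst-address=192.168.20.0/24 src-address=192.168.2.192/26
"""

# (parameters to inspect, values considered weak, finding text)
WEAK = [
    (("enc-algorithm", "enc-algorithms"), {"des", "3des", "null"}, "weak cipher"),
    (("auth-algorithms", "hash-algorithm"), {"md5"}, "MD5 integrity/PRF"),
    (("dh-group", "pfs-group"), {"modp768", "modp1024"}, "DH group below 2048-bit"),
]

def parse(text):
    """Yield (menu path, {param: value}) per add/set command, joining backslash-wrapped lines."""
    menu, buf = "", ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # RouterOS export continuation
            buf = line[:-1] + " "
            continue
        buf = ""
        if line.startswith("/"):         # menu path such as /ip ipsec peer
            menu = line
        elif line:
            yield menu, dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)

def audit(text):
    """Return one finding string per weak or misplaced setting in the config."""
    findings = []
    for menu, a in parse(text):
        if menu.startswith("/ip firewall filter") and a.get("chain") in ("srcnat", "dstnat"):
            findings.append(f"{menu}: chain={a['chain']} belongs under /ip firewall nat")
        if not menu.startswith("/ip ipsec"):
            continue
        for keys, bad, msg in WEAK:
            for key in keys:
                for val in a.get(key, "").split(","):
                    if val in bad:
                        findings.append(f"{menu}: {msg} ({key}={val})")
        if "secret" in a and len(a["secret"]) < 16:
            findings.append(f"{menu}: pre-shared key is only {len(a['secret'])} chars")
    return findings
```

Running `audit(SAMPLE)` yields seven findings for the sample above; the same function can be pointed at a full `/export` dump.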

