diff --git a/nomes_comandes_tunel_IPSEC. b/nomes_comandes_tunel_IPSEC.
new file mode 100644
index 0000000..aafd87b
--- /dev/null
+++ b/nomes_comandes_tunel_IPSEC.
@@ -0,0 +1,97 @@
+connectar-se al port 2 del mikrotik
+engegar winbox
+
+FORCE RESET
+/system reset-configuration no-defaults=yes skip-backup=no
+YES
+
+/system identity set name=Router-A
+/interface bridge add name=bridge-LAN
+
+Per activa el mode segur
+
+apretar control + X
+
+/interface bridge port add bridge=bridge-LAN interface=ether2
+
+PAUSA
+copy.paste a saco !!!
+
+/interface bridge port add bridge=bridge-LAN interface=ether3
+/interface bridge port add bridge=bridge-LAN interface=ether4
+/interface bridge port add bridge=bridge-LAN interface=ether5
+/ip address add address=10.1.202.1/24 interface=bridge-LAN comment="LAN Router-A"
+/ip address add address=192.168.90.1/24 interface=ether1 comment="WAN Router-A"
+/ip route add dst-address=192.168.80.0/24 gateway=192.168.90.254 comment="Ruta cap a WAN Router-B via NU-GAN5"
+/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
+/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
+/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
+/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
+/ip ipsec policy add peer=peer-routerB tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 proposal=proposta-vpn
+/ip firewall nat add chain=srcnat src-address=10.1.202.0/24 dst-address=10.1.101.0/24 action=accept comment="No NAT cap a LAN-B per IPsec"
+/ip route add dst-address=10.1.101.0/24 gateway=192.168.90.254 comment="Ruta cap a LAN-B per IPsec"
+
+
+TEST !!
+/ping 192.168.80.1
+/ip ipsec active-peers print
+/ip ipsec installed-sa print detail
+/ping 10.1.101.1 src-address=10.1.202.1
+
+
+
+I recordatori important: això reconstrueix Router-A. Perquè els clients funcionin sense rutes manuals, han de tenir com a gateway:
+
+Clients LAN A → 10.1.202.1
+Clients LAN B → 10.1.101.1
+
+
+Aquest seria el bloc net per reconstruir Router-B / xarxa B després d’un reset sense defaults:
+
+/system identity set name=Router-B
+
+/interface bridge add name=bridge-LAN
+
+/interface bridge port add bridge=bridge-LAN interface=ether2
+/interface bridge port add bridge=bridge-LAN interface=ether3
+/interface bridge port add bridge=bridge-LAN interface=ether4
+/interface bridge port add bridge=bridge-LAN interface=ether5
+
+/ip address add address=10.1.101.1/24 interface=bridge-LAN comment="LAN Router-B"
+/ip address add address=192.168.80.1/24 interface=ether1 comment="WAN Router-B"
+
+/ip route add dst-address=192.168.90.0/24 gateway=192.168.80.254 comment="Ruta cap a WAN Router-A via NU-GAN5"
+
+/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
+
+/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn
+
+/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"
+
+/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
+
+/ip ipsec policy add peer=peer-routerA tunnel=yes src-address=10.1.101.0/24 dst-address=10.1.202.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 proposal=proposta-vpn
+
+/ip firewall nat add chain=srcnat src-address=10.1.101.0/24 dst-address=10.1.202.0/24 action=accept comment="No NAT cap a LAN-A per IPsec"
+
+/ip route add dst-address=10.1.202.0/24 gateway=192.168.80.254 comment="Ruta cap a LAN-A per IPsec"
+
+Comprovació mínima des del Router-B:
+
+/ping 192.168.90.1
+/ip ipsec active-peers print
+/ip ipsec installed-sa print detail
+/ping 10.1.202.1 src-address=10.1.101.1
+
+I recordatori pels clients de la xarxa B:
+
+Clients LAN B → gateway 10.1.101.1
+
+Si un client de LAN B té un altre gateway, llavors necessitarà ruta específica:
+
+sudo ip route add 10.1.202.0/24 via 10.1.101.1
+
+
+
+
+
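Review bot: Both `/ip ipsec identity add ... auth-method=pre-shared-key secret="class"` lines (Router-A and Router-B) commit the live IKEv2 pre-shared key in plain text, and a short dictionary word is a weak PSK; once pushed it stays in the repository history even if edited later. I would replace the literal in both lines with a placeholder and set the real value on the device, e.g. `/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="<PSK-generated-per-deployment>"` with a comment that the same long random secret must be configured on the other router. Separately, the runbook starts from `/system reset-configuration no-defaults=yes` and adds no `/ip firewall filter` rules, so as written nothing appears to restrict management access (winbox, ssh, www) on ether1/WAN; if that is deliberate for a lab, a one-line note saying so would help, otherwise an input-chain filter on ether1 belongs before the IPsec section.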