Delete nomes_comandes_tunel_IPSEC.
This commit is contained in:
parent
f898c2f31d
commit
dcad58f4da
@ -1,97 +0,0 @@
connectar-se al port 2 del mikrotik
engegar winbox

FORCE RESET
/system reset-configuration no-defaults=yes skip-backup=no
YES

/system identity set name=Router-A
/interface bridge add name=bridge-LAN

Per activa el mode segur

apretar control + X

/interface bridge port add bridge=bridge-LAN interface=ether2

PAUSA
copy.paste a saco !!!

/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5
/ip address add address=10.1.202.1/24 interface=bridge-LAN comment="LAN Router-A"
/ip address add address=192.168.90.1/24 interface=ether1 comment="WAN Router-A"
/ip route add dst-address=192.168.80.0/24 gateway=192.168.90.254 comment="Ruta cap a WAN Router-B via NU-GAN5"
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerB tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 proposal=proposta-vpn
/ip firewall nat add chain=srcnat src-address=10.1.202.0/24 dst-address=10.1.101.0/24 action=accept comment="No NAT cap a LAN-B per IPsec"
/ip route add dst-address=10.1.101.0/24 gateway=192.168.90.254 comment="Ruta cap a LAN-B per IPsec"


TEST !!
/ping 192.168.80.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.101.1 src-address=10.1.202.1



I recordatori important: això reconstrueix Router-A. Perquè els clients funcionin sense rutes manuals, han de tenir com a gateway:

Clients LAN A → 10.1.202.1
Clients LAN B → 10.1.101.1


Aquest seria el bloc net per reconstruir Router-B / xarxa B després d'un reset sense defaults:

/system identity set name=Router-B

/interface bridge add name=bridge-LAN

/interface bridge port add bridge=bridge-LAN interface=ether2
/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5

/ip address add address=10.1.101.1/24 interface=bridge-LAN comment="LAN Router-B"
/ip address add address=192.168.80.1/24 interface=ether1 comment="WAN Router-B"

/ip route add dst-address=192.168.90.0/24 gateway=192.168.80.254 comment="Ruta cap a WAN Router-A via NU-GAN5"

/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes

/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn

/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"

/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h

/ip ipsec policy add peer=peer-routerA tunnel=yes src-address=10.1.101.0/24 dst-address=10.1.202.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 proposal=proposta-vpn

/ip firewall nat add chain=srcnat src-address=10.1.101.0/24 dst-address=10.1.202.0/24 action=accept comment="No NAT cap a LAN-A per IPsec"

/ip route add dst-address=10.1.202.0/24 gateway=192.168.80.254 comment="Ruta cap a LAN-A per IPsec"

Comprovació mínima des del Router-B:

/ping 192.168.90.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.202.1 src-address=10.1.101.1

I recordatori pels clients de la xarxa B:

Clients LAN B → gateway 10.1.101.1

Si un client de LAN B té un altre gateway, llavors necessitarà ruta específica:

sudo ip route add 10.1.202.0/24 via 10.1.101.1

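Review bot: the deleted file carries the tunnel's pre-shared key in clear text on both sides (`/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"` and the matching `peer-routerA` line), and deleting the file does not remove that secret from the repository history, so if Router-A and Router-B still run this configuration the PSK should be rotated on both peers, and any replacement notes should keep the real value out of the repo (a placeholder such as `secret="<PSK>"` with the key supplied out of band). The commit message also gives no pointer to where the rebuild procedure now lives; a one-line reference would help whoever next has to rebuild either router after a `no-defaults=yes` reset.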