555/nomes_comandes_tunel_IPSEC.
2026-05-19 17:31:17 +02:00

connect to port 2 of the MikroTik
start WinBox
FORCE RESET
/system reset-configuration no-defaults=yes skip-backup=no
YES
/system identity set name=Router-A
/interface bridge add name=bridge-LAN
To enable safe mode
press Ctrl + X
/interface bridge port add bridge=bridge-LAN interface=ether2
PAUSE
copy-paste everything in one go !!!
/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5
/ip address add address=10.1.202.1/24 interface=bridge-LAN comment="LAN Router-A"
/ip address add address=192.168.90.1/24 interface=ether1 comment="WAN Router-A"
/ip route add dst-address=192.168.80.0/24 gateway=192.168.90.254 comment="Ruta cap a WAN Router-B via NU-GAN5"
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerB tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 proposal=proposta-vpn
/ip firewall nat add chain=srcnat src-address=10.1.202.0/24 dst-address=10.1.101.0/24 action=accept comment="No NAT cap a LAN-B per IPsec"
/ip route add dst-address=10.1.101.0/24 gateway=192.168.90.254 comment="Ruta cap a LAN-B per IPsec"
TEST !!
/ping 192.168.80.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.101.1 src-address=10.1.202.1
And an important reminder: this rebuilds Router-A. For the clients to work without manual routes, they must use as their gateway:
LAN A clients → 10.1.202.1
LAN B clients → 10.1.101.1
This would be the clean block to rebuild Router-B / network B after a no-defaults reset:
/system identity set name=Router-B
/interface bridge add name=bridge-LAN
/interface bridge port add bridge=bridge-LAN interface=ether2
/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5
/ip address add address=10.1.101.1/24 interface=bridge-LAN comment="LAN Router-B"
/ip address add address=192.168.80.1/24 interface=ether1 comment="WAN Router-B"
/ip route add dst-address=192.168.90.0/24 gateway=192.168.80.254 comment="Ruta cap a WAN Router-A via NU-GAN5"
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerA tunnel=yes src-address=10.1.101.0/24 dst-address=10.1.202.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 proposal=proposta-vpn
/ip firewall nat add chain=srcnat src-address=10.1.101.0/24 dst-address=10.1.202.0/24 action=accept comment="No NAT cap a LAN-A per IPsec"
/ip route add dst-address=10.1.202.0/24 gateway=192.168.80.254 comment="Ruta cap a LAN-A per IPsec"
Minimal check from Router-B:
/ping 192.168.90.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.202.1 src-address=10.1.101.1
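An added consistency check, written for this note and not part of it or of RouterOS: it parses the IPsec lines of the Router-A and Router-B blocks above and verifies that profile and proposal parameters match on both ends, that the policy addresses of one router mirror the other's, that each peer address is the other router's WAN address (its sa-src-address), and that the pre-shared key is identical on both sides and not a short one like the sample secret. The two inputs are constructed from the commands above with the comment= values dropped.

```python
import shlex

# Constructed sample: the IPsec lines from the Router-A and Router-B blocks above, comments dropped.
ROUTER_A = """
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add peer=peer-routerB tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 proposal=proposta-vpn
"""
ROUTER_B = """
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add peer=peer-routerA tunnel=yes src-address=10.1.101.0/24 dst-address=10.1.202.0/24 sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 proposal=proposta-vpn
"""

# Parameters both ends must agree on, and policy fields that must be mirror images of each other.
SHARED = {"ip ipsec profile": ("hash-algorithm", "enc-algorithm", "dh-group"),
          "ip ipsec proposal": ("auth-algorithms", "enc-algorithms", "pfs-group")}
MIRROR = (("src-address", "dst-address"), ("dst-address", "src-address"),
          ("sa-src-address", "sa-dst-address"), ("sa-dst-address", "sa-src-address"))

def parse_ros(text):
    """Map each '/ip ipsec <section> add ...' line to a dict of its key=value pairs."""
    cfg = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)  # handles secret="..." quoting
        i = toks.index("add")
        section = " ".join(t.lstrip("/") for t in toks[:i])  # e.g. 'ip ipsec policy'
        cfg[section] = dict(t.split("=", 1) for t in toks[i + 1:] if "=" in t)
    return cfg

def check_pair(a, b):
    """Return findings for a site-to-site pair; an empty list means both ends are consistent."""
    out = []
    for section, keys in SHARED.items():
        out += [f"{section} {k} differs: {a[section].get(k)} vs {b[section].get(k)}"
                for k in keys if a[section].get(k) != b[section].get(k)]
    pa, pb = a["ip ipsec policy"], b["ip ipsec policy"]
    out += [f"policy {ka} on A ({pa.get(ka)}) must equal {kb} on B ({pb.get(kb)})"
            for ka, kb in MIRROR if pa.get(ka) != pb.get(kb)]
    # Each peer address must be the other router's WAN address, i.e. that router's sa-src-address.
    for name, x, other in (("A", a, pb), ("B", b, pa)):
        if x["ip ipsec peer"]["address"] != other["sa-src-address"]:
            out.append(f"Router-{name} peer address is not the other end's sa-src-address")
    psk_a, psk_b = a["ip ipsec identity"]["secret"], b["ip ipsec identity"]["secret"]
    if psk_a != psk_b or len(psk_a) < 20:  # the sample "class" secret trips the length check
        out.append("pre-shared keys must match and be a long random secret (20+ characters)")
    return out
```

Run `check_pair(parse_ros(ROUTER_A), parse_ros(ROUTER_B))` before pasting a rebuilt block: with the commands above it reports only the short pre-shared key.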
And a reminder for the network B clients:
LAN B clients → gateway 10.1.101.1
If a LAN B client uses a different gateway, it will need a specific route:
sudo ip route add 10.1.202.0/24 via 10.1.101.1