IPSEC IKEv2 VPN sees only the router but not the other LAN devices


imperia

Question

Hello,

I configured an IPSEC VPN. I connect, I have Internet, I can see the router, but I have no access to the other devices on the LAN.
I tried putting the IPSEC clients both in the same network and in a separate one. No luck.
I'm probably missing some rule in the firewall.

Could someone help with some pointers?
Thanks.

6 answers to this question


For IPSEC you must have an accept rule at the very top of the NAT table.

add action=accept chain=srcnat comment="IPSEC " dst-address=192.168.1.0/24 src-address=192.168.0.0/24


Edited by gbdesign
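As an added check, not code from this thread, here is a small Python script that parses the /ip firewall nat section of a RouterOS export and reports when a masquerade or src-nat rule is matched before the accept rule for LAN-to-VPN traffic, which is exactly the ordering problem the rule above fixes. The sample exports are constructed to mirror the configuration posted later in the thread (a documentation address stands in for the public IP), and place-before=0 is used to put the accept rule at the top; note that the accept rule only exempts LAN-to-VPN-pool traffic from NAT, so it does not widen exposure for anything else.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the thread: masquerade sits first, so replies from
# the LAN to the VPN pool are source-NATed towards ether1 before the IPsec policy
# gets to see them.
BROKEN_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="rtorrent dht" dst-address=\\
    203.0.113.10 dst-port=6881 in-interface=ether1 protocol=udp to-addresses=\\
    192.168.0.62 to-ports=6881
/ip ipsec policy
set 0 dst-address=192.168.1.0/24 group=roadwarrior src-address=0.0.0.0/0
"""

# Same export with the accept rule from the answer placed at the top of srcnat.
FIXED_EXPORT = BROKEN_EXPORT.replace(
    "/ip firewall nat\n",
    '/ip firewall nat\nadd action=accept chain=srcnat comment="IPSEC" '
    "dst-address=192.168.1.0/24 src-address=192.168.0.0/24 place-before=0\n", 1)

def parse_nat_rules(export: str) -> List[Dict[str, str]]:
    """Return the 'add' rules of /ip firewall nat, in order, as key/value dicts.
    Lines ending in a backslash are RouterOS continuations and are joined first."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules, in_nat = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):          # a section header switches context
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            rules.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])))
    return rules

def ipsec_nat_problem(rules: List[Dict[str, str]], lan_net: str, vpn_net: str) -> Optional[str]:
    """None when an srcnat accept for lan_net -> vpn_net precedes every translating
    rule; otherwise a description of why VPN clients will not reach the LAN."""
    for idx, r in enumerate(rules):
        if r.get("chain") != "srcnat":
            continue
        if (r.get("action") == "accept" and r.get("src-address") == lan_net
                and r.get("dst-address") == vpn_net):
            return None
        if r.get("action") in ("masquerade", "src-nat"):
            return f"srcnat rule {idx} ({r['action']}) is matched before an accept for {lan_net} -> {vpn_net}"
    return f"no srcnat accept rule for {lan_net} -> {vpn_net}"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, ipsec_nat_problem(parse_nat_rules(text), "192.168.0.0/24", "192.168.1.0/24"))
```

Run it against your own `/export` output by reading the file into a string; the LAN and VPN pool networks are passed explicitly so the check works for any addressing.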

Just guessing:

Your local address in the profile is the router's address,

and your remote one is from the same network.


I didn't understand your question.
Which profile?
My router is 192.168.0.1, the LAN is 192.168.0.x, and I tried the VPN clients again in 192.168.0.x and also in 192.168.1.x.

/interface bridge
add fast-forward=no name=bridge2
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:50:8B:13:AF:8A
/interface wireless
set [ find default-name=wlan1 ] country=bulgaria disabled=no frequency=2437 \
    mode=ap-bridge ssid=iMPERiA wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n country=bulgaria disabled=no \
    mode=ap-bridge ssid=iMPERiA-5GHz wireless-protocol=802.11 wps-mode=disabled
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys
/ip dhcp-server option
add code=119 name=domain-search value=0x07696D7065726961036C616E00
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec policy group
add name=roadwarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.0.101-192.168.0.199
add name=ipsec-rw ranges=192.168.1.0/24
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge2 lease-time=1d name=dhcp1
/ip ipsec mode-config
add address-pool=ipsec-rw address-prefix-length=32 name=rw-cfg static-dns=\
    192.168.0.1 system-dns=no
/interface bridge port
add bridge=bridge2 interface=ether2
add bridge=bridge2 interface=ether3
add bridge=bridge2 interface=ether4
add bridge=bridge2 interface=ether5
add bridge=bridge2 interface=sfp1
add bridge=bridge2 interface=wlan2
add bridge=bridge2 interface=wlan1
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=12h
/ip dhcp-server lease
add address=192.168.0.2 client-id=1:10:bf:48:b7:85:30 mac-address=\
    10:BF:48:B7:85:30 server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dhcp-option=domain-search dns-server=192.168.0.1 \
    domain=imperia.lan gateway=192.168.0.1 netmask=24 ntp-server=192.168.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d
/ip dns static
add address=192.168.0.1 name=MikroTik.imperia.lan ttl=1w
/ip firewall address-list
add address=198.20.69.74 list=shodan
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input in-interface=ether1 ipsec-policy=in,ipsec
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=\
    udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input in-interface=ether1 src-address-list=shodan
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="rtorrent dht" dst-address=\
    93.152.xxx.xxx dst-port=6881 in-interface=ether1 protocol=udp to-addresses=\
    192.168.0.62 to-ports=6881
/ip ipsec peer
add auth-method=rsa-signature certificate=imperia.host.net enc-algorithm=aes-256 \
    exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    mode-config=rw-cfg passive=yes policy-template-group=roadwarrior
/ip ipsec policy
set 0 dst-address=192.168.1.0/24 group=roadwarrior src-address=0.0.0.0/0
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge2 type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Sofia
/system leds
set 1 interface=wlan2
/system ntp client
set enabled=yes primary-ntp=212.70.148.17 secondary-ntp=87.97.157.120
/system ntp server
set enabled=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=sfp1
add interface=wlan2
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=sfp1
add interface=wlan2
add interface=wlan1

Thanks, colleague.

It worked.

I suppose there's no way to put the VPN clients in the same subnet as the local computers, 192.168.0.x.
