Zywall L2TP Server + Client L2TP MikroTik
Добавлено: 29 окт 2019, 13:09
Denis.Martynov
Необходимо организовать VPN-туннель между устройствами: клиент L2TP на MikroTik выходит в интернет через 3G (серый IP) и подключается в офис к серверу L2TP на Zywall.
Со стороны клиента все хорошо, видим удаленную сеть.
Со стороны сервера видим только сам MikroTik по IP-адресу клиента (192.168.101.5), а не хосты его локальной сети 192.168.7.0/24.
Фаервол временно отключен (в начале цепочек input и output стоят правила accept).
Со стороны клиента все хорошо, видим удаленную сеть.
Со стороны сервера видим только сам MikroTik по IP-адресу клиента (192.168.101.5), а не хосты его локальной сети 192.168.7.0/24.
Фаервол временно отключен (в начале цепочек input и output стоят правила accept).
# oct/28/2019 18:46:05 by RouterOS 6.44.1
# software id = R8RK-BVJV
#
# model = RB951Ui-2nD
# serial number = *
/interface bridge
# defconf LAN bridge; the admin MAC is pinned so the bridge MAC does not change across reboots
add admin-mac=74:4D:28:95:71:8D auto-mac=no comment=defconf name=bridge
/interface wireless
# 2.4 GHz access point "Dor2"; wlan1 is a slave port of the LAN bridge (see bridge ports below)
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Dor2 \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# NOTE(review): wpa-psk (WPA1) is still offered next to wpa2-psk; drop it unless a
# legacy client genuinely needs it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=[*]\
wpa2-pre-shared-key=[*]
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
# IKE phase 1 for the L2TP/IPsec tunnel. Single DES and modp1024 (DH group 2) are weak
# by today's standards. Phase-1 parameters must match the Zywall, so change both ends
# together (e.g. aes-256 + modp2048) rather than this side alone.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=des
/ip ipsec proposal
# Phase 2: 3des/des with sha1/md5 and no PFS. Same caveat — agree stronger algorithms
# with the Zywall side before tightening this proposal.
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des,des \
pfs-group=none
/ip pool
add name=dhcp ranges=192.168.7.10-192.168.7.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# *0 is normally the "default" profile, which l2tp-out1 below references: the tunnel
# gets 192.168.101.5 as its local address (also used as pref-src for the office route).
# NOTE(review): use-upnp=yes on a VPN profile is unusual — confirm it is intended.
set *0 local-address=192.168.101.5 use-compression=yes use-encryption=yes \
use-mpls=yes use-upnp=yes
set *FFFFFFFE change-tcp-mss=default use-compression=yes use-mpls=yes
/interface l2tp-client
# L2TP client towards the office Zywall, wrapped in IPsec (use-ipsec=yes with a PSK).
# allow=pap sends the PPP password in clear inside the tunnel; it is protected only by
# the IPsec layer. Prefer mschap2 if the Zywall accepts it.
add allow=pap connect-to=[*]disabled=no ipsec-secret=[*]\
keepalive-timeout=30 name=l2tp-out1 password=[*]profile=default \
use-ipsec=yes user=[*]
/interface bridge port
# ether2-ether5 and wlan1 are slave ports of the LAN bridge
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
# neighbor discovery only towards LAN-list interfaces, not the uplink
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): this entry has no interface= and therefore does nothing. It was
# presumably meant for the 3G uplink (or l2tp-out1). While the 3G interface is not in
# the WAN list, the forward-chain "drop all from WAN not DSTNATed" rule does not cover it.
add list=WAN
/ip address
# NOTE(review): 192.168.7.1/24 is bound to ether2, which is a bridge slave port; the
# defconf places it on interface=bridge. Verify the address is active and not flagged invalid.
add address=192.168.7.1/24 comment=defconf interface=ether2 network=192.168.7.0
/ip cloud
set ddns-update-interval=30m update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
# NOTE(review): this second DHCP client has no interface= either — presumably the 3G
# uplink; confirm which interface actually obtains the public/grey address.
add dhcp-options=hostname,clientid disabled=no
/ip dhcp-server network
add address=192.168.7.0/24 comment=defconf gateway=192.168.7.1 netmask=24
/ip dns
# The router answers DNS queries for other hosts. This is only safe while the input
# chain still drops traffic that is not from the LAN list; with the blanket
# "accept chain=input" rule in the firewall filter enabled, the router becomes an
# open resolver on the 3G/internet side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.7.1 name=router.lan
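/ip firewall filter
# Troubleshooting switches. While enabled, these two rules sit in front of every defconf
# rule and accept everything on input and output, so the rest of the input chain is never
# evaluated and every service the router listens on (DNS with allow-remote-requests=yes
# included) is reachable from the 3G/internet side. The output-chain rule has no effect
# at all (the default output policy is already accept). Both are kept disabled; enable
# only for a short test and disable again.
add action=accept chain=input comment="troubleshooting: accept all input (keep disabled)" \
disabled=yes
add action=accept chain=output comment="troubleshooting: accept all output (keep disabled)" \
disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Traffic arriving from the office through the tunnel (e.g. the Zywall side pinging
# 192.168.101.5) comes in on l2tp-out1, which is not in the LAN list and would hit the
# drop rule below. Accept it explicitly instead of opening the whole input chain.
add action=accept chain=input comment="accept from office L2TP tunnel" \
in-interface=l2tp-out1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# Only interfaces in the WAN list are covered by this rule; the forward chain has no
# final drop, so new connections from any other interface (l2tp-out1 included) are allowed.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN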
/ip firewall nat
# The defconf masquerade towards the WAN list is disabled, so this router does not NAT
# LAN hosts to the internet. NOTE(review): confirm the 3G modem does that, otherwise the
# LAN has no internet access at all.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
# LAN -> office traffic is source-NATed to the tunnel address (192.168.101.5). This is
# why the office side only ever sees "the MikroTik" and not the 192.168.7.x hosts, and
# — as long as the Zywall has no route to 192.168.7.0/24 — why nothing in the office can
# initiate connections to them. To expose the LAN, the Zywall needs a route for
# 192.168.7.0/24 via this tunnel and this rule has to go. If the Zywall cannot route to
# the client LAN, this masquerade is the workaround and the observed symptom is expected.
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 out-interface=\
all-ppp src-address=192.168.7.0/24
/ip route
# Office LAN (192.168.100.0/24) via the tunnel, sourced from the tunnel address.
# check-gateway=ping withdraws the route while the tunnel peer stops answering;
# distance=2 lets a lower-distance route for the same prefix take precedence.
add check-gateway=ping distance=2 dst-address=192.168.100.0/24 gateway=\
l2tp-out1 pref-src=192.168.101.5
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik
/tool mac-server
# MAC-telnet and MAC-Winbox are reachable only from LAN-list interfaces
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# software id = R8RK-BVJV
#
# model = RB951Ui-2nD
# serial number = *
/interface bridge
# defconf LAN bridge; the admin MAC is pinned so the bridge MAC does not change across reboots
add admin-mac=74:4D:28:95:71:8D auto-mac=no comment=defconf name=bridge
/interface wireless
# 2.4 GHz access point "Dor2"; wlan1 is a slave port of the LAN bridge (see bridge ports below)
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Dor2 \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# NOTE(review): wpa-psk (WPA1) is still offered next to wpa2-psk; drop it unless a
# legacy client genuinely needs it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=[*]\
wpa2-pre-shared-key=[*]
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
# IKE phase 1 for the L2TP/IPsec tunnel. Single DES and modp1024 (DH group 2) are weak
# by today's standards. Phase-1 parameters must match the Zywall, so change both ends
# together (e.g. aes-256 + modp2048) rather than this side alone.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=des
/ip ipsec proposal
# Phase 2: 3des/des with sha1/md5 and no PFS. Same caveat — agree stronger algorithms
# with the Zywall side before tightening this proposal.
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des,des \
pfs-group=none
/ip pool
add name=dhcp ranges=192.168.7.10-192.168.7.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# *0 is normally the "default" profile, which l2tp-out1 below references: the tunnel
# gets 192.168.101.5 as its local address (also used as pref-src for the office route).
# NOTE(review): use-upnp=yes on a VPN profile is unusual — confirm it is intended.
set *0 local-address=192.168.101.5 use-compression=yes use-encryption=yes \
use-mpls=yes use-upnp=yes
set *FFFFFFFE change-tcp-mss=default use-compression=yes use-mpls=yes
/interface l2tp-client
# L2TP client towards the office Zywall, wrapped in IPsec (use-ipsec=yes with a PSK).
# allow=pap sends the PPP password in clear inside the tunnel; it is protected only by
# the IPsec layer. Prefer mschap2 if the Zywall accepts it.
add allow=pap connect-to=[*]disabled=no ipsec-secret=[*]\
keepalive-timeout=30 name=l2tp-out1 password=[*]profile=default \
use-ipsec=yes user=[*]
/interface bridge port
# ether2-ether5 and wlan1 are slave ports of the LAN bridge
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
# neighbor discovery only towards LAN-list interfaces, not the uplink
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): this entry has no interface= and therefore does nothing. It was
# presumably meant for the 3G uplink (or l2tp-out1). While the 3G interface is not in
# the WAN list, the forward-chain "drop all from WAN not DSTNATed" rule does not cover it.
add list=WAN
/ip address
# NOTE(review): 192.168.7.1/24 is bound to ether2, which is a bridge slave port; the
# defconf places it on interface=bridge. Verify the address is active and not flagged invalid.
add address=192.168.7.1/24 comment=defconf interface=ether2 network=192.168.7.0
/ip cloud
set ddns-update-interval=30m update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
# NOTE(review): this second DHCP client has no interface= either — presumably the 3G
# uplink; confirm which interface actually obtains the public/grey address.
add dhcp-options=hostname,clientid disabled=no
/ip dhcp-server network
add address=192.168.7.0/24 comment=defconf gateway=192.168.7.1 netmask=24
/ip dns
# The router answers DNS queries for other hosts. This is only safe while the input
# chain still drops traffic that is not from the LAN list; with the blanket
# "accept chain=input" rule in the firewall filter enabled, the router becomes an
# open resolver on the 3G/internet side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.7.1 name=router.lan
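/ip firewall filter
# Troubleshooting switches. While enabled, these two rules sit in front of every defconf
# rule and accept everything on input and output, so the rest of the input chain is never
# evaluated and every service the router listens on (DNS with allow-remote-requests=yes
# included) is reachable from the 3G/internet side. The output-chain rule has no effect
# at all (the default output policy is already accept). Both are kept disabled; enable
# only for a short test and disable again.
add action=accept chain=input comment="troubleshooting: accept all input (keep disabled)" \
disabled=yes
add action=accept chain=output comment="troubleshooting: accept all output (keep disabled)" \
disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Traffic arriving from the office through the tunnel (e.g. the Zywall side pinging
# 192.168.101.5) comes in on l2tp-out1, which is not in the LAN list and would hit the
# drop rule below. Accept it explicitly instead of opening the whole input chain.
add action=accept chain=input comment="accept from office L2TP tunnel" \
in-interface=l2tp-out1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# Only interfaces in the WAN list are covered by this rule; the forward chain has no
# final drop, so new connections from any other interface (l2tp-out1 included) are allowed.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN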
/ip firewall nat
# The defconf masquerade towards the WAN list is disabled, so this router does not NAT
# LAN hosts to the internet. NOTE(review): confirm the 3G modem does that, otherwise the
# LAN has no internet access at all.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
# LAN -> office traffic is source-NATed to the tunnel address (192.168.101.5). This is
# why the office side only ever sees "the MikroTik" and not the 192.168.7.x hosts, and
# — as long as the Zywall has no route to 192.168.7.0/24 — why nothing in the office can
# initiate connections to them. To expose the LAN, the Zywall needs a route for
# 192.168.7.0/24 via this tunnel and this rule has to go. If the Zywall cannot route to
# the client LAN, this masquerade is the workaround and the observed symptom is expected.
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 out-interface=\
all-ppp src-address=192.168.7.0/24
/ip route
# Office LAN (192.168.100.0/24) via the tunnel, sourced from the tunnel address.
# check-gateway=ping withdraws the route while the tunnel peer stops answering;
# distance=2 lets a lower-distance route for the same prefix take precedence.
add check-gateway=ping distance=2 dst-address=192.168.100.0/24 gateway=\
l2tp-out1 pref-src=192.168.101.5
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik
/tool mac-server
# MAC-telnet and MAC-Winbox are reachable only from LAN-list interfaces
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN