ipsec шифрование
Добавлено: 04 окт 2016, 23:07
izavtraman
Имеется сеть с главным офисом и тремя филиалами. Настроил IPsec: трафик между главным офисом и филиалами шифруется, но между филиалами шифрование настроить не получается — трафик между филиалами идёт открытым. Как заставить его шифроваться? Ниже — экспорт конфигурации главного офиса и трёх филиалов.


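# ---- Hub (main office) ---------------------------------------------------------
# Why branch<->branch traffic crossed in the clear: the hub only carried policies
# for 192.168.0.0/24 <-> each branch LAN. A packet 192.168.1.0/24 -> 192.168.2.0/24
# arriving over L2TP matched no policy here and was simply routed on; a branch
# whose peer has no generate-policy (Branch2) never received a dynamic one either.
# Fix: explicit transit policies for every ordered branch pair, with dynamic
# policy generation switched off, so both ends hold static, mirrored selectors.
#
# NOTE(review): the IPsec peers sit on the PPP addresses (172.0.0.x), i.e. IKE and
# ESP run *inside* the L2TP tunnel and only policy-matched traffic is protected.
# The L2TP session itself (including the MS-CHAPv2 exchange, which can be attacked
# offline if captured) and OSPF on 172.0.0.0/24 cross the WAN unprotected.
# Protecting the whole tunnel instead -- `/interface l2tp-server server set
# use-ipsec=required ipsec-secret=...` here and `use-ipsec=yes` on the clients --
# would cover all of that without per-subnet policies. Not applied here because it
# moves the IPsec endpoints to the WAN addresses (10.0.x.2); verify before switching.
# No /ip firewall filter and no OSPF interface authentication appear in this
# export -- confirm both exist on the live devices.
/ip ipsec proposal
# 3DES dropped: every peer in this export lists aes-256 first, so nothing needs it.
# Consider auth-algorithms=sha256 and pfs-group=modp2048 if all sites support them.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
/ppp profile
# presumably the built-in default-encryption profile used by the secrets below
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=1.1.1.1 name=area1
/routing ospf instance
set [ find default=yes ] router-id=1.1.1.1
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
# Site-to-site traffic is accepted ahead of masquerade so the LAN source address
# survives to IPsec policy matching. Transit traffic between branches leaves via
# the L2TP interfaces, not ether1, so the masquerade rule does not touch it.
add action=accept chain=srcnat dst-address=192.168.1.0/24 log-prefix="" src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 log-prefix="" src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 log-prefix="" src-address=192.168.0.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 src-address=192.168.0.0/24
/ip ipsec peer
# address narrowed from 0.0.0.0/0 to the PPP range the branches actually use (their
# own peers already pin 172.0.0.1/32); with a PSK, 0.0.0.0/0 accepts IKE from any
# host that can reach UDP/500 on any interface.
# generate-policy=no: static policies now exist on both sides, and dynamic policy
# generation lets anyone holding the PSK install arbitrary selectors on the hub.
# SECURITY: secret=123456 is a trivially guessable PSK shared by all four sites.
# Replace it with a long random value before deployment (a distinct secret per
# branch is possible by adding one peer entry per branch /32).
add address=172.0.0.0/24 enc-algorithm=aes-256,aes-192 exchange-mode=main-l2tp generate-policy=no local-address=172.0.0.1 secret=123456
/ip ipsec policy
# Hub LAN <-> each branch LAN (unchanged).
add dst-address=192.168.1.0/24 sa-dst-address=172.0.0.2 sa-src-address=172.0.0.1 src-address=192.168.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=172.0.0.3 sa-src-address=172.0.0.1 src-address=192.168.0.0/24 tunnel=yes
add dst-address=192.168.3.0/24 sa-dst-address=172.0.0.4 sa-src-address=172.0.0.1 src-address=192.168.0.0/24 tunnel=yes
# Branch <-> branch transit through the hub. For each ordered pair Y -> X the SA
# points at branch X (sa-dst = X's PPP address); the same entry also decrypts
# X -> Y traffic arriving from X. Each needs its mirror on branch X:
#   src=<X LAN> dst=<Y LAN> sa-src=<X PPP> sa-dst=172.0.0.1 tunnel=yes
add dst-address=192.168.1.0/24 sa-dst-address=172.0.0.2 sa-src-address=172.0.0.1 src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.1.0/24 sa-dst-address=172.0.0.2 sa-src-address=172.0.0.1 src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=172.0.0.3 sa-src-address=172.0.0.1 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=172.0.0.3 sa-src-address=172.0.0.1 src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.3.0/24 sa-dst-address=172.0.0.4 sa-src-address=172.0.0.1 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.3.0/24 sa-dst-address=172.0.0.4 sa-src-address=172.0.0.1 src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.0.1
/ppp secret
# SECURITY: all three branch accounts share the password Zz123456 -- use a distinct
# random password per branch. Remember MS-CHAPv2 runs over the unprotected L2TP
# session in this design (see header).
add local-address=172.0.0.1 name=client1 password=Zz123456 profile=default-encryption remote-address=172.0.0.2 service=l2tp
add local-address=172.0.0.1 name=client2 password=Zz123456 profile=default-encryption remote-address=172.0.0.3 service=l2tp
add local-address=172.0.0.1 name=client3 password=Zz123456 profile=default-encryption remote-address=172.0.0.4 service=l2tp
/routing ospf network
# OSPF over 172.0.0.0/24 is not covered by any policy above -- it travels in the
# clear inside L2TP; add OSPF interface authentication or protect the tunnel.
add area=backbone network=172.0.0.0/24
add area=area1 network=192.168.0.0/24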
# NOTE(review): this is a second paste of the hub export above, starting one line
# in: the `/ip ipsec proposal` menu line is missing, so if this text were run as
# one script the next `set` would execute in the `/routing ospf network` menu
# left open by the preceding block and fail. Treat it as a duplicate.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,3des
/ppp profile
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=1.1.1.1 name=area1
/routing ospf instance
set [ find default=yes ] router-id=1.1.1.1
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 log-prefix="" \
src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 log-prefix="" \
src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 log-prefix="" \
src-address=192.168.0.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 \
src-address=192.168.0.0/24
/ip ipsec peer
# SECURITY: 0.0.0.0/0 peer with the weak shared PSK 123456 and dynamic policy
# generation -- any host reaching UDP/500 with this PSK can negotiate.
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-192,3des exchange-mode=\
main-l2tp generate-policy=port-override local-address=172.0.0.1 secret=\
123456
/ip ipsec policy
# Only hub-LAN <-> branch-LAN selectors; no hub-side policy exists for
# branch-to-branch transit, which is why that traffic is forwarded in the clear.
add dst-address=192.168.1.0/24 sa-dst-address=172.0.0.2 sa-src-address=\
172.0.0.1 src-address=192.168.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=172.0.0.3 sa-src-address=\
172.0.0.1 src-address=192.168.0.0/24 tunnel=yes
add dst-address=192.168.3.0/24 sa-dst-address=172.0.0.4 sa-src-address=\
172.0.0.1 src-address=192.168.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.0.1
/ppp secret
# SECURITY: one password (Zz123456) shared by all three branch accounts.
add local-address=172.0.0.1 name=client1 password=Zz123456 profile=\
default-encryption remote-address=172.0.0.2 service=l2tp
add local-address=172.0.0.1 name=client2 password=Zz123456 profile=\
default-encryption remote-address=172.0.0.3 service=l2tp
add local-address=172.0.0.1 name=client3 password=Zz123456 profile=\
default-encryption remote-address=172.0.0.4 service=l2tp
/routing ospf network
add area=backbone network=172.0.0.0/24
add area=area1 network=192.168.0.0/24
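# ---- Branch1 (LAN 192.168.1.0/24, PPP 172.0.0.2) -------------------------------
# Changes: explicit policies to the hub LAN and to every other branch LAN, dynamic
# policy generation off, 3DES dropped. Each policy below needs its mirror on the
# hub (src=<that LAN> dst=192.168.1.0/24 sa-src=172.0.0.1 sa-dst=172.0.0.2).
# The hub-LAN policy was absent in the original; hub<->branch presumably only
# worked because the hub initiated and generate-policy created it dynamically.
/interface l2tp-client
# The L2TP session runs directly over the WAN (connect-to=10.0.0.2) with no
# use-ipsec, so MS-CHAPv2 and anything not matched by an IPsec policy (OSPF on
# 172.0.0.0/24) are exposed. SECURITY: password Zz123456 is shared by all branches.
add allow=mschap2 connect-to=10.0.0.2 disabled=no mrru=1600 name=l2tp-out1 password=Zz123456 user=client1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# 3DES dropped; aes-256 is listed first everywhere so interoperability is kept.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
/ppp profile
# presumably the built-in default-encryption profile
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=2.2.2.2 name=area2
/routing ospf instance
set [ find default=yes ] router-id=2.2.2.2
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=10.0.1.2/24 interface=ether1 network=10.0.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
# Traffic to other sites leaves via l2tp-out1, not ether1, so masquerade does not
# apply to it; the accept rule keeps the LAN source intact for policy matching.
add action=accept chain=srcnat dst-address=192.168.0.0/24 log-prefix="" src-address=192.168.1.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 src-address=192.168.1.0/24
/ip ipsec peer
# generate-policy=no: all selectors are static now.
# SECURITY: secret=123456 is a weak PSK shared by every site -- replace before use.
add address=172.0.0.1/32 enc-algorithm=aes-256,aes-192 exchange-mode=main-l2tp generate-policy=no local-address=172.0.0.2 secret=123456
/ip ipsec policy
# to hub LAN
add dst-address=192.168.0.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.2 src-address=192.168.1.0/24 tunnel=yes
# to Branch2 / Branch3 LANs, encrypted to the hub which re-encrypts towards them
add dst-address=192.168.2.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.2 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.3.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.2 src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.1.1
/routing ospf network
# not covered by any IPsec policy -- plaintext inside the L2TP session
add area=backbone network=172.0.0.0/24
add area=area2 network=192.168.1.0/24
/system identity
set name=Branch1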
# NOTE(review): duplicate paste of the Branch1 export above, starting one line in;
# the `/interface l2tp-client` menu line is missing, so as printed this `add` would
# run in the `/routing ospf network` menu left open by the preceding block.
add allow=mschap2 connect-to=10.0.0.2 disabled=no mrru=1600 name=l2tp-out1 \
password=Zz123456 user=client1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,3des
/ppp profile
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=2.2.2.2 name=area2
/routing ospf instance
set [ find default=yes ] router-id=2.2.2.2
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=10.0.1.2/24 interface=ether1 network=10.0.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 log-prefix="" \
src-address=192.168.1.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 \
src-address=192.168.1.0/24
/ip ipsec peer
add address=172.0.0.1/32 enc-algorithm=aes-256,aes-192,3des exchange-mode=\
main-l2tp generate-policy=port-override local-address=172.0.0.2 secret=\
123456
/ip ipsec policy
# Only one static policy (to Branch2's LAN); no policy to the hub LAN or to
# Branch3, so those flows depend on dynamic policies or go in the clear.
add dst-address=192.168.2.0/24 sa-dst-address=172.0.0.1 sa-src-address=\
172.0.0.2 src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.1.1
/routing ospf network
add area=backbone network=172.0.0.0/24
add area=area2 network=192.168.1.0/24
/system identity
set name=Branch1
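# ---- Branch2 (LAN 192.168.2.0/24, PPP 172.0.0.3) -------------------------------
# Changes: the `dst-address=0.0.0.0/24` policy is removed -- that prefix covers
# only 0.0.0.0-0.0.0.255, so it never matched anything (0.0.0.0/0 was probably
# meant, but a catch-all selector would need a hub-side mirror and NAT on the
# hub). Explicit policies to Branch1 and Branch3 are added instead; this peer had
# no generate-policy, so branch-to-branch traffic here had no selector at all
# and was forwarded in the clear. 3DES dropped from the peer.
# Each policy needs its hub mirror (src=<that LAN> dst=192.168.2.0/24
# sa-src=172.0.0.1 sa-dst=172.0.0.3).
/interface l2tp-client
# L2TP runs over the WAN without use-ipsec; MS-CHAPv2 and OSPF are exposed.
# SECURITY: password Zz123456 is shared by all branches.
add allow=mschap2 connect-to=10.0.0.2 disabled=no mrru=1600 name=l2tp-out1 password=Zz123456 user=client2
/ppp profile
# presumably the built-in default-encryption profile
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=3.3.3.3 name=area3
/routing ospf instance
set [ find default=yes ] router-id=3.3.3.3
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=10.0.2.2/24 interface=ether1 network=10.0.2.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall nat
# Inter-site traffic leaves via l2tp-out1, so masquerade on ether1 does not apply.
add action=accept chain=srcnat dst-address=192.168.0.0/24 log-prefix="" src-address=192.168.2.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 src-address=192.168.2.0/24
/ip ipsec peer
# No /ip ipsec proposal section appears in this export, so the default proposal is
# in use -- confirm it agrees with the hub's (aes-256-cbc first).
# SECURITY: secret=123456 is a weak PSK shared by every site -- replace before use.
add address=172.0.0.1/32 enc-algorithm=aes-256,aes-192 exchange-mode=main-l2tp local-address=172.0.0.3 secret=123456
/ip ipsec policy
# to hub LAN
add dst-address=192.168.0.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.3 src-address=192.168.2.0/24 tunnel=yes
# to Branch1 / Branch3 LANs via the hub (replaces the ineffective 0.0.0.0/24 entry)
add dst-address=192.168.1.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.3 src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.3.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.3 src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.2.1
/routing ospf network
# not covered by any IPsec policy -- plaintext inside the L2TP session
add area=backbone network=172.0.0.0/24
add area=area3 network=192.168.2.0/24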
# NOTE(review): duplicate paste of the Branch2 export above, starting one line in;
# the `/interface l2tp-client` menu line is missing, so as printed this `add` would
# run in the `/routing ospf network` menu left open by the preceding block.
add allow=mschap2 connect-to=10.0.0.2 disabled=no mrru=1600 name=l2tp-out1 \
password=Zz123456 user=client2
/ppp profile
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=3.3.3.3 name=area3
/routing ospf instance
set [ find default=yes ] router-id=3.3.3.3
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=10.0.2.2/24 interface=ether1 network=10.0.2.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 log-prefix="" \
src-address=192.168.2.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 \
src-address=192.168.2.0/24
/ip ipsec peer
# This peer has no generate-policy, so only the static policies below apply.
add address=172.0.0.1/32 enc-algorithm=aes-256,aes-192,3des exchange-mode=\
main-l2tp local-address=172.0.0.3 secret=123456
/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=172.0.0.1 sa-src-address=\
172.0.0.3 src-address=192.168.2.0/24 tunnel=yes
# dst 0.0.0.0/24 covers only 0.0.0.0-0.0.0.255 and never matches real traffic;
# nothing here selects the other branch LANs, so they are reached in the clear.
add dst-address=0.0.0.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.3 \
src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.2.1
/routing ospf network
add area=backbone network=172.0.0.0/24
add area=area3 network=192.168.2.0/24
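# ---- Branch3 (LAN 192.168.3.0/24, PPP 172.0.0.4) -------------------------------
# Changes: explicit policies to Branch1 and Branch2 LANs added (the original only
# selected the hub LAN, so branch-to-branch traffic had no selector and was
# forwarded in the clear), dynamic policy generation off, 3DES dropped.
# Each policy needs its hub mirror (src=<that LAN> dst=192.168.3.0/24
# sa-src=172.0.0.1 sa-dst=172.0.0.4).
/interface l2tp-client
# L2TP runs over the WAN without use-ipsec; MS-CHAPv2 and OSPF are exposed.
# SECURITY: password Zz123456 is shared by all branches.
add allow=mschap2 connect-to=10.0.0.2 disabled=no mrru=1600 name=l2tp-out1 password=Zz123456 user=client3
/ppp profile
# presumably the built-in default-encryption profile
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=4.4.4.4 name=area4
/routing ospf instance
set [ find default=yes ] router-id=4.4.4.4
/ip address
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
add address=10.0.3.2/24 interface=ether1 network=10.0.3.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall nat
# Inter-site traffic leaves via l2tp-out1, so masquerade on ether1 does not apply.
add action=accept chain=srcnat dst-address=192.168.0.0/24 log-prefix="" src-address=192.168.3.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 src-address=192.168.3.0/24
/ip ipsec peer
# generate-policy=no: all selectors are static now.
# No /ip ipsec proposal section appears in this export, so the default proposal is
# in use -- confirm it agrees with the hub's (aes-256-cbc first).
# SECURITY: secret=123456 is a weak PSK shared by every site -- replace before use.
add address=172.0.0.1/32 enc-algorithm=aes-256,aes-192 exchange-mode=main-l2tp generate-policy=no local-address=172.0.0.4 secret=123456
/ip ipsec policy
# to hub LAN
add dst-address=192.168.0.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.4 src-address=192.168.3.0/24 tunnel=yes
# to Branch1 / Branch2 LANs via the hub
add dst-address=192.168.1.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.4 src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=172.0.0.1 sa-src-address=172.0.0.4 src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.3.1
/routing ospf network
# not covered by any IPsec policy -- plaintext inside the L2TP session
add area=backbone network=172.0.0.0/24
add area=area4 network=192.168.3.0/24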
# NOTE(review): duplicate paste of the Branch3 export above, starting one line in;
# the `/interface l2tp-client` menu line is missing, so as printed this `add` would
# run in the `/routing ospf network` menu left open by the preceding block.
add allow=mschap2 connect-to=10.0.0.2 disabled=no mrru=1600 name=l2tp-out1 \
password=Zz123456 user=client3
/ppp profile
set *FFFFFFFE use-compression=yes
/routing ospf area
add area-id=4.4.4.4 name=area4
/routing ospf instance
set [ find default=yes ] router-id=4.4.4.4
/ip address
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
add address=10.0.3.2/24 interface=ether1 network=10.0.3.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 log-prefix="" \
src-address=192.168.3.0/24
add action=masquerade chain=srcnat log-prefix="" out-interface=ether1 \
src-address=192.168.3.0/24
/ip ipsec peer
add address=172.0.0.1/32 enc-algorithm=aes-256,aes-192,3des exchange-mode=\
main-l2tp generate-policy=port-override local-address=172.0.0.4 secret=\
123456
/ip ipsec policy
# Only the hub LAN is selected; traffic to 192.168.1.0/24 and 192.168.2.0/24
# matches no policy here and leaves in the clear.
add dst-address=192.168.0.0/24 sa-dst-address=172.0.0.1 sa-src-address=\
172.0.0.4 src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.3.1
/routing ospf network
add area=backbone network=172.0.0.0/24
add area=area4 network=192.168.3.0/24