Hello,
I wanted to ask: I built an IPSEC tunnel according to this configuration, only using IKEv2, but my packets do not get through to the other site. From the other site to mine they do, but from me they don't. I have the NAT bypass set up; on the other side, facing my MikroTik, is a ZyXEL USG40. On that side both directions are allowed on the firewall. Do you know where else the problem could be hiding?
Thank you
https://systemzone.net/mikrotik-site-to ... ith-ipsec/
❗️This is the original version of the ISPforum.cz internet forum, as it existed until February 2020, without the possibility of registering new users. The active version of the forum can be found at https://telekomunikace.cz
SITE to SITE IPSEC IKEv2 Tunnel
Do you think there should be a route there? Or is this enough?
NAT Bypass Rule Configuration in Office 1 Router
The following steps show the configuration of the NAT Bypass rule in the Office 2 RouterOS.
Go to IP > Firewall, click on the NAT tab and then click on the PLUS SIGN (+). A New NAT Rule window will appear.
In the General tab, choose srcnat from the Chain dropdown menu.
Put Office 2 Router's LAN network (10.10.12.0/24), which wants to communicate with Office 1 Router, in the Src. Address input field.
Put Office 1 Router's LAN network (10.10.11.0/24), which Office 2 Router wants to reach, in the Dst. Address input field.
Click on the Action tab and choose the accept option from the Action dropdown menu.
Click the Apply and OK buttons.
Your newly created rule will be available in the list table. Now place this rule in the first position by drag and drop, otherwise this rule will not work.
- sub_zero
If it is Policy-Based IPsec (which MikroTik is), no route is needed.
Do you really have that NAT exception at the very top? Is there no other NAT rule before it (masquerade and the like)?
If you say something cannot be done, it means you don't know how to do it.
Jirka Lazorčák
PS: That photo is old, I have put on 15 kilos since..
There is nothing before this exception - it is the first rule. Could the problem still be somewhere in the tunnel settings?
Thank you
# Phase 2 (IPsec SA) proposal: AES-256 with SHA-256 integrity
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-256-gcm
/ip address
add address=X.X.X.X interface=ether1 network=X.X.X.X
add address=X.X.X.X interface="MY_LAN" network=X.X.X.X
# NAT bypass: accept LAN-to-remote-LAN traffic; must sit above any masquerade rule
/ip firewall nat
add action=accept chain=srcnat dst-address=LAN ON THE SECOND SIDE OF THE TUNNEL src-address=\
MY_LAN
# Phase 1 (IKEv2) peer: DH groups, AES-256/SHA-256, pre-shared key, DPD every 10 s
/ip ipsec peer
add address=SECOND ROUTER IP_WAN dh-group="ecp256,ecp384,ecp521,ec2n185,ec2n155,modp\
8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768" \
dpd-interval=10s enc-algorithm=aes-256 exchange-mode=ike2 \
generate-policy=port-override hash-algorithm=sha256 notrack-chain=\
prerouting port=500 secret="x"
# Policy selectors (local/remote LAN) must mirror the subnets configured on the ZyXEL
/ip ipsec policy
add dst-address=LAN ON THE SECOND SIDE OF THE TUNNEL sa-dst-address=SECOND ROUTER IP_WAN sa-src-address=\
MY_WAN src-address=MY_LAN tunnel=yes
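An added check, not from the thread and not MikroTik code, that parses a RouterOS export like the one above and verifies what sub_zero asks: that a srcnat accept (bypass) rule exists for each tunnel policy's src/dst selectors and is ordered before any masquerade or src-nat rule. The sample exports are constructed with the thread's LAN prefixes (10.10.11.0/24, 10.10.12.0/24) and documentation-range WAN addresses.

```python
import shlex

# Constructed sample (not from the thread): masquerade sits ABOVE the bypass rule,
# so LAN traffic is rewritten before the IPsec policy can match it.
BROKEN_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=10.10.11.0/24 src-address=\\
    10.10.12.0/24
/ip ipsec policy
add dst-address=10.10.11.0/24 sa-dst-address=198.51.100.1 sa-src-address=\\
    203.0.113.1 src-address=10.10.12.0/24 tunnel=yes
"""
# Same export with the bypass dragged to position 0, as the replies advise.
FIXED_EXPORT = BROKEN_EXPORT.replace(
    "add action=masquerade chain=srcnat out-interface=ether1\n", "").replace(
    "/ip ipsec policy", "add action=masquerade chain=srcnat out-interface=ether1\n/ip ipsec policy")

def parse_export(text):
    """Return (section, command, {key: value}) per entry of a RouterOS export,
    joining backslash-continued lines the way /export prints them."""
    entries, section, buf = [], None, ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("\\"):            # continuation: join with the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):           # menu path, e.g. /ip firewall nat
            section = line
        elif line and not line.startswith("#"):
            words = shlex.split(line)      # honours quoted values such as dh-group="..."
            kv = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            entries.append((section, words[0], kv))
    return entries

def check_nat_bypass(entries):
    """Return findings (empty list = OK). Each tunnel policy needs a srcnat accept
    rule with the same src/dst selectors placed before any rule that rewrites the
    source (masquerade/src-nat), because NAT is evaluated top-down, first match wins."""
    srcnat = [kv for sec, cmd, kv in entries if sec == "/ip firewall nat"
              and cmd == "add" and kv.get("chain") == "srcnat"]
    policies = [kv for sec, cmd, kv in entries if sec == "/ip ipsec policy"
                and cmd == "add" and kv.get("tunnel") == "yes"]
    rewriting = [i for i, r in enumerate(srcnat) if r.get("action") in ("masquerade", "src-nat")]
    findings = []
    for pol in policies:
        sel = (pol.get("src-address"), pol.get("dst-address"))
        bypass = [i for i, r in enumerate(srcnat) if r.get("action") == "accept"
                  and (r.get("src-address"), r.get("dst-address")) == sel]
        if not bypass:
            findings.append(f"no srcnat accept rule for {sel[0]} -> {sel[1]}")
        elif rewriting and rewriting[0] < bypass[0]:
            findings.append(f"bypass for {sel[0]} -> {sel[1]} sits at position "
                            f"{bypass[0]}, below a {srcnat[rewriting[0]]['action']} rule")
    return findings
```

Run it against your own `/export` output (with real prefixes in place of the placeholders) to confirm the ordering; a rule that matches only on interfaces before the bypass is flagged conservatively, since it can still rewrite tunnel traffic.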