Traffic is flowing, I'm pinging from stations behind the routers, I'm not using NAT-T, and I have both sites routed by the ISP.
R1:
ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x2C7B053 src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="adb40c3ce3df33724624f67dc2e2be49"
enc-key="ebe66e0cb0e39fe9f81805725eae67ea70614507613f9958" add-lifetime=24m/30m
1 E spi=0x728D28D src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="b8d47033ef6820f7f7cf5cfefbea82f8"
enc-key="b865f86e76e27fa634082e6d2283d20bcb83fa42fbe3001e" addtime=mar/24/2014 09:43:59
expires-in=17m4s add-lifetime=24m/30m current-bytes=8118
Flags: X - disabled
ip ipsec peer print
0 address=2.2.2.2/32 local-address=1.1.1.1 passive=no port=500 auth-method=pre-shared-key
secret="AjPiSek" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=5
ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 src-address=10.1.0.0/20 src-port=any dst-address=10.0.0.0/18 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2
proposal=default priority=0
R2:
ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x2C7B053 src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="adb40c3ce3df33724624f67dc2e2be49"
enc-key="ebe66e0cb0e39fe9f81805725eae67ea70614507613f9958" addtime=mar/24/2014 10:43:59
expires-in=16m50s add-lifetime=24m/30m current-bytes=9138
1 E spi=0x728D28D src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="b8d47033ef6820f7f7cf5cfefbea82f8"
enc-key="b865f86e76e27fa634082e6d2283d20bcb83fa42fbe3001e" addtime=mar/24/2014 10:43:59
expires-in=16m50s add-lifetime=24m/30m current-bytes=8118
Flags: X - disabled
ip ipsec peer print
0 address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key
secret="AjPiSek" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=5
ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.0/18 src-port=any dst-address=10.1.0.0/20 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1
proposal=default priority=0
In the firewall I have protocols 50 and 51 and UDP (port 500) allowed on the router's input.
One more thing: with R1, when I ping, there is an IP address in the provider's network from the range of the site I want to connect to (the one behind R2), but IPsec should take care of that, right?
// Or tell me what specifically I should post here, or if you had a weak moment I could send you a link to the demos.