IPSEC pomoc pri nastaveni...

[fidosoft]

Dobry den, mam na Vas prosbu. Mam dva MK 493G ruzne pohozene v Brne. zatim je mam spojene pres EOIP (funguje bez problemu), ale jsem "stoural" a chci mezi nema rozbehnout IPSEC... Podotykam ze maji stejnou verzi verzi firmware 5.14. Problem je v to, ze MK si klice vymeni ale nemuzu se mezi nema kdyz vypnu EOIP dopingat. Nat podle mne mam nastaven. Uz jsem zkousel co mne napadlo prostudoval jsem toho "mraky", ale nikam to zatim nevedlo .. Muze mi pls nekdo pomoct...

Konfigurace MK1...
wan:78.102.108.26
lan: 192.168.2.0/24

MK2:
wan: 83.240.6.140
lan: 192.168.144.0/24

Nastaveni mk1
/ip firewall nat
add chain=srcnat out-interface=01_UPC_internet action=masquerade
/ip ipsec peer
add address=83.240.6.140 port=500 auth-method=pre-shared-key secret="testtest"
/ip ipsec policy
add src-address=192.168.2.0/24 src-port=any dst-address=192.168.144.146.0/24 dst-port=any \
sa-src-address=78.102.108.26 sa-dst-address=83.240.6.140 \
tunnel=yes action=encrypt proposal=default
/ip firewall filter add action=accept \ chain=input dst-port=500 protocol=udp
/ip firewall filter add action=accept \ chain=forward dst-address=192.168.144.146.0/24 src-address=192.168.2.0/24
/ip firewall filter add action=accept \ chain=forward dst-address=192.168.2.0/24 src-address=192.168.144.146.0/24
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.2.0/24 dst-address=192.168.144.146.0/24


Nasteveni mk2
/ip firewall nat
add chain=srcnat out-interface=gateway action=masquerade
/ip ipsec peer
add address=78.102.108.26 port=500 auth-method=pre-shared-key secret="testtest"
/ip ipsec policy
add src-address=192.168.144.146.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any \
sa-src-address=83.240.6.140 sa-dst-address=78.102.108.26 \
tunnel=yes action=encrypt proposal=default
/ip firewall filter add action=accept \ chain=input dst-port=500 protocol=udp
/ip firewall filter add action=accept \ chain=forward dst-address=192.168.144.146.0/24 src-address=192.168.2.0/24
/ip firewall filter add action=accept \ chain=forward dst-address=192.168.2.0/24 src-address=192.168.144.146.0/24
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.2.0/24 dst-address=192.168.144.146.0/24

[sub_zero]

u nastavení MK2 máš špatně to poslední pravidlo (accept v NATu). Ale je možný, že to je jen chyba CTRL+C a CTRL+V
My máme de fakto stejnou konfiguraci, jen máme v peeru zaškrtnuto i NAT Traversal, což u Tebe nevidím.

[fidosoft]

pls myslis toto prehodit dst addres a dst addres...
MK2
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.2.0/24 dst-address=192.168.144.146.0/24

po uprave

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.144.146.0/24 dst-address=192.168.2.0/24

Zkousel jsem i nat travesal ale bez nejakeho uspechu... pls ma to tak byt.... dik za info

[sub_zero]

ano, ten NAT uz mas spravne. A taky bacha na to, ze pokud to mas spojeno jen IPsecem, mezi tema routerama si nedopingas! Tzn, vyzkousej pingat z nejakyho PC v LAN1 na jiny PC v LAN2.

[fidosoft]

no to je ale blbustka. skusim to a dam vedet dikec...

[fidosoft]

Tak bud jsem dlbe cetl nebo jsem uplny trotl ale ani ve snu mne nenapadlo ze ping z MK1 nebo MK2 nepojede i kdyz bylo navazane spojeni ...
Po pingu z pc 1 spojeni navazano /ip ipsec remote-peers print "state=established" a /ip ipsec installed-sa print detail "state=mature" ... takze moc dik

pro informaci pro ostatny fungujici nastaveni MK1 A MK2 Povoleni 4500 udp neni nutna aspon ne u naseho spojeni
MK2
/ip firewall nat add chain=srcnat out-interface=gateway action=masquerade
/ip ipsec peer add address=78.102.108.26 port=500 auth-method=pre-shared-key secret="testtest"
/ip ipsec policy add src-address=192.168.144.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any \
sa-src-address=83.240.6.140 sa-dst-address=78.102.108.26 \ tunnel=yes action=encrypt proposal=default
/ip firewall filter add action=accept \ chain=input dst-port=500 protocol=udp
/ip firewall filter add action=accept \ chain=forward dst-address=192.168.144.0/24 src-address=192.168.2.0/24
/ip firewall nat add chain=srcnat action=accept place-before=0 \ src-address=192.168.144.0/24 dst-address=192.168.2.0/24
/ip firewall filter add action=accept \ chain=input dst-port=4500 protocol=udp
/ip firewall filter add action=accept \ chain=input protocol=50

MK1
/ip firewall nat add chain=srcnat out-interface=01_UPC_internet action=masquerade
/ip ipsec peer add address=83.240.6.140 port=500 auth-method=pre-shared-key secret="testtest"
/ip ipsec policy add src-address=192.168.2.0/24 src-port=any dst-address=192.168.144.0/24 dst-port=any \
sa-src-address=78.102.108.26 sa-dst-address=83.240.6.140 \ tunnel=yes action=encrypt proposal=default
/ip firewall filter add action=accept \ chain=input dst-port=500 protocol=udp
/ip firewall filter add action=accept \ chain=forward dst-address=192.168.144.0/24 src-address=192.168.2.0/24
/ip firewall filter add action=accept \ chain=forward dst-address=192.168.2.0/24 src-address=192.168.144.0/24
/ip firewall nat add chain=srcnat action=accept place-before=0 \ src-address=192.168.2.0/24 dst-address=192.168.144.0/24
/ip firewall filter add action=accept \ chain=input dst-port=4500 protocol=udp
/ip firewall filter add action=accept \ chain=input protocol=50

[sub_zero]

ano.. "state=mature" je ten spravnej stav