Помогите решить проблему с ipsec

sapanovskiy
Сообщения: 13
Зарегистрирован: 14 июн 2019, 17:08

Помогите решить проблему с ipsec

Сообщение sapanovskiy »

Добрый день, форумчане!!! Помогите разобраться вот с такой ситуацией (Имеются 2 офиса с одинаковой IP-адресацией, настроен ipsec и вроде бы как работает, но не пингуется ip второго офиса.) Подскажите, в чём может быть проблема, куда копать? Скриншоты прилагаются.
Chupaka
Сообщения: 4088
Зарегистрирован: 29 фев 2016, 15:26
Откуда: Минск

Re: Помогите решить проблему с ipsec

Сообщение Chupaka »

Здравствуйте.

Скриншоты текста - это вообще гениально :) Чтобы никто не мог скопировать или процитировать?


# RouterOS: print the running configuration with sensitive values (passwords, keys, secrets) omitted
/export hide-sensitive
Что значит "вроде бы как работает, но не пингуется"? Т.е. в целом, если не брать в расчёт пинг, пакетики бегают нормально? А что это за IP? Там файрвол на машине самой мешать не может?
sapanovskiy
Сообщения: 13
Зарегистрирован: 14 июн 2019, 17:08

Re: Помогите решить проблему с ipsec

Сообщение sapanovskiy »

Да нет, просто сразу и не подумал, что весь конфиг понадобится

# model = RB4011iGS+


# --- Site A (RB4011) export, part 1: wireless controller, LAN bridge, uplinks ---
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz frequency=2462,2437,2412 name=channel2 reselect-interval=1d tx-power=15
add band=5ghz-onlyac control-channel-width=20mhz frequency=5180,5220,5745,5785,5300,5680 name=channel5 tx-power=17

/interface bridge
# Single LAN bridge; spanning tree is off (protocol-mode=none).
add name=bridge-br1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=lan1
set [ find default-name=ether3 ] name=lan2
set [ find default-name=ether4 ] name=lan3
set [ find default-name=ether5 ] name=lan4
set [ find default-name=ether7 ] name=lan5
set [ find default-name=ether8 ] name=lan6
set [ find default-name=ether9 ] name=lan7
set [ find default-name=ether10 ] name=lan8
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# wan1 carries the PPPoE uplink (next section); wan2 gets a static address further down in the export.
set [ find default-name=ether1 ] name=wan1
set [ find default-name=ether6 ] name=wan2
/interface pppoe-client
# PPPoE uplink that installs the default route.
# NOTE(review): the user= value below looks like an e-mail-obfuscation placeholder left by the page
# capture rather than the real login — treat it as redacted.
add add-default-route=yes disabled=no interface=wan1 name=Beltelecom service-name=Beltelecom use-peer-dns=yes user=\
    [email protected]
/caps-man datapath
add bridge=bridge-br1 client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man rates
add basic=48Mbps,54Mbps name=rate1
/caps-man security
# WPA2-PSK with AES-CCM only (no TKIP); group key rotated every hour.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security1
/caps-man configuration
# NOTE(review): on the continuation line of cfg2 the token before `security1` appears to be missing
# (compare `security=\` in cfg5) — most likely a paste defect in the post, as RouterOS would reject it.
add channel=channel2 country="united states" datapath=datapath1 distance=indoors mode=ap name=cfg2 rates=rate1 rx-chains=0,1,2,3 \
   security1 ssid=Clever tx-chains=0,1,2,3
add channel=channel5 country="united states" datapath=datapath1 distance=indoors mode=ap name=cfg5 rx-chains=0,1,2,3 security=\
    security1 ssid=Clever5 tx-chains=0,1,2,3

# --- Site A export, part 2: switch ports, IPsec phase 1/2 parameters, pools, queues, CAPsMAN ---
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=policy_group
/ip ipsec profile
# IKE (phase 1) parameters for the site-to-site peer.
# NOTE(review): modp1024 (DH group 2) is below current recommendations (modp2048 or an ECP group);
# nat-traversal=no disables UDP/4500 encapsulation, which only works while neither end sits behind NAT.
add dh-group=modp1024 enc-algorithm=aes-256 name=ABB-profile nat-traversal=no
/ip ipsec peer
# Remote gateway 2.2.2.2, pinned to local address 1.1.1.1 (presumably the PPPoE address — verify it matches).
add address=2.2.2.2/32 local-address=1.1.1.1 name=ABB-peers profile=ABB-profile
/ip ipsec proposal
# Phase 2: AES-256-CBC, 1h SA lifetime. pfs-group=none disables perfect forward secrecy for the child SAs.
add enc-algorithms=aes-256-cbc lifetime=1h name=ABB-proposal pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.30-192.168.0.252
add name=vpn_pool ranges=192.168.112.1-192.168.112.10
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-br1 lease-time=3d name=dhcp
/ppp profile
# Profile for L2TP clients. use-encryption=no switches MPPE off, so confidentiality relies entirely on the
# IPsec layer enabled on the L2TP server (use-ipsec=yes below).
add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool use-encryption=no
/queue simple
add burst-threshold=30M/30M burst-time=30s/30s limit-at=40M/40M max-limit=50M/50M name=ovpn priority=1/1 target=192.168.0.129/32
add dst=Beltelecom max-limit=200M/200M name=queue-limit queue=pcq-upload-default/pcq-download-default target=192.168.0.0/24
/user group
# Built-in `full` group: every policy flag granted, including `sensitive` (view secrets) and `api`.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man access-list
# Signal-based admission: accept clients at -79 dBm or better, reject weaker ones.
add action=accept allow-signal-out-of-range=10s disabled=no interface=all signal-range=-79..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all signal-range=-120..-80 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
# Both provisioning rules are disabled, so CAPs are not auto-configured from cfg5/cfg2 at the moment.
add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac,an master-configuration=cfg5 name-format=identity
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=cfg2

# --- Site A export, part 3: bridge membership, L2TP server, addressing, DHCP, DNS ---
/interface bridge port
add bridge=bridge-br1 interface=lan1
add bridge=bridge-br1 interface=lan2
add bridge=bridge-br1 interface=lan3
add bridge=bridge-br1 interface=lan4
add bridge=bridge-br1 interface=lan5
add bridge=bridge-br1 interface=lan6
add bridge=bridge-br1 interface=lan7
add bridge=bridge-br1 interface=lan8
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# Remote-access L2TP server. use-ipsec=yes still admits plain L2TP if a client offers it; use-ipsec=required
# is the value that enforces the IPsec wrapper. The IPsec secret is not in this export (presumably hidden).
set authentication=mschap2 caller-id-type=number default-profile=l2tp_profile enabled=yes use-ipsec=yes
/ip address
add address=192.168.0.1/24 interface=bridge-br1 network=192.168.0.0
# Second uplink address on wan2. NOTE(review): the firewall filter in this export only drops traffic that
# arrives on wan1, so whatever reaches wan2 is neither filtered on input nor on forward (the wan2 routes
# are disabled, but the interface still holds the address).
add address=3.3.3.3/20 interface=wan2 network=3.3.3.0
/ip dhcp-server lease
# (static lease list elided by the poster)
....
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8,8.8.4.4 gateway=192.168.0.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anything that reaches its input chain on port 53;
# on wan1 that is stopped by the final input drop, on wan2 it is not.
set allow-remote-requests=yes cache-size=8128KiB servers=8.8.8.8,8.8.4.4

# --- Site A export, part 4: firewall filter (rule order is significant) ---
/ip firewall filter
# input chain
add action=accept chain=input connection-state=established,related
# IKE (500/4500) and L2TP (1701) from the internet. udp/1701 is accepted without an ipsec-policy=in,ipsec
# match, so plain L2TP attempts also reach the server.
add action=accept chain=input dst-port=1701,500,4500 in-interface=wan1 protocol=udp
add action=accept chain=input in-interface=wan1 protocol=ipsec-esp
# NOTE(review): both invalid-state drops (input here, forward below) are disabled.
add action=drop chain=input connection-state=invalid disabled=yes
# forward chain. connection-state="" looks like an unset matcher (no state restriction); these two rules
# accept traffic entering on wan1 that belongs to an IPsec policy in either direction.
add action=accept chain=forward connection-state="" in-interface=wan1 ipsec-policy=out,ipsec
add action=accept chain=forward connection-state="" in-interface=wan1 ipsec-policy=in,ipsec
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid disabled=yes
# Final drops cover wan1 only: nothing drops input or forward traffic that arrives on wan2 or the bridge.
add action=drop chain=input in-interface=wan1
add action=drop chain=forward in-interface=wan1
# --- Site A export, part 5: NAT. Both offices use 192.168.0.0/24, so the tunnel carries translated
# ranges: this LAN is presented to the peer as 10.58.6.0/24 and the peer's LAN is addressed here as
# 192.168.177.0/24 (the IPsec policy later in the export matches 10.58.6.0/24 -> 192.168.177.0/24).
# The accept/netmap rules sit above every masquerade rule, which is the order they need. ---
/ip firewall nat
add action=accept chain=srcnat comment="ipsec action" dst-address=192.168.177.0/24 src-address=10.58.6.0/24
# 1:1 mapping of the local LAN into 10.58.6.0/24 for traffic towards the peer's translated range.
add action=netmap chain=srcnat comment=1 dst-address=192.168.177.0/24 src-address=192.168.0.0/24 to-addresses=10.58.6.0/24
# Reverse mapping for packets arriving from the peer. Whether the peer side really sources its LAN as
# 192.168.177.0/24 cannot be seen from this export — that is the first thing to confirm.
add action=netmap chain=dstnat comment=2 dst-address=10.58.6.0/24 src-address=192.168.177.0/24 to-addresses=192.168.0.0/24
# Force client DNS through the router's resolver.
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp
# Port forwards on the WAN address 1.1.1.1 (as exported). Each exposed service is worth re-checking
# periodically; note udp/21 beside tcp/21 and the wide udp/50001-60000 range.
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=13555 protocol=udp to-addresses=192.168.0.129 to-ports=13555
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=21 protocol=udp to-addresses=192.168.0.21 to-ports=21
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=21 protocol=tcp to-addresses=192.168.0.21 to-ports=21
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=1190 protocol=tcp to-addresses=192.168.0.1 to-ports=1190
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=3000 protocol=tcp to-addresses=192.168.0.39 to-ports=3000
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=9090 protocol=tcp to-addresses=192.168.0.101 to-ports=80
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=50001-60000 protocol=udp to-addresses=192.168.0.174 to-ports=\
    50001-60000
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8070 protocol=tcp to-addresses=192.168.0.150 to-ports=80
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8081 protocol=tcp to-addresses=192.168.0.137 to-ports=8080

# Masquerade everything that has no outbound IPsec policy. With no out-interface this also matches
# LAN-to-LAN traffic, so the rules below it only ever see policy-matched packets; the two
# `src-address=192.168.0.0/24` rules are identical, and the bare masquerade at the end is a catch-all.
add action=masquerade chain=srcnat comment=ipsec ipsec-policy=out,none
add action=masquerade chain=srcnat out-interface=wan1
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.101 dst-port=80 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.42 dst-port=3000 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.101 dst-port=80-500 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=masquerade chain=srcnat
# --- Site A export, part 6: IPsec policy, routing, management services ---
/ip ipsec identity
# Identity for the peer; the pre-shared secret is not part of this export (presumably hidden).
add peer=ABB-peers
/ip ipsec policy
# Tunnel-mode policy between the translated ranges (see /ip firewall nat). level=unique gives this policy
# its own SA pair.
add dst-address=192.168.177.0/24 level=unique peer=ABB-peers proposal=ABB-proposal sa-dst-address=2.2.2.2 sa-src-address=\
    1.1.1.1 src-address=10.58.6.0/24 tunnel=yes
/ip route
# Default route via the PPPoE interface; the remaining routes (ISP1/ISP2 failover, Google test route) are disabled.
add distance=1 gateway=Beltelecom
add check-gateway=ping comment=ISP1 disabled=yes distance=1 gateway=1.1.1.1
add check-gateway=ping comment=ISP2 disabled=yes distance=2 gateway=3.3.3.3
add comment=Google disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=1.1.1.1
/ip service
# telnet/ftp/www/api/api-ssl are off. ssh and winbox are not listed, so they keep their defaults (enabled,
# no address= restriction); an address= list on them would limit exposure via the unfiltered wan2.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
# NetFlow export enabled, collector 192.168.0.42.
set cache-entries=16k enabled=yes
/ip traffic-flow target
add dst-address=192.168.0.42
/ppp secret
# L2TP account; the password is not in the export.
add name=vpn_user profile=l2tp_profile service=l2tp
/snmp
# SNMP agent enabled; community settings are not in this export — confirm the default community is not in use.
set enabled=yes trap-version=3
/system clock
set time-zone-name=Europe/Minsk
/system identity
set name=MikroTik_RB4011
ipsec показывает, что туннель якобы есть, но пакетики не бегают
sviktor
Сообщения: 1
Зарегистрирован: 08 июл 2021, 12:43

Re: Помогите решить проблему с ipsec

Сообщение sviktor »

Здравствуйте. Проблема решилась?
Syber
Сообщения: 1
Зарегистрирован: 24 янв 2022, 15:49

Аналогичная проблема с объединением офисов. Помогите решить проблему с ipsec

Сообщение Syber »

Добрый день, уважаемые.

Столкнулся с аналогичной проблемой и уже не пойму, куда рыть.
Есть 3 офиса тестовых)
1. Головной
2. Офис - 1
3. Офис - 2

1. Головной настроен на IPSec (статус Establish до Офис 1 и Офис 2 + Ping OK )
2. Офис - 1 также настроен на IPSec с Головным офисом (статус Establish до Головного + Ping OK )
3. Офис - 2 также настроен на IPSec с Головным офисом (статус Establish до Головного + Ping до головного)
874 10.1.1.1 timeout
875 10.1.1.1 timeout
876 10.1.1.1 timeout
877 10.1.1.1 timeout
878 176.62.187.177 84 64 978ms host unreachable
879 10.1.1.1 timeout
Хотя маршруты прописаны и все как бы ок..
Голову уже сломал - прошу помощи.
Конфиг в студии

# --- Site B export (poster "Syber"), part 1: bridge, ethernet ports, wireless, interface lists ---
/interface bridge
# defconf bridge with a pinned admin MAC (auto-mac=no).
add admin-mac=4C:5E:0C:EC:1A:97 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the WAN port; several ports are forced to 100 Mbps or a restricted advertisement set.
set [ find default-name=ether1 ] comment=WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full comment=NVR speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether6-master
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
IP_Phone
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=MFU
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-Ce country=russia2 disabled=no distance=indoors frequency=auto \
frequency-mode=manual-txpower max-station-count=10 mode=ap-bridge ssid=\
blablabla station-roaming=enabled wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
# NOTE(review): TKIP is still allowed in both the group and unicast cipher lists. TKIP is deprecated under
# WPA2; unless a legacy client genuinely needs it, restrict both lists to aes-ccm.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
# --- Site B export, part 2: IPsec phase 1/2 parameters ---
/ip ipsec profile
# IKE settings for the head-office peer. NOTE(review): 3DES, MD5 and modp1024 are all legacy choices with
# a 3-day IKE lifetime; what gets negotiated is bounded by the head office's profile, but AES / SHA-2 /
# modp2048 should be used wherever both ends allow it.
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 lifetime=3d name=\
Profile-IpSec
/ip ipsec peer
# Head-office gateway. No local-address is pinned, so the router picks the source address itself.
add address=176.62.177.4/32 name=Energo-Office profile=Profile-IpSec
/ip ipsec proposal
# The built-in default proposal is switched off; Proposal-IpSec offers AES-256/AES-128/3DES with SHA1 or MD5.
# No pfs-group is given, so the default applies.
set [ find default=yes ] disabled=yes lifetime=0s
add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
lifetime=8h name=Proposal-IpSec
# --- Site B export, part 3: DHCP, bridge membership, interface lists, addressing, DNS ---
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
# MAC-telnet and MAC-winbox are reachable only from the bridge (see /tool mac-server below).
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
# ether1 is the only WAN list member; the firewall rules in this export match in-interface=ether1 directly
# rather than the list.
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
# Static public address on ether1. NOTE(review): a DHCP client is also enabled on ether1 (next section);
# if the ISP answers it, the port ends up with two addresses and possibly two default routes — keep one.
add address=176.62.187.177/25 interface=ether1 network=176.62.187.128
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:b0:c:d1:e0:37:8d mac-address=\
B0:0C:D1:E0:37:8D server=defconf
add address=192.168.88.10 client-id=1:b0:61:c7:c:8f:b0 comment=TLF-8802a \
mac-address=B0:61:C7:0C:8F:B0 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# Resolver for LAN clients. NOTE(review): 10.10.10.3/.4 are private addresses that match neither the
# IPsec policy (10.1.1.0/24) nor any local route in this export, so queries to them would leave via the
# default gateway unencrypted — check where these resolvers are meant to live.
set allow-remote-requests=yes servers=10.10.10.3,10.10.10.4,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
# --- Site B export, part 4: firewall filter (defconf base plus IPsec ports; order is significant) ---
/ip firewall filter
# input chain
add action=accept chain=input disabled=yes src-address=195.26.31.64/26
# NOTE(review): Winbox (tcp/8291) is accepted from every interface and every source, ahead of the
# "drop all from WAN" rule, so it is reachable from the internet on ether1. Limit it with
# in-interface-list=!WAN or a src-address (the disabled rule above looks like an attempt at that).
add action=accept chain=input dst-port=8291 protocol=tcp
# IKE, L2TP and NAT-T ports from the WAN. There is no accept for protocol=ipsec-esp, so when NAT-T is not
# negotiated, inbound ESP that is not a reply to our own ESP can be caught by the WAN drop below.
add action=accept chain=input comment="Port Access" dst-port=500,1701,4500 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
# forward chain. NOTE(review): fasttrack applies to every established/related connection, tunnel traffic
# included; fasttracked packets skip IPsec policy processing, so replies on tunnel connections can leave
# unencrypted. MikroTik's site-to-site IPsec guidance is to accept ipsec-policy=in,ipsec and
# ipsec-policy=out,ipsec in forward before this rule — verify against the RouterOS version in use.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# NOTE(review): decrypted tunnel packets still carry in-interface=ether1, are "new" and not dst-natted,
# so this rule drops every connection initiated from 10.1.1.0/24 towards this LAN. A
# `chain=forward ipsec-policy=in,ipsec action=accept` rule is needed ahead of it for that direction to work.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
# --- Site B export, part 5: NAT (rule order is significant) ---
/ip firewall nat
# NOTE(review): this masquerade is evaluated first and matches everything leaving ether1. Once the
# route for 10.1.1.0/24 sends tunnel traffic out ether1, packets from 192.168.88.0/24 are rewritten to
# 176.62.187.177 here and no longer match the IPsec policy (src 192.168.88.0/24); the accept rule and the
# ipsec-policy=out,none masquerade below are only reached by what this rule did not take. Move the accept
# rule (or the ipsec-policy=out,none variant) above this one.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none
add action=accept chain=srcnat dst-address=10.1.1.0/24 src-address=\
192.168.88.0/24
# NVR ports forwarded from the WAN.
add action=dst-nat chain=dstnat comment=NVR dst-port=34510,34700 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.141
# --- Site B export, part 6: IPsec policy, routes, services, netwatch ---
/ip ipsec identity
# The pre-shared secret is not part of this export.
add peer=Energo-Office
/ip ipsec policy
# Site-to-site policy 192.168.88.0/24 <-> 10.1.1.0/24 in tunnel mode.
add dst-address=10.1.1.0/24 peer=Energo-Office proposal=Proposal-IpSec \
src-address=192.168.88.0/24 tunnel=yes
# NOTE(review): this disables the policy numbered 1. If the built-in template policy is number 0, the
# policy added just above is number 1 and this line switches the tunnel policy off — check with
# `/ip ipsec policy print`.
set 1 disabled=yes
/ip route
add distance=1 gateway=176.62.187.129
# NOTE(review): the remote LAN is routed to the local bridge rather than towards the peer. A site-to-site
# policy normally needs only the default route; verify this entry is intentional and whether the
# "host unreachable" in the posted ping output is a consequence of it.
add distance=1 dst-address=10.1.1.0/24 gateway=bridge
/ip service
# telnet/ftp/www/ssh/api/api-ssl are off; winbox stays on (and is accepted from the WAN by the filter).
# NOTE(review): the winbox line below is truncated in this paste (`address=\` with no continuation), so it
# cannot be told from here whether the live setting restricts source addresses.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=\
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
,ether7,ether8,ether9,ether10"
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool netwatch
# Two watchers on the same host and interval; the second is redundant with the first apart from lacking
# an up-script.
add down-script="log warning \"_________internet propal_________\"" host=\
8.8.8.8 interval=10s up-script=\
"log warning \"_________internet zarabotall_________\""
add down-script="log warning \"internet propal\"" host=8.8.8.8 interval=10s