Помогите решить проблему с ipsec

RIP, OSFP, BGP, MPLS/VPLS
sapanovskiy
Сообщения: 13
Зарегистрирован: 14 июн 2019, 17:08

Помогите решить проблему с ipsec

Сообщение sapanovskiy »

Добрый день, форумчане!!! Помогите разобраться вот с такой ситуацией (имеются 2 офиса с одинаковой IP-адресацией, настроен IPsec, и вроде бы как работает, но не пингуется IP второго офиса). Подскажите, в чём может быть проблема, куда копать? Скриншоты прилагаются.
Вложения
13.jpg
13.jpg (141.32 КБ) 1732 просмотра
12.jpg
12.jpg (174.08 КБ) 1732 просмотра
11.jpg
11.jpg (160.35 КБ) 1732 просмотра
Chupaka
Сообщения: 3878
Зарегистрирован: 29 фев 2016, 15:26
Откуда: Минск

Re: Помогите решить проблему с ipsec

Сообщение Chupaka »

Здравствуйте.

Скриншоты текста - это вообще гениально :) Чтобы никто не мог скопировать или процитировать?


# Post the text export instead of screenshots; hide-sensitive keeps passwords and
# pre-shared keys out of the output so the config can be shared safely.
/export hide-sensitive
Что значит "вроде бы как работает, но не пингуется"? Т.е. в целом, если не брать в расчёт пинг, пакетики бегают нормально? А что это за IP? Там файрвол на машине самой мешать не может?
sapanovskiy
Сообщения: 13
Зарегистрирован: 14 июн 2019, 17:08

Re: Помогите решить проблему с ipsec

Сообщение sapanovskiy »

Да нет, просто сразу и не подумал, что весь конфиг понадобится.

# model = RB4011iGS+


# NOTE(review): reviewer comments below are prefixed NOTE(review); the export itself
# is left exactly as pasted. No PSKs or passwords appear, so this was presumably
# produced with hide-sensitive.
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz frequency=2462,2437,2412 name=channel2 reselect-interval=1d tx-power=15
add band=5ghz-onlyac control-channel-width=20mhz frequency=5180,5220,5745,5785,5300,5680 name=channel5 tx-power=17

/interface bridge
add name=bridge-br1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=lan1
set [ find default-name=ether3 ] name=lan2
set [ find default-name=ether4 ] name=lan3
set [ find default-name=ether5 ] name=lan4
set [ find default-name=ether7 ] name=lan5
set [ find default-name=ether8 ] name=lan6
set [ find default-name=ether9 ] name=lan7
set [ find default-name=ether10 ] name=lan8
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=ether1 ] name=wan1
set [ find default-name=ether6 ] name=wan2
# NOTE(review): the PPPoE session runs over wan1, so routed IP traffic from the ISP
# arrives on the "Beltelecom" interface rather than on wan1. Every in-interface=wan1
# match in the firewall further down (accept 500/4500/ESP, the final input and
# forward drops) would then never see Internet traffic -- confirm with
# /ip firewall filter print stats and consider matching in-interface=Beltelecom
# (or an interface list containing it) instead.
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan1 name=Beltelecom service-name=Beltelecom use-peer-dns=yes user=\
    [email protected]
/caps-man datapath
add bridge=bridge-br1 client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man rates
add basic=48Mbps,54Mbps name=rate1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security1
/caps-man configuration
add channel=channel2 country="united states" datapath=datapath1 distance=indoors mode=ap name=cfg2 rates=rate1 rx-chains=0,1,2,3 \
   security1 ssid=Clever tx-chains=0,1,2,3
add channel=channel5 country="united states" datapath=datapath1 distance=indoors mode=ap name=cfg5 rx-chains=0,1,2,3 security=\
    security1 ssid=Clever5 tx-chains=0,1,2,3

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=policy_group
# NOTE(review): modp1024 (DH group 2) is below current recommendations; move to
# modp2048 or better once the peer supports it. nat-traversal=no means IKE will not
# fall back to UDP/4500 if either endpoint ever sits behind NAT.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=ABB-profile nat-traversal=no
/ip ipsec peer
add address=2.2.2.2/32 local-address=1.1.1.1 name=ABB-peers profile=ABB-profile
# NOTE(review): pfs-group=none disables Perfect Forward Secrecy for phase 2;
# auth-algorithms is not shown, so the RouterOS default applies -- verify on both ends.
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=ABB-proposal pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.30-192.168.0.252
add name=vpn_pool ranges=192.168.112.1-192.168.112.10
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-br1 lease-time=3d name=dhcp
# NOTE(review): use-encryption=no (no MPPE) is acceptable here only because the L2TP
# server below runs with use-ipsec=yes, so IPsec carries the session.
/ppp profile
add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool use-encryption=no
/queue simple
add burst-threshold=30M/30M burst-time=30s/30s limit-at=40M/40M max-limit=50M/50M name=ovpn priority=1/1 target=192.168.0.129/32
add dst=Beltelecom max-limit=200M/200M name=queue-limit queue=pcq-upload-default/pcq-download-default target=192.168.0.0/24
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all signal-range=-79..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all signal-range=-120..-80 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac,an master-configuration=cfg5 name-format=identity
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=cfg2

/interface bridge port
add bridge=bridge-br1 interface=lan1
add bridge=bridge-br1 interface=lan2
add bridge=bridge-br1 interface=lan3
add bridge=bridge-br1 interface=lan4
add bridge=bridge-br1 interface=lan5
add bridge=bridge-br1 interface=lan6
add bridge=bridge-br1 interface=lan7
add bridge=bridge-br1 interface=lan8
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# NOTE(review): L2TP/IPsec server; its IPsec secret is not in the paste. mschap2-only
# authentication is the right choice.
/interface l2tp-server server
set authentication=mschap2 caller-id-type=number default-profile=l2tp_profile enabled=yes use-ipsec=yes
/ip address
add address=192.168.0.1/24 interface=bridge-br1 network=192.168.0.0
add address=3.3.3.3/20 interface=wan2 network=3.3.3.0
/ip dhcp-server lease
....
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8,8.8.4.4 gateway=192.168.0.1 netmask=24
# NOTE(review): allow-remote-requests=yes together with the unrestricted port-53
# redirect rules in /ip firewall nat makes this router answer DNS for anything that
# reaches it; that is only safe if the input chain really drops WAN traffic (see the
# PPPoE/wan1 note above). Restricting the redirects with in-interface=bridge-br1 is cheap.
/ip dns
set allow-remote-requests=yes cache-size=8128KiB servers=8.8.8.8,8.8.4.4

# NOTE(review): the two ipsec-policy forward accepts use connection-state="" (any
# state), which is fine. Both "drop invalid" rules are disabled. The whole protection
# of input and forward rests on the two in-interface=wan1 drops at the end -- see the
# PPPoE note: if those never match, input is effectively open from the Internet.
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=1701,500,4500 in-interface=wan1 protocol=udp
add action=accept chain=input in-interface=wan1 protocol=ipsec-esp
add action=drop chain=input connection-state=invalid disabled=yes
add action=accept chain=forward connection-state="" in-interface=wan1 ipsec-policy=out,ipsec
add action=accept chain=forward connection-state="" in-interface=wan1 ipsec-policy=in,ipsec
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid disabled=yes
add action=drop chain=input in-interface=wan1
add action=drop chain=forward in-interface=wan1
# NOTE(review): overlapping-LAN design -- this office's 192.168.0.0/24 is presented to
# the tunnel as 10.58.6.0/24 and the far office is addressed as 192.168.177.0/24
# (netmap rules "1" and "2"). Hosts here must ping 192.168.177.x, never the far
# office's real 192.168.0.x, and the peer needs the mirror-image netmap plus a
# policy 192.168.177.0/24 <-> 10.58.6.0/24 -- worth checking on the other router,
# as the question does not say which address was pinged.
# The first accept rule (src 10.58.6.0/24) presumably matches nothing in srcnat,
# because LAN packets still carry 192.168.0.x at that point; the netmap rule below
# does the real work and terminates srcnat for tunnel traffic.
/ip firewall nat
add action=accept chain=srcnat comment="ipsec action" dst-address=192.168.177.0/24 src-address=10.58.6.0/24
add action=netmap chain=srcnat comment=1 dst-address=192.168.177.0/24 src-address=192.168.0.0/24 to-addresses=10.58.6.0/24
add action=netmap chain=dstnat comment=2 dst-address=10.58.6.0/24 src-address=192.168.177.0/24 to-addresses=192.168.0.0/24
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=13555 protocol=udp to-addresses=192.168.0.129 to-ports=13555
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=21 protocol=udp to-addresses=192.168.0.21 to-ports=21
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=21 protocol=tcp to-addresses=192.168.0.21 to-ports=21
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=1190 protocol=tcp to-addresses=192.168.0.1 to-ports=1190
add action=netmap chain=dstnat dst-address=1.1.1.1 dst-port=3000 protocol=tcp to-addresses=192.168.0.39 to-ports=3000
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=9090 protocol=tcp to-addresses=192.168.0.101 to-ports=80
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=50001-60000 protocol=udp to-addresses=192.168.0.174 to-ports=\
    50001-60000
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8070 protocol=tcp to-addresses=192.168.0.150 to-ports=80
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8081 protocol=tcp to-addresses=192.168.0.137 to-ports=8080

# NOTE(review): the ipsec-policy=out,none masquerade is the correct exclusion; with
# the netmap rule above it is mostly a safety net. The two src-address=192.168.0.0/24
# masquerade rules are duplicates, and the last rule has no matcher at all, so it
# also rewrites traffic between local interfaces -- tidy these once the tunnel works.
add action=masquerade chain=srcnat comment=ipsec ipsec-policy=out,none
add action=masquerade chain=srcnat out-interface=wan1
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.101 dst-port=80 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.42 dst-port=3000 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.101 dst-port=80-500 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=masquerade chain=srcnat
/ip ipsec identity
add peer=ABB-peers
# NOTE(review): the policy selectors match the NAT'ed addresses above
# (10.58.6.0/24 -> 192.168.177.0/24), which is consistent; level=unique gives this
# policy its own SA pair.
/ip ipsec policy
add dst-address=192.168.177.0/24 level=unique peer=ABB-peers proposal=ABB-proposal sa-dst-address=2.2.2.2 sa-src-address=\
    1.1.1.1 src-address=10.58.6.0/24 tunnel=yes
/ip route
add distance=1 gateway=Beltelecom
add check-gateway=ping comment=ISP1 disabled=yes distance=1 gateway=1.1.1.1
add check-gateway=ping comment=ISP2 disabled=yes distance=2 gateway=3.3.3.3
add comment=Google disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=1.1.1.1
# NOTE(review): ssh and winbox stay enabled with no address= restriction shown; if the
# wan1 drops do not fire (PPPoE note) they are reachable from the Internet. Add
# address=<management-net placeholder> or an input rule limiting them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries=16k enabled=yes
/ip traffic-flow target
add dst-address=192.168.0.42
/ppp secret
add name=vpn_user profile=l2tp_profile service=l2tp
# NOTE(review): SNMP is enabled; community/v3 credentials are not shown. Same
# exposure caveat as the services above.
/snmp
set enabled=yes trap-version=3
/system clock
set time-zone-name=Europe/Minsk
/system identity
set name=MikroTik_RB4011
IPsec показывает, что туннель якобы есть, но пакетики не бегают.
sviktor
Сообщения: 1
Зарегистрирован: 08 июл 2021, 12:43

Re: Помогите решить проблему с ipsec

Сообщение sviktor »

Здравствуйте. Проблема решилась?
Syber
Сообщения: 1
Зарегистрирован: 24 янв 2022, 15:49

Аналогичная проблема с объединением офисов. Помогите решить проблему с ipsec

Сообщение Syber »

Добрый день, уважаемые.

Столкнулся с аналогичной проблемой и уже не пойму, куда рыть.
Есть 3 офиса тестовых)
1. Головной
2. Офис - 1
3. Офис - 2

1. Головной настроен на IPSec (статус Establish до Офис 1 и Офис 2 + Ping OK )
2. Офис - 1 так же настроен на IPSec с Головным офисом (статус Establish до Головного + Ping OK )
3. Офис - 2 так же настроен на IPSec с Головным офисом (статус Establish до Головного + Ping до головного)
874 10.1.1.1 timeout
875 10.1.1.1 timeout
876 10.1.1.1 timeout
877 10.1.1.1 timeout
878 176.62.187.177 84 64 978ms host unreachable
879 10.1.1.1 timeout
Хотя маршруты прописаны, и всё как бы ок…
Голову уже сломал - прошу помощи.
Конфиг в студии

# NOTE(review): reviewer comments are prefixed NOTE(review); the paste is otherwise
# unchanged (long commands are wrapped with trailing backslashes as exported, so no
# comment is placed inside a wrapped command).
/interface bridge
add admin-mac=4C:5E:0C:EC:1A:97 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full comment=NVR speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether6-master
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
IP_Phone
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=MFU
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-Ce country=russia2 disabled=no distance=indoors frequency=auto \
frequency-mode=manual-txpower max-station-count=10 mode=ap-bridge ssid=\
blablabla station-roaming=enabled wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
# NOTE(review): tkip is still allowed in both cipher lists; WPA2 with TKIP is
# deprecated -- keep aes-ccm only.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
# NOTE(review): 3des + md5 + modp1024 with a 3-day IKE lifetime is a weak phase-1
# set; prefer aes-256 / sha256 / modp2048 (both peers must change together).
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 lifetime=3d name=\
Profile-IpSec
/ip ipsec peer
add address=176.62.177.4/32 name=Energo-Office profile=Profile-IpSec
# NOTE(review): the phase-2 list still offers 3des and md5; trim it to
# aes-256-cbc with sha256 (or at least sha1) once the peer agrees. No pfs-group is
# shown, so the RouterOS default applies -- verify it matches the peer.
/ip ipsec proposal
set [ find default=yes ] disabled=yes lifetime=0s
add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
lifetime=8h name=Proposal-IpSec
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=176.62.187.177/25 interface=ether1 network=176.62.187.128
# NOTE(review): a DHCP client on ether1 next to the static 176.62.187.177/25 and the
# static default route can add a second default route and DNS servers if the ISP ever
# answers DHCP -- presumably a defconf leftover, confirm it is wanted.
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:b0:c:d1:e0:37:8d mac-address=\
B0:0C:D1:E0:37:8D server=defconf
add address=192.168.88.10 client-id=1:b0:61:c7:c:8f:b0 comment=TLF-8802a \
mac-address=B0:61:C7:0C:8F:B0 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.10.10.3,10.10.10.4,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
# NOTE(review): the dst-port=8291 accept has no in-interface/src-address restriction
# and sits before "drop all from WAN", so Winbox is open to the Internet; the
# src-address allow-list above it is disabled. Restrict it, e.g. with
# in-interface-list=!WAN (the WAN list exists above) or a src-address-list.
# NOTE(review): UDP 1701 is accepted on ether1 but no L2TP server is configured in
# this export -- drop 1701 unless it is really used.
# NOTE(review): the fasttrack rule runs before any IPsec handling; fasttracked
# established flows bypass the IPsec policy check, a known interaction that breaks
# tunnel traffic after the first packets. Add ipsec-policy=out,none to the fasttrack
# rule (and a second fasttrack rule with ipsec-policy=in,none), as newer default
# configurations do.
# NOTE(review): "drop all from WAN not DSTNATed" also matches decrypted tunnel
# packets (they arrive on ether1, state new, not dst-nated), so traffic from the far
# office into 192.168.88.0/24 is likely dropped. Add an accept rule with
# ipsec-policy=in,ipsec in chain=forward above it.
/ip firewall filter
add action=accept chain=input disabled=yes src-address=195.26.31.64/26
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="Port Access" dst-port=500,1701,4500 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
# NOTE(review): rule-order defect -- the unconditional masquerade on ether1 comes
# BEFORE the accept rule for 192.168.88.0/24 -> 10.1.1.0/24, so tunnel-bound packets
# are source-NATed to 176.62.187.177 and no longer match the IPsec policy selector
# (src 192.168.88.0/24). Move the accept rule to the top of srcnat, or add
# ipsec-policy=out,none to the ether1 masquerade as the second masquerade already does.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none
add action=accept chain=srcnat dst-address=10.1.1.0/24 src-address=\
192.168.88.0/24
add action=dst-nat chain=dstnat comment=NVR dst-port=34510,34700 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.141
/ip ipsec identity
add peer=Energo-Office
# NOTE(review): "set 1 disabled=yes" disables whatever sits at index 1 after the add;
# if that is the policy just added, the tunnel has no active policy at all --
# check with /ip ipsec policy print.
/ip ipsec policy
add dst-address=10.1.1.0/24 peer=Energo-Office proposal=Proposal-IpSec \
src-address=192.168.88.0/24 tunnel=yes
set 1 disabled=yes
# NOTE(review): the static route 10.1.1.0/24 via "bridge" points the far office's
# prefix at the local LAN. The router then has to resolve 10.1.1.x on the bridge,
# fails, and answers "host unreachable" from its own address 176.62.187.177 -- which is
# consistent with the ping output in the post. A policy-based IPsec tunnel needs no
# such route: remove it and let the default route carry the packet so the policy can
# encapsulate it.
/ip route
add distance=1 gateway=176.62.187.129
add distance=1 dst-address=10.1.1.0/24 gateway=bridge
# NOTE(review): the "set winbox address=\" line lost its value in the paste (the
# backslash swallows the next line), so the Winbox address restriction is effectively
# unknown; re-check it, since the firewall currently accepts 8291 from any interface.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=\
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
,ether7,ether8,ether9,ether10"
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# NOTE(review): two netwatch entries poll the same host 8.8.8.8 every 10s; the second
# one is redundant.
/tool netwatch
add down-script="log warning \"_________internet propal_________\"" host=\
8.8.8.8 interval=10s up-script=\
"log warning \"_________internet zarabotall_________\""
add down-script="log warning \"internet propal\"" host=8.8.8.8 interval=10s