MikroTik: IPsec VPN behind NAT as a client

Good day to all!

It so happened that over the past two years our company has been gradually switching to MikroTik. The core nodes are built on the CCR1072, and the local access points for workstations use simpler devices. Of course, we also join sites over IPsec tunnels; that setup is straightforward and causes no difficulty, since there is plenty of material online. Mobile client connections are another matter: the manufacturer's wiki explains how to use the Shrew Soft VPN client (that configuration seems clear enough), and that client is what 99% of remote-access users use. The remaining 1% is me: I was simply too lazy to type the login and password into the client every time, and I wanted a lazy spot on the couch with a convenient connection to the work networks. I found no instructions for configuring a MikroTik that sits not merely behind a grey (private) address but behind a black one, possibly even behind several NATs. So I had to improvise, and I propose to look at the result.

There is:

  1. CCR1072 as main device. version 6.44.1
  2. CAP ac as home connection point. version 6.44.1

The key feature of this setup is that the PC and the MikroTik must be on the same network, with the addressing issued by the main 1072.

Let's move on to the settings:

1. Of course we enable Fasttrack, but since Fasttrack is incompatible with IPsec, we have to exclude the tunnel traffic from it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add raw accept rules for traffic between the home and work networks in both directions

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 \
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=\
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=\
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=\
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 \
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
    10.7.77.0/24

3. Create an IPSEC identity (the user's connection credentials)

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO \
    secret=<shared key> xauth-login=username xauth-password=password

4. Create an IPSEC Proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create an IPSEC Policy

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" \
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=\
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" \
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=\
    192.168.33.0/24 tunnel=yes

6. Create an IPSEC profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=\
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create an IPSEC peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO \
    profile=profile_88
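As an added example, not part of the original post: the proposal and profile above negotiate 3DES, modp1024 and no PFS, the weakest choices RouterOS offers. The pair below is the same client-side configuration with AES-256, SHA-256 and modp2048, with NAT traversal and DPD kept on because the CAP ac sits behind NAT. The names prop-aes and profile-aes are my own, and the CCR1072 side must be given a matching proposal and profile or IKE will not negotiate.

```routeros
# Added example (not from the post): stronger phase 1 / phase 2 settings
# for the same peer CO and the same two policies. Names are assumed.

# Phase 1 (IKE) profile: DH group, cipher and hash used to protect the
# negotiation itself. nat-traversal=yes is required for a client behind NAT.
/ip ipsec profile
add name=profile-aes dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h nat-traversal=yes \
    dpd-interval=30s dpd-maximum-failures=3

# Phase 2 (ESP) proposal: cipher and integrity for the tunnel traffic.
# pfs-group=modp2048 re-derives keys per SA instead of reusing phase 1 material.
/ip ipsec proposal
add name=prop-aes auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m

# Switch the existing peer and policies over to the new profile and proposal.
/ip ipsec peer
set [ find name=CO ] profile=profile-aes
/ip ipsec policy
set [ find proposal=prop1 ] proposal=prop-aes
```

After applying this on both sides, `/ip ipsec installed-sa print` shows the negotiated algorithms, which is the quickest way to confirm the 1072 did not fall back to the old proposal.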

Now for some simple magic. Since I did not want to change the settings on every device in my home network, I somehow had to serve DHCP for the work subnet on the same bridge, but MikroTik reasonably does not allow more than one address pool on one bridge. So I found a workaround: for the laptop alone I created a static DHCP lease with manual parameters, and since netmask, gateway and DNS are ordinary DHCP options with their own codes, I set them explicitly.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=\
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

On the 1072 the configuration is practically basic: the only change is that, when issuing an IP address to this client, it is told to hand out the manually entered address rather than one from the pool. For regular PC clients the subnet is the same as in the Wiki configuration, 192.168.55.0/24.

This setup means no third-party software on the PC, and the router itself brings the tunnel up as needed. The load on the client CAP ac is almost minimal: 8-11% at 9-10 MB/s through the tunnel.

All settings were made through Winbox, although they can be done just as well from the console.

Source: habr.com