Mikrotik. IPsec VPN behind NAT as a client

Good day, everyone!

It so happens that over the last two years our company has gradually been migrating to Mikrotik hardware. The core node is built on a CCR1072, while the connection points for local computers run on simpler devices. Naturally, we also integrate networks over IPsec tunnels; in that case the setup is fairly simple and straightforward, since plenty of resources are available online. Connecting mobile clients, however, poses a certain challenge: the manufacturer's wiki describes how to use the Shrew Soft VPN client (that setup seems clear enough), and this is the client used by 99% of remote-access users, the remaining 1% being me. I did not want to type a login and password every time; I wanted a more relaxed and convenient experience with a seamless connection to the work network. I could not find a guide on configuring Mikrotik for a situation where the router is not behind a white (public) address but behind a grey one, possibly with several layers of NAT in that network. So I had to improvise, and I suggest you take a look at the result.

Available:

  1. CCR1072 as the main device, version 6.44.1
  2. cAP ac as the home connection point, version 6.44.1

The main feature of the setup is that the PC and the Mikrotik must be on the same network with the same addresses, i.e. the ones that are announced to the main 1072.

Let's move on to the settings:

1. Of course, we have Fasttrack enabled, but since fasttrack is not compatible with VPN, we have to exclude the tunnel traffic from it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add the forwarded networks from/to home and work

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the identity for the user connection

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    <shared key> xauth-login=username xauth-password=password

4. Create an IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policies

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=
    profile_88

Now for a few simple tricks. Since I did not want to change the settings on every device in the home network, I somehow had to set up DHCP on the same network, but naturally Mikrotik does not let you assign more than one address pool to a single bridge. So I found a workaround: for the laptop I simply created a DHCP lease with manually specified parameters, and since netmask, gateway and DNS also have their own option numbers in DHCP, I set those manually as well.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
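RouterOS accepts a DHCP option value either as a single-quoted string, the form used above, or as a `0x` hex string that is sent as raw bytes. Options 1, 3 and 6 carry 4-byte addresses on the wire, so the hex form encodes them unambiguously. The following added example (not the article's code) builds the three option lines from the article's addresses in that hex form and also covers option 6 with several DNS servers; the function names are ours. If the laptop ignores an option, a packet capture of the DHCP OFFER will show which encoding your RouterOS version actually put on the wire.

```python
"""Encode DHCP option values in the raw-hex form RouterOS accepts (value=0x...).
Added example, not the article's code; the option numbers and addresses are the
article's, the function names are ours."""
import ipaddress


def ip_option_hex(*addresses):
    """Concatenate IPv4 addresses as 4-byte big-endian values, the wire format of
    options 1 (netmask), 3 (router) and 6 (DNS, which may list several servers)."""
    if not addresses:
        raise ValueError("a DHCP address option needs at least one address")
    raw = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return "0x" + raw.hex()


def dhcp_option_commands(netmask="255.255.255.0", gateway="192.168.33.1",
                         dns_servers=("8.8.8.8",)):
    """RouterOS /ip dhcp-server option lines using the hex form instead of the quoted string.
    Defaults are the article's values."""
    return [
        f"/ip dhcp-server option add code=1 name=option1-netmask value={ip_option_hex(netmask)}",
        f"/ip dhcp-server option add code=3 name=option3-gateway value={ip_option_hex(gateway)}",
        f"/ip dhcp-server option add code=6 name=option6-dns value={ip_option_hex(*dns_servers)}",
    ]


if __name__ == "__main__":
    for line in dhcp_option_commands():
        print(line)
```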

At the same time, the settings on the 1072 are practically stock; the only thing is that when issuing an IP address to the client, the settings specify that the manually entered address must be issued rather than one from the pool. For regular clients on personal computers the subnet is the same as in the wiki configuration, 192.168.55.0/24.

This setup means you no longer have to connect from the PC through third-party software, and the tunnel itself is brought up by the router when needed. The load on the cAP ac client is almost negligible: 8-11% at 9-10 MB/s through the tunnel.

All settings were made via Winbox, although they could also be done from the console.

Source: www.habr.com
