αα½ααααΈα’αααααΆααα’ααααααΆ!
ααΆααΆαααΎαα‘αΎαααΌα ααααααΆαα αααα»ααααα»αα αα»αααααααΎααααα»ααααααα 1072 ααααΆααααααααααα ααΎαααΆαααααΆααααααΌαααααα·α ααααααα ααΈααααΌαα·α α ααααΆααααααΆαααααααΌαααΆααααααΎαα‘αΎααα ααΎ CCR99 α αΎαα ααα»α αααααΆααααΌαααααΆααααααΆαααα»αααααΌααααα ααΎα§αααααααΊααΆααααααΆαα ααΆααΆααα·αααΆαα ααααΆαααΆααα½ααααα αΌαααααΆαααααααΆαααΆααααααααΌαααΌααααααααΈ IPSEC ααααα αααα»αααααΈααα ααΆααααα αααΊααΆααααααΆαα α αΎααα·αααααα±ααααΆαααΆαααααΆαααΆαα½αα‘αΎα αααααααΆααααααΆααααΆα αααΎααα ααΎαααααΆαα ααα»ααααααΆαααΆαααααΆααα½αα ααα½αααΆαα½αααΆαααααΆααααΌααααααα αααααααα’αα·αα·αα αα·ααΈαααααααα»αα αα»αααα·αααααΆααα’αααααΈααααααααΎαααΆαααΈαααααα Shrew ααα VPN (α’αααΈααααααααΆαα αΆααααΌα ααΆα αααΆααααΆαα½αααΉαααΆααααααααα) α αΎαααΆααΊααΆαααΆαααΈααααααααααααααααΌαααΆαααααΎααααΆααααα 1% ααα’αααααααΎααααΆααα αΌαααααΎααΈα ααααΆαα α αΎα XNUMX% ααΊααΆαααα»α αααα»αααααΆαααααααα·αααα ααααΆαααααααΆαααααααα αΌαααΆαα αΌα αα·αααΆααααααααΆαααα αααα»ααααΆαααΈαααααα α αΎααααα»αα ααααΆαααΈααΆαααααα·ααα ααΎααΆα‘α»α αα·αααΆααααααΆααααΆααααα½ααα ααΆαααααααΆαααΆαααΆαα αααα»ααα·αααΆαααααΎαααΆαααααΆααααααΆααααααααα ααΆαααααααα Mikrotik αααααΆααααααΆαααΆααα ααααααααΆαα·ααα ααΈαααααα’αΆααααααΆαααααααααα ααα»ααααααΆαααααα»ααα ααΈαααααααααααα αα½α α αΎααααα ααααΆ NAT ααΆα αααΎααα ααΎαααααΆαα ααΌα ααααα αΎα αααα»αααααΌαααααααΎ improvise ααΌα ααααα αΎααααα»αααααΎα±αααα·αα·αααααΎαααααααα
ααΆαα
- CCR1072 ααΆα§αααααααααΆααα αααα 6.44.1
- CAP ac ααΆα ααα»α αααααΆααααααα αααα 6.44.1
αααααααα·αααα
ααααααααΆααααααααΊααΆ PC αα·α Mikrotik ααααΌααααα
ααΎαααααΆαααΌα
ααααΆαααααΆαα’αΆααααααΆαααΌα
ααααΆαααααααΌαααΆαα
ααααααα 1072 α
ααααααααα
ααΆααααααα
1. ααΆααΆααα·αααΆαα ααΎαααΎα Fasttrack ααα»αααααααααΆα fasttrack αα·αααααααΆααΆαα½α vpn ααΎαααααΌαααΆαααααααα ααΆα αααααααααΆα
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. ααααααααΆααααααΌααααααααααΆαααΈ/αα αααα αα·αααααααααααΎααΆα
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. αααααΎαααΆααα·αααααΆα’αααΈααΆααααααΆααα’αααααααΎααααΆαα
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<shared key> xauth-login=username xauth-password=password
4. αααααΎαααααΎ IPSEC
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. αααααΎααααααΆααα IPSEC
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. αααααΎααααααα IPSEC
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. αααααΎα IPSEC peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
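Steps 1 to 7 above are pasted by hand, and two of them are easy to get subtly wrong: the fasttrack exclusion in step 1 (a fasttracked connection skips the IPsec policy lookup, so its packets never enter the tunnel) and the cryptographic choices in steps 4 and 6 (3des, modp1024 and pfs-group=none are legacy settings that a current deployment should avoid). The script below is an added example, not code from the habr article or from MikroTik: it parses a RouterOS export into entries and audits exactly those points, plus whether the raw accept rules of step 2 cover each subnet pair in both directions. The CONFIG text is a constructed copy of the page's own commands, with documentation-range addresses (203.0.113.10, 192.0.2.20) standing in for the page's placeholders.

```python
"""Audit a RouterOS (MikroTik) export for the IPsec/fasttrack pitfalls of
the procedure above.  Added example; CONFIG is a constructed copy of the
page's commands, joined onto single lines, with placeholder addresses."""
import re
import shlex

CONFIG = """
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
/ip ipsec peer
add address=203.0.113.10/32 local-address=192.0.2.20 name=CO profile=profile_88
"""

WEAK_ENC = {"des", "3des", "blowfish", "null"}   # legacy / no-confidentiality ciphers
WEAK_DH = {"modp768", "modp1024"}                 # DH groups below 2048 bits


def parse_routeros(text):
    """Return a list of {'section', 'cmd', 'params'} dicts.  A '/path' line
    selects the section; 'add'/'set' lines (or a '/path add ...' one-liner)
    become entries.  '[ find ... ]' selectors are dropped before tokenising."""
    entries, section = [], None
    for raw in text.splitlines():
        line = re.sub(r"\[.*?\]", "", raw).strip()
        if not line:
            continue
        tokens = shlex.split(line)          # honours quoted values such as comment="ipsec in"
        if tokens[0].startswith("/"):
            verb = next((i for i, t in enumerate(tokens) if t in ("add", "set")), len(tokens))
            section, tokens = " ".join(tokens[:verb]), tokens[verb:]
        if tokens and tokens[0] in ("add", "set"):
            params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append({"section": section, "cmd": tokens[0], "params": params})
    return entries


def weak_ipsec_settings(entries):
    """Flag phase-1 (profile) and phase-2 (proposal) choices that are weak or
    that switch a protection off.  Returns human-readable findings."""
    findings = []
    for e in entries:
        p = e["params"]
        label = p.get("name", "default" if e["cmd"] == "set" else "?")
        if e["section"] == "/ip ipsec proposal":
            for alg in sorted(set(p.get("enc-algorithms", "").split(",")) & WEAK_ENC):
                findings.append(f"proposal {label}: enc-algorithms includes {alg}")
            if p.get("pfs-group") == "none":
                findings.append(f"proposal {label}: pfs-group=none (no perfect forward secrecy)")
            if "md5" in p.get("auth-algorithms", ""):
                findings.append(f"proposal {label}: auth-algorithms includes md5")
        elif e["section"] == "/ip ipsec profile":
            for alg in sorted(set(p.get("enc-algorithm", "").split(",")) & WEAK_ENC):
                findings.append(f"profile {label}: enc-algorithm includes {alg}")
            if p.get("dh-group") in WEAK_DH:
                findings.append(f"profile {label}: dh-group={p['dh-group']}")
            if p.get("dpd-interval") == "disable-dpd":
                findings.append(f"profile {label}: dead peer detection disabled")
            if e["cmd"] == "add" and not (p.keys() & {"dh-group", "enc-algorithm"}):
                findings.append(f"profile {label}: relies on RouterOS defaults for dh-group/enc-algorithm (not audited here)")
    return findings


def fasttrack_excludes_ipsec(entries):
    """True only if every fasttrack-connection rule carries connection-mark=!X
    for each mark the mangle chain assigns to ipsec-policy traffic."""
    ipsec_marks = {e["params"]["new-connection-mark"] for e in entries
                   if e["section"] == "/ip firewall mangle"
                   and "ipsec-policy" in e["params"] and "new-connection-mark" in e["params"]}
    fasttrack = [e for e in entries if e["section"] == "/ip firewall filter"
                 and e["params"].get("action") == "fasttrack-connection"]
    if not ipsec_marks or not fasttrack:
        return False
    return all(rule["params"].get("connection-mark") == f"!{mark}"
               for rule in fasttrack for mark in ipsec_marks)


def raw_rules_symmetric(entries):
    """Return (src, dst) pairs of enabled raw accept rules whose reverse
    direction has no enabled accept rule (empty list means every pair is covered both ways)."""
    pairs = {(e["params"].get("src-address"), e["params"].get("dst-address"))
             for e in entries if e["section"] == "/ip firewall raw"
             and e["params"].get("action") == "accept"
             and e["params"].get("disabled", "no") != "yes"}
    return sorted(p for p in pairs if (p[1], p[0]) not in pairs)


if __name__ == "__main__":
    entries = parse_routeros(CONFIG)
    for finding in weak_ipsec_settings(entries):
        print("WEAK:", finding)
    print("fasttrack excludes IPsec:", fasttrack_excludes_ipsec(entries))
    print("raw accept pairs missing reverse:", raw_rules_symmetric(entries))
```

Run it against the output of `/export` (without `compact`) from the CAP ac: on the page's configuration it reports 3des in prop1 and the profiles, modp1024 on profile_1 and profile246, no PFS, DPD disabled on the default profile, and that profile_88 (the one peer CO actually uses) inherits RouterOS defaults, while the fasttrack exclusion and the raw accept pairs check out. Remove `connection-mark=!ipsec` from the filter rule and the fasttrack check turns False, which is the case the step 1 comment warns about.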
α₯α‘αΌαααααααααΆαααααααααααΆαααααα½αα ααα½αα αααααΆααααα»ααα·αααΆαα·αα ααααααΆααααααΌαααΆαααααααα ααΎα§αααααααΆααα’αααα ααΎαααααΆααααααααααααα»α ααΌα αααααααα»αααααΌααααααα½α DHCP αα ααΎαααααΆααααα½α ααα»ααααααΆααα ααα»ααααα Mikrotik αα·αα’αα»ααααΆαα±ααα’ααααααα½ααααα»αα’αΆααααααΆαα αααΎαααΆααα½ααα ααΎααααΆααα½α ααΌα αααααααα»αααΆαααααΎααα·ααΈαααααααΆααα½α αααααΊαααααΆαααα»αααααΌααααα½ααα αααα»αααΎααααααααΎα DHCP Lease ααΆαα½ααααΆαααΆααααααααααα α αΎαα αΆααααΆααααΈ netmask, gateway & dns ααααΆαααααααααΎααα αααα»α DHCP αααα»αααΆααααααΆααααΆαααααα
αααααΎα 1.DHCP
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2.DHCP αα½α
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
αααα»ααααααΆαα½αααααΆααα ααΆαααααα 1072 ααΊα’αα»ααααααΆααΌαααααΆα αα»αααααΆααα ααα’αΆααααααΆα IP αααα’αα·αα·αααααα»αααΆαααααα ααΆααααΌαααΆααααα αΆαααΆα’αΆααααααΆα IP αααααΆααααα αΌαααααα αα·ααααααααΈα’αΆααα αα½αααααααΌαααΆααααααα±ααααΆααα αααααΆαααααΆαααΈαααααααα»αααααΌαααααααααΆ αααααΆαααααΊααΌα ααααΆαα ααΉαααΆαααααααα ααΆαααααααααα·ααΈ 192.168.55.0/24 α
ααΆααααααααααααα’αα»ααααΆαα±ααα’ααααα·αααααΆαααα αα»αααααΌαααααΆαααααααααα·ααΈααΆααΈααΈααΈ α αΎαααααΌαααΌααααααααΈαααα½αα―αααααΌαααΆαααΎαα‘αΎαααααααααααααΆααααααΌαααΆαα ααΆααααα»ααααααααΆαααΈαααααα CAP ac ααΊααααΎααααα·α αα½α αααα»αααΊ 8-11% αααα»αααααΏα 9-10MB / s αα αααα»αααααΌαααΌααααααααΈα
ααΆααααααααΆααα’ααααααΌαααΆαααααΎα‘αΎαααΆαααα Winbox αααααΈααΆααα½αααΆαααααααααΌα
ααααΆ ααΆα’αΆα
ααααΌαααΆαααααΎααΆαααααα»αααΌααααααα
Source: www.habr.com