Mikrotik. IPSEC VPN behind NAT as a client

Good day, everyone!

A couple of years ago our company gradually moved over to Mikrotik. The core nodes are built on the CCR1072, and the local access points for the computers run on simpler devices. Naturally, there is also the joining of networks over an IPSEC tunnel; in that case the setup is quite simple and causes no trouble, and fortunately there is plenty of material on the web. But there is a specific problem with the connections of mobile clients: the manufacturer's wiki tells you to use the Shrew Soft VPN client (apparently everything is clear on that basis), and that is the client used by 99% of remote-access users, and the 1% is me, simply lazier than everyone else. As soon as I enter my login and password in the client, I want to slouch lazily in my chair with a convenient connection to the working network. I could not find any instructions for setting up Mikrotik for the case of being not just behind a grey address, but completely grey and possibly behind several NATs along the way. So I had to work it out myself, and I suggest you take a look at the result.

Given:

  1. CCR1072 as the core device, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The key part of the setup is that the PC and the Mikrotik must be on the same network and use the same address that is issued by the central 1072.

Let's move on to the configuration:

1. Yes, we can use Fasttrack, but since fasttrack is not compatible with VPN, we have to exclude its traffic.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add the pass-through connections from/to home and work

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24

3. Create the user connection identity

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<shared key> xauth-login=username xauth-password=password

4. Create an IPSEC proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPSEC policies

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes

6. Create an IPSEC profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create an IPSEC peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
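A consistency check over an export like the one in steps 1 to 7 (an added example, written for this article rather than taken from it or from MikroTik): it re-joins the wrapped lines of the listing into records, then verifies that fasttrack excludes the ipsec connection mark (step 1), that every policy subnet pair has an enabled raw accept rule in both directions (step 2), and flags proposals using 3DES or no PFS group (step 4). The embedded export is a constructed cut-down sample, with 203.0.113.10 standing in for <white IP 1072> and one raw rule deliberately disabled so the check has something to report.

```python
import re
# Constructed sample (not the article's export verbatim): a cut-down copy of its records,
# <white IP 1072> replaced by 203.0.113.10, and the return-direction raw rule disabled.
EXPORT = """\
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
/ip firewall raw
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.33.0/24
    src-address=10.7.76.0/24
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=
    203.0.113.10 sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
"""

def parse_export(text):
    """Return {section: [record, ...]}; an indented line continues the line before it."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:  # wrapped continuation, as in the article's listing
            lines[-1] += ("" if lines[-1].endswith(("=", ",")) else " ") + raw.strip()
        elif raw.strip(): lines.append(raw.rstrip())
    cfg, section = {}, None
    for line in lines:
        if line.startswith("/"): section = line
        elif line.startswith("add "):  # 'set [ find ... ]' lines are not records, skip them
            kv = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            cfg.setdefault(section, []).append({k: v.strip('"') for k, v in kv})
    return cfg

def fasttrack_skips_ipsec(cfg):
    """Step 1: every fasttrack rule must exclude the ipsec connection mark."""
    return all(r.get("connection-mark") == "!ipsec" for r in cfg.get("/ip firewall filter", [])
               if r.get("action") == "fasttrack-connection")

def missing_raw_accepts(cfg):
    """Step 2: policy subnet pairs with no enabled raw accept rule in that direction."""
    ok = {(r.get("src-address"), r.get("dst-address")) for r in cfg.get("/ip firewall raw", [])
          if r.get("action") == "accept" and r.get("disabled") != "yes"}
    pairs = [(p["src-address"], p["dst-address"]) for p in cfg.get("/ip ipsec policy", [])]
    pairs += [(d, s) for s, d in pairs]  # the return direction
    return [pair for pair in pairs if pair not in ok]

def weak_proposals(cfg):
    """Step 4: proposals using DES/3DES or no PFS group; the article's prop1 hits both."""
    return [p["name"] for p in cfg.get("/ip ipsec proposal", [])
            if re.search(r"\b3?des\b", p.get("enc-algorithms", "")) or p.get("pfs-group") == "none"]
```

Run it against a real `/export` by replacing EXPORT with the file contents; the disabled return-direction rule in the sample shows up as the one missing pair.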

Now for a bit of magic. Since I did not want to change the settings on every device on the network, I had to bring up DHCP on the same interface, but Mikrotik reasonably does not let you create more than one address pool on a single bridge, so I found a trick: for the computer I created a DHCP lease and set its parameters by hand, and since netmask, gateway & dns also have option numbers in DHCP, I specified them manually too.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

The configuration of the 1072, meanwhile, is ordinary: only an IP address is issued to the client, and the settings specify that a manually assigned IP address should be issued rather than one from the pool. For ordinary users connecting from their own computers, the subnet is the same as in the Wiki setup, 192.168.55.0/24.

This setup lets you avoid connecting to your PC through third-party software, and the tunnel itself is brought up by the router when needed. The load on the cAP ac client is almost negligible, 8-11% at a speed of 9-10 MB/s through the tunnel.

All the settings were made via Winbox, although they can just as well be done from the console.

source: www.habr.com