Molweni nonke!
Kwenzekile ukuba kwinkampani yethu kule minyaka mibini idlulileyo siye satshintshela kancinci kwi-microtics. Iinqununu eziphambili zakhiwe kwi-CCR1072, kwaye iindawo zokuxhunyelelwa kwendawo kwiikhomputha kwizixhobo zilula. Ewe kunjalo, kukho indibaniselwano yothungelwano ngetonela ye-IPSEC, kulo mzekelo, ukuseta kulula kakhulu kwaye akubangeli nabuphi na ubunzima, kuba kukho izinto ezininzi kwinethiwekhi. Kodwa kukho ubunzima obuthile ngoqhagamshelo lweselula lwabathengi, i-wiki yomenzi ikuxelela indlela yokusebenzisa umxhasi we-Shrew soft VPN (yonke into ibonakala icacile ngolu seto) kwaye ngulo mxhasi osetyenziswa yi-99% yabasebenzisi bokufikelela kude. , kunye ne-1% ndim, bendisonqena kakhulu nganye ndifake igama lokungena kunye negama lokugqitha kumxhasi kwaye bendifuna indawo eyonqenayo esofeni kunye noqhagamshelo olufanelekileyo kuthungelwano lomsebenzi. Andizange ndifumane imiyalelo yokuqwalasela iMikrotik kwiimeko xa ingekho emva kwedilesi engwevu, kodwa isemva ngokupheleleyo kumnyama kwaye mhlawumbi ii-NAT ezininzi kwinethiwekhi. Ke ngoko, kuye kwafuneka ndiphucule, kwaye ke ndicebisa ukujonga isiphumo.
Iyafumaneka:
- CCR1072 njengesixhobo esiphambili. uguqulelo 6.44.1
- CAP ac njengendawo yoqhagamshelwano lwasekhaya. uguqulelo 6.44.1
Into ephambili yokumisela kukuba i-PC kunye ne-Mikrotik kufuneka ibe kwinethiwekhi efanayo kunye nedilesi efanayo, ekhutshwe yi-1072 engundoqo.
Masiqhubele phambili kwiisetingi:
1. Ngokuqinisekileyo sivula i-Fasttrack, kodwa ekubeni i-fasttrack ayihambelani ne-vpn, kufuneka sinciphise i-traffic yayo.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Ukongeza inethiwekhi yokuthumela ukusuka / ukuya ekhaya nasemsebenzini
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24
src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24
src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
10.7.77.0/24
3. Yenza inkcazo yoqhagamshelwano lomsebenzisi
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
ΠΎΠ±ΡΠΈΠΉ ΠΊΠ»ΡΡ xauth-login=username xauth-password=password
4. Yenza isiphakamiso se-IPSEC
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Yenza uMgaqo-nkqubo we-IPSEC
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1"
sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1"
sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
192.168.33.0/24 tunnel=yes
6. Yenza iprofayili ye-IPSEC
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Yenza intanga ye-IPSEC
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<Π²Π°Ρ Π°Π΄ΡΠ΅Ρ ΡΠΎΡΡΠ΅ΡΠ°> name=CO profile=
profile_88
Ngoku malunga nomlingo olula. Ekubeni ndandingafuni ngokwenene ukutshintsha izicwangciso kuzo zonke izixhobo kwinethiwekhi yam yasekhaya, kuye kwafuneka ukuba ngandlela-thile ndixhome i-DHCP kwinethiwekhi efanayo, kodwa kunengqiqo ukuba iMikrotik ayikuvumeli ukuba uxhome ngaphezu kwechibi ledilesi enye kwibhulorho enye. , ngoko ke ndifumene i-workaround, eyile yelaptop, ndidale nje i-DHCP yokuQesha ngeeparamitha zesandla, kwaye ukusukela oko i-netmask, isango kunye ne-dns nazo zinamanani okhetho kwi-DHCP, ndizichaze ngesandla.
1.DHCP Iinketho
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2.DHCP yokuqeshisa
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
option1-netmask,option3-gateway,option6-dns mac-address=<MAC Π°Π΄ΡΠ΅Ρ Π½ΠΎΡΡΠ±ΡΠΊΠ°>
Ngelo xesha, ukubeka i-1072 ngokuqhelekileyo kuyisiseko, kuphela xa ukhupha idilesi ye-IP kumxhasi kwiisethingi kuboniswa ukuba idilesi ye-IP ifakwe ngesandla, kwaye kungekhona echibini, kufuneka inikwe kuye. Kubathengi bePC rhoqo, i-subnet iyafana noqwalaselo lwe-Wiki 192.168.55.0/24.
Ukusetwa okunjalo kukuvumela ukuba ungaxhumeki kwiPC ngesoftware yomntu wesithathu, kwaye itonela ngokwayo iphakanyiswe ngumzila njengoko kufuneka. Umthwalo womthengi we-CAP ac uphantse uncinci, i-8-11% ngesantya se-9-10MB / s kwi-tunnel.
Zonke iisetingi zenziwe ngeWinbox, nangona ngempumelelo efanayo inokwenziwa ngeconsole.
umthombo: www.habr.com