Answer the question
In order to leave comments, you need to log in
IPSEC Mikrotik blind host?
Good afternoon, colleagues.
Faced the following problem.
Given: 5 Mikrotiks and 2 providers.
IPsec: Auth. Alg.: sha1 / Encr. Alg: 3des / PFS Group: modp 1024
1 Provider
All 4 Mikrotiks have almost the same firewall settings and identical IPsec settings. They see each other perfectly, because are located, at the same time, in the provider's L2 network.
2 Provider
It is seen by mikrotiks from the 1st network. They connect via RDP and go through it in every possible way. Mikrotik from the second provider does not see the very first provider, neither icmp, nor rdp, nothing.
Config of one of L2 Mikrotik
000.000.000.134 - local network 192.168.3.0
100.100.100.114 ##### (L2 Mikrotik) 192.168.8.0
200.200.200.130 ##### (L2 Mikrotik) 192.168.2.0
300.300.300.154 ###### (5 Mikrotik of the second provider) 192.168.10.0
I'm waiting for the second one to be brought. It is configured by analogy with this, except that the inversion of ip addresses.
#
# model = RB4011iGS+
# serial number = |Serial|
/interface bridge
add name=br1-lan
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC:13
set [ find default-name=ether2 ] mac-address=MAC:14 name=\
"ether2- for console"
set [ find default-name=ether3 ] name=ether3-wan
set [ find default-name=ether4 ] name=ether4-lan
set [ find default-name=ether5 ] mac-address=MAC:17 name=\
ether5-lan
set [ find default-name=ether6 ] mac-address=MAC:18 name=\
ether6-lan
set [ find default-name=ether7 ] mac-address=MAC:19 name=\
ether7-lan
set [ find default-name=ether8 ] mac-address=MAC:1A name=\
ether8-lan
set [ find default-name=ether9 ] mac-address=MAC:1B name=\
ether9-lan
set [ find default-name=ether10 ] mac-address=MAC:1C name=\
ether10-lan
set [ find default-name=sfp- sfpplus1 ] mac-address=MAC:1D
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
md5
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
add enc-algorithms=3des lifetime=8h name=100.100.100.114 ##### (L2 Mikrotik)
add enc-algorithms =3des lifetime=8h name=200.200.200.130 ##### (L2 Mikrotik)
add enc-algorithms=3des lifetime=8h name=300.300.300.154 ###### (5 Mikrotik second provider)
/interface bridge port
add bridge=br1-lan interface=ether4-lan
add bridge=br1-lan interface=ether5-lan
add bridge=br1-lan interface=ether6-lan
add bridge=br1-lan interface=ether7-lan
add bridge=br1-lan interface =ether8-lan
add bridge=br1-lan interface=ether9-lan
add bridge=br1-lan interface=ether10-lan
/interface list member
add interface=br1-lan list=LAN
add interface=ether1 list=WAN
/ip address
add address=000.000.000.134/28 interface=ether3-wan network=000.000.000.128
add address=192.168.3.1/24 interface=br1-lan network=192.168.3.0
add address=000.000.000.129 interface=ether3-wan network=000.000.000.129
/ip dns
set servers=DNS provider
/ip dns static
add address=192.168.3.1 name=MYLAN
/ip firewall filter
add chain=forward connection-nat-state=dstnat
add action=accept chain=input comment=to_192.168.2.0/24 src-address=\
200.200.200.130 ##### (L2 Mikrotik)
add action=accept chain=output comment=to_192 .168.2.0/24 dst-address=\
200.200.200.130 ##### (L2 Mikrotik)
add action=accept chain=forward comment=to_192.168.2.0/24 src-address=\
192.168.2.0/24
add action=accept chain=forward comment=to_192.168.2 .0/24 dst-address=\
192.168.2.0/24
add action=accept chain=input comment=to_192.168.10.0/24 src-address=\
300.300.300.154 ###### (5 Mikrotik second provider)
add action=accept chain=output comment=to_192.168.10.0/24 dst-address=\
300.300.300.154 ###### (5 Mikrotik second provider)
add action=accept chain=forward comment=to_192.168.10.0 /24 src-address=\
192.168.10.0/24
add action=accept chain=forward comment=to_192.168.10.0/24 dst-address=\
192.168.10.0/24
add action=accept chain=input comment=to_192.168.8.0/24 src-address=\
100.100.100.114 ##### (L2 Mikrotik)
add action=accept chain=output comment=to_192.168.8.0/24 dst -address=\
100.100.100.114 ##### (L2 Mikrotik)
add action=accept chain=forward comment=to_192.168.8.0/24 src-address=\
192.168.8.0/24
add action=accept chain=forward comment =to_192.168.8.0/24 dst-address=\
192.168.8.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3-wan
add action=accept chain=srcnat comment=to_192.168.2.0 /24 dst-address=\
192.168.2.0/24 src-address=192.168.3.0/24
add action=accept chain=srcnat comment=to_192.168.8.0/24 dst-address=\
192.168.8.0/24 src-address=192.168.3.0/24
add action=accept chain=srcnat comment=to_192.168.10.0/24 dst-address=\
192.168.10.0/24 src-address=192.168.3.0/24
/ ip ipsec peer
add address=200.200.200.130/32 secret=secret ##### (L2 Mikrotik)
add address=100.100.100.114/32 secret=secret ##### (L2 Mikrotik)
add address=300.300.300.154/ 32 secret=secret ###### (5 Mikrotik second provider)
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.8.0/24 proposal=100.100.100.114 sa-dst-address=\ ### ## (L2 Mikrotik)
100.100.100.114 sa-src-address=000.000.000.134 src-address=192.168.3.0/24 \
tunnel=yes
add dst-address=192.168.2.0/24 proposal=200.200.200.130 sa-dst-address=\ ##### (L2 Mikrotik)
200.200.200.130 sa-src-address=000.000.000.134 src-address=192.168.3.0 /24 \
tunnel=yes
add dst-address=192.168.10.0/24 proposal=300.300.300.154 sa-dst-address=\
300.300.300.154 sa-src-address=000.000.000.134 src-address=192.168.3.0/24 \ ###### (5 Mikrotik second provider)
tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=000.000.000.129
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=5556
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether3-wan type=external
add interface=br1-lan type=internal
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MYLAN
/system routerboard settings
set silent-boot=
no Mikrotik from the blind network is configured in the same way, with the inversion of ip wan and lan
Answer the question
In order to leave comments, you need to log in
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question