記個備忘錄,免得之後忘了
# --- Certificates ---------------------------------------------------------
# Self-signed CA; its CRL is announced at 2.2.2.2 (presumably this router's
# public address). No days-valid is given, so the RouterOS default lifetime
# applies to every certificate below - NOTE(review): confirm that suits.
/certificate add name=ca common-name=ca
/certificate sign ca ca-crl-host=2.2.2.2
# Responder certificate: CN and IP SAN are set to the address the clients dial.
/certificate add name=server1 common-name=2.2.2.2 subject-alt-name=IP:2.2.2.2 key-usage=tls-server
/certificate sign server1 ca=ca
# One client certificate per road warrior, issued by the same CA.
/certificate add name=rw-client1 common-name=rw-client1 key-usage=tls-client
/certificate sign rw-client1 ca=ca
# --- Files handed to the client --------------------------------------------
# The PKCS#12 bundle carries the client's private key; the export passphrase
# is all that protects it once the file leaves the router, and the value used
# here is written down in this memo - NOTE(review): use a strong, unpublished
# passphrase for a real export.
/certificate export-certificate rw-client1 type=pkcs12 export-passphrase=1234567890
# CA certificate in PEM, for the client to trust the responder certificate.
/certificate export-certificate ca type=pem
# --- IKEv2 responder --------------------------------------------------------
# Phase 1 profile created with RouterOS defaults only: no hash-algorithm,
# enc-algorithm or dh-group is pinned here. NOTE(review): check the default
# algorithm set on this RouterOS version, or set them explicitly.
/ip ipsec profile add name=ike2
# Phase 2 proposal without PFS: child SA keys are derived from the IKE SA
# alone, so forward secrecy is given up (commonly done for client compatibility).
/ip ipsec proposal add name=ike2 pfs-group=none
# Addresses leased to connecting clients, each handed out as a /32 via mode-config.
/ip pool add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config add name=ike2-conf address-pool=ike2-pool address-prefix-length=32
# Policy template: anything destined for the client pool is the protected
# traffic; per-client policies are generated from this template.
/ip ipsec policy group add name=ike2-policies
/ip ipsec policy add template=yes group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 dst-address=192.168.77.0/24
# Passive peer: this router only answers IKE, it never initiates.
/ip ipsec peer add name=ike2 exchange-mode=ike2 passive=yes profile=ike2
# Certificate authentication with server1; policies are generated per port
# (port-strict) from the template group above. No remote-certificate is set,
# so presumably any client certificate chaining to a trusted CA is accepted -
# revoking a lost client then rests on the CRL published by the CA above.
/ip ipsec identity add peer=ike2 auth-method=digital-signature certificate=server1 mode-config=ike2-conf policy-template-group=ike2-policies generate-policy=port-strict
# --- Firewall (this router is the VPN responder) ---------------------------
# Insert these before the final drop rule of the input chain.
# IKE (500/udp), NAT-T (4500/udp) and ESP have to reach the router itself.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
# Decrypted tunnel traffic may reach the router; matching on the inbound
# IPsec policy means only packets that arrived through the tunnel are accepted.
# Only the input chain is covered here - nothing in this memo handles
# forward-chain access from clients to hosts behind the router.
/ip firewall filter add chain=input action=accept ipsec-policy=in,ipsec