Scribd Logo
Upload

Welcome to Scribd!

  • MikroTik (05.03.01) Cấu hình IPsec VPN trên Router MikroTik (CLI)

    Uploaded by

    Tuan Nguyen
    10 views3 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    10 views3 pages

    MikroTik (05.03.01) Cấu hình IPsec VPN trên Router MikroTik (CLI)

    Uploaded by

    Tuan Nguyen

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 3

    MikroTik: (05.03.

    01) Cấu hình IPsec VPN trên Router


    MikroTik (CLI)
    May 17, 2021

    Mục tiêu thực hành:


    - Cấu hình Phase1 Policy trên Router MikroTik.
    - Cấu hình Phase2 Policy trên Router MikroTik.
    - Cấu hình NAT Exemption trên Router MikroTik.
    - Kiểm tra kết nối IPsec VPN trên Router MikroTik.

    Các bước triển khai:


    Cấu hình Phase1 Policy trên Router MikroTik.
    /ip ipsec profile name="phase1.policy" hash-algorithm=sha1 enc-algorithm=3des dh-
    group=modp2048,modp1024,modp768 lifetime=1d proposal-check=obey 
    /ip ipsec peer name="IpsecDraytek" address=171.245.249.102/32 local-
    address=113.161.87.212 profile=phase1.policy
    /ip ipsec identity  peer=IpsecDraytek  auth-method=pre-shared-key secret="12345678"

    Cấu hình Phase2 Policy trên Router MikroTik.


    /ip ipsec proposal name="phase2.policy" auth-algorithms=sha1 enc-
    algorithms=3des lifetime=1d  pfs-group=none
    /ip ipsec policy peer=IpsecDraytek  tunnel=yes src-address=192.168.100.0/24 dst-
    address=172.16.31.0/24  action=encrypt  ipsec-protocols=esp sa-src-address=113.161.87.212  s
    a-dst-address=171.245.249.102 proposal=phase2.policy

    Cấu hình NAT Exemption trên Router MikroTik.


    - Đảm bảo NAT Exemption Entry nằm phía trước dòng NAT Overload Entry.
    /ip firewall nat chain=srcnat action=accept src-address=192.168.100.0/24 dst-
    address=172.16.31.0/24
    /ip firewall nat chain=srcnat action=masquerade  out-interface=PPPoE-VNPT

    Kiểm tra kết nối IPsec VPN trên Router MikroTik.


    [admin@DWN] > ip ipsec installed-sa print
    Flags: H - hw-aead, A - AH, E - ESP 
      0  E spi=0xB4E6A54 src-address=171.245.249.102 dst-address=113.161.87.212 
          state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
          auth-key="d6792290acb3a73111ed36dceeb30b070b69fa0a" 
          enc-key="eca944ac5a25ce8f818ee3cf7396e43b823fc9bd9bb61181" 
          addtime=may/16/2021 12:59:56 expires-in=10h46m50s add-lifetime=19h12m/1d 
          current-bytes=3691242 current-packets=19748 replay=128 

      1  E spi=0xBB4EAAA5 src-address=113.161.87.212 dst-address=171.245.249.102 
          state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
          auth-key="12f7631b8279012e8ad3ebd7ba4ee89d8fc67d90" 
          enc-key="fea6b5535bf427ae2d1007f339c8c39d6bba1d79c7b2d96b" 
          addtime=may/16/2021 12:59:56 expires-in=10h46m50s add-lifetime=19h12m/1d 
          current-bytes=6560 current-packets=104 replay=128 
    [admin@DWN] > 

    You might also like