ipsec site to site

Post by fed7 » Tue 25 Aug 2020, 14:37

Hi everyone.
I've set up a series of site-to-site VPNs using IPsec between various RBs.
The RBs are 1100AHx4s.
At the moment there are 5, with two "hub" sites. Three RBs are connected to the first one over 3 tunnels.
On the second "hub" there is nothing at the moment except the "main" tunnel towards hub A, let's call it.
Ok.
Everything comes up .... but after a while it drops, or rather it freezes.
If I ping the router of the other site from one of the sites, it comes back up.

Ideas?
What have I missed?
Thanks,
Fed

Re: ipsec site to site

Post by abbio90 » Tue 25 Aug 2020, 18:46

Good evening, try attaching the configuration via pastebin

Re: ipsec site to site

Post by fed7 » Tue 1 Sep 2020, 16:59

abbio90 wrote: Good evening, try attaching the configuration via pastebin


Hi,
here it is.
If I ping the RB from the other side of the tunnel, it gets re-established. It's as if it were hibernated.
At the other end there is a 1100AHx4.
Could it be a hardware problem? In the sense that the 2011 is too "weak"?

Code: Select all
# sep/01/2020 16:46:06 by RouterOS 6.47.1
# software id =
#
# model = RB2011UiAS
# serial number =
/interface bridge
add admin-mac=C4:AD:34:21:3C:21 auto-mac=no comment=defconf name=bridge
add name=bridgetvcc
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=_pwd_ use-peer-dns=yes user=_user_wisp_
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=LAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=xx.yyy.kkk.zzz/32 name=BussolenoHQ
/ip pool
add name=dhcp ranges=192.168.103.10-192.168.103.254
add name=dhcp_pool1 ranges=192.168.203.10-192.168.203.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridgetvcc name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridgetvcc comment=defconf interface=ether6
add bridge=bridgetvcc comment=defconf interface=ether7
add bridge=bridgetvcc comment=defconf interface=ether8
add bridge=bridgetvcc comment=defconf interface=ether9
add bridge=bridgetvcc comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether6 list=LAN2
/ip address
add address=192.168.103.1/24 comment=defconf interface=ether2 network=\
    192.168.103.0
add address=192.168.203.1/24 interface=ether6 network=192.168.203.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.103.0/24 comment=defconf gateway=192.168.103.1 netmask=24
add address=192.168.203.0/24 gateway=192.168.203.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.203.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked \
    src-address=192.168.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.103.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8001 protocol=tcp to-addresses=\
    192.168.203.103 to-ports=8001
add action=dst-nat chain=dstnat dst-port=1554 protocol=tcp to-addresses=\
    192.168.203.103 to-ports=1554
add action=dst-nat chain=dstnat dst-port=2018 protocol=tcp to-addresses=\
    192.168.203.103 to-ports=2018
/ip ipsec identity
add peer=BussolenoHQ secret=_pwd_robusta!
/ip ipsec policy
add dst-address=192.168.0.0/24 level=unique peer=BussolenoHQ sa-dst-address=\
    xx.yyy.kkk.zzz sa-src-address=zz.yyy.jjj.xxx src-address=192.168.103.0/24 \
    tunnel=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=SANVALERIANO
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
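To sanity-check an export like the one posted above, here is an added example in Python (not from the thread, nor MikroTik's own tooling): it parses the RouterOS export format, including the backslash line wraps, and then checks that each tunnel policy references a defined peer and that its traffic is kept out of masquerade. The embedded export is a constructed excerpt modelled on the posted one; the second policy, its peer name 'BranchB' and the address 203.0.113.10 are invented.

```python
import shlex
# Constructed excerpt modelled on the export posted above; the 'BranchB' policy is invented.
SAMPLE_EXPORT = r"""
/ip ipsec peer
add address=203.0.113.10/32 name=BussolenoHQ
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.103.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none
/ip ipsec policy
add dst-address=192.168.0.0/24 level=unique peer=BussolenoHQ src-address=\
    192.168.103.0/24 tunnel=yes
add dst-address=192.168.0.0/24 peer=BranchB src-address=192.168.203.0/24 tunnel=yes
"""

def parse_export(text):
    """Parse a RouterOS '/export' dump into a list of (section path, {key: value}) entries."""
    entries, section, pieces = [], "", []
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")):
        # A trailing backslash wraps a statement; RouterOS drops the continuation's indentation.
        piece = raw.lstrip() if pieces else raw
        pieces.append(piece[:-1] if piece.endswith("\\") else piece)
        if piece.endswith("\\"):
            continue
        line, pieces = "".join(pieces), []
        if line.startswith("/"):
            section = line.strip()
            continue
        entries.append((section, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)))
    return entries

def check_tunnel_policies(entries):
    """Flag tunnel policies whose peer is undefined or whose traffic would be source-NATed."""
    findings = []
    peers = {f.get("name") for s, f in entries if s == "/ip ipsec peer"}
    nat = [f for s, f in entries if s == "/ip firewall nat" and f.get("chain") == "srcnat"]
    masq = next((i for i, f in enumerate(nat) if f.get("action") == "masquerade"), len(nat))
    masq_exempts = masq < len(nat) and nat[masq].get("ipsec-policy") == "out,none"
    for sec, pol in entries:
        if sec != "/ip ipsec policy" or pol.get("tunnel") != "yes":
            continue
        src, dst = pol.get("src-address"), pol.get("dst-address")
        if pol.get("peer") not in peers:
            findings.append(f"policy {src} -> {dst}: peer {pol.get('peer')!r} not defined")
        # Tunnel traffic must skip masquerade: an accept rule placed before it, or
        # ipsec-policy=out,none on the masquerade rule itself (as in the posted config).
        if not masq_exempts and not any(f.get("action") == "accept" and f.get("src-address") == src
                                        and f.get("dst-address") == dst for f in nat[:masq]):
            findings.append(f"policy {src} -> {dst}: traffic would be masqueraded before IPsec")
    return findings
```

Run it against a full `/export` to get one line per problem found; an empty list means the policies, peers and srcnat ordering are consistent.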

Re: ipsec site to site

Post by fed7 » Tue 1 Sep 2020, 17:07

I've also noticed that I can't manage the RBs from the remote sites.