Aiuto VPN IPSEC

[ibrahimovich87]

Ragazzi buongiorno,

ieri ho dovuto resettare il mio Mikrotik modello RB951G per una configurazione inserita male, avevo ovviamente i backup ma non sono riuscito in alcun modo a ripristinarli (mi chiedeva la password ma non li ho MAI criptati....ho provato ovviamente ad inserire la password di accesso al router ma niente...) Sto cercando quindi di ricreare tutte le configurazioni ma essendo un completo novizio, come è stata la prima volta che ho fatto quelle configurazione è lo stesso per ora...praticamente dovrei tirare su due VPN IPSEC verso 2 centri situati in luoghi diversi, tramite alcune guide sono riuscito a farle connettere....ma su una collegandomi su di un PC tramite VNC ho una lentezza mostruosa, sull'altra nonostante la connessione sia in stato "established" non riesce a fare nulla....

Praticamente la situazione è questa:

- Sede Principale
- Pal: Ip Pubblico 79.58.xx.xx
IP Interno 192.168.98.xx
Prima Sede Alternativa
- Tiv : Ip Pubblico 212.210.xx.x
Ip Privato: 192.168.54.xx
Seconda Sede Alternativa
- Vell: Ip Pubblico 188.9.xx.xx
Ip Privato: 192.168.5.xx

Vi prego non so veramente più dove mettere le mani...

[radiation]

I backup se richiedono la password è quella di amministrazione della RB con la quale sono stati creati.

Discorso IPsec tra cosa avviene? Sono due Mikrotik?
Nelle route hai specificato le rotte?

[ibrahimovich87]

Ciao Andrea,

scusa manca qualcosa,

Allora il punto centrale è un Mikrotik gli altri sono 2 Draytek


Credo di non aver specificato le rotte non so minimamente come si fa

[ibrahimovich87]

Questo è l'export del mio mikrotik

"[admin@MikroTik] > export
# jan/12/2018 14:32:42 by RouterOS 6.41
# software id = 5FQC-XBNF
#
# model = 951G-2HnD
# serial number = 642E071F78C1
/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
igmp-snooping=yes name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=\
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
1Mbps,2Mbps,5.5Mbps,11Mbps country=italy distance=indoors frequency=2422 \
mode=ap-bridge name=Miko rate-set=configured ssid=Miko wireless-protocol=\
802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=@alicebiz.routed use-peer-dns=yes user=@alicebiz.routed
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=xxxx \
wpa2-pre-shared-key=xxxxx
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-256-gcm,3des,blowfish lifetime=0s
/ip pool
add name=dhcp ranges=192.168.98.150-192.168.98.190
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=Miko
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=mactel
/ip settings
set accept-redirects=yes
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=Miko list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=\
192.168.98.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
192.168.98.4 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.4 name=router
/ip firewall filter
add action=accept chain=input dst-port=500,4500,1701 ingress-priority=0 \
priority=0 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward comment=Tivoli connection-state=\
established,related dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=forward comment=Velletri connection-state=\
established,related dst-address=192.168.5.0/24 src-address=192.168.98.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!mactel
add action=accept chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.54.0/24 src-address=\
192.168.98.0/24
add action=accept chain=srcnat comment=NAT_Velletri dst-address=192.168.5.0/24 \
src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
pppoe-out1 out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.54.0/24 \
dst-address-list=212.210.xx.xx src-address=192.168.98.0/24 \
src-address-list=79.58.xxx.xx
/ip ipsec peer
add address=212.210.xx.x/32 comment=VPN_Tivoli dh-group=modp1024 \
enc-algorithm=aes-256,aes-192,aes-128,blowfish nat-traversal=no secret=\
xxxx
add address=188.9.xx.xxx/32 comment=VPN_Velletri dh-group=modp1024 \
enc-algorithm=aes-256,aes-192,aes-128,blowfish nat-traversal=no secret=\
xxxxxx
/ip ipsec policy
set 0 disabled=yes
add comment=VPN_Tivoli dst-address=192.168.54.0/24 sa-dst-address=212.210.xx.xxx \
sa-src-address=79.58.xx.xx src-address=192.168.98.0/24 tunnel=yes
add comment=VPN_Velletri dst-address=192.168.5.0/24 sa-dst-address=188.9.198.82 \
sa-src-address=79.58.xx.xx src-address=192.168.98.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel"