IPsec problem with hotspot

Everything about this Linux-based operating system: configurations, doubts, problems and more.

Post by varton27 » Fri 20 May 2016, 22:45

Hi all,
I have a problem with an IPsec configuration using NATted addresses on 2 internet lines. More precisely, I have 2 RBs:

1. RouterBoard RB1100, where I configured
Ether1 -> WAN with static IP on the modem, 192.168.2.2
Ether2 -> Hotspot with MAC address authentication, 100.100.0/23
Ether3 -> Office line, 192.168.10.0/24
Ether4 -> Line for IPsec, 10.10.10.0/23

2. RouterBoard RB493, where I configured
Ether1 -> WAN with static IP on the modem, 192.168.2.253
Ether2 -> Hotspot with MAC address authentication, 192.168.100.0/23
Ether3 -> Line for IPsec, 10.10.12.0/24

I used the IPsec configuration that I had used in another case with NATted IPs, which works correctly, but when I loaded that configuration on these RBs IPsec doesn't work.

Could the failed connection depend on the hotspot? Because the only difference from the previous time is precisely the hotspot. Or could it depend on the routing configuration of the ports?

Help me
varton27
Mikrotik Curious User
Posts: 7
Joined: Tue 17 May 2016, 21:54
Using RouterOS since version: v5.x

Re: IPsec problem with hotspot

Post by xanio » Sat 21 May 2016, 9:46

Hi,
if you think the problem is the hotspot, disable it and run your tests.

Without an export of the configuration it is hard to tell where the error might be; in an IPsec setup there are many possible factors.

Anyway, you can enable the logs and check whether during debugging you notice something wrong, such as the key not being shared, or errors in phase 2.

We await more info.
---
MTCNA - MTCRE
xanio
Staff rosIT
Posts: 1054
Joined: Mon 31 Oct 2011, 18:15
Location: Sicilia
Using RouterOS since version: v4.x
Mikrotik certifications: MTCNA - MTCRE
Other certifications: Milestone - Yeastar - Cambium
Preferred Training Centre: Grifonline

Re: IPsec problem with hotspot

Post by varton27 » Sun 22 May 2016, 18:31

I tried disabling the hotspot but the result doesn't change: IPsec doesn't work. The configuration of rb1 (RB1100 powerpc ver 6.35):

# may/22/2016 18:22:48 by RouterOS 6.35.2
# software id = R4BV-6CJ3
#
/interface ethernet
set [ find default-name=ether5 ] name=Istituto
set [ find default-name=ether4 ] name=Segret
set [ find default-name=ether3 ] name=Voip
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/ip hotspot profile
add dns-name=pxxxxo.xxx.it hotspot-address=100.100.0.1 name=hsprof1 \
smtp-server=8.8.8.8 use-radius=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=hs-pool-5 ranges=100.100.5.1-100.100.15.254
/ip dhcp-server
add address-pool=hs-pool-5 disabled=no interface=Istituto lease-time=1h name=\
dhcp1
/ip hotspot
add address-pool=hs-pool-5 disabled=no interface=Istituto name=hotspot1 \
profile=hsprof1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=WAN1 \
network=192.168.88.0
add address=10.10.10.1/23 interface=Voip network=10.10.10.0
add address=192.168.10.1/24 interface=Segret network=192.168.10.0
add address=100.100.0.1/20 interface=Istituto network=100.100.0.0
add address=192.168.1.249/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.253/24 interface=WAN2 network=192.168.2.0
/ip dhcp-server network
add address=100.100.0.0/20 comment="hotspot network" gateway=100.100.0.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
servers=8.8.8.8
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.1.0/24 in-interface=Segret
add chain=prerouting dst-address=192.168.2.0/24 in-interface=Segret
add chain=prerouting dst-address=192.168.1.0/24 in-interface=Istituto
add chain=prerouting dst-address=192.168.2.0/24 in-interface=Istituto
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Voip new-connection-mark=WAN1_conn \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Voip new-connection-mark=WAN2_conn \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Segret new-connection-mark=WAN1_conn \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Segret new-connection-mark=WAN2_conn \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Istituto new-connection-mark=WAN1_conn \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Istituto new-connection-mark=WAN2_conn \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=Voip new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=Voip new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=Segret new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=Segret new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=Istituto new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=Istituto new-routing-mark=to_WAN2
/ip firewall nat
add chain=srcnat dst-address=10.10.12.0/24 src-address=10.10.10.0/23
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=100.100.0.0/20
/ip hotspot ip-binding
add comment="Lab. Piano Terra - Server" mac-address=00:19:99:91:6F:C7 server=\
hotspot1 type=bypassed
......

add comment="aula magna" mac-address=A4:DB:30:76:AE:4A server=hotspot1 type=\
bypassed
/ip hotspot user
add name=admin password=xxxxx
/ip ipsec peer
# (the "/ip ipsec peer" section header above is missing from the pasted export;
#  the parameters on the next lines are peer parameters, not hotspot user parameters)
add address=xx.xx.xx.xx/32 dpd-interval=disable-dpd enc-algorithm=3des \
hash-algorithm=md5 local-address=0.0.0.0 secret=xxxxxx
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.10.12.0/24 sa-dst-address=xx.xx.xx.xx sa-src-address=\
192.168.2.253 src-address=10.10.10.0/23 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
/radius
add address=100.100.0.1 secret=HsLeto2016!! service=hotspot
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec

The configuration of the second RB (RB493AH mipsbe ver. 6.35) is identical; only the IPs change, as described above.
varton27
Mikrotik Curious User
Posts: 7
Joined: Tue 17 May 2016, 21:54
Using RouterOS since version: v5.x
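The two things a reviewer checks first in an export like the one above are whether the srcnat accept rule for the tunnel subnets sits above the masquerade rules (otherwise the source address is rewritten before the IPsec policy can match) and whether the router's own IKE/ESP packets, which follow the main routing table, actually leave on the WAN that owns sa-src-address. The script below is an added example, not code from this thread or from MikroTik: it parses the RouterOS export format (backslash continuation, quoted values, `set [ find ... ]`) and runs both checks. Its input is a trimmed excerpt of the RB1100 export posted above; 203.0.113.10 is a placeholder for the redacted xx.xx.xx.xx peer, the secret is redacted, and the `/ip ipsec peer` section header is an assumption (the paste lacks it).

```python
import ipaddress
import shlex

# Trimmed excerpt of the RB1100 export posted above; 203.0.113.10 stands in for the redacted
# peer address, the secret is redacted, and the "/ip ipsec peer" header is assumed (missing in the paste).
SAMPLE_EXPORT = """\
/ip address
add address=10.10.10.1/23 interface=Voip network=10.10.10.0
add address=192.168.1.249/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.253/24 interface=WAN2 network=192.168.2.0
/ip firewall nat
add chain=srcnat dst-address=10.10.12.0/24 src-address=10.10.10.0/23
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN1
/ip ipsec peer
add address=203.0.113.10/32 dpd-interval=disable-dpd enc-algorithm=3des \\
hash-algorithm=md5 local-address=0.0.0.0 secret=REDACTED
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.10.12.0/24 sa-dst-address=203.0.113.10 sa-src-address=\\
192.168.2.253 src-address=10.10.10.0/23 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
"""


def parse_export(text):
    """Return {section: [entry, ...]} with the command kept under '_cmd'; handles backslash
    continuation, '#' comments, quoted values and the '[ find ... ]' selector of 'set'."""
    logical, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            buf += piece[:-1]          # continuation: keep accumulating
            continue
        logical.append(buf + piece)
        buf = ""
    sections, current = {}, ""
    for line in logical:
        if line.startswith("/"):
            current = line
            continue
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        entry, in_selector = {"_cmd": tokens[0]}, False
        for tok in tokens[1:]:
            if tok in ("[", "]"):
                in_selector = tok == "["
            elif not in_selector and "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections.setdefault(current, []).append(entry)
    return sections


def interface_for(sections, ip):
    """Interface whose /ip address subnet contains ip, or '' if none does."""
    target = ipaddress.ip_address(ip)
    for e in sections.get("/ip address", []):
        if target in ipaddress.ip_interface(e["address"]).network:
            return e["interface"]
    return ""


def check_ipsec(sections):
    """Per enabled policy: the srcnat accept rule for the tunnel subnets must precede any
    masquerade rule, and the main-table default route must exit on the WAN owning sa-src."""
    findings = []
    nat = [r for r in sections.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    first_xlate = next((i for i, r in enumerate(nat) if r.get("action") in ("masquerade", "src-nat")), len(nat))
    mains = [r for r in sections.get("/ip route", [])
             if "routing-mark" not in r and r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"]
    best = min(mains, key=lambda r: int(r.get("distance", "1")), default=None)
    for pol in sections.get("/ip ipsec policy", []):
        if pol["_cmd"] != "add" or pol.get("disabled") == "yes":
            continue
        src, dst, sa_src = pol.get("src-address"), pol.get("dst-address"), pol.get("sa-src-address")
        # Accept must sit above masquerade, or the source is rewritten before the policy matches.
        accept_at = next((i for i, r in enumerate(nat) if r.get("action", "accept") == "accept"
                          and r.get("src-address") == src and r.get("dst-address") == dst), None)
        if accept_at is None or accept_at > first_xlate:
            findings.append(f"policy {src}->{dst}: no srcnat accept rule ahead of the masquerade rules")
        # Locally generated IKE/ESP follows the main table, so its exit WAN must own sa-src-address.
        if best and sa_src:
            sa_if, gw_if = interface_for(sections, sa_src), interface_for(sections, best["gateway"])
            if sa_if != gw_if:
                findings.append(f"policy {src}->{dst}: sa-src-address {sa_src} is on {sa_if} but the "
                                f"main-table default route via {best['gateway']} leaves on {gw_if}")
    return findings
```

On this excerpt `check_ipsec(parse_export(SAMPLE_EXPORT))` returns no NAT finding (the accept rule is already first) but one routing finding: sa-src-address 192.168.2.253 belongs to WAN2 while the distance-1 default route points at 192.168.1.1 on WAN1, so the router's own IKE traffic has no route pinning it to the line whose address the policy names; the mangle rules in the export only mark connections that arrived from outside. Lowering WAN1's default-route distance below WAN2's in the test input makes the finding disappear. The same export also pins both IKE phases to 3DES with MD5, which are deprecated choices worth replacing once the tunnel is up, although that is separate from why it fails to come up.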
