Вы находитесь на странице: 1из 11

Mikrotik

, .
,

.
, , ,
, ,
.
, Mikrotik
.
, .

, RouterOS Mikrotik
:

PPTP;
L2TP;
IPSec;
PPPOE;
IP2IP.
EoIP;
802.1Q VLAN.



. ,
, .

, .

.
Mikrotik 1 Mikrotik 2 .
, IP-
. 192.168.5.0, 192.168.5.1 192.168.5.2 , ..
.
,
.
PPTP
PPTP (Point to Point Tunnel Protocol) " ". PPTP
,
. , ,

.

PPTP :

;
;

;

PPTP Mikrotik :

mschap2;
mschap1;
chap;
pap.

, mschap2,
.
PPTP EoIP (EthernetOverIP),

. EoIP ,
Ethernet .
" "
.
PPTP
, RouterOS Mikrotik .
PPTP Server
/interface pptp-server server set enabled=yes

/ppp profile add name=filial only-one=yes use-compression=yes use-encryption=yes use-vj-compression=yes
/ppp secret add name=newuser password=newpassword local-address=192.168.5.1 profile=filial remoteaddress=192.168.5.2 service=pptp

" PPTP "
/interface pptp-server add name=filial user=newuser

:
/interface pptp-client add name=filial_connection connect-to=192.168.1.1 user=newuser
password=newpassword allow=mschap2 disabled=no
,
, .
-
, .

, :
/ip route add dst-address=192.168.20.0/24 gateway=192.168.5.1 pref-src=192.168.5.2
:
/ip route add dst-address=192.168.10.0/24 gateway=192.168.5.2 pref-src=192.168.5.1
,
L3.
, , OSI, EoIP
.
, PPTP
.
EoIP .
:
/interface eoip add name=filial_EoIP remote-address=192.168.5.1 disabled=no
:
/interface eoip add name=filial_EoIP remote-address=192.168.5.2 disabled=no
EoIP .
:
/interface bridge add
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=filial_EoIP
:
/interface bridge add
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=filial_EoIP

,
.

L2TP
L2TP PPTP, . L2TP

IPSec.
L2TP :

;
;
.

PPTP, L2TP - .
L2TP ,
.

.
.
L2TP .
PPTP Server
/interface l2tp-server server set enabled=yes
:
/ppp profile add name=filial only-one=yes use-compression=yes use-encryption=yes use-vj-compression=yes
/ppp secret add name=newuser password=newpassword local-address=192.168.5.1 remoteaddress=192.168.5.2 service=l2tp profile=filial

" PPTP ":
/interface l2tp-server add name=filial user=newuser

:
/interface l2tp-client add name=filial_connection connect-to=192.168.1.1 user=newuser
password=newpassword allow=mschap2 disabled=no

IP2IP
IP-IP .
IP IP .
IP DATA
.
- . IP2IP

. IP2IP ,
- ,
IPSec.
Cisco IOS
.
, -
IPIP.
IPIP : IP.

:
/interface ipip add name=tunnel1 local-address=192.168.1.1 remote-address=192.168.1.2 disabled=no
/ip address add address=192.168.5.1/24 interface=tunnel1 disabled=no
:
/interface ipip add name=tunnel1 local-address=192.168.1.2 remote-address=192.168.1.1 disabled=no
/ip address add address=192.168.5.2/24 interface=tunnel1 disabled=no
EoIP .

PPPOE
PPPOE PPP
. ,
, PPPOE.
, , .
PPP over Ethernet , OSI.
PPPOE PPTP ,
core- ,
.
PPPOE Mikrotik :

No encryption;
MPPE 40bit RSA
MPPE 128bit RSA

, .
,
. ,

.
PPPOE .
PPPOE :
/ppp profile add name=filial only-one=yes use-compression=yes use-encryption=yes
/interface pppoe-server server add interface=ether1 service-name=filial1one-session-per-host=yes defaultprofile=filial disabled=no use-vj-compression=yes
/ppp secret add name=newuser password=newpassword local-address=192.168.5.1 remoteaddress=192.168.5.2 service=pppoe
:
/interface pppoe-client add name=filial_connection service-name=filial1 user=newuser password=newpassword
allow=mschap2 disabled=no

VLAN
VLAN 2
OSI. 802.1Q
Ethernet .
, .
VLAN RouterOS Mikrotik 4095
.
VLAN ,
,
.
, 802.1Q

Realtek 8139;
Intel PRO/100;
Intel PRO1000 server adapter;
National Semiconductor DP83816 based cards (RouterBOARD200 onboard Ethernet, RouterBOARD
24 card);
National Semiconductor DP83815 (Soekris onboard Ethernet);
VIA VT6105M based cards (RouterBOARD 44 card);
VIA VT6105;
VIA VT6102 (VIA EPIA onboard Ethernet).

802.1Q
:

3Com 3c59x PCI;


DEC 21140 (tulip).

, VLAN
.
:
/interface vlan add name=vlan1 vlan-id=10 interface=ether1
/ip address add address=192.168.5.1/24 interface=vlan1
:
/interface vlan add name=vlan1 vlan-id=10 interface=ether1
/ip address add address=192.168.5.2/24 interface=vlan1
VLAN running,
:
ping 192.168.5.1
192.168.5.1 64 byte ping: ttl=255 time=1 ms
192.168.5.1 64 byte ping: ttl=255 time=3 ms

ping 192.168.5.2
192.168.5.2 64 byte ping: ttl=255 time=3 ms
192.168.5.2 64 byte ping: ttl=255 time=2 ms

IPSec
IPSec ,
. IPv6
.
IPSec :

;
.

ESP (Encapsulating Security Payload


) (Authentication Header ).
, AH
.
IKE (Internet
Key Exchange). :

- ,
(Security Associations SA).
;
.

IPSec, , :
( ) (
).
IP .
UDP ,
.
IP-.
IPSec AH (Authentification Header)
NAT. IP , IPSec
, .
NAT-Traversal, IPSec UDP
.
UDP IPSec
.
RouterOS Mikrotik IPSec:
, , ,
, , . ,
NAT-T, .
IPSec :

:
/ip ipsec policy add sa-src-address=192.168.1.1 sa-dst-address=192.168.1.2 action=encrypt
/ip ipsec peer add address=192.168.1.2/24 secret="drivermania.ru" generate-policy=yes
:
/ip ipsec policy add sa-src-address=192.168.1.2 sa-dst-address=192.168.1.1 action=encrypt
/ip ipsec peer add address=192.168.1.1 secret="aitec.md"
IPSec :
/ip firewall add chain=input protocol=udp dst-port=500 action=accept comment="Allow IKE" disabled=no
/ip firewall add chain=input protocol=ipsec-esp action=accept comment="Allow IPSec-esp" disabled=no
/ip firewall add chain=input protocol=ipsec-ah action=accept comment="Allow IPSec-ah" disabled=no
,

ip ipsec> counters print


out-accept:
out-accept-isakmp:
out-drop:
out-encrypt:
in-accept:
in-accept-isakmp:
in-drop:
in-decrypted:
in-drop-encrypted-expected:

7
0
0
8
16
0
0
7
0

IPSec 192.168.10.0/24
192.168.20.0/24 .
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 outinterface=public action=masquerade
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=encrypt tunnel=yes sasrc-address=192.168.1.1 sa-dst-address=192.168.1.2
/ip ipsec peer add address=192.168.1.2 exchange-mode=aggressive secret="aitec.md"

/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 dst-address=192.168.10.0/24 outinterface=public action=masquerade


/ip ipsec policy add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=encrypt tunnel=yes sasrc-address=192.168.1.2 sa-dst-address=192.168.1.1
/ip ipsec peer add address=192.168.1.1 exchange-mode=aggressive secret="aitec.md"
192.168.1.1 192.168.1.2
192.168.20.0 192.168.10.0.
, :
(policy)

(peer). ,
, IPSec, Proposals ManualSAs.
Proposals .
:

, : md5,
sha1, null;
: des, 3des, aes-128, aes-192, aes256, null.

modp768;
modp1024;
modp1536;
none.

Proposals (Policy)
ManualSAs
Security Associations.

SA .

SA:
/ip ipsec manual-sa add name=ah-sa1 ah-spi=0x101/0x100 ah-key=aitec.md
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=encrypt ipsecprotocols=ah tunnel=yes sa-src=192.168.1.1 sa-dst=192.168.1.2 manual-sa=ah-sa1

/ip ipsec manual-sa add name=ah-sa1 ah-spi=0x101/0x100 ah-key=aitec.md


/ip ipsec policy add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=encrypt ipsecprotocols=ah tunnel=yes sa-src=192.168.1.2 sa-dst=192.168.1.1 manual-sa=ah-sa1
, Peers , /
ManualSAs IKE .
IPSec ,
, .

,
.
, IPSec,
, PPTP/L2TP.
IP ,
PPPOE VLAN. ,

- IPIP. , ,
EoIP
.

,
. !


http://www.drivermania.ru/

Вам также может понравиться