technical:ipsec:routeros

technical:ipsec:routeros [2024/06/19 21:14] jctechnical:ipsec:routeros [2024/12/13 15:52] (current) jc
Line 2: Line 2:
 # RouterOS Site to Site IPSec VPN # RouterOS Site to Site IPSec VPN
  
-## Create Peer+## Create IPSec 
 + 
 +### Peer
  
 ``` ```
 /ip/ipsec/peer/add name="$peer_name" address=$peer_address profile=$profile_name exchange-mode=ike2 send-initial-contact=yes /ip/ipsec/peer/add name="$peer_name" address=$peer_address profile=$profile_name exchange-mode=ike2 send-initial-contact=yes
 ``` ```
-## Create Identity+##Identity
 ``` ```
 /ip/ipsec/identity/add peer=$peer_name auth-method=pre-shared-key secret="$secret" generate-policy=no policy-template-group=$policy_name /ip/ipsec/identity/add peer=$peer_name auth-method=pre-shared-key secret="$secret" generate-policy=no policy-template-group=$policy_name
 ``` ```
-## Create Proposal+##Proposal
 ``` ```
 /ip/ipsec/proposal/add name="$proposal_name" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048 /ip/ipsec/proposal/add name="$proposal_name" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048
 ``` ```
-## Create Profile+##Profile
 ``` ```
 /ip/ipsec/profile/add name="$profile_name" hash-algorithm=sha256 prf-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5 /ip/ipsec/profile/add name="$profile_name" hash-algorithm=sha256 prf-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
 ``` ```
-## Create Policy+##Policy
 ``` ```
 /ip/ipsec/policy/add peer=$peer_name tunnel=yes src-address=$local_subnet src-port=any dst-address=$remote_subnet dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=0.0.0.0 sa-dst-address=$dest_addr proposal=$proposal_name priority=0x20000 ph2-count=1 ph2-state=no-phase2 /ip/ipsec/policy/add peer=$peer_name tunnel=yes src-address=$local_subnet src-port=any dst-address=$remote_subnet dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=0.0.0.0 sa-dst-address=$dest_addr proposal=$proposal_name priority=0x20000 ph2-count=1 ph2-state=no-phase2
 ``` ```
-## Create NAT Rule+## Create Firewall NAT Rule
 ``` ```
 /ip/firewall/nat/add chain=srcnat action=accept src-address=$local_subnet dst-address=$remote_subnet log=no log-prefix="" place-before=0 /ip/firewall/nat/add chain=srcnat action=accept src-address=$local_subnet dst-address=$remote_subnet log=no log-prefix="" place-before=0
 +```
 +## ~WIP~ Dynamic IPSec IPv4 or IPv6 Address
 +
 +### Script
 +```
 +:global ip [:resolve myip.opendns.com server=208.67.222.222];
 +put $ip
 +
 +```
 +
 +### Pre-deployment
 +```
 +scp dynamic_ipsec_script.sh $user@hostname
 +```
 +## DNS Server
 +
 +```
 +$hostname A $IPv4|$IPv6
 ``` ```
 </markdown> </markdown>
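Review bot: the new Dynamic IPSec script ends with `put $ip`, which is not a RouterOS scripting command; the print command is `:put $ip`, so the script as written fails after the `:resolve` line. Two more defects in the added blocks: the Pre-deployment line `scp dynamic_ipsec_script.sh $user@hostname` lacks the colon after the host, so scp copies the file to a local file literally named `$user@hostname` instead of to the router (it should end in `$user@hostname:`, and a RouterOS script would conventionally be a `.rsc` file rather than `.sh`); and the DNS Server line `$hostname A $IPv4|$IPv6` is wrong for the IPv6 case, because an A record only carries an IPv4 address and an IPv6 address belongs in an AAAA record. On style, the four renamed headings (Identity, Proposal, Profile, Policy) drop the space after `##`, which CommonMark-based renderers will not treat as headings; the `### Peer` heading added just above shows the right form. Finally, nothing in the diff yet feeds the resolved address into `/ip/ipsec/peer` or the DNS record, so the `~WIP~` marker is warranted; when that part lands, note that the unchanged profile line keeps `proposal-check=obey`, which accepts whatever Phase 1 lifetime the initiator sends rather than enforcing the configured one.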
technical/ipsec/routeros.1718846045.txt.gz · Last modified: 2024/06/19 21:14 by jc