Hi,
I need to set up an IPsec tunnel between a MikroTik and a Linux box. At the moment the tunnel appears to be up, but I cannot ping either side from the other. I don't know whether the fault is in the tunnel I created, in the routing table, or possibly in the firewall.
On the MikroTik side there is 1:1 NAT
Public IP: x.x.118.238
Router LAN: 192.168.88.33/24
On the Linux side:
Public IP: x.x.236.226
LAN: 192.168.1.0/22
MikroTik configuration
# oct/24/2016 15:15:05 by RouterOS 6.37.1
# software id = F2QE-XR6A
#
/interface bridge
add name=brige_lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1_LAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether6 ] name=ether6_WAN
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=1d
/ip pool
add name=dhcp_pool2 ranges=172.16.1.2-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=brige_lan name=dhcp1
/interface bridge port
add bridge=brige_lan interface=ether1_LAN
add bridge=brige_lan interface=ether2_LAN
add bridge=brige_lan interface=ether3_LAN
add bridge=brige_lan interface=ether4_LAN
add bridge=brige_lan interface=ether5
add bridge=brige_lan interface=wlan1
/ip address
add address=192.168.88.33/24 interface=ether6_WAN network=192.168.88.0
add address=172.16.1.1/24 interface=brige_lan network=172.16.1.0
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
/ip dns
set allow-remote-requests=yes servers=x.x.x.x,x.x.x.x
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=500 protocol=udp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=\
192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=\
172.16.1.0/24
add action=masquerade chain=srcnat out-interface=ether6_WAN src-address=\
172.16.1.0/24
/ip ipsec peer
add address=x.x.236.226/32 enc-algorithm=3des nat-traversal=no secret=\
xxxxx
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.0.0/18 level=unique priority=1 sa-dst-address=\
x.x.236.226 sa-src-address=x.x.118.238 src-address=172.16.1.0/24 \
tunnel=yes
/ip route
add distance=1 gateway=192.168.88.1
Linux configuration:
spdadd 192.168.0.0/16 172.16.1.0/24 any -P out ipsec
esp/tunnel/x.x.236.226-x.x.118.238/unique;
spdadd 172.16.1.0/24 192.168.0.0/16 any -P in ipsec
esp/tunnel/x.x.118.238-x.x.236.226/unique;
MikroTik log:
08:52:58 ipsec,debug,packet x.x.236.226 DPD monitoring....
08:52:58 ipsec,debug,packet compute IV for phase2
08:52:58 ipsec,debug,packet phase1 last IV:
08:52:58 ipsec,debug,packet 90b1f051 ff687685 ca85359f
08:52:58 ipsec,debug,packet hash(sha1)
08:52:58 ipsec,debug,packet encryption(3des)
08:52:58 ipsec,debug,packet phase2 IV computed:
08:52:58 ipsec,debug,packet 067fc5da dd4adab1
08:52:58 ipsec,debug,packet HASH with:
08:52:58 ipsec,debug,packet ca85359f 00000020 00000001 01108d28 8530521b 104f666a d806b1d2 e8cf1698
08:52:58 ipsec,debug,packet 00000e59
08:52:58 ipsec,debug,packet hmac(hmac_sha1)
08:52:58 ipsec,debug,packet HASH computed:
08:52:58 ipsec,debug,packet 0e283e18 12e1ff75 78f0aa43 c21f21e8 337c22d0
08:52:58 ipsec,debug,packet begin encryption.
08:52:58 ipsec,debug,packet encryption(3des)
08:52:58 ipsec,debug,packet pad length = 8
08:52:58 ipsec,debug,packet 0b000018 0e283e18 12e1ff75 78f0aa43 c21f21e8 337c22d0 00000020 00000001
08:52:58 ipsec,debug,packet 01108d28 8530521b 104f666a d806b1d2 e8cf1698 00000e59 843ac0e0 92e61607
08:52:58 ipsec,debug,packet encryption(3des)
08:52:58 ipsec,debug,packet with key:
08:52:58 ipsec,debug,packet 0a9b2423 add8d8bc 7629cc98 067c0bd5 24073118 d8357766
08:52:58 ipsec,debug,packet encrypted payload by IV:
08:52:58 ipsec,debug,packet 067fc5da dd4adab1
08:52:58 ipsec,debug,packet save IV for next:
08:52:58 ipsec,debug,packet 392d5df2 f481e6bd
08:52:58 ipsec,debug,packet encrypted.
08:52:58 ipsec,debug,packet 92 bytes from 192.168.88.33[500] to x.x.236.226[500]
08:52:58 ipsec,debug,packet sockname 192.168.88.33[500]
08:52:58 ipsec,debug,packet send packet from 192.168.88.33[500]
08:52:58 ipsec,debug,packet send packet to x.x.236.226[500]
08:52:58 ipsec,debug,packet src4 192.168.88.33[500]
08:52:58 ipsec,debug,packet dst4 x.x.236.226[500]
08:52:58 ipsec,debug,packet 1 times of 92 bytes message will be sent to x.x.236.226[500]
08:52:58 ipsec,debug,packet 8530521b 104f666a d806b1d2 e8cf1698 08100501 ca85359f 0000005c 21a2b16e
08:52:58 ipsec,debug,packet 886961bd bf9027b8 60deb228 1b0c52cc 6f1d5171 c360819a 71ee5a13 182c698e
08:52:58 ipsec,debug,packet ba75b5b0 f203b575 38479279 9dd9b314 2b8dfcd7 392d5df2 f481e6bd
08:52:58 ipsec,debug,packet sendto Information notify.
08:52:58 ipsec,debug,packet x.x.236.226 DPD R-U-There sent (0)
08:52:58 ipsec,debug,packet x.x.236.226 rescheduling send_r_u (5).
08:52:58 ipsec,debug,packet ==========
08:52:58 ipsec,debug,packet 92 bytes message received from 86.61.236.226[500] to 192.168.88.33[500]
08:52:58 ipsec,debug,packet 8530521b 104f666a d806b1d2 e8cf1698 08100501 f87f3ef5 0000005c 28e612ff
08:52:58 ipsec,debug,packet 84cf9b32 ea8c360e 28c58496 c48395d9 364e6d54 8a753daa d95a90ff 610db420
08:52:58 ipsec,debug,packet 900ea80a 8bf84dca b7662f0b 3b721de6 973e7558 347f8ffa 91a10bb0
08:52:58 ipsec,debug,packet receive Information.
08:52:58 ipsec,debug,packet compute IV for phase2
08:52:58 ipsec,debug,packet phase1 last IV:
08:52:58 ipsec,debug,packet 90b1f051 ff687685 f87f3ef5
08:52:58 ipsec,debug,packet hash(sha1)
08:52:58 ipsec,debug,packet encryption(3des)
08:52:58 ipsec,debug,packet phase2 IV computed:
08:52:58 ipsec,debug,packet 6b9578ea a201f4ae
08:52:58 ipsec,debug,packet encryption(3des)
08:52:58 ipsec,debug,packet IV was saved for next processing:
08:52:58 ipsec,debug,packet 347f8ffa 91a10bb0
08:52:58 ipsec,debug,packet encryption(3des)
08:52:58 ipsec,debug,packet with key:
08:52:58 ipsec,debug,packet 0a9b2423 add8d8bc 7629cc98 067c0bd5 24073118 d8357766
08:52:58 ipsec,debug,packet decrypted payload by IV:
08:52:58 ipsec,debug,packet 6b9578ea a201f4ae
08:52:58 ipsec,debug,packet decrypted payload, but not trimed.
08:52:58 ipsec,debug,packet 0b000018 12c6ffb0 b6b2c211 45c37010 c03d603c ad063a59 00000020 00000001
08:52:58 ipsec,debug,packet 01108d29 8530521b 104f666a d806b1d2 e8cf1698 00000e59 ce8092ff d69d9f07
08:52:58 ipsec,debug,packet padding len=8
08:52:58 ipsec,debug,packet skip to trim padding.
08:52:58 ipsec,debug,packet decrypted.
08:52:58 ipsec,debug,packet 8530521b 104f666a d806b1d2 e8cf1698 08100501 f87f3ef5 0000005c 0b000018
08:52:58 ipsec,debug,packet 12c6ffb0 b6b2c211 45c37010 c03d603c ad063a59 00000020 00000001 01108d29
08:52:58 ipsec,debug,packet 8530521b 104f666a d806b1d2 e8cf1698 00000e59 ce8092ff d69d9f07
08:52:58 ipsec,debug,packet HASH with:
08:52:58 ipsec,debug,packet f87f3ef5 00000020 00000001 01108d29 8530521b 104f666a d806b1d2 e8cf1698
08:52:58 ipsec,debug,packet 00000e59
08:52:58 ipsec,debug,packet hmac(hmac_sha1)
08:52:58 ipsec,debug,packet HASH computed:
08:52:58 ipsec,debug,packet 12c6ffb0 b6b2c211 45c37010 c03d603c ad063a59
08:52:58 ipsec,debug,packet hash validated.
08:52:58 ipsec,debug,packet begin.
08:52:58 ipsec,debug,packet seen nptype=8(hash) len=24
08:52:58 ipsec,debug,packet seen nptype=11(notify) len=32
08:52:58 ipsec,debug,packet succeed.
08:52:58 ipsec,debug,packet x.x.236.226 DPD R-U-There-Ack received
08:52:58 ipsec,debug,packet received an R-U-THERE-ACK
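The log above only shows DPD keepalives on the phase-1 SA, which says nothing about whether a phase-2 SA exists for the LAN traffic. With IKEv1 both ends must agree on the phase-2 traffic selectors, and a subnet that is written differently on the two sides is a common reason for a tunnel that "looks up" while no packet is ever encapsulated. As an added example (not part of the original post, and not MikroTik or ipsec-tools code), the following Python script parses the `/ip ipsec policy` line and the two `spdadd` lines quoted above, checks that the Linux SPD rules mirror the MikroTik policy, and checks that each stated LAN falls inside the selector meant to carry it. All addresses are taken from the post; the `x.x.` public addresses are the post's own placeholders and are not interpreted.

```python
import ipaddress
import re

# Policy text constructed from the two snippets quoted in the post:
# the RouterOS "/ip ipsec policy add ..." line and the Linux setkey spdadd lines.
MIKROTIK_POLICY = (
    "add dst-address=192.168.0.0/18 level=unique priority=1 "
    "sa-dst-address=x.x.236.226 sa-src-address=x.x.118.238 "
    "src-address=172.16.1.0/24 tunnel=yes"
)
LINUX_SPD = """
spdadd 192.168.0.0/16 172.16.1.0/24 any -P out ipsec esp/tunnel/x.x.236.226-x.x.118.238/unique;
spdadd 172.16.1.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/x.x.118.238-x.x.236.226/unique;
"""

# LANs as stated in the post. "192.168.1.0/22" has host bits set, so strict=False
# normalises it to the network it actually denotes, 192.168.0.0/22.
MIKROTIK_LAN = ipaddress.ip_network("172.16.1.0/24")
LINUX_LAN = ipaddress.ip_network("192.168.1.0/22", strict=False)


def parse_mikrotik_policy(line):
    """Return (src, dst) traffic selectors of a RouterOS '/ip ipsec policy add' line."""
    kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
    return (ipaddress.ip_network(kv["src-address"]),
            ipaddress.ip_network(kv["dst-address"]))


def parse_setkey_spd(text):
    """Return {'out': (src, dst), 'in': (src, dst)} from setkey spdadd lines."""
    rules = {}
    for m in re.finditer(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\b", text):
        rules[m.group(3)] = (ipaddress.ip_network(m.group(1)),
                            ipaddress.ip_network(m.group(2)))
    return rules


def check_selectors(mt_policy, spd):
    """List every way the two ends disagree about which traffic the tunnel carries.

    The Linux 'out' rule must be the exact mirror of the MikroTik policy and the
    Linux 'in' rule must equal it; anything else means the phase-2 identities
    proposed by the two peers differ. An empty list means the selectors agree.
    """
    mt_src, mt_dst = mt_policy
    problems = []
    if "out" not in spd or "in" not in spd:
        problems.append("setkey SPD is missing an 'in' or 'out' rule")
        return problems
    out_src, out_dst = spd["out"]
    in_src, in_dst = spd["in"]
    # Linux out: src is the Linux side, dst is the MikroTik side.
    if out_dst != mt_src:
        problems.append(f"Linux out dst {out_dst} != MikroTik src {mt_src}")
    if out_src != mt_dst:
        problems.append(f"Linux out src {out_src} != MikroTik dst {mt_dst}")
    # Linux in: same direction as the MikroTik policy, so it must be identical.
    if (in_src, in_dst) != (mt_src, mt_dst):
        problems.append(f"Linux in {in_src}->{in_dst} != MikroTik {mt_src}->{mt_dst}")
    # Each LAN has to sit inside the selector that is supposed to carry it.
    if not MIKROTIK_LAN.subnet_of(mt_src):
        problems.append(f"MikroTik LAN {MIKROTIK_LAN} not covered by src selector {mt_src}")
    if not LINUX_LAN.subnet_of(mt_dst):
        problems.append(f"Linux LAN {LINUX_LAN} not covered by dst selector {mt_dst}")
    return problems


def run_checks():
    """Compare the selectors quoted in the post and return the mismatches found."""
    return check_selectors(parse_mikrotik_policy(MIKROTIK_POLICY),
                           parse_setkey_spd(LINUX_SPD))


if __name__ == "__main__":
    for line in run_checks() or ["selectors are consistent"]:
        print(line)
```

Run against the post's snippets the script reports two mismatches, both caused by the remote network being 192.168.0.0/18 on the MikroTik and 192.168.0.0/16 in the Linux SPD. Whether that is the whole story cannot be told from a DPD log; the phase-2 negotiation (`/ip ipsec installed-sa` on RouterOS, `setkey -D` on Linux) shows whether an ESP SA was ever installed for these selectors.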