jchudoba To slyším poprvé, že by tohle bylo potřeba pro LE. A už vůbec nevím, že by IKEv2 běželo na 443. To jsou dva nesmysly v jednom odstavci.
https://letsencrypt.org/how-it-works/
Konkrétně:
First, the agent proves to the CA that the web server controls a domain. Then, the agent can request, renew, and revoke certificates for that domain.
A ještě dodám obrázek ze Synology - informace při obnovování certifikátu.
A netvrdím, že IKEv2 běží na 443, ale z nějakého důvodu tam ta pravidla vadila (443 i 80). Protože když jsem je vypnul, tak to začalo fungovat okamžitě. Opravdu vyzkoušeno několikrát, neplácám.
jchudoba A ještě by se hodil log na straně Mikrotiku, co v něm bylo ve chvíli, kdy probíhal popisovaný jev. Základem jakéhokoli troubleshootingu je číst logy, zejména na Mikrotiku jsou dost ukecané.
V logu byly pouze záznamy o připojení a odpojení spojení, stejná situace, jako když se připojím a pak se ručně odpojím.
jchudoba Nevíme, kolik podobných nesmyslů je v celé konfiguraci – rozhodně by to chtělo prověřit ji celou. A to jde dost těžko, dokud se tu neobjeví její export.
Export tady
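`# jun/24/2021 22:33:54 by RouterOS 6.48.2
# software id = M7PA-GS0M
# model = RB962UiGS-5HacT2HnT
# serial number = BEC50BE2D47B
#
# Export posted for review. Public addresses are masked by the author (185.xxx /
# 213.xxx) and no passwords or secrets appear, so this is presumably a hide-sensitive
# export. Lines starting with NOTE(review) are reviewer remarks (risk / suggested
# tightening), not changes. Changes made to the pasted text: the "#" lost on the
# export's own comment lines was restored, router.lan now points at the bridge
# address, and the client1 remote-id typo ("clien1") is corrected.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2442 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2472 name=channel11
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
frequency=5180 name=channel36
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
frequency=5220 name=channel44
add band=2ghz-b/g/n name=wlan-channel-2G
add band=5ghz-onlyac name=wlan-channel-5G
/interface bridge
# proxy-arp on the main bridge -- presumably so PPP VPN clients (10.10.10.x, see
# /ppp profile) can be answered for on the LAN side; confirm it is still needed.
add admin-mac=C4:AD:34:09:ED:37 arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
add name=bridge-guest
add name=bridge-loopback
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/caps-man datapath
# LAN datapath: no client-to-client forwarding on the LAN SSID, local forwarding on.
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=\
datapath-lan
add bridge=bridge-guest name=datapath-guest
/caps-man security
# WPA2-PSK with AES-CCM only (no TKIP, no WPA1) on both CAPsMAN SSIDs; the
# passphrases are not part of the export.
add authentication-types=wpa2-psk encryption=aes-ccm name=security-LAN
add authentication-types=wpa2-psk encryption=aes-ccm name=security-Guest
/caps-man configuration
add channel=wlan-channel-2G country="czech republic" datapath=datapath-lan \
installation=indoor mode=ap name=Configuration-Spotlight-2G security=\
security-LAN ssid=Spotlight-2G
add channel=wlan-channel-5G country="czech republic" datapath=datapath-lan \
installation=indoor mode=ap name=Configuration-Spotlight-5G security=\
security-LAN ssid=Spotlight-5G
add channel=wlan-channel-2G country="czech republic" datapath=datapath-guest \
installation=indoor mode=ap name=Configuration-Spotlight-Guest security=\
security-Guest ssid=Spotlight-Guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): WiFi_Password still accepts wpa-psk (WPA1). Both radios are managed
# by CAPsMAN (see /interface wireless below), so these local profiles are presumably
# idle; drop wpa-psk anyway so it cannot come back if CAPsMAN is ever disabled.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WiFi_Password \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
WiFi_Guest_Password supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(20dBm), SSID: Spotlight-2G, local forwarding
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
ap-bridge name=WLAN-2G security-profile=WiFi_Password ssid=Spotlight-2G \
station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(23dBm), SSID: Spotlight-5G, local forwarding
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
distance=indoors frequency=auto frequency-mode=manual-txpower \
installation=indoor mode=ap-bridge name=WLAN-5G security-profile=\
WiFi_Password ssid=Spotlight-5G station-roaming=enabled \
wireless-protocol=802.11 wps-mode=disabled
/ip ipsec policy group
add name=ike2-group
/ip ipsec profile
# IKE (phase 1) profile. NOTE(review): modp1024 is still offered; keep only
# modp2048 (or larger) unless a specific client needs the weaker group.
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
name=ike2-profile
/ip ipsec peer
# Responder-only IKEv2 peer bound to the (masked) public address.
add exchange-mode=ike2 local-address=185.xxx.xxx.xxx name=vpn-peer passive=yes \
profile=ike2-profile
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-256-cbc
# Child-SA proposal, strongest options listed first. NOTE(review): sha1 is still
# accepted and pfs-group=none disables perfect forward secrecy for the child SAs;
# prefer sha256+ and a PFS group if the clients support it.
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=ike2-proposal pfs-group=none
/ip pool
add name=DHCP_Pool ranges=192.168.96.10-192.168.96.254
add name=DHCP_Guest_Pool ranges=192.168.97.10-192.168.97.30
# Shared by IKEv2 mode-config and both PPP profiles below.
add name=VPN_Pool ranges=10.10.10.10-10.10.10.50
/ip dhcp-server
add address-pool=DHCP_Pool disabled=no interface=bridge name=DHCP
add address-pool=DHCP_Guest_Pool disabled=no interface=bridge-guest name=\
DHCP_Guest
/ip ipsec mode-config
# Full-tunnel VPN (split-include=0.0.0.0/0); clients get /32 addresses and use the
# router (10.10.10.1 on bridge-loopback) as DNS, which relies on
# allow-remote-requests and the "Allow VPN to RouterOS" input rule below.
add address-pool=VPN_Pool address-prefix-length=32 name=ike2-mode-config \
split-include=0.0.0.0/0 static-dns=10.10.10.1 system-dns=no
/ppp profile
add change-tcp-mss=yes dns-server=192.168.96.1 interface-list=LAN \
local-address=10.10.10.1 name=l2tp-profile remote-address=VPN_Pool
# NOTE(review): PPTP (MS-CHAPv2 + MPPE) is cryptographically broken. The pptp-server
# is not explicitly enabled in this export, but vpn_client1/vpn_client2 under
# /ppp secret are bound to this profile; remove both if PPTP is not in use.
add dns-server=192.168.96.1 local-address=10.10.10.1 name=pptp-profile \
remote-address=VPN_Pool use-encryption=yes
/queue simple
add disabled=yes max-limit=20M/10M name=qos-WAN target=ether1-WAN
add disabled=yes max-limit=1M/3M name=wos-test-client target=192.168.96.83/32
/system logging action
# Remote syslog (plain BSD syslog) to 192.168.96.2 on the LAN.
add bsd-syslog=yes name=syslog remote=192.168.96.2 target=remote
/user group
# "full" group widened to api/romon/dude/tikapp; harmless while those services stay
# disabled (see /ip service), but worth trimming to what the admin account uses.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
# CAPs are only accepted on the main bridge.
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
Configuration-Spotlight-2G name-format=identity slave-configurations=\
Configuration-Spotlight-Guest
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
master-configuration=Configuration-Spotlight-5G name-format=identity
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=WLAN-5G
add bridge=bridge interface=WLAN-2G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# L2TP/IPsec with MS-CHAPv2; the enabled flag and the ipsec-secret are not in this
# export.
set authentication=mschap2 default-profile=l2tp-profile use-ipsec=yes
/interface list member
# Only the main bridge is in LAN; bridge-guest is in neither list, which matters
# for the "drop all not coming from LAN" input rule below.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/interface ovpn-server server
# NOTE(review): OVPN server settings use sha1 and a certificate named "CA" as the
# server certificate; the enabled flag is not exported (default off). If OVPN is
# ever turned on, give it its own server certificate and a sha256 auth.
set auth=sha1 certificate=CA cipher=aes256 port=1195
/interface pptp-server server
set default-profile=default
/interface wireless cap
# The local radios act as a CAP towards the local CAPsMAN over bridge/bridge-guest.
set discovery-interfaces=bridge,bridge-guest enabled=yes interfaces=\
WLAN-2G,WLAN-5G
/ip address
add address=192.168.96.1/24 comment=defconf interface=bridge network=\
192.168.96.0
add address=192.168.97.1/24 interface=bridge-guest network=192.168.97.0
# VPN gateway / DNS address handed to IKEv2 and PPP clients.
add address=10.10.10.1/24 interface=bridge-loopback network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.96.5 client-id=1:48:8f:5a:23:64:1e mac-address=\
48:8F:5A:23:64:1E server=DHCP
/ip dhcp-server network
add address=192.168.96.0/24 comment=defconf dns-server=192.168.96.1 gateway=\
192.168.96.1
# Guest clients are pointed at the router's LAN address for DNS; see the guest
# input rule.
add address=192.168.97.0/24 dns-server=192.168.96.1 gateway=192.168.97.1
/ip dns
# The router resolves for whoever reaches the input chain: LAN, guest and VPN
# clients via the accept rules below; WAN is stopped by the final input drop.
set allow-remote-requests=yes
/ip dns static
# Fixed: the defconf entry still pointed at 192.168.88.1, which no interface has;
# the bridge address is 192.168.96.1.
add address=192.168.96.1 comment=defconf name=router.lan
add address=192.168.96.2 name=server.domena.cz
/ip firewall filter
# --- input chain ---
# Winbox from WAN is limited to one fixed source address.
add action=accept chain=input comment="Allow Winbox from PRACE" dst-port=\
8291 in-interface-list=WAN protocol=tcp src-address=213.xxx.xxx.xxx
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Decrypted IKEv2 traffic from the VPN subnet may reach any router service.
add action=accept chain=input comment="Allow VPN to RouterOS" ipsec-policy=\
in,ipsec src-address=10.10.10.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): the two "CAPsMAN" rules accept every protocol and port. The first
# is redundant (bridge is in LAN, so the final drop never hits it). The second lets
# the guest subnet reach any router address in 192.168.96.0/24 -- management ports
# included. The defconf loopback rule above already covers the local CAP, so what
# guests actually need here is presumably DNS (192.168.96.1, see dhcp-server
# network); limiting this rule to `protocol=udp dst-port=53` (plus tcp/53) would
# close the rest.
add action=accept chain=input comment=\
"CAPsMAN - Povoluje lokalni WLAN na CAPsMAN" dst-address=192.168.96.0/24 \
src-address=192.168.96.0/24
add action=accept chain=input comment=\
"CAPsMAN - Povoluje lokalni (Guest) WLAN na CAPsMAN" dst-address=\
192.168.96.0/24 src-address=192.168.97.0/24
# IKEv2 responder ports and ESP, pinned to the (masked) public address.
add action=accept chain=input comment="Allow IKE for IPsec" dst-address=\
185.xxx.xxx.xxx dst-port=500 protocol=udp
add action=accept chain=input comment="Allow NAT-T for IPsec" dst-address=\
185.xxx.xxx.xxx dst-port=4500 protocol=udp
add action=accept chain=input comment="Allow IPsec-ESP" dst-address=\
185.xxx.xxx.xxx protocol=ipsec-esp
# Final input drop. None of the drop rules has log=yes, so the "firewall" logging
# topic below stays empty -- add log=yes here while troubleshooting.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Guest ("HOST") isolation: LAN may open connections to the guest subnet, not the
# reverse; replies pass through the established/related rules above.
add action=accept chain=forward comment="Allow traffic from LAN to HOST" \
dst-address=192.168.97.0/24 src-address=192.168.96.0/24
add action=accept chain=forward comment="Allow traffic from VPN to LAN" \
dst-address=192.168.96.0/24 ipsec-policy=in,ipsec src-address=\
10.10.10.0/24
add action=accept chain=forward comment="Allow traffic from VPN to WAN" \
dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.10.10.0/24
add action=drop chain=forward comment="Drop traffic from HOST to LAN" \
dst-address=192.168.96.0/24 src-address=192.168.97.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade skips traffic matching an IPsec out policy, so VPN traffic keeps its
# address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Synology - HTTPS - Web access" \
disabled=yes dst-address-type="" dst-port=5051 in-interface=ether1-WAN \
protocol=tcp to-addresses=192.168.96.2 to-ports=5051
# NOTE(review): dst-address-type=local matches any router-owned address on packets
# entering ether1-WAN, and packets decrypted from the IPsec tunnel appear on that
# interface as well, so a VPN client talking to the public address on 80/443 is
# presumably redirected to 192.168.96.2 too. Given that disabling these two rules
# fixes the IKEv2 problem described above, that is the first thing to confirm in
# the logs; adding `ipsec-policy=in,none` to both rules would keep decrypted traffic
# out of them. Let's Encrypt HTTP-01 validation itself needs only tcp/80.
add action=dst-nat chain=dstnat comment="Synology - HTTP - Lets Encrypt" \
dst-address-type=local dst-port=80 in-interface=ether1-WAN protocol=tcp \
to-addresses=192.168.96.2 to-ports=80
add action=dst-nat chain=dstnat comment="Synology - HTTPS - Lets Encrypt" \
dst-address-type=local dst-port=443 in-interface=ether1-WAN protocol=tcp \
to-addresses=192.168.96.2 to-ports=443
/ip ipsec identity
# Certificate-authenticated IKEv2, one identity per client certificate; remote-id
# is checked against the ID the client sends. Fixed: remote-id for client1 read
# "clien1@...", which would not match client1's user-fqdn ID (compare client2).
add auth-method=digital-signature certificate=vpn-server-cert \
generate-policy=port-strict match-by=certificate mode-config=\
ike2-mode-config peer=vpn-peer policy-template-group=ike2-group \
remote-certificate=client1@server.domena.cz remote-id=user-fqdn:client1@server.domena.cz
add auth-method=digital-signature certificate=vpn-server-cert \
generate-policy=port-strict match-by=certificate mode-config=\
ike2-mode-config peer=vpn-peer policy-template-group=ike2-group \
remote-certificate=client2@server.domena.cz remote-id=\
user-fqdn:client2@server.domena.cz
/ip ipsec policy
set 0 disabled=yes
# Template from which the per-client policies are generated (any -> VPN pool).
add dst-address=10.10.10.0/24 group=ike2-group proposal=ike2-proposal \
src-address=0.0.0.0/0 template=yes
/ip service
# telnet/ftp/www/api/api-ssl off; ssh, winbox and www-ssl keep their defaults and
# are reachable only as far as the input chain allows.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
# NOTE(review): UPnP interface roles are defined; the /ip upnp enabled flag is not
# in this export (default off). If it is on, LAN hosts can open WAN ports on their
# own.
add interface=ether1-WAN type=external
add interface=bridge type=internal
/ppp secret
# PPTP accounts (passwords not exported); see the pptp-profile note above.
add name=vpn_client1 profile=pptp-profile service=pptp
add name=vpn_client2 profile=pptp-profile service=pptp
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=MikroTik-FW
/system logging
set 0 topics=info,!caps
add action=syslog topics=system
add action=syslog topics=critical
add action=syslog topics=warning
add action=syslog topics=error
# Memory only, and only filled once a filter rule has log=yes.
add topics=firewall
add action=syslog topics=info,!caps
# NOTE(review): no ipsec topic is logged; `add action=syslog topics=ipsec,!packet`
# would show the IKEv2 negotiation at the moment the connection drops.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN`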
Předem díky