How to set up a VPN between 2 sites with 2 MikroTik routers
I use this page as the basis: http://wiki.mikrotik.com/wiki/L2TP_%2B_IPSEC_between_2_Mikrotik_routers
Server LAN: 192.168.88.0/24
Client LAN: 192.168.77.0/24
Open port UDP/1701 on the server side in the input chain (possibly also UDP/500 and UDP/4500, to be tested)
Here is the summary of the rules:
Server side:
/ppp secret add caller-id="" comment="vpn" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=10.0.16.9 name=custvpn password=pwd profile=default remote-address=10.0.16.10 routes="" service=l2tp
/interface l2tp-server add disabled=no name=l2tp-custvpn user=custvpn
/interface l2tp-server server set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec policy add action=encrypt disabled=no dst-address=192.168.77.0/24 ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=192.168.88.0/24 tunnel=yes
/ip ipsec peer add address=10.0.16.10/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no proposal-check=obey secret=test send-initial-contact=yes
/ip route add comment=custvpn disabled=no distance=1 dst-address=192.168.77.0/24 gateway=10.0.16.10 scope=30 target-scope=10
Client side:
/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=a.b.c.d dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 mrru=disabled name=l2tp-client password=pwd profile=default-encryption user=custvpn
/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec policy add action=encrypt disabled=no dst-address=192.168.88.0/24 ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.16.9 sa-src-address=10.0.16.10 src-address=192.168.77.0/24 tunnel=yes
/ip ipsec peer add address=10.0.16.9/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no proposal-check=obey secret=test send-initial-contact=yes
/ip route add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=10.0.16.9 scope=30 target-scope=10
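As an added check (example code written here, not from the MikroTik wiki page or RouterOS itself), the Python script below parses the two routers' IPsec lines above and verifies that the policy selectors, SA endpoints and pre-shared key mirror each other, while flagging the 3DES/SHA1/modp1024 choices as legacy algorithms. The LEGACY table and the 20-character PSK threshold are my own assumptions, and the embedded command lines are the page's, straight-quoted and trimmed to the keys that are checked.

```python
import shlex

# Constructed input: the page's own IPsec lines, straight-quoted and trimmed to the keys checked.
SERVER = [
    "/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024",
    "/ip ipsec policy add action=encrypt dst-address=192.168.77.0/24 level=require proposal=default sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=192.168.88.0/24 tunnel=yes",
    "/ip ipsec peer add address=10.0.16.10/32 auth-method=pre-shared-key dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=3des exchange-mode=main hash-algorithm=sha1 nat-traversal=no secret=test",
]
CLIENT = [
    "/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024",
    "/ip ipsec policy add action=encrypt dst-address=192.168.88.0/24 level=require proposal=default sa-dst-address=10.0.16.9 sa-src-address=10.0.16.10 src-address=192.168.77.0/24 tunnel=yes",
    "/ip ipsec peer add address=10.0.16.9/32 auth-method=pre-shared-key dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=3des exchange-mode=main hash-algorithm=sha1 nat-traversal=no secret=test",
]
LEGACY = {  # assumption: still accepted by RouterOS, but a reviewer would flag them today
    "enc-algorithm": {"des", "3des"}, "enc-algorithms": {"des", "3des"},
    "hash-algorithm": {"md5", "sha1"}, "auth-algorithms": {"md5", "sha1"},
    "dh-group": {"modp768", "modp1024"}, "pfs-group": {"modp768", "modp1024"}}

def parse_cmd(line):
    """Split '/menu path add|set [item] k=v ...' into (menu path, {key: value})."""
    toks = shlex.split(line)
    verb = next(i for i, t in enumerate(toks) if t in ("add", "set"))
    # partition()[::2] keeps (key, value); a bare item name such as 'default' maps to ''.
    return " ".join(toks[:verb]), dict(t.partition("=")[::2] for t in toks[verb + 1:])

def check_site_pair(server_lines, client_lines):
    """Return (errors, warnings): errors stop the tunnel coming up, warnings are hygiene."""
    s, c = dict(map(parse_cmd, server_lines)), dict(map(parse_cmd, client_lines))
    sp, cp = s["/ip ipsec policy"], c["/ip ipsec policy"]
    errors, warnings = [], []
    # Traffic selectors and SA endpoints must be the other side's, reversed.
    for a, b in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if sp[a] != cp[b] or sp[b] != cp[a]:
            errors.append(f"policy {a}/{b} not mirrored between sites")
    # The peer each side configures must be the SA destination its own policy names.
    for side, cfg in (("server", s), ("client", c)):
        if cfg["/ip ipsec peer"]["address"].split("/")[0] != cfg["/ip ipsec policy"]["sa-dst-address"]:
            errors.append(f"{side}: peer address is not the policy's sa-dst-address")
    if s["/ip ipsec peer"]["secret"] != c["/ip ipsec peer"]["secret"]:
        errors.append("pre-shared keys differ")
    elif len(s["/ip ipsec peer"]["secret"]) < 20:
        warnings.append("pre-shared key shorter than 20 characters (heuristic threshold)")
    # Phase 1 (peer) and phase 2 (proposal) algorithms must agree on both sides.
    for path in ("/ip ipsec peer", "/ip ipsec proposal"):
        for key, bad in LEGACY.items():
            if key in s[path] and s[path][key] != c[path].get(key):
                errors.append(f"{path} {key} differs between sites")
            elif s[path].get(key) in bad:
                warnings.append(f"{path} {key}={s[path][key]} is a legacy algorithm")
    return errors, warnings
```

Running check_site_pair(SERVER, CLIENT) on the page's configuration reports no errors and seven warnings (six legacy algorithm choices plus the short PSK); changing one selector on either side produces a mirroring error.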