Jun 18, 2022 08:57
HOWTO: setting up IPsec in transport mode between a Mikrotik (together with the IPv6 network behind it) and Ubuntu 18.04
0. Initial data
Ubuntu IP: 2001:67c:xxxx::3
Mikrotik IP: 2a02:220e:yyyy::
Generate a long PSK: my_very_long_psk
1. Ubuntu
1.1 /etc/ipsec.conf
config setup
    klipsdebug=none
    uniqueids=yes
    #nat_traversal=yes

conn %default
    type=tunnel
    keyingtries=0
    disablearrivalcheck=no
    authby=secret
    esp=aes256-sha256
    ike=aes256-sha256-modp1024
    keylife=8h
    keyexchange=ike
    left=2001:67c:xxxx::3
    pfs=yes

conn mikrotik
    right=2a02:220e:yyyy::
    rightid=2a02:220e:yyyy::
    rightnexthop=2a02:220e:yyyy::
    rightsubnet=2a02:220e:yyyy::/64
    auto=start
1.2 /etc/ipsec.secrets
2001:67c:xxxx::3 2a02:220e:yyyy:: : PSK "my_very_long_psk"
1.3 Commands
systemctl enable --now ipsec
ipsec status
2. Mikrotik
2.1 Configuration
/ip ipsec peer
add address=2001:67c:2268:xxxx::3/128 exchange-mode=ike2 local-address=2a02:220e:yyyy:: name=ubuntu passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,blowfish,twofish
/ip ipsec identity
add generate-policy=port-override peer=ubuntu auth-method=pre-shared-key disabled=no secret=my_very_long_psk
/ipv6 firewall filter
add action=accept chain=input src-address=2001:67c:2268:xxxx::3/128
add action=accept chain=forward src-address=2001:67c:2268:1287:1287::3/128
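The two sides only establish an SA on algorithms both of them list, and with the Ubuntu side offering a single IKE proposal (aes256-sha256-modp1024) while the MikroTik profile lists modp2048,modp1536,modp1024, the negotiation necessarily lands on the weakest common group. The Python script below is an added example, not part of this HOWTO and not RouterOS or strongSwan code: it takes the proposal strings exactly as they appear above (embedded as constants), computes what the IKE and ESP negotiation can settle on, and reports both the negotiated choice and every legacy algorithm the MikroTik side still offers. The RouterOS-to-strongSwan name mapping (aes-256-cbc → aes256, sha256 → sha256) and the set of algorithms treated as weak are assumptions of the example, and it handles the single-proposal form of ike= and esp= used on this page, not comma-separated multi-proposal lists.

```python
import re

# Proposal strings copied from this HOWTO's configuration (constructed constants, not read from devices).
UBUNTU_IKE = "aes256-sha256-modp1024"
UBUNTU_ESP = "aes256-sha256"
MIKROTIK_PROFILE = ("dh-group=modp2048,modp1536,modp1024 "
                    "enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256")
MIKROTIK_PROPOSAL = ("auth-algorithms=sha512,sha256,sha1 "
                     "enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,"
                     "aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,"
                     "blowfish,twofish")

# Assumption: legacy ciphers, 1024/1536-bit DH groups and SHA-1/MD5 integrity count as weak.
WEAK = {"3des", "blowfish", "twofish", "md5", "sha1", "modp1024", "modp1536"}

# Which RouterOS keys carry each negotiation field (assumed mapping for this example).
IKE_KEYS = {"enc": "enc-algorithm", "integ": "hash-algorithm", "dh": "dh-group"}
ESP_KEYS = {"enc": "enc-algorithms", "integ": "auth-algorithms"}


def norm(name):
    """Map RouterOS spellings onto strongSwan ones: aes-256 -> aes256, aes-256-cbc -> aes256."""
    n = name.lower().replace("-", "")
    if n.endswith("cbc"):          # strongSwan's bare aes256 means AES-256-CBC
        n = n[:-3]
    return n


def parse_routeros(line):
    """Turn 'key=a,b key2=c' into {'key': ['a', 'b'], 'key2': ['c']} with normalized names."""
    return {key: [norm(v) for v in vals.split(",")]
            for key, vals in re.findall(r"(\S+?)=(\S+)", line)}


def parse_ike_spec(spec):
    """Split a single strongSwan-style 'enc-integ[-dh]' proposal into its fields."""
    parts = [norm(p) for p in spec.split("-")]
    fields = {"enc": parts[0], "integ": parts[1]}
    if len(parts) > 2:
        fields["dh"] = parts[2]
    return fields


def negotiate(ubuntu_spec, mikrotik, keymap):
    """Return {field: algorithm or None}: the Ubuntu choice if MikroTik also lists it, else None."""
    ours = parse_ike_spec(ubuntu_spec)
    result = {}
    for field, key in keymap.items():
        if field not in ours:
            continue
        result[field] = ours[field] if ours[field] in mikrotik.get(key, []) else None
    return result


def offered_weak(mikrotik):
    """Every weak algorithm the MikroTik side advertises, whether or not it gets chosen."""
    return sorted({alg for vals in mikrotik.values() for alg in vals if alg in WEAK})


def audit():
    """Negotiate both phases from the page's proposals and list the findings a reviewer would raise."""
    ike = negotiate(UBUNTU_IKE, parse_routeros(MIKROTIK_PROFILE), IKE_KEYS)
    esp = negotiate(UBUNTU_ESP, parse_routeros(MIKROTIK_PROPOSAL), ESP_KEYS)
    findings = []
    for phase, chosen in (("IKE", ike), ("ESP", esp)):
        for field, alg in chosen.items():
            if alg is None:
                findings.append(f"{phase}: no common {field} algorithm, negotiation will fail")
            elif alg in WEAK:
                findings.append(f"{phase}: negotiated {field} {alg} is weak")
    return {"ike": ike, "esp": esp, "findings": findings}


if __name__ == "__main__":
    report = audit()
    print("IKE:", report["ike"])
    print("ESP:", report["esp"])
    for line in report["findings"]:
        print("finding:", line)
    print("weak algorithms offered by MikroTik profile:",
          offered_weak(parse_routeros(MIKROTIK_PROFILE)))
    print("weak algorithms offered by MikroTik proposal:",
          offered_weak(parse_routeros(MIKROTIK_PROPOSAL)))
```

Run against the page's values it reports that IKE settles on aes256/sha256/modp1024 and flags the 1024-bit group, while ESP lands on aes256/sha256 cleanly; the offered-but-unused entries (3des, modp1536 on the profile; blowfish, twofish, sha1 on the proposal) are what a peer with a different preference order could negotiate, so trimming them on the MikroTik side costs nothing for this pairing.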
2.2 Commands
[admin@MikroTik] > /ip/ipsec/peer/ print
Flags: X - disabled; D - dynamic; R - responder
0 R name="ubuntu" address=2001:67c:2268:xxxx::3/128 local-address=2a02:220e:yyyy:: passive=yes profile=default exchange-mode=ike2 send-initial-contact=yes
[admin@MikroTik] > /ip/ipsec/policy/ print
Flags: T - TEMPLATE; D, A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 D ubuntu yes 2a02:220e:yyyy::/64 2001:67c:2268:yyyy::3/128 all encrypt unique 1