identit: peer=IKEv2-peer auth-method=digital-signature mode-config=IKEv2-cfg certificate=server-IKEv2 generate-policy=port-strict policy-template-group=IKEv2-policies
mode-config: name="IKEv2-cfg" system-dns=yes address-pool=VPN pool address-prefix-length=24 split-dns=""
peer: name="IKEv2-cfg" system-dns=yes address-pool=VPN pool address-prefix-length=24 split-dns=""
policy: 0.0.0.0/0 192.168.87.0/24 all
profile: name="IKEv2" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
proposal: name="IKEv2" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=none
VPN pool 192.168.87.100/24-192.168.87.150/24
Firewall settings
;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
;;; ipsec
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
;;; reject l2tp for not list "allow"
chain=input action=accept protocol=udp dst-port=1701,4500,500 log=no log-prefix=""
;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
;;; dstnat connection-state=new in-interface-list=WAN
chain=forward action=drop connection-state=new connection-nat-state=!dstnat src-address=!192.168.87.0/24 in-interface-list=WAN log=no log-prefix=""
Please advise what can be done with all this.
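The weakest part of the configuration above is the IKE and ESP crypto, not the firewall: the profile still offers sha1, 3des and modp1024, and the proposal uses sha1 with pfs-group=none, so a client that prefers the weaker options will be allowed to negotiate them. The RouterOS commands below are an added example, not part of the original post, showing the same "IKEv2" profile and proposal with the weak options removed; the object names are taken from the post, the RouterOS version and the clients in use are assumed (most IKEv2 clients in use support these algorithms, but it is an assumption for this network).

```routeros
# Added example, not the poster's own configuration. Object names "IKEv2"
# match the post; everything else about the router is assumed.

/ip ipsec profile
# was: hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024
# sha1, 3des and the 1024-bit DH group are dropped; the rest of the profile is kept as posted
set [ find name="IKEv2" ] hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal
# was: auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=none
# AES-GCM is authenticated encryption (auth-algorithms is ignored for it); sha256 covers the CBC fallback;
# pfs-group=modp2048 gives perfect forward secrecy on each child SA rekey instead of none
set [ find name="IKEv2" ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm,aes-256-cbc pfs-group=modp2048 lifetime=30m

# After the change, check which peers reconnected and what was actually negotiated;
# a client that fails to come back is one that only offered the removed algorithms
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

Two things to check before applying this on a live router. First, every roaming client must offer at least one of the remaining algorithm and DH combinations; the built-in Windows IKEv2 client in particular needs its IPsec settings adjusted (Set-VpnConnectionIPsecConfiguration on the client) to propose DH group 14 rather than group 2. Second, on the firewall side the input rule that accepts udp 500 and 4500 from any source is what lets roaming IKEv2 clients reach the router and has to stay open, but udp 1701 is the L2TP port and is not used by IKEv2 at all, and that rule's comment says "reject" while its action is accept; decide whether L2TP is actually needed and make the rule and its comment agree.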