Подскажите плиз. Есть два микрота, стоят во главе двух сетей, внешний ip у обоих белый. Поднимаю l2tp сеть между ними. Настраиваю без шифрования. Не проходит подключение. Версия RouterOS v6.43.8 (stable) на обоих.
Сервер:
# feb/03/2019 20:47:14 by RouterOS 6.43.8
# Server-side export: the router that accepts the L2TP connection from the
# remote site. Lines starting with NOTE(review) are reviewer observations;
# the remaining comments are reading aids only.
/caps-man channel
add name=channel1
add band=2ghz-b/g/n name=channel2
add band=2ghz-b/g/n extension-channel=Ce name=channel3 tx-power=5
add band=2ghz-b control-channel-width=20mhz frequency=2457 name=smarthome \
tx-power=20
/caps-man datapath
add client-to-client-forwarding=yes name=smarthome
# Static L2TP server bindings. "l2tp p17" is the binding for user ***_p17,
# which is the user the remote router's l2tp-client dials in with.
/interface l2tp-server
add disabled=yes name="l2tp map" user=***_map
add name="l2tp p17" user=***_p17
/interface bridge
add admin-mac=E888:8D:8C:98:74:8D arp=proxy-arp auto-mac=no fast-forward=no \
igmp-snooping=yes name=bridge_lan
/interface ethernet
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether2_lan
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
name=ether3_iptv
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=wan
/caps-man datapath
add bridge=bridge_lan client-to-client-forwarding=yes local-forwarding=no \
name=datapath1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# NOTE(review): 3DES is still in both the phase-1 and phase-2 algorithm lists.
# It is not used by this L2TP link (no IPsec is required below), but it is a
# weak legacy cipher; drop it from both lists unless another peer needs it.
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
# l2tp_pool (172.16.30.2-100) is the tunnel address range; the static secret
# further down pins the remote router to 172.16.30.2.
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
add name=iptv ranges=192.168.2.100-192.168.2.200
add name=l2tp_pool ranges=172.16.30.2-172.16.30.100
add name=pptp_pool ranges=192.168.3.120-192.168.3.139
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge_lan name=lan1
add address-pool=iptv disabled=no interface=ether3_iptv name=iptv
# "l2tp server" profile: this side is 172.16.30.1, peers get an address from
# l2tp_pool; use-encryption=no matches the "no encryption" intent of the post.
/ppp profile
add change-tcp-mss=yes local-address=192.168.3.1 name=pptp_profile \
remote-address=pptp_pool
add change-tcp-mss=yes local-address=172.16.30.1 name="l2tp server" \
remote-address=l2tp_pool use-encryption=no
add change-tcp-mss=yes dns-server=192.168.3.1 local-address=192.168.3.1 name=\
"sstp client-to-site" remote-address=l2tp_pool wins-server=192.168.3.1
# *FFFFFFFE is an internal id of a built-in profile (presumably
# "default-encryption"); MPPE is switched off on it as well -- confirm.
set *FFFFFFFE use-encryption=no
# NOTE(review): the default SNMP community answers to any source address
# (0.0.0.0/0). The input chain below drops unsolicited WAN traffic, but the
# community address list is a second layer -- restrict it to the management
# subnet(s) unless SNMP from anywhere is really intended.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=log
/interface bridge port
add bridge=bridge_lan interface=ether2_lan
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
# Bridged (same-LAN) traffic is also passed through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes
# L2TP server: MS-CHAPv2 authentication. An ipsec-secret is present but no
# use-ipsec=yes is exported, so (assuming export omits defaults) IPsec is not
# required -- consistent with the client export, whose l2tp-client likewise
# exports no use-ipsec.
/interface l2tp-server server
set authentication=mschap2 default-profile="l2tp server" enabled=yes \
ipsec-secret=******
/interface list member
add interface=bridge_lan list=mac-winbox
/interface pptp-server server
set default-profile=pptp_profile enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=\
"sstp client-to-site" enabled=yes
/ip address
add address=192.168.1.1/24 comment=lan interface=bridge_lan network=\
192.168.1.0
add address=192.168.2.1/24 comment=iptv interface=ether3_iptv network=\
192.168.2.0
# Filter rules are evaluated top to bottom, first match wins. L2TP/IKE ports
# from WAN are accepted early, established/related is accepted, and whatever
# is left from WAN is dropped by "Drop off all other incoming connections".
/ip firewall filter
add action=accept chain=input comment=iptv dst-port=1234 in-interface=wan \
protocol=udp
add action=accept chain=forward dst-port=1234 out-interface=ether3_iptv \
protocol=udp
add action=accept chain=input in-interface=wan protocol=igmp
add action=drop chain=forward dst-port=1234 out-interface=!ether3_iptv \
protocol=udp
# Accepts L2TP (1701) plus IKE/NAT-T (500/4500) from WAN. The "Allow IKE" /
# ESP / AH rules further down therefore overlap with this one and the
# ipsec-esp accept right below it.
add action=accept chain=input comment=l2tp dst-port=1701,500,4500 \
in-interface=wan protocol=udp
add action=drop chain=input comment="Drop flood on port 53" dst-port=53 \
in-interface=wan protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow pings" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="pptp server" dst-address=****** \
dst-port=1723 in-interface=wan protocol=tcp
# NOTE(review): these three IPsec accepts have no in-interface restriction and
# duplicate rules above; harmless, but collapsing them keeps the chain readable.
add action=accept chain=input comment="Allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-AH" protocol=ipsec-ah
add action=accept chain=input comment="Allow established connections" \
connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Allow related connections" \
connection-state=related
add action=accept chain=forward connection-state=related
add action=accept chain=input comment=\
"Allow all connections from our local network" in-interface=!wan \
src-address=192.168.1.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.2.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.3.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.20.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.1.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.2.0/24
add action=accept chain=forward comment=\
"Allow incoming connections for torrent" dst-address=192.168.1.245 \
dst-port=51413 in-interface=wan protocol=tcp
add action=accept chain=forward comment="allow vpn to lan" in-interface=!wan \
out-interface=bridge_lan src-address=192.168.3.0/24
# Lets traffic arriving over the L2TP tunnel (172.16.30.0/24) reach the LAN.
add action=accept chain=forward in-interface=!wan out-interface=bridge_lan \
src-address=172.16.30.0/24
add action=drop chain=input comment="Drop off invalid connections" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop off all other incoming connections" \
in-interface=wan
add action=accept chain=forward comment=\
"Allow access from the local network to the Internet" in-interface=!wan \
out-interface=wan
# Terminating drop for the forward chain (the client export has no equivalent).
add action=drop chain=forward comment="Drop off all other connections"
# The first srcnat rule exempts LAN -> 192.168.17.0/24 (the LAN behind the
# remote router) from masquerade, so the remote side sees real 192.168.1.x
# source addresses.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.17.0/24 priority=0 \
src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment=vpn out-interface=wan
add action=dst-nat chain=dstnat comment=torrent-client dst-port=51413 \
in-interface=wan protocol=tcp to-addresses=192.168.1.245 to-ports=45000
/ip ipsec policy
set 0 group=group1
# NOTE(review): two routes to 192.168.17.0/24 with the same distance=1, one
# via 172.16.30.4 ("ipip") and one via 172.16.30.2 ("l2tp"). If the IPIP
# path is no longer in use, remove its route so reachability of the remote
# LAN does not depend on a gateway that may never come up -- confirm.
/ip route
add comment="route ipip p17" distance=1 dst-address=192.168.17.0/24 gateway=\
172.16.30.4 pref-src=192.168.1.1
add comment="route l2tp p17" distance=1 dst-address=192.168.17.0/24 gateway=\
172.16.30.2 pref-src=192.168.1.1
add comment="route l2tp map" distance=1 dst-address=192.168.20.0/24 gateway=\
172.16.30.3 pref-src=192.168.1.1
# The static remote-address 172.16.30.2 matches the gateway of "route l2tp
# p17" above. The secret name is masked, so whether it equals the ***_p17
# user of the static binding cannot be checked from this export.
/ppp secret
add local-address=172.16.30.1 name=*** password=*** profile=\
"l2tp server" remote-address=172.16.30.2 service=l2tp
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=wan upstream=yes
add interface=ether3_iptv
# feb/03/2019 20:50:49 by RouterOS 6.43.2
# Client-side export: the router whose l2tp-client (l2tp-m12) dials the
# server. NOTE(review): this header reads RouterOS 6.43.2, while the post
# states 6.43.8 on both routers -- confirm which version the client runs.
/interface bridge
add arp=proxy-arp fast-forward=no name=bridge_iptv
add admin-mac=8899:8D:8C:9E:CB:8F arp=proxy-arp auto-mac=no name=bridge_lan
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=7 band=2ghz-onlyn country=russia \
disabled=no frequency=auto mode=ap-bridge ssid=*** \
wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
name=ether2_lan
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
name=ether4_iptv
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
64:66:B3:2D:9F:C5 name=wan
# This router's own (incoming) L2TP binding -- disabled; not the tunnel the
# post is about.
/interface l2tp-server
add disabled=yes name="l2tp server" user=***
/interface pptp-server
add name=pptp-in1 user=***
# NOTE(review): profile_1 combines DH group modp1024 with MD5, both of which
# are considered weak today. It is bound to the "ip tunnel p17-m12" peer
# below, not to this L2TP link; if that peer is still needed, move it to a
# SHA-2 hash and a larger DH group.
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add dh-group=modp1024 enc-algorithm=aes-128 hash-algorithm=md5 name=profile_1 \
nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des name=profile_2
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=lan ranges=192.168.17.100-192.168.17.200
add name=iptv ranges=192.168.18.100-192.168.18.200
add name=l2tp_pool ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=lan disabled=no interface=bridge_lan name=lan
add address-pool=iptv disabled=no interface=bridge_iptv name=iptv
# Profile used by the outgoing l2tp-client. use-encryption=no matches the
# "no encryption" intent. For a client, the tunnel addresses are presumably
# assigned by the server, so local-/remote-address here are informational --
# confirm.
/ppp profile
add change-tcp-mss=yes local-address=172.16.30.2 name="l2tp client" \
remote-address=172.16.30.1 use-encryption=no
# The L2TP client to the server router (interface l2tp-m12, user ***_p17,
# MS-CHAPv2 only). An ipsec-secret is set but no use-ipsec is exported, so
# (assuming export omits defaults) IPsec is not used -- consistent with the
# server export, which exports no use-ipsec on its l2tp-server either.
/interface l2tp-client
add allow=mschap2 connect-to=*** disabled=no ipsec-secret=\
*** name=l2tp-m12 password=***s profile="l2tp client" user=\
***_p17
# Read-only group: no write, policy, sensitive, reboot, ftp or dude rights.
/user group
set read policy="local,telnet,ssh,read,test,winbox,password,web,sniff,api,romo\
n,tikapp,!ftp,!reboot,!write,!policy,!sensitive,!dude"
/interface bridge port
add bridge=bridge_lan interface=ether2_lan
add bridge=bridge_lan interface=ether3
add bridge=bridge_iptv interface=ether4_iptv
add bridge=bridge_lan interface=wlan1
# This router's own L2TP server requires IPsec (use-ipsec=yes); it is
# unrelated to the outgoing client tunnel above.
/interface l2tp-server server
set authentication=mschap2 default-profile="l2tp server" enabled=yes \
ipsec-secret=*** use-ipsec=yes
# NOTE(review): 192.168.17.1/24 is assigned to ether2_lan, which is a member
# port of bridge_lan (see /interface bridge port), while the "lan" DHCP
# server is bound to bridge_lan itself. Normally the address belongs on the
# bridge, not on a member port -- confirm this is intended.
/ip address
add address=192.168.17.1/24 interface=ether2_lan network=192.168.17.0
add address=192.168.18.1/24 interface=bridge_iptv network=192.168.18.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=wan
/ip dhcp-server network
add address=192.168.17.0/24 dns-server=192.168.17.1 gateway=192.168.17.1 \
netmask=24
add address=192.168.18.0/24 dns-server=192.168.18.1 gateway=192.168.18.1 \
netmask=24
# NOTE(review): servers= is this router's own LAN address (192.168.17.1, see
# /ip address), so the resolver would forward to itself unless dynamic
# servers learned by the WAN DHCP client are in use -- confirm.
# allow-remote-requests=yes is covered on WAN by the UDP/53 drop below; TCP/53
# from WAN falls through to the final input drop.
/ip dns
set allow-remote-requests=yes servers=192.168.17.1
# Filter rules are evaluated top to bottom, first match wins. The "l2tp" rule
# here uses port= (matches either source or destination port) and has no
# in-interface restriction, unlike the server's dst-port/in-interface=wan rule.
/ip firewall filter
add action=accept chain=input comment=iptv dst-port=1234 in-interface=wan \
protocol=udp
add action=accept chain=input in-interface=wan protocol=igmp
add action=drop chain=input comment="Drop flood on port 53" dst-port=53 \
in-interface=wan protocol=udp
add action=accept chain=input comment=l2tp port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow pings" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="pptp server" dst-address=\
*** dst-port=1723 in-interface=wan protocol=tcp
# The next three rules omit action=, so they take the filter default (accept);
# ESP is already accepted a few rules above.
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="Allow IPSec-AH" protocol=ipsec-ah
add action=accept chain=input comment="Allow established connections" \
connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Allow related connections" \
connection-state=related
add action=accept chain=forward connection-state=related
add action=accept chain=input comment=\
"Allow all connections from our local network" in-interface=!wan \
src-address=192.168.17.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.18.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.17.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.18.0/24
# NOTE(review): this rule matches 172.16.31.0/24, which is not a subnet used by
# any tunnel in this export (the L2TP link uses 172.16.30.x, l2tp_pool is
# 192.168.20.x); it likely never matches -- confirm the intended range.
add action=accept chain=forward comment="allow vpn to lan" in-interface=!wan \
out-interface=bridge_lan src-address=172.16.31.0/24
add action=drop chain=input comment="Drop off invalid connections" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop off all other incoming connections" \
in-interface=wan
# NOTE(review): unlike the server's chain, this forward chain has no
# terminating drop rule, so anything not matched above (including unsolicited
# WAN -> LAN forwarding) is accepted by the default policy. Add a final
# "action=drop chain=forward" if that is not intended.
add action=accept chain=forward comment=\
"Allow access from the local network to the Internet" in-interface=!wan \
out-interface=wan
# The first srcnat rule exempts LAN -> 192.168.1.0/24 (the server-side LAN)
# from NAT so that side sees real 192.168.17.x source addresses; the "vpn"
# rule masquerades everything else sent into any PPP tunnel.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 priority=0 \
src-address=192.168.17.0/24
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment=vpn out-interface=all-ppp
# "ip tunnel p17-m12" points at a fixed peer (profile_1, no NAT traversal).
# NOTE(review): the server export above contains no /ip ipsec peer section at
# all, so this peer appears to have no counterpart there; if the IPIP tunnel
# it served is retired, remove it so no stray IKE attempts go to that address.
# The 0.0.0.0/0 passive peer serves this router's own IPsec-protected L2TP
# server.
/ip ipsec peer
add address=***/32 comment="ip tunnel p17-m12" profile=profile_1 \
secret=***
add address=0.0.0.0/0 comment=client-tosite exchange-mode=main-l2tp \
generate-policy=port-strict passive=yes policy-template-group=group1 \
profile=profile_2 secret=***
/ip ipsec policy
set 0 group=group1
# Route to the server-side LAN via the tunnel peer address 172.16.30.1.
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=172.16.30.1 pref-src=\
192.168.17.1
# NOTE(review): the www, ssh and winbox allow-lists end with 0.0.0.0/0, which
# makes the preceding subnets meaningless -- management is reachable from any
# source the firewall lets through. Remove the 0.0.0.0/0 entry and keep only
# the management subnets; prefer www-ssl over plain www for the web UI.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.17.0/24,192.168.1.0/24,192.168.20.0/24,0.0.0.0/0
set ssh address=192.168.17.0/24,192.168.1.0/24,192.168.20.0/24,0.0.0.0/0
set api disabled=yes
set winbox address=192.168.17.0/24,192.168.1.0/24,192.168.20.0/24,0.0.0.0/0
set api-ssl disabled=yes
# Secrets for peers dialing INTO this router. The first one (***_p17) is
# disabled and is not what the outgoing l2tp-client uses -- that interface
# carries its own user/password. Note it references profile "l2tp client",
# and the third references "l2tp server", which this export does not define.
/ppp secret
add disabled=yes local-address=172.16.30.2 name=***_p17 password=***denis \
profile="l2tp client" remote-address=172.16.30.1 service=l2tp
add local-address=192.168.19.1 name=*** password=***denis profile=\
pptp_profile remote-address=192.168.19.100 service=pptp
add local-address=172.16.32.1 name=*** password=***denis profile=\
"l2tp server" remote-address=172.16.32.2 service=l2tp
Сервер:
first L2TP UDP packet received from ip клиента
l2tp-m12: initializing...
l2tp-m12: connecting...
l2tp-m12: terminating... - session closed