l2tp, без шифрования, не проходит подключение

yden

Добрый всем.
Подскажите плиз. Есть два микрота, стоят во главе двух сетей, внешний ip у обоих белый. Поднимаю l2tp сеть между ними. Настраиваю без шифрования. Не проходит подключение. Версия RouterOS v6.43.8 (stable) на обоих.

Сервер:

# feb/03/2019 20:47:14 by RouterOS 6.43.8
#
# Server-side RouterOS export for the L2TP site-to-site link described in the
# post above. Lines beginning with "# NOTE(review):" are reviewer comments
# added to the listing; every other line is the export exactly as posted.
# A non-verbose RouterOS export omits parameters that sit at their default
# value, so a parameter that is absent here may still be in effect.

/caps-man channel
add name=channel1
add band=2ghz-b/g/n name=channel2
add band=2ghz-b/g/n extension-channel=Ce name=channel3 tx-power=5
add band=2ghz-b control-channel-width=20mhz frequency=2457 name=smarthome \
    tx-power=20
/caps-man datapath
add client-to-client-forwarding=yes name=smarthome
/interface l2tp-server
# Static L2TP server bindings. "l2tp p17" is bound to the user name the
# remote router dials in with (see the /interface l2tp-client entry in the
# client export).
add disabled=yes name="l2tp map" user=***_map
add name="l2tp p17" user=***_p17
/interface bridge
add admin-mac=E888:8D:8C:98:74:8D arp=proxy-arp auto-mac=no fast-forward=no \
    igmp-snooping=yes name=bridge_lan
/interface ethernet
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2_lan
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=ether3_iptv
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=wan
/caps-man datapath
add bridge=bridge_lan client-to-client-forwarding=yes local-forwarding=no \
    name=datapath1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
# NOTE(review): 3des is kept in both the IKE profile and the proposal below.
# It is a legacy cipher; keep it only while a peer genuinely cannot do AES.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
add name=iptv ranges=192.168.2.100-192.168.2.200
add name=l2tp_pool ranges=172.16.30.2-172.16.30.100
add name=pptp_pool ranges=192.168.3.120-192.168.3.139
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge_lan name=lan1
add address-pool=iptv disabled=no interface=ether3_iptv name=iptv
/ppp profile
add change-tcp-mss=yes local-address=192.168.3.1 name=pptp_profile \
    remote-address=pptp_pool
# NOTE(review): use-encryption=no on this profile (and on the default profile
# *FFFFFFFE below) means no MPPE inside the PPP session. L2TP itself adds no
# confidentiality, so unless IPsec is enabled on the L2TP server the
# site-to-site traffic (192.168.1.0/24 <-> 192.168.17.0/24, see the routes and
# srcnat accept rule further down) crosses the Internet in cleartext, and the
# mschap2 login exchange is visible to anyone on the path.
add change-tcp-mss=yes local-address=172.16.30.1 name="l2tp server" \
    remote-address=l2tp_pool use-encryption=no
add change-tcp-mss=yes dns-server=192.168.3.1 local-address=192.168.3.1 name=\
    "sstp client-to-site" remote-address=l2tp_pool wins-server=192.168.3.1
set *FFFFFFFE use-encryption=no
/snmp community
# NOTE(review): the SNMP community answers any source address; its exposure
# on the WAN side currently rests only on the input-chain rule that drops all
# other traffic arriving on wan (filter section below). Restricting
# addresses= to the management networks would not depend on rule order.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=log
/interface bridge port
add bridge=bridge_lan interface=ether2_lan
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
/interface bridge settings
# With use-ip-firewall=yes, traffic bridged between bridge_lan ports is also
# evaluated by /ip firewall, so the forward rules below apply to it as well.
set use-ip-firewall=yes
/interface l2tp-server server
# NOTE(review): ipsec-secret is set but use-ipsec does not appear in this
# export, which for a non-verbose export usually means it is at its default.
# The remote router's l2tp-client entry has the same shape (secret present,
# use-ipsec absent). State use-ipsec explicitly on both ends so the expected
# mode (plain L2TP vs. L2TP/IPsec) is unambiguous; confirm the live value with
# `/interface l2tp-server server print`.
set authentication=mschap2 default-profile="l2tp server" enabled=yes \
    ipsec-secret=******
/interface list member
add interface=bridge_lan list=mac-winbox
/interface pptp-server server
# NOTE(review): PPTP relies on MS-CHAPv2/MPPE, which are considered broken;
# treat this service as legacy and retire it once the L2TP path works.
set default-profile=pptp_profile enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=\
    "sstp client-to-site" enabled=yes
/ip address
add address=192.168.1.1/24 comment=lan interface=bridge_lan network=\
    192.168.1.0
add address=192.168.2.1/24 comment=iptv interface=ether3_iptv network=\
    192.168.2.0
/ip firewall filter
add action=accept chain=input comment=iptv dst-port=1234 in-interface=wan \
    protocol=udp
add action=accept chain=forward dst-port=1234 out-interface=ether3_iptv \
    protocol=udp
add action=accept chain=input in-interface=wan protocol=igmp
add action=drop chain=forward dst-port=1234 out-interface=!ether3_iptv \
    protocol=udp
# L2TP (udp/1701) and IKE/NAT-T (udp/500, udp/4500) from the Internet. This
# rule is scoped to dst-port and in-interface=wan, which is the form the
# client router's equivalent rule should also use.
add action=accept chain=input comment=l2tp dst-port=1701,500,4500 \
    in-interface=wan protocol=udp
add action=drop chain=input comment="Drop flood on port 53" dst-port=53 \
    in-interface=wan protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow pings" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="pptp server" dst-address=****** \
    dst-port=1723 in-interface=wan protocol=tcp
# NOTE(review): the next three rules duplicate the l2tp and ipsec-esp accepts
# above, only without in-interface=wan. They are harmless but make the
# intended exposure harder to read; one scoped rule per service is clearer.
add action=accept chain=input comment="Allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-AH" protocol=ipsec-ah
add action=accept chain=input comment="Allow established connections" \
    connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Allow related connections" \
    connection-state=related
add action=accept chain=forward connection-state=related
add action=accept chain=input comment=\
    "Allow all connections from our local network" in-interface=!wan \
    src-address=192.168.1.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.2.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.3.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.20.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.1.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.2.0/24
add action=accept chain=forward comment=\
    "Allow incoming connections for torrent" dst-address=192.168.1.245 \
    dst-port=51413 in-interface=wan protocol=tcp
add action=accept chain=forward comment="allow vpn to lan" in-interface=!wan \
    out-interface=bridge_lan src-address=192.168.3.0/24
# NOTE(review): forward into bridge_lan is accepted only for 192.168.3.0/24
# and 172.16.30.0/24 (plus established/related). Traffic originating from the
# remote LAN 192.168.17.0/24 would fall through to the final forward drop, so
# once the tunnel is up only connections initiated from this side would work;
# add a matching accept if the remote LAN is meant to initiate.
add action=accept chain=forward in-interface=!wan out-interface=bridge_lan \
    src-address=172.16.30.0/24
add action=drop chain=input comment="Drop off invalid connections" \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop off all other incoming connections" \
    in-interface=wan
add action=accept chain=forward comment=\
    "Allow access from the local network to the Internet" in-interface=!wan \
    out-interface=wan
add action=drop chain=forward comment="Drop off all other connections"
/ip firewall nat
# Exempt LAN-to-remote-LAN traffic from source NAT so it reaches the other
# site with its real addresses.
add action=accept chain=srcnat dst-address=192.168.17.0/24 priority=0 \
    src-address=192.168.1.0/24
# NOTE(review): the two masquerade rules below are identical apart from the
# comment; the second never matches anything the first did not.
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment=vpn out-interface=wan
add action=dst-nat chain=dstnat comment=torrent-client dst-port=51413 \
    in-interface=wan protocol=tcp to-addresses=192.168.1.245 to-ports=45000
/ip ipsec policy
set 0 group=group1
/ip route
# NOTE(review): two routes to 192.168.17.0/24 with equal distance via
# different tunnel gateways (172.16.30.4 and 172.16.30.2). Which one carries
# traffic depends on which gateway is reachable at the time; if one tunnel is
# meant to be the backup, give it a higher distance.
add comment="route ipip p17" distance=1 dst-address=192.168.17.0/24 gateway=\
    172.16.30.4 pref-src=192.168.1.1
add comment="route l2tp p17" distance=1 dst-address=192.168.17.0/24 gateway=\
    172.16.30.2 pref-src=192.168.1.1
add comment="route l2tp map" distance=1 dst-address=192.168.20.0/24 gateway=\
    172.16.30.3 pref-src=192.168.1.1
/ppp secret
# Account for the remote router; its tunnel address (172.16.30.2) is the
# gateway of the "route l2tp p17" entry above.
add local-address=172.16.30.1 name=*** password=*** profile=\
    "l2tp server" remote-address=172.16.30.2 service=l2tp
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=wan upstream=yes
add interface=ether3_iptv
Клиент:

# feb/03/2019 20:50:49 by RouterOS 6.43.2
#
# Client-side RouterOS export (the router that dials the L2TP tunnel). Lines
# beginning with "# NOTE(review):" are reviewer comments added to the
# listing; every other line is the export exactly as posted. A non-verbose
# RouterOS export omits parameters at their default value, so an absent
# parameter may still be in effect.

/interface bridge
add arp=proxy-arp fast-forward=no name=bridge_iptv
add admin-mac=8899:8D:8C:9E:CB:8F arp=proxy-arp auto-mac=no name=bridge_lan
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=7 band=2ghz-onlyn country=russia \
    disabled=no frequency=auto mode=ap-bridge ssid=*** \
    wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=ether2_lan
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=ether4_iptv
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    64:66:B3:2D:9F:C5 name=wan
/interface l2tp-server
add disabled=yes name="l2tp server" user=***
/interface pptp-server
add name=pptp-in1 user=***
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
# NOTE(review): profile_1 uses modp1024 (1024-bit DH) and md5 for IKE, both
# weak by current standards; move to a larger DH group and sha256 if the
# remote peer supports them. 3des in the default profile and in profile_2 is
# legacy as well.
add dh-group=modp1024 enc-algorithm=aes-128 hash-algorithm=md5 name=profile_1 \
    nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des name=profile_2
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=lan ranges=192.168.17.100-192.168.17.200
add name=iptv ranges=192.168.18.100-192.168.18.200
add name=l2tp_pool ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=lan disabled=no interface=bridge_lan name=lan
add address-pool=iptv disabled=no interface=bridge_iptv name=iptv
/ppp profile
# use-encryption=no matches the server's "l2tp server" profile: no MPPE, so
# the PPP payload is only protected if IPsec is used underneath.
add change-tcp-mss=yes local-address=172.16.30.2 name="l2tp client" \
    remote-address=172.16.30.1 use-encryption=no
/interface l2tp-client
# NOTE(review): ipsec-secret is set but use-ipsec is not shown, which for a
# non-verbose export usually means it is at its default (i.e. plain L2TP is
# attempted). The server's /interface l2tp-server server entry has the same
# shape. Set use-ipsec explicitly on both ends so the expected mode is
# unambiguous, and confirm with `/interface l2tp-client print`. allow=mschap2
# is consistent with authentication=mschap2 on the server.
add allow=mschap2 connect-to=*** disabled=no ipsec-secret=\
    *** name=l2tp-m12 password=***s profile="l2tp client" user=\
    ***_p17
/user group
# NOTE(review): the "read" group is granted sniff, api and romon in addition
# to read. Packet-sniffer access is more than read-only users usually need;
# confirm this is intended (least privilege).
set read policy="local,telnet,ssh,read,test,winbox,password,web,sniff,api,romo\
    n,tikapp,!ftp,!reboot,!write,!policy,!sensitive,!dude"
/interface bridge port
add bridge=bridge_lan interface=ether2_lan
add bridge=bridge_lan interface=ether3
add bridge=bridge_iptv interface=ether4_iptv
add bridge=bridge_lan interface=wlan1
/interface l2tp-server server
# This router's own L2TP *server* (for other peers dialling in); it does not
# affect the outbound l2tp-m12 client above. Note that use-ipsec=yes is
# stated explicitly here, unlike on the client entry. default-profile refers
# to "l2tp server", which is not in the /ppp profile section of this export;
# the export may be trimmed — confirm the profile exists.
set authentication=mschap2 default-profile="l2tp server" enabled=yes \
    ipsec-secret=*** use-ipsec=yes
/ip address
add address=192.168.17.1/24 interface=ether2_lan network=192.168.17.0
add address=192.168.18.1/24 interface=bridge_iptv network=192.168.18.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=wan
/ip dhcp-server network
add address=192.168.17.0/24 dns-server=192.168.17.1 gateway=192.168.17.1 \
    netmask=24
add address=192.168.18.0/24 dns-server=192.168.18.1 gateway=192.168.18.1 \
    netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the resolver answer on every
# interface; on the WAN side it is shielded only by the udp/53 drop rule in
# the filter section, which must stay ahead of the l2tp accept rule.
set allow-remote-requests=yes servers=192.168.17.1
/ip firewall filter
add action=accept chain=input comment=iptv dst-port=1234 in-interface=wan \
    protocol=udp
add action=accept chain=input in-interface=wan protocol=igmp
add action=drop chain=input comment="Drop flood on port 53" dst-port=53 \
    in-interface=wan protocol=udp
# NOTE(review): port= matches either the source or the destination port, and
# there is no in-interface=wan here, so any UDP datagram whose *source* port
# is 500, 1701 or 4500 is accepted on the router from anywhere before the
# final "drop from wan" rule is reached. The server's equivalent rule is the
# safer form: `add action=accept chain=input comment=l2tp
# dst-port=1701,500,4500 in-interface=wan protocol=udp`.
add action=accept chain=input comment=l2tp port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow pings" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="pptp server" dst-address=\
    *** dst-port=1723 in-interface=wan protocol=tcp
# NOTE(review): action= is omitted on the next three rules. RouterOS treats a
# missing action as accept, but writing action=accept out, as the server
# export does, keeps the intent visible. They also duplicate the l2tp and
# ipsec-esp accepts above.
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="Allow IPSec-AH" protocol=ipsec-ah
add action=accept chain=input comment="Allow established connections" \
    connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Allow related connections" \
    connection-state=related
add action=accept chain=forward connection-state=related
add action=accept chain=input comment=\
    "Allow all connections from our local network" in-interface=!wan \
    src-address=192.168.17.0/24
add action=accept chain=input in-interface=!wan src-address=192.168.18.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.17.0/24
add action=accept chain=forward in-interface=!wan src-address=192.168.18.0/24
# NOTE(review): 172.16.31.0/24 does not appear in any pool, address or
# profile of either export (the tunnel addresses are 172.16.30.x), so this
# rule looks stale; confirm what it was meant to match.
add action=accept chain=forward comment="allow vpn to lan" in-interface=!wan \
    out-interface=bridge_lan src-address=172.16.31.0/24
add action=drop chain=input comment="Drop off invalid connections" \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop off all other incoming connections" \
    in-interface=wan
add action=accept chain=forward comment=\
    "Allow access from the local network to the Internet" in-interface=!wan \
    out-interface=wan
# NOTE(review): the forward chain ends here with no final drop, unlike the
# server's "Drop off all other connections" rule. Anything not matched above
# — including traffic arriving through PPP or IPsec tunnels that the accept
# rules do not cover — is forwarded by default.
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 priority=0 \
    src-address=192.168.17.0/24
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment=vpn out-interface=all-ppp
/ip ipsec peer
# profile_1 peer for the separate IP tunnel to the other site (the server has
# a "route ipip p17" entry). The server export shows no /ip ipsec peer
# section at all, so this peer's counterpart is not visible on this page.
add address=***/32 comment="ip tunnel p17-m12" profile=profile_1 \
    secret=***
# NOTE(review): a passive pre-shared-key peer that answers any source
# address (0.0.0.0/0). Since udp/500 and udp/4500 are accepted on input from
# anywhere (see the l2tp rule above), the PSK strength is the only thing
# gating IKE from the Internet for this entry.
add address=0.0.0.0/0 comment=client-tosite exchange-mode=main-l2tp \
    generate-policy=port-strict passive=yes policy-template-group=group1 \
    profile=profile_2 secret=***
/ip ipsec policy
set 0 group=group1
/ip route
# Route to the server LAN via the server's tunnel address; only usable while
# the l2tp-m12 session is up.
add distance=1 dst-address=192.168.1.0/24 gateway=172.16.30.1 pref-src=\
    192.168.17.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): the trailing 0.0.0.0/0 makes the address lists on www, ssh
# and winbox match every source, so these services are reachable from any
# address and rely solely on the input-chain firewall. Drop the 0.0.0.0/0
# entry if the intent was to restrict management to the listed networks.
set www address=192.168.17.0/24,192.168.1.0/24,192.168.20.0/24,0.0.0.0/0
set ssh address=192.168.17.0/24,192.168.1.0/24,192.168.20.0/24,0.0.0.0/0
set api disabled=yes
set winbox address=192.168.17.0/24,192.168.1.0/24,192.168.20.0/24,0.0.0.0/0
set api-ssl disabled=yes
/ppp secret
# The first secret mirrors the outbound account and is disabled here. The
# profiles pptp_profile and "l2tp server" referenced below are not in this
# export's /ppp profile section — presumably trimmed; verify on the device.
add disabled=yes local-address=172.16.30.2 name=***_p17 password=***denis \
    profile="l2tp client" remote-address=172.16.30.1 service=l2tp
add local-address=192.168.19.1 name=*** password=***denis profile=\
    pptp_profile remote-address=192.168.19.100 service=pptp
add local-address=172.16.32.1 name=*** password=***denis profile=\
    "l2tp server" remote-address=172.16.32.2 service=l2tp
Логи
Сервер:

first L2TP UDP packet received from ip клиента
Клиент:

l2tp-m12: initializing...
l2tp-m12: connecting...
l2tp-m12: terminating... - session closed
благодарю


seregaelcin

/ip ipsec peer
А если тут всё временно потушить?
На сервере в настройках должно стоять use-ipsec: yes либо no.


Обладатель Mikrotik RB2011UAS-2HnD-IN