Схему сети нарисовал (во вложении)
Поднял на одном роутере IPSec:
CCR1009:
# oct/19/2016 12:27:08 by RouterOS 6.36.3
# software id = W5P5-7SDN
#
# Review notes: this is the export of the router with identity DOP (192.168.100.1).
# It runs a PPTP server, seven EoIP tunnels, a bridge over ether2-ether8 and one
# IPsec peer (192.168.100.9). Secrets are exported in clear text; any value that is
# real rather than redacted should be treated as disclosed and rotated.
/interface bridge
add name=ria-bridge
/interface eoip
# EoIP carries Ethernet frames without encryption of its own, and no ipsec-secret is
# set on these tunnels. The remote addresses match the remote-address values in
# /ppp secret below, so presumably each tunnel runs inside a PPTP session - confirm.
# The mac-address values are not valid hex and look redacted. name=ria-EoIP-A appears
# twice (tunnel-id 513 and 518); interface names normally must be unique - verify
# against the running config.
add !keepalive mac-address=bl:ab:la:bl:ab:la name=ria-EoIP-A remote-address=192.168.100.3 tunnel-id=513
add !keepalive mac-address=bl:ab:la:bl:ab:la name=ria-EoIP-A remote-address=192.168.100.8 tunnel-id=518
add !keepalive mac-address=bl:ab:la:bl:ab:la name=ria-EoIP-D remote-address=192.168.100.2 tunnel-id=512
add !keepalive mac-address=bl:ab:la:bl:ab:la name=ria-EoIP-L remote-address=192.168.100.7 tunnel-id=517
add !keepalive mac-address=bl:ab:la:bl:ab:la name=ria-EoIP-R remote-address=192.168.100.5 tunnel-id=515
add !keepalive mac-address=bl:ab:la:bl:ab:la name=ria-EoIP-X remote-address=192.168.100.6 tunnel-id=516
add !keepalive mac-address=bl:ab:la:bl:ab:la name=ria-EoIP-Y remote-address=192.168.100.4 tunnel-id=514
/ppp profile
# Default PPP profile: sessions get local-address 192.168.100.1 and bridge=ria-bridge.
set *0 bridge=ria-bridge dns-server=192.168.100.66,192.168.1.66 local-address=192.168.100.1
/interface bridge port
# ether2-ether8 are bridged; ether1 (which holds the router address below) is not.
add bridge=ria-bridge interface=ether2
add bridge=ria-bridge interface=ether3
add bridge=ria-bridge interface=ether4
add bridge=ria-bridge interface=ether5
add bridge=ria-bridge interface=ether6
add bridge=ria-bridge interface=ether7
add bridge=ria-bridge interface=ether8
/interface pppoe-server server
# NOTE(review): interface=<l2tp> looks like a placeholder or a dangling reference -
# confirm what this PPPoE server is actually bound to, or remove it if unused.
add disabled=no interface=<l2tp> service-name=service1
/interface pptp-server server
# PPTP is enabled. Its MS-CHAPv2 authentication and MPPE encryption are widely
# considered broken, so this layer should not be relied on for confidentiality;
# an IPsec-protected transport is the usual replacement.
set enabled=yes
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# With no active drop rule in the input chain below, any host that can reach this
# router can use it as a resolver.
set allow-remote-requests=yes servers=192.168.100.66
/ip firewall filter
# Every enabled rule here is an accept and the only drop rule is disabled=yes, so
# unmatched traffic falls through to the default accept: the filter currently blocks
# nothing. To restrict access, the input chain needs an enabled final drop placed
# after accepts for what must stay reachable (management, PPTP control on tcp/1723
# plus GRE, and IKE/ESP/AH for the IPsec peer). The state rules accept only
# "established"; "related" is not listed.
add action=accept chain=input dst-address=192.168.100.1 dst-port=1723 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow ping" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="Accept established connections" connection-state=established
add action=accept chain=forward connection-state=established
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes log=yes
/ip ipsec peer
# The pre-shared key is three characters long and identical to every PPP password
# below. If "ytw" is the real value and not a redaction, it is trivially guessable
# and has been published - replace it with a long random key or certificates.
# No algorithms are listed, so the peer presumably uses the RouterOS 6.36.3
# defaults - check them against your baseline.
add address=192.168.100.9/32 nat-traversal=no secret=ytw
/ip ipsec policy
# src-address and dst-address are 0.0.0.0/24, which covers only 0.0.0.0-0.0.0.255,
# so no real traffic matches this policy. The RB850Gx2 export on this page uses
# 0.0.0.0/0 on both selectors; the two ends do not mirror each other, which by
# itself can explain the failed ping between the routers. Selectors should name the
# actual networks to protect and be mirrored on the peer.
# ipsec-protocols=ah-esp stacks AH on top of ESP; ESP with an authentication
# algorithm is usually sufficient - confirm this is intended.
add dst-address=0.0.0.0/24 ipsec-protocols=ah-esp sa-dst-address=192.168.100.9 sa-src-address=192.168.100.1 src-address=0.0.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.100.66
/ppp secret
# All seven PPTP accounts share the same three-character password, exported in clear
# text and equal to the IPsec secret above. One compromised site exposes all of them;
# use a unique, long password per account. name=ria-A is listed twice (remote-address
# .3 and .8) - verify whether that is a redaction artifact.
add local-address=192.168.100.1 name=ria-D password=ytw remote-address=192.168.100.2 service=pptp
add local-address=192.168.100.1 name=ria-A password=ytw remote-address=192.168.100.3 service=pptp
add local-address=192.168.100.1 name=ria-Y password=ytw remote-address=192.168.100.4 service=pptp
add local-address=192.168.100.1 name=ria-R password=ytw remote-address=192.168.100.5 service=pptp
add local-address=192.168.100.1 name=ria-X password=ytw remote-address=192.168.100.6 service=pptp
add local-address=192.168.100.1 name=ria-L password=ytw remote-address=192.168.100.7 service=pptp
add local-address=192.168.100.1 name=ria-A password=ytw remote-address=192.168.100.8 service=pptp
/system clock
set time-zone-name=Asia/Yakutsk
/system identity
set name=DOP
/system routerboard settings
set protected-routerboot=disabled
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
RB850Gx2
# oct/19/2016 12:36:09 by RouterOS 6.36.3
# software id = QU53-9F28
#
# Review notes: this is the export of the router with identity L-152 (192.168.100.9).
# It bridges ether1-ether5, has one IPsec peer (192.168.100.1) and a default route via
# that peer. The export contains no /ip firewall section, so presumably no filter
# rules are configured on this router - confirm.
/interface bridge
add name=ria-bridge
/interface bridge port
add bridge=ria-bridge interface=ether1
add bridge=ria-bridge interface=ether2
add bridge=ria-bridge interface=ether3
add bridge=ria-bridge interface=ether4
add bridge=ria-bridge interface=ether5
/ip address
# NOTE(review): the address is assigned to ether2, which is a port of ria-bridge
# (see above). On RouterOS the address normally belongs on the bridge interface
# itself; an address on a bridged port is a common cause of odd reachability.
add address=192.168.100.9/24 interface=ether2 network=192.168.100.0
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other hosts;
# without input-chain filtering, any host that can reach it can use it as a resolver.
set allow-remote-requests=yes servers=192.168.100.66,192.168.100.1
/ip ipsec peer
# Same three-character pre-shared key as on the other router. If "ytw" is the real
# value and not a redaction, it is trivially guessable and has been published -
# replace it with a long random key or certificates on both ends.
add address=192.168.100.1/32 nat-traversal=no secret=ytw
/ip ipsec policy
# Selectors are 0.0.0.0/0 on both sides, so this policy matches all IPv4 traffic the
# router handles, including traffic to 192.168.100.1 and towards the internet. The
# CCR1009 export on this page uses 0.0.0.0/24 instead, so the two policies do not
# mirror each other; that mismatch is a likely cause of the failed ping and of the
# missing internet access behind this router. Narrow the selectors to the networks
# that need protection and mirror them on the peer.
# ipsec-protocols=ah-esp stacks AH on top of ESP; ESP with an authentication
# algorithm is usually sufficient - confirm this is intended.
add dst-address=0.0.0.0/0 ipsec-protocols=ah-esp sa-dst-address=192.168.100.1 sa-src-address=192.168.100.9 src-address=0.0.0.0/0 tunnel=yes
/ip route
# Default route points at the IPsec peer itself.
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Yakutsk
/system identity
set name=L-152
/system routerboard settings
set cpu-frequency=533MHz protected-routerboot=disabled
Остальные MikroTik'и трогать не стал, пока тестирую на стенде на одном. Всё ли правильно?
CCR1009 не пингуется с RB850Gx2 (L-152)
Скриншоты с CCR1009 и RB850Gx2 (L-152) IPSec (Installed SAs) во вложении.
Подключил комп к RB850Gx2, локалка работает, но интернета нет.
Playlist радио работает, с инета берет