# MikroTik RouterOS site-to-site IPsec excerpt: IKE profile, peer, ESP proposal,
# identity (PSK), tunnel policy, WAN input filtering and srcnat bypass for the
# tunnel subnets. Placeholder values: xxx.xxx.xxx.xxx (local WAN address),
# yyy.yyy.yyy.yyy (remote peer address) and secret="psk".
#
# Phase 1 (IKE) profile: DH modp2048, AES-256, SHA-256.
# dpd-interval=disable-dpd turns Dead Peer Detection off, so a silently
# vanished peer is only noticed when the SA lifetime expires; consider an
# explicit dpd-interval if the tunnel must re-establish quickly.
- /ip ipsec profile
- add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="Phase 1"
# Peer: remote endpoint /32, local endpoint pinned to the WAN address so the
# SA is negotiated from a fixed source. No exchange-mode is set here, so the
# IKE version in use is whatever the RouterOS default gives — confirm on the
# live device and match it on the remote side.
- /ip ipsec peer
- add address=yyy.yyy.yyy.yyy/32 local-address=xxx.xxx.xxx.xxx name="IPSec chr1 -> Main" profile="Phase 1"
# Phase 2 (ESP) proposal: AES-256-CBC + SHA-256, PFS with modp2048, 1h SA
# lifetime. The peer must offer an identical set or Phase 2 fails.
- /ip ipsec proposal
- add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name="Phase 2" pfs-group=modp2048
# Identity: pre-shared key for the peer above. secret="psk" is a placeholder
# and must be replaced with a long random value (and kept out of pastes and
# backups in clear text) before this is deployed.
- /ip ipsec identity
- add peer="IPSec chr1 -> Main" secret="psk"
# Policy: tunnel 10.1.1.0/26 (local) <-> 192.168.0.0/24 (remote) through the
# peer, SA endpoints pinned to the two WAN addresses; level=unique gives each
# selector pair its own SA.
- /ip ipsec policy
- add dst-address=192.168.0.0/24 level=unique peer="IPSec chr1 -> Main" proposal="Phase 2" sa-dst-address=yyy.yyy.yyy.yyy sa-src-address=xxx.xxx.xxx.xxx src-address=10.1.1.0/26 tunnel=yes
# Filter: stateful accept first, invalid dropped, then only IKE (UDP 500/4500),
# ESP and AH are accepted on input from the WAN list before a final drop.
# NOTE(review): log-prefix=accept / log-prefix=drop_all are set but log=yes is
# not, so these rules write nothing to the log; add log=yes if the prefixes
# are meant to be used for monitoring.
# NOTE(review): the forward chain only has accept/drop for established,
# related and invalid here; no final forward drop and no rule for decrypted
# tunnel traffic (ipsec-policy=in,ipsec) is visible — they may be elsewhere in
# the full config, confirm before relying on this excerpt.
- /ip firewall filter
- add action=accept chain=input comment="Accept Established/Related" connection-state=established,related log-prefix=accept
- add action=accept chain=forward comment="Accept Established/Related" connection-state=established,related
- add action=drop chain=input comment="Drop Invalid" connection-state=invalid
- add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
- add action=accept chain=input comment="Accept IPSec" dst-port=500,4500 in-interface-list=WAN protocol=udp
- add action=accept chain=input comment="Accept IPSec" in-interface-list=WAN protocol=ipsec-esp
- add action=accept chain=input comment="Accept IPSec" in-interface-list=WAN protocol=ipsec-ah
- add action=drop chain=input comment="Drop all" in-interface-list=WAN log-prefix=drop_all
# NAT: accept (i.e. do not NAT) traffic between the two tunnel subnets in both
# directions so it still matches the IPsec policy selectors. Rules are
# evaluated in order, so these must sit above any masquerade / src-nat rule
# that covers 10.1.1.0/26; no such rule is shown in this excerpt.
- /ip firewall nat
- add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=10.1.1.0/26
- add action=accept chain=srcnat dst-address=10.1.1.0/26 src-address=192.168.0.0/24