- ###############################################################################################################################################################################
- LHG:
- # LHG: remote router with an LTE uplink (lte1). It builds a GRE tunnel to HEX, protects the GRE
- # endpoint pair with IPsec (IKEv2) and runs OSPF inside the tunnel; LAN 192.168.1.0/24 is masqueraded out lte1.
- /ip address
- # 172.16.1.0/30 (held on the GRE_Loopback bridge) is the GRE endpoint pair and is what the IPsec policy below
- # encrypts; 172.16.2.0/30 is the address inside the GRE tunnel where the OSPF adjacency forms.
- add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
- add address=172.16.1.2/30 interface=GRE_Loopback network=172.16.1.0
- add address=172.16.2.2/30 interface=LTE_DIGI_GRE network=172.16.2.0
- /interface bridge
- # Port-less bridge (no bridge ports appear in this export) used only as a loopback holder for 172.16.1.2.
- add fast-forward=no name=GRE_Loopback protocol-mode=none
- /interface gre
- # keepalive=10s,3: the tunnel loses its running flag after three missed 10s keepalives (~30s).
- add keepalive=10s,3 local-address=172.16.1.2 name=LTE_DIGI_GRE remote-address=172.16.1.1
- /ip ipsec profile
- # Phase 1: AES-256 / SHA-256 / modp2048 with an IKEv2 PRF of sha256. nat-traversal=no means the tunnel
- # will not come up if either endpoint sits behind NAT — confirm lte1 receives a public (non-CGNAT) address.
- add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=GRE_OSPF nat-traversal=no prf-algorithm=sha256
- /ip ipsec peer
- # HEX's public address (redacted in the paste).
- add address=XXXXXXXX exchange-mode=ike2 name=DIGI profile=GRE_OSPF
- /ip ipsec proposal
- # Phase 2: AES-256-CBC / SHA-256 with PFS (modp2048), matching HEX's GRE_OSPF proposal.
- add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=GRE_OSPF pfs-group=modp2048
- /ip ipsec identity
- # Pre-shared-key authentication for the site-to-site peer (secret redacted).
- add peer=DIGI secret=XXXXXXXXXXXXX
- /ip ipsec policy
- # Tunnel-mode policy covering only the GRE endpoint pair (172.16.1.0/30 <-> 172.16.1.0/30); since every tunnel
- # packet is GRE between those addresses, all traffic crossing LTE_DIGI_GRE is encrypted. sa-src/sa-dst are the
- # public endpoints (redacted).
- add dst-address=172.16.1.0/30 peer=DIGI proposal=GRE_OSPF sa-dst-address=XXX.XXX.XXX.XXX sa-src-address=XXX.XXX.XXX.XXX src-address=172.16.1.0/30 tunnel=yes
- /routing ospf instance
- # Dedicated instance for the tunnel. The in/out filters (see /routing filter below) keep the 172.16.1.0/30
- # underlay out of OSPF — presumably so the route to the IPsec endpoints is never learned through the tunnel
- # that depends on them (which would flap the tunnel); confirm that is the intent.
- add in-filter=GRE_OSPF_IN name=GRE_OSPF out-filter=GRE_OSPF_OUT redistribute-connected=as-type-1 router-id=172.16.2.2
- /routing ospf area
- # 0.0.0.1 is the only area of this instance, so no backbone/ABR is needed; HEX uses the same area id for its
- # GRE_OSPF instance.
- add area-id=0.0.0.1 instance=GRE_OSPF name=GRE_OSPF
- /routing ospf interface
- # OSPF speaks only on the GRE interface (point-to-point, no DR/BDR election).
- add interface=LTE_DIGI_GRE network-type=point-to-point
- /routing ospf network
- add area=GRE_OSPF network=172.16.2.0/30
- /ip firewall filter
- # input: management (tcp 2250, 8291/Winbox) and IKE (udp 500/4500) are accepted from ANY source, including
- # lte1 — restrict management with src-address=192.168.1.0/24 (or an address-list) and/or in-interface=!lte1.
- # OSPF only runs on LTE_DIGI_GRE (see /routing ospf interface), so in-interface=LTE_DIGI_GRE on the ospf rule
- # would stop hellos arriving on lte1; the GRE endpoints sit inside the IPsec policy, so ipsec-policy=in,ipsec on
- # the gre rule would reject cleartext GRE from the uplink. The established,related accept sits after the
- # per-service accepts; placing it first is the usual shape and gives the same decisions here, since every
- # rule ahead of it is also an accept.
- add action=accept chain=input dst-port=2250,8291 protocol=tcp
- add action=accept chain=input dst-port=500,4500 protocol=udp
- add action=accept chain=input protocol=ipsec-esp
- add action=accept chain=input protocol=gre
- add action=accept chain=input protocol=ospf
- add action=accept chain=input protocol=icmp
- add action=accept chain=input connection-state=established,related
- add action=drop chain=input connection-state=invalid
- add action=drop chain=input
- # forward: no terminating rule — only invalid is dropped, so a new connection arriving on lte1 that is
- # routable to 192.168.1.0/24 or through the tunnel is forwarded. The stock RouterOS chain ends with
- # drop connection-state=new in-interface=lte1 (exempting dstnat if port-forwards exist; none in this export).
- # The two ipsec-policy accepts must stay ahead of fasttrack-connection: fasttracked packets skip the IPsec
- # policy lookup and would be sent in cleartext.
- add action=accept chain=forward ipsec-policy=in,ipsec
- add action=accept chain=forward ipsec-policy=out,ipsec
- add action=fasttrack-connection chain=forward
- add action=accept chain=forward connection-state=established,related
- add action=drop chain=forward connection-state=invalid
- /ip firewall mangle
- # Clamp TCP MSS to 1300 on both the LTE uplink and the GRE tunnel (GRE + ESP overhead) so oversized
- # segments are not black-holed; HEX only clamps on its PPPoE uplink.
- add action=change-mss chain=forward new-mss=1300 out-interface=lte1 passthrough=yes protocol=tcp tcp-flags=syn
- add action=change-mss chain=forward new-mss=1300 out-interface=LTE_DIGI_GRE passthrough=yes protocol=tcp tcp-flags=syn
- /ip firewall nat
- # The accept for the GRE endpoint pair must stay ahead of masquerade: srcnat runs before the IPsec policy
- # lookup, so a masqueraded 172.16.1.2 would no longer match the src-address=172.16.1.0/30 policy.
- add action=accept chain=srcnat dst-address=172.16.1.0/30 src-address=172.16.1.0/30
- add action=masquerade chain=srcnat out-interface=lte1
- /routing filter
- # Deny-lists: neither chain has a final rule, so (RouterOS v6 semantics) any route matching no rule passes.
- # prefix=10.0.0.1 carries no mask — presumably meant as a /32 host route; confirm and write it as 10.0.0.1/32.
- add action=discard chain=GRE_OSPF_IN prefix=10.0.0.1
- add action=discard chain=GRE_OSPF_IN prefix=172.16.1.0/30
- add action=discard chain=GRE_OSPF_OUT prefix=172.16.1.0/30
- ##########################################################################################################################################################################
- HEX:
- # HEX: site router with four LANs (ether2-ether5) and a PPPoE uplink (DIGI_PPPoE). Terminates the
- # IPsec-protected GRE tunnel from LHG (OSPF over it) and an IKEv2 road-warrior VPN authenticated by certificates.
- /ip address
- # 172.16.1.1/30 on the port-less GRE_Loopback bridge is the IPsec-protected GRE endpoint; 172.16.2.1/30 is the
- # inside of the GRE tunnel.
- add address=10.10.100.1/24 interface=ether2 network=10.10.100.0
- add address=10.10.110.1/24 interface=ether3 network=10.10.110.0
- add address=10.10.120.1/24 interface=ether4 network=10.10.120.0
- add address=10.10.11.1/24 interface=ether5 network=10.10.11.0
- add address=172.16.1.1/30 interface=GRE_Loopback network=172.16.1.0
- add address=172.16.2.1/30 interface=DIGI_LTE_GRE network=172.16.2.0
- /interface bridge
- add fast-forward=no name=GRE_Loopback protocol-mode=none
- /interface gre
- # Mirror of LHG's tunnel definition (same keepalive, reversed endpoints).
- add keepalive=10s,3 local-address=172.16.1.1 name=DIGI_LTE_GRE remote-address=172.16.1.2
- /ip ipsec mode-config
- # One fixed VPN address per client out of 10.10.17.0/24. Redmi and PC omit address-prefix-length=32 while
- # Samsung and Gabi set it — presumably the default is the same, but make them uniform so every client gets a /32.
- add address=10.10.17.10 address-prefix-length=32 name=Samsung
- add address=10.10.17.20 name=Redmi
- add address=10.10.17.30 name=PC
- add address=10.10.17.40 address-prefix-length=32 name=Gabi
- /ip ipsec policy group
- add name=IPSec_VPN
- /ip ipsec profile
- # The default profile is hardened as well. IPSec_VPN rekeys every hour; GRE_OSPF disables NAT-T (see LHG).
- set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
- add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=IPSec_VPN
- add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=GRE_OSPF nat-traversal=no prf-algorithm=sha256
- /ip ipsec peer
- # LTE: the site-to-site peer (LHG's public address, redacted). IPSec_VPN: passive responder with no address,
- # so any initiator may reach phase 1; authorization happens per certificate in /ip ipsec identity.
- add address=XXXXXXXX exchange-mode=ike2 name=LTE profile=GRE_OSPF
- add exchange-mode=ike2 name=IPSec_VPN passive=yes profile=IPSec_VPN send-initial-contact=no
- /ip ipsec proposal
- # Road-warrior proposals use pfs-group=none (presumably for mobile-client compatibility); the site-to-site
- # GRE_OSPF proposal keeps PFS with modp2048.
- set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
- add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IPSec_VPN pfs-group=none
- add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=GRE_OSPF pfs-group=modp2048
- /ip ipsec identity
- # One identity per client: match-by=certificate binds each remote certificate to its own mode-config entry
- # (fixed VPN address), and generate-policy=port-strict derives the client policy from the IPSec_VPN template.
- # The last identity is the PSK for the site-to-site peer (secret redacted).
- add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=Samsung peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=Samsung
- add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=Gabi peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=Gabi
- add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=Redmi peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=Redmi
- add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=PC peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=PC
- add peer=LTE secret=XXXXXXXXXXXXXXX
- /ip ipsec policy
- # Template for road-warrior clients: any source -> VPN pool 10.10.17.0/24; the concrete per-client policy is
- # generated at connect time. The second policy is the site-to-site GRE endpoint pair, as on LHG.
- add dst-address=10.10.17.0/24 group=IPSec_VPN proposal=IPSec_VPN src-address=0.0.0.0/0 template=yes
- add dst-address=172.16.1.0/30 peer=LTE proposal=GRE_OSPF sa-dst-address=XXX.XXX.XXX.XXX sa-src-address=XXX.XXX.XXX.XXX src-address=172.16.1.0/30 tunnel=yes
- # (empty section in this export)
- /ip ipsec settings
- /routing ospf instance
- # Default instance: backbone on ether4 (10.10.120.0/24), always originates a default route and redistributes
- # connected + static. GRE_OSPF: separate instance toward LHG that also redistributes routes learned by the
- # other instance (redistribute-other-ospf). It references GRE_OSPF_IN/GRE_OSPF_OUT, but this export has no
- # /routing filter section for HEX — either it was omitted or the chains are empty, in which case every
- # route passes and 172.16.1.0/30 is NOT filtered on this side as it is on LHG; confirm.
- set [ find default=yes ] distribute-default=always-as-type-1 redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=10.10.120.1
- add in-filter=GRE_OSPF_IN name=GRE_OSPF out-filter=GRE_OSPF_OUT redistribute-connected=as-type-1 redistribute-other-ospf=as-type-1 router-id=172.16.2.1
- /routing ospf area
- add area-id=0.0.0.1 instance=GRE_OSPF name=GRE_OSPF
- /routing ospf interface
- # OSPF is spoken on ether4 (broadcast, backbone) and on the GRE tunnel (point-to-point).
- add interface=ether4 network-type=broadcast
- add interface=DIGI_LTE_GRE network-type=point-to-point
- /routing ospf network
- add area=backbone network=10.10.120.0/24
- add area=GRE_OSPF network=172.16.2.0/30
- /ip firewall filter
- # input: as on LHG, management (tcp 2250, 8291/Winbox) is accepted from any source, including DIGI_PPPoE —
- # restrict by src-address (the 10.10.x.0/24 LANs and, if wanted, the 10.10.17.0/24 VPN pool) or an address-list.
- # OSPF and GRE are likewise accepted from any source; OSPF is only needed on ether4 and DIGI_LTE_GRE, and GRE
- # only from within the IPsec policy (ipsec-policy=in,ipsec).
- add action=accept chain=input dst-port=2250,8291 protocol=tcp
- add action=accept chain=input dst-port=500,4500 protocol=udp
- add action=accept chain=input protocol=ipsec-esp
- add action=accept chain=input protocol=icmp
- add action=accept chain=input protocol=ospf
- add action=accept chain=input protocol=gre
- add action=accept chain=input connection-state=established,related
- add action=drop chain=input connection-state=invalid
- add action=drop chain=input
- # forward: connection-state=established,related,new accepts every new forwarded connection regardless of
- # interface, so with no final drop the chain filters nothing but invalid — a new connection arriving on
- # DIGI_PPPoE toward the LANs or the VPN pool is forwarded if routable. Usual shape: accept
- # established,related only, then drop connection-state=new in-interface=DIGI_PPPoE (exempting dstnat if used).
- # VPN-client and tunnel traffic is already admitted by the ipsec-policy=in,ipsec accept above, which, as on
- # LHG, must stay ahead of fasttrack-connection.
- add action=accept chain=forward ipsec-policy=in,ipsec
- add action=accept chain=forward ipsec-policy=out,ipsec
- add action=fasttrack-connection chain=forward
- add action=accept chain=forward connection-state=established,related,new
- add action=drop chain=forward connection-state=invalid
- /ip firewall mangle
- # MSS is clamped only on the PPPoE uplink. LHG also clamps on its GRE interface; HEX does not clamp on
- # DIGI_LTE_GRE, so SYNs from the HEX LANs into the tunnel keep their full MSS — consider a matching rule with
- # out-interface=DIGI_LTE_GRE.
- add action=change-mss chain=forward new-mss=1300 out-interface=DIGI_PPPoE passthrough=yes protocol=tcp tcp-flags=syn
- /ip firewall nat
- # The GRE endpoint pair is exempted from masquerade (must precede it, as on LHG). There is no equivalent
- # exemption for road-warrior traffic: LAN replies to 10.10.17.0/24 are routed out DIGI_PPPoE and srcnat runs
- # before the IPsec policy lookup, so they would be masqueraded before encryption unless a bypass such as
- # chain=srcnat action=accept ipsec-policy=out,ipsec is placed ahead of masquerade elsewhere (not in this export).
- add action=accept chain=srcnat dst-address=172.16.1.0/30 src-address=172.16.1.0/30
- add action=masquerade chain=srcnat out-interface=DIGI_PPPoE