GRE_OSPF
  1. ###############################################################################################################################################################################
  2. LHG:
  3.  
  4. /ip address
  5. add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
  6. add address=172.16.1.2/30 interface=GRE_Loopback network=172.16.1.0
  7. add address=172.16.2.2/30 interface=LTE_DIGI_GRE network=172.16.2.0
  8.  
  9. /interface bridge
  10. add fast-forward=no name=GRE_Loopback protocol-mode=none
  11.  
  12. /interface gre
  13. add keepalive=10s,3 local-address=172.16.1.2 name=LTE_DIGI_GRE remote-address=172.16.1.1
  14.  
  15. /ip ipsec profile
  16. add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=GRE_OSPF nat-traversal=no prf-algorithm=sha256
  17. /ip ipsec peer
  18. add address=XXXXXXXX exchange-mode=ike2 name=DIGI profile=GRE_OSPF
  19. /ip ipsec proposal
  20. add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=GRE_OSPF pfs-group=modp2048
  21. /ip ipsec identity
  22. add peer=DIGI secret=XXXXXXXXXXXXX
  23. /ip ipsec policy
  24. add dst-address=172.16.1.0/30 peer=DIGI proposal=GRE_OSPF sa-dst-address=XXX.XXX.XXX.XXX sa-src-address=XXX.XXX.XXX.XXX src-address=172.16.1.0/30 tunnel=yes
  25.  
  26. /routing ospf instance
  27. add in-filter=GRE_OSPF_IN name=GRE_OSPF out-filter=GRE_OSPF_OUT redistribute-connected=as-type-1 router-id=172.16.2.2
  28. /routing ospf area
  29. add area-id=0.0.0.1 instance=GRE_OSPF name=GRE_OSPF
  30. /routing ospf interface
  31. add interface=LTE_DIGI_GRE network-type=point-to-point
  32. /routing ospf network
  33. add area=GRE_OSPF network=172.16.2.0/30
  34.  
  35. /ip firewall filter
  36. add action=accept chain=input dst-port=2250,8291 protocol=tcp
  37. add action=accept chain=input dst-port=500,4500 protocol=udp
  38. add action=accept chain=input protocol=ipsec-esp
  39. add action=accept chain=input protocol=gre
  40. add action=accept chain=input protocol=ospf
  41. add action=accept chain=input protocol=icmp
  42. add action=accept chain=input connection-state=established,related
  43. add action=drop chain=input connection-state=invalid
  44. add action=drop chain=input
  45. add action=accept chain=forward ipsec-policy=in,ipsec
  46. add action=accept chain=forward ipsec-policy=out,ipsec
  47. add action=fasttrack-connection chain=forward
  48. add action=accept chain=forward connection-state=established,related
  49. add action=drop chain=forward connection-state=invalid
  50. /ip firewall mangle
  51. add action=change-mss chain=forward new-mss=1300 out-interface=lte1 passthrough=yes protocol=tcp tcp-flags=syn
  52. add action=change-mss chain=forward new-mss=1300 out-interface=LTE_DIGI_GRE passthrough=yes protocol=tcp tcp-flags=syn
  53. /ip firewall nat
  54. add action=accept chain=srcnat dst-address=172.16.1.0/30 src-address=172.16.1.0/30
  55. add action=masquerade chain=srcnat out-interface=lte1
  56.  
  57. /routing filter
  58. add action=discard chain=GRE_OSPF_IN prefix=10.0.0.1
  59. add action=discard chain=GRE_OSPF_IN prefix=172.16.1.0/30
  60. add action=discard chain=GRE_OSPF_OUT prefix=172.16.1.0/30
  61.  
  62. ##########################################################################################################################################################################
  63.  
  64. HEX:
  65.  
  66. /ip address
  67. add address=10.10.100.1/24 interface=ether2 network=10.10.100.0
  68. add address=10.10.110.1/24 interface=ether3 network=10.10.110.0
  69. add address=10.10.120.1/24 interface=ether4 network=10.10.120.0
  70. add address=10.10.11.1/24 interface=ether5 network=10.10.11.0
  71. add address=172.16.1.1/30 interface=GRE_Loopback network=172.16.1.0
  72. add address=172.16.2.1/30 interface=DIGI_LTE_GRE network=172.16.2.0
  73.  
  74. /interface bridge
  75. add fast-forward=no name=GRE_Loopback protocol-mode=none
  76.  
  77. /interface gre
  78. add keepalive=10s,3 local-address=172.16.1.1 name=DIGI_LTE_GRE remote-address=172.16.1.2
  79.  
  80. /ip ipsec mode-config
  81. add address=10.10.17.10 address-prefix-length=32 name=Samsung
  82. add address=10.10.17.20 name=Redmi
  83. add address=10.10.17.30 name=PC
  84. add address=10.10.17.40 address-prefix-length=32 name=Gabi
  85. /ip ipsec policy group
  86. add name=IPSec_VPN
  87. /ip ipsec profile
  88. set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
  89. add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=IPSec_VPN
  90. add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=GRE_OSPF nat-traversal=no prf-algorithm=sha256
  91. /ip ipsec peer
  92. add address=XXXXXXXX exchange-mode=ike2 name=LTE profile=GRE_OSPF
  93. add exchange-mode=ike2 name=IPSec_VPN passive=yes profile=IPSec_VPN send-initial-contact=no
  94. /ip ipsec proposal
  95. set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
  96. add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IPSec_VPN pfs-group=none
  97. add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=GRE_OSPF pfs-group=modp2048
  98. /ip ipsec identity
  99. add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=Samsung peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=Samsung
  100. add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=Gabi peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=Gabi
  101. add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=Redmi peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=Redmi
  102. add auth-method=digital-signature certificate=IPSec_Server generate-policy=port-strict match-by=certificate mode-config=PC peer=IPSec_VPN policy-template-group=IPSec_VPN remote-certificate=PC
  103. add peer=LTE secret=XXXXXXXXXXXXXXX
  104. /ip ipsec policy
  105. add dst-address=10.10.17.0/24 group=IPSec_VPN proposal=IPSec_VPN src-address=0.0.0.0/0 template=yes
  106. add dst-address=172.16.1.0/30 peer=LTE proposal=GRE_OSPF sa-dst-address=XXX.XXX.XXX.XXX sa-src-address=XXX.XXX.XXX.XXX src-address=172.16.1.0/30 tunnel=yes
  107. /ip ipsec settings
  108.  
  109. /routing ospf instance
  110. set [ find default=yes ] distribute-default=always-as-type-1 redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=10.10.120.1
  111. add in-filter=GRE_OSPF_IN name=GRE_OSPF out-filter=GRE_OSPF_OUT redistribute-connected=as-type-1 redistribute-other-ospf=as-type-1 router-id=172.16.2.1
  112. /routing ospf area
  113. add area-id=0.0.0.1 instance=GRE_OSPF name=GRE_OSPF
  114. /routing ospf interface
  115. add interface=ether4 network-type=broadcast
  116. add interface=DIGI_LTE_GRE network-type=point-to-point
  117. /routing ospf network
  118. add area=backbone network=10.10.120.0/24
  119. add area=GRE_OSPF network=172.16.2.0/30
  120.  
  121. /ip firewall filter
  122. add action=accept chain=input dst-port=2250,8291 protocol=tcp
  123. add action=accept chain=input dst-port=500,4500 protocol=udp
  124. add action=accept chain=input protocol=ipsec-esp
  125. add action=accept chain=input protocol=icmp
  126. add action=accept chain=input protocol=ospf
  127. add action=accept chain=input protocol=gre
  128. add action=accept chain=input connection-state=established,related
  129. add action=drop chain=input connection-state=invalid
  130. add action=drop chain=input
  131. add action=accept chain=forward ipsec-policy=in,ipsec
  132. add action=accept chain=forward ipsec-policy=out,ipsec
  133. add action=fasttrack-connection chain=forward
  134.  
  135. add action=accept chain=forward connection-state=established,related,new
  136. add action=drop chain=forward connection-state=invalid
  137. /ip firewall mangle
  138. add action=change-mss chain=forward new-mss=1300 out-interface=DIGI_PPPoE passthrough=yes protocol=tcp tcp-flags=syn
  139. /ip firewall nat
  140. add action=accept chain=srcnat dst-address=172.16.1.0/30 src-address=172.16.1.0/30
  141. add action=masquerade chain=srcnat out-interface=DIGI_PPPoE
  142.  