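# EdgeOS/VyOS site-to-site IPsec configuration, written as `configure`-mode
# commands (paste into configure mode, then commit/save). The "- " bullet
# prefixes of the original listing are dropped so the lines paste cleanly.
# Local LAN: 192.168.1.0/24 behind eth0 (DHCP WAN). Remote LAN: 192.168.3.0/24.

# Local private key lives on disk; the rsa-key below is the public key stored
# under the name "othersite" and referenced by `authentication rsa-key-name`.
# Confirm its fingerprint with the other site out of band before committing.
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/router.key
set vpn rsa-keys rsa-key-name othersite rsa-key 0sAwEAAzaC1yc2EAAAABJQAAAQEAzXs2RLg7jPYOPs26jhYC01MSOxbTWl7OJM1S/L41x0GEL6MENgLBzmcwMk+p2YlunLKyeHlJnEwmdfByGtZgoSe5tN4/oeso+70PyDTyvVZGXBuVn7ZyufRKT5FTkxsamSIgr3JsfoEzl/Pxn1IKDo3eXtT/99Q91PCmgRIUX/Eu/GVF8xQa4kVMMjbPfWQPWeSsRJJHcOoFutyHFi98j7cU+ucFs3O/AZYwKyfxMLhg+v7aRa3Z+FiXyHyMmb7aOEkC7nL8Fr8C/TR5knaeWsnnMnvdvecjK8U19xpq3+DSzHP+idpWqIx61FGfuAkmQ=

# Automatic NAT exclusion is disabled; the explicit NAT rule 5000 at the bottom
# carries the exclusion instead.
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec auto-update 120

# ESP (data-plane) proposal. The original used `hash md5`; HMAC-MD5 is a
# deprecated integrity choice and was weaker than the IKE proposal below, so it
# is raised to sha256 to match. NOTE: the peer's esp-group must be changed to
# the same value or phase 2 will fail to negotiate.
edit vpn ipsec esp-group FOO0
set proposal 1 encryption aes256
set proposal 1 hash sha256
exit

# IKE (control-plane) proposal: IKEv2, DH group 14, AES-256, SHA-256.
# Dead-peer detection probes every 30 s and clears the SA after 120 s
# without a reply.
edit vpn ipsec ike-group FOO0
set key-exchange ikev2
set proposal 1 dh-group 14
set proposal 1 encryption aes256
set proposal 1 hash sha256
set dead-peer-detection action clear
set dead-peer-detection interval 30
set dead-peer-detection timeout 120
exit

# Peer definition. Both sides are identified by @name IDs rather than addresses,
# and the local WAN address is taken from DHCP on eth0. `connection-type respond`
# means this side never initiates; the remote site is expected to.
edit vpn ipsec site-to-site peer my.other.domain.not
set authentication id @my.real.domain.not
set authentication remote-id @my.other.domain.not
set authentication mode rsa
set authentication rsa-key-name othersite
set connection-type respond
set description "Other Site VPN"
set dhcp-interface eth0
set ike-group FOO0
set tunnel 1 esp-group FOO0
set tunnel 1 local prefix 192.168.1.0/24
set tunnel 1 remote prefix 192.168.3.0/24
exit

# Forward lookups for *.other.local to the remote site's resolver over the tunnel.
set service dns forwarding options "listen-address=192.168.1.1"
set service dns forwarding options server=/.other.local/192.168.3.1

# Traffic to the router itself on the WAN side. Rules 30/40/50 admit IKE
# (udp/500), ESP and NAT-T (udp/4500) from any source, as the peer's address
# is not pinned. Rule 90 admits IPsec-decapsulated traffic from the whole
# 192.168.0.0/16 -- wider than this tunnel's 192.168.3.0/24, presumably to
# cover further VPN peers; tighten to the peer prefix if only one is expected.
edit firewall name WAN_LOCAL
set rule 30 action accept
set rule 30 description ike
set rule 30 destination port 500
set rule 30 log disable
set rule 30 protocol udp
set rule 40 action accept
set rule 40 description esp
set rule 40 log disable
set rule 40 protocol esp
set rule 50 action accept
set rule 50 description nat-t
set rule 50 destination port 4500
set rule 50 log disable
set rule 50 protocol udp
set rule 90 action accept
set rule 90 description "Allow router access from ipsec VPNs"
set rule 90 destination address 192.168.1.0/24
set rule 90 log disable
set rule 90 ipsec match-ipsec
set rule 90 source address 192.168.0.0/16
exit

# Traffic forwarded through the router from the WAN side: same /16 scope as
# WAN_LOCAL rule 90, restricted to packets that arrived inside IPsec.
edit firewall name WAN_IN
set rule 90 action accept
set rule 90 description "Allow ipsec traffic from remote VPNs"
set rule 90 destination address 192.168.1.0/24
set rule 90 log disable
set rule 90 ipsec match-ipsec
set rule 90 source address 192.168.0.0/16
exit

# Keep LAN-to-VPN traffic out of the outbound masquerade so it enters the
# tunnel with its real source address. NAT rules are matched in numeric order;
# this assumes the general masquerade rule for eth0 has a higher number than
# 5000 -- TODO confirm against the rest of the NAT configuration.
edit service nat
set rule 5000 description "Exclude traffic to VPN"
set rule 5000 destination address 192.168.0.0/16
set rule 5000 exclude
set rule 5000 outbound-interface eth0
set rule 5000 protocol all
set rule 5000 source address 192.168.1.0/24
set rule 5000 type masquerade
exit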