  1. set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/router.key
  2. set vpn rsa-keys rsa-key-name othersite rsa-key 0sAwEAAzaC1yc2EAAAABJQAAAQEAzXs2RLg7jPYOPs26jhYC01MSOxbTWl7OJM1S/L41x0GEL6MENgLBzmcwMk+p2YlunLKyeHlJnEwmdfByGtZgoSe5tN4/oeso+70PyDTyvVZGXBuVn7ZyufRKT5FTkxsamSIgr3JsfoEzl/Pxn1IKDo3eXtT/99Q91PCmgRIUX/Eu/GVF8xQa4kVMMjbPfWQPWeSsRJJHcOoFutyHFi98j7cU+ucFs3O/AZYwKyfxMLhg+v7aRa3Z+FiXyHyMmb7aOEkC7nL8Fr8C/TR5knaeWsnnMnvdvecjK8U19xpq3+DSzHP+idpWqIx61FGfuAkmQ=
  3. set vpn ipsec auto-firewall-nat-exclude disable
  4. set vpn ipsec auto-update 120
  5.  
  6. edit vpn ipsec esp-group FOO0
  7. set proposal 1 encryption aes256
  8. set proposal 1 hash md5
  9. exit
  10.  
  11. edit vpn ipsec ike-group FOO0
  12. set key-exchange ikev2
  13. set proposal 1 dh-group 14
  14. set proposal 1 encryption aes256
  15. set proposal 1 hash sha256
  16. set dead-peer-detection action clear
  17. set dead-peer-detection interval 30
  18. set dead-peer-detection timeout 120
  19. exit
  20.  
  21. edit vpn ipsec site-to-site peer my.other.domain.not
  22. set authentication id @my.real.domain.not
  23. set authentication remote-id @my.other.domain.not
  24. set authentication mode rsa
  25. set authentication rsa-key-name othersite
  26. set connection-type respond
  27. set description "Other Site VPN"
  28. set dhcp-interface eth0
  29. set ike-group FOO0
  30. set tunnel 1 esp-group FOO0
  31. set tunnel 1 local prefix 192.168.1.0/24
  32. set tunnel 1 remote prefix 192.168.3.0/24
  33. exit
  34.  
  35. set service dns forwarding options "listen-address=192.168.1.1"
  36. set service dns forwarding options server=/.other.local/192.168.3.1
  37.  
  38. edit firewall name WAN_LOCAL
  39.  
  40. set rule 30 action accept
  41. set rule 30 description ike
  42. set rule 30 destination port 500
  43. set rule 30 log disable
  44. set rule 30 protocol udp
  45.  
  46. set rule 40 action accept
  47. set rule 40 description esp
  48. set rule 40 log disable
  49. set rule 40 protocol esp
  50.  
  51. set rule 50 action accept
  52. set rule 50 description nat-t
  53. set rule 50 destination port 4500
  54. set rule 50 log disable
  55. set rule 50 protocol udp
  56.  
  57. set rule 90 action accept
  58. set rule 90 description "Allow router access from ipsec VPNs"
  59. set rule 90 destination address 192.168.1.0/24
  60. set rule 90 log disable
  61. set rule 90 ipsec match-ipsec
  62. set rule 90 source address 192.168.0.0/16
  63.  
  64. exit
  65.  
  66. edit firewall name WAN_IN
  67. set rule 90 action accept
  68. set rule 90 description "Allow ipsec traffic from remote VPNs"
  69. set rule 90 destination address 192.168.1.0/24
  70. set rule 90 log disable
  71. set rule 90 ipsec match-ipsec
  72. set rule 90 source address 192.168.0.0/16
  73. exit
  74.  
  75. edit service nat
  76. set rule 5000 description "Exclude traffic to VPN"
  77. set rule 5000 destination address 192.168.0.0/16
  78. set rule 5000 exclude
  79. set rule 5000 outbound-interface eth0
  80. set rule 5000 protocol all
  81. set rule 5000 source address 192.168.1.0/24
  82. set rule 5000 type masquerade
  83. exit