Last active April 13, 2020 07:56
ipsec config
config setup
    charondebug="ike 1, knl 1, cfg 0"
    # allow the same identity to connect more than once (several clients may share an EAP user)
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    # always use UDP encapsulation (port 4500), needed for clients behind NAT
    forceencaps=yes
    # the trailing "!" makes the proposal list strict: only these suites are accepted.
    # aes128-sha256-modp3072 is the preferred suite; the sha1 / modp1024 / 3des entries
    # are legacy fallbacks and should be removed once no client still needs them.
    ike=aes128-sha256-modp3072,aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha256-modp3072,aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # server side: authenticates with its certificate and tunnels all client traffic (0.0.0.0/0)
    left=%any
    leftid=@vps.mydomain.tld
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # client side: any peer, authenticated by username/password over EAP-MSCHAPv2,
    # assigned a virtual IP from 10.10.10.0/24
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity
    leftfirewall=yes
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; defconf: accept established,related,untracked
     chain=input action=accept
     connection-state=established,related,untracked
 2   ;;; defconf: drop invalid
     chain=input action=drop connection-state=invalid
 3   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp
 4   ;;; defconf: accept to local loopback (for CAPsMAN)
     chain=input action=accept dst-address=127.0.0.1
 5   ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN
 6   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
 7   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
 8   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection
     connection-state=established,related
 9   ;;; defconf: accept established,related, untracked
     chain=forward action=accept
     connection-state=established,related,untracked
10   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid
11   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new
     connection-nat-state=!dstnat in-interface-list=WAN
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; ipsec mode-config
     chain=srcnat action=src-nat to-addresses=10.10.10.2
     src-address-list=local3 dst-address-list=!local3
 1 X ;;; defconf: masquerade
     chain=srcnat action=masquerade out-interface-list=WAN log=no
     log-prefix="" ipsec-policy=out,none
 2   chain=srcnat action=masquerade out-interface=lte1 log=no log-prefix=""
[admin@MikroTik] > /ip firewall raw print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=prerouting action=passthrough
[admin@MikroTik] > /ip ipsec active-peers print
Flags: R - responder, N - natt-peer
 #    ID                 STATE        UPTIME  PH2-TOTAL
 0 N  vps.mydomain.tld   established  49s     1
[admin@MikroTik] > /ip ipsec identity print
Flags: D - dynamic, X - disabled
 0   peer=vps.kgtech.fi auth-method=eap eap-methods=eap-mschapv2
     mode-config=ike2-rw certificate="" username="xxxxxxx" password="zzzzzzz"
     generate-policy=port-strict policy-template-group=ike2-rw
[admin@MikroTik] > /ip ipsec mode-config print
Flags: * - default, R - responder
 0 * name="request-only" responder=no src-address-list=local1
 1   name="ike2-rw" responder=no src-address-list=local3
[admin@MikroTik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
 0   name="vps.mydomain.tld" address=vps.mydomain.tld profile=vps-client-profile
     exchange-mode=ike2 send-initial-contact=yes
[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
 #     P  TUN  SRC-ADDRESS
 0 TX*         ::/0
 1 T           ::/0
 2 DA  v  yes  10.10.10.2/32
[admin@MikroTik] > /ip ipsec proposal print
Flags: X - disabled, * - default
 0 * name="default" auth-algorithms=sha256,sha1
     enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des
     lifetime=30m pfs-group=modp1024
 1   name="vps-client-proposal" auth-algorithms=sha256,sha1
     enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des
     lifetime=30m pfs-group=modp1024
[admin@MikroTik] > /ip ipsec settings print
  xauth-use-radius: no
        accounting: yes
    interim-update: 0s
[admin@MikroTik] > /ip ipsec statistics print
                 in-errors: 0
          in-buffer-errors: 0
          in-header-errors: 0
              in-no-states: 0
  in-state-protocol-errors: 0
      in-state-mode-errors: 0
  in-state-sequence-errors: 0
          in-state-expired: 0
       in-state-mismatches: 0
          in-state-invalid: 0
    in-template-mismatches: 187
            in-no-policies: 0
         in-policy-blocked: 0
          in-policy-errors: 0
                out-errors: 0
         out-bundle-errors: 0
   out-bundle-check-errors: 0
             out-no-states: 274
 out-state-protocol-errors: 0
     out-state-mode-errors: 987
 out-state-sequence-errors: 0
         out-state-expired: 0
        out-policy-blocked: 0
           out-policy-dead: 0
         out-policy-errors: 0