Tunnelling Internet traffic with IPSec Xauth PSK
[i=s] This post was last edited by gfx86674 on 2015-3-3 11:07 [/i][img]http://i.imgur.com/iSydlng.png[/img]
The Mikrotik site describes this as the [url=http://wiki.mikrotik.com/wiki/Manual:IP/IPsec]Road Warrior[/url] service; put plainly, it is the [color=Red]IPSec Xauth PSK[/color] found on phones.
RouterOS has supported phones since v6.12, but few people seem to use it...
[color=Blue]It is one more VPN option; have a look if you are interested.[/color]
If you have already set up an L2TP over IPSec server on the router, you must first disable the IPSec under it:
both come into RouterOS through UDP port 500, and otherwise the router cannot tell whether a packet belongs to IPSec Xauth or to L2TP over IPSec.
In addition, [color=Red]sha1[/color] / [color=Red]aes-128 cbc[/color] must be enabled as the encryption settings.
[img]http://i.imgur.com/uHjiSEy.png[/img]
Next, no complicated setup is needed; just import the following directly.[code]/ip pool
add name=IPSec_Xauth ranges=172.19.15.0/24
/ip ipsec mode-config
add address-pool=IPSec_Xauth address-prefix-length=24 \
name="IPSec_Xauth (Android)" split-include=0.0.0.0/0
/ip ipsec policy group
add name="IPSec_Xauth (Android)"
/ip ipsec policy
add comment="IPSec_Xauth (Android)" dst-address=0.0.0.0/0 \
group="IPSec_Xauth (Android)" src-address=172.19.15.0/24 template=yes
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (Android)" \
enc-algorithm=aes-128 generate-policy=port-strict \
mode-config="IPSec_Xauth (Android)" \
passive=yes policy-template-group="IPSec_Xauth (Android)" secret=abc1234
/ip firewall mangle
add action=change-mss chain=forward dst-address=172.19.15.0/30 new-mss=\
clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=no \
protocol=tcp src-address=172.19.15.0/30 tcp-flags=syn
[/code]172.19.15.0/24 is your private VPN subnet, and secret=abc1234 is your [color=Red]personal pre-shared key[/color]; both can be customised:
User accounts/passwords can be added here:
[img]http://i.imgur.com/dWzYbUx.png[/img]
Android phone:
[img]http://i.imgur.com/cOoXXRz.png[/img] [img]http://i.imgur.com/4mUsak5.png[/img]
CHing, you are amazing! May I ask how long you have been using RouterOS?
[i=s] This post was last edited by gfx86674 on 2015-1-7 15:43 [/i]
Since about May 2013,
after buying an RB450G I registered an account here and started learning RouterOS.
One more option, thanks for sharing.
May I ask whether you use a host name to access it? I can only connect when I put in the IP.
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41679&ptid=6506]5#[/url] [i]ckleea[/i] [/b]
Either works; in the example I connected with a host-name.
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41680&ptid=6506]6#[/url] [i]gfx86674[/i] [/b]
Strange, mine doesn't work. Which ROS version are you on? Have you made one for iOS?
[i=s] This post was last edited by gfx86674 on 2015-8-5 11:29 [/i]
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41683&ptid=6506]8#[/url] [i]ckleea[/i] [/b]
iOS 6.x works!!
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41684&ptid=6506]9#[/url] [i]gfx86674[/i] [/b]
Thanks. After I reverted back to 6.29.1, I can use the hostname to log in.
[quote]Reply gfx86674
Thanks. After I reverted back to 6.29.1, I can use the hostname to log in.
[size=2][color=#999999]ckleea posted on 2015-8-2 07:17[/color] [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41686&ptid=6506][img]http://www.telecom-cafe.com/forum/images/common/back.gif[/img][/url][/size][/quote]
The iOS and Android settings differ slightly: if iOS connects using the Android settings as they are,
after connecting it can reach your server's LAN but cannot tunnel Internet traffic.
If you look up the Road Warrior (xauth) setup on the official site, you will find this explanation:
[attach]3670[/attach]
But is it really unsolvable? Not necessarily...
Split [color=Red]0.0.0.0/0[/color] into two ranges, [color=Blue]0.0.0.0/1[/color] and [color=Blue]128.0.0.0/1[/color],
and push both at connection time; that solves the problem right away!!
So import:[code]/ip ipsec mode-config
add address-pool=xauth-pool address-prefix-length=24 \
name="xauth(ios)" send-dns=no split-include=0.0.0.0/1,128.0.0.0/1
/ip ipsec policy group
add name="xauth(ios)"
/ip ipsec proposal
add lifetime=8h name=xauth pfs-group=none
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="Xauth(ios)" \
enc-algorithm=aes-128 generate-policy=port-strict lifetime=8h \
local-address=123.123.123.123 mode-config="xauth(ios)" \
nat-traversal=no passive=yes policy-template-group="xauth(ios)" \
secret=abc1234
/ip ipsec policy
add comment="xauth(ios)" dst-address=0.0.0.0/1 group="xauth(ios)" \
proposal=xauth src-address=172.19.15.0/30 template=yes
add comment="xauth(ios)" dst-address=128.0.0.0/1 group="xauth(ios)" \
proposal=xauth src-address=172.19.15.0/30 template=yes
/ip pool
add name=xauth-pool ranges=172.19.15.1-172.19.15.2
[/code]Now iOS can tunnel Internet traffic through Xauth PSK too.
[attach]3671[/attach]
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41687&ptid=6506]11#[/url] [i]gfx86674[/i] [/b]
Thanks for sharing. I finally merged your scripts into a single script for Android & iOS phones:[code]/ip pool
add name=IPSec_Xauth ranges=172.19.15.0/24
/ip ipsec mode-config
add address-pool=IPSec_Xauth address-prefix-length=24 \
name="IPSec_Xauth (Android)" split-include=0.0.0.0/0
/ip ipsec policy group
add name="IPSec_Xauth (Android)"
/ip ipsec policy
add comment="IPSec_Xauth (Android)" dst-address=0.0.0.0/0 \
group="IPSec_Xauth (Android)" src-address=172.19.15.0/24 template=yes
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (Android)" \
enc-algorithm=aes-128 generate-policy=port-strict \
mode-config="IPSec_Xauth (Android)" \
passive=yes policy-template-group="IPSec_Xauth (Android)" secret=abcde1234
/ip firewall mangle
add action=change-mss chain=forward dst-address=172.19.15.0/30 new-mss=\
clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=no \
protocol=tcp src-address=172.19.15.0/30 tcp-flags=syn
/ip ipsec mode-config
add address-pool=IPSec_Xauth address-prefix-length=24 \
name="IPSec_Xauth (IOS)" send-dns=no split-include=0.0.0.0/1,128.0.0.0/1
/ip ipsec policy group
add name="IPSec_Xauth (IOS)"
/ip ipsec proposal
add lifetime=8h name=xauth pfs-group=none
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (IOS)" \
enc-algorithm=aes-128 generate-policy=port-strict lifetime=8h \
local-address=123.123.123.123 mode-config="IPSec_Xauth (IOS)" \
nat-traversal=no passive=yes policy-template-group="IPSec_Xauth (IOS)" \
secret=abcde1234
/ip ipsec policy
add comment="IPSec_Xauth (IOS)" dst-address=0.0.0.0/1 group="IPSec_Xauth (IOS)" \
proposal=xauth src-address=172.19.15.0/30 template=yes
add comment="IPSec_Xauth (IOS)" dst-address=128.0.0.0/1 group="IPSec_Xauth (IOS)" \
proposal=xauth src-address=172.19.15.0/30 template=yes
[/code]May I ask what "local-address=123.123.123.123" means?
[quote]Reply gfx86674
Thanks for sharing. I finally merged your scripts into a single script for Android & iOS phones. May I ask what "local ...
[size=2][color=#999999]ckleea posted on 2015-9-5 08:29[/color] [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41787&ptid=6506][img]http://www.telecom-cafe.com/forum/images/common/back.gif[/img][/url][/size][/quote]
It is your router's external public address;
since everyone's address is different, 123.123.123.123 is used as a stand-in.
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41789&ptid=6506]13#[/url] [i]gfx86674[/i] [/b]
Thanks.
May I ask whether you run Android and iOS together?
My iPhone sometimes works; the iPad does not work at all.
Also, I have added IPSec site-to-site policies; would that affect it?
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41790&ptid=6506]14#[/url] [i]ckleea[/i] [/b]
Do not mix them. You can add both the iOS and Android configurations at the same time, but do not enable both at once, or there will be problems.
[attach]3698[/attach]
[attach]3699[/attach]
[attach]3700[/attach]
[attach]3701[/attach]
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41792&ptid=6506]15#[/url] [i]gfx86674[/i] [/b]
Thanks.
OP, I configured it following your method and it succeeded; iOS can connect, but there is one problem: the two clients cannot communicate with each other. user1 connects from an iOS client and user2 from Windows 7, and using an RDP client on iOS to connect to the Windows 7 remote desktop does not succeed. Adding a specific IP policy under policies does not work either.
[b]Reply [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=43056&ptid=6506]17#[/url] [i]vancho[/i] [/b]
It is an iOS version issue.
It is confirmed to work up to iOS 6 (32-bit); once iOS 7 switched the kernel to 64-bit it no longer runs properly.
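Added example (not from this thread, nor Mikrotik's own code): a small Python check of the policy templates and pools in the scripts above. It assumes the RouterOS rule that a generated policy needs a template in the peer's group whose src-address and dst-address both contain the client's requested selectors, and it shows that the 0.0.0.0/1 + 128.0.0.0/1 pair still covers all of IPv4 while the iOS templates' src-address 172.19.15.0/30 leaves most of a /24 pool with no matching template.

```python
import ipaddress

# Constructed from the thread's scripts: (src-address, dst-address) of each policy template.
ANDROID_TEMPLATES = [("172.19.15.0/24", "0.0.0.0/0")]
IOS_TEMPLATES = [("172.19.15.0/30", "0.0.0.0/1"), ("172.19.15.0/30", "128.0.0.0/1")]


def covers_all_ipv4(split_include):
    """True when the pushed split-include prefixes together cover the whole IPv4 space."""
    nets = [ipaddress.ip_network(p) for p in split_include]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets)) == 2 ** 32


def parse_pool(ranges):
    """Expand a RouterOS '/ip pool ranges=' value (CIDR or 'first-last') into host addresses."""
    if "-" in ranges:
        first, last = (ipaddress.ip_address(x) for x in ranges.split("-"))
        return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    return list(ipaddress.ip_network(ranges, strict=False).hosts())


def matching_template(templates, client_ip, dst):
    """First template whose selectors contain the client's proposed SA (assumed RouterOS rule:
    the requested src and dst subnets must both fit inside one template of the group)."""
    src = ipaddress.ip_network(client_ip)  # the client proposes its pool address as a /32
    dst_net = ipaddress.ip_network(dst)
    for t_src, t_dst in templates:
        if src.subnet_of(ipaddress.ip_network(t_src)) and dst_net.subnet_of(ipaddress.ip_network(t_dst)):
            return (t_src, t_dst)
    return None


def clients_without_template(pool_ranges, templates):
    """Pool addresses inside no template's src-address; those clients get no policy generated."""
    srcs = [ipaddress.ip_network(s) for s, _ in templates]
    return [str(a) for a in parse_pool(pool_ranges) if not any(a in s for s in srcs)]


if __name__ == "__main__":
    print(covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))                     # True
    print(matching_template(IOS_TEMPLATES, "172.19.15.1/32", "128.0.0.0/1"))  # second iOS template
    print(len(clients_without_template("172.19.15.0/24", IOS_TEMPLATES)))    # 251
```

With the merged script's /24 pool, only the first three clients land inside the /30 templates; a pool sized to the templates (as in the original iOS script, 172.19.15.1-172.19.15.2) avoids that mismatch.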