電訊茶室's Archiver

gfx86674 posted on 2015-1-6 20:30

Using IPSec Xauth PSK to tunnel out

[i=s] This post was last edited by gfx86674 on 2015-3-3 11:07 [/i]

[img]http://i.imgur.com/iSydlng.png[/img]
The MikroTik wiki calls this the [url=http://wiki.mikrotik.com/wiki/Manual:IP/IPsec]Road Warrior[/url] setup; put plainly, it is the phone's [color=Red]IPSec Xauth PSK[/color].
RouterOS has supported phones this way since v6.12, but not many people seem to use it...

[color=Blue]One more VPN option; take a look if you are interested.[/color]

If you already have an L2TP over IPSec server set up on the router, you must first disable the IPsec part under it,
because both come into RouterOS through UDP port 500 and the router otherwise cannot tell whether a packet is IPSec Xauth or L2TP over IPSec.

Also, [color=Red]sha1[/color] / [color=Red]aes-128 cbc[/color] must be enabled for it to work.
[img]http://i.imgur.com/uHjiSEy.png[/img]

No complicated configuration is needed after that; just import the following.
[code]
# Address pool that mode-config hands out to connecting phones
/ip pool
add name=IPSec_Xauth ranges=172.19.15.0/24

# Mode-config: assign an address from the pool and push 0.0.0.0/0 so all client traffic enters the tunnel
/ip ipsec mode-config
add address-pool=IPSec_Xauth address-prefix-length=24 \
    name="IPSec_Xauth (Android)" split-include=0.0.0.0/0

# Policy group that ties the policy template below to the peer
/ip ipsec policy group
add name="IPSec_Xauth (Android)"

# Policy template: each client's dynamic policy is generated from it (see generate-policy on the peer)
/ip ipsec policy
add comment="IPSec_Xauth (Android)" dst-address=0.0.0.0/0 \
    group="IPSec_Xauth (Android)" src-address=172.19.15.0/24 template=yes

# Passive peer: pre-shared key plus XAuth user/password; secret= is the pre-shared key
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (Android)" \
    enc-algorithm=aes-128 generate-policy=port-strict \
    mode-config="IPSec_Xauth (Android)" \
    passive=yes policy-template-group="IPSec_Xauth (Android)" secret=abc1234

# Clamp TCP MSS for traffic to and from the VPN pool so ESP overhead does not cause fragmentation
# (matches the whole /24 pool, not only its first /30)
/ip firewall mangle
add action=change-mss chain=forward dst-address=172.19.15.0/24 new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn
add action=change-mss chain=forward src-address=172.19.15.0/24 new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn
[/code]
172.19.15.0/24 is your own VPN subnet, and secret=abc1234 is your [color=Red]personal pre-shared key[/color]; both can be customised:

User accounts/passwords can then be added here:
[img]http://i.imgur.com/dWzYbUx.png[/img]

Android phone:
[img]http://i.imgur.com/cOoXXRz.png[/img]  [img]http://i.imgur.com/4mUsak5.png[/img]

角色 posted on 2015-1-7 13:53

CHing, you're impressive! How long have you been using RouterOS?

gfx86674 posted on 2015-1-7 15:11

[i=s] This post was last edited by gfx86674 on 2015-1-7 15:43 [/i]

Since about May 2013.
I registered an account here right after buying an RB450G and started learning RouterOS.

fems posted on 2015-1-7 18:56

One more option; thanks for sharing.

ckleea posted on 2015-8-1 12:54

Do you connect using a host name? I can only connect by entering the IP.

gfx86674 posted on 2015-8-1 13:16

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41679&ptid=6506]5#[/url] [i]ckleea[/i] [/b]
Both work; in the example I connected with a host-name.

ckleea posted on 2015-8-1 15:52

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41680&ptid=6506]6#[/url] [i]gfx86674[/i] [/b]

Strange, mine doesn't work. Which ROS version are you on?

ckleea posted on 2015-8-1 15:53

Have you made one for iOS?

gfx86674 posted on 2015-8-1 16:14

[i=s] This post was last edited by gfx86674 on 2015-8-5 11:29 [/i]

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41683&ptid=6506]8#[/url] [i]ckleea[/i] [/b]
iOS 6.x works!!

ckleea posted on 2015-8-2 07:17

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41684&ptid=6506]9#[/url] [i]gfx86674[/i] [/b]

Thanks. After reverting back to 6.29.1, I can use the hostname to log in.

gfx86674 posted on 2015-8-2 22:06

[quote]Reply to gfx86674
Thanks. After reverting back to 6.29.1, I can use the hostname to log in.
[size=2][color=#999999]ckleea posted on 2015-8-2 07:17[/color][/size][/quote]
The iOS and Android settings differ slightly. If iOS connects with the Android configuration,
it can reach your server's LAN after connecting, but it cannot tunnel out to the Internet.

If you look up the Road Warrior (xauth) setup on the official wiki, you will find this explanation:
[attach]3670[/attach]

But is there really no solution? Not necessarily...
Split [color=Red]0.0.0.0/0[/color] into two ranges, [color=Blue]0.0.0.0/1[/color] and [color=Blue]128.0.0.0/1[/color],
and push both at connection time; the problem is solved right away!!

So import this:
[code]
# Pool first, so the mode-config below can reference it when imported
/ip pool
add name=xauth-pool ranges=172.19.15.1-172.19.15.2

# Mode-config for iOS: push 0.0.0.0/1 and 128.0.0.0/1 instead of 0.0.0.0/0
/ip ipsec mode-config
add address-pool=xauth-pool address-prefix-length=24 \
    name="xauth(ios)" send-dns=no split-include=0.0.0.0/1,128.0.0.0/1

/ip ipsec policy group
add name="xauth(ios)"

# Phase 2 proposal: no PFS, 8 hour lifetime
/ip ipsec proposal
add lifetime=8h name=xauth pfs-group=none

# local-address is the router's public IP; 123.123.123.123 is only a placeholder
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="Xauth(ios)" \
    enc-algorithm=aes-128 generate-policy=port-strict lifetime=8h \
    local-address=123.123.123.123 mode-config="xauth(ios)" \
    nat-traversal=no passive=yes policy-template-group="xauth(ios)" \
    secret=abc1234

# One policy template per half of the address space; src-address covers both pool addresses
/ip ipsec policy
add comment="xauth(ios)" dst-address=0.0.0.0/1 group="xauth(ios)" \
    proposal=xauth src-address=172.19.15.0/30 template=yes
add comment="xauth(ios)" dst-address=128.0.0.0/1 group="xauth(ios)" \
    proposal=xauth src-address=172.19.15.0/30 template=yes
[/code]
iOS can now tunnel out with Xauth PSK
[attach]3671[/attach]
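A small model of why the two /1 halves work, added here as an example and not code from the post, the MikroTik wiki or iOS: it treats route selection on the phone as longest-prefix match over the phone's own default route plus the split-include networks the router pushes. The one assumption, stated in the code, is that a pushed 0.0.0.0/0 cannot displace the phone's existing 0.0.0.0/0 (equal length, already installed), whereas 0.0.0.0/1 and 128.0.0.0/1 are both longer than /0 and together leave no address uncovered. OpenVPN's redirect-gateway def1 option uses the same split for the same reason. The probe addresses are made up.

```python
"""Why pushing 0.0.0.0/1 + 128.0.0.0/1 tunnels everything when 0.0.0.0/0 does not.

Added example; not code from the forum post or from MikroTik.  It models client
route selection as plain longest-prefix match over the phone's own routes plus
the split-include networks pushed by mode-config.  Assumption (not checked
against iOS source): a pushed route with the same prefix length as an existing
route does not replace it, so a pushed 0.0.0.0/0 loses to the phone's own
default route.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

ANY4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample of Internet destinations; any public addresses would do.
PROBES = ("8.8.8.8", "1.1.1.1", "203.0.113.7", "198.51.100.200")


def split_halves(net: str) -> list[str]:
    """Split a prefix into its two equal halves: 0.0.0.0/0 -> [0.0.0.0/1, 128.0.0.0/1]."""
    return [str(s) for s in ipaddress.ip_network(net).subnets(prefixlen_diff=1)]


def split_include(nets: Iterable[str]) -> str:
    """Render a RouterOS split-include value, replacing any /0 with its two /1 halves."""
    out: list[str] = []
    for net in nets:
        n = ipaddress.ip_network(net)
        out.extend(split_halves(net) if n.prefixlen == 0 else [str(n)])
    return ",".join(out)


def covers_everything(nets: Iterable[str]) -> bool:
    """True when the networks together cover all of IPv4 with no gap."""
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))
    return merged == [ANY4]


class RouteTable:
    """Longest-prefix match; on equal length the earlier-installed route wins."""

    def __init__(self) -> None:
        self.routes: list[tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, via: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        best: tuple[ipaddress.IPv4Network, str] | None = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else "unreachable"


def next_hops(pushed: Iterable[str]) -> dict[str, str]:
    """Where each probe goes once the VPN has pushed `pushed` as split-include."""
    rt = RouteTable()
    rt.add("0.0.0.0/0", "wan")        # the phone's own default route, installed first
    for net in pushed:
        rt.add(net, "tunnel")         # routes installed from mode-config split-include
    return {p: rt.lookup(p) for p in PROBES}


def all_tunnelled(pushed: Iterable[str]) -> bool:
    """True when every probe destination is routed into the tunnel."""
    return all(v == "tunnel" for v in next_hops(pushed).values())


if __name__ == "__main__":
    print("0.0.0.0/0 pushed:", next_hops(["0.0.0.0/0"]))
    print("halves pushed:  ", next_hops(split_halves("0.0.0.0/0")))
    print("split-include =", split_include(["0.0.0.0/0"]))
```

split_include() generalises the trick to any list of networks: a /0 in the list is replaced by its two halves and every other prefix is kept as written, so the same function produces the split-include value for a LAN-only split tunnel or a full tunnel.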

ckleea posted on 2015-9-5 08:29

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41687&ptid=6506]11#[/url] [i]gfx86674[/i] [/b]

Thanks for sharing; I have finally merged your scripts into a single script for Android & iOS phones.
[code]
# Shared address pool for both peers
/ip pool
add name=IPSec_Xauth ranges=172.19.15.0/24

# --- Android: push 0.0.0.0/0 ---
/ip ipsec mode-config
add address-pool=IPSec_Xauth address-prefix-length=24 \
    name="IPSec_Xauth (Android)" split-include=0.0.0.0/0

/ip ipsec policy group
add name="IPSec_Xauth (Android)"

/ip ipsec policy
add comment="IPSec_Xauth (Android)" dst-address=0.0.0.0/0 \
    group="IPSec_Xauth (Android)" src-address=172.19.15.0/24 template=yes

/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (Android)" \
    enc-algorithm=aes-128 generate-policy=port-strict \
    mode-config="IPSec_Xauth (Android)" \
    passive=yes policy-template-group="IPSec_Xauth (Android)" secret=abcde1234

# MSS clamping for the whole /24 pool
/ip firewall mangle
add action=change-mss chain=forward dst-address=172.19.15.0/24 new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn
add action=change-mss chain=forward src-address=172.19.15.0/24 new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn

# --- iOS: push the two /1 halves ---
/ip ipsec mode-config
add address-pool=IPSec_Xauth address-prefix-length=24 \
    name="IPSec_Xauth (IOS)" send-dns=no split-include=0.0.0.0/1,128.0.0.0/1

/ip ipsec policy group
add name="IPSec_Xauth (IOS)"

/ip ipsec proposal
add lifetime=8h name=xauth pfs-group=none

# local-address is the router's public IP; 123.123.123.123 is only a placeholder
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (IOS)" \
    enc-algorithm=aes-128 generate-policy=port-strict lifetime=8h \
    local-address=123.123.123.123 mode-config="IPSec_Xauth (IOS)" \
    nat-traversal=no passive=yes policy-template-group="IPSec_Xauth (IOS)" \
    secret=abcde1234

# Templates must cover the whole /24 pool the clients are assigned from,
# otherwise no dynamic policy is generated for clients outside the template
/ip ipsec policy
add comment="IPSec_Xauth (IOS)" dst-address=0.0.0.0/1 group="IPSec_Xauth (IOS)" \
    proposal=xauth src-address=172.19.15.0/24 template=yes
add comment="IPSec_Xauth (IOS)" dst-address=128.0.0.0/1 group="IPSec_Xauth (IOS)" \
    proposal=xauth src-address=172.19.15.0/24 template=yes
[/code]
What does " local-address=123.123.123.123" mean?
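One check worth running on a merged script like this, added here as an example and not code from the thread or from MikroTik: with generate-policy=port-strict the router builds each client's dynamic policy from the template whose src-address matches the address handed out from the mode-config pool, so a template narrower than the pool silently leaves some clients with no policy at all. The sample export inside is constructed with a /24 pool and /30 templates to show what the report looks like; REPLACE_ME stands in for the secret, and the parser covers only the export syntax used in this thread (section headers, `add key=value` lines, backslash continuations, quoted values).

```python
"""Check that every IPsec policy template covers the addresses its pool can hand out.

Added example; not code from the thread or from MikroTik.  A template whose
src-address is narrower than the mode-config pool leaves clients assigned
outside it without a dynamic policy.  Only the export syntax seen in the
posts is parsed: '/...' section headers, 'add key=value ...' lines,
backslash continuations and double-quoted values.
"""
from __future__ import annotations

import ipaddress
import shlex

# Constructed sample: a /24 pool but /30 policy templates (same shape as the merged script).
SAMPLE = r"""
/ip pool
add name=IPSec_Xauth ranges=172.19.15.0/24

/ip ipsec mode-config
add address-pool=IPSec_Xauth address-prefix-length=24 \
    name="IPSec_Xauth (IOS)" send-dns=no split-include=0.0.0.0/1,128.0.0.0/1

/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (IOS)" \
    enc-algorithm=aes-128 generate-policy=port-strict lifetime=8h \
    mode-config="IPSec_Xauth (IOS)" passive=yes \
    policy-template-group="IPSec_Xauth (IOS)" secret=REPLACE_ME

/ip ipsec policy
add comment="IPSec_Xauth (IOS)" dst-address=0.0.0.0/1 group="IPSec_Xauth (IOS)" \
    proposal=xauth src-address=172.19.15.0/30 template=yes
add comment="IPSec_Xauth (IOS)" dst-address=128.0.0.0/1 group="IPSec_Xauth (IOS)" \
    proposal=xauth src-address=172.19.15.0/30 template=yes
"""


def parse_rsc(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return (section, {key: value}) for every 'add' command in a RouterOS export."""
    entries: list[tuple[str, dict[str, str]]] = []
    section, pending = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):                 # continuation: join with the next line
            pending.append(line[:-1])
            continue
        full = " ".join(pending + [line])
        pending = []
        if full.startswith("/"):
            section = full
            continue
        tokens = shlex.split(full)              # handles name="IPSec_Xauth (IOS)"
        if tokens and tokens[0] == "add":
            entries.append((section, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)))
    return entries


def pool_bounds(ranges: str) -> list[tuple[int, int]]:
    """Integer (first, last) pairs for a pool 'ranges=' value: CIDR, a-b, or one address."""
    out = []
    for part in ranges.split(","):
        if "/" in part:
            net = ipaddress.ip_network(part, strict=False)
            out.append((int(net[0]), int(net[-1])))
        else:
            first, _, last = part.partition("-")
            out.append((int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last or first))))
    return out


def find_uncovered(text: str) -> list[str]:
    """Report templates whose src-address does not contain every address of the peer's pool."""
    entries = parse_rsc(text)

    def of(sec: str) -> list[dict[str, str]]:
        return [kv for s, kv in entries if s == sec]

    pools = {kv["name"]: pool_bounds(kv["ranges"]) for kv in of("/ip pool")}
    pool_of_cfg = {kv["name"]: kv["address-pool"] for kv in of("/ip ipsec mode-config")}
    problems = []
    for peer in of("/ip ipsec peer"):
        if "mode-config" not in peer:
            continue                            # hands out no addresses, nothing to check
        pool = pool_of_cfg[peer["mode-config"]]
        group = peer.get("policy-template-group", "default")
        for pol in of("/ip ipsec policy"):
            if pol.get("template") != "yes" or pol.get("group", "default") != group:
                continue
            src = ipaddress.ip_network(pol.get("src-address", "0.0.0.0/0"), strict=False)
            for lo, hi in pools[pool]:
                if lo < int(src[0]) or hi > int(src[-1]):
                    problems.append(
                        f"template {pol.get('comment', '?')!r}: src-address {src} does not cover "
                        f"pool {pool} ({ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)})")
    return problems


if __name__ == "__main__":
    for line in find_uncovered(SAMPLE) or ["all templates cover their pools"]:
        print(line)
```

Feed it the text of `/export` (or the script you are about to import) and fix any template it names before a client gets an address outside it; widening src-address to the pool's prefix, as in the merged script above, is the usual fix.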

gfx86674 posted on 2015-9-5 13:03

[quote]Reply to gfx86674

Thanks for sharing; I have finally merged your scripts into a single script for Android & iOS phones. What does " local ...
[size=2][color=#999999]ckleea posted on 2015-9-5 08:29[/color][/size][/quote]
It is your router's public-facing address.
Since everyone's address is different, 123.123.123.123 is used as a placeholder.

ckleea posted on 2015-9-5 14:21

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41789&ptid=6506]13#[/url] [i]gfx86674[/i] [/b]

Thanks.

Do you use the Android and iOS configurations together?
My iPhone sometimes works; the iPad doesn't work at all.

Also, I have added IPsec site-to-site policies; could that interfere?

gfx86674 posted on 2015-9-5 15:44

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41790&ptid=6506]14#[/url] [i]ckleea[/i] [/b]
Don't mix them. You can add both the iOS and Android configurations, but don't enable both at the same time; that causes problems.
[attach]3698[/attach]
[attach]3699[/attach]
[attach]3700[/attach]
[attach]3701[/attach]

ckleea posted on 2015-9-5 15:54

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=41792&ptid=6506]15#[/url] [i]gfx86674[/i] [/b]

Thanks.

vancho posted on 2016-8-17 21:39

OP, I followed your method and the configuration works: iOS can connect, but there is one problem: the two clients cannot talk to each other. user1 connects from an iOS client and user2 from Windows 7, and using an RDP client on iOS to reach the Windows 7 remote desktop fails. Adding a specific IP policy under policies doesn't help either.

gfx86674 posted on 2016-8-18 01:18

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=43056&ptid=6506]17#[/url] [i]vancho[/i] [/b]
It's an iOS version problem.
It definitely works on iOS 6 (32-bit) and earlier; since iOS 7 switched the kernel to 64-bit it no longer works properly.


Powered by Discuz! Archiver 7.2  © 2001-2009 Comsenz Inc.