[VPN] 使用IPSec Xauth PSK 翻網

gfx86674

Mikrotik官網提這是Road Warrior服務,直白一點其實是手機的IPSec Xauth PSK.
RouterOS v6.12開始支援手機,但用的人似乎不多...

多一種VPN選擇,有興趣的參考看看.

若原先已在主機設定L2TP over IPSec Server,得先關閉其下的IPSec ,
透過UDP Port:500 連進RouterOS ,主機才不會分不清封包是IPSec Xauth 或L2TP over IPSec.

另外sha1 /aes-128 cbc 加密需啟用才行.


接下來無需繁雜的設定,直接匯入即可.

1. /ip pool
   
2. add name=IPSec_Xauth ranges=172.19.15.0/24
   
3. 
   
4. /ip ipsec mode-config
   
5. add address-pool=IPSec_Xauth address-prefix-length=24 \
   
6. name="IPSec_Xauth (Android)" split-include=0.0.0.0/0
   
7. 
   
8. /ip ipsec policy group
   
9. add name="IPSec_Xauth (Android)"
   
10. 
    
11. /ip ipsec policy
    
12. add comment="IPSec_Xauth (Android)" dst-address=0.0.0.0/0 \
    
13. group="IPSec_Xauth (Android)" src-address=172.19.15.0/24 template=yes
    
14. 
    
15. /ip ipsec peer
    
16. add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (Android)" \
    
17. enc-algorithm=aes-128 generate-policy=port-strict \
    
18. mode-config="IPSec_Xauth (Android)" \
    
19. passive=yes policy-template-group="IPSec_Xauth (Android)" secret=abc1234
    
20. 
    
21. /ip firewall mangle
    
22. add action=change-mss chain=forward dst-address=172.19.15.0/30 new-mss=\
    
23.     clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn
    
24. add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=no \
    
25.     protocol=tcp src-address=172.19.15.0/30 tcp-flags=syn

複製代碼

172.19.15.0/24 是您個人的VPN網域  ,secret=abc1234則是您的個人預先共用金鑰 ,可自訂:

至於用戶 帳號/密碼,則可在這新增:


Android手機:
  

角色

CHing，你真厉害！想问一下你用了RouterOS多久呢？

gfx86674

2013年5月開始吧,
買了RB450G後即在此註冊帳號,並開始學習RouterOS.

fems

多个选择，谢谢分享

ckleea

請問你用host name to access ? 我只能方放lP才可以連接。

gfx86674

回復 5# ckleea
都可以,範例我是用host-name連接.

ckleea

回復 6# gfx86674


    奇怪，我的不行。你的ROS版本是那個？

ckleea

你有沒有做一個給lOS？

gfx86674

回復 8# ckleea
ios 6.x 可以!!

ckleea

回復 9# gfx86674

Thanks. After I revert back to 6.29.1, I can use hostname to login

gfx86674

回復  gfx86674
Thanks. After I revert back to 6.29.1, I can use hostname to login
ckleea 發表於 2015-8-2 07:17

iOS與Android設定有一點點不同 ,若iOS直接連接Android設定,
連線後可以讀取您Server的區域網路 ,但無法翻網.

若您有上官網查尋Road Warrior (xauth) setup相關,會有這段解釋:


但真的無解嗎? 未必然...
把0.0.0.0/0 拆成兩個網段, 0.0.0.0/1與128.0.0.0/1 ,
連線時再同時掛上,問題即刻就解決囉!!

所以匯入:

1. /ip ipsec mode-config
   
2. add address-pool=xauth-pool address-prefix-length=24 \
   
3. name="xauth(ios)" send-dns=no split-include=0.0.0.0/1,128.0.0.0/1
   
4. 
   
5. /ip ipsec policy group
   
6. add name="xauth(ios)"
   
7. 
   
8. /ip ipsec proposal
   
9. add lifetime=8h name=xauth pfs-group=none
   
10. 
    
11. /ip ipsec peer
    
12. add auth-method=pre-shared-key-xauth comment="Xauth(ios)" \
    
13.     enc-algorithm=aes-128 generate-policy=port-strict lifetime=8h \
    
14.     local-address=123.123.123.123 mode-config="xauth(ios)" \
    
15.     nat-traversal=no passive=yes policy-template-group="xauth(ios)" \
    
16.     secret=abc1234
    
17. 
    
18. /ip ipsec policy
    
19. add comment="xauth(ios)" dst-address=0.0.0.0/1 group="xauth(ios)" \
    
20.     proposal=xauth src-address=172.19.15.0/30 template=yes
    
21. add comment="xauth(ios)" dst-address=128.0.0.0/1 group="xauth(ios)" \
    
22.     proposal=xauth src-address=172.19.15.0/30 template=yes
    
23. 
    
24. /ip pool
    
25. add name=xauth-pool ranges=172.19.15.1-172.19.15.2

複製代碼

iOS就可用Xauth PSK翻網囉

ckleea

回復 11# gfx86674


謝謝分享，終於將你的script整理成一個單一script for Android & IOS 手機

1. /ip pool
   
2. add name=IPSec_Xauth ranges=172.19.15.0/24
   
3. 
   
4. /ip ipsec mode-config
   
5. add address-pool=IPSec_Xauth address-prefix-length=24 \
   
6. name="IPSec_Xauth (Android)" split-include=0.0.0.0/0
   
7. 
   
8. /ip ipsec policy group
   
9. add name="IPSec_Xauth (Android)"
   
10. 
    
11. /ip ipsec policy
    
12. add comment="IPSec_Xauth (Android)" dst-address=0.0.0.0/0 \
    
13. group="IPSec_Xauth (Android)" src-address=172.19.15.0/24 template=yes
    
14. 
    
15. /ip ipsec peer
    
16. add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (Android)" \
    
17. enc-algorithm=aes-128 generate-policy=port-strict \
    
18. mode-config="IPSec_Xauth (Android)" \
    
19. passive=yes policy-template-group="IPSec_Xauth (Android)" secret=abcde1234
    
20. 
    
21. /ip firewall mangle
    
22. add action=change-mss chain=forward dst-address=172.19.15.0/30 new-mss=\
    
23.     clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn
    
24. add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=no \
    
25.     protocol=tcp src-address=172.19.15.0/30 tcp-flags=syn
    
26. 
    
27. /ip ipsec mode-config
    
28. add address-pool=IPSec_Xauth address-prefix-length=24 \
    
29. name="IPSec_Xauth (IOS)" send-dns=no split-include=0.0.0.0/1,128.0.0.0/1
    
30. 
    
31. /ip ipsec policy group
    
32. add name="IPSec_Xauth (IOS)"
    
33. 
    
34. /ip ipsec proposal
    
35. add lifetime=8h name=xauth pfs-group=none
    
36. 
    
37. /ip ipsec peer
    
38. add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (IOS)" \
    
39.     enc-algorithm=aes-128 generate-policy=port-strict lifetime=8h \
    
40.     local-address=123.123.123.123 mode-config="IPSec_Xauth (IOS)" \
    
41.     nat-traversal=no passive=yes policy-template-group="IPSec_Xauth (IOS)" \
    
42.     secret=abcde1234
    
43. 
    
44. /ip ipsec policy
    
45. add comment="IPSec_Xauth (IOS)" dst-address=0.0.0.0/1 group="IPSec_Xauth (IOS)" \
    
46.     proposal=xauth src-address=172.19.15.0/30 template=yes
    
47. add comment="IPSec_Xauth (IOS)" dst-address=128.0.0.0/1 group="IPSec_Xauth (IOS)" \
    
48.     proposal=xauth src-address=172.19.15.0/30 template=yes

複製代碼

請問 " local-address=123.123.123.123"的意思是甚麼?

gfx86674

回復  gfx86674


謝謝分享，終於將你的script整理成一個單一script for Android & IOS 手機請問 " local ...
ckleea 發表於 2015-9-5 08:29

您分享器對外的public-address ,
因為每個人使用的address都不同,所以用123.123.123.123代替.

ckleea

回復 13# gfx86674

謝謝。

請問你是否android and IOS 共用？。
我的iPhone sometimes work, IPad not works at all

同時，我亦加入IPSec site to site policies, 會有影響？

gfx86674

回復 14# ckleea
不要混用,您可以同時新增iOS/Android兩種設定. 但兩者設定不要同時開,會有問題.