IPsec setup when both sides are on ADSL
Notes:
    192.168.111.0/24  LAN subnet of router ROS-A
    192.168.222.0/24  LAN subnet of router ROS-B
    A.dyndns.org      DDNS hostname of ROS-A's ADSL line
    B.dyndns.org      DDNS hostname of ROS-B's ADSL line
    pppoe-out1        the ADSL (PPPoE) dial-up interface

Tested successfully on RouterOS 5.12.
How the DDNS records are kept up to date is not covered here.
------------------------------------------------------------------------------------------------

Configuration on ROS-A [src is A, dst is B]:

/ip firewall nat add chain=srcnat src-address=192.168.111.0/24 dst-address=192.168.222.0/24 action=accept

# If a masquerade rule like this is already defined, there is no need to add it again. #
# The accept rule above must stay in front of it, so traffic to the other site is not masqueraded. #
# wan is ROS-A's WAN interface; it can also be replaced by the pppoe-out1 interface. #
/ip firewall nat add chain=srcnat out-interface=wan action=masquerade

# 1.1.1.1 stands for ROS-A's WAN IP
# 2.2.2.2 stands for ROS-B's WAN IP
# These placeholders are written first; the script below replaces them with the real IPs. #
/ip ipsec policy add src-address=192.168.111.0/24 dst-address=192.168.222.0/24 protocol=all tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2

# password is the pre-shared key. dpd-interval=0 disables DPD (Dead Peer Detection, which checks whether the peer is still alive); ADSL users are advised to disable it. #
/ip ipsec peer add address=2.2.2.2 secret=password nat-traversal=yes generate-policy=yes dpd-interval=0

Add the script that automatically corrects the IP addresses:

# Define local variable addr_dst1
:local addr_dst1

# Define local variable addr_src1
:local addr_src1

# Read ROS-B's WAN IP from the IPsec policy into addr_dst1  (get 0: the first policy entry) #
:set addr_dst1 [/ip ipsec policy get 0 sa-dst-address]

# Read ROS-A's WAN IP from the IPsec policy into addr_src1
:set addr_src1 [/ip ipsec policy get 0 sa-src-address]

# Resolve ROS-B's ADSL IP address; if it does not match the stored one #
:if ([:resolve B.dyndns.org] != $addr_dst1) do={

    # Update the remote WAN IP in the first /ip ipsec policy entry
    /ip ipsec policy set 0 sa-dst-address=[:resolve B.dyndns.org]

    # Update the remote WAN IP in the first /ip ipsec peer entry
    /ip ipsec peer set 0 address=[:resolve B.dyndns.org]

}

# Resolve our own ADSL IP address; if it does not match the stored one #
:if ([:resolve A.dyndns.org] != $addr_src1) do={

    # Update our own WAN IP in the first /ip ipsec policy entry
    /ip ipsec policy set 0 sa-src-address=[:resolve A.dyndns.org]

}

Configuration on ROS-B [src is B, dst is A]:

/ip firewall nat add chain=srcnat src-address=192.168.222.0/24 dst-address=192.168.111.0/24 action=accept

# If a masquerade rule like this is already defined, there is no need to add it again. #
# The accept rule above must stay in front of it, so traffic to the other site is not masqueraded. #
# wan is ROS-B's WAN interface; it can also be replaced by the pppoe-out1 interface. #
/ip firewall nat add chain=srcnat out-interface=wan action=masquerade

# 1.1.1.1 stands for ROS-A's WAN IP
# 2.2.2.2 stands for ROS-B's WAN IP
# These placeholders are written first; the script below replaces them with the real IPs. #
/ip ipsec policy add src-address=192.168.222.0/24 dst-address=192.168.111.0/24 protocol=all tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1

# password is the pre-shared key. dpd-interval=0 disables DPD (Dead Peer Detection, which checks whether the peer is still alive); ADSL users are advised to disable it. #
/ip ipsec peer add address=1.1.1.1 secret=password nat-traversal=yes generate-policy=yes dpd-interval=0
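The commands on this page only touch the NAT table. If the input chain of either router drops unsolicited WAN traffic by default (the usual state of an ADSL edge router), IKE and the encrypted payload never reach the IPsec stack and the peers do not negotiate. The rules below are an added example for both ROS-A and ROS-B, not part of the original page. They assume a default-drop input chain (the accept rules must sit above that drop rule) and that `wan` is the WAN interface, as in the NAT rules above; the comment texts are my own labels.

```routeros
# Added example (not from the original page): let the two IPsec endpoints talk to each other.
# Assumes an input chain that drops by default; place these rules above the drop rule.
# Replace in-interface=wan with pppoe-out1 if that is the WAN interface.
/ip firewall filter add chain=input in-interface=wan protocol=udp dst-port=500 action=accept comment="IKE"
/ip firewall filter add chain=input in-interface=wan protocol=udp dst-port=4500 action=accept comment="IPsec NAT-T"
/ip firewall filter add chain=input in-interface=wan protocol=ipsec-esp action=accept comment="ESP payload"

# Checks once both routers are configured and the IP-correcting script has run:
# remote-peers shows whether the IKE negotiation with the other side is established,
# installed-sa lists the ESP security associations for the two LAN subnets.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

If `remote-peers` stays empty, compare `sa-src-address`/`sa-dst-address` of the policy with the current PPPoE address on each side before looking at the firewall again; a stale address is the more common cause on ADSL.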

Add the script that automatically corrects the IP addresses:

# Define local variable addr_dst1
:local addr_dst1

# Define local variable addr_src1
:local addr_src1

# Read ROS-A's WAN IP from the IPsec policy into addr_dst1  (get 0: the first policy entry) #
:set addr_dst1 [/ip ipsec policy get 0 sa-dst-address]

# Read ROS-B's WAN IP from the IPsec policy into addr_src1
:set addr_src1 [/ip ipsec policy get 0 sa-src-address]

# Resolve ROS-A's ADSL IP address; if it does not match the stored one #
:if ([:resolve A.dyndns.org] != $addr_dst1) do={

    # Update the remote WAN IP in the first /ip ipsec policy entry
    /ip ipsec policy set 0 sa-dst-address=[:resolve A.dyndns.org]

    # Update the remote WAN IP in the first /ip ipsec peer entry
    /ip ipsec peer set 0 address=[:resolve A.dyndns.org]

}

# Resolve our own ADSL IP address; if it does not match the stored one #
:if ([:resolve B.dyndns.org] != $addr_src1) do={

    # Update our own WAN IP in the first /ip ipsec policy entry
    /ip ipsec policy set 0 sa-src-address=[:resolve B.dyndns.org]
}
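Both scripts above address the policy and the peer as entry `0`, which is whatever happens to be first in the list; the page also never shows how the script gets installed and run. The block below is an added example, not code from the original page, for ROS-A (for ROS-B swap the two hostnames and the tag). It assumes the policy and peer were tagged with the comment `to-B`, and the script and scheduler names `ipsec-ddns` are my own; everything else uses the same RouterOS commands as the page.

```routeros
# Added example (not from the original page). Same logic as the script above, but the
# policy and peer are found by a comment tag instead of position 0, so adding another
# policy or peer later cannot redirect the update to the wrong entry.

# --- on ROS-A, once, from the terminal: tag the entries created above ---
/ip ipsec policy set 0 comment="to-B"
/ip ipsec peer set 0 comment="to-B"

# --- body of the script /system script ipsec-ddns (assumed name; paste it as its source) ---
:local polId [/ip ipsec policy find comment="to-B"]
:local peerId [/ip ipsec peer find comment="to-B"]

# Resolve each name once, so policy and peer always receive the same answer.
# If DNS is unreachable, :resolve fails and the script aborts without touching anything.
:local newDst [:resolve B.dyndns.org]
:local newSrc [:resolve A.dyndns.org]

:if ($newDst != [/ip ipsec policy get $polId sa-dst-address]) do={
    /ip ipsec policy set $polId sa-dst-address=$newDst
    /ip ipsec peer set $peerId address=$newDst
    :log info ("ipsec-ddns: remote endpoint changed to " . $newDst)
}

:if ($newSrc != [/ip ipsec policy get $polId sa-src-address]) do={
    /ip ipsec policy set $polId sa-src-address=$newSrc
    :log info ("ipsec-ddns: local endpoint changed to " . $newSrc)
}

# --- from the terminal: run the script every minute ---
# An ADSL reconnect with a new address is then picked up within about a minute,
# and the log entries show when and to what the endpoints were changed.
/system scheduler add name=ipsec-ddns interval=1m on-event=ipsec-ddns
```

The `:log info` lines are what make a silent mismatch visible: if the tunnel drops and no "endpoint changed" entry appears in `/log print`, the DDNS record itself has not been updated yet, which is the part this page leaves to the reader.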

