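小狼 posted on 2010-7-13 22:07:58

IPsec succeeded, but there's a small problem

ros 3.30
IPSec
It did succeed, but both ends are DSL with dynamic IPs.
I wanted to add a comment to the rules in peer and policy, but found that the window doesn't even have the usual little yellow tag, and I can't add one from the command line either... Frustrating~~

Does anyone have a solution?

This is the line I'm currently using to change the local and remote IP:
/ip ipsec policy set src-address=$iplocal dst-address=$ipremote sa-src-address=$iplocal sa-dst-address=$ipremote
But if there are more policy rules later, what property do I use for find...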

小狼 posted on 2010-7-16 16:16:34

Ugh.

zhjchina posted on 2010-7-16 18:40:56

/ip ipsec policy set comment=
The command above can add a comment.

小狼 posted on 2010-7-20 01:49:13

> /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=113.224.44.54/32:any dst-address=116.2.32.63/32:any protocol=all
   action=encrypt level=require ipsec-protocols=esp tunnel=no
   sa-src-address=113.224.44.54 sa-dst-address=116.2.32.63 proposal=default
   priority=0
> /ip ipsec policy set 0 comment="test"
echo: system,info ipsec policy changed by wolf
> /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=113.224.44.54/32:any dst-address=116.2.32.63/32:any protocol=all
   action=encrypt level=require ipsec-protocols=esp tunnel=no
   sa-src-address=113.224.44.54 sa-dst-address=116.2.32.63 proposal=default
   priority=0
>
Strange, why doesn't it work for me...
ros 3.30 L6

mdctmk posted on 2010-7-23 14:35:30

For dynamic IPs, use a domain name.

However, ROS's IPsec still has some problems; connections behind NAT don't work quite right.
http://forum.mikrotik.com/viewtopic.php?f=2&t=33595
This issue still hasn't been resolved, even on 5.0b3.

It looks like the problem is in ipsec policy.

installed sa:
0 E spi=0x1C55FBB src-address=78.38.29.135 dst-address=78.153.66.123

generated policy:
0 D src-address=10.254.254.130/32:any dst-address=78.153.66.123/32:any (10.254.254.130 is the internal ip of the client behind NAT)

so the client properly encrypts the packets and when the RouterOS wants to reply to them, they fall out of ipsec policy and go out via default - public route.

This issue makes L2TP server with NAT-T impossible to use.

Hope it will get fixed soon.
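
The mismatch described in the quoted post above (a generated policy carrying the client's internal address while the installed SA carries its public NAT address) can be checked mechanically. The following Python is an added example, not part of the original thread or of RouterOS: the function names are hypothetical, the sample lines are constructed from the quote, and it assumes IPv4 and transport mode, where policy and SA endpoints should agree.

```python
import ipaddress

# Constructed sample input in the format of the forum quote above.
SA_PRINT = "0 E spi=0x1C55FBB src-address=78.38.29.135 dst-address=78.153.66.123\n"
POLICY_PRINT = "0 D src-address=10.254.254.130/32:any dst-address=78.153.66.123/32:any\n"

def parse_print(text):
    """Parse RouterOS 'print' output into dicts (index, flags, key=value fields)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        fields = dict(t.split("=", 1) for t in tok if "=" in t)
        if tok[0].isdigit():
            # Flags are the bare tokens between the index and the first key=value.
            flags = set()
            for t in tok[1:]:
                if "=" in t:
                    break
                flags.add(t)
            entries.append({"index": int(tok[0]), "flags": flags, **fields})
        elif entries and line[:1].isspace():
            entries[-1].update(fields)  # indented continuation line
    return entries

def host(value):
    """'10.254.254.130/32:any' -> IPv4Address('10.254.254.130') (IPv4 only)."""
    return ipaddress.ip_address(value.split(":")[0].split("/")[0])

def nat_mismatches(sas, policies):
    """Dynamic policies whose endpoint pair matches no installed SA.

    Assumes transport mode, where policy and SA endpoints should agree.
    """
    sa_pairs = {frozenset((host(s["src-address"]), host(s["dst-address"])))
                for s in sas}
    findings = []
    for p in policies:
        if "D" not in p["flags"]:
            continue
        src, dst = host(p["src-address"]), host(p["dst-address"])
        if frozenset((src, dst)) not in sa_pairs:
            findings.append({"policy": p["index"], "src": str(src), "dst": str(dst),
                             "private": [str(a) for a in (src, dst) if a.is_private]})
    return findings

if __name__ == "__main__":
    for f in nat_mismatches(parse_print(SA_PRINT), parse_print(POLICY_PRINT)):
        print("policy %(policy)d: %(src)s -> %(dst)s matches no SA; private: %(private)s" % f)
```

A finding whose `private` list is non-empty is the case from the quote: the policy was generated for an address behind NAT, so replies addressed to the public peer address will not match it.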

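小狼 posted on 2010-7-29 21:35:41

Reply to 5# mdctmk

I know about using a domain name. But the domain name can't be kept in the settings. For example, if the peer's IP changes, how do I update it with a script?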

ximeng posted on 2010-10-9 16:48:48

ROS's IPsec just doesn't work properly when NAT is involved. It's been this long and it still hasn't been fixed.

小狼 posted on 2010-10-9 23:26:20

Last time IPsec crashed my router... I'm never using IPsec again...

47771885 posted on 2010-10-9 23:28:54

Last time IPsec crashed my router... I'm never using IPsec again...
小狼 posted on 2010-10-9 23:26