
Some notes on RouterOS IPsec IKEv2, recorded here for reference

2020-07-25 23:31:52  Reads: 674  Source: Internet

Tags: group name certificate ikev2 routeros server add ipsec


Original videos:

https://www.youtube.com/watch?v=Urkr46gwGQs

https://www.youtube.com/watch?v=7qApFFtSxrY

https://www.youtube.com/watch?v=ISH6OiK2lMY

Related script:

https://docs.google.com/document/d/14k5KOplh6xoDkmOYnJyF6fGBkCXX1tQqPjWLgS2e2h8/edit

Tested successfully on RouterOS v6.45.6

 

Command line


Certificate section:


CA (issuing authority)

/certificate add name=my.ca common-name=my.ca days-valid=3650 key-usage=key-cert-sign,crl-sign,digital-signature,data-encipherment,key-encipherment trusted=yes

Sign it (self-signed)

/certificate sign my.ca

Export the CA certificate

/certificate export-certificate my.ca



Server certificate

/certificate add name=server common-name=server subject-alt-name=DNS:server days-valid=3650 key-usage=digital-signature,tls-server

Sign it with the CA

/certificate sign server ca=my.ca

Mark the certificate as trusted

/certificate set trusted=yes server



Multiple client certificates (one per device)

/certificate add name=ios common-name=ios subject-alt-name=DNS:ios days-valid=3650 key-usage=digital-signature,tls-client

Sign it with the CA

/certificate sign ios ca=my.ca

Mark the certificate as trusted

/certificate set trusted=yes ios

Export the certificate (PKCS#12 bundle with the private key)

/certificate export-certificate ios export-passphrase=12345678 type=pkcs12


/certificate add name=pad common-name=pad subject-alt-name=DNS:pad days-valid=3650 key-usage=digital-signature,tls-client

Sign it with the CA

/certificate sign pad ca=my.ca

Mark the certificate as trusted

/certificate set trusted=yes pad

Export the certificate

/certificate export-certificate pad export-passphrase=12345678 type=pkcs12


/certificate add name=mac common-name=mac subject-alt-name=DNS:mac days-valid=3650 key-usage=digital-signature,tls-client

Sign it with the CA

/certificate sign mac ca=my.ca

Mark the certificate as trusted

/certificate set trusted=yes mac

Export the certificate

/certificate export-certificate mac export-passphrase=12345678 type=pkcs12


/certificate add name=android common-name=android subject-alt-name=DNS:android days-valid=3650 key-usage=digital-signature,tls-client

Sign it with the CA

/certificate sign android ca=my.ca

Mark the certificate as trusted

/certificate set trusted=yes android

Export the certificate

/certificate export-certificate android export-passphrase=12345678 type=pkcs12






IKEv2 section:


Create the IKEv2 address pool

/ip pool add name=ikev2-pool ranges=192.168.89.225-192.168.89.238


mode-config configuration (addresses and DNS pushed to clients)

/ip ipsec mode-config add name=ikev2-cfg address-pool=ikev2-pool address-prefix-length=28 static-dns=192.168.50.1 system-dns=no


Create a policy group

/ip ipsec policy group add name=ikev2-group


Create a proposal

/ip ipsec proposal add name=ipkev2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=1d pfs-group=none


Create a policy template

/ip ipsec policy add src-address=0.0.0.0/0 dst-address=192.168.89.224/28 protocol=all template=yes group=ikev2-group action=encrypt ipsec-protocols=esp proposal=ipkev2-proposal  comment=ikev2-Policy


Create a profile

/ip ipsec profile add name=ikev2-profile hash-algorithm=sha256 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5


Create a peer

/ip ipsec peer add address=0.0.0.0/0 exchange-mode=ike2 profile=ikev2-profile name=ikev2-peer



Create one identity per client certificate

/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=ios generate-policy=port-strict policy-template-group=ikev2-group comment=--ios--


/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=pad generate-policy=port-strict policy-template-group=ikev2-group comment=--pad--


/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=mac generate-policy=port-strict policy-template-group=ikev2-group comment=--mac--


/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=android generate-policy=port-strict policy-template-group=ikev2-group comment=--android--
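An added example, not part of the original notes or of RouterOS itself: it rebuilds the same PKI (my.ca, server, and the four client certificates) with Python's cryptography library, exports each the way export-certificate type=pkcs12 does, and checks what the identity entries above (match-by=certificate remote-certificate=<name>) rely on: a signature from my.ca, the tls-client key usage (EKU clientAuth), and a SAN naming exactly that device. EC keys and all function names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def make_cert(name, eku, issuer=None):
    """CN=name, SAN DNS:name, 3650 days (page's /certificate add + sign); issuer=None -> self-signed CA. EC keys assumed for speed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    signer, issuer_name = (key, subject) if issuer is None else (issuer[0], issuer[1].subject)
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=issuer is None, path_length=None), critical=True)
               .add_extension(x509.SubjectAlternativeName([x509.DNSName(name)]), critical=False))
    if eku is not None:  # RouterOS key-usage tls-server / tls-client is EKU serverAuth / clientAuth
        builder = builder.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    return key, builder.sign(signer, hashes.SHA256())

def check_client_bundle(p12_bytes, passphrase, ca_cert, expected_name):
    """What `identity add match-by=certificate remote-certificate=<name>` relies on: the cert
    chains to my.ca, carries clientAuth (tls-client) and names exactly this device."""
    _, cert, _ = pkcs12.load_key_and_certificates(p12_bytes, passphrase)
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (cert.issuer == ca_cert.subject and ExtendedKeyUsageOID.CLIENT_AUTH in eku
            and san.get_values_for_type(x509.DNSName) == [expected_name])

def demo(passphrase=b"12345678"):
    # Rebuild the page's PKI, export each cert as PKCS#12 (as export-certificate type=pkcs12 does), check it.
    ca_key, ca_cert = make_cert("my.ca", None)
    subjects = [("server", ExtendedKeyUsageOID.SERVER_AUTH)]
    subjects += [(c, ExtendedKeyUsageOID.CLIENT_AUTH) for c in ("ios", "pad", "mac", "android")]
    results = {}
    for name, eku in subjects:
        key, cert = make_cert(name, eku, (ca_key, ca_cert))
        p12 = pkcs12.serialize_key_and_certificates(
            name.encode(), key, cert, [ca_cert], serialization.BestAvailableEncryption(passphrase))
        results[name] = check_client_bundle(p12, passphrase, ca_cert, name)
    return results  # {'server': False, 'ios': True, 'pad': True, 'mac': True, 'android': True}
```

The server bundle fails the client check on purpose: a tls-server certificate must not be accepted where a tls-client one is expected.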

 

Source: https://www.cnblogs.com/itfat/p/13378793.html
