recently got the task to provide a VPNC-link to a group of users ... my MTik-arsenal came to mind
followed some older posts in the forum and got it running with v7.1beta1 (unfortunately not with a production release because of limits in the xauth implementation) *1)

I had no access to the remote VPN device [fritzbox], so the proposals, profiles and the local (key-id) that is used may differ between software and vendor versions [with Cisco VPN servers the key-id should be the group name].

*1) should also work with 6.48beta12 ... untested ... [What's new in 6.48beta12 (2020-Jul-06 13:33): ike1 - allow using "my-id" parameter with XAuth]
/ip firewall address-list
add address=192.168.222.0/24 list=fritzbox-nat-clients

/ip ipsec mode-config
add name=fritz-server responder=no src-address-list=fritzbox-nat-clients use-responder-dns=no

/ip ipsec policy group
add name=fritz-group

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des,des hash-algorithm=sha512 lifetime=8h name=fritzbox proposal-check=exact

/ip ipsec peer
add address=some-fritz-ddns-name.myfritz.net exchange-mode=aggressive local-address=192.168.222.170 name=some-fritz-ddns-name.myfritz.net profile=fritzbox

/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des,des lifetime=1h name=fritzbox \
    pfs-group=none

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=fritz-server my-id=key-id:userxyz notrack-chain=output password=******** peer=some-fritz-ddns-name.myfritz.net \
    policy-template-group=fritz-group remote-id=fqdn:some-fritz-ddns-name.myfritz.net secret=the-ipsec-psk username=userxyz

/ip ipsec policy
add dst-address=0.0.0.0/0 group=fritz-group proposal=fritzbox src-address=0.0.0.0/0 template=yes
The only external configuration needed is a route via the MTik device to the remote network for the local clients.
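As an added example (not part of the post above and not MikroTik code), a small Python audit that parses a RouterOS `/ip ipsec` export of the shape shown above and lists the settings a reviewer would want to tighten once the FritzBox side allows it: DES/3DES, MD5/SHA1, modp1024, aggressive mode and pfs-group=none. The parser, the weak-set definitions and the SAMPLE text (constructed from the post's config, shortened) are all assumptions of this example.

```python
"""Flag weak IKEv1/IPsec settings in a RouterOS '/ip ipsec' export (hypothetical helper)."""
import shlex

WEAK_ENC = {"des", "3des"}          # 64-bit block ciphers
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {"modp768", "modp1024"}   # MODP groups below 2048 bits

SAMPLE = """\
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des,des hash-algorithm=sha512 name=fritzbox

/ip ipsec peer
add address=some-fritz-ddns-name.myfritz.net exchange-mode=aggressive name=fritz profile=fritzbox

/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,3des,des name=fritzbox \\
    pfs-group=none
"""   # constructed from the post's config, trimmed to the relevant keys

def parse_export(text):
    """Return [(section, {key: value})] from '/ip ipsec ...' and 'add k=v ...' lines."""
    records, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # RouterOS line continuation
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            records.append((section, kv))
    return records

def audit(records):
    """Return one finding string per weak setting found."""
    out = []
    for section, kv in records:
        tag = f"{section.rsplit(' ', 1)[-1]} {kv.get('name', '?')}"
        if section == "/ip ipsec peer" and kv.get("exchange-mode") == "aggressive":
            out.append(f"{tag}: aggressive mode sends the identity unencrypted and weakens PSK protection")
        for key, bad in (("enc-algorithm", WEAK_ENC), ("enc-algorithms", WEAK_ENC),
                         ("auth-algorithms", WEAK_HASH), ("hash-algorithm", WEAK_HASH),
                         ("dh-group", WEAK_DH)):
            weak = sorted(bad & set(kv.get(key, "").split(",")))
            if weak:
                out.append(f"{tag}: weak {key} {weak}")
        if kv.get("pfs-group") == "none":
            out.append(f"{tag}: PFS disabled")
    return out
```

Run `audit(parse_export(open("export.rsc").read()))` against a real `/ip ipsec export` to get the same list for your own box.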