 
Andreywys
just joined
Topic Author
Posts: 8
Joined: Sat Jul 07, 2018 3:05 pm

Dual WAN

Mon May 20, 2019 3:21 pm

Hello!
I tried to configure dual WAN so that both channels work together. Unfortunately, the Internet works only on the RT channel; the two channels do not work together. Could you help me find the problem? The configuration is attached.

Mikrotik CCR1009-7G-1C
6.44.1
# Interfaces: the LAN bridge, the physical ports, the PPPoE uplink ("RT") and
# the WAN/LAN interface lists that the firewall sections refer to.
/interface bridge
# arp=proxy-arp makes the bridge answer ARP on behalf of other hosts;
# protocol-mode=none turns spanning tree off on this bridge.
add arp=proxy-arp name=bridge-local protocol-mode=none
/interface ethernet
# combo1 carries the "RT" uplink (used by the PPPoE client below);
# ether1 is the "BAZANET" uplink. ether1-ether7 are set to 100Mbps.
set [ find default-name=combo1 ] comment=RT
set [ find default-name=ether1 ] comment=BAZANET speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
/interface pppoe-client
# NOTE(review): the PPPoE user and password appear in clear text in this
# export. Once an export has been shared, change the credentials; on
# RouterOS 6 `/export hide-sensitive` leaves such values out.
# NOTE(review): add-default-route is not set on this line, so whether this
# link installs a default route depends on that option's default and on
# /ip route, which is not visible in this part of the export - confirm.
add disabled=no interface=combo1 name=pppoe-rt password=szt use-peer-dns=yes \
    user=szt
/interface list
# Empty lists here; members are assigned under /interface list member.
add name=WAN
add name=LAN
# IPsec: policy group, phase-1 profiles, peers and phase-2 proposals.
/ip ipsec policy group
add name=group-main
/ip ipsec profile
# Phase-1 (IKE) parameters per peer profile.
# NOTE(review): modp1024 is a 1024-bit Diffie-Hellman group and is generally
# considered too small today; only the PVH profile uses modp2048 with sha256.
# hash-algorithm is not set on the default, LDK2 and compgroup profiles, so
# they use the RouterOS default (presumably sha1 - confirm). Stronger values
# have to be agreed with the remote side of each tunnel.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 name=LDK2
add dh-group=modp2048 hash-algorithm=sha256 name=PVH nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-128 name=compgroup
/ip ipsec peer
# All peers use IKEv2 (exchange-mode=ike2). compgroupMG and compgroupBAZA
# are disabled; compgroupRT, PVH and LDK2 are active.
add address=58.25.165.181/32 disabled=yes exchange-mode=ike2 name=compgroupMG \
    profile=compgroup
add address=65.98.246.143/32 exchange-mode=ike2 name=compgroupRT profile=compgroup
add address=66.88.199.65/32 exchange-mode=ike2 name=PVH profile=PVH
add address=66.88.198.44/32 disabled=yes exchange-mode=ike2 name=compgroupBAZA \
    profile=compgroup
add address=53.96.169.8/32 exchange-mode=ike2 name=LDK2 profile=LDK2
/ip ipsec proposal
# Phase-2 (ESP) proposals.
# NOTE(review): the default proposal still offers 3des, and its
# auth-algorithms value is not shown (RouterOS default applies). Policies
# that do not name a proposal presumably fall back to this default one -
# confirm, and drop 3des if no peer requires it.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ipsec-tunnel-sa
# Logging buffer, bridge membership, interface lists, PPTP server, LAN
# address, DHCP client on the second uplink, and DNS.
/system logging action
set 0 memory-lines=10000
/interface bridge port
# ether2-ether7 are the LAN ports; ether1 and combo1 stay outside the bridge.
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
/interface list member
# Both uplinks (pppoe-rt and ether1) are in WAN; the bridge is in LAN.
add interface=pppoe-rt list=WAN
add interface=ether1 list=WAN
add interface=bridge-local list=LAN
/interface pptp-server server
# NOTE(review): PPTP relies on MS-CHAPv2/MPPE, which is weak by current
# standards. The server's authentication and profile settings are not shown
# here (defaults apply). Prefer a VPN type with stronger cryptography and
# limit who may reach tcp/1723 in the input chain.
set enabled=yes
/ip address
add address=192.168.52.2/24 interface=bridge-local network=192.168.52.0
/ip dhcp-client
# add-default-route=no: the DHCP lease on ether1 does not install a default
# route. NOTE(review): traffic marked routeBAZA by the mangle rules therefore
# needs a manually added route with that routing mark; /ip route is not
# visible in this part of the export - confirm it exists.
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dns
# The router answers DNS queries from other hosts.
# NOTE(review): the input chain contains an accept rule without matchers
# ("allow connection from local networks"), so queries arriving on the WAN
# interfaces are accepted as well, which makes the router an open resolver
# unless that rule is narrowed to the LAN.
set allow-remote-requests=yes
/ip dns static
# Only the 172.17.0.5 record for jabber.compname.ru is active; the other
# entries are disabled.
add address=58.25.165.182 disabled=yes name=jabber.compname.ru
add address=172.17.0.5 name=jabber.compname.ru
add address=192.168.51.2 disabled=yes name=compnamesrv0.compname.local
add address=192.168.51.3 disabled=yes name=compnamesrv1.compname.local
add address=172.17.0.8 disabled=yes name=1csrv.compgroup.local
# Address lists referenced by the filter and mangle rules:
#   compgroup / LDK2 / PVH - remote networks reached through IPsec tunnels
#   compname               - the local site networks
#   Internal               - private ranges in use
#   BlockedSites           - sites blocked by the forward chain
#   AllowIP                - hosts exempt from the BlockedSites rule
#   bogons                 - reserved/private ranges (used as !bogons in mangle)
#   local                  - LAN and PPTP client subnets
/ip firewall address-list
add address=172.16.0.0/16 list=compgroup
add address=172.17.0.0/16 list=compgroup
add address=172.19.0.0/16 list=compgroup
add address=172.20.0.0/16 list=compgroup
add address=172.25.0.0/16 list=compgroup
add address=192.168.1.0/24 list=LDK2
add address=192.168.6.0/24 list=PVH
add address=192.168.4.0/24 list=compname
add address=192.168.10.0/24 list=compname
add address=192.168.50.0/24 list=compname
add address=192.168.51.0/24 list=compname
add address=192.168.52.0/24 list=compname
add address=192.168.53.0/24 list=compname
add address=192.168.55.0/24 list=compname
add address=192.168.56.0/24 list=compname
add address=192.168.100.0/24 list=compname
add address=192.168.8.0/24 list=compname
# Entries given as host names are resolved by the router into addresses.
# NOTE(review): blocking therefore works per resolved IP address, so it can
# miss addresses a site also uses and can hit other sites sharing an address.
add address=vk.com list=BlockedSites
add address=ok.ru list=BlockedSites
add address=mamba.ru list=BlockedSites
add address=odnoklassniki.ru list=BlockedSites
add address=love.mail.ru list=BlockedSites
add address=facebook.com list=BlockedSites
add address=instagram.com list=BlockedSites
add address=badoo.com list=BlockedSites
add address=flickr.com list=BlockedSites
add address=coub.com list=BlockedSites
add address=192.168.10.20 comment=Energetik list=AllowIP
add address=192.168.0.0/16 list=Internal
add address=172.16.0.0/16 list=Internal
add address=172.17.0.0/16 list=Internal
add address=172.19.0.0/16 list=Internal
add address=172.20.0.0/16 list=Internal
add address=172.25.0.0/16 list=Internal
add address=10.10.16.0/24 list=Internal
add address=192.168.5.0/24 list=compname
add address=10.10.16.0/24 list=compname
add address=192.168.54.0/24 list=compname
add address=detmir.ru list=BlockedSites
add address=vkuseraudio.ru list=BlockedSites
add address=vkontakte.ru list=BlockedSites
add address=192.168.50.147 comment=OIT list=AllowIP
add address=192.168.77.0/24 list=compname
add address=bonprix.ru list=BlockedSites
add address=iloveyou.ru list=BlockedSites
add address=razlozhi.ru list=BlockedSites
add address=youravon.com list=BlockedSites
# bogons: 172.16.0.0/12 and 192.168.0.0/16 cover the same private ranges as
# the compname/compgroup/Internal lists above. In this export the list is
# only used negated (dst-address-list=!bogons) by two output mangle rules.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=100.64.0.0/10 comment=RFC6890 list=bogons
add address=192.0.0.0/24 comment=RFC6890 list=bogons
add address=240.0.0.0/4 comment=RFC6890 list=bogons
add address=192.168.52.0/24 list=local
add address=192.168.5.0/24 list=local
add address=bugaga.ru list=BlockedSites
add address=spletnik.ru list=BlockedSites
add address=avito.ru disabled=yes list=BlockedSites
add address=auto.ru list=BlockedSites
add address=avto.ru list=BlockedSites
add address=ozon.ru list=BlockedSites
add address=kinoabc.ru list=BlockedSites
add address=kinoklub77.ru list=BlockedSites
# Firewall filter. Rules are evaluated top to bottom within each chain and
# the first matching accept/drop/reject decides the packet, so the order of
# the lines below is significant.
/ip firewall filter
# Single source address dropped on input.
add action=drop chain=input src-address=185.202.67.13
add action=accept chain=input comment="Allow ICMP input local" disabled=yes \
    protocol=icmp
add action=accept chain=forward comment="Allow ICMP input local" disabled=yes \
    protocol=icmp
# Resets TCP packets coming FROM BlockedSites addresses towards any
# destination that is not in AllowIP. It sits above the established/related
# accept, so reply traffic from those sites is matched too.
# log-prefix is set but log=yes is not, so presumably nothing is logged.
add action=reject chain=forward comment=BlockedSites dst-address-list=\
    !AllowIP log-prefix="Block sites" protocol=tcp reject-with=tcp-reset \
    src-address-list=BlockedSites
# Host 192.168.5.19 may only reach 192.168.77.0/24.
add action=drop chain=forward comment="drop comerc" dst-address=\
    !192.168.77.0/24 src-address=192.168.5.19
# Forwarding to 66.88.198.44 (the address of the disabled compgroupBAZA
# peer) is accepted from any source and for any protocol.
add action=accept chain=forward dst-address=66.88.198.44
# IKE (udp/500, udp/4500), ESP and AH are accepted from any source address.
# NOTE(review): the peers are fixed addresses under /ip ipsec peer, so these
# rules could be limited to those addresses.
add action=accept chain=input comment="Allow IKE" dst-port=500,4500 protocol=\
    udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="Allow established  input connections" \
    connection-state=established,related log-prefix="allow established"
add action=accept chain=forward comment="Allow established connections" \
    connection-state=established,related,untracked log-prefix=\
    "allow established"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# tcp/2060 to and from 192.168.10.20; pairs with the dst-nat rule under
# /ip firewall nat, which forwards that port from any WAN source.
add action=accept chain=forward comment="Vzliot Data collector forward" \
    dst-address=192.168.10.20 dst-port=2060 protocol=tcp
add action=accept chain=forward comment="Vzliot Data collector forward" \
    dst-port=2060 protocol=tcp src-address=192.168.10.20
# PPTP control channel (tcp/1723) and GRE are accepted from any source
# address, but only on pppoe-rt; there is no matching rule for ether1.
add action=accept chain=input comment="PPTP Server" dst-port=1723 \
    in-interface=pppoe-rt protocol=tcp
add action=accept chain=input in-interface=pppoe-rt protocol=gre
# 192.168.5.0/24 is treated as the PPTP client range (per the rule comments).
add action=accept chain=forward comment="Allow forward pptp" log-prefix=\
    "accept pptp" out-interface=bridge-local src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow forward pptp" dst-address=\
    192.168.5.0/24 log-prefix="accept pptp"
# Management from two fixed source addresses: 8291 (Winbox), 8728 (API,
# unencrypted) and 80 (WebFig over plain HTTP).
add action=accept chain=input comment="Allow connection to winbox" dst-port=\
    8291,8728,80 protocol=tcp src-address=58.25.165.182
add action=accept chain=input comment="Allow connection to winbox" dst-port=\
    8291,8728,80 protocol=tcp src-address=65.98.227.148
# NOTE(review): the next rule has no matcher at all, so it accepts every
# input packet that reaches it, from any interface including both WAN links,
# not only "local networks". All input rules below it (ICMP, drop invalid,
# "Drop all input") are never reached, and the source-address limits on the
# Winbox and PPTP rules above have no effect. To do what its comment says it
# needs a LAN matcher such as in-interface-list=LAN, plus an explicit accept
# for ipsec-policy=in,ipsec if tunnel peers must reach the router. Make the
# change from a session that cannot be locked out (e.g. Safe Mode).
add action=accept chain=input comment="allow connection from local networks"
add action=accept chain=forward comment="Allow DNS request forward" disabled=\
    yes dst-address-list=compname protocol=udp src-port=53
add action=accept chain=forward disabled=yes protocol=udp src-address-list=\
    compname src-port=53
add action=accept chain=input comment="Allow ICMP input local" in-interface=\
    bridge-local protocol=icmp
# LAN to either uplink is allowed.
add action=accept chain=forward comment="Allow forward from local network" \
    in-interface=bridge-local out-interface=pppoe-rt
add action=accept chain=forward comment="Allow forward from local network" \
    in-interface=bridge-local out-interface=ether1
# Site-to-site traffic between the local networks and the tunnel networks.
add action=accept chain=forward comment="Allow PVH" dst-address-list=compname \
    log-prefix="Allow PVH" src-address-list=PVH
add action=accept chain=forward comment="Allow PVH" dst-address-list=PVH \
    src-address-list=compname
add action=accept chain=forward comment="Allow compgroup" dst-address-list=compname \
    src-address-list=compgroup
add action=accept chain=forward comment="Allow compgroup" dst-address-list=compgroup \
    src-address-list=compname
add action=accept chain=forward comment="Allow forward between UCM compname LDK" \
    dst-address=192.168.1.15 src-address=192.168.55.2
add action=accept chain=forward comment="Allow forward between UCM compname LDK" \
    dst-address=192.168.55.2 src-address=192.168.1.15
add action=accept chain=forward comment=\
    "Allow forward 192.168.10.32 to LDK2 " dst-address-list=LDK2 src-address=\
    192.168.10.32
add action=accept chain=input comment="Allow ICMP input" disabled=yes \
    log-prefix=ping protocol=icmp
add action=accept chain=forward comment="Allow ICMP forward" disabled=yes \
    protocol=icmp
# Anything else towards LDK2 that was not accepted above is dropped.
add action=drop chain=forward comment="Drop forward to LDK2" \
    dst-address-list=LDK2 log-prefix=LDK2
# No forwarding between the two uplinks or back out of the same uplink.
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=pppoe-rt out-interface=pppoe-rt
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=ether1 out-interface=ether1
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=ether1 out-interface=pppoe-rt
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=pppoe-rt out-interface=ether1
# The two input rules below sit after the matcher-less input accept and
# therefore never see a packet; drop-invalid rules are normally placed near
# the top of a chain.
add action=drop chain=input comment="Drop invalid connection input" \
    connection-state=invalid
add action=drop chain=forward comment="Drop invalid connection forward" \
    connection-state=invalid
add action=drop chain=input comment="Drop all input" log-prefix="all drop"
# New connections from WAN that were not dst-nat'ed are dropped here; the
# last rule then drops every forward packet not accepted earlier.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all forward" log-prefix=\
    "all drop"
# Mangle rules for the dual-WAN setup: connections are marked by the uplink
# they arrive on, and packets of marked connections get a routing mark
# (routeRT or routeBAZA) so that replies leave through the same uplink.
# NOTE(review): the routes that use these routing marks are not visible in
# this part of the export - confirm that a default route exists for each of
# routeRT and routeBAZA.
/ip firewall mangle
# NOTE(review): the next two rules have the same matcher
# (ipsec-policy=in,ipsec) and passthrough=yes, so the second overwrites the
# mark written by the first; the in-interface rules further down then set
# the mark again according to the arrival interface.
add action=mark-connection chain=input comment="Mark IPSEC INRT" \
    ipsec-policy=in,ipsec log-prefix="Mark IPSEC" new-connection-mark=INRT \
    passthrough=yes
add action=mark-connection chain=input comment="Mark IPSEC INBAZA" \
    ipsec-policy=in,ipsec log-prefix="Mark IPSEC" new-connection-mark=INBAZA \
    passthrough=yes
# Traffic addressed to the router itself: mark by arrival interface (input),
# then route the router's replies out of the same uplink (output).
add action=mark-connection chain=input comment="Mark input INRT" \
    in-interface=pppoe-rt new-connection-mark=INRT passthrough=yes
add action=mark-routing chain=output comment="Mark output routeRT" \
    connection-mark=INRT new-routing-mark=routeRT passthrough=no
add action=mark-connection chain=input comment="Mark input INBAZA " \
    in-interface=ether1 new-connection-mark=INBAZA passthrough=yes
add action=mark-routing chain=output comment="Mark output routeBAZA" \
    connection-mark=INBAZA new-routing-mark=routeBAZA passthrough=no
# Forwarded traffic. The mark-connection rules match on in-interface only
# (no connection-state or connection-mark matcher), so every packet arriving
# on an uplink sets the mark, including replies to connections opened from
# the LAN. The first packet of a LAN-initiated connection carries no routing
# mark, so its uplink is chosen by the main routing table.
# NOTE(review): nothing here distributes new LAN connections between the two
# uplinks; if both are meant to carry outbound traffic, that selection has
# to come from additional marking rules or from /ip route.
add action=mark-connection chain=prerouting comment=\
    "Mark forward RT ForwardRT" in-interface=pppoe-rt new-connection-mark=\
    ForwardRT passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark routing ForwardRT routeRT" connection-mark=ForwardRT in-interface=\
    !pppoe-rt new-routing-mark=routeRT passthrough=no
add action=mark-connection chain=prerouting comment=\
    "Mark forward BAZA ForwardBAZA" in-interface=ether1 new-connection-mark=\
    ForwardBAZA passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark routing ForwardBAZA routeBAZA" connection-mark=ForwardBAZA \
    in-interface=!ether1 new-routing-mark=routeBAZA passthrough=no
# Router-originated packets are routed by their source address, except
# towards destinations in the bogons list (which includes the private
# ranges). log-prefix is set without log=yes.
# NOTE(review): the disabled compgroupBAZA IPsec policies in this export use
# sa-src-address=66.88.199.65, not 66.88.199.205 - confirm which address
# ether1 actually holds.
add action=mark-routing chain=output dst-address-list=!bogons log-prefix=\
    "Mark BAZA" new-routing-mark=routeBAZA passthrough=yes src-address=\
    66.88.199.205
add action=mark-routing chain=output dst-address-list=!bogons log-prefix=\
    "Mark RT" new-routing-mark=routeRT passthrough=yes src-address=\
    25.99.224.234
/ip firewall nat
# Source NAT for traffic leaving through either uplink. ipsec-policy=out,none
# excludes packets that match an IPsec policy, so tunnel traffic keeps its
# original source address.
add action=masquerade chain=srcnat comment="NAT WAN" ipsec-policy=out,none \
    log-prefix="NAT RT" out-interface-list=WAN
# Publishes tcp/2060 on both uplinks and forwards it to 192.168.10.20.
# NOTE(review): there is no src-address or src-address-list matcher, so the
# service is reachable from any Internet address; restrict it to the known
# senders if they are fixed.
add action=dst-nat chain=dstnat comment="Vzliot Data collector" dst-port=2060 \
    in-interface-list=WAN log-prefix="vzliot nat" protocol=tcp to-addresses=\
    192.168.10.20 to-ports=2060
# Raw table: notrack rules that would exempt traffic from the local subnets
# to 192.168.6.0/24 (PVH) and 192.168.1.0/24 (LDK2) from connection
# tracking. Every rule in this section is disabled, so none of them has any
# effect at present.
/ip firewall raw
# Local subnets -> 192.168.6.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.4.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.10.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.50.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.51.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.52.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.53.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.54.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.55.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.56.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=10.10.16.0/24
# Local subnets -> 192.168.1.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.4.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.10.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.50.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.51.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.52.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.53.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.54.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.55.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.56.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=10.10.16.0/24
# Connection-tracking helpers: every helper listed here is switched off.
# The pptp helper is not listed, so it presumably keeps its default state.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# IPsec identities: one secret per peer, all using policy group group-main.
# auth-method is not shown, so the default (presumably pre-shared key)
# applies.
# NOTE(review): the secrets appear in clear text in this export, are only
# 6-7 characters long, and compgroupRT and compgroupBAZA share the same
# value. Once an export has been shared, replace them on both ends of each
# tunnel with long random per-peer values; on RouterOS 6
# `/export hide-sensitive` leaves secrets out of the output.
/ip ipsec identity
add peer=PVH policy-template-group=group-main secret=\
    df3w4f
add peer=LDK2 policy-template-group=group-main secret=\
    "dsfsdef"
add peer=compgroupRT policy-template-group=group-main secret=23D6bg
add peer=compgroupBAZA policy-template-group=group-main secret=23D6bg
/ip ipsec policy
set 0 comment=Template group=group-main
add comment=compgroupRT16compnameRT4 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT16compnameRT10 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT16compnameRT50 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT16compnameRT51 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT16compnameRT52 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT16compnameRT53 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT16compnameRT54 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT16compnameRT55 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT16compnameRT56 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT16compnameRT77 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT17compnameRT5 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT17compnameRT4 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT17compnameRT10 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT17compnameRT50 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT17compnameRT51 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT17compnameRT52 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT17compnameRT53 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT17compnameRT54 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT17compnameRT55 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT17compnameRT56 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT17compnameRT77 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT19compnameRT5 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT19compnameRT4 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT19compnameRT10 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT19compnameRT50 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT19compnameRT51 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT19compnameRT52 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT19compnameRT53 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT19compnameRT54 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT19compnameRT55 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT19compnameRT56 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT19compnameRT77 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT20compnameRT5 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT20compnameRT4 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT20compnameRT10 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT20compnameRT50 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT20compnameRT51 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT20compnameRT52 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT20compnameRT53 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT20compnameRT54 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT20compnameRT55 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT20compnameRT56 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT20compnameRT77 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT25compnameRT5 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT25compnameRT4 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT25compnameRT10 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT25compnameRT50 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT25compnameRT51 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT25compnameRT52 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT25compnameRT53 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT25compnameRT54 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT25compnameRT55 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT25compnameRT56 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT25compnameRT77 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=PVHcompnameRT5 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=10.10.16.0/24 tunnel=yes
add comment=PVHcompnameRT4 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.4.0/24 tunnel=yes
add comment=PVHcompnameRTVPN dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.5.0/24 tunnel=yes
add comment=PVHcompnameRT10 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.10.0/24 tunnel=yes
add comment=PVHcompnameRT50 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.50.0/24 tunnel=yes
add comment=PVHcompnameRT51 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.51.0/24 tunnel=yes
add comment=PVHcompnameRT52 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.52.0/24 tunnel=yes
add comment=PVHcompnameRT53 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.53.0/24 tunnel=yes
add comment=PVHcompnameRT54 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.54.0/24 tunnel=yes
add comment=PVHcompnameRT55 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.55.0/24 tunnel=yes
add comment=PVHcompnameRT56 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.56.0/24 tunnel=yes
add comment=LDK2compname5 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=LDK2compname4 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=LDK2compname10 dst-address=192.168.1.0/24 level=unique sa-dst-address=\
    53.96.169.8 sa-src-address=25.99.224.234 src-address=192.168.10.0/24 \
    tunnel=yes
add comment=LDK2compname50 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=LDK2compname51 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=LDK2compname52 dst-address=192.168.1.0/24 level=unique sa-dst-address=\
    53.96.169.8 sa-src-address=25.99.224.234 src-address=192.168.52.0/24 \
    tunnel=yes
add comment=LDK2compname53 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=LDK2compname54 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=LDK2compname55 dst-address=192.168.1.0/24 level=unique sa-dst-address=\
    53.96.169.8 sa-src-address=25.99.224.234 src-address=192.168.55.0/24 \
    tunnel=yes
add comment=LDK2compname56 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA4 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA10 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA50 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA51 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA52 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA53 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA54 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA55 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA56 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA77 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA5 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA4 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA10 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA50 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA51 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA52 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA53 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA54 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA55 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA56 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA77 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA5 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA4 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA10 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA50 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA51 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA52 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA53 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA54 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA55 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA56 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA5 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA4 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA10 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA50 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA51 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA52 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA53 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA54 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA55 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA56 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA77 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA5 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA4 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA10 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA50 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA51 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA52 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA53 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA54 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA55 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA56 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA77 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA77 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=PVHcompnameBAZA5 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=10.10.16.0/24 tunnel=yes
add comment=PVHcompnameBAZA4 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.4.0/24 tunnel=yes
add comment=PVHcompnameBAZAVPN disabled=yes dst-address=192.168.6.0/24 level=\
    unique proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 \
    sa-src-address=66.88.199.205 src-address=192.168.5.0/24 tunnel=yes
add comment=PVHcompnameBAZA10 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.10.0/24 tunnel=yes
add comment=PVHcompnameBAZA50 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.50.0/24 tunnel=yes
add comment=PVHcompnameBAZA51 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.51.0/24 tunnel=yes
add comment=PVHcompnameBAZA52 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.52.0/24 tunnel=yes
add comment=PVHcompnameBAZA53 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.53.0/24 tunnel=yes
add comment=PVHcompnameBAZA54 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.54.0/24 tunnel=yes
add comment=PVHcompnameBAZA55 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.55.0/24 tunnel=yes
add comment=PVHcompnameBAZA56 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.56.0/24 tunnel=yes
/ip route
# Default routes (no dst-address) in the two per-uplink routing tables. Only
# packets that already carry routing-mark routeRT or routeBAZA use them; the
# mangle rules that set those marks are not part of this section.
add distance=1 gateway=pppoe-rt routing-mark=routeRT
add distance=1 gateway=66.88.199.1 routing-mark=routeBAZA
# Main-table default routes with recursive next hops (target-scope=30) that are
# health-checked by ping. The distances differ (10 vs 20), so this pair is
# failover rather than load sharing: unmarked traffic uses the 8.8.8.8 route
# while that address answers, and the 8.8.4.4 route only when it does not.
# NOTE(review): each uplink's health depends on one public address answering
# ICMP; a filtered or rate-limited probe would look like a link failure.
add check-gateway=ping distance=10 gateway=8.8.8.8 target-scope=30
add check-gateway=ping distance=20 gateway=8.8.4.4 target-scope=30
# Host routes that pin each probe address to one uplink, so each check-gateway
# probe above tests a specific provider.
add distance=1 dst-address=8.8.4.4/32 gateway=66.88.199.1
add distance=1 dst-address=8.8.8.8/32 gateway=25.99.132.1
add distance=1 dst-address=10.10.16.0/24 gateway=192.168.52.1
# Host routes that pin IPsec peers and provider DNS servers to one uplink. An
# IKE peer must be reached from the address used as sa-src-address in its
# policies, so these routes and the policies have to be switched together.
add comment="to LDK2 from RT" distance=1 dst-address=53.96.169.8/32 gateway=\
    pppoe-rt
add comment="DNS RT" distance=1 dst-address=53.96.171.200/32 gateway=pppoe-rt
add comment="DNS BAZA" distance=1 dst-address=66.88.196.1/32 gateway=ether1
add comment="DNS BAZA" distance=1 dst-address=66.88.196.2/32 gateway=ether1
add comment=compgroup_BAZA_IP disabled=yes distance=1 dst-address=66.88.198.44/32 \
    gateway=pppoe-rt
add comment="to PVH from RT" distance=1 dst-address=66.88.199.65/32 gateway=\
    pppoe-rt
add comment="to PVH from BAZA" disabled=yes distance=1 dst-address=\
    66.88.199.65/32 gateway=66.88.199.1
add comment="to compgroupRT from RT" distance=1 dst-address=65.98.246.143/32 \
    gateway=pppoe-rt
# Routes via bridge-local cover the remote subnets named as dst-address in the
# IPsec policies (172.16-172.25/16, 192.168.1.0/24, 192.168.6.0/24); routes via
# 192.168.52.1 cover internal subnets behind that router.
# NOTE(review): while a policy is disabled, traffic for its remote subnet is
# not protected by IPsec and simply follows the bridge-local route - confirm
# that this is the intended behaviour when a tunnel is down.
add distance=1 dst-address=172.16.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.17.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.19.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.20.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.25.0.0/16 gateway=bridge-local
add distance=1 dst-address=192.168.1.0/24 gateway=bridge-local
add distance=1 dst-address=192.168.4.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.6.0/24 gateway=bridge-local
add distance=1 dst-address=192.168.8.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.50.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.51.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.53.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.54.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.55.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.56.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.77.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.100.0/24 gateway=192.168.52.1
add comment="DNS RT" distance=1 dst-address=212.48.197.77/32 gateway=pppoe-rt
/ip route rule
# lookup-only-in-table: marked packets consult only the named table, and in
# this export each of those tables holds just a default route. Marked traffic
# for the LAN or for the IPsec remote subnets therefore never sees the
# main-table routes above, unlike with action=lookup.
# NOTE(review): whether that matters depends on which packets the mangle
# rules mark - check that LAN-to-LAN and tunnel traffic is left unmarked.
add action=lookup-only-in-table routing-mark=routeRT table=routeRT
add action=lookup-only-in-table routing-mark=routeBAZA table=routeBAZA
/ip service
# Management services switched off here: telnet, ftp, ssh, api, api-ssl.
# NOTE(review): www, www-ssl and winbox are not changed by this section, so
# they keep whatever state and address= restriction they already have. Verify
# that they are limited to management addresses and are not reachable from
# either WAN interface.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes

set api-ssl disabled=yes
/ip smb
# Guest (unauthenticated) SMB access is turned off.
set allow-guests=no domain=compname.local

/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTikKcompname
/system logging
# The ipsec logging rule is disabled, so this rule records no IPsec events.
# Enabling it helps when diagnosing or auditing the tunnels.
add disabled=yes topics=ipsec,!debug
add topics=pptp,!packet,!debug
/system ntp client
# Time comes from a single internal server; log timestamps depend on it.
set enabled=yes primary-ntp=192.168.51.2
/system routerboard settings
# NOTE(review): auto-upgrade=yes presumably lets the RouterBOOT firmware follow
# RouterOS upgrades without a separate manual step - confirm that fits the
# change-control process for this router.
set auto-upgrade=yes
/system scheduler
# Backup: runs the "backup" script once a day at 23:00:00.
# NOTE(review): both entries carry every policy in the list, including
# password, sniff, sensitive, romon and reboot. Least privilege suggests
# trimming this to what each script actually uses. The scripts are defined
# with dont-require-permissions=no, so the scheduler entry presumably needs at
# least the policies of the script it starts - trim both together and test.
add interval=1d name=Backup on-event="/system script run backup" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2019 start-time=23:00:00
# SwitchIPsec: would run SwitchPVHIPSec every minute; currently disabled.
add disabled=yes interval=1m name=SwitchIPsec on-event=\
    "/system script run SwitchPVHIPSec" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2019 start-time=13:06:17
/system script
# backup: writes a binary backup and a text export named after the router
# identity, waits 10 s after each, then uploads both files to 192.168.51.6 with
# /tool fetch mode=ftp under names built from identity, date and time.
# NOTE(review): dont-encrypt=yes stores the .backup file unencrypted, and the
# .rsc written by /export is plain text. Both hold the router's configuration,
# and the script never removes them from router storage after the upload.
# NOTE(review): the FTP login and password are literals in the script source,
# so they appear in every configuration export (as in this listing), and
# mode=ftp sends them and the backup files over the network in cleartext.
# Prefer an encrypted backup and an encrypted transfer where the RouterOS
# version supports it. Use a dedicated upload-only account on the server.
# NOTE(review): the policy list grants every policy; the script itself uses
# /log, /system backup, /export and /tool fetch only.
add dont-require-permissions=no name=backup owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    log info message=\"Starting backup script...\"\r\
    \n:local name [/system identity get name]\r\
    \n:local date [/system clock get date]\r\
    \n:local time [/system clock get time]\r\
    \n:local day [ :pick \$date 4 6 ]\r\
    \n:local month [ :pick \$date 0 3 ]\r\
    \n:local year [ :pick \$date 7 11 ]\r\
    \n:local hours [ :pick \$time 0 2]\r\
    \n:local mins [ :pick \$time 3 5]\r\
    \n:local sec [ :pick \$time 6 8]\r\
    \n:local backupNameSCR (\$name.\"_\".\$day.\"-\".\$month.\"-\".\$year.\"_\
    \".\$hours.\"-\".\$mins.\"-\".\$sec.\".scr\")\r\
    \n:local backupNameBackup (\$name.\"_\".\$day.\"-\".\$month.\"-\".\$year.\
    \"_\".\$hours.\"-\".\$mins.\"-\".\$sec.\".backup\")\r\
    \n\r\
    \n:local ftpIP \"192.168.51.6\"\r\
    \n:local ftpPath \"/Automation/Backups/Mikrotik/\"\r\
    \n:local ftpLogin \"mi\"\r\
    \n:local ftpPassword \"mi\"\r\
    \n\r\
    \n/log info message=\"Saving backup file\"\r\
    \n/system backup save name=\$name dont-encrypt=yes\r\
    \ndelay 10\r\
    \n\r\
    \n/log info message=\"Saving backup script file\"\r\
    \n/export file=\$name\r\
    \ndelay 10\r\
    \n\r\
    \n/log info message=\"Sending to ftp\"\r\
    \n\r\
    \n/tool fetch address=\$ftpIP src-path=(\$name.\".rsc\") mode=ftp user=\$f\
    tpLogin password=\$ftpPassword upload=yes dst-path=(\$ftpPath.\$backupName\
    SCR)\r\
    \n/log info message=(\"System Backup \".\$backupNameSCR)\r\
    \n\r\
    \n/tool fetch address=(\$ftpIP) src-path=(\$name.\".backup\") mode=ftp use\
    r=(\$ftpLogin)  password=(\$ftpPassword) upload=yes dst-path=(\$ftpPath.\$\
    backupNameBackup)\r\
    \n/log info message=(\"System Backup\".\$backupNameBackup)\r\
    \n"
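# SwitchPVHIPSec: pings 66.88.199.205 three times from each of the two local
# WAN addresses (25.99.224.234 and 66.88.199.205). Depending on the replies it
# disables the PVH IPsec policies, peer and host route for one uplink and,
# after a 2 s delay, enables them for the other.
# Fix: the first probe (src-address = the RT address) is now stored in
# StatusPVHBAZAfromRT. It used to be declared as StatusPVHBAZAfromBAZA and was
# immediately overwritten by the second probe, so StatusPVHBAZAfromRT - the
# variable both :if conditions test - was never assigned and neither branch
# could run.
# NOTE(review): StatusPVHIPBAZA (the probe target) has the same value as
# KcompnameIPBAZA, this router's own BAZA address in the script. Confirm the
# target should not be the remote peer (PVHIPBAZA) instead.
# NOTE(review): RouteNamePVHBAZA and RouteNamePVHRT contain spaces and are
# interpolated unquoted after "find comment=" in the :parse strings. Verify
# that those strings parse before enabling the SwitchIPsec scheduler entry.
# NOTE(review): the policy list grants every policy; the script only pings and
# sets /ip ipsec policy, /ip ipsec peer and /ip route entries.
add dont-require-permissions=no name=SwitchPVHIPSec owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local PingCount 3\r\
    \n\r\
    \n\r\
    \n:local PeerNamePVHBAZA PVH\r\
    \n\r\
    \n \r\
    \n#Destinations\r\
    \n:local KcompnameIPRT\t25.99.224.234\r\
    \n:local KcompnameIPBAZA\t66.88.199.205\r\
    \n:local PVHIPBAZA 66.88.199.65\r\
    \n\r\
    \n:local StatusPVHIPBAZA 66.88.199.205\r\
    \n\r\
    \n:local RouteNamePVHBAZA \"to PVH from BAZA\"\r\
    \n:local RouteNamePVHRT \"to PVH from RT\"\r\
    \n \r\
    \n####\r\
    \n#      Ping:\r\
    \n:local StatusPVHBAZAfromRT [/ping \$StatusPVHIPBAZA count=\$PingCount \
    src-address=\$KcompnameIPRT]\r\
    \n:local StatusPVHBAZAfromBAZA [/ping \$StatusPVHIPBAZA count=\$PingCount \
    src-address=\$KcompnameIPBAZA]\r\
    \n\r\
    \n# :local StatusPVHBAZAfromRT [/ping \$StatusPVHIPBAZA count=\$PingCount]\
    \r\
    \n# :local StatusPVHBAZAfromRT [/ping \$StatusPVHIPBAZA count=\$PingCount]\
    \r\
    \n###\r\
    \n \r\
    \n \r\
    \n####\r\
    \n# Templates\r\
    \n####\r\
    \n:local EnablePVHBAZAfromBAZA [:parse (\"{/ip ipsec policy set [find sa-s\
    rc-address=\$KcompnameIPBAZA sa-dst-address=\$PVHIPBAZA disabled=yes] disabled=\
    no; /ip ipsec peer set [find name=\$PeerNamePVHBAZA disabled=yes] disabled\
    =no; /ip route set [find comment=\$RouteNamePVHBAZA disabled=yes] disabled\
    =no}\")];\r\
    \n:local DisablePVHBAZAfromBAZA [:parse (\"{/ip ipsec policy set [find sa-\
    src-address=\$KcompnameIPBAZA sa-dst-address=\$PVHIPBAZA] disabled=yes; /ip ips\
    ec peer set [find name=\$PeerNamePVHBAZA disabled=no] disabled=yes; /ip ro\
    ute set [find comment=\$RouteNamePVHBAZA disabled=no] disabled=yes}\")];\r\
    \n####\r\
    \n:local EnablePVHBAZAfromRT [:parse (\"{/ip ipsec policy set [find sa-src\
    -address=\$KcompnameIPRT sa-dst-address=\$PVHIPBAZA] disabled=no; /ip ipsec pee\
    r set [find name=\$PeerNamePVHBAZA disabled=yes] disabled=no; /ip route se\
    t [find comment=\$RouteNamePVHRT disabled=yes] disabled=no}\")];\r\
    \n:local DisablePVHBAZAfromRT [:parse (\"{/ip ipsec policy set [find sa-sr\
    c-address=\$KcompnameIPRT sa-dst-address=\$PVHIPBAZA] disabled=yes; /ip ipsec p\
    eer set [find name=\$PeerNamePVHBAZA disabled=no] disabled=yes; /ip route \
    set [find comment=\$RouteNamePVHRT disabled=no] disabled=yes}\")];\r\
    \n \r\
    \n\r\
    \n####\r\
    \n############################## IPsec ######\r\
    \n:if (\$StatusPVHBAZAfromRT>0)  do={\r\
    \n\$DisablePVHBAZAfromBAZA;\r\
    \n# \$DisablePVHOtherfromBaza;\r\
    \n# \$DisablePVHOtherfromRT;\r\
    \ndelay 2;\r\
    \n\$EnablePVHBAZAfromRT;\r\
    \n}\r\
    \n\r\
    \n:if ((\$StatusPVHBAZAfromRT=0)&&(\$StatusPVHBAZAfromBAZA>0)) do={\r\
    \n\$DisablePVHBAZAfromRT;\r\
    \n# \$DisablePVHOtherfromBaza;\r\
    \n# \$DisablePVHOtherfromRT;\r\
    \ndelay 2;\r\
    \n\$EnablePVHBAZAfromBAZA;\r\
    \n}"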
