LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Routing all traffic over ipsec vpn

Mon Apr 25, 2022 7:38 pm

Hi,
MikroTik to Palo Alto IPsec is active and working. I want to route all traffic over IPsec. How can I do that?
[attached image: top.jpg]
My Conf:
# apr/25/2022 18:30:26 by RouterOS 6.49.6
# software id = SM8Q-MVJ5
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxx

/ip firewall address-list
add address=10.10.5.0/24 list=local

/ip firewall filter
# fasttrack bypasses IPsec, so connections carrying the "ipsec" mark are left out of it
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related
# IKE (500), L2TP (1701) and NAT-T (4500) to the router itself; there is no
# rule for ESP (IP protocol 50), which only matters once a drop rule is added
add action=accept chain=input comment="IPSEC Port" dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=forward comment="IPSEC Input" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC Output" ipsec-policy=out,ipsec

/ip firewall mangle
# connections matched by an IPsec policy (either direction) get the "ipsec"
# connection mark that the fasttrack rule above excludes
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec

/ip firewall nat
# srcnat is evaluated before the IPsec policy lookup: LAN traffic to
# 192.168.100.0/23 keeps its 10.10.5.x source, every other destination is
# masqueraded to the UpLink address before the policy is checked
add action=accept chain=srcnat comment=IPSEC dst-address=192.168.100.0/23 \
    src-address=10.10.5.0/24
add action=masquerade chain=srcnat comment=Internet

/ip ipsec mode-config
add name=Mode_Config responder=no src-address-list=local

/ip ipsec policy group
add name=group5

/ip ipsec profile
# phase 1 (IKE) parameters
add dh-group=modp1536 enc-algorithm=aes-128 lifetime=8h name=ike_crypto

/ip ipsec peer
add address=28.222.XXX.XXX/32 local-address=5.27.XXX.XXX name=ipsec \
    profile=ike_crypto

/ip ipsec proposal
# phase 2 (ESP) parameters
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec_crypto pfs-group=\
    modp1536

/ip ipsec identity
add mode-config=Mode_Config peer=ipsec policy-template-group=group5 \
    secret=MySecret

/ip ipsec policy
# default template disabled; the static policy selects all LAN traffic
# (dst 0.0.0.0/0) for the tunnel
set 0 disabled=yes
add dst-address=0.0.0.0/0 peer=ipsec proposal=ipsec_crypto src-address=\
    10.10.5.0/24 tunnel=yes

/ip address
add address=10.10.5.1/24 interface=Bridge_LAN network=10.10.5.0
add address=5.27.XXX.XXX interface=UpLink network=5.27.XXX.XXX
add address=192.168.1.15/24 interface=UpLink network=192.168.1.0

/ip route
# default route via the upstream gateway; policy-based IPsec needs no extra route
add distance=1 gateway=192.168.1.1
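The following is an added example, not the poster's export and not a MikroTik-provided configuration. It shows the MikroTik side of a full-tunnel policy-based IPsec setup on RouterOS 6.49, reusing the poster's names and addresses (10.10.5.0/24 LAN, peer 28.222.XXX.XXX, local 5.27.XXX.XXX, UpLink interface, proposal ipsec_crypto); the XXX placeholders are the poster's redactions. The key point is ordering: in RouterOS, srcnat runs before the IPsec policy lookup, so a NAT bypass that only covers one remote subnet leaves every other destination masqueraded and therefore outside the policy. The Palo Alto end is assumed to accept a proxy ID of 10.10.5.0/24 to 0.0.0.0/0 and to NAT that traffic onward to the Internet; that side is not shown.

```routeros
# Added example: full-tunnel policy-based IPsec, MikroTik side only.
# Assumes the poster's peer "ipsec" and proposal "ipsec_crypto" already exist.

# 1. Policy: all LAN traffic enters the tunnel. The default level=require
#    drops matching packets instead of sending them in clear while no SA
#    exists, so a tunnel outage does not leak LAN traffic to the Internet.
/ip ipsec policy
add src-address=10.10.5.0/24 dst-address=0.0.0.0/0 tunnel=yes \
    peer=ipsec proposal=ipsec_crypto action=encrypt level=require

# 2. NAT bypass: match on the IPsec policy itself rather than a fixed
#    dst-address, so every tunnelled destination (the whole 0.0.0.0/0)
#    keeps its 10.10.5.x source. The rule must sit above the masquerade.
/ip firewall nat
add action=accept chain=srcnat comment="no NAT for IPsec-bound traffic" \
    ipsec-policy=out,ipsec place-before=0
add action=masquerade chain=srcnat comment=Internet out-interface=UpLink

# 3. Fasttrack bypasses IPsec: mark tunnelled connections and skip them.
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec \
    new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
    connection-state=established,related

# 4. Checks: the peer must be established, the 0.0.0.0/0 policy must show
#    an installed SA, and the srcnat accept rule's counters must increase
#    while a LAN host browses; if only the masquerade rule counts, the
#    bypass is ordered after it or the policy is not matching.
/ip ipsec active-peers print
/ip ipsec policy print detail
/ip ipsec installed-sa print
/ip firewall nat print stats
```

With the poster's existing config, the first accept rule only exempts 192.168.100.0/23, so a LAN client reaching any other address is masqueraded to the UpLink address and never matches src-address=10.10.5.0/24 in the policy; replacing that rule with the ipsec-policy=out,ipsec matcher (or widening its dst-address to 0.0.0.0/0) is the change that makes the 0.0.0.0/0 policy take effect.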