MikroTik to Palo Alto IPsec is up and passing traffic for the remote subnet. I want to route all LAN traffic (a full tunnel, 0.0.0.0/0) over the IPsec tunnel. How can I do that?
My Conf:
# apr/25/2022 18:30:26 by RouterOS 6.49.6
# software id = SM8Q-MVJ5
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxx
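/ip firewall address-list
add address=10.10.5.0/24 list=local
/ip firewall filter
# FastTrack bypasses IPsec processing, so connections marked "ipsec" by the
# mangle rules below are excluded from it.
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related
# IKE (500) and NAT-T (4500) are only needed from the configured peer; accept
# them from that address only. UDP 1701 is L2TP, which nothing in this export
# configures, so it has been dropped - re-add it only if an L2TP server exists.
add action=accept chain=input comment="IKE/NAT-T from IPsec peer" \
    dst-port=500,4500 protocol=udp src-address=28.222.XXX.XXX
# ESP (IP protocol 50) carries the tunnel when NAT-T is not in use; without
# this rule a default-drop input chain would silently break the tunnel.
add action=accept chain=input comment="ESP from IPsec peer" \
    protocol=ipsec-esp src-address=28.222.XXX.XXX
# NOTE(review): no drop rule is present in the input or forward chain in this
# export. If the export is complete the router accepts everything it is not
# explicitly matching; add "action=drop chain=input in-interface=UpLink" (after
# an established/related accept) once management access from the LAN is verified.
add action=accept chain=forward comment="IPSEC Input" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC Output" ipsec-policy=out,ipsec
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
/ip firewall nat
# Source NAT runs before the IPsec policy lookup. The original accept rule only
# bypassed NAT for 192.168.100.0/23, so with a 0.0.0.0/0 policy every other
# destination was masqueraded to the uplink address and no longer matched the
# policy's src-address=10.10.5.0/24. Matching on the IPsec policy itself keeps
# the NAT bypass in step with whatever the policy covers. Order matters: this
# rule must stay above the masquerade rule.
add action=accept chain=srcnat comment="IPSEC - no NAT for tunnelled traffic" \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment=Internet
/ip ipsec mode-config
# NOTE(review): a mode-config initiator with src-address-list together with a
# static tunnel policy below is an unusual mix; confirm which of the two the
# Palo Alto side actually expects. policy-template-group=group5 is referenced
# by the identity but no template in that group is visible in this export.
add name=Mode_Config responder=no src-address-list=local
/ip ipsec policy group
add name=group5
/ip ipsec profile
# modp1536 (DH group 5) is below current recommendations; prefer modp2048 or
# an ECP group when the peer supports it. No hash algorithm is set here, so
# the RouterOS default applies - set it explicitly to match the peer.
add dh-group=modp1536 enc-algorithm=aes-128 lifetime=8h name=ike_crypto
/ip ipsec peer
add address=28.222.XXX.XXX/32 local-address=5.27.XXX.XXX name=ipsec \
    profile=ike_crypto
/ip ipsec proposal
# aes-128-cbc with PFS group modp1536; same DH-group caveat as the profile.
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec_crypto pfs-group=\
    modp1536
/ip ipsec identity
# The pre-shared key was posted publicly with this configuration; rotate it on
# both ends and strip it from any further exports ("/export hide-sensitive").
add mode-config=Mode_Config peer=ipsec policy-template-group=group5 \
    secret=MySecret
/ip ipsec policy
set 0 disabled=yes
# Full-tunnel policy: everything from the LAN is sent through the tunnel. The
# Palo Alto proxy-ID / traffic selector must match 10.10.5.0/24 -> 0.0.0.0/0
# or phase 2 will not establish for destinations outside 192.168.100.0/23.
add dst-address=0.0.0.0/0 peer=ipsec proposal=ipsec_crypto src-address=\
    10.10.5.0/24 tunnel=yes
/ip address
add address=10.10.5.1/24 interface=Bridge_LAN network=10.10.5.0
add address=5.27.XXX.XXX interface=UpLink network=5.27.XXX.XXX
add address=192.168.1.15/24 interface=UpLink network=192.168.1.0
/ip route
# Default route reaches the peer; IKE is sourced from local-address 5.27.XXX.XXX.
add distance=1 gateway=192.168.1.1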