Amigo, vou tentar listar um passo a passo para seguir:
Para funcionar no mikrotik, no server da openvpn *não *pode ter: — Compressão Lzo — Porta UDP Alguns ajustes são necessários. Ainda no linux, converter as chaves para RSA: openssl rsa -in ca.key -text > ca.rsa openssl rsa -in client2.key -text > client2.rsa *NO MIKROTIK* Importar do linux esses 4 arquivos abaixo e arrasta-los para dentro do mikrotik. Depois no terminal do mesmo executar 1 2 3 4 /certificate import file-name=ca.crt (pressione enter até concluir) /certificate import file-name=ca.rsa (pressione enter até concluir) /certificate import file-name=client4.crt (pressione enter até concluir) /certificate import file-name=client4.rsa (pressione enter até concluir) No MIKROTIK: *INTERFACES –> ADD –> OPENVPN CLIENT* 1 2 3 4 5 6 7 8 9 Dialup: A.B.C.D (ip do servidor openvpn) porta: 1195 mode: ip user: cliente4 (nome da chave) pass: vazia profile: default-encryptation Certificate: client4.crt_0 Auth: sha1 Cipher: blowfish 128 Após conexão, em *IP –> ROUTE* observe se automaticamente criou a rota para o rede destino/rede_destino saindo pelo openvpn client. Criei um masquerad no firewall com: 1 2 3 SOURCE: rede LAN mikrotik OutInterface: openvpncliete criada Aba Action: Masquerad *Step 4 — Routing – SOMENTE SE NECESSITAR ACESSAR A REDE INTERNA LAN ONDE O SERVIDOR VPN ASTERISK ENCONTRA-SE* To keep things simple we’re going to do our routing directly with iptables rather than the new firewalld. First, make sure the iptables service is installed and enabled. yum install iptables-services -y systemctl mask firewalld systemctl enable iptables systemctl stop firewalld systemctl start iptables iptables –flush Next we’ll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables-save > /etc/sysconfig/iptables Then we must enable IP forwarding in sysctl. Open sysctl.conf for editing. 1 2 3 4 vi /etc/sysctl.conf Add the following line at the top of the file: net.ipv4.ip_forward = 1 Then restart the network service so the IP forwarding will take effect. 1 systemctl restart network.service *Step 5 — Starting OpenVPN* Now we’re ready to run our OpenVPN service. So lets add it to systemctl: 1 2 systemctl -f enable [email protected] systemctl start [email protected] *No mk crie uma regra de mascaramento:* NAT –> ADD Chain: srcnat Src. Address: rede lan (exemplo: 192.168.88.0/24) Dst. Address: rede lan da vpn do outro lado (192.168.218.0/24) Out Interface: nome-da-open-vpn-interface Action: Masquerade *Em MANGLE:* ADD Chain: Prerouting Src. Address: rede lan (exemplo: 192.168.88.0/24) Dst. Address: rede lan da vpn do outro lado (192.168.218.0/24) Action: Mark routing New Routing Mark: OpenVpn-NOME *Desmarcar Passthrough* * IP –> ROUTES* ADD Dst. Address: 192.168.218.0/24 (lan do outro lado) Geteway: openvpn-gw-criado-automaticamente Routinha Mark: OpenVpn-NOME (dado a regra acima de Mangle) Boa sorte. Ulisses Féres Cerqueira Infraestrutura e Projeto 55 32 3722-4004 ramal 928 55 32 98489-6455 [email protected] www.abratel.com.br [image: http://www.digavoip.com.br/assinatura/logo.png] 2018-03-14 15:38 GMT-03:00 Marcel Laino <[email protected]>: > a vpn esta conectada, porem nao pinga e nao acessa nada. nos logs aparece > isso. > > openVPN_mikrotik_BAHIA / wan mikrotik: 32852 Byte de cabeçalho de > descompressão do stub de compressão incorreta: 42 > > > > > <https://mailtrack.io/> Enviado com Mailtrack > <https://mailtrack.io?utm_source=gmail&utm_medium=signature&utm_campaign= > signaturevirality&> > > Att, > > *Marcel Laino* > Vivo: (11) 95287-5837 > [email protected] > facebook.com/marcellaino <http://Facebook.com/marcellaino> > youtube.com/marcellaino > br.linkedin.com/in/marcellaino > google.com/+MarcelLaino > > On Wed, Mar 14, 2018 at 3:36 PM, Marcel Laino <[email protected]> > wrote: > > > Alguem pode ajudar com essa configuracao. a vpn esta conectada, porem as > > redes nao se falam de jeito nenhum. > > > > segui esse cenario, porem nao vai. tentei ipsec e tb n conecta. tinha > > ipsec conectado com esse mikrotik na versao 2.1.5 porem atualizei o > pfsense > > e nao conectou mais. > > > > *pfSense:* > > > > 1. System -> Cert Manager -> CAs > > Create new CA (*vpn-tunnel-ca*). Export "CA cert" file (my-ca.crt). > > > > 2. System -> Cert Manager -> Certificates > > Create two certificates (use CA created above) - one for the VPN Server > > (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and > key > > files for client certificate (mik-vpn.crt and mik-vpn.key). > > > > 3. VPN -> OpenVPN -> Server > > Create new VPN server: > > > > Server Mode: Peer to Peer (SSL/TLS) > > Protocol: TCP > > Device Mode: tun > > Interface: ITD > > Local port: 1195 > > TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS > > key) > > Peer Certificate Authority: vpn-tunnel-ca > > Server Certificate: vpn-tunnel > > Encryption algorithm: BF-CBC (128-bit) > > Auth Digest Algorithm: SHA1 (160-bit) > > IPv4 Tunnel Network: x <http://172.20.20.0/30>.x.x.x/30 > > IPv4 Local Network/s: l <http://192.168.0.0/24>an > > IPv4 Remote Network/s: lan client <http://10.10.2.0/26> > > Compression: No Preference > > Advanced: client-to-client > > > > 4. VPN -> OpenVPN -> Client Specific Overrides > > Create new override: > > > > Common name: mik-vpn > > Advanced: iroute (lan client) mask > > > > > > *MikroTik:* > > > > 1. Copy two certificate files and the key file to Files. Import all of > > them from System/Certificates. > > > > 2. PPP -> Interface - create new OVPN Client: > > Name: ovpn-office > > Connect To: wan pfsense > > Port: 1195 > > Mode: ip > > User: any > > Certificate: mik-vpn.crt_0 > > Auth: sha 1 > > Cipher: blowfish 128 > > Add Default Route: (do not check this) > > > > It works as expected - I can ping workstations from both sides of the > > tunnel. > > > > Att, > > > > *Marcel Laino* > > Vivo: (11) 95287-5837 > > [email protected] > > facebook.com/marcellaino <http://Facebook.com/marcellaino> > > youtube.com/marcellaino > > br.linkedin.com/in/marcellaino > > google.com/+MarcelLaino > > > > > > > > > > <https://mailtrack.io/> Enviado com Mailtrack > > <https://mailtrack.io?utm_source=gmail&utm_medium= > signature&utm_campaign=signaturevirality&> > > > _______________________________________________ > Pfsense-pt mailing list > [email protected] > http://lists.pfsense.org/mailman/listinfo/pfsense-pt > _______________________________________________ Pfsense-pt mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/pfsense-pt
