Good morning.

For it to work on the MikroTik, the OpenVPN server *must not* have:
- LZO compression (I was using the default: No Preference)
- UDP port (I configured it to run TCP, IPv4 only)

I'm going to convert the keys from the pfSense shell and send them to the
MikroTik technician to import, since the VPN connected but doesn't ping and can't reach the \\ share.
Now, does it really need all those iptables configurations on the MikroTik
side too? I only need the LANs to talk to each other over IP so I can reach the \\
share at the other end.
After fixing the certificate, will the networks still not talk to each other?

Regards,

*Marcel Laino*
Vivo: (11) 95287-5837
[email protected]
facebook.com/marcellaino <http://Facebook.com/marcellaino>
youtube.com/marcellaino
br.linkedin.com/in/marcellaino
google.com/+MarcelLaino

On Thu, Mar 15, 2018 at 10:27 AM, Ulisses Féres - Abratel Telecom <
[email protected]> wrote:

> Friend, I'll try to list a step by step for you to follow:
>
>
> For it to work on the MikroTik, the OpenVPN server *must not* have:
> - LZO compression
> - UDP port
>
> Some adjustments are needed. Still on Linux, convert the keys to RSA:
>
>
> openssl rsa -in ca.key -text > ca.rsa
> openssl rsa -in client2.key -text > client2.rsa
>
> *ON THE MIKROTIK*
>
> Bring these 4 files below over from Linux and drag them into the
> MikroTik.
> Then, in its terminal, run:
> /certificate import file-name=ca.crt (press Enter until it finishes)
> /certificate import file-name=ca.rsa (press Enter until it finishes)
> /certificate import file-name=client4.crt (press Enter until it finishes)
> /certificate import file-name=client4.rsa (press Enter until it finishes)
>
> On the MIKROTIK:
>
> *INTERFACES -> ADD -> OPENVPN CLIENT*
> Dial-up: A.B.C.D (the OpenVPN server's IP)
> Port: 1195
> Mode: ip
> User: client4 (name of the key)
> Password: empty
> Profile: default-encryption
> Certificate: client4.crt_0
> Auth: sha1
> Cipher: blowfish 128
>
> After connecting, under *IP -> ROUTE* check whether the route to
> destination_network/destination_network was created automatically, going out through the OpenVPN client.
>
> I created a masquerade rule in the firewall with:
> Source: the MikroTik LAN network
> Out Interface: the OpenVPN client interface you created
> Action tab: Masquerade
>
> *Step 4: Routing. ONLY IF YOU NEED TO REACH THE INTERNAL LAN WHERE THE
> ASTERISK VPN SERVER IS LOCATED*
>
> To keep things simple we’re going to do our routing directly with iptables
> rather than the new firewalld.
>
> First, make sure the iptables service is installed and enabled.
>
> yum install iptables-services -y
> systemctl mask firewalld
> systemctl enable iptables
> systemctl stop firewalld
> systemctl start iptables
> iptables --flush
> Next we’ll add a rule to iptables to forward our routing to our OpenVPN
> subnet, and save this rule.
>
> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
> iptables-save > /etc/sysconfig/iptables
> Then we must enable IP forwarding in sysctl. Open sysctl.conf for editing.
> vi /etc/sysctl.conf
> Add the following line at the top of the file:
>
> net.ipv4.ip_forward = 1
>
> Then restart the network service so the IP forwarding will take effect.
> systemctl restart network.service
>
> *Step 5 — Starting OpenVPN*
>
> Now we're ready to run our OpenVPN service. So let's add it to systemctl:
> systemctl -f enable [email protected]
> systemctl start [email protected]
>
> *On the MK, create a masquerade rule:*
> NAT -> ADD
> Chain: srcnat
> Src. Address: the LAN network (example: 192.168.88.0/24)
> Dst. Address: the LAN network on the other side of the VPN (192.168.218.0/24)
> Out Interface: name-of-the-openvpn-interface
> Action: Masquerade
>
> *Under MANGLE:*
> ADD
> Chain: prerouting
> Src. Address: the LAN network (example: 192.168.88.0/24)
> Dst. Address: the LAN network on the other side of the VPN (192.168.218.0/24)
> Action: mark routing
> New Routing Mark: OpenVpn-NAME
> *Uncheck Passthrough*
>
>
> *IP -> ROUTES*
> ADD
> Dst. Address: 192.168.218.0/24 (the LAN on the other side)
> Gateway: the OpenVPN gateway created automatically
> Routing Mark: OpenVpn-NAME (as set in the Mangle rule above)
>
> Good luck.
>
>
>
> Ulisses Féres Cerqueira
> Infrastructure and Projects
> 55 32 3722-4004 ext. 928
> 55 32 98489-6455
> [email protected]
> www.abratel.com.br
>
>
>
>
> 2018-03-14 15:38 GMT-03:00 Marcel Laino <[email protected]>:
>
> > The VPN is connected, but it doesn't ping and can't reach anything. This shows
> > up in the logs:
> >
> > openVPN_mikrotik_BAHIA / wan mikrotik: 32852 Bad compression stub
> > decompression header byte: 42
> >
> >
> >
> >
> > Regards,
> >
> > *Marcel Laino*
> > Vivo: (11) 95287-5837
> > [email protected]
> > facebook.com/marcellaino <http://Facebook.com/marcellaino>
> > youtube.com/marcellaino
> > br.linkedin.com/in/marcellaino
> > google.com/+MarcelLaino
> >
> > On Wed, Mar 14, 2018 at 3:36 PM, Marcel Laino <[email protected]>
> > wrote:
> >
> > > Can anyone help with this configuration? The VPN is connected, but
> > > the networks don't talk to each other at all.
> > >
> > > I followed this scenario, but it doesn't work. I tried IPsec and it
> > > doesn't connect either. I had IPsec connected to this MikroTik on
> > > version 2.1.5, but I upgraded pfSense and it stopped connecting.
> > >
> > > *pfSense:*
> > >
> > > 1. System -> Cert Manager -> CAs
> > > Create new CA (*vpn-tunnel-ca*). Export "CA cert" file (my-ca.crt).
> > >
> > > 2. System -> Cert Manager -> Certificates
> > > Create two certificates (use CA created above) - one for the VPN Server
> > > (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and
> > key
> > > files for client certificate (mik-vpn.crt and mik-vpn.key).
> > >
> > > 3. VPN -> OpenVPN -> Server
> > > Create new VPN server:
> > >
> > > Server Mode: Peer to Peer (SSL/TLS)
> > > Protocol: TCP
> > > Device Mode: tun
> > > Interface: ITD
> > > Local port: 1195
> > > TLS Authentication: (clear checkbox, MikroTik doesn't support shared
> TLS
> > > key)
> > > Peer Certificate Authority: vpn-tunnel-ca
> > > Server Certificate: vpn-tunnel
> > > Encryption algorithm: BF-CBC (128-bit)
> > > Auth Digest Algorithm: SHA1 (160-bit)
> > > IPv4 Tunnel Network: x.x.x.x/30 (172.20.20.0/30)
> > > IPv4 Local Network/s: lan (192.168.0.0/24)
> > > IPv4 Remote Network/s: lan client (10.10.2.0/26)
> > > Compression: No Preference
> > > Advanced: client-to-client
> > >
> > > 4. VPN -> OpenVPN -> Client Specific Overrides
> > > Create new override:
> > >
> > > Common name: mik-vpn
> > > Advanced: iroute (lan client) mask
> > >
> > >
> > > *MikroTik:*
> > >
> > > 1. Copy two certificate files and the key file to Files. Import all of
> > > them from System/Certificates.
> > >
> > > 2. PPP -> Interface - create new OVPN Client:
> > > Name: ovpn-office
> > > Connect To: wan pfsense
> > > Port: 1195
> > > Mode: ip
> > > User: any
> > > Certificate: mik-vpn.crt_0
> > > Auth: sha1
> > > Cipher: blowfish 128
> > > Add Default Route: (do not check this)
> > >
> > > It works as expected - I can ping workstations from both sides of the
> > > tunnel.
> > >
> > > Regards,
> > >
> > > *Marcel Laino*
> > > Vivo: (11) 95287-5837
> > > [email protected]
> > > facebook.com/marcellaino <http://Facebook.com/marcellaino>
> > > youtube.com/marcellaino
> > > br.linkedin.com/in/marcellaino
> > > google.com/+MarcelLaino
> > >
> > >
> > >
> > >
> > _______________________________________________
> > Pfsense-pt mailing list
> > [email protected]
> > http://lists.pfsense.org/mailman/listinfo/pfsense-pt
> >


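Worked example added by the editor (not from any message in this thread): the key conversion from Ulisses' steps, plus the two openssl checks worth running before the files go to the MikroTik technician, namely that the client certificate chains to ca.crt and that the key file really belongs to the client certificate. It generates its own throwaway CA and client certificate (the names vpn-tunnel-ca and mik-vpn follow Marcel's guide), so nothing here is a real pfSense export; WORKDIR and the function names are the editor's. One caveat the steps above do not mention: the client only needs the CA certificate, not ca.rsa. The CA private key can stay on the pfSense, and if it is imported on the router, anyone with access to the router can issue certificates the server will trust.

```sh
#!/bin/sh
# Editor's example, not from the thread: build a throwaway CA and client
# certificate, convert the client key the way the thread does
# (openssl rsa ... -text), and check the result before shipping it.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed test PKI: a self-signed CA and one client cert signed by it.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=vpn-tunnel-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mik-vpn" \
        -keyout "$dir/mik-vpn.key" -out "$dir/mik-vpn.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/mik-vpn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/mik-vpn.crt" 2>/dev/null
}

# Same conversion as the thread: a human-readable dump followed by the PEM
# key. The import only needs the PEM part, so the file must still carry a
# PRIVATE KEY block (OpenSSL 3 writes PKCS#8 "BEGIN PRIVATE KEY").
convert_key_for_mikrotik() {
    openssl rsa -in "$1" -text -out "$2" 2>/dev/null
    grep -q 'PRIVATE KEY-----' "$2"
}

# Check 1: the client certificate was issued by the CA whose ca.crt we are
# shipping. Only ca.crt is needed for this, never ca.key.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Check 2: private key and certificate share the same RSA modulus, i.e. the
# .key/.rsa file belongs to the .crt. A mix-up here shows up as a TLS
# handshake failure on the server, not as a routing problem.
key_matches_cert() {
    km=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

make_test_pki "$WORKDIR"
convert_key_for_mikrotik "$WORKDIR/mik-vpn.key" "$WORKDIR/mik-vpn.rsa"
verify_client_cert "$WORKDIR/ca.crt" "$WORKDIR/mik-vpn.crt" \
    && echo "mik-vpn.crt chains to ca.crt"
key_matches_cert "$WORKDIR/mik-vpn.rsa" "$WORKDIR/mik-vpn.crt" \
    && echo "mik-vpn.rsa matches mik-vpn.crt"
echo "files to import on the MikroTik: ca.crt mik-vpn.crt mik-vpn.rsa (in $WORKDIR)"
```

On a real pfSense export, skip make_test_pki, point WORKDIR at the directory holding the exported files and call the two check functions on ca.crt, the client .crt and the converted key; a failing verify_client_cert means the certificate was signed by a different CA than the one the OpenVPN server has as its Peer Certificate Authority.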
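Added example (editor's, not from the thread): a small checker for the server-side settings the thread identifies as incompatible with the RouterOS OVPN client (LZO/compress framing, UDP transport, and a shared TLS key via tls-auth or tls-crypt), run over a constructed server.conf shaped like a default peer-to-peer server, followed by a rewrite to the working shape (TCP, no compression framing, no shared TLS key). The file paths and the push line in the sample are made up; the cipher and auth lines are the ones both sides in the thread used.

```sh
#!/bin/sh
# Editor's example, not from the thread: find and rewrite the server.conf
# directives the RouterOS OVPN client will not accept.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
BAD_CONF="$WORKDIR/server-default.conf"
GOOD_CONF="$WORKDIR/server-mikrotik.conf"

# Whole-line match (leading spaces tolerated, comments excluded). A pushed
# comp-lzo counts too, because it asks the client to use framing.
BLOCKERS='^[[:space:]]*(proto[[:space:]]+udp|comp-lzo|compress|tls-auth|tls-crypt|push[[:space:]]+"?comp-lzo)'

# Constructed sample of a default peer-to-peer server, as the thread found it.
write_sample_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1195
comp-lzo adaptive
tls-auth /var/etc/openvpn/server1.tls-auth 0
push "comp-lzo yes"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
cipher BF-CBC
auth SHA1
server 172.20.20.0 255.255.255.252
client-to-client
EOF
}

# Number of offending directives (0 when the config is MikroTik-clean).
count_blockers() { grep -cE "$BLOCKERS" "$1" || true; }

# The offending lines with line numbers, for the change ticket.
list_blockers() { grep -nE "$BLOCKERS" "$1" || true; }

# Rewrite: UDP becomes TCP (server side); the other blockers are commented
# out rather than deleted so the diff stays reviewable.
make_compatible() {
    sed -E \
        -e 's/^([[:space:]]*proto[[:space:]]+)udp[46]?/\1tcp-server/' \
        -e 's/^([[:space:]]*)(comp-lzo|compress|tls-auth|tls-crypt|push[[:space:]]+"?comp-lzo)/\1# removed for MikroTik: \2/' \
        "$1" > "$2"
}

write_sample_conf "$BAD_CONF"
echo "blockers in $BAD_CONF: $(count_blockers "$BAD_CONF")"
list_blockers "$BAD_CONF"
make_compatible "$BAD_CONF" "$GOOD_CONF"
echo "blockers after rewrite: $(count_blockers "$GOOD_CONF")"
```

The rewrite leaves cipher BF-CBC and auth SHA1 alone because that is what both ends in the thread used. BF-CBC is a 64-bit block cipher that OpenVPN 2.4 already warns about, and the RouterOS OVPN client also offers aes128/aes256 in its cipher list, so AES is the better choice whenever the MikroTik side can be changed as well.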

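Added example (editor's, not OpenVPN's code): a model of OpenVPN's compression stub framing, to show where the log line Marcel posted comes from. A peer configured with comp-lzo no (compression off, framing kept) puts one header byte, 0xFA (NO_COMPRESS in OpenVPN's lzo.c), in front of every packet and expects it on every packet it receives; a peer with no compression configured at all, which is what the thread says the MikroTik must run, puts nothing. The receiving side then reports the first byte it actually saw, in decimal, as "Bad compression stub decompression header byte". The packet here is a constructed IPv4 header, so the value printed is 69 (0x45); the 42 in the real log is simply whatever led the MikroTik's packet.

```sh
#!/bin/sh
# Editor's example: a model of the 'comp-lzo no' stub framing, enough to
# reproduce the shape of the log line in the thread. A packet is written as
# space-separated decimal byte values.
set -e

NO_COMPRESS=250   # 0xFA, the NO_COMPRESS header byte from OpenVPN's lzo.c

# Constructed 20-byte IPv4 header (192.168.88.10 -> 192.168.218.10); the
# first byte 69 is 0x45: version 4, IHL 5.
IPV4_PKT="69 0 0 20 0 1 0 0 64 1 0 0 192 168 88 10 192 168 218 10"

# Sender with stub framing: one header byte in front of the payload.
stub_frame() {
    printf '%s %s' "$NO_COMPRESS" "$1"
}

# Receiver with stub framing: the first byte must be NO_COMPRESS. Anything
# else is reported in decimal (OpenVPN prints it with %d) and the packet is
# dropped, which is the message pfSense logged.
stub_unframe() {
    first=${1%% *}
    rest=${1#* }
    if [ "$first" -ne "$NO_COMPRESS" ]; then
        echo "Bad compression stub decompression header byte: $first" >&2
        return 1
    fi
    printf '%s' "$rest"
}

# Receiver with no compression configured: bytes go straight to the tun
# device, so whatever is in front is treated as the IP header.
plain_unframe() {
    printf '%s' "$1"
}

# IP version nibble of the first byte: 4 for real traffic, 15 for 0xFA,
# which the kernel discards without any OpenVPN log line.
ip_version() {
    first=${1%% *}
    echo $(( first / 16 ))
}

echo "both sides 'comp-lzo no': payload starts $(stub_unframe "$(stub_frame "$IPV4_PKT")" | cut -c1-11)..."
echo "server 'comp-lzo no', client without compression:"
stub_unframe "$IPV4_PKT" || echo "  -> packet dropped by OpenVPN"
echo "server without compression, client 'comp-lzo no': tun sees IP version $(ip_version "$(plain_unframe "$(stub_frame "$IPV4_PKT")")"), kernel discards it"
```

The second case is the one in Marcel's log: the tunnel is up (TLS and the certificates are fine), every data packet is dropped at the compression layer, so nothing pings. Changing certificates does not touch this; the two sides have to agree on framing, which for the MikroTik means none.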