On my side (pfSense) I allowed everything in the OpenVPN tunnel rule.

I created a rule on the LAN to allow everything to the client's LAN,
and created another rule on the WAN allowing the client's WAN IP in. Nothing
else is missing, right? I'll send him the email.





Regards,

*Marcel Laino*
Vivo: (11) 95287-5837
[email protected]
facebook.com/marcellaino
youtube.com/marcellaino
br.linkedin.com/in/marcellaino
google.com/+MarcelLaino

On Thu, Mar 15, 2018 at 12:42 PM, Victor Franca <[email protected]> wrote:

> From the description, if they don't talk to each other it's a firewall rule. If
> your side is OK, then yes, he will have to create the iptables rules there.
>
> 2018-03-15 11:58 GMT-03:00 Marcel Laino <[email protected]>:
>
> > Good morning.
> >
> > For it to work on the MikroTik, the OpenVPN server must *not* have:
> > — LZO compression (I was using the default: No Preference)
> > — UDP port (I configured it to run TCP, IPv4 only)
> >
> > I'll convert the keys through the pfSense shell and send them to the MikroTik
> > technician to import, since the VPN connected but doesn't ping and can't reach
> > the \\. Does it now really need all those iptables settings on the MikroTik
> > side as well? I only need the LANs to talk to each other via IP to reach the \\
> > on the other end.
> > After fixing the certificate, will the networks still not talk to each other?
> >
> > Regards,
> >
> > *Marcel Laino*
> >
> > On Thu, Mar 15, 2018 at 10:27 AM, Ulisses Féres - Abratel Telecom <[email protected]> wrote:
> >
> > > Friend, I'll try to list a step by step for you to follow:
> > >
> > >
> > > For it to work on the MikroTik, the OpenVPN server must *not* have:
> > > — LZO compression
> > > — UDP port
> > >
> > > Some adjustments are needed. Still on Linux, convert the keys to RSA:
> > >
> > >
> > > openssl rsa -in ca.key -text > ca.rsa
> > > openssl rsa -in client2.key -text > client2.rsa
> > >
> > > *ON THE MIKROTIK*
> > >
> > > Import these 4 files below from Linux and drag them into the MikroTik.
> > > Then in its terminal run:
> > > /certificate import file-name=ca.crt (press Enter until it finishes)
> > > /certificate import file-name=ca.rsa (press Enter until it finishes)
> > > /certificate import file-name=client4.crt (press Enter until it finishes)
> > > /certificate import file-name=client4.rsa (press Enter until it finishes)
> > >
> > > On the MIKROTIK:
> > >
> > > *INTERFACES –> ADD –> OPENVPN CLIENT*
> > > Dialup: A.B.C.D (OpenVPN server IP)
> > > port: 1195
> > > mode: ip
> > > user: cliente4 (key name)
> > > pass: empty
> > > profile: default-encryption
> > > Certificate: client4.crt_0
> > > Auth: sha1
> > > Cipher: blowfish 128
> > >
> > > After connecting, under *IP –> ROUTE* check whether it automatically created
> > > the route to the destination network/destination_network going out through the OpenVPN client.
> > >
> > > I created a masquerade in the firewall with:
> > > SOURCE: MikroTik LAN network
> > > OutInterface: the OpenVPN client interface created
> > > Action tab: Masquerade
> > >
> > > *Step 4 — Routing – ONLY IF YOU NEED TO ACCESS THE INTERNAL LAN WHERE THE
> > > ASTERISK VPN SERVER IS LOCATED*
> > >
> > > To keep things simple we're going to do our routing directly with iptables
> > > rather than the new firewalld.
> > >
> > > First, make sure the iptables service is installed and enabled.
> > >
> > > yum install iptables-services -y
> > > systemctl mask firewalld
> > > systemctl enable iptables
> > > systemctl stop firewalld
> > > systemctl start iptables
> > > iptables --flush
> > > Next we’ll add a rule to iptables to forward our routing to our OpenVPN
> > > subnet, and save this rule.
> > >
> > > iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
> > > iptables-save > /etc/sysconfig/iptables
> > > Then we must enable IP forwarding in sysctl. Open sysctl.conf for editing.
> > > vi /etc/sysctl.conf
> > > Add the following line at the top of the file:
> > >
> > > net.ipv4.ip_forward = 1
> > >
> > > Then restart the network service so the IP forwarding will take effect.
> > > systemctl restart network.service
> > >
> > > *Step 5 — Starting OpenVPN*
> > >
> > > Now we’re ready to run our OpenVPN service. So lets add it to
> systemctl:
> > > 1
> > > 2
> > > systemctl -f enable [email protected]
> > > systemctl start [email protected]
> > >
> > > *On the MK create a masquerade rule:*
> > > NAT –> ADD
> > > Chain: srcnat
> > > Src. Address: LAN network (example: 192.168.88.0/24)
> > > Dst. Address: LAN network of the VPN on the other side (192.168.218.0/24)
> > > Out Interface: name-of-the-openvpn-interface
> > > Action: Masquerade
> > >
> > > *In MANGLE:*
> > > ADD
> > > Chain: Prerouting
> > > Src. Address: LAN network (example: 192.168.88.0/24)
> > > Dst. Address: LAN network of the VPN on the other side (192.168.218.0/24)
> > > Action: Mark routing
> > > New Routing Mark: OpenVpn-NAME
> > > *Uncheck Passthrough*
> > >
> > >
> > > *IP –> ROUTES*
> > > ADD
> > > Dst. Address: 192.168.218.0/24 (LAN on the other side)
> > > Gateway: openvpn-gw-created-automatically
> > > Routing Mark: OpenVpn-NAME (given by the Mangle rule above)
> > >
> > > Good luck.
> > >
> > >
> > >
> > > Ulisses Féres Cerqueira
> > > Infrastructure and Projects
> > > 55 32 3722-4004 ext. 928
> > > 55 32 98489-6455
> > > [email protected]
> > > www.abratel.com.br
> > >
> > >
> > >
> > >
> > >
> > > 2018-03-14 15:38 GMT-03:00 Marcel Laino <[email protected]>:
> > >
> > > > The VPN is connected, but it doesn't ping and can't reach anything. The logs
> > > > show this.
> > > >
> > > > openVPN_mikrotik_BAHIA / wan mikrotik: 32852 Byte de cabeçalho de
> > > > descompressão do stub de compressão incorreta: 42
> > > >
> > > >
> > > >
> > > >
> > > > Regards,
> > > >
> > > > *Marcel Laino*
> > > >
> > > > On Wed, Mar 14, 2018 at 3:36 PM, Marcel Laino <[email protected]> wrote:
> > > >
> > > > > Can anyone help with this configuration? The VPN is connected, but the
> > > > > networks don't talk to each other at all.
> > > > >
> > > > > I followed this scenario, but it doesn't work. I tried IPsec and it doesn't
> > > > > connect either. I had IPsec connected with this MikroTik on version 2.1.5,
> > > > > but I updated pfSense and it no longer connected.
> > > > >
> > > > > *pfSense:*
> > > > >
> > > > > 1. System -> Cert Manager -> CAs
> > > > > Create new CA (*vpn-tunnel-ca*). Export "CA cert" file (my-ca.crt).
> > > > >
> > > > > 2. System -> Cert Manager -> Certificates
> > > > > Create two certificates (use CA created above) - one for the VPN Server
> > > > > (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key
> > > > > files for client certificate (mik-vpn.crt and mik-vpn.key).
> > > > >
> > > > > 3. VPN -> OpenVPN -> Server
> > > > > Create new VPN server:
> > > > >
> > > > > Server Mode: Peer to Peer (SSL/TLS)
> > > > > Protocol: TCP
> > > > > Device Mode: tun
> > > > > Interface: ITD
> > > > > Local port: 1195
> > > > > TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
> > > > > Peer Certificate Authority: vpn-tunnel-ca
> > > > > Server Certificate: vpn-tunnel
> > > > > Encryption algorithm: BF-CBC (128-bit)
> > > > > Auth Digest Algorithm: SHA1 (160-bit)
> > > > > IPv4 Tunnel Network: x.x.x.x/30 (172.20.20.0/30)
> > > > > IPv4 Local Network/s: lan (192.168.0.0/24)
> > > > > IPv4 Remote Network/s: lan client (10.10.2.0/26)
> > > > > Compression: No Preference
> > > > > Advanced: client-to-client
> > > > >
> > > > > 4. VPN -> OpenVPN -> Client Specific Overrides
> > > > > Create new override:
> > > > >
> > > > > Common name: mik-vpn
> > > > > Advanced: iroute (lan client) mask
> > > > >
> > > > >
> > > > > *MikroTik:*
> > > > >
> > > > > 1. Copy two certificate files and the key file to Files. Import all of
> > > > > them from System/Certificates.
> > > > >
> > > > > 2. PPP -> Interface - create new OVPN Client:
> > > > > Name: ovpn-office
> > > > > Connect To: wan pfsense
> > > > > Port: 1195
> > > > > Mode: ip
> > > > > User: any
> > > > > Certificate: mik-vpn.crt_0
> > > > > Auth: sha1
> > > > > Cipher: blowfish 128
> > > > > Add Default Route: (do not check this)
> > > > >
> > > > > It works as expected - I can ping workstations from both sides of the
> > > > > tunnel.
> > > > >
> > > > > Regards,
> > > > >
> > > > > *Marcel Laino*
> > > > >
> > > > >
> > > > >
> > > > >
> > > > _______________________________________________
> > > > Pfsense-pt mailing list
> > > > [email protected]
> > > > http://lists.pfsense.org/mailman/listinfo/pfsense-pt
> > > >
> >
> >
> >
>
>
>
> --
> ..................................................................
> Regards
>
>
> Victor França
>
> Support Analyst
>
> EW Informática
>
> Rua Uruguaiana nº 10, Sala 309 - Rio de Janeiro, Centro.
>
> +55 21 3203 - 0368 (Opção 5)
> +55 21 99519 - 5342 (VIVO)
>
> e-mail: [email protected]
> GTalk: [email protected]
> Telegram: https://t.me/victorfmaraujo
>
> Visit our site http://ewinfo.com.br and request support through our
> online chat
>
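Added example, not code from pfSense, MikroTik or anyone in this thread: a Python checker that parses an OpenVPN server config and flags the settings the thread identifies as breaking the MikroTik OVPN client (compression, UDP transport, the TLS Authentication shared key), and separately warns about the BF-CBC/SHA1 crypto the recipe uses. Both sample configs are constructed for the example.

```python
"""Check an OpenVPN server config for the MikroTik OVPN-client constraints this
thread settles on (no compression, TCP transport, no shared TLS key) and warn
about the legacy BF-CBC/SHA1 crypto. Added example, not code from the thread."""

# Constructed sample with the settings the thread says break the MikroTik client.
SAMPLE_BAD = """\
dev tun
proto udp4
port 1195
comp-lzo
cipher BF-CBC
auth SHA1
tls-auth /var/etc/openvpn/server1.tls-auth 0
server 172.20.20.0 255.255.255.252
"""

# Constructed sample after the thread's fixes plus a stronger cipher and digest.
SAMPLE_OK = """\
dev tun
proto tcp4-server
port 1195
cipher AES-256-CBC
auth SHA256
server 172.20.20.0 255.255.255.252
"""

def parse_openvpn(text):
    """Yield (directive, args); '#' and ';' start comments in OpenVPN configs."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]

def check_openvpn_server(text):
    """Return {'blocking': [...], 'warnings': [...]} for one server config."""
    blocking, warnings = [], []
    for directive, args in parse_openvpn(text):
        if directive == "proto" and args and not args[0].lower().startswith("tcp"):
            blocking.append(f"proto {args[0]}: the MikroTik client in this thread only connected over TCP")
        elif directive in ("comp-lzo", "compress"):
            blocking.append(f"{directive}: compression must be off for the MikroTik client")
        elif directive in ("tls-auth", "tls-crypt"):
            blocking.append(f"{directive}: shared TLS key is not supported by the MikroTik client")
        elif directive == "cipher" and args and args[0].upper() == "BF-CBC":
            warnings.append("cipher BF-CBC: 64-bit block cipher (SWEET32); use an AES cipher the client supports")
        elif directive == "auth" and args and args[0].upper() == "SHA1":
            warnings.append("auth SHA1: prefer SHA256 or stronger where the client supports it")
    return {"blocking": blocking, "warnings": warnings}
```

Run it against the server's generated config before sending keys to the remote side; the "Bad compression stub decompression header byte" log line quoted earlier in the thread is what a compression mismatch looks like from the server.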
