
RouterOS 与 CentOS（racoon）之间的 IPsec host-to-host 加密：IKEv1 主模式 + 预共享密钥，传输模式（tunnel=no），只保护这两台主机之间的流量

routeros 设置

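# RouterOS side: one IKEv1 main-mode peer authenticated by a pre-shared key, one phase 2 proposal,
# and a transport-mode (tunnel=no) policy covering all traffic between the two hosts.
# Each "add" below is a single console command (the original listing wrapped them across lines).
# NOTE(review): 3des / sha1 / modp1024 (DH group 2) are kept only because the racoon proposal on the
# CentOS side uses the same set; all three are deprecated. Move both sides together to e.g.
# enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048.
# nat-traversal=no and dpd-interval=disable-dpd assume both hosts sit on public addresses with no NAT
# in between; secret="xxxxx" is a placeholder and must be a long random value identical to the
# line in /etc/racoon/psk.txt on the CentOS host.
/ip ipsec peer add address=xx.xx.xx.xx/32 port=500 auth-method=pre-shared-key secret="xxxxx" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
# Phase 2 proposal. pfs-group=none means no fresh DH exchange per IPsec SA, so all data keys depend
# on the single phase 1 secret; set a PFS group on both sides if that matters for this link.
/ip ipsec proposal add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=0s pfs-group=none
# level=require: packets matching this policy are only passed inside an SA, never in clear text.
# ipsec-protocols=ah-esp negotiates AH on top of ESP; ESP with sha1 already authenticates the payload
# and AH does not survive NAT, so esp alone is the usual choice (must then match racoon's sainfo).
/ip ipsec policy add src-address=xx.xx.xx.xx/32 src-port=any dst-address=xx.xx.xx.xx/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=ah-esp tunnel=no sa-src-address=xx.xx.xx.xx sa-dst-address=xx.xx.xx.xx proposal=default priority=0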

CentOS 端安装 ipsec-tools（包含 racoon 守护进程与 setkey）：`yum install ipsec-tools`，然后编辑以下配置文件

/etc/racoon/racoon.conf

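# /etc/racoon/racoon.conf -- IKEv1 daemon configuration on the CentOS host.
# Quotes must be plain ASCII double quotes; the typographic quotes in the original listing do not parse.
path include "/etc/racoon";
# Pre-shared keys, one "<identifier> <key>" line per peer. Keep the file root-owned, mode 0600.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

# NOTE(review): this "anonymous" block is the stock road-warrior template (XAuth + mode-cfg,
# aggressive mode, md5). It is not used by the RouterOS peer, which has its own block in the
# included file below, yet it makes racoon answer IKE from any source address. Aggressive mode with
# PSK authentication hands a hash of the PSK to an unauthenticated initiator, enabling offline
# guessing; unless roaming XAuth clients are actually needed, delete this whole block, or at least
# remove "aggressive" and "base" from exchange_mode.
remote anonymous {
    exchange_mode aggressive, main, base;
    mode_cfg on;
    # obey: as responder, accept the initiator's lifetime, key length and PFS choice.
    proposal_check obey;
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    # passive: only respond to unknown peers, never initiate towards them.
    passive on;
    dpd_delay 30;

    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) algorithms offered and accepted for any peer.
# NOTE(review): blowfish and hmac_md5 are legacy and are negotiable simply by being listed here.
# Reduce to aes + hmac_sha1 (or hmac_sha256) once the RouterOS proposal is updated to match.
sainfo anonymous {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

# Peer-specific phase 1 settings for the RouterOS host; the included file must exist under this exact name.
include "/etc/racoon/xx.xx.xx.xx.conf";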

/etc/racoon/xx.xx.xx.xx.conf（文件名必须与上面 racoon.conf 中 include 的路径一致，通常以对端地址命名）

# /etc/racoon/xx.xx.xx.xx.conf -- phase 1 settings for the RouterOS peer; they mirror the RouterOS
# "ip ipsec peer" entry (pre-shared key, main mode, 3des/sha1, dh_group 2 = modp1024).
remote xx.xx.xx.xx
{
# racoon initiates with the first listed mode and accepts any listed mode as responder. The RouterOS
# peer is configured main-only, so "aggressive" is never needed; drop it so a PSK hash is never
# sent in an aggressive-mode exchange.
exchange_mode main, aggressive;
# Identify this host by its IP address; the peer's psk.txt entry is looked up by identifier,
# which for the RouterOS side is its address too.
my_identifier address;
proposal {
# NOTE(review): 3des / sha1 / group 2 are deprecated. Upgrade together with the RouterOS peer
# and proposal settings (e.g. aes 256, sha256, dh_group 14 = modp2048) or the SA will not form.
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

/etc/racoon/psk.txt

# /etc/racoon/psk.txt -- "<peer identifier> <key>", whitespace separated; the RouterOS peer is matched by its address.
# NOTE(review): "password" is a placeholder. Use a long random PSK identical to the RouterOS secret=,
# and keep this file root-owned with mode 0600; racoon's file check rejects a key file readable by others.
xx.xx.xx.xx password