اتصال VPN IPSec بين MikroTik و Kerio Control

• 4.1 في الحقل "مفتاح محدد مسبقًا:" أدخل عبارة المفتاح التي سيتم استخدامها للاتصال ؛
• ملاحظة:
  
  أوصي بشكل قاطع بتعيين جميع العبارات الرئيسية على جميع أنفاق VPN التي تم إنشاؤها على خادم Kerio محدد واحد!
  
  هذا يرجع إلى حقيقة أن كيريو لديه خطأ عائم ، والذي يتم التعبير عنه في ما يلي.
  
  تخيل أنه في تكوين Kerio ، كما في حالتي ، هناك عدة واجهات "نفق VPN" تم تكوينها للاتصال بـ MikroTik ، والتي تختلف عن بعضها البعض فقط في الإعدادات الموجودة في حقل "المعرف المحلي:" (سيتم مناقشتها أدناه).
  
  لذلك ، عند إنشاء (سأطلق عليه ذلك) نفق وارد ، بغض النظر عن عنوان IP الخارجي الذي ستتصل به Kerio مع MikroTik ، سيقوم Kerio (لسبب ما) بتنشيط الواجهة الأولى التي تظهر ، وإذا كان عنوان IP المحدد في الإعدادات النفق على جانب كيريو يختلف عن النفق الذي يشير إليه MikroTik ، النفق غير منظم.
  
  وفي حالة الإشارة إلى عبارات رئيسية مختلفة لجميع الأنفاق ، تتوقف هذه المشكلة.
• 4.2 في حقل "المعرف المحلي:" ، أدخل عنوان IP من تجمع عناوين ISP # 1 (في المثال 11.11.11.111) المعين لواجهة Keran Control # 1 WAN ، التي ستصل إليها MikroTik ؛
• 4.3 في حقل "المعرف البعيد:" ، أدخل FQDN ، والذي تم الحصول عليه بواسطة MikroTik من DDNS (IP ---> Cloud ---> DNS Name). يسمح لنا هذا الإعداد بعدم الاهتمام بكيفية وصول ISP MikroTik إلى Kerio ؛
• 4.4 في حقل "تشفير المرحلة الأولى (IKE):" حدد aes128-sha1-modp2048 من القائمة ؛
• 4.5 في حقل "المرحلة الثانية من التشفير (ESP):" حدد 3des-sha1-modp2048 من القائمة ؛
• ملاحظة:
  تحرير الإعدادات الافتراضية المستخدمة من خلال زر "تغيير ..." ؛
  يتم اختيار كل من الأصفار باستخدام "أسلوب بدس العلمية".

• 6.1 ألغ تحديد المربع "استخدام الشبكات المحلية المكتشفة تلقائيًا" ؛
• 6.2 قم بتعيين خانة الاختيار "استخدام الشبكات المخصصة:" ، وأضف عنوان الشبكة "يغطي" مجموعة كاملة من العناوين المستخدمة في الشبكة المحلية وراء Kerio Control إلى قائمة الشبكات (في المثال - 192.168.0.0/16).

• المصدر - تشير إلى FQDN التي تلقاها MikroTik لدينا من DDNS ؛
• الوجهة - جدار الحماية
• خدمة - بينغ.
• يمكنك أيضًا تحديد إصدار IP (IPv4) ، لكن هذا ليس ضروريًا.

 /ip ipsec proposal add enc-algorithms=3des name=KerioVPNProposal#01 pfs-group=modp2048 

 /ip ipsec policy group add name=1 add name=2 add name=3 add name=4 

 /ip ipsec peer add address=11.11.11.111/32 comment=vs01-i01-01.domain.ru exchange-mode=\ main-l2tp local-address=33.33.33.111 my-id=\ fqdn:mikrotik.sn.mynetname.net policy-template-group=1 profile=\ profile_4 secret=pass1111 

 /ip ipsec policy add comment=KerioVPNPolicy dst-address=192.168.77.0/24 proposal=KerioVPNProposal#01 \ sa-dst-address=11.11.11.111 sa-src-address=33.33.33.111 src-address=\ 192.168.22.0/24 tunnel=yes 

 :if ([:len [/system script job find script=SetIPSecSADstAddrFromDNS]]>1) do={ :error } :local DnsNameFromComment :local ResolvedIpFromComment :local ResolvedIpWithMaskFromComment :local IpPeerAddr :foreach IpSecPeerCount in=[/ip ipsec peer find] do={ :set DnsNameFromComment [/ip ipsec peer get $IpSecPeerCount comment] :if ($DnsNameFromComment!="") do={ :do { :set ResolvedIpFromComment [:resolve $DnsNameFromComment] :set ResolvedIpWithMaskFromComment ($ResolvedIpFromComment . "/32") :set IpPeerAddr [/ip ipsec peer get $IpSecPeerCount address] :if ($ResolvedIpWithMaskFromComment!=$IpPeerAddr) do={ :log warning ("[SetIPSecSADstAddrFromDNS]     " . DnsNameFromComment . "  IP-  " . $IpPeerAddr . "  " . $ResolvedIpFromComment) #:log warning ("[SetIPSecSADstAddrFromDNS] In the peer to the server " . DnsNameFromComment . " changed IP address from " . $IpPeerAddr . " on " . $ResolvedIpFromComment) /ip ipsec peer set $IpSecPeerCount address=$ResolvedIpWithMaskFromComment } } on-error={ :set ResolvedIpFromComment "unknown" :log error ("[SetIPSecSADstAddrFromDNS]     " . $DnsNameFromComment) #:log error ("[SetIPSecSADstAddrFromDNS] Cant resolve name " . $DnsNameFromComment) } } } :log warning ("[SetIPSecSADstAddrFromDNS]  IP- VPN- ") #:log warning ("[SetIPSecSADstAddrFromDNS] The IP-addresses of the VPN-servers are checked") 

 #   IP --> Cloud   DNS- #  : # # $start (true/false); # #  ""  "updated" :global subUpdateCloudDns do={ put ($start); :if ($start=false) do={ set $CloudDnsStatus; #     set $m 1; log warning ("[subUpdateCloudDns] ---> DDNS  --->  "); #log warning ("[subUpdateCloudDns] ---> DDNS status ---> CHECK STARTED"); do { log warning ("[subUpdateCloudDns] ---> DDNS ,  ---> " . $m); [/ip cloud force-update]; delay 30000ms; set $CloudDnsStatus ([/ip cloud get status]); set $m ($m+1); :if ($CloudDnsStatus="updated") do={ log warning ("[subUpdateCloudDns] ---> DDNS  ---> " . $CloudDnsStatus); #log warning ("[subUpdateCloudDns] ---> DDNS status ---> " . $CloudDnsStatus); } else={ log error ("[subUpdateCloudDns] ---> DDNS  ---> " . $CloudDnsStatus); #log error ("[subUpdateCloudDns] ---> DDNS status ---> " . $CloudDnsStatus); } } while=(($CloudDnsStatus!="updated") and ($m<10)); return ($CloudDnsStatus); } } #    IP --> Cloud #   : # # 0 - ; # 1 - ,   ; # 2 -    :global subCheckCloudDDNS do={ set $CloudDnsActive ([/ip cloud get ddns-enabled]); #  - ( $m=0 ) set $m 0; :if ($CloudDnsActive=yes) do { #  IP--->Cloud  ( $m=1 ) set $m ($m+1); set $CloudDnsStatus ([/ip cloud get status]); #    IP- (  IP--->Cloud    DNS) set $CloudDnsIP ([/ip cloud get public-address]); set $CheckIpAddr ([resolve [/ip cloud get dns-name]]); :if ($CloudDnsIP!=$CheckIpAddr) do={ #  IP  (  MikroTik  )... set $CloudDnsStatus "updating..."; } :if ($CloudDnsStatus="updated") do { #  IP--->Cloud    ( $m=2 ) set $m ($m+1); } } return ($m); } #       #  : # # $ScriptName ( ) :global subRepeatScript do={ put ($ScriptName); :if ($ScriptName!="") do { [/system script run $ScriptName]; } } #     VPN-   # #   IP- VPN-     :global subGetVpnServers do={ #    IP- VPN-        :foreach IpSecPeerId in=[/ip ipsec peer find passive!=yes] do={ set $CheckIpAddr [/ip ipsec peer get $IpSecPeerId address]; :if ($CheckIpAddr!="") do={ set $MaskPos [find $CheckIpAddr "/"]; set $GroupFromPeer ([/ip ipsec peer get $IpSecPeerId policy-template-group]); set $IpFromPeer ([pick $CheckIpAddr 0 $MaskPos]); set $VpnServersList ($VpnServersList, {{$GroupFromPeer; $IpFromPeer}}); } } return ($VpnServersList); } #        # #    ID   :global subDisableIpSecPeers do={ # ...  ,  (passive=false) ... :foreach IpSecPeerId in=[/ip ipsec peer find passive!=yes] do={ log warning ("[IP IPSec Peer] --->    ---> " . [/ip ipsec peer get $IpSecPeerId comment]); #log warning ("[IP IPSec Peer] ---> processed peer on ---> " . [/ip ipsec peer get $IpSecPeerId comment]); #  address   ... set $CheckIpAddr [/ip ipsec peer get $IpSecPeerId address]; :if ($CheckIpAddr!="") do={ #  address  ,  IP-  ... set $MaskPos ([find $CheckIpAddr "/"]); set $CheckIpAddr ([pick $CheckIpAddr 0 $MaskPos]); # ...   IPSec- :foreach IpSecPolicyId in=[/ip ipsec policy find sa-dst-address=$CheckIpAddr] do={ :if ($IpSecPolicyId!="") do={ :if ([/ip ipsec policy get $IpSecPolicyId disabled]!=yes) do={ [/ip ipsec policy disable $IpSecPolicyId]; log warning ("[IP IPSec Policy] --->  " . [/ip ipsec policy get $IpSecPolicyId comment] . " "); #log warning ("[IP IPSec Policy] ---> policy " . [/ip ipsec policy get $IpSecPolicyId comment] . " deactivated"); } #    ID     set $IdList ($IdList, $IpSecPolicyId); } } } # :     ,      :if ([/ip ipsec peer get $IpSecPeerId disabled]!=yes) do={ [/ip ipsec peer disable $IpSecPeerId]; log warning ("[IP IPSec Peer] ---> " . [/ip ipsec peer get $IpSecPeerId comment] . " ---> "); #log warning ("[IP IPSec Peer] ---> " . [/ip ipsec peer get $IpSecPeerId comment] . " ---> deactivated"); } } return ($IdList); } #        #  : # # $PeerID (ID   VPN-); # $PolIdList ( ID  $subDisableIpSecPeers); # $CloudIP (IP MikroTik  DDNS); # $SrcIP (src-address    VPN-) :global subEnableIpSecPeers do={ put ($PeerID); put ($PolIdList); put ($CloudIP); :if (($PeerID!="")&&($PeerID!=nil)&&($PolIdList!="")&&($PolIdList!=nil)&&($CloudIP!="")&&($CloudIP!=nil)) do={ #   VPN- set $ActiveVPN [/ip ipsec peer get $PeerID address]; :if ($ActiveVPN!="") do={ #  ,  IP-   set $MaskPos [find $ActiveVPN "/"]; set $ActiveVPN ([pick $ActiveVPN 0 $MaskPos]); } #   ,      :if ([/ip ipsec peer get $PeerID disabled]=yes) do={ delay 5000ms; [/ip ipsec peer enable $PeerID]; log warning ("[IP IPSec Peer] --->  peer  ---> " . [/ip ipsec peer get $PeerID address]); #log warning ("[IP IPSec Peer] ---> activated peer on ---> " . [/ip ipsec peer get $PeerID address]); } #    ID   PolIdList, ,    Src. Address, SA Src. Address  SA Dst. Address,   :foreach IpSecPolicyId in=$PolIdList do={ :if ($IpSecPolicyId!="") do={ :if ([/ip ipsec policy get $IpSecPolicyId src-address]!=$SrcIP) do={ [/ip ipsec policy set $IpSecPolicyId src-address=$SrcIP]; log warning ("[IP IPSec Policy] --->  src-address"); #log warning ("[IP IPSec Policy] ---> src-address changed"); } :if ([/ip ipsec policy get $IpSecPolicyId sa-src-address]!=$CloudIP) do={ [/ip ipsec policy set $IpSecPolicyId sa-src-address=$CloudIP]; log warning ("[IP IPSec Policy] --->  sa-src-address"); #log warning ("[IP IPSec Policy] ---> sa-src-address changed"); } :if ([/ip ipsec policy get $IpSecPolicyId sa-dst-address]!=$ActiveVPN) do={ [/ip ipsec policy set $IpSecPolicyId sa-dst-address=$ActiveVPN]; log warning ("[IP IPSec Policy] --->  sa-dst-address"); #log warning ("[IP IPSec Policy] ---> sa-dst-address changed"); } :if ([/ip ipsec policy get $IpSecPolicyId disabled]=yes) do={ delay 3000ms; [/ip ipsec policy enable $IpSecPolicyId]; log warning ("[IP IPSec Policy] --->  "); #log warning ("[IP IPSec Policy] ---> policy activated"); #  DNS- [/ip dns cache flush] } } } } } #      ID  #  : # # $PeerIP (IP    ); # $CloudIP (IP MikroTik  DDNS); # $action (enable/disable/skip) # #    ID,   ,  :global subGetPoliciesByPeer do={ put ($PeerIP); put ($CloudIP); put ($action); :if (($action="")||($action=nil)) do={ set $action "skip"; } :foreach IpSecPolicyId in=[/ip ipsec policy find sa-dst-address=$PeerIP] do={ :if ($IpSecPolicyId!="") do={ #     $action=disable,   :if (([/ip ipsec policy get $IpSecPolicyId disabled]!=yes)&&($action="disable")) do={ [/ip ipsec policy disable $IpSecPolicyId]; log warning ("[IP IPSec Policy] --->  "); #log warning ("[IP IPSec Policy] ---> policy deactivated"); } #     $CloudIP  sa-src-address!=$CloudIP ( ISP),     sa-src-address :if (($CloudIP!="")&&($CloudIP!=nil)&&([/ip ipsec policy get $IpSecPolicyId sa-src-address]!=$CloudIP)) do={ [/ip ipsec policy disable $IpSecPolicyId]; [/ip ipsec policy set $IpSecPolicyId sa-src-address=$CloudIP]; log warning ("[IP IPSec Policy] --->   --->  sa-src-address ---> " . $CloudIP); #log warning ("[IP IPSec Policy] ---> policy deactivated ---> new sa-src-address ---> " . $CloudIP); #   ,  Kerio   delay 30000ms; } #     $action=enable,   :if (([/ip ipsec policy get $IpSecPolicyId disabled]=yes)&&($action="enable")) do={ [/ip ipsec policy enable $IpSecPolicyId]; log warning ("[IP IPSec Policy] --->  "); #log warning ("[IP IPSec Policy] ---> policy activated"); #  DNS- [/ip dns cache flush] } #    ID     set $IdList ($IdList, $IpSecPolicyId); } } return ($IdList); } #   local-address  #  : # # $PeerID (ID   VPN-); # $CloudIP (IP MikroTik  DDNS) :global subCheckPeerLocalIp do={ put ($PeerID); put ($CloudIP); :if (($PeerID!="")&&($PeerID!=nil)&&($CloudIP!="")&&($CloudIP!=nil)) do={ #   DDNS-IP :if ([/ip ipsec peer get $PeerID local-address]!=$CloudIP) do={ [/ip ipsec peer set $PeerID local-address=$CloudIP]; log warning ("[IP IPSec Peer] --->  local-address"); #log warning ("[IP IPSec Peer] ---> local-address changed"); } } } 

 :if ([:len [/system script job find script=scriptCheckActiveVpnServer]]>1) do={ :error } #      scheduleStartup #   ,       :global subCheckCloudDDNS :global subCheckPeerLocalIp :global subDisableIpSecPeers :global subEnableIpSecPeers :global subGetPoliciesByPeer :global subGetVpnServers :global subUpdateCloudDns :local CheckIP :local CheckPeer #     DDNS ( ) :local CloudDnsStatus ([:put [$subCheckCloudDDNS]]) :local Exit false :local DefMikroTikSrcNet 192.168.11.0/24 :local DefKerioDstNet 192.168.77.0/24 :local DefKerioPropName KerioVPNProposal#01 :local DefKerioPolName KerioVPNPolicy :local IpSecPolicyId :local KerioName :local KerioVpnNatRuleName KerioVpnNatOut :local m :local n 1 :local PeerCount 0 :local PeerDisabled :local PingCount 3 :local PingResult :local PoliciesList :local PublicIp :local VpnServersList #   DDNS ,  ,    IP- MikroTik :if ($CloudDnsStatus=0) do={ #  Cloud DDNS  ,         :log error ("[schedule CheckActiveVpnServer] --->    VPN-   Cloud DDNS! (IP -> Cloud)") # :log error ("[schedule CheckActiveVpnServer] ---> to connect to the VPN server, you need to activate Cloud DDNS! (IP -> Cloud)") :error } :if ($CloudDnsStatus=1) do={ #  Cloud DDNS ,   ,   ( ) :set CloudDnsStatus [:put [$subUpdateCloudDns start=false]] :if ($CloudDnsStatus="updated") do={ :set CloudDnsStatus 2 } } :if ($CloudDnsStatus=2) do { #  Cloud DDNS    ... #  IP  DDNS :set PublicIp [/ip cloud get public-address] #   VPN-  ,    ( ) :set VpnServersList ([:put [$subGetVpnServers]]) #     :foreach VpnIpId in=$VpnServersList do={ :set PeerCount ($PeerCount+1) } #   VPN-    DDNS-IP ( ,   VPN-    ) :while (($Exit!=true)&&$n<=$PeerCount) do={ :foreach VpnIpId in=$VpnServersList do={ #  IP- VPN-    :if (($VpnIpId->0)=$n) do={ :set CheckIP ($VpnIpId->1) :if ($CheckIP!="") do={ #    IP :set PingResult ([:put [/ping address=$CheckIP count=$PingCount src-address=$PublicIp]]) :if ($PingResult=$PingCount) do={ :log warning ("[schedule CheckActiveVpnServer] ---> DDNS-IP ---> " . $PublicIp . " ---> VPN-IP ---> " . $CheckIP . " ---> Ping Result ---> " . $PingResult) #  IP ,     IP- :set CheckPeer (:put [/ip ipsec peer find address=($CheckIP . "/32")]) :if ($CheckPeer!="") do={ #   ,     src- (IP ---> Firewall ---> Address Lists),     Kerio #    Kerio    :set KerioName [/ip ipsec peer get $CheckPeer comment] #    (  ,  FQDN  Kerio   KerioName-Parameter1-...-Parameter_n :if ($KerioName!="") do={ #    :set m ([find $KerioName "-"]) #  KerioName    :set KerioName ([pick $KerioName 0 $m]) #    Firewall -> Address List (       : # Name ---> KerioName (eg srv1) # Address ---> DefMikroTikSrcNet (eg 192.168.99.0/24)) :set m [/ip firewall address-list find list=$KerioName] :set DefMikroTikSrcNet ([/ip firewall address-list get $m address]) } # ...          Kerio :set IpSecPolicyId (:put [/ip ipsec policy find comment="$DefKerioPolName"]) #      ,       # (    )         :if ($IpSecPolicyId="") do={ [/ip ipsec policy add disabled=yes dst-address=$DefKerioDstNet proposal=$DefKerioPropName sa-dst-address=$CheckIP sa-src-address=$PublicIp src-address=$DefMikroTikSrcNet tunnel=yes comment=$DefKerioPolName place-before=0] :log warning ("[schedule CheckActiveVpnServer] --->   " . $DefKerioPolName . " --->    ") #:log warning ("[schedule CheckActiveVpnServer] ---> created policy " . $DefKerioPolName . " ---> default parameters used") } else={ #   ,     src-address,   . :if ($DefMikroTikSrcNet!=[/ip ipsec policy get $IpSecPolicyId src-address]) do={ [/ip ipsec policy set $IpSecPolicyId src-address=$DefMikroTikSrcNet]; :log warning ("[schedule CheckActiveVpnServer] --->  " . $DefKerioPolName . "  ---> src-address   ---> " . $DefMikroTikSrcNet) #:log warning ("[schedule CheckActiveVpnServer] ---> policy " . $DefKerioPolName . " changed ---> src-address changed to ---> " . $DefMikroTikSrcNet) } } #   :set m #  NAT-      Kerio  :set m [/ip firewall nat find comment=$KerioVpnNatRuleName] :if ($m!="") do={ #   src-address   ipsec,       Kerio  :if ([/ip firewall nat get $m to-addresses]!=$DefMikroTikSrcNet) do={ [/ip firewall nat set $m to-addresses $DefMikroTikSrcNet] :log warning ("[IP Firewall NAT] --->    ---> " . $KerioVpnNatRuleName) #:log warning ("[IP Firewall NAT] ---> netmap rule changed ---> " . $KerioVpnNatRuleName) } } # ... local-address      IP MikroTik,    ( ) :put [$subCheckPeerLocalIp PeerID=$CheckPeer CloudIP=$PublicIp] # ...    :set PeerDisabled ([/ip ipsec peer get $CheckPeer disabled]) :if ($PeerDisabled=true) do={ #   ... #       ( ) :set PoliciesList ([:put [$subDisableIpSecPeers]]) #     VPN-   ( ) :put [$subEnableIpSecPeers PeerID=$CheckPeer PolIdList=$PoliciesList CloudIP=$PublicIp SrcIP=$DefMikroTikSrcNet] } else={ #   ... #      ,    ( ) :set PoliciesList ([:put [$subGetPoliciesByPeer PeerIP=$CheckIP CloudIP=$PublicIp SrcIP=$DefMikroTikSrcNet action="enable"]]) } :set Exit true } } else={ :log error ("[schedule CheckActiveVpnServer] ---> DDNS-IP ---> " . $PublicIp . " ---> VPN-IP ---> " . $CheckIP . " ---> Ping Result ---> " . $PingResult) } } } } :set n ($n+1) } } 

 :global StartupScript true :global RepeatRun false /system script run scriptFunctionsList 

 /system script run scriptSetIPSecSADstAddrFromDNS 

 /system script run scriptCheckActiveVpnServer