Marcel Laino
2018-03-14 18:36:30 UTC
Can anyone help with this configuration? The VPN is connected, but the
networks do not talk to each other at all.
I followed this scenario, but it does not work. I also tried IPsec and it does
not connect either. I had IPsec connected to this MikroTik on version 2.1.5,
but I updated pfSense and it no longer connected.
*pfSense:*
1. System -> Cert Manager -> CAs
Create new CA (*vpn-tunnel-ca*). Export "CA cert" file (my-ca.crt).
2. System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server
(vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key
files for client certificate (mik-vpn.crt and mik-vpn.key).
3. VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: ITD
Local port: 1195
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: BF-CBC (128-bit)
Auth Digest Algorithm: SHA1 (160-bit)
IPv4 Tunnel Network: 172.20.20.0/30
IPv4 Local Network/s: lan (192.168.0.0/24)
IPv4 Remote Network/s: lan client (10.10.2.0/26)
Compression: No Preference
Advanced: client-to-client
4. VPN -> OpenVPN -> Client Specific Overrides
Create new override:
Common name: mik-vpn
Advanced: iroute (lan client) mask
*MikroTik:*
1. Copy two certificate files and the key file to Files. Import all of them
from System/Certificates.
2. PPP -> Interface - create new OVPN Client:
Name: ovpn-office
Connect To: wan pfsense
Port: 1195
Mode: ip
User: any
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: blowfish 128
Add Default Route: (do not check this)
It works as expected - I can ping workstations from both sides of the
tunnel.
Regards,
*Marcel Laino*
Vivo: (11) 95287-5837
***@gmail.com
facebook.com/marcellaino <http://Facebook.com/marcellaino>
youtube.com/marcellaino
br.linkedin.com/in/marcellaino
google.com/+MarcelLaino
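The scenario above lists settings on two devices that have to agree exactly, and a tunnel that "connects" while the LANs stay unreachable is usually a routing or override problem rather than a TLS one. The script below is an added example, not part of the original post or of pfSense/RouterOS: it transcribes the post's values into plain dicts (constructed, not device exports), derives the tunnel endpoints and the `route`/`iroute` lines the server side must end up with, and reports mismatches between the two sides. The MikroTik cipher and digest labels (`blowfish 128`, `sha 1`, the AES options) and the `static_routes` field are assumptions about the RouterOS 6 client; the post does not mention a static route on the MikroTik side.

```python
"""Consistency checker for a pfSense <-> MikroTik OpenVPN site-to-site setup
(added illustration; values transcribed from the mailing-list post)."""
import ipaddress

# MikroTik OVPN client labels -> OpenVPN names.  Assumption: RouterOS 6 UI labels.
MIKROTIK_CIPHER = {"blowfish 128": "BF-CBC", "aes 128": "AES-128-CBC",
                   "aes 192": "AES-192-CBC", "aes 256": "AES-256-CBC"}
MIKROTIK_AUTH = {"sha 1": "SHA1", "md5": "MD5"}
# 64-bit block ciphers: birthday-bound attacks (SWEET32) apply to long-lived tunnels.
WEAK_64BIT_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Constructed dicts holding the settings from the post (not pfSense/RouterOS exports).
PFSENSE_SERVER = {
    "protocol": "TCP", "port": 1195, "tls_auth": False,
    "cipher": "BF-CBC (128-bit)", "auth": "SHA1 (160-bit)",
    "tunnel_network": "172.20.20.0/30",
    "local_network": "192.168.0.0/24",
    "remote_network": "10.10.2.0/26",
    "client_to_client": True,
}
PFSENSE_OVERRIDE = {"common_name": "mik-vpn"}
MIKROTIK_CLIENT = {
    "port": 1195, "cipher": "blowfish 128", "auth": "sha 1",
    "cert_cn": "mik-vpn",              # CN of mik-vpn.crt, imported as mik-vpn.crt_0
    "add_default_route": False,
    "static_routes": ["192.168.0.0/24"],  # assumption: added by hand on the MikroTik
}


def pfsense_name(value):
    """'BF-CBC (128-bit)' -> 'BF-CBC', 'SHA1 (160-bit)' -> 'SHA1'."""
    return value.split()[0].upper()


def tunnel_endpoints(tunnel_network):
    """Server and client addresses inside the tunnel subnet (first two hosts)."""
    hosts = list(ipaddress.ip_network(tunnel_network, strict=False).hosts())
    return str(hosts[0]), str(hosts[1])


def server_directives(server, override):
    """Routing the server side needs: a kernel 'route' into the tunnel plus a
    per-client 'iroute' (the Client Specific Override) for the same prefix."""
    remote = ipaddress.ip_network(server["remote_network"], strict=False)
    config = [f"route {remote.network_address} {remote.netmask}"]
    if server["client_to_client"]:
        config.append("client-to-client")
    ccd = {override["common_name"]: f"iroute {remote.network_address} {remote.netmask}"}
    return config, ccd


def check(server, client, override):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    if server["port"] != client["port"]:
        findings.append(f"port mismatch: {server['port']} vs {client['port']}")
    if server["protocol"].upper() != "TCP":
        findings.append("RouterOS 6 OVPN client uses TCP only; set the server to TCP")
    if server["tls_auth"]:
        findings.append("tls-auth is on, but the MikroTik client cannot use a shared TLS key")
    s_cipher = pfsense_name(server["cipher"])
    c_cipher = MIKROTIK_CIPHER.get(client["cipher"].lower())
    if s_cipher != c_cipher:
        findings.append(f"cipher mismatch: {s_cipher} vs {client['cipher']}")
    elif s_cipher in WEAK_64BIT_BLOCK:
        findings.append(f"{s_cipher} is a 64-bit block cipher (SWEET32); "
                        "prefer AES-128-CBC, which both sides support")
    s_auth = pfsense_name(server["auth"])
    if s_auth != MIKROTIK_AUTH.get(client["auth"].lower()):
        findings.append(f"auth digest mismatch: {s_auth} vs {client['auth']}")
    if override["common_name"] != client["cert_cn"]:
        findings.append("override common name must equal the client certificate CN, "
                        "otherwise the iroute is never applied")
    tunnel = ipaddress.ip_network(server["tunnel_network"], strict=False)
    if tunnel.prefixlen > 30:
        findings.append("tunnel network needs at least two host addresses (/30 or larger)")
    elif tunnel.prefixlen == 30:
        findings.append("/30 tunnel: iroute and client-to-client only act when OpenVPN runs "
                        "in server mode; confirm the generated server config uses 'server', "
                        "not a plain 'ifconfig' pair")
    local = ipaddress.ip_network(server["local_network"], strict=False)
    remote = ipaddress.ip_network(server["remote_network"], strict=False)
    if local.overlaps(remote) or tunnel.overlaps(local) or tunnel.overlaps(remote):
        findings.append("overlapping prefixes between LANs and tunnel; routes cannot disambiguate")
    if client["add_default_route"]:
        findings.append("client installs a default route through the tunnel; leave it unchecked")
    if local not in {ipaddress.ip_network(r, strict=False) for r in client["static_routes"]}:
        findings.append(f"MikroTik has no route for {local} via the OVPN interface")
    return findings


if __name__ == "__main__":
    for line in check(PFSENSE_SERVER, MIKROTIK_CLIENT, PFSENSE_OVERRIDE):
        print("-", line)
    config, ccd = server_directives(PFSENSE_SERVER, PFSENSE_OVERRIDE)
    print(*config, sep="\n")
    print(ccd)
```

With the post's values the checker reports no mismatches; what remains is the 64-bit-block cipher and the reminder that a /30 tunnel gives a point-to-point link, so the `iroute` override and `client-to-client` only matter if pfSense actually emits a `server` directive. Both LANs still need firewall rules permitting traffic on the OpenVPN interface, which the scenario does not cover.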