Good day. Before getting to the problem, I will describe how the setup works. There are two providers. Both are connected over PPPoE. Accordingly, traffic is marked and sent through NAT. Here are the firewall mangle, nat and /ip route settings:

/ip firewall mangle
add action=mark-connection chain=input in-interface=rtk new-connection-mark=input-RTK-conn passthrough=yes
add action=mark-routing chain=output connection-mark=input-RTK-conn new-routing-mark=RTK-route passthrough=no
add action=mark-connection chain=forward in-interface=rtk new-connection-mark=fw-RTK-conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=fw-RTK-conn in-interface=ether5-lan new-routing-mark=RTK-route passthrough=yes
add action=mark-connection chain=input in-interface=mts new-connection-mark=input-MTS-conn passthrough=yes
add action=mark-routing chain=output connection-mark=input-MTS-conn new-routing-mark=MTS-route passthrough=no
add action=mark-connection chain=forward in-interface=mts new-connection-mark=fw-MTS-conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=fw-MTS-conn in-interface=ether5-lan new-routing-mark=MTS-route passthrough=yes

/ip firewall nat
add action=src-nat chain=srcnat comment="SRC NAT to RTK" dst-address-list=!worknet out-interface=rtk src-address-list=worknet to-addresses=77.39.16.140
add action=src-nat chain=srcnat dst-address-list=!worknet ipsec-policy=out,none out-interface=mts src-address-list=worknet to-addresses=213.27.32.36
add action=netmap chain=dstnat dst-port=6000 in-interface=rtk log-prefix=RDP protocol=tcp src-address-list=mother to-addresses=172.31.10.10 to-ports=3389
add action=netmap chain=dstnat dst-port=6000 in-interface=mts log-prefix=RDP protocol=tcp src-address-list=mother to-addresses=172.31.10.10 to-ports=3389

/ip firewall filter
add action=drop chain=input comment="No windows update" disabled=yes dst-address-list=noupdate protocol=tcp
add action=drop chain=input comment="No windows update" disabled=yes protocol=tcp src-address-list=noupdate
add action=accept chain=input comment="Accept WinBox" connection-state=new dst-port=8291 protocol=tcp
add action=drop chain=forward comment="Drop invalid connection packets" connection-state=invalid disabled=yes
add action=accept chain=input comment="Accept established connections" connection-state=established,related
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=2222 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=blacklist address-list-timeout=3h chain=input comment="drop ssh 3 stage" connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=input comment="drop ssh brute forcers" src-address-list=blacklist
add action=drop chain=input in-interface-list=inet protocol=tcp src-port=3128
add action=drop chain=input comment="drop incomming DNS" dst-port=53 in-interface-list=inet protocol=udp

/ip route
add distance=2 gateway=rtk routing-mark=RTK-route
add distance=1 gateway=mts routing-mark=MTS-route
add disabled=yes distance=1 gateway=mts
add distance=1 dst-address=10.9.0.0/16 gateway=ipip-mother-mts
add distance=1 dst-address=161.8.0.0/16 gateway=ipip-mother-mts
add disabled=yes distance=1 dst-address=193.16.208.74/32 gateway=mts

And now the actual problem. For certain reasons I need to set up an IPsec tunnel to the parent organization. They do not know MikroTik and do not want to; everything on their side runs on Cisco.
They sent a letter with the following parameters: encryption 3des, hash sha, group 5 2, lifetime 86400, DH - esp-3des esp-sha-hmac, peer 193.16.208.74. The PSK, I think, has to be agreed separately. Local network 172.31.10.0/23, networks * - 10.9.0.0/16, 161.8.0.0/16. I do the following:

/interface ipip
add allow-fast-path=no clamp-tcp-mss=no disabled=yes ipsec-secret=secret local-address=213.27.32.36 name=ipip-mother-mts remote-address=193.16.208.7

/ip firewall filter
add action=accept chain=forward dst-port=500,4500 log=yes log-prefix="IPSEC FW" protocol=udp src-port=500,4500

/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively

/ip ipsec policy group
set [ find default=yes ] name=default

/ip ipsec profile
set [ find default=yes ] dh-group=modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes

/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no

I enable the tunnel: the peer is created, but it does not come up.
/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
 0 D name="ipip-mmk-mts" address=193.16.208.74/32 local-address=213.27.32.36 profile=default exchange-mode=main send-initial-contact=yes

/ip ipsec active-peers> print
Flags: R - responder, N - natt-peer
 # ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
[mikrotik@MikroTik] /ip ipsec active-peers>

The policy gets attached:

/ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 # PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
 0 T * ::/0 ::/0 all
 1 D ipip-mmk-mts no 213.27.32.36/32 193.16.208.74/32 ipencap encrypt require 0

There are SAs from my external address:

/ip ipsec installed-sa> print
Flags: H - hw-aead, A - AH, E - ESP
 0 E spi=0x56841A0 src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0
 1 E spi=0xE5F933B src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0
 2 E spi=0 src-address=213.27.32.36 dst-address=193.16.208.74 state=larval add-lifetime=0s/30s replay=0
 3 E spi=0x4724F36 src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0
 4 E spi=0xEBACB6D src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0

But the reverse ones go stale and get dropped. I suspect something is wrong in the firewall, some rule is missing, but I cannot figure out which one.
16:36:42 system,info log rule changed by mikrotik
16:36:50 ipsec,info initiate new phase 1 (Identity Protection): 213.27.32.36[500]<=>193.16.208.74[500]
16:36:50 ipsec,info ISAKMP-SA established 213.27.32.36[500]-193.16.208.74[500] spi:fa26cab8e033fdcc:0dcf315d6e03d5f8
16:36:50 ipsec,info purging ISAKMP-SA 213.27.32.36[500]<=>193.16.208.74[500] spi=fa26cab8e033fdcc:0dcf315d6e03d5f8.
16:36:50 ipsec,info ISAKMP-SA deleted 213.27.32.36[500]-193.16.208.74[500] spi:fa26cab8e033fdcc:0dcf315d6e03d5f8 rekey:1
16:37:00 ipsec,info initiate new phase 1 (Identity Protection): 213.27.32.36[500]<=>193.16.208.74[500]
16:37:00 ipsec,info ISAKMP-SA established 213.27.32.36[500]-193.16.208.74[500] spi:bfee288de577a3dc:6bf6589910e5a054
16:37:00 ipsec,info purging ISAKMP-SA 213.27.32.36[500]<=>193.16.208.74[500] spi=bfee288de577a3dc:6bf6589910e5a054.
16:37:00 ipsec,info ISAKMP-SA deleted 213.27.32.36[500]-193.16.208.74[500] spi:bfee288de577a3dc:6bf6589910e5a054 rekey:1
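The log above shows the phase-1 SA being established and torn down within the same second, twice in ten seconds. Added here as an example that is not part of the post: a small parser over RouterOS ipsec log lines that pairs each "ISAKMP-SA established" with its "ISAKMP-SA deleted" by SPI and reports peers whose phase-1 SA keeps dying within a few seconds. The sample input reuses the lines from the post plus one constructed healthy peer (198.51.100.1, a documentation address); timestamps are assumed to fall within one day.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the post above, plus one constructed long-lived SA for contrast.
SAMPLE_LOG = """16:36:42 system,info log rule changed by mikrotik
16:36:50 ipsec,info initiate new phase 1 (Identity Protection): 213.27.32.36[500]<=>193.16.208.74[500]
16:36:50 ipsec,info ISAKMP-SA established 213.27.32.36[500]-193.16.208.74[500] spi:fa26cab8e033fdcc:0dcf315d6e03d5f8
16:36:50 ipsec,info purging ISAKMP-SA 213.27.32.36[500]<=>193.16.208.74[500] spi=fa26cab8e033fdcc:0dcf315d6e03d5f8.
16:36:50 ipsec,info ISAKMP-SA deleted 213.27.32.36[500]-193.16.208.74[500] spi:fa26cab8e033fdcc:0dcf315d6e03d5f8 rekey:1
16:37:00 ipsec,info initiate new phase 1 (Identity Protection): 213.27.32.36[500]<=>193.16.208.74[500]
16:37:00 ipsec,info ISAKMP-SA established 213.27.32.36[500]-193.16.208.74[500] spi:bfee288de577a3dc:6bf6589910e5a054
16:37:00 ipsec,info purging ISAKMP-SA 213.27.32.36[500]<=>193.16.208.74[500] spi=bfee288de577a3dc:6bf6589910e5a054.
16:37:00 ipsec,info ISAKMP-SA deleted 213.27.32.36[500]-193.16.208.74[500] spi:bfee288de577a3dc:6bf6589910e5a054 rekey:1
16:40:00 ipsec,info ISAKMP-SA established 213.27.32.36[500]-198.51.100.1[500] spi:0011223344556677:8899aabbccddeeff
17:40:00 ipsec,info ISAKMP-SA deleted 213.27.32.36[500]-198.51.100.1[500] spi:0011223344556677:8899aabbccddeeff rekey:1
""".splitlines()

# RouterOS log format: "HH:MM:SS topics message"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.*)$")
ESTABLISHED_RE = re.compile(r"ISAKMP-SA established \S+\[\d+\]-(\S+)\[\d+\] spi:([0-9a-f]+:[0-9a-f]+)")
DELETED_RE = re.compile(r"ISAKMP-SA deleted \S+\[\d+\]-(\S+)\[\d+\] spi:([0-9a-f]+:[0-9a-f]+)")


def isakmp_lifetimes(lines):
    """Return (peer, spi, seconds_alive) for each phase-1 SA whose
    'established' and 'deleted' messages both appear, matched by SPI."""
    opened = {}  # spi -> (peer, time established)
    result = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "ipsec" not in m.group(2):
            continue
        ts, msg = datetime.strptime(m.group(1), "%H:%M:%S"), m.group(3)
        e = ESTABLISHED_RE.search(msg)
        if e:
            opened[e.group(2)] = (e.group(1), ts)
            continue
        d = DELETED_RE.search(msg)
        if d and d.group(2) in opened:
            peer, t0 = opened.pop(d.group(2))
            result.append((peer, d.group(2), (ts - t0).total_seconds()))
    return result


def flapping_peers(lines, max_seconds=5, min_events=2):
    """Peers whose phase-1 SA was deleted within max_seconds of being
    established at least min_events times: the pattern seen in the post."""
    short = defaultdict(int)
    for peer, _, alive in isakmp_lifetimes(lines):
        if alive <= max_seconds:
            short[peer] += 1
    return {peer: n for peer, n in short.items() if n >= min_events}


if __name__ == "__main__":
    print(flapping_peers(SAMPLE_LOG))  # {'193.16.208.74': 2}
```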
> Until it comes up, it is too early to be configuring the firewall

It is already configured. And turning it off means cutting the company off from the internet, which means extra complaints. Besides, I would still have to work out why it does not work in this particular configuration. Tomorrow I will try disabling the mangle chains and enabling the tunnel.