
Help with VPN - Certificates Mikrotik - Shrew VPN

Question | Other systems | MikroTik RouterOS

Member: Nova10

Nova10 (Level 1)

21.11.2014, updated 10:39, 1648 views, 2 comments

Hello,

I have been in Germany for 4 months, so my German is not good yet. I hope it is okay that I write in English.

I'm trying to set up the following scenario for testing purposes (all inside the LAN, without going out to the internet) using Mikrotik and Shrew VPN:
[Image: click to enlarge]

After a long fight I was able to connect using RSA signatures; I created the certificates in Mikrotik as described here: http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

But when I revoke the client1 or client2 certificate and kill the connection I'm still able to connect.

Most likely I'm doing something wrong, but I don't know what to try anymore...

I add here the configuration of Shrew and Mikrotik in case someone has an idea.

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-keylen:256
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:256
n:phase2-life-secs:28800
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
b:auth-server-cert-xxxx
b:auth-client-cert-xxxxx
b:auth-client-key- xxxxx
s:auth-client-cert-name:cert_export_client1.crt
s:auth-client-key-name:cert_export_client1.key
s:auth-server-cert-name:cert_export_ca.crt
s:network-host:10.0.0.1
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:10.0.0.1 / 255.255.255.255
Mikrotiktest
/ip address
add address=192.168.100.1/24 comment=LAN disabled=no interface=ether2 \
    network=192.168.100.0
add address=10.0.0.1/24 comment=WAN disabled=no interface=ether1 network=\
    10.0.0.0
/ip route
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=ether1 !route-tag !routing-mark scope=30 \
    target-scope=10
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=1 \
    dst-address=192.168.110.0/24 gateway=10.0.0.2 !route-tag !routing-mark \
    scope=30 target-scope=10
/ip ipsec mode-config
set (unknown) name=request-only send-dns=yes
/ip ipsec policy group
set default name=default
add name=RoadWarriors
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc lifetime=8h name=default pfs-group=modp1024
/ip pool
add name=dhcp_pool1 ranges=192.168.100.10-192.168.100.50
add name=ipsec ranges=192.168.130.51-192.168.130.150
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether2 lease-script="" lease-time=3d name=\
    dhcp1
/ip ipsec mode-config
add address-pool=ipsec address-prefix-length=24 name=cfg1 send-dns=yes \
    split-include=0.0.0.0/0

/ip ipsec peer
# remote-certificate=none: the certificate the client presents is checked against the CA in the
# certificate store instead of being pinned to one named client certificate.
# generate-policy corrected to the valid value port-override (the post had "port-overrade").
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server dh-group=\
    modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
    enc-algorithm=aes-256 exchange-mode=main generate-policy=port-override \
    hash-algorithm=sha1 lifebytes=0 lifetime=1d local-address=0.0.0.0 \
    mode-config=cfg1 nat-traversal=yes passive=yes policy-template-group=\
    RoadWarriors port=500 proposal-check=obey remote-certificate=none \
    send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/32 group=default proposal=default \
    protocol=all src-address=0.0.0.0/32 template=yes
add disabled=no dst-address=0.0.0.0/0 group=RoadWarriors proposal=default \
    protocol=all src-address=192.168.130.0/24 template=yes
In mikrotik2 I've only configured LAN, WAN and IP routes.

Any tip or help would be very much appreciated.

Mit freundlichen Grüßen

Nova
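Added example, not code from the post, MikroTik or Shrew: a gateway that only checks that a client certificate chains to the CA keeps accepting a revoked one, because revocation lives in a separate CA-signed CRL that has to be consulted as a second step. The program builds a constructed lab PKI (the names myca/client1/client2 follow the wiki page, the keys are generated on the fly), revokes client1, and shows the gateway-side check that rejects it, still accepts client2, and fails closed on a CRL from the wrong CA; it assumes Go 1.19 or newer.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert makes an RSA key pair and certificate; a nil parent yields a self-signed CA (constructed lab PKI, not the poster's keys).
func newCert(cn string, serial int64, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA: allowed to sign certificates and CRLs
		t.KeyUsage, parent, pkey = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der) // re-parse so SubjectKeyId is filled in (needed to sign a CRL)
	return c, key
}

// makeCRL is what "revoke" produces: a CA-signed list naming the revoked serial numbers.
func makeCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, serials ...int64) *x509.RevocationList {
	var rev []pkix.RevokedCertificate
	for _, s := range serials {
		rev = append(rev, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: rev}, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// accept is the gateway-side decision: chain to the trusted CA AND consult the CRL. Stopping after the
// chain check gives the behaviour in the post: a revoked client still connects.
func accept(cert, ca *x509.Certificate, crl *x509.RevocationList) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // not issued by our CA, or outside its validity period
	}
	if crl.CheckSignatureFrom(ca) != nil {
		return false // CRL not signed by our CA: refuse rather than fail open
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false // serial is on the revocation list
		}
	}
	return true
}
```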
Member: aqui
21.11.2014 at 10:51
For being just 4 months in Germany your German sounds excellent. No problem with English....
In your MT config the /certificate section is missing. Is that done intentionally for security reasons?
Which option did you use following the MT instructions? Generating them on the MT itself, or did you use the OpenSSL option?
A lot of questions, but this was not quite clear in your description.
P.S.: Don't be so formal with "Mit freundlichen Grüßen". In forums like these we follow the golden German rule: you can say "you" to me.
Member: Nova10
21.11.2014 at 11:31
Hello,

thanks for the answer and the tips.

Sorry for not adding the certificates; the export in Mikrotik doesn't show that info. I generated them directly in Mikrotik, exactly as they describe (myca, server, client1, client2).

I tried with PSK before and it worked, and with RSA too; both establish the tunnel, but the weird thing is that two tunnels are created for each client and the tunnels don't carry any traffic, even if I do pings or anything.

example:

[Image: click to enlarge]

8 tunnels: 4 for client1, 4 for client2.

I don't really know what to try anymore.

Thanks again.