s_kolew Публикувано 25 Септември, 2017 Доклад Сподели Публикувано 25 Септември, 2017 Привет, опитвам се да настроя OpenVPN server на Mikrotik RB, но когато се свържа с клиента, получавам следните логове с грешки и не успявам да се свържа: ovpn,debug,error,63336,61312,61900,62792,31696,63948,62736,61896,l2tp,info,61900,debug,79,65535,critical,360,39064,37776,79,64024,39576,4544,4043,37776,63948,54192,63948,error duplicate packet, dropping Конфигурацията е следната: [admin@CoreMikrotik] > export # sep/25/2017 16:46:42 by RouterOS 6.40.3 # software id = PC33-NERL # # model = RouterBOARD 962UiGS-5HacT2HnT # serial number = 6737052E08AF /caps-man channel add control-channel-width=20mhz frequency=2432 name=channel_2.4 tx-power=40 add band=5ghz-a control-channel-width=20mhz frequency=5180 name=channel_5G_48 add band=2ghz-b/g/n control-channel-width=20mhz frequency=2447 name=channel_2.4_guest add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5230 name=channel_5G_46_guest /interface bridge add admin-mac=E4:8D:8C:6B:F0:73 auto-mac=no name=br1_lan add name=br2_guest /interface ethernet set [ find default-name=ether1 ] comment=WAN /interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto mode=\ ap-bridge ssid=MikroTik-6BF078 wireless-protocol=802.11 /ip neighbor discovery set ether1 discover=no /caps-man datapath add bridge=br1_lan client-to-client-forwarding=yes local-forwarding=yes name=datapath add bridge=br2_guest name=datapath_guest /caps-man security add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security1 passphrase="\$Credit\$" add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=guest passphrase="\$CreditGuest\$" /caps-man configuration add channel=channel_2.4 datapath=datapath mode=ap name=cfg_2.4GhZ_lan security=security1 ssid=CRM13 add channel=channel_5G_48 datapath=datapath mode=ap name=cfg_5GhZ_lan security=security1 ssid=CRM13 add 
channel=channel_2.4_guest datapath=datapath_guest mode=ap name=cfg_2.4GhZ_guest security=guest ssid=Credit_guest add channel=channel_5G_46_guest datapath=datapath_guest mode=ap name=cfg_5GhZ_guest security=guest ssid=Credit_guest /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name=Credit_core \ wpa-pre-shared-key="\$Credit\$" wpa2-pre-shared-key="\$Credit\$" /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=2442 mode=\ ap-bridge security-profile=Credit_core ssid=Credit_core wireless-protocol=802.11 /ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot /ip pool add name=office_pool_no_vlan ranges=10.132.1.100-10.132.1.200 add name=office_guest_pool ranges=10.132.2.100-10.132.2.200 add name=vpn_pool ranges=10.132.1.201-10.132.1.210 /ip dhcp-server add address-pool=office_pool_no_vlan disabled=no interface=br1_lan name=office_no_vlan add address-pool=office_guest_pool disabled=no interface=br2_guest name=office_guest /ppp profile set *FFFFFFFE local-address=10.132.1.1 remote-address=vpn_pool /caps-man manager set enabled=yes /caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=cfg_2.4GhZ_lan name-format=\ prefix-identity name-prefix=ofc2g add action=create-dynamic-enabled hw-supported-modes=an,ac master-configuration=cfg_5GhZ_lan name-format=\ prefix-identity name-prefix=ofc5g /interface bridge port add bridge=br1_lan interface=ether3 add bridge=br1_lan interface=sfp1 add bridge=br1_lan interface=ether4 add bridge=br1_lan interface=ether5 add bridge=br1_lan interface=ether2 /interface list member add interface=br1_lan list=LAN add comment=defconf interface=ether1 list=WAN /interface ovpn-server server set auth=sha1 
certificate=MTserver cipher=aes256 default-profile=default-encryption enabled=yes keepalive-timeout=\ disabled mode=ethernet port=1195 require-client-certificate=yes /interface wireless cap set bridge=br1_lan caps-man-addresses=10.132.1.1 discovery-interfaces=br1_lan interfaces=wlan1 /ip address add address=10.132.1.1/24 interface=br1_lan network=10.132.1.0 add address=10.132.2.1/24 interface=br2_guest network=10.132.2.0 /ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 /ip dhcp-server network add address=10.132.1.0/24 comment=defconf gateway=10.132.1.1 netmask=24 add address=10.132.2.0/24 dns-server=8.8.8.8 gateway=10.132.2.1 /ip dns set allow-remote-requests=yes /ip dns static add address=192.168.88.1 name=router.lan /ip firewall address-list add address=10.132.1.0/24 list=office_net add address=10.132.2.0/24 list=guest_net /ip firewall filter add action=accept chain=input comment="Allow OpenVPN" dst-port=1195 protocol=tcp add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" 
connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN add action=accept chain=input comment="Allow OpenVPN" dst-port=1195 protocol=udp /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN add action=masquerade chain=srcnat out-interface=ether1 /ppp secret add name=admin password=XXXXXXX profile=default-encryption service=ovpn /system clock set time-zone-name=Europe/Sofia /system identity set name=CoreMikrotik /tool mac-server set [ find default=yes ] disabled=yes add interface=br1_lan /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=br1_lan [admin@CoreMikrotik] > Ето това получавам като output на OpenVPn клиента: Mon Sep 25 16:45:09 2017 MANAGEMENT: >STATE:1506347109,TCP_CONNECT,,,,,, Mon Sep 25 16:45:10 2017 TCP connection established with [AF_INET]10.16.131.29:1195 Mon Sep 25 16:45:10 2017 TCP_CLIENT link local: (not bound) Mon Sep 25 16:45:10 2017 TCP_CLIENT link remote: [AF_INET]10.16.131.29:1195 Mon Sep 25 16:45:10 2017 MANAGEMENT: >STATE:1506347110,WAIT,,,,,, Mon Sep 25 16:45:10 2017 MANAGEMENT: >STATE:1506347110,AUTH,,,,,, Mon Sep 25 16:45:10 2017 TLS: Initial packet from [AF_INET]10.16.131.29:1195, sid=a8b8e6e1 f37bb201 Mon Sep 25 16:45:11 2017 VERIFY OK: depth=1, C=BG, ST=BG, L=Sofia, CN=CA Mon Sep 25 16:45:11 2017 VERIFY KU OK Mon Sep 25 16:45:11 2017 Validating certificate extended key usage Mon Sep 25 16:45:11 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Mon Sep 25 16:45:11 2017 VERIFY EKU OK Mon Sep 25 16:45:11 2017 VERIFY OK: depth=0, C=BG, ST=BG, L=Sofia, CN=MTserver Mon Sep 25 16:45:11 2017 Connection reset, restarting [0] Mon Sep 25 16:45:11 2017 SIGUSR1[soft,connection-reset] received, process restarting Mon Sep 25 16:45:11 2017 MANAGEMENT: >STATE:1506347111,RECONNECTING,connection-reset,,,,, Mon Sep 25 16:45:11 2017 Restart pause, 20 second(s) Адрес на коментара 
cna Отговорено 1 Юли, 2019 И аз се мъча с един ОВПН + сертификати, ОВПН клиент, инсталиран на Уиндоус. След конекция се получава грешката с дублирания пакет, но си работи. Връзка ТЦП има, но ЮДП отсъства. Примерно споделени ресурси в мрежата (уиндоуси) не се достъпват. Някой ако има опит с подобен сценарий, нека сподели.
Администратор JohnTRIVOLTA Отговорено 1 Юли, 2019 Преди 9 часа, cna написа: И аз се мъча с един ОВПН + сертификати, ОВПН клиент, инсталиран на Уиндоус. След конекция се получава грешката с дублирания пакет, но си работи. Връзка ТЦП има, но ЮДП отсъства. Примерно споделени ресурси в мрежата (уиндоуси) не се достъпват. Някой ако има опит с подобен сценарий, нека сподели. Има си в Уин L2TP с IPSec PSK, който работи превъзходно. Споменатите по-горе протоколи работят също превъзходно между бордове!
cna Отговорено 2 Юли, 2019 Преди 9 часа, JohnTRIVOLTA написа: Има си в Уин L2TP с IPSec PSK, който работи превъзходно. Споменатите по-горе протоколи работят също превъзходно между бордове! Между бордове знам, че работи. Трябва ми: СЕРВ <==> Уин
gbdesign Отговорено 2 Юли, 2019 L2TP върху IPSec между Микротик и Уиндоус си работи перфектно. Ползвам го от години. Ако клиентите трябва сами да си настройват "бузата", по-лесно става с SSTP, но с истински сертификат и DNS запис.
Въпрос
s_kolew
Привет,
опитвам се да настроя OpenVPN server на Mikrotik RB, но когато се свържа с клиента, получавам следните логове с грешки и не успявам да се свържа:
ovpn,debug,error,63336,61312,61900,62792,31696,63948,62736,61896,l2tp,info,61900,debug,79,65535,critical,360,39064,37776,79,64024,39576,4544,4043,37776,63948,54192,63948,error duplicate packet, dropping
Конфигурацията е следната:
[admin@CoreMikrotik] > export # sep/25/2017 16:46:42 by RouterOS 6.40.3 # software id = PC33-NERL # # model = RouterBOARD 962UiGS-5HacT2HnT # serial number = 6737052E08AF /caps-man channel add control-channel-width=20mhz frequency=2432 name=channel_2.4 tx-power=40 add band=5ghz-a control-channel-width=20mhz frequency=5180 name=channel_5G_48 add band=2ghz-b/g/n control-channel-width=20mhz frequency=2447 name=channel_2.4_guest add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5230 name=channel_5G_46_guest /interface bridge add admin-mac=E4:8D:8C:6B:F0:73 auto-mac=no name=br1_lan add name=br2_guest /interface ethernet set [ find default-name=ether1 ] comment=WAN /interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto mode=\ ap-bridge ssid=MikroTik-6BF078 wireless-protocol=802.11 /ip neighbor discovery set ether1 discover=no /caps-man datapath add bridge=br1_lan client-to-client-forwarding=yes local-forwarding=yes name=datapath add bridge=br2_guest name=datapath_guest /caps-man security add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security1 passphrase="\$Credit\$" add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=guest passphrase="\$CreditGuest\$" /caps-man configuration add channel=channel_2.4 datapath=datapath mode=ap name=cfg_2.4GhZ_lan security=security1 ssid=CRM13 add channel=channel_5G_48 datapath=datapath mode=ap name=cfg_5GhZ_lan security=security1 ssid=CRM13 add channel=channel_2.4_guest datapath=datapath_guest mode=ap name=cfg_2.4GhZ_guest security=guest ssid=Credit_guest add channel=channel_5G_46_guest datapath=datapath_guest mode=ap name=cfg_5GhZ_guest security=guest ssid=Credit_guest /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik add authentication-types=wpa-psk,wpa2-psk management-protection=allowed 
mode=dynamic-keys name=Credit_core \ wpa-pre-shared-key="\$Credit\$" wpa2-pre-shared-key="\$Credit\$" /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=2442 mode=\ ap-bridge security-profile=Credit_core ssid=Credit_core wireless-protocol=802.11 /ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot /ip pool add name=office_pool_no_vlan ranges=10.132.1.100-10.132.1.200 add name=office_guest_pool ranges=10.132.2.100-10.132.2.200 add name=vpn_pool ranges=10.132.1.201-10.132.1.210 /ip dhcp-server add address-pool=office_pool_no_vlan disabled=no interface=br1_lan name=office_no_vlan add address-pool=office_guest_pool disabled=no interface=br2_guest name=office_guest /ppp profile set *FFFFFFFE local-address=10.132.1.1 remote-address=vpn_pool /caps-man manager set enabled=yes /caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=cfg_2.4GhZ_lan name-format=\ prefix-identity name-prefix=ofc2g add action=create-dynamic-enabled hw-supported-modes=an,ac master-configuration=cfg_5GhZ_lan name-format=\ prefix-identity name-prefix=ofc5g /interface bridge port add bridge=br1_lan interface=ether3 add bridge=br1_lan interface=sfp1 add bridge=br1_lan interface=ether4 add bridge=br1_lan interface=ether5 add bridge=br1_lan interface=ether2 /interface list member add interface=br1_lan list=LAN add comment=defconf interface=ether1 list=WAN /interface ovpn-server server set auth=sha1 certificate=MTserver cipher=aes256 default-profile=default-encryption enabled=yes keepalive-timeout=\ disabled mode=ethernet port=1195 require-client-certificate=yes /interface wireless cap set bridge=br1_lan caps-man-addresses=10.132.1.1 discovery-interfaces=br1_lan interfaces=wlan1 /ip address add address=10.132.1.1/24 interface=br1_lan network=10.132.1.0 add address=10.132.2.1/24 interface=br2_guest network=10.132.2.0 /ip dhcp-client add comment=defconf 
dhcp-options=hostname,clientid disabled=no interface=ether1 /ip dhcp-server network add address=10.132.1.0/24 comment=defconf gateway=10.132.1.1 netmask=24 add address=10.132.2.0/24 dns-server=8.8.8.8 gateway=10.132.2.1 /ip dns set allow-remote-requests=yes /ip dns static add address=192.168.88.1 name=router.lan /ip firewall address-list add address=10.132.1.0/24 list=office_net add address=10.132.2.0/24 list=guest_net /ip firewall filter add action=accept chain=input comment="Allow OpenVPN" dst-port=1195 protocol=tcp add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN add action=accept chain=input comment="Allow OpenVPN" dst-port=1195 protocol=udp /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN add action=masquerade chain=srcnat out-interface=ether1 /ppp secret add name=admin password=XXXXXXX profile=default-encryption service=ovpn /system clock set time-zone-name=Europe/Sofia 
/system identity set name=CoreMikrotik /tool mac-server set [ find default=yes ] disabled=yes add interface=br1_lan /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=br1_lan [admin@CoreMikrotik] >
Ето това получавам като output на OpenVPN клиента:
Mon Sep 25 16:45:09 2017 MANAGEMENT: >STATE:1506347109,TCP_CONNECT,,,,,, Mon Sep 25 16:45:10 2017 TCP connection established with [AF_INET]10.16.131.29:1195 Mon Sep 25 16:45:10 2017 TCP_CLIENT link local: (not bound) Mon Sep 25 16:45:10 2017 TCP_CLIENT link remote: [AF_INET]10.16.131.29:1195 Mon Sep 25 16:45:10 2017 MANAGEMENT: >STATE:1506347110,WAIT,,,,,, Mon Sep 25 16:45:10 2017 MANAGEMENT: >STATE:1506347110,AUTH,,,,,, Mon Sep 25 16:45:10 2017 TLS: Initial packet from [AF_INET]10.16.131.29:1195, sid=a8b8e6e1 f37bb201 Mon Sep 25 16:45:11 2017 VERIFY OK: depth=1, C=BG, ST=BG, L=Sofia, CN=CA Mon Sep 25 16:45:11 2017 VERIFY KU OK Mon Sep 25 16:45:11 2017 Validating certificate extended key usage Mon Sep 25 16:45:11 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Mon Sep 25 16:45:11 2017 VERIFY EKU OK Mon Sep 25 16:45:11 2017 VERIFY OK: depth=0, C=BG, ST=BG, L=Sofia, CN=MTserver Mon Sep 25 16:45:11 2017 Connection reset, restarting [0] Mon Sep 25 16:45:11 2017 SIGUSR1[soft,connection-reset] received, process restarting Mon Sep 25 16:45:11 2017 MANAGEMENT: >STATE:1506347111,RECONNECTING,connection-reset,,,,, Mon Sep 25 16:45:11 2017 Restart pause, 20 second(s)