https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Groups
На сервере сделано:
/certificate
# Self-signed root CA: no ca= is given on the sign line, so "ca" signs itself.
add common-name=ca name=ca
# ca-crl-host points clients at this router (same address the client dials in L28) for revocation checks.
sign ca ca-crl-host=192.168.0.89
# Server identity certificate. The IP SAN equals the address the client connects to,
# which is what a strict client-side check of the responder's certificate will compare against.
add common-name=192.168.0.89 subject-alt-name=IP:192.168.0.89 key-usage=tls-server name=server1
sign server1 ca=ca
# Address pool handed to road-warrior clients via mode-config.
/ip pool add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec proposal
# pfs-group=none disables the extra DH exchange for the IPsec SAs: compromise of the IKE
# key material would expose traffic of all child SAs derived from it. Set a DH group
# here if every client supports it.
add name=rw-proposal pfs-group=none
/ip ipsec mode-conf
# Pushes one /32 from rw-pool and the router's own DNS servers to each connecting client.
add name=rw-conf system-dns=yes address-pool=rw-pool address-prefix=32
/ip ipsec policy
group add name=rw-policies
# Template the responder uses (generate-policy=port-strict below) to build per-client policies.
# dst-address=192.168.77.0/24 only covers traffic towards the pool subnet.
# NOTE(review): this selector is what limits which client destinations get tunnelled;
# widening it is where the "route everything through the server" question (L42) is decided — confirm against the wiki page in L1.
add template=yes dst-address=192.168.77.0/24 group=rw-policies proposal=rw-proposal
/ip ipsec peer
# passive=yes: responder only, never initiates. auth-method=rsa-signature with certificate=server1
# presents the server cert; remote-certificate=none presumably means the client's certificate is
# validated against the CA in the store rather than pinned to one named certificate — confirm in the docs.
add auth-method=rsa-signature certificate=server1 generate-policy=port-strict \
mode-config=rw-conf passive=yes remote-certificate=none exchange-mode=ike2 \
policy-template-group=rw-policies
/certificate
# Client certificate, signed by the same CA.
add common-name=RouterOS_client name=RouterOS_client key-usage=tls-client
sign RouterOS_client ca=ca
# PKCS#12 bundle includes the client's PRIVATE KEY; the only thing protecting it in transit is this passphrase.
# 1234567890 is trivially guessable, is reused for the second client in L36, and is now published with this post:
# treat this key as exposed and re-issue with a strong, per-export passphrase.
export-certificate RouterOS_client export-passphrase=1234567890 type=pkcs12
На клиенте сделано:
# Import the PKCS#12 bundle produced on the server (L23); the passphrase must match the export.
/certificate import file-name=cert_export_RouterOS_client.p12 passphrase=1234567890
# Print the name RouterOS assigned to the imported certificate, to use in the peer below.
/put [/certificate get [find common-name=RouterOS_client] name]
/ip ipsec peer
# Initiator side: dials the server IP (matches the server's IP SAN in L6).
# certificate= is the auto-generated import name printed above; if /put shows something else, use that.
# mode-config=request-only asks the server for the pool address and DNS pushed by rw-conf.
# No remote-certificate= is set here either, so the server's certificate is presumably checked only
# against the CA that came in the .p12 bundle — confirm that the CA was imported with it.
add address=192.168.0.89 auth-method=rsa-signature certificate=cert_export_RouterOS_client.p12_0 \
mode-config=request-only exchange-mode=ike2 generate-policy=port-strict
/ip ipsec
# Diagnostics: IKE peer state and the installed IPsec SAs.
remote-peers print
installed-sa print
/certificate
# Second client certificate. sign ... ca=ca needs the CA's private key, so this block is presumably
# run on the server, not the client, despite its placement under the client heading (L24) — confirm.
add common-name=Windows_client name=Windows_client key-usage=tls-client
sign Windows_client ca=ca
# Same weak, reused export passphrase as L23 (and published here); the bundle carries the private key.
export-certificate Windows_client export-passphrase=1234567890 type=pkcs12
Соединение устанавливается:
/ip ipsec> remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE
0 192.168.0.89 established
Но как пустить весь трафик на клиенте через сервер? В политиках не разбираюсь совсем…