Strongswan:
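# strongSwan side (Linux), /etc/ipsec.conf.
# ipsec.conf needs section parameters indented; the flat, unindented form on
# the original page does not parse. The page also printed the whole file
# twice; one copy is kept.
config setup
    # "all" logs every IKE exchange in detail. Useful while bringing the
    # tunnel up; lower it once it works, e.g. charondebug="ike 1, knl 1, cfg 1"
    charondebug="all"
    uniqueids=yes

# Template conn holding everything the two child conns share. It carries no
# auto= itself; con1-1 / con1-2 pull it in with also=.
conn con1
    # Old proposals kept only for reference (blowfish / sha1 / modp1024).
    # ike=blowfish-sha1-modp1024!
    # esp=blowfish-sha1!
    # Strict proposals ("!"); they must match the RouterOS side exactly:
    #   ike -> /ip ipsec profile  enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
    #   esp -> /ip ipsec proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
    ike=aes256-sha256-modp2048!
    # modp2048 added to the ESP proposal: the RouterOS proposal has
    # pfs-group=modp2048, so both sides now state the same PFS group.
    esp=aes256-sha256-modp2048!
    # Main mode only. With PSK authentication, IKEv1 aggressive mode exposes the
    # peer identity and a PSK-derived hash unencrypted; keep this at no.
    aggressive=no
    keyingtries=%forever
    # IKE SA 8h, IPsec SA 1h (RouterOS proposal lifetime=1h).
    ikelifetime=28800s
    lifetime=3600s
    # Dead peer detection: probe every 30s, re-establish after 120s of silence.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    keyexchange=ikev1
    # PSK comes from ipsec.secrets and must equal the RouterOS identity secret=%PSK%.
    authby=secret
    type=tunnel
    # left = this host (strongSwan), right = the MikroTik.
    # The original page used %net_behind_mktk% for leftid, left and leftsubnet,
    # i.e. the network behind the *remote* router; mapped here to the placeholders
    # the RouterOS section uses for the Linux side.
    leftid=%linux_inet_ip%
    left=%linux_inet_ip%
    # NOTE(review): must equal dst-address of the RouterOS policies
    # (%net_behind_linux%); append /32 if it is a single host.
    leftsubnet=%net_behind_linux%
    rightid=%mktk_inet_ip%
    right=%mktk_inet_ip%
    # rightsubnet is set per child conn below, one conn per RouterOS policy.
    # rightsubnet=%1_net_behind_mktk%,%2_net_behind_mktk%

# One conn per RouterOS policy (each policy is level=unique, i.e. its own SA).
# also= must name the template above; the original "also=mlg1" referenced a
# section that is not defined anywhere in this file, so con1-1 and con1-2
# would not have inherited the con1 parameters.
conn con1-1
    also=con1
    rightsubnet=%1_net_behind_mktk%
    auto=start

conn con1-2
    also=con1
    rightsubnet=%2_net_behind_mktk%
    auto=start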
Mikrotik:
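# RouterOS side (MikroTik CLI, "\" continues a command).
# The original page printed every "... add \" line twice; one copy is kept.

# Phase 1 (IKE SA). Must match the strongSwan ike= line aes256-sha256-modp2048.
# dh-group is set explicitly instead of relying on the RouterOS default (which
# on some releases includes modp1024); strongSwan's strict "!" proposal does
# not negotiate down. lifetime=8h mirrors ikelifetime=28800s.
/ip ipsec profile add \
    name=strongswan \
    enc-algorithm=aes-256 \
    hash-algorithm=sha256 \
    dh-group=modp2048 \
    lifetime=8h

# exchange-mode stays at its default (main); strongSwan has aggressive=no.
/ip ipsec peer add \
    name=strongswan \
    address=%linux_inet_ip% \
    local-address=%mktk_inet_ip% \
    profile=strongswan \
    send-initial-contact=no

# Phase 2 (IPsec SA). Must match the strongSwan esp= line and lifetime=3600s.
# pfs-group=modp2048 requires the same DH group in strongSwan's esp proposal.
/ip ipsec proposal add \
    name=strongswan \
    enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 \
    pfs-group=modp2048 \
    lifetime=1h

# PSK identity. %PSK% must be the same value as in ipsec.secrets on the
# strongSwan host. NOTE(review): notrack-chain adds notrack rules to the raw
# firewall chain for this peer's traffic; confirm that is intended.
/ip ipsec identity add \
    peer=strongswan \
    secret=%PSK% \
    notrack-chain=prerouting

# One policy per local subnet. level=unique gives each policy its own SA,
# matching the two separate conns (con1-1, con1-2) on the strongSwan side.
# NOTE(review): on RouterOS releases that have /ip ipsec identity the policy is
# usually bound with peer=strongswan; verify sa-src-address / sa-dst-address
# are still accepted on the target version.
/ip ipsec policy add \
    src-address=%1_net_behind_mktk% \
    dst-address=%net_behind_linux% \
    sa-src-address=%mktk_inet_ip% \
    sa-dst-address=%linux_inet_ip% \
    level=unique \
    proposal=strongswan \
    tunnel=yes

/ip ipsec policy add \
    src-address=%2_net_behind_mktk% \
    dst-address=%net_behind_linux% \
    sa-src-address=%mktk_inet_ip% \
    sa-dst-address=%linux_inet_ip% \
    level=unique \
    proposal=strongswan \
    tunnel=yes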