# ipsecadd_sbercloud
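# Rebuilds the IKEv2 site-to-site tunnel "$ipsecName" from scratch: every object
# tagged with that name/comment is torn down first and then recreated, so the
# script is safe to re-run. RouterOS v7 syntax (/ip/ipsec/... find paths, routing-table=).
:local ipsecName "sbercloud";
:local ipsecComment "$ipsecName";
# Remote IKE endpoint and the local address the tunnel is bound to.
:local peerAddr "89.232.179.63";
:local peerLocalAddr "213.33.195.92";
# Next hop for the host routes towards $peerAddr (was a literal repeated in both route lines).
:local peerGateway "213.33.195.81";
# Pre-shared key for the identity. NOTE(review): the value on the page is a placeholder;
# the real PSK should be injected at deploy time rather than stored in this script.
:local ipsecSecret "asdfasfasdfasfasdf";
# Local and remote subnets; one policy is created for every (src, dst) pair.
:local srcList [:toarray "192.168.1.0/24"];
:local dstList [:toarray "192.168.5.0/24"];
# Tear down the previous instance. Removal order follows the reference chain
# (policy -> proposal/peer, identity -> peer, peer -> profile). The removal match is
# now exact (comment=, name=) so an unrelated object whose comment merely contains
# "$ipsecName" is not deleted; the original removed with an unanchored regex (comment~)
# while only checking for exact matches.
:if ([:len [/ip/ipsec/policy/find where comment="$ipsecName"]] > 0) do={/ip ipsec policy remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/identity/find where comment="$ipsecName"]] > 0) do={/ip ipsec identity remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/proposal/find where name="$ipsecName"]] > 0) do={/ip ipsec proposal remove $ipsecName}
:if ([:len [/ip/ipsec/peer/find where name="$ipsecName"]] > 0) do={/ip ipsec peer remove $ipsecName}
:if ([:len [/ip/ipsec/profile/find where name="$ipsecName"]] > 0) do={/ip ipsec profile remove $ipsecName}
:if ([:len [/ip/firewall/raw/find where comment="$ipsecName"]] > 0) do={/ip firewall raw remove [find comment="$ipsecComment"]}
:if ([:len [/ip/route/find where comment="$ipsecName"]] > 0) do={/ip route remove [find comment="$ipsecComment"]}
# Phase 1 (IKE) parameters.
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 nat-traversal=yes name=$ipsecName
# The peer is created disabled; the "vrrp" tag suggests another script enables it on the
# VRRP master — TODO confirm, nothing on this page does so.
/ip ipsec peer add address=$peerAddr local-address=$peerLocalAddr name=$ipsecName profile=$ipsecName comment="$ipsecComment vrrp" exchange-mode=ike2 disabled=yes
# Phase 2 (ESP) parameters; AES-GCM is an AEAD cipher, hence the empty auth-algorithms.
/ip ipsec proposal add name=$ipsecName lifetime=1h auth-algorithms="" enc-algorithms=aes-128-gcm pfs-group=modp2048
/ip ipsec identity add peer=$ipsecName secret=$ipsecSecret comment=$ipsecComment
# Per remote subnet: two notrack rules at the top of the raw prerouting chain, then one
# tunnel policy per local subnet. action=notrack exempts this traffic from connection
# tracking, so stateful filter rules (connection-state=...) will not match it and the
# filter chains must allow it explicitly.
:foreach dstAddr in $dstList do={
/ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=0.0.0.0/0 src-address=$dstAddr place-before=*0;
/ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=$dstAddr src-address=0.0.0.0/0 place-before=*0;
:foreach srcAddr in $srcList do={
/ip ipsec policy add dst-address=$dstAddr level=unique peer=$ipsecName proposal=$ipsecName src-address=$srcAddr tunnel=yes comment=$ipsecComment
}
}
# Host routes to the IKE peer do not depend on the remote subnet, so they are added once,
# outside the loop; the original added them per dstList entry, which would create
# duplicate routes as soon as dstList holds more than one subnet.
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=902-beeline comment=$ipsecName
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=main comment=$ipsecName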
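# Rebuilds the IKEv2 site-to-site tunnel "$ipsecName" from scratch: every object
# tagged with that name/comment is torn down first and then recreated, so the
# script is safe to re-run. RouterOS v7 syntax (/ip/ipsec/... find paths, routing-table=).
:local ipsecName "sbercloud";
:local ipsecComment "$ipsecName";
# Remote IKE endpoint and the local address the tunnel is bound to.
:local peerAddr "89.232.179.63";
:local peerLocalAddr "213.33.195.92";
# Next hop for the host routes towards $peerAddr (was a literal repeated in both route lines).
:local peerGateway "213.33.195.81";
# Pre-shared key for the identity. NOTE(review): the value on the page is a placeholder;
# the real PSK should be injected at deploy time rather than stored in this script.
:local ipsecSecret "asdfasfasdfasfasdf";
# Local and remote subnets; one policy is created for every (src, dst) pair.
:local srcList [:toarray "192.168.1.0/24"];
:local dstList [:toarray "192.168.5.0/24"];
# Tear down the previous instance. Removal order follows the reference chain
# (policy -> proposal/peer, identity -> peer, peer -> profile). The removal match is
# now exact (comment=, name=) so an unrelated object whose comment merely contains
# "$ipsecName" is not deleted; the original removed with an unanchored regex (comment~)
# while only checking for exact matches.
:if ([:len [/ip/ipsec/policy/find where comment="$ipsecName"]] > 0) do={/ip ipsec policy remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/identity/find where comment="$ipsecName"]] > 0) do={/ip ipsec identity remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/proposal/find where name="$ipsecName"]] > 0) do={/ip ipsec proposal remove $ipsecName}
:if ([:len [/ip/ipsec/peer/find where name="$ipsecName"]] > 0) do={/ip ipsec peer remove $ipsecName}
:if ([:len [/ip/ipsec/profile/find where name="$ipsecName"]] > 0) do={/ip ipsec profile remove $ipsecName}
:if ([:len [/ip/firewall/raw/find where comment="$ipsecName"]] > 0) do={/ip firewall raw remove [find comment="$ipsecComment"]}
:if ([:len [/ip/route/find where comment="$ipsecName"]] > 0) do={/ip route remove [find comment="$ipsecComment"]}
# Phase 1 (IKE) parameters.
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 nat-traversal=yes name=$ipsecName
# The peer is created disabled; the "vrrp" tag suggests another script enables it on the
# VRRP master — TODO confirm, nothing on this page does so.
/ip ipsec peer add address=$peerAddr local-address=$peerLocalAddr name=$ipsecName profile=$ipsecName comment="$ipsecComment vrrp" exchange-mode=ike2 disabled=yes
# Phase 2 (ESP) parameters; AES-GCM is an AEAD cipher, hence the empty auth-algorithms.
/ip ipsec proposal add name=$ipsecName lifetime=1h auth-algorithms="" enc-algorithms=aes-128-gcm pfs-group=modp2048
/ip ipsec identity add peer=$ipsecName secret=$ipsecSecret comment=$ipsecComment
# Per remote subnet: two notrack rules at the top of the raw prerouting chain, then one
# tunnel policy per local subnet. action=notrack exempts this traffic from connection
# tracking, so stateful filter rules (connection-state=...) will not match it and the
# filter chains must allow it explicitly.
:foreach dstAddr in $dstList do={
/ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=0.0.0.0/0 src-address=$dstAddr place-before=*0;
/ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=$dstAddr src-address=0.0.0.0/0 place-before=*0;
:foreach srcAddr in $srcList do={
/ip ipsec policy add dst-address=$dstAddr level=unique peer=$ipsecName proposal=$ipsecName src-address=$srcAddr tunnel=yes comment=$ipsecComment
}
}
# Host routes to the IKE peer do not depend on the remote subnet, so they are added once,
# outside the loop; the original added them per dstList entry, which would create
# duplicate routes as soon as dstList holds more than one subnet.
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=902-beeline comment=$ipsecName
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=main comment=$ipsecName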
Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090