MikroTik Router OS V3.0 User Manual


Page 191

[admin@Our_GW] interface pptp-server> /ppp secret add name=joe service=pptp \
\... password=top_s3 local-address=10.0.0.1 remote-address=10.0.0.2
[admin@Our_GW] interface pptp-server> add name=from_remote user=joe
[admin@Our_GW] interface...

Page 192

[admin@Our_GW] interface eoip> add name=eoip-remote tunnel-id=0 \
\... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
0 name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>...

Page 193

Page 182 of 480
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

Page 194

IP Security
Document revision 3.6 (October 10, 2007, 12:17 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
Specifications
Description
Policy Settings
Description
Property Description
Notes
Example
Peers
Description
Property Description
Notes
Example
Remote Peer Statistics
Description
Property Description
Example
Installed SAs
Description
Property Description
Example
Flushing Installed SA Table
Description
Property Description
Example
MikroTik Router to MikroTik Router...

Page 195

Description
Encryption

• Packet matching - packet source/destination, protocol and ports (for TCP and UDP) are compared to values in policy rules, one after another
• Action - if rule...

Page 196

Page 197

Page 198

traffic. AH is applied after ESP, and in case of tunnel mode ESP will be applied in tunnel mode and AH - in transport mode
level (unique | require | use; default: require) - specifies what to do if some of the SAs for this policy cannot be found:
• use - skip this transform, do not drop packet and do not acquire SA from IKE daemon
• require - drop packet and acquire SA
• unique - drop packet and acquire a unique SA that is only used with this particular policy
manual-sa (name; default: none) - name of manual-sa...

Page 199

Example

[admin@MikroTik] ip ipsec policy> add sa-src-address=10.0.0.147 \
\... sa-dst-address=10.0.0.148 action=encrypt
[admin@MikroTik] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any...

Page 200

exchange-mode (multiple choice: main | aggressive | base; default: main) - different ISAKMP phase 1 exchange modes according to RFC 2408. Do not use modes other than main unless you know what you are doing
generate-policy (yes | no; default: no) - allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. This way it is possible, for example, to create IPsec secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at the...