Original videos:
https://www.youtube.com/watch?v=Urkr46gwGQs
https://www.youtube.com/watch?v=7qApFFtSxrY
https://www.youtube.com/watch?v=ISH6OiK2lMY
Related script:
https://docs.google.com/document/d/14k5KOplh6xoDkmOYnJyF6fGBkCXX1tQqPjWLgS2e2h8/edit
Tested successfully on RouterOS v6.45.6
Command line
Certificate section:
CA (the issuing certificate authority)
/certificate add name=my.ca common-name=my.ca days-valid=3650 key-usage=key-cert-sign,crl-sign,digital-signature,data-encipherment,key-encipherment trusted=yes
Sign
/certificate sign my.ca
Export the certificate
/certificate export-certificate my.ca
Server certificate
/certificate add name=server common-name=server subject-alt-name=DNS:server days-valid=3650 key-usage=digital-signature,tls-server
Sign
/certificate sign server ca=my.ca
Trust the certificate
/certificate set trusted=yes server
Multiple client certificates (one per device)
/certificate add name=ios common-name=ios subject-alt-name=DNS:ios days-valid=3650 key-usage=digital-signature,tls-client
Sign
/certificate sign ios ca=my.ca
Trust the certificate
/certificate set trusted=yes ios
Export the certificate (PKCS#12, with private key)
/certificate export-certificate ios export-passphrase=12345678 type=pkcs12
/certificate add name=pad common-name=pad subject-alt-name=DNS:pad days-valid=3650 key-usage=digital-signature,tls-client
Sign
/certificate sign pad ca=my.ca
Trust the certificate
/certificate set trusted=yes pad
Export the certificate
/certificate export-certificate pad export-passphrase=12345678 type=pkcs12
/certificate add name=mac common-name=mac subject-alt-name=DNS:mac days-valid=3650 key-usage=digital-signature,tls-client
Sign
/certificate sign mac ca=my.ca
Trust the certificate
/certificate set trusted=yes mac
Export the certificate
/certificate export-certificate mac export-passphrase=12345678 type=pkcs12
/certificate add name=android common-name=android subject-alt-name=DNS:android days-valid=3650 key-usage=digital-signature,tls-client
Sign
/certificate sign android ca=my.ca
Trust the certificate
/certificate set trusted=yes android
Export the certificate
/certificate export-certificate android export-passphrase=12345678 type=pkcs12
IKEv2 section:
Create the IKEv2 address pool
/ip pool add name=ikev2-pool ranges=192.168.89.225-192.168.89.238
mode-config configuration (addresses and DNS pushed to clients)
/ip ipsec mode-config add name=ikev2-cfg address-pool=ikev2-pool address-prefix-length=28 static-dns=192.168.50.1 system-dns=no
Create the policy group
/ip ipsec policy group add name=ikev2-group
Create the proposal (phase 2 algorithms)
/ip ipsec proposal add name=ipkev2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=1d pfs-group=none
Create the policy template
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=192.168.89.224/28 protocol=all template=yes group=ikev2-group action=encrypt ipsec-protocols=esp proposal=ipkev2-proposal comment=ikev2-Policy
Create the profile (phase 1 algorithms)
/ip ipsec profile add name=ikev2-profile hash-algorithm=sha256 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
Create the peer
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=ike2 profile=ikev2-profile name=ikev2-peer
Create multiple identities (one per client certificate)
/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=ios generate-policy=port-strict policy-template-group=ikev2-group comment=--ios--
/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=pad generate-policy=port-strict policy-template-group=ikev2-group comment=--pad--
/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=mac generate-policy=port-strict policy-template-group=ikev2-group comment=--mac--
/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=android generate-policy=port-strict policy-template-group=ikev2-group comment=--android--
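The four client-certificate blocks above and the four identity lines repeat the same steps with only the device name changed. The RouterOS script below is an added example, not part of the original notes or the linked video script: it loops over a list of client names and, for each one, creates the certificate, signs it with my.ca, marks it trusted, exports it as PKCS#12 and adds the matching IKEv2 identity, skipping any name whose certificate already exists. It assumes my.ca, server, ikev2-peer, ikev2-cfg and ikev2-group were created exactly as above; the client list and the export passphrase are placeholders to replace before running.

```routeros
# Added example (not from the original notes). Run from /system script or paste into a terminal.
# Assumes my.ca, server, ikev2-peer, ikev2-cfg and ikev2-group already exist (see the commands above).
:local clients {"ios";"pad";"mac";"android"}
# Placeholder passphrase for the exported .p12 bundles; replace before use.
:local exportPass "CHANGE-ME"

:foreach c in=$clients do={
    :if ([:len [/certificate find name=$c]] > 0) do={
        # Idempotence check: do not re-create or re-export a certificate that is already present.
        :log warning ("ikev2 setup: certificate " . $c . " already exists, skipping")
    } else={
        # Client certificate template: same key usage and SAN form as the manual commands above.
        /certificate add name=$c common-name=$c subject-alt-name="DNS:$c" days-valid=3650 key-usage=digital-signature,tls-client
        /certificate sign $c ca=my.ca
        # Signing finishes asynchronously; give the router a moment before touching the certificate.
        :delay 3s
        /certificate set [find name=$c] trusted=yes
        # PKCS#12 export includes the private key, so it is protected with the passphrase.
        /certificate export-certificate $c export-passphrase=$exportPass type=pkcs12
        # One identity per client: the peer is matched by its certificate, not by a shared secret.
        /ip ipsec identity add peer=ikev2-peer auth-method=digital-signature mode-config=ikev2-cfg my-id=fqdn:server match-by=certificate certificate=server remote-certificate=$c generate-policy=port-strict policy-template-group=ikev2-group comment=("--" . $c . "--")
        :log info ("ikev2 setup: client " . $c . " certificate issued, exported and identity added")
    }
}
```

After the script runs, /certificate print shows each client with the T (trusted) flag and the exported bundles appear under /file; /ip ipsec identity print should list one digital-signature identity per client, each bound to remote-certificate of that name.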