chephei
(usa Outra)
Enviado em 08/03/2019 - 22:22h
Boa noite pessoal,
Estou com o seguinte cenário: tenho que montar um servidor AD (Samba4) em uma cloud na AWS e conectá-lo às minhas filiais, para propagar o DNS via VPN nos Mikrotik. Segue o esboço:
SERVER-AD:
/etc/hosts
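# /etc/hosts on the Samba AD DC (s1.athenas.local). In the pasted copy the
# IPv6 and IPv4 loopback lines were fused into one "#" line, which left the
# IPv4 "localhost" entry commented out; restored as two separate lines.
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
# NOTE(review): a Samba AD DC's own FQDN is normally expected to resolve to its
# LAN address only; the loopback mapping below may lead services to register
# 127.0.0.1 in DNS/Kerberos — confirm it is intended before keeping it.
127.0.0.1 s1.athenas.local s1 athenas.local
172.31.12.155 s1.athenas.local s1 athenas.local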
/etc/resolv.conf
# /etc/resolv.conf on the DC: the DC must ask its own BIND (the Samba DNS
# backend) first so that athenas.local and the AD SRV records resolve.
# The header below shows dhclient-script writes this file; it may be
# overwritten at lease renewal unless the DNS settings are pinned in the
# interface/DHCP client configuration. (The pasted copy had the two header
# comment lines fused; split here.)
; generated by /usr/sbin/dhclient-script
#search sa-east-1.compute.internal
search athenas.local
# "domain" and "search" are mutually exclusive in resolv.conf: the last one
# present wins, so only one of these two lines is actually effective.
domain athenas.local
nameserver 172.31.12.155
# NOTE(review): a public resolver as fallback on an AD DC means that whenever
# the first server is slow or unreachable, athenas.local queries go to 8.8.8.8,
# fail, and leak internal names. Prefer listing only AD DNS servers here.
nameserver 8.8.8.8
#nameserver 172.31.0.2
/etc/named.conf
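// /etc/named.conf on the Samba AD DC (BIND9_DLZ backend, see the Samba
// include at the bottom). Formatting restored; two changes from the pasted
// original:
//  * forwarders no longer lists 172.31.12.155 — that is this host's own
//    address (see /etc/hosts and resolv.conf), so BIND would forward every
//    unanswered query back to itself.
//  * recursive service is limited with allow-recursion instead of being
//    open to "any" together with "recursion yes".
options {
    listen-on port 53 { 127.0.0.1; any; };
    // keytab Samba generates for GSS-TSIG dynamic updates from domain members
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    listen-on-v6 port 53 { ::1; };
    // upstream resolver for everything Samba/BIND is not authoritative for.
    // 10.255.255.1 matches the commented-out "local ip" in xl2tpd.conf —
    // confirm it still serves DNS, otherwise forwarded queries will time out.
    forwarders { 10.255.255.1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    // the AD zones must be answerable for every client, so "any" is fine
    // here; what must not be open to the world is recursion (below)
    allow-query { localhost; any; };
    /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
    */
    recursion yes;
    // An AWS instance with a public address, "recursion yes" and
    // "allow-query any" is exactly the open resolver the comment above warns
    // about. Restrict recursion to this host and the VPC/VPN address space:
    // the range below covers every 172.31.x.x address that appears in these
    // configs (DC, L2TP pool, xauth pool) — narrow it to the real VPC range
    // and add the branch-office LAN ranges that should resolve through here.
    // Keep the AWS security group limiting UDP/TCP 53 to the same sources.
    allow-recursion { localhost; 172.31.0.0/16; };
    // NOTE(review): "dnssec-enable" is obsolete in recent BIND releases and
    // may need to be dropped depending on the installed version.
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    // NOTE(review): the ISC DLV registry was retired in 2017; this line is a
    // leftover from the stock distribution named.conf and can be removed on
    // BIND versions that no longer ship the key file.
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

// root hints, used when a query is not answered by the forwarder
zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Samba-managed zone definitions (athenas.local and its _msdcs zone)
// for the BIND9_DLZ backend
include "/var/lib/samba/bind-dns/named.conf";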
/etc/xl2tpd/xl2tpd.conf
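; /etc/xl2tpd/xl2tpd.conf on the DC (L2TP server protected by the
; "l2tp-psk" IPsec transport connection in ipsec.conf). The pasted copy had
; "[global]" and "port = 1701" fused on one line, which xl2tpd cannot parse;
; split here.
[global]
port = 1701

[lns default]
;ip range = 10.255.252.10-10.255.255.100
;local ip = 10.255.255.1
; NOTE(review): this pool hands VPN clients addresses from what appears to be
; the instance's own VPC range (the DC itself is 172.31.12.155, the VPC
; resolver 172.31.0.2). Any address AWS also assigns to another instance will
; collide — confirm the range is reserved, or use a dedicated pool (as the
; commented 10.255.x.x values did) and route it. The same range is also used
; by rightaddresspool in the xauth-psk connection, so the two services can
; hand out the same address to different clients.
ip range = 172.31.12.180-172.31.15.200
local ip = 172.31.12.155
; CHAP only, no PAP: plaintext passwords are never accepted
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
; DNS handed to L2TP clients comes from this ppp options file (not shown
; here); for athenas.local to resolve over the VPN it should point clients
; at the DC (e.g. ms-dns 172.31.12.155), not at a public resolver
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes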
/etc/ipsec.conf
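# /etc/ipsec.conf (libreswan-style) on the DC: one shared template and two
# IKEv1 PSK connections — L2TP/IPsec transport mode (l2tp-psk) and an
# XAUTH/ModeConfig road-warrior profile (xauth-psk).
# Changes from the pasted original: section bodies re-indented (parameter
# lines inside "config"/"conn" sections must be indented, the pasted copy had
# no indentation), the typographic quotes around the plutoopts value replaced
# with ASCII quotes, and the DNS handed to xauth clients changed from public
# resolvers to the AD DC so athenas.local resolves over the VPN.
version 2.0

config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
    protostack=netkey
    interfaces=%defaultroute
    # presumably set so several peers presenting the same identity (all
    # right=%any PSK clients) can stay connected at the same time — confirm
    uniqueids=no
    plutoopts="--interface=eth0"

# parameters pulled into both connections via also=shared
conn shared
    left=%defaultroute
    # MEU-IP-PUBLICO is a placeholder for the instance's public (elastic) IP
    leftid=MEU-IP-PUBLICO
    right=%any
    encapsulation=yes
    # one group pre-shared key for every peer (right=%any): whoever holds the
    # PSK can bring up a tunnel, so treat it as a credential and rotate it
    authby=secret
    # NOTE(review): pfs=no, the modp1024 groups and the sha1 proposals below
    # are weak by today's standards and are usually kept only for old
    # L2TP/IPsec clients. If every peer (MikroTik, Windows) supports it,
    # prefer pfs=yes and drop the modp1024 and sha1 entries.
    pfs=no
    rekey=no
    keyingtries=5
    # dead-peer detection: probe every 30s, give up after 120s, then clear the SA
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
    # workaround for peers that truncate HMAC-SHA2 to 96 bits instead of the
    # RFC 4868 length; harmless for peers that do it right
    sha2-truncbug=yes

# L2TP over IPsec: UDP 1701 protected by ESP in transport mode
conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    phase2=esp
    also=shared

# XAUTH + ModeConfig road-warrior clients (username/password from xauthby=file)
conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    #rightaddresspool=10.255.255.10-10.255.255.100
    # same range as "ip range" in xl2tpd.conf — two services leasing from one
    # pool can assign the same address twice; give each its own range
    rightaddresspool=172.31.12.180-172.31.15.200
    # was "8.8.8.8 8.8.4.4": clients must use the AD DC for DNS, otherwise
    # athenas.local is never resolvable through the VPN
    modecfgdns="172.31.12.155"
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never
    cisco-unity=yes
    also=shared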
Agora é a configuração do meu mikrotik:
https://print.sig.digital/08-5-2019_22-20-56.jpg
Consigo pingar de dentro do MK, mas não consigo pingar de dentro da minha máquina:
https://print.sig.digital/08-5-2019_22-21-16.jpg
https://print.sig.digital/08-5-2019_22-21-36.jpg
Configurações do mikrotik:
https://print.sig.digital/08-5-2019_22-21-57.jpg
Como poderia, da melhor maneira, fazer esse AD (Samba4) funcionar via VPN?