Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » router » mikrotik_vpn_ipsec
Trace:
networking:router:mikrotik_vpn_ipsec

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:router:mikrotik_vpn_ipsec [2019/03/23 09:44]
gcooper 		networking:router:mikrotik_vpn_ipsec [2023/06/21 15:26] (current)
gcooper
Line 29: Line 29:
     * Cisco Transform Set     * Cisco Transform Set
     * Default proposal and default profile in your identity will result in ''SHA1-AES-CBC'' with 128-bit encryption     * Default proposal and default profile in your identity will result in ''SHA1-AES-CBC'' with 128-bit encryption
 +      * Very fast but less secure than ''SHA256-AES-CBC'' with 256-bit encryption
 +      * Many Mikrotik routers support hardware acceleration of ''SHA256-AES-CBC'' with 256-bit encryption
   * NAT Bypass Rule   * NAT Bypass Rule
     * S2S traffic won't pass until done     * S2S traffic won't pass until done
Line 38: Line 40:
 :!: Note that older ROS had the default proposal with ''3DES'' encryption while newer versions have ''AES''. :!: Note that older ROS had the default proposal with ''3DES'' encryption while newer versions have ''AES''.
  
-:!: You need to use ''SHA1'' or ''SHA256'' with ''AES-CBC'' to take advantage of hardware encryption in most Mikrotik routers.  https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration+:!: You need to use ''SHA1'' or ''SHA256'' with ''AES-CBC'' to take advantage of **hardware encryption** in most Mikrotik routers.  https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration
  
 :!: Note that we use /32 instead of the actual subnet mask of the WAN interfaces for simplicity and security.  Use the proper subnet masks for the subnets behind the routers. :!: Note that we use /32 instead of the actual subnet mask of the WAN interfaces for simplicity and security.  Use the proper subnet masks for the subnets behind the routers.
Line 53: Line 55:
 :global SubnetBehindRouter2 "10.1.101.0/24" :global SubnetBehindRouter2 "10.1.101.0/24"
  
-:global PreSharedKey "MyPreSharedKey"+:global PreSharedKey "YourPreSharedKey"
 </file> </file>
  
Line 72: Line 74:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \ add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \
-  src-address=$SubnetBehindRouter1 tunnel=yes proposal=default+  src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
Line 99: Line 101:
 # Peer Definition # Peer Definition
 /ip ipsec peer /ip ipsec peer
-  add address=$Router1WanCidr port=500 auth-method=pre-shared-key secret="$PreSharedKey"+  add address=$Router1WanCidr name=$Site1Name profile=default 
 + 
 +# Peer Identity 
 +/ip ipsec identity 
 +add peer=$Site1Name secret=$PreSharedKey
  
 # Policy Definition # Policy Definition
 /ip ipsec policy /ip ipsec policy
-  add src-address=$SubnetBehindRouter2 src-port=any dst-address=$SubnetBehindRouter1 dst-port=any \ +add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr 
-  sa-src-address=$Router2WanAddr sa-dst-address=$Router1WanAddr \ +  src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes
-  tunnel=yes action=encrypt proposal=default+
  
 # NAT bypass rule # NAT bypass rule
 /ip firewall nat /ip firewall nat
-  add chain=srcnat action=accept comment="NAT Bypass for VPN" place-before=0 \+  add chain=srcnat action=accept comment="NAT Bypass for $Site1Name VPN" place-before=0 \
   src-address=$SubnetBehindRouter2 dst-address=$SubnetBehindRouter1   src-address=$SubnetBehindRouter2 dst-address=$SubnetBehindRouter1
  
 # Cleanup # Cleanup
 /system script environment /system script environment
 +  remove Site1Name
   remove Router1WanAddr   remove Router1WanAddr
   remove Router1WanCidr   remove Router1WanCidr
 +  remove SubnetBehindRouter1
 +  remove Site2Name
   remove Router2WanAddr   remove Router2WanAddr
   remove Router2WanCidr   remove Router2WanCidr
-  remove SubnetBehindRouter1 
   remove SubnetBehindRouter2   remove SubnetBehindRouter2
 / /
 </file> </file>
  
-:!: Try to bring up the tunnel by pinging a host (IP) from one LAN subnet to the other.  You must send traffic through the tunnel for it to be established.+:!: Try to bring up the tunnel by pinging a host (IP) from one LAN subnet to the other.  You must send traffic **through** the tunnel for it to be established.
  
-:!: **Important note**: While the router will properly route traffic between the LANs at this point, the router itself does not have a route to the remote subnet.  If you need the router itself (i.e. netwatch, etc.) to be able to access the remote subnet, you will have to add a route:+:!: **Important note**: While the router will properly route traffic **between the LANs** at this point, the router itself does not have a route to the remote subnet.  If you need the router itself (i.e. netwatch, etc.) to be able to access the remote subnet, you will have to add a route:
  
 <file> <file>
 /ip route add disabled=no dst-address=<CidrBehindRemoteRouter> gateway=<LocalLanIF> /ip route add disabled=no dst-address=<CidrBehindRemoteRouter> gateway=<LocalLanIF>
 +</file>
  
-# for example where the remote subnet is 192.168.0.0/24 and the local LAN interface is bridge1:+For example where the remote subnet is ''192.168.0.0/24'' and the local LAN interface is ''bridge1'': 
 + 
 +<file>
 /ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1 /ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1
 </file> </file>
  
 ===== One Side with Dynamic IP ===== ===== One Side with Dynamic IP =====
 +
 +https://mivilisnet.wordpress.com/2020/07/06/mikrotik-site-to-site-ipsec-when-one-router-has-a-dynamic-wan-ip-address/
 +
 +<note tip>To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**:
 +
 +  * Modify the (dynamic IP) peer definition on the router with static WAN IP:
 +    * Set the IP address to ''0.0.0.0/0''
 +    * Select ''Passive''
 +    * Deselect ''Send INITIAL_CONTACT''
 +    * Responder
 +  * Modify the (static IP) peer definition on the router with dynamic WAN IP:
 +    * Set the IP address to the static WAN IP address of the other router
 +    * Deselect ''Passive''
 +    * Select ''Send INITIAL_CONTACT''
 +    * Initiator
 +</note>
 +
 +==== Router with Static IP ====
 +
 +:!: In this example, this router has two LAN subnets behind it.
 +
 +<file>
 +/ip ipsec peer
 +add name=peername passive=yes
 +/ip ipsec identity
 +add peer=peername secret=yourpresharedkey
 +/ip ipsec policy
 +set 0 disabled=yes
 +add comment="Destination and Source LAN Subnets" dst-address=192.168.20.0/24 peer=peername src-address=\
 +    192.168.0.0/24 tunnel=yes
 +add comment="Additional LAN Subnet Behind This Router" dst-address=192.168.20.0/24 peer=peername src-address=\
 +    192.168.2.0/24 tunnel=yes
 +</file>
 +
 +==== Router with Dynamic IP ====
 +
 +:!: This router has a single LAN subnet behind it.
 +
 +<file>
 +/ip ipsec peer
 +add address=123.123.123.123/32 name=peer-with-static-ip-name
 +/ip ipsec identity
 +add peer=peer-with-static-ip-name secret=yourpresharedkey
 +/ip ipsec policy
 +set 0 disabled=yes
 +add dst-address=192.168.0.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
 +add dst-address=10.10.1.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
 +</file>
 +
 +FIXME The rest of this section needs verification
  
 http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html
Line 187: Line 247:
  
 ===== Firewall ===== ===== Firewall =====
 +
 +**IPSec Firewall Rules**: https://jcutrer.com/howto/networking/mikrotik/firewall-ruleset-ipsec-whitelisting
  
 http://forum.mikrotik.com/viewtopic.php?f=2&t=79151 http://forum.mikrotik.com/viewtopic.php?f=2&t=79151
networking/router/mikrotik_vpn_ipsec.1553355883.txt.gz · Last modified: 2019/03/23 09:44 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki