networking:router:mikrotik_vpn_ipsec

Differences

networking:router:mikrotik_vpn_ipsec [2019/03/23 09:59]
gcooper
networking:router:mikrotik_vpn_ipsec [2023/06/21 15:26] (current)
gcooper
Line 40: Line 40:
 :!: Note that older ROS had the default proposal with ''3DES'' encryption while newer versions have ''AES''. :!: Note that older ROS had the default proposal with ''3DES'' encryption while newer versions have ''AES''.
  
-:!: You need to use ''SHA1'' or ''SHA256'' with ''AES-CBC'' to take advantage of hardware encryption in most Mikrotik routers.  https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration+:!: You need to use ''SHA1'' or ''SHA256'' with ''AES-CBC'' to take advantage of **hardware encryption** in most Mikrotik routers.  https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration
  
 :!: Note that we use /32 instead of the actual subnet mask of the WAN interfaces for simplicity and security.  Use the proper subnet masks for the subnets behind the routers. :!: Note that we use /32 instead of the actual subnet mask of the WAN interfaces for simplicity and security.  Use the proper subnet masks for the subnets behind the routers.
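Review bot: the hardware-acceleration note on the `:!: You need to use ''SHA1'' or ''SHA256''` line still presents SHA1 and SHA256 as equivalent choices; suggest wording it as "use SHA256, or SHA1 only where a legacy peer requires it", consistent with the line above that already steers readers away from the old 3DES default proposal toward AES.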
Line 55: Line 55:
 :global SubnetBehindRouter2 "10.1.101.0/24" :global SubnetBehindRouter2 "10.1.101.0/24"
  
-:global PreSharedKey "MyPreSharedKey"+:global PreSharedKey "YourPreSharedKey"
 </file> </file>
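Review bot: renaming the placeholder to `"YourPreSharedKey"` makes it clearer that it must be changed, but nothing in the script says so; suggest a comment line directly above `:global PreSharedKey` such as `# replace with a long random secret; the same value must be set on both routers`, since this value is written into both routers' configuration in plaintext.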
  
Line 74: Line 74:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \ add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \
-  src-address=$SubnetBehindRouter1 tunnel=yes+  src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
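Review bot: the policy now references `peer=$Site2Name`, but `$Site2Name` is not among the `:global` variables visible in the Line 55 hunk above (`SubnetBehindRouter2`, `PreSharedKey`); confirm it is declared with the other globals and that its value matches the name given to the corresponding `/ip ipsec peer` entry, otherwise the `add` will fail or bind the policy to the wrong peer.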
Line 110: Line 110:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \ add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \
-  src-address=$SubnetBehindRouter2 tunnel=yes+  src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
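Review bot: same check as on the Router 1 side: `peer=$Site1Name` must be declared in this router's globals and must equal the `name=` used when adding Router 1 as an `/ip ipsec peer` on this router; the two variable names are easy to swap between the two scripts, so a one-line comment stating "this is the name of the remote peer as configured on this router" would help.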
Line 130: Line 130:
 </file> </file>
  
-:!: Try to bring up the tunnel by pinging a host (IP) from one LAN subnet to the other.  You must send traffic through the tunnel for it to be established.+:!: Try to bring up the tunnel by pinging a host (IP) from one LAN subnet to the other.  You must send traffic **through** the tunnel for it to be established.
  
-:!: **Important note**: While the router will properly route traffic between the LANs at this point, the router itself does not have a route to the remote subnet.  If you need the router itself (i.e. netwatch, etc.) to be able to access the remote subnet, you will have to add a route:+:!: **Important note**: While the router will properly route traffic **between the LANs** at this point, the router itself does not have a route to the remote subnet.  If you need the router itself (i.e. netwatch, etc.) to be able to access the remote subnet, you will have to add a route:
  
 <file> <file>
 /ip route add disabled=no dst-address=<CidrBehindRemoteRouter> gateway=<LocalLanIF> /ip route add disabled=no dst-address=<CidrBehindRemoteRouter> gateway=<LocalLanIF>
 +</file>
  
-# for example where the remote subnet is 192.168.0.0/24 and the local LAN interface is bridge1:+For example where the remote subnet is ''192.168.0.0/24'' and the local LAN interface is ''bridge1'': 
 + 
 +<file>
 /ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1 /ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1
 </file> </file>
  
 ===== One Side with Dynamic IP ===== ===== One Side with Dynamic IP =====
 +
 +https://mivilisnet.wordpress.com/2020/07/06/mikrotik-site-to-site-ipsec-when-one-router-has-a-dynamic-wan-ip-address/
 +
 +<note tip>To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**:
 +
 +  * Modify the (dynamic IP) peer definition on the router with static WAN IP:
 +    * Set the IP address to ''0.0.0.0/0''
 +    * Select ''Passive''
 +    * Deselect ''Send INITIAL_CONTACT''
 +    * Responder
 +  * Modify the (static IP) peer definition on the router with dynamic WAN IP:
 +    * Set the IP address to the static WAN IP address of the other router
 +    * Deselect ''Passive''
 +    * Select ''Send INITIAL_CONTACT''
 +    * Initiator
 +</note>
 +
 +==== Router with Static IP ====
 +
 +:!: In this example, this router has two LAN subnets behind it.
 +
 +<file>
 +/ip ipsec peer
 +add name=peername passive=yes
 +/ip ipsec identity
 +add peer=peername secret=yourpresharedkey
 +/ip ipsec policy
 +set 0 disabled=yes
 +add comment="Destination and Source LAN Subnets" dst-address=192.168.20.0/24 peer=peername src-address=\
 +    192.168.0.0/24 tunnel=yes
 +add comment="Additional LAN Subnet Behind This Router" dst-address=192.168.20.0/24 peer=peername src-address=\
 +    192.168.2.0/24 tunnel=yes
 +</file>
 +
 +==== Router with Dynamic IP ====
 +
 +:!: This router has a single LAN subnet behind it.
 +
 +<file>
 +/ip ipsec peer
 +add address=123.123.123.123/32 name=peer-with-static-ip-name
 +/ip ipsec identity
 +add peer=peer-with-static-ip-name secret=yourpresharedkey
 +/ip ipsec policy
 +set 0 disabled=yes
 +add dst-address=192.168.0.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
 +add dst-address=10.10.1.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
 +</file>
 +
 +FIXME The rest of this section needs verification
  
 http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html
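Review bot: the two new policy blocks do not describe the same tunnel. The static-IP router selects `192.168.0.0/24` and `192.168.2.0/24` as its local subnets toward `192.168.20.0/24`, while the dynamic-IP router's second policy points at `dst-address=10.10.1.0/24`, which appears nowhere on the static side, and it has no policy for `192.168.2.0/24`. Every `src-address`/`dst-address` pair needs a mirror-image policy on the peer, otherwise traffic for the unmatched subnet matches no policy and is not protected by the tunnel; suggest changing the dynamic side's second policy to `dst-address=192.168.2.0/24` (or fixing the static side) so the two files agree. Also, the `<note tip>` says to deselect Send INITIAL_CONTACT on the passive peer, but the exported `/ip ipsec peer add name=peername passive=yes` line does not carry that setting, so either the tip or the export is incomplete. Given the `FIXME The rest of this section needs verification` line, suggest flagging both `<file>` blocks as untested until the mismatch is resolved.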
Line 194: Line 247:
  
 ===== Firewall ===== ===== Firewall =====
 +
 +**IPSec Firewall Rules**: https://jcutrer.com/howto/networking/mikrotik/firewall-ruleset-ipsec-whitelisting
  
 http://forum.mikrotik.com/viewtopic.php?f=2&t=79151 http://forum.mikrotik.com/viewtopic.php?f=2&t=79151
networking/router/mikrotik_vpn_ipsec.1553356768.txt.gz · Last modified: 2019/03/23 09:59 by gcooper