networking:router:mikrotik_vpn_s2s_static [2014/04/30 22:29] gcooper
====== Mikrotik IPSec Site to Site VPN ======

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

:!: **Important note**: You **must** allow the IPSec traffic (IKE on UDP 500, ESP, and UDP 4500 if either side sits behind NAT) through the ''input'' chain of your firewall for a connection to be established.  See Firewall section below.

===== Mikrotik Routers on Both Ends with Static IPs =====

**Diagram**: http://gregsowell.com/?p=787

**Video for Diagram**: http://gregsowell.com/wink/mtklan2lan/mtklan2lan.swf

**From the Mikrotik Wiki**: http://wiki.mikrotik.com/wiki/IPsec#Site_to_Site_IpSec_Tunnel

{{ :networking:router:site-to-site-ipsec-example.png?nolink |Sample Site-to-Site Configuration Diagram}}

==== IPSec Components ====

On each Mikrotik router:

  * Peer Definition
    * Phase 1 (IKE): who we talk to and how we authenticate
  * Policy Definition
    * Phase 2: which traffic is encrypted and between which SA endpoints
  * Proposal
    * Ciphers and integrity algorithms used in Phase 2
    * The equivalent of a Cisco transform set
    * A ''default'' proposal already exists and works with static IPs, but it uses ''3des''/''sha1'' (see note below)
  * NAT Bypass Rule
    * S2S traffic won't pass until this is done: srcnat runs before the IPSec policy lookup, so masqueraded LAN traffic no longer matches the policy's source address

==== Variables for Both Routers ====

Modify these for your networks and paste them at the CLI of both routers:

:!: Note that the following uses the default proposal, which means ''3des'' encryption with ''sha1'' integrity.  3DES is a 64-bit block cipher and is considered deprecated; prefer an explicit proposal with ''aes-128-cbc'' or ''aes-256-cbc'' and ''sha256''.  The hardware encryption engine in the CloudCore routers accelerates AES-CBC, so the switch costs nothing in throughput; AES 128 versus 256 is a policy choice, not a requirement of the offload.

:!: Note that we use /32 instead of the actual subnet mask of the WAN interfaces for simplicity and security: the peer definition then only accepts IKE from the one remote router rather than from every host on its WAN segment, and we don't actually have to track down the real subnet mask.  Use the proper subnet masks for the subnets behind the routers.

:!: The pre-shared key is stored in clear text in the peer definition and, until the cleanup step below removes it, in the global script environment of both routers.  Use a long random value, not a word.

<file>
:global Router1WanAddr "192.168.90.1"
:global Router1WanCidr "192.168.90.1/32"

:global Router2WanAddr "192.168.80.1"
:global Router2WanCidr "192.168.80.1/32"

:global SubnetBehindRouter1 "10.1.202.0/24"
:global SubnetBehindRouter2 "10.1.101.0/24"

:global PreSharedKey "MyPreSharedKey"
</file>

==== Router 1 ====

Paste this into the CLI of router 1.  (This is the pre-6.43 RouterOS syntax, where the pre-shared key lives on the peer; from RouterOS 6.43 onward the authentication settings move to ''/ip ipsec identity''.)

<file>
# Peer Definition (Phase 1)
/ip ipsec peer
  add address=$Router2WanCidr port=500 auth-method=pre-shared-key secret="$PreSharedKey"

# Policy Definition (Phase 2): which traffic is encrypted and between which SA endpoints
/ip ipsec policy
  add src-address=$SubnetBehindRouter1 src-port=any dst-address=$SubnetBehindRouter2 dst-port=any \
  sa-src-address=$Router1WanAddr sa-dst-address=$Router2WanAddr \
  tunnel=yes action=encrypt proposal=default

# NAT bypass rule: must sit above the masquerade rule, otherwise srcnat rewrites
# the LAN source before the IPSec policy is consulted and the traffic never matches it
/ip firewall nat
  add chain=srcnat action=accept comment="NAT Bypass for VPN" place-before=0 \
  src-address=$SubnetBehindRouter1 dst-address=$SubnetBehindRouter2

# Cleanup: drop the globals, including the pre-shared key, so the secret
# does not linger in the script environment
/system script environment
  remove Router1WanAddr
  remove Router1WanCidr
  remove Router2WanAddr
  remove Router2WanCidr
  remove SubnetBehindRouter1
  remove SubnetBehindRouter2
  remove PreSharedKey
/
</file>

==== Router 2 ====

Paste this into the CLI of router 2 (same pre-6.43 syntax as above, with the sides swapped):

<file>
# Peer Definition (Phase 1)
/ip ipsec peer
  add address=$Router1WanCidr port=500 auth-method=pre-shared-key secret="$PreSharedKey"

# Policy Definition (Phase 2)
/ip ipsec policy
  add src-address=$SubnetBehindRouter2 src-port=any dst-address=$SubnetBehindRouter1 dst-port=any \
  sa-src-address=$Router2WanAddr sa-dst-address=$Router1WanAddr \
  tunnel=yes action=encrypt proposal=default

# NAT bypass rule: must sit above the masquerade rule
/ip firewall nat
  add chain=srcnat action=accept comment="NAT Bypass for VPN" place-before=0 \
  src-address=$SubnetBehindRouter2 dst-address=$SubnetBehindRouter1

# Cleanup: drop the globals, including the pre-shared key
/system script environment
  remove Router1WanAddr
  remove Router1WanCidr
  remove Router2WanAddr
  remove Router2WanCidr
  remove SubnetBehindRouter1
  remove SubnetBehindRouter2
  remove PreSharedKey
/
</file>

:!: Try to bring up the tunnel by pinging a host (IP) from one LAN subnet to the other.  The policy only negotiates SAs on demand, so you must send traffic through the tunnel for it to be established.

:!: **Important note**: While the router will properly route traffic between the LANs at this point, traffic originated by the router itself (netwatch, a ping from the CLI, etc.) is sourced from its WAN address and follows the default route, so it never matches the policy's source subnet.  If you need the router itself to be able to access the remote subnet, add a route via the LAN interface; the router then sources such traffic from its LAN address, the policy matches, and the packet is encrypted:

<file>
/ip route add disabled=no dst-address=<CidrBehindRemoteRouter> gateway=<LocalLanIF>

# for example where the remote subnet is 192.168.0.0/24 and the local LAN interface is bridge1:
/ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1
</file>

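The configuration above leaves the cipher choice to the ''default'' proposal and uses the pre-6.43 peer syntax.  The following is an added example, not from the original page or the Mikrotik wiki, showing the same tunnel for Router 1 in the RouterOS 6.43+ / v7 object model (profile, proposal, peer, identity, policy) with explicit AES-256/SHA-256 and IKEv2.  It reuses this page's sample addresses; the object names ''s2s-profile'', ''s2s-proposal'' and ''router2'' and the placeholder secret are assumptions, and both routers must run a RouterOS release that supports this syntax.  Router 2 gets the same commands with the addresses and subnets swapped.

```routeros
# Added example (not part of the original page): RouterOS 6.43+ / v7 syntax for
# the Router 1 side of the site-to-site tunnel above, with explicit AES/SHA-2
# settings instead of the 3des default.  Addresses are this page's sample values;
# the names s2s-profile, s2s-proposal and router2 are arbitrary.

# Phase 1 (IKE) settings: AES-256, SHA-256, 2048-bit DH group, dead peer detection
/ip ipsec profile
add name=s2s-profile enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d dpd-interval=30s dpd-maximum-failures=3

# Phase 2 (ESP) settings; PFS so a compromised IKE key does not expose old ESP keys
/ip ipsec proposal
add name=s2s-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=30m

# Peer: only the remote WAN /32 may negotiate, IKEv2 instead of IKEv1 main mode
/ip ipsec peer
add name=router2 address=192.168.80.1/32 local-address=192.168.90.1 \
    profile=s2s-profile exchange-mode=ike2

# Authentication is a separate object from 6.43 on.  Replace the secret with a
# long random string; it is stored in clear text on the router.
/ip ipsec identity
add peer=router2 auth-method=pre-shared-key secret="ReplaceWithALongRandomSecret"

# Policy: which traffic is encrypted.  peer= replaces sa-src-address/sa-dst-address.
/ip ipsec policy
add peer=router2 tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 \
    proposal=s2s-proposal action=encrypt level=require

# NAT bypass still has to sit above the masquerade rule, exactly as in the
# original configuration.
/ip firewall nat
add chain=srcnat action=accept place-before=0 comment="NAT Bypass for VPN" \
    src-address=10.1.202.0/24 dst-address=10.1.101.0/24
```

With IKEv2 and ''dpd-interval'' set, a dead remote is detected and the SA is torn down instead of silently blackholing traffic; ''level=require'' keeps the on-demand behaviour described above, so the tunnel still comes up only when matching traffic is sent.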
===== One Side with Dynamic/Private/DHCP Address =====

FIXME

:!: If you have more than one peer, especially if any other peers are statically addressed, change the ''[find]'' in the next commands to the number of the peer with the dynamic IP address, otherwise every peer is rewritten.

On the router with the static address, adjust the peer definition from above so that it accepts IKE from any address and builds its policy from whatever the dynamic side proposes:

<file>
/ip ipsec peer
  print
  set address=0.0.0.0/0 [find]
  set generate-policy=port-override [find]
</file>

and remove or disable any existing policies on that router, possibly deleting all like:

<file>
/ip ipsec policy remove [find]
</file>

:!: With ''address=0.0.0.0/0'' anyone who knows the pre-shared key can negotiate a tunnel from anywhere, and ''generate-policy'' lets the initiator choose which subnets are tunnelled, so the key must be strong and the firewall should still restrict which sources may reach UDP 500/4500.  The router with the dynamic address keeps its full peer and policy configuration from the static-IP section.

===== VPN Status =====

Check status (on RouterOS 6.43 and later ''remote-peers'' is called ''active-peers''):

<file>
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec statistics print
/ip ipsec policy print stats
</file>

===== Multiple Subnets Behind Routers =====

Add an additional policy for the additional subnet to both routers similar to the first, plus a matching NAT bypass rule for each new subnet pair; without the bypass the extra subnet is masqueraded and never matches its policy.

===== Close All IPsec Connections =====

<file>
/ip ipsec remote-peers kill-connections
</file>

:!: The tunnel will not necessarily come up on its own.  Traffic destined for the remote network will bring the tunnel up automatically.

===== Troubleshooting =====

==== Logging ====

**System -> Logging -> Add -> Topics -> IPSec -> Memory** (or ''/system logging add topics=ipsec action=memory'' at the CLI), then watch ''/log print follow'' while sending traffic across the tunnel.  A wrong pre-shared key or a proposal mismatch shows up here as a failed Phase 1 or Phase 2 negotiation.

===== Firewall =====

http://forum.mikrotik.com/viewtopic.php?f=2&t=79151

http://superuser.com/questions/679236/mikrotik-firewall-rule-block-all-connection-except-to-vpn-server

A pure IPSec site-to-site tunnel as configured above needs only IKE (UDP 500), ESP, and UDP 4500 when NAT traversal is in play.  The L2TP rule below is only needed for **L2TP/IPSec** (road-warrior) setups.  **L2TP/IPSec** uses:

  * UDP port 1701
    * L2TP (it runs over UDP, not TCP; with IPSec the L2TP packet arrives inside ESP and re-enters the ''input'' chain after decryption, so this rule can be restricted with ''ipsec-policy=in,ipsec'')
  * UDP port 500
    * Internet Security Association and Key Management Protocol (ISAKMP), i.e. IKE
    * To negotiate the security association and authenticate the peer (pre-shared key or certificate)
  * ESP (IP Protocol 50)
    * Encapsulating Security Payload; carries the encrypted traffic
  * AH (IP Protocol 51)
    * Authentication Header; integrity only, rarely used and not needed for the ESP-only proposals on this page
  * UDP Port 4500
    * NAT Traversal (NAT-T); both IKE and ESP are wrapped in UDP 4500 once a NAT is detected

Accept L2TP/IPSec:

:!: These rules should be further limited by source address (the peer's WAN /32), and if NAT-T is possible a matching rule for UDP 4500 is needed as well.  Because each rule is added with ''place-before=0'', the last one added ends up on top.

<file>
/ip firewall filter
  add chain=input action=accept in-interface=ether1 protocol=udp dst-port=1701 \
    place-before=0 comment="Accept L2TP"
  add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500 \
    place-before=0 comment="Accept IPSec (ISAKMP)"
  add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    place-before=0 comment="Accept IPSec (ESP)"
  add chain=input action=accept in-interface=ether1 protocol=ipsec-ah \
    place-before=0 comment="Accept IPSec (AH)"
</file>
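The rules above accept IKE and ESP from any source.  As an added example (not from the original page), the following is the tighter rule set for the site-to-site case on Router 1: IKE, NAT-T and ESP are accepted only from the known peer, AH is left closed, and the ''forward'' chain admits traffic from the remote LAN only if it was actually decrypted from an IPSec SA, so a clear-text packet arriving on the WAN with a spoofed ''10.1.101.0/24'' source is dropped.  It assumes ''ether1'' is the WAN interface and reuses this page's sample addresses; the address-list name ''ipsec-peers'' is arbitrary.  Router 2 gets the mirror image.

```routeros
# Added example (not part of the original page): hardened firewall rules for the
# Router 1 side of the tunnel above.  ether1 = WAN, 192.168.80.1 = Router 2 WAN,
# 10.1.101.0/24 = LAN behind Router 2, 10.1.202.0/24 = LAN behind Router 1.

# Peers allowed to negotiate IPsec; add one entry per remote router.
/ip firewall address-list
add list=ipsec-peers address=192.168.80.1 comment="Router 2 WAN"

/ip firewall filter
# Rules are inserted with place-before=0, so the last one added ends up on top.
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500 \
    src-address-list=ipsec-peers place-before=0 comment="Accept IKE (ISAKMP) from peers"
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=4500 \
    src-address-list=ipsec-peers place-before=0 comment="Accept IKE/ESP NAT-T from peers"
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    src-address-list=ipsec-peers place-before=0 comment="Accept ESP (IP proto 50) from peers"
# No rule for ipsec-ah: the ESP-only proposal never produces AH (IP proto 51) packets.

# Decrypted packets re-enter the firewall with ipsec-policy=in,ipsec; only those
# may flow from the remote LAN into ours.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24 place-before=0 \
    comment="Allow decrypted VPN traffic into LAN"
# A clear-text packet on the WAN claiming the remote LAN as source never matched
# an IPsec policy (ipsec-policy=in,none) and is a spoof; drop it.  Order between
# these two forward rules does not matter because the matchers are disjoint.
add chain=forward action=drop in-interface=ether1 ipsec-policy=in,none \
    src-address=10.1.101.0/24 place-before=0 \
    comment="Drop clear-text packets spoofing the remote LAN"
```

''ipsec-policy=in,ipsec'' is the property that distinguishes traffic that came out of an ESP SA from traffic that merely carries the right source address; relying on source address alone, as the original rules do, lets anyone on the WAN path inject packets that look like they came from the other site.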
networking/router/mikrotik_vpn_s2s_static.1398918546.txt.gz · Last modified: 2014/04/30 22:29 by gcooper