====== Mikrotik IPSec Site to Site VPN ======

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

:!: **Important note**: You **must** allow the IPSec traffic through your firewall for a connection to be established. See the Firewall section below.

===== Both Ends with Static IPs =====

**Diagram**: http://gregsowell.com/?p=787

**Video for Diagram**: http://gregsowell.com/wink/mtklan2lan/mtklan2lan.swf

**From the Mikrotik Wiki**: http://wiki.mikrotik.com/wiki/IPsec#Site_to_Site_IpSec_Tunnel

{{ :networking:router:site-to-site-ipsec-example.png?nolink |Sample Site-to-Site Configuration Diagram}}

==== IPSec Components ====

On each Mikrotik router:

  * Peer Definition and Authentication Identity
    * Phase 1
  * Policy Definition
    * Phase 2
  * Proposal
    * Settings used in Phase 2
    * Cisco Transform Set
    * Default proposal and default profile in your identity will result in ''SHA1-AES-CBC'' with 128-bit encryption
      * Very fast but less secure than ''SHA256-AES-CBC'' with 256-bit encryption
      * Many Mikrotik routers support hardware acceleration of ''SHA256-AES-CBC'' with 256-bit encryption
  * NAT Bypass Rule
    * S2S traffic won't pass until done

==== Variables for Both Routers ====

Modify these for your networks and paste them at the CLI of both routers:

:!: Note that older ROS had the default proposal with ''3DES'' encryption while newer versions have ''AES''.

:!: You need to use ''SHA1'' or ''SHA256'' with ''AES-CBC'' to take advantage of **hardware encryption** in most Mikrotik routers. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration

:!: Note that we use /32 instead of the actual subnet mask of the WAN interfaces for simplicity and security. Use the proper subnet masks for the subnets behind the routers.
<code>
:global Site1Name "YourSite1Name"
:global Router1WanAddr "192.168.90.1"
:global Router1WanCidr "192.168.90.1/32"
:global SubnetBehindRouter1 "10.1.202.0/24"
:global Site2Name "YourSite2Name"
:global Router2WanAddr "192.168.80.1"
:global Router2WanCidr "192.168.80.1/32"
:global SubnetBehindRouter2 "10.1.101.0/24"
:global PreSharedKey "YourPreSharedKey"
</code>

==== Router 1 (Left; Core) ====

Paste this into the CLI of router 1:

<code>
# Peer Definition
/ip ipsec peer add address=$Router2WanCidr name=$Site2Name profile=default

# Peer Identity
/ip ipsec identity add peer=$Site2Name secret=$PreSharedKey

# Policy Definition
/ip ipsec policy add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \
    src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes

# NAT bypass rule (must sit above the masquerade rule, hence place-before=0)
/ip firewall nat add chain=srcnat action=accept comment="NAT Bypass for $Site2Name VPN" place-before=0 \
    src-address=$SubnetBehindRouter1 dst-address=$SubnetBehindRouter2

# Cleanup: remove the globals, including the pre-shared key, so they do not linger in the script environment
/system script environment
remove Site1Name
remove Router1WanAddr
remove Router1WanCidr
remove SubnetBehindRouter1
remove Site2Name
remove Router2WanAddr
remove Router2WanCidr
remove SubnetBehindRouter2
remove PreSharedKey
/
</code>

==== Router 2 (Right; CPE) ====

Paste this into the CLI of router 2:

<code>
# Peer Definition
/ip ipsec peer add address=$Router1WanCidr name=$Site1Name profile=default

# Peer Identity
/ip ipsec identity add peer=$Site1Name secret=$PreSharedKey

# Policy Definition (mirror image of the policy on router 1)
/ip ipsec policy add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \
    src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes

# NAT bypass rule (must sit above the masquerade rule, hence place-before=0)
/ip firewall nat add chain=srcnat action=accept comment="NAT Bypass for $Site1Name VPN" place-before=0 \
    src-address=$SubnetBehindRouter2 dst-address=$SubnetBehindRouter1

# Cleanup: remove the globals, including the pre-shared key, so they do not linger in the script environment
/system script environment
remove Site1Name
remove Router1WanAddr
remove Router1WanCidr
remove SubnetBehindRouter1
remove Site2Name
remove Router2WanAddr
remove Router2WanCidr
remove SubnetBehindRouter2
remove PreSharedKey
/
</code>

:!: Try to bring up the tunnel by pinging a host (IP) from one LAN subnet to the other. You must send traffic **through** the tunnel for it to be established.

:!: **Important note**: While the router will properly route traffic **between the LANs** at this point, the router itself does not have a route to the remote subnet. If you need the router itself (i.e. netwatch, etc.) to be able to access the remote subnet, you will have to add a route:

<code>
/ip route add disabled=no dst-address= gateway=
</code>

For example, where the remote subnet is ''192.168.0.0/24'' and the local LAN interface is ''bridge1'':

<code>
/ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1
</code>

===== One Side with Dynamic IP =====

https://mivilisnet.wordpress.com/2020/07/06/mikrotik-site-to-site-ipsec-when-one-router-has-a-dynamic-wan-ip-address/

To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**:

  * Modify the (dynamic IP) peer definition on the router with the static WAN IP:
    * Set the IP address to ''0.0.0.0/0''
    * Select ''Passive''
    * Deselect ''Send INITIAL_CONTACT''
    * Responder
  * Modify the (static IP) peer definition on the router with the dynamic WAN IP:
    * Set the IP address to the static WAN IP address of the other router
    * Deselect ''Passive''
    * Select ''Send INITIAL_CONTACT''
    * Initiator

==== Router with Static IP ====

:!: In this example, this router has two LAN subnets behind it.

<code>
/ip ipsec peer
add name=peername passive=yes
/ip ipsec identity
add peer=peername secret=yourpresharedkey
/ip ipsec policy
set 0 disabled=yes
add comment="Destination and Source LAN Subnets" dst-address=192.168.20.0/24 peer=peername src-address=\
    192.168.0.0/24 tunnel=yes
add comment="Additional LAN Subnet Behind This Router" dst-address=192.168.20.0/24 peer=peername src-address=\
    192.168.2.0/24 tunnel=yes
</code>

==== Router with Dynamic IP ====

:!: This router has a single LAN subnet behind it.
<code>
/ip ipsec peer
add address=123.123.123.123/32 name=peer-with-static-ip-name
/ip ipsec identity
add peer=peer-with-static-ip-name secret=yourpresharedkey
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.0.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
add dst-address=10.10.1.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
</code>

FIXME The rest of this section needs verification.

http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html

On the router with a dynamic address, add the following script (name ''update_ipsec_pol_dyn_ip'', policy ''read,write,test'') to update the VPN policy whenever the WAN address changes:

<code>
# Script to update the IPSec policies in case of a dynamic IP address change
#
:log info "Running IPSec policy update script for dynamic IP change"
:log info "WAN interface is ether1"
:local WANip [/ip address get [find interface="ether1"] address]
:log info "Interface IP is $WANip"
# Strip the prefix length by cutting at the slash; do not assume it is always three characters ("/24" vs "/8")
:set WANip [:pick $WANip 0 [:find $WANip "/"]]
:log info "IP sans the slash notation is $WANip"
/ip ipsec policy set 0 sa-src-address=$WANip
# If you have multiple policies for the same connection, add more lines
# You might need this if you have multiple IP subnets behind the remote peer
/ip ipsec policy set 1 sa-src-address=$WANip
</code>

===== VPN Status =====

Check status:

<code>
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec statistics print
/ip ipsec policy print stats
</code>

===== Multiple Subnets Behind Routers =====

  - Add an **additional policy** for the additional subnet to **both routers**, similar to the first.
  - Additionally, you must add an **additional NAT bypass rule** to **both routers**.

===== Close All IPsec Connections =====

<code>
/ip ipsec remote-peers kill-connections
</code>

:!: The tunnel will not necessarily come up on its own. Traffic destined for the remote network will bring the tunnel up automatically.
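As an added example (not from this page or from MikroTik), the helper below generates the mirrored command sets for both routers from the site variables used above, emitting one policy plus one NAT bypass rule per local/remote LAN pair so it also covers the Multiple Subnets section, and checks that the two sides are exact mirror images (the usual cause of a tunnel that negotiates but passes no traffic). The function names ''site_configs'' and ''mirrored'' and the site dictionaries are this example's own; the secret is left as the ''$PreSharedKey'' variable reference so the generated text can be pasted after the variables block.

```python
import ipaddress


def site_configs(site1, site2, psk="$PreSharedKey"):
    """Return {site name: [RouterOS commands]} for a mirrored site-to-site pair.

    Each site is a constructed dict: {"name": str, "wan": "a.b.c.d", "lans": ["x.y.z.0/24", ...]}.
    """
    nets = {}
    for site in (site1, site2):
        ipaddress.ip_address(site["wan"])                   # malformed WAN address -> ValueError
        # strict parsing: a subnet with host bits set ("10.1.1.5/24") is rejected, not silently masked
        nets[site["name"]] = [ipaddress.ip_network(n) for n in site["lans"]]
    for a in nets[site1["name"]]:
        for b in nets[site2["name"]]:
            if a.overlaps(b):                                # such traffic never leaves the local LAN
                raise ValueError(f"LANs {a} and {b} overlap; the policy could never match")
    out = {}
    for local, remote in ((site1, site2), (site2, site1)):
        lines = [
            # remote WAN as /32, matching the Router*WanCidr variables above
            f"/ip ipsec peer add address={remote['wan']}/32 name={remote['name']} profile=default",
            f"/ip ipsec identity add peer={remote['name']} secret={psk}",
        ]
        for lan in nets[local["name"]]:
            for rem in nets[remote["name"]]:
                lines.append(f"/ip ipsec policy add src-address={lan} dst-address={rem} "
                             f"sa-src-address={local['wan']} sa-dst-address={remote['wan']} "
                             f"peer={remote['name']} tunnel=yes")
                # bypass must precede masquerade, hence place-before=0
                lines.append(f"/ip firewall nat add chain=srcnat action=accept place-before=0 "
                             f"src-address={lan} dst-address={rem} "
                             f"comment=\"NAT Bypass for {remote['name']} VPN\"")
        out[local["name"]] = lines
    return out


def _selectors(lines):
    """Set of (src, dst) pairs taken from the generated policy commands."""
    pairs = set()
    for ln in lines:
        if ln.startswith("/ip ipsec policy add"):
            kv = dict(tok.split("=", 1) for tok in ln.split()[4:])
            pairs.add((kv["src-address"], kv["dst-address"]))
    return pairs


def mirrored(lines1, lines2):
    """True when every policy on one router is the exact reverse of one on the other."""
    return {(d, s) for s, d in _selectors(lines1)} == _selectors(lines2)
```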
===== Troubleshooting =====

==== Logging ====

**System -> Logging -> Add -> Topics -> IPSec -> Memory**

===== Firewall =====

**IPSec Firewall Rules**:

https://jcutrer.com/howto/networking/mikrotik/firewall-ruleset-ipsec-whitelisting

http://forum.mikrotik.com/viewtopic.php?f=2&t=79151

http://superuser.com/questions/679236/mikrotik-firewall-rule-block-all-connection-except-to-vpn-server

**L2TP/IPSec** uses:

  * TCP port 1701
    * L2TP
  * UDP port 500
    * Internet Security Association and Key Management Protocol (ISAKMP)
    * To negotiate security method (password, certificate, kerberos)
  * AH (Protocol ID 50)
    * Authentication Header
  * ESP (Protocol ID 51)
    * Encapsulated Secure Payload
  * UDP Port 4500
    * NAT Traversal (NAT-T)

Accept L2TP/IPSec:

:!: These rules could be further limited by interface and/or source address.

<code>
/ip firewall filter
add chain=input action=accept in-interface=ether1 protocol=tcp dst-port=1701 \
    place-before=0 comment="Accept L2TP"
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500 \
    place-before=0 comment="Accept IPSec (ISAKMP)"
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=4500 \
    place-before=0 comment="Accept IPSec (NAT-T)"
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    place-before=0 comment="Accept IPSec (ESP)"
add chain=input action=accept in-interface=ether1 protocol=ipsec-ah \
    place-before=0 comment="Accept IPSec (AH)"
</code>