mikrotik_ikev1_with_ipsec_psk
Revision 2022/03/04 14:47 (current) by mgamel; previous revision 2022/03/04 14:28 by mgamel.

==== Document Sources ====
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec\\

{{:site-to-site-ipsec-example.png?800|}}
==== Site to Site IPsec tunnel ====
== Site 1 Config ==
Start off by creating a new Phase 1 profile and a Phase 2 proposal with the encryption parameters that suit your needs. It is advised to create separate entries in each menu so that they are unique per peer, in case any of the settings has to be adjusted for one tunnel later. The profile (Phase 1) and proposal (Phase 2) parameters must match between the two sites or the connection will not establish. Note that the entries below leave the profile's hash-algorithm and the proposal's auth-algorithms at their defaults (sha1); set both to sha256 on both sides if your peers support it.\\
  
<code>
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
</code>

Continue by configuring a peer. Specify the address of the remote router. This address must be reachable on UDP/500 and UDP/4500 (and, when no NAT is detected between the peers, ESP is carried directly as IP protocol 50), so make sure the router's input firewall accepts this traffic from the remote peer. Specify the name for this peer as well as the newly created profile.\\

<code>
/ip ipsec peer
add address=192.168.80.1/32 name=ike1-site2 profile=ike1-site2
</code>
The next step is to create an identity. For a basic pre-shared key secured tunnel there is not much to set except for a strong secret and the peer to which this identity applies. The secret shown below is a placeholder and is exactly as weak as its name says: use a long random string, and configure the same value on both routers.

<code>
/ip ipsec identity
add peer=ike1-site2 secret=thisisnotasecurepsk
</code>

Lastly, create a policy which controls the networks/hosts between which traffic should be encrypted.

<code>
/ip ipsec policy
add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any \
tunnel=yes action=encrypt proposal=ike1-site2 peer=ike1-site2
</code>

== Site 2 Config ==

The Site 2 configuration is almost identical to Site 1, with the addresses swapped. Start off by creating new Phase 1 profile and Phase 2 proposal entries.

<code>
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
</code>
Next is the peer and identity.
<code>
/ip ipsec peer
add address=192.168.90.1/32 name=ike1-site1 profile=ike1-site1
/ip ipsec identity
add peer=ike1-site1 secret=thisisnotasecurepsk
</code>
When that is done, create a policy:
<code>
/ip ipsec policy
add src-address=10.1.101.0/24 src-port=any dst-address=10.1.202.0/24 dst-port=any \
tunnel=yes action=encrypt proposal=ike1-site1 peer=ike1-site1
</code>
At this point the tunnel should be established and two IPsec Security Associations (one per direction) should be installed on each router:
<code>
/ip ipsec
active-peers print
installed-sa print
</code>
== NAT and Fasttrack Bypass ==
At this point, if you try to send traffic over the IPsec tunnel, it will not work and packets will be lost. This is because both routers have NAT rules (masquerade) that change the source address before the packet is encrypted. The router is then unable to encrypt the packet because the source address no longer matches the address specified in the policy. For more information see the IPsec packet flow example in the manual.

To fix this we need to set up an IP/Firewall/NAT bypass rule.

== Site 1 Router ==
<code>
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
  src-address=10.1.202.0/24 dst-address=10.1.101.0/24
</code>
== Site 2 Router ==
<code>
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
  src-address=10.1.101.0/24 dst-address=10.1.202.0/24
</code>
It is very important that the bypass rule is placed above all other srcnat rules, otherwise the masquerade rule still wins.

Another issue is FastTrack: if IP/Fasttrack is enabled, fasttracked packets bypass the IPsec policies. So we need to add accept rules before the fasttrack-connection rule. place-before refers to the rule index shown by /ip firewall filter print; the only requirement is that both accept rules end up above the fasttrack-connection rule in the forward chain, so check the index on your router rather than assuming it is 1. (Newer default configurations already carry forward rules matching ipsec-policy=in,ipsec and ipsec-policy=out,ipsec ahead of FastTrack, which serve the same purpose without hard-coding subnets.)

<code>
/ip firewall filter
add chain=forward action=accept place-before=1 \
  src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 \
  src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related
</code>
However, this can add significant load to the router's CPU if there are a fair number of tunnels with significant traffic on each.

The alternative is to use IP/Firewall/Raw to bypass connection tracking for the tunnel traffic, which eliminates the need for the filter rules listed above and reduces CPU load by roughly 30%.

<code>
/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
</code>
Untracked packets are invisible to connection tracking, so no connection-state matcher applies to them: make sure the forward chain still accepts them (the default configuration accepts connection-state=untracked; otherwise add an explicit accept for the two subnets). Untracked packets are also not subject to NAT, so the srcnat bypass above becomes redundant for this traffic, though it is harmless to keep.
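The whole procedure above comes down to two routers whose Phase 1/Phase 2 parameters are identical, whose pre-shared key is the same, and whose policy selectors are exact mirrors, which is easy to get wrong when both sides are typed by hand. The following Python script is an added example, not code from this page or from MikroTik: it builds both routers' command sets (profile, proposal, peer, identity, policy, srcnat bypass and the raw notrack rules) from one tunnel specification, generates a random PSK in place of the placeholder secret, and cross-checks the two outputs before anything is pasted into a terminal. The Site, Crypto, site_config and check_mirror names are the example's own; the addresses are the page's example values.

```python
"""Generate and cross-check mirrored RouterOS IKEv1/PSK site-to-site configs.

Added example for this page, not from the MikroTik manual or RouterOS itself.
It turns the prose rule "Phase 1/Phase 2 parameters must match and policies
must mirror" into something checkable before touching either router.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    tag: str   # "site1"/"site2": objects on the *other* router are named ike1-<tag>
    wan: str   # address the far end sends IKE to (UDP/500, UDP/4500)
    lan: str   # local subnet carried through the tunnel


@dataclass(frozen=True)
class Crypto:
    dh_group: str = "modp2048"
    enc_algorithm: str = "aes-128"       # Phase 1 (profile) keyword
    enc_algorithms: str = "aes-128-cbc"  # Phase 2 (proposal) keyword
    pfs_group: str = "modp2048"


def new_psk(nbytes: int = 32) -> str:
    """256 bits of randomness instead of the page's placeholder secret."""
    return secrets.token_urlsafe(nbytes)


def site_config(local: Site, remote: Site, crypto: Crypto, psk: str) -> list[str]:
    """RouterOS commands for `local`; every object is named after the far end."""
    n = f"ike1-{remote.tag}"
    return [
        "/ip ipsec profile",
        f"add dh-group={crypto.dh_group} enc-algorithm={crypto.enc_algorithm} name={n}",
        "/ip ipsec proposal",
        f"add enc-algorithms={crypto.enc_algorithms} name={n} pfs-group={crypto.pfs_group}",
        "/ip ipsec peer",
        f"add address={remote.wan}/32 name={n} profile={n}",
        "/ip ipsec identity",
        f'add peer={n} secret="{psk}"',
        "/ip ipsec policy",
        f"add src-address={local.lan} src-port=any dst-address={remote.lan} dst-port=any "
        f"tunnel=yes action=encrypt proposal={n} peer={n}",
        # srcnat bypass goes above masquerade, or the source is rewritten
        # before the policy lookup and nothing ever matches.
        "/ip firewall nat",
        f"add chain=srcnat action=accept place-before=0 src-address={local.lan} dst-address={remote.lan}",
        # notrack both directions so FastTrack cannot pull the flow past IPsec.
        "/ip firewall raw",
        f"add action=notrack chain=prerouting src-address={local.lan} dst-address={remote.lan}",
        f"add action=notrack chain=prerouting src-address={remote.lan} dst-address={local.lan}",
    ]


def _fields(cfg: list[str], menu: str) -> dict[str, str]:
    """key=value map of the first `add` line under `menu` (values have no spaces)."""
    line = cfg[cfg.index(menu) + 1]
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def check_mirror(a: list[str], b: list[str]) -> list[str]:
    """Mismatches that would stop the tunnel establishing; empty means consistent."""
    problems: list[str] = []
    must_match = (
        ("/ip ipsec profile", ("dh-group", "enc-algorithm")),
        ("/ip ipsec proposal", ("enc-algorithms", "pfs-group")),
        ("/ip ipsec identity", ("secret",)),
    )
    for menu, keys in must_match:
        fa, fb = _fields(a, menu), _fields(b, menu)
        problems += [f"{menu} {k}: {fa[k]} != {fb[k]}" for k in keys if fa[k] != fb[k]]
    pa, pb = _fields(a, "/ip ipsec policy"), _fields(b, "/ip ipsec policy")
    if (pa["src-address"], pa["dst-address"]) != (pb["dst-address"], pb["src-address"]):
        problems.append("policy selectors are not mirrored")
    return problems


# The page's example addressing: site 1 LAN 10.1.202.0/24 behind 192.168.90.1,
# site 2 LAN 10.1.101.0/24 behind 192.168.80.1.
SITE1 = Site("site1", "192.168.90.1", "10.1.202.0/24")
SITE2 = Site("site2", "192.168.80.1", "10.1.101.0/24")

if __name__ == "__main__":
    psk = new_psk()
    cfg1 = site_config(SITE1, SITE2, Crypto(), psk)
    cfg2 = site_config(SITE2, SITE1, Crypto(), psk)
    for name, cfg in (("Site 1", cfg1), ("Site 2", cfg2)):
        print(f"# {name}\n" + "\n".join(cfg) + "\n")
    print("mismatches:", check_mirror(cfg1, cfg2) or "none")
```

Paste each printed block into the corresponding router's terminal. A non-empty result from check_mirror means the tunnel will not establish as generated; the common mistake it catches is copying one router's policy verbatim to the other instead of swapping src-address and dst-address.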