Differences

This shows you the differences between two versions of the page.

--- mikrotik_ikev1_with_ipsec_psk [2022/03/04 14:33]
mgamel
+++ mikrotik_ikev1_with_ipsec_psk [2022/03/04 14:47] (current)
mgamel
@@ Line 2: / Line 2: @@
 https://wiki.mikrotik.com/wiki/Manual:IP/IPsec\\
+{{:site-to-site-ipsec-example.png?800|}}
 ==== Site to Site IPsec tunnel ====
+== Site 1 Config==
 Start off by creating new Phase 1 profile and Phase 2 proposal entries using stronger or weaker encryption parameters that suits your needs. It is advised to create separate entries for each menu so that they are unique for each peer in case it is necessary to adjust any of the settings in the future. These parameters must match between the sites or else the connection will not establish.\\
@@ Line 31: / Line 33: @@
 add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any \
 tunnel=yes action=encrypt proposal=ike1-site2 peer=ike1-site2
+</code>
+== Site 2 Config ==
+Office 2 configuration is almost identical as Office 1 with proper IP address configuration. Start off by creating new Phase 1 profile and Phase 2 proposal entries.
+<code>
+/ip ipsec profile
+add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
+/ip ipsec proposal
+add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
+</code
+Next is the peer and identity.
+<code>
+/ip ipsec peer
+add address=192.168.90.1/32 name=ike1-site1 profile=ike1-site1
+/ip ipsec identity
+add peer=ike1-site1 secret=thisisnotasecurepsk
+</code>
+When it is done, create a policy:
+<code>
+/ip ipsec policy
+add src-address=10.1.101.0/24 src-port=any dst-address=10.1.202.0/24 dst-port=any \
+tunnel=yes action=encrypt proposal=ike1-site1 peer=ike1-site1
+</code>
+At this point, the tunnel should be established and two IPsec Security Associations should be created on both routers:
+<code>
+/ip ipsec
+active-peers print
+installed-sa print
+</code>
+== NAT and Fasttrack Bypass ==
+At this point if you try to send traffic over the IPsec tunnel, it will not work, packets will be lost. This is because both routers have NAT rules (masquerade) that is changing source address before packet is encrypted. Router is unable to encrypt the packet, because source address do not match address specified in policy configuration. For more information see IPsec packet flow example.
+To fix this we need to set up IP/Firewall/NAT bypass rule.
+== Office 1 Router ==
+<code>
+/ip firewall nat
+add chain=srcnat action=accept  place-before=0 \
+ src-address=10.1.202.0/24 dst-address=10.1.101.0/24
+</code>
+== Office 2 Router ==
+<code>
+/ip firewall nat
+add chain=srcnat action=accept  place-before=0 \
+ src-address=10.1.101.0/24 dst-address=10.1.202.0/24
+</code>
+It is very important that bypass rule is placed at the top of all other NAT rules.
+Another issue is if you have IP/Fasttrack enabled, packet bypasses IPsec policies. So we need to add accept rule before FastTrack.
+<code>
+/ip firewall filter
+add chain=forward action=accept place-before=1
+ src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
+add chain=forward action=accept place-before=1
+ src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related
+</code>
+However, this can add significant load to router's CPU if there is a fair amount of tunnels and significant traffic on each tunnel.
+Solution is to use IP/Firewall/Raw to bypass connection tracking, that way eliminating need of filter rules listed above and reducing load on CPU by approximately 30%.
+<code>
+/ip firewall raw
+add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
+add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
 </code>

DokuWiki

User Tools

Site Tools

Differences

Page Tools