kapara
just joined
Topic Author
Posts: 13
Joined: Wed Jan 05, 2011 7:17 pm

IPSEC Tunnel between Mikrotik routers

Tue Mar 15, 2011 8:44 pm

I am having a very difficult time getting this to work. Documentation is very sparse and even when I enter the commands from the command line the commands error out. I am using the commands from the Wiki for IPSEC VPN. I am running Ver. 4.11. I am willing to pay someone to assist with this. I can pay via Paypal and can provide webex access.

Remote location has 2 internal subnets which must be able to route over IPSEC tunnel to primary location. More details can be provided later. Need someone who really understands IPSEC on Mikrotik.

Thanks,

Mark
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: IPSEC Tunnel between Mikrotik routers

Fri Mar 18, 2011 7:00 pm

If you post the commands that you're using to configure this and the error messages we can probably help you here.

Regards

Andrew
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: IPSEC Tunnel between Mikrotik routers

Sun Mar 20, 2011 12:10 am

1. site, Wan 1.1.1.1, Lan 10.1.1.0/24, getting VPN access to 10.2.2.0/24 and 192.168.2.0/24 from 10.1.1.0/24

/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=8h name=md5-aes-128-8h pfs-group=none

/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s \
    dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
    lifetime=8h nat-traversal=no proposal-check=obey secret=vErYsEcReTpReShArEdKeY send-initial-contact=yes
    
/ip ipsec policy
add src-address=10.1.1.0/24:any dst-address=10.2.2.0/24:any \
    sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
    ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
    action=encrypt tunnel=yes disabled=no
add src-address=10.1.1.0/24:any dst-address=192.168.2.0/24:any \
    sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
    ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
    action=encrypt tunnel=yes disabled=no

# So VPN traffic doesn't get NATed; covers all of 10.x.x.x and 192.168.x.x
/ip firewall nat
add place-before=0 action=accept chain=srcnat disabled=no dst-address=192.168.0.0/16
add place-before=0 action=accept chain=srcnat disabled=no dst-address=10.0.0.0/8

# Needed for Netwatch to work
/ip route
add disabled=no distance=1 dst-address=10.2.2.0/24 gateway=Lan scope=30 target-scope=10
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=Lan scope=30 target-scope=10

# Netwatch keeps the tunnels up; make sure the addresses exist and are pingable
/tool netwatch
add disabled=no host=10.2.2.1 interval=1m timeout=1s
add disabled=no host=192.168.2.1 interval=1m timeout=1s

2. site, Wan 2.2.2.2, Lan1 10.2.2.0/24, Lan2 192.168.2.0/24, getting VPN access to 10.1.1.0/24 from 10.2.2.0/24 and 192.168.2.0/24

/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=8h name=md5-aes-128-8h pfs-group=none
    
/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s \
    dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
    lifetime=8h nat-traversal=no proposal-check=obey secret=vErYsEcReTpReShArEdKeY send-initial-contact=no
    
/ip ipsec policy
add src-address=10.2.2.0/24:any dst-address=10.1.1.0/24:any \
    sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 \
    ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
    action=encrypt tunnel=yes disabled=no
add src-address=192.168.2.0/24:any dst-address=10.1.1.0/24:any \
    sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 \
    ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
    action=encrypt tunnel=yes disabled=no
    
# So VPN traffic doesn't get NATed; covers all of 10.x.x.x
/ip firewall nat
add place-before=0 action=accept chain=srcnat disabled=no dst-address=10.0.0.0/8
Last edited by psamsig on Sun Mar 20, 2011 4:28 pm, edited 1 time in total.
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: IPSEC Tunnel between Mikrotik routers

Sun Mar 20, 2011 4:25 pm

Two things to start with:

1: The peer addresses are incorrect. Site 1 should specify the WAN address of site 2 & vice versa

2: The NAT exclusion rules should have an action of 'reject'

Regards

Andrew
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSEC Tunnel between Mikrotik routers

Mon Mar 21, 2011 9:26 am

Sorry, just a question: why should we "reject" those packets?
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: IPSEC Tunnel between Mikrotik routers

Mon Mar 21, 2011 9:39 am

If you have a NAT rule that applies to all traffic leaving the local network then you'll need to exclude the traffic that is destined for the VPN tunnel and the remote office. You do this by placing a NAT rule before the general one that rejects this traffic.

There are some exceptions to this, e.g. if you have an overlapping address range between the two sites, but this would normally be handled by 1-to-1 NAT mapping.

Regards

Andrew
