Notes:
- I've been using the latest ROS6 (6.47.8) for this guide. Steps might differ on ROS7.
- The tutorial shows how to connect 2 routers, but at the end of this guide there are steps for connecting a 3rd router.
- Router A (internal VPN IP 10.22.22.1): VPN server. Has a public IP.
- Router B (internal VPN IP 10.22.22.2): VPN client. No public IP (it's behind NAT).
- Once the VPN tunnel is established, we build an EoIP tunnel on top of it.
- Hardware-accelerated IPSEC encryption support is listed here. I am using AES-256 because it's supported by every Mikrotik router that has hardware-accelerated IPSEC encryption of some sort. If you connect a router without hardware acceleration, you might want to reduce the encryption strength for better performance (at the cost of lower security).
Set up the IPSEC/IKE2 connection
Router A (VPN server) steps:
# Create CA certificate and sign it
/certificate add name="My CA" common-name="My CA" key-size=4096 days-valid=7300 key-usage=key-cert-sign,crl-sign
/certificate sign "My CA"
# Create server certificate and sign it
/certificate add name="My server" common-name="My server" subject-alt-name="DNS:XXXXXXXXXXX.sn.mynetname.net" key-size=4096 days-valid=3650 key-usage=tls-server
/certificate sign "My server" ca="My CA"
# Create client certificate, sign it and export it as PKCS12 keystore
/certificate add name="My client" common-name="My client" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "My client" ca="My CA"
/certificate export-certificate "My client" file-name=myclient type=pkcs12 export-passphrase=1234567890
# Copy myclient.p12 file from the Mikrotik to your PC
# The internal VPN address 10.22.22.1 is not assigned automatically, so create an empty bridge and put the address on it
/interface bridge add name=loopback
/ip address add address=10.22.22.1/24 interface=loopback
# IPSEC configuration
/ip ipsec mode-config add address=10.22.22.2 name="My mc" split-include=10.22.22.1/32 system-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add exchange-mode=ike2 name="My server" passive=yes profile="My profile"
# pfs-group=none disables Perfect Forward Secrecy for phase 2; set a DH group here if you want each child SA keyed independently
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc" peer="My server" policy-template-group="My group" remote-certificate="My client"
/ip ipsec policy add dst-address=10.22.22.2/32 level=unique peer="My server" proposal="My proposal" src-address=10.22.22.1/32 tunnel=yes
# Add the required src-nat rule; place-before=0 puts it above the main NAT (masquerade) rule so VPN traffic is not masqueraded
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0
# Additional steps:
# 1. You might need to add a rule in Firewall -> Filter to allow traffic from/to 10.22.22.1-10.22.22.2.
# 2. Bypass FastTrack. The easiest way is to place the rule(s) above the FastTrack rule.
# 3. You might need to allow your client router through the firewall so it can connect via IPSEC/IKE2.
Router B (VPN client) steps:
# Upload myclient.p12 file to Mikrotik
# Import uploaded certificate
/certificate import as-value file-name=myclient.p12 passphrase=1234567890
# Rename imported certificates
/certificate set [find where common-name="My CA"] name="My CA"
/certificate set [find where common-name="My client"] name="My client"
# IPSEC configuration
/ip ipsec mode-config add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add address=<address> exchange-mode=ike2 name="My peer" profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My client" generate-policy=port-strict mode-config="My mc" peer="My peer" policy-template-group="My group"
/ip ipsec policy add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" src-address=10.22.22.2/32 tunnel=yes
# Add the required src-nat rule; place-before=0 puts it above the main NAT (masquerade) rule so VPN traffic is not masqueraded
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.2 place-before=0
# Additional steps:
# 1. You might need to add a rule in Firewall -> Filter to allow traffic from/to 10.22.22.1-10.22.22.2.
# 2. Bypass FastTrack. The easiest way is to place the rule(s) above the FastTrack rule.
# At this point you should see "PH2 State" established in "/ip ipsec policy print" and 2 entries in "/ip ipsec installed-sa print"...
Ping should work in both directions. Validate it:
# Run in Router A
ping 10.22.22.2
# Run in Router B
ping 10.22.22.1
Set up the EoIP tunnel
Note that we disable keepalive to get rid of EoIP tunnel flapping, which causes disconnects (e.g. in multiplayer games).
# Run in Router A
/interface eoip add !keepalive local-address=10.22.22.1 name="My EoIP" remote-address=10.22.22.2 tunnel-id=0
# Run in Router B
/interface eoip add !keepalive local-address=10.22.22.2 name="My EoIP" remote-address=10.22.22.1 tunnel-id=0
BONUS: Connect an additional router to the VPN server
Router A (VPN server) steps:
# Generate the client2 certificate (its name must match the one signed and exported below)
/certificate add name="My client2" common-name="My client2" key-size=4096 days-valid=3650 key-usage=tls-client
# Sign it with the CA
/certificate sign "My client2" ca="My CA"
# Export the client certificate in PKCS12 format
/certificate export-certificate "My client2" file-name=myclient2 type=pkcs12 export-passphrase=1234567890
# Copy myclient2.p12 file from the Mikrotik to your PC
# IPSEC configuration
/ip ipsec mode-config add address=10.22.22.3 name="My mc2" split-include=10.22.22.1/32 system-dns=no
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc2" peer="My server" policy-template-group="My group" remote-certificate="My client2"
/ip ipsec policy add dst-address=10.22.22.3/32 level=unique peer="My server" proposal="My proposal" src-address=10.22.22.1/32 tunnel=yes
# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.3 to-addresses=10.22.22.1 place-before=0
Router C (VPN client, the second router we connect to the VPN server) steps:
# Upload myclient2.p12 file to Mikrotik
# Import uploaded certificate
/certificate import as-value file-name=myclient2.p12 passphrase=1234567890
# Rename imported certificates
/certificate set [find where common-name="My CA"] name="My CA"
/certificate set [find where common-name="My client2"] name="My client2"
# IPSEC configuration
/ip ipsec mode-config add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add address=<address> exchange-mode=ike2 name="My peer" profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My client2" generate-policy=port-strict mode-config="My mc" peer="My peer" policy-template-group="My group"
/ip ipsec policy add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" src-address=10.22.22.3/32 tunnel=yes
# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.3 place-before=0
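The bonus section repeats one per-client pattern: client k gets address 10.22.22.(k+1), its own certificate, mode-config, identity, policy and NAT rule on Router A, plus a full IPSEC configuration on its own router. The Python generator below is added here and is not part of the original post or of RouterOS; it emits those commands for any client index, reproducing the guide's first client for k=1 and the bonus client for k=2. The export passphrase is a placeholder you must replace, and server_public stands in for the guide's <address>.

```python
import sys

VPN_NET = "10.22.22"          # internal VPN /24 used throughout the guide
SERVER_ADDR = f"{VPN_NET}.1"  # Router A's loopback address
PASSPHRASE = "CHANGE-ME"      # placeholder, not the guide's value: choose your own PKCS#12 passphrase

def client_params(k):
    """Naming scheme of the guide: client 1 has no suffix, client 2 onwards carries its index."""
    if not 1 <= k <= 253:
        raise ValueError("client index must be 1..253 (one /24; .1 is the server)")
    s = "" if k == 1 else str(k)
    return {"addr": f"{VPN_NET}.{k + 1}", "cert": f"My client{s}", "mc": f"My mc{s}", "file": f"myclient{s}"}

def server_commands(k):
    """Commands for Router A (VPN server) to admit client k: cert, fixed address, identity, policy, NAT."""
    p = client_params(k)
    return [
        f'/certificate add name="{p["cert"]}" common-name="{p["cert"]}" key-size=4096 days-valid=3650 key-usage=tls-client',
        f'/certificate sign "{p["cert"]}" ca="My CA"',
        f'/certificate export-certificate "{p["cert"]}" file-name={p["file"]} type=pkcs12 export-passphrase={PASSPHRASE}',
        f'/ip ipsec mode-config add address={p["addr"]} name="{p["mc"]}" split-include={SERVER_ADDR}/32 system-dns=no',
        # one identity per client: remote-certificate pins which client cert gets this mode-config (and so this address)
        f'/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="{p["mc"]}" peer="My server" policy-template-group="My group" remote-certificate="{p["cert"]}"',
        f'/ip ipsec policy add dst-address={p["addr"]}/32 level=unique peer="My server" proposal="My proposal" src-address={SERVER_ADDR}/32 tunnel=yes',
        f'/ip firewall nat add action=src-nat chain=srcnat dst-address={p["addr"]} to-addresses={SERVER_ADDR} place-before=0',
    ]

def client_commands(k, server_public="<address>"):
    """Commands for the k-th client router (Router B, C, ...); server_public is Router A's public IP or DNS name."""
    p = client_params(k)
    return [
        f'/certificate import as-value file-name={p["file"]}.p12 passphrase={PASSPHRASE}',
        '/certificate set [find where common-name="My CA"] name="My CA"',
        f'/certificate set [find where common-name="{p["cert"]}"] name="{p["cert"]}"',
        '/ip ipsec mode-config add name="My mc" responder=no use-responder-dns=no',
        '/ip ipsec policy group add name="My group"',
        '/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"',
        f'/ip ipsec peer add address={server_public} exchange-mode=ike2 name="My peer" profile="My profile"',
        '/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none',
        f'/ip ipsec identity add auth-method=digital-signature certificate="{p["cert"]}" generate-policy=port-strict mode-config="My mc" peer="My peer" policy-template-group="My group"',
        f'/ip ipsec policy add dst-address={SERVER_ADDR}/32 peer="My peer" proposal="My proposal" src-address={p["addr"]}/32 tunnel=yes',
        f'/ip firewall nat add action=src-nat chain=srcnat dst-address={SERVER_ADDR} to-addresses={p["addr"]} place-before=0',
    ]

if __name__ == "__main__":
    k = int(sys.argv[1]) if len(sys.argv) > 1 else 3   # client 3 = a fourth router, address 10.22.22.4
    print("\n".join(["# Router A (server)", *server_commands(k), "# Client router", *client_commands(k)]))
```

Run it with the client index as the only argument and paste each half into the matching router; the firewall filter and FastTrack notes from the main guide still apply per client.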