6.45.6 ipsec site to site tutorial request

Hello,
I am new.
I bought 2 hAP ac2 routers and upgraded both to 6.45.6 OS.
I tried every tutorial on the internet to set up IPsec site to site, but none of these tutorials work.

So if you have time, please make a tutorial for IPsec site to site on version 6.45.6, step by step, if it's possible with pictures. -> talk a lot
Thank you all.

Did you look at this example?
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IPsec_tunnel

When you can start from scratch and do not need compatibility with another existing setup, do yourself a favor and skip the IPsec site-to-site tunnel setup.
It is possible to get it working but it is SO MUCH easier to do it this way:

  • make sure both sides have a different LAN range, not both the default 192.168.88.0/24! Change one to 192.168.188.0/24 for example.
  • create GRE interface at each end with IPsec secret set to the same (long random) value
  • add different IP address at each end in a network range that you are not yet using, like 10.0.0.1/30 and 10.0.0.2/30
  • add routes for the remote side that use this address as gateway, like 192.168.88.1/24 with gateway 10.0.0.1

That will just work, and it will be extendable to multiple sites and multiple network ranges, and no tricks with NAT required.

Sir, I’m trying to follow the example here:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_GRE_tunnel_over_IPsec_.28IKEv2.29_using_DNS

But it’s impossible to make it work; Mikrotik tutorials are always incomplete and extremely frustrating :frowning:

All I’m trying to do is a very simple VPN site-to-site with two Mikrotik routers. But the tutorial ignores Mikrotik default firewall rules. I suspect something in the default firewall configuration is blocking access, but I don’t know what.

Could you please post which lines we have to add to obtain a working site-to-site VPN between two Mikrotik hAP ac2 routers in their default configuration?

The default firewall configurations differ for different RouterOS releases, so it is better to post the configuration export.

For IPsec itself, you have to permit, at responder side, inbound connections to UDP port 500 and for ESP if there is no NAT between the peers; if there is NAT, connections to UDP ports 500 and 4500 must be permitted and permitting ESP is not necessary.

So one or both rules below, as explained above, must be placed just before (above) the last action=drop rule in chain input:
chain=input protocol=udp dst-port=500,4500 src-address=ip.of.remote.peer action=accept
chain=input protocol=ipsec-esp src-address=ip.of.remote.peer action=accept

Handling of GRE in firewall got broken by a security patch in 6.45.something, so if you don’t have a strong reason to use GRE, use an IPIP tunnel instead. It has less overhead and it causes less headache. If you don’t disable the keepalive functionality of the IPIP interface, you don’t need to add any firewall rule for the IPIP protocol; otherwise, add
chain=input protocol=ipencap ipsec-policy=in,ipsec action=accept
right before or right after the rule(s) mentioned above.

I’ve upgraded both Mikrotik hAP ac2 routers to the latest stable version (6.48.1). This is the relevant configuration in the Mikrotik Site 1 (Headquarters):


/interface bridge add name=blankbridge1
/interface gre add local-address=192.168.99.1 name=gre-tunnel1 remote-address=192.168.99.2

/ip ipsec mode-config add address=192.168.99.2 address-prefix-length=32 name=cfg1 split-include=192.168.99.1/32
/ip ipsec policy group add name=group1
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-128 lifetime=8h name=profile1
/ip ipsec peer add name=peer1 passive=yes profile=profile1 send-initial-contact=no
/ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=proposal1 pfs-group=none
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=cfg1 password=blablabla peer=peer1 policy-template-group=group1 secret=blablapsk username=user1
/ip ipsec policy add dst-address=192.168.99.2/32 group=group1 proposal=proposal1 src-address=192.168.99.1/32 template=yes

/ip route add distance=1 dst-address=192.168.9.0/24 gateway=172.16.1.2

/ip address add address=192.168.99.1 interface=blankbridge1 network=192.168.99.1
/ip address add address=192.168.8.1/24 comment=defconf interface=bridge network=192.168.8.0
/ip address add address=172.16.1.1/30 interface=gre-tunnel1 network=172.16.1.0

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input protocol=gre
/ip firewall filter add action=accept chain=input dst-port=500,4500 in-interface-list=WAN protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

And this is the relevant configuration in Mikrotik Site 2 (Branch Office)


/interface gre add local-address=192.168.99.2 name=gre-tunnel1 remote-address=192.168.99.1

/ip ipsec mode-config add name=cfg1 responder=no use-responder-dns=no
/ip ipsec policy group add name=group1
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-128 lifetime=8h name=profile1
/ip ipsec peer add address=blablabla.sn.mynetname.net name=peer1 profile=profile1
/ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=proposal1 pfs-group=none
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=cfg1 password=blablabla peer=peer1 policy-template-group=group1 secret=blablapsk username=user1
/ip ipsec policy add dst-address=192.168.99.1/32 group=group1 proposal=proposal1 src-address=192.168.99.2/32 template=yes

/ip route add distance=1 dst-address=192.168.8.0/24 gateway=172.16.1.1

/ip address add address=192.168.9.1/24 comment=defconf interface=bridge network=192.168.9.0
/ip address add address=172.16.1.2/30 interface=gre-tunnel1 network=172.16.1.0

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input protocol=gre
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Unfortunately, it doesn’t work. I get an IPSec connection, but the GRE tunnels don’t work, and the routes are unreachable :frowning:

So you insist it must be GRE, you cannot use IPIP instead? Why?

I’ve also tried with IPIP, but I get the same results as with GRE :frowning:

There must be something in the default Firewall configuration, but what could it be?

I’ve already disabled FastTrack. Should I try to tweak the NAT?

I thought that GRE tunnels would allow me to avoid having to do strange NAT tricks.

Ah, yes, you forgot to exempt the traffic between 192.168.99.1 and 192.168.99.2 from the masquerade rule, so it gets src-nated and the IPsec policy cannot see it.

Add a rule src-address=192.168.99.0/30 dst-address=192.168.99.0/30 chain=srcnat action=accept before (above) the masquerade one at both devices. Then either disable the tunnel interfaces at both devices and wait 10 minutes before re-enabling them, or issue /ip firewall connection remove [find protocol=gre] (or protocol=ipencap in case of IPIP tunnel).
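As an added example (not from this thread or from MikroTik), here is a small Python checker that parses the relevant `/ip firewall` lines of a RouterOS export and flags the three gaps discussed above: no accept for IKE (UDP 500,4500) or ESP above the final drop in chain input, and the tunnel-endpoint traffic not exempted from masquerade in chain srcnat. The export strings are constructed from the Site 1 configuration posted above, and the function names are mine.

```python
import re
import shlex

# Constructed sample (not from a live router): the input-chain and srcnat
# lines of the Site 1 export posted above, before the fix.
SITE1_BEFORE = """\
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input dst-port=500,4500 in-interface-list=WAN protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
"""
# The same export with the exemption rule from the reply placed above masquerade.
SITE1_AFTER = SITE1_BEFORE.replace(
    "/ip firewall nat add action=masquerade",
    "/ip firewall nat add action=accept chain=srcnat src-address=192.168.99.0/30 dst-address=192.168.99.0/30\n"
    "/ip firewall nat add action=masquerade")

def parse_rules(export):
    """Yield (table, {key: value}) for each '/ip firewall <table> add ...' line, in order."""
    for line in export.splitlines():
        m = re.match(r"/ip firewall (filter|nat) add (.*)", line.strip())
        if m:  # shlex keeps quoted comments as one token
            yield m.group(1), dict(tok.split("=", 1) for tok in shlex.split(m.group(2)))

def check_responder(export, tunnel_net="192.168.99.0/30"):
    """Return findings for a responder-side export; empty means the rules from the thread are in place."""
    rules = list(parse_rules(export))
    inp = [r for t, r in rules if t == "filter" and r.get("chain") == "input"]
    nat = [r for t, r in rules if t == "nat" and r.get("chain") == "srcnat"]
    findings = []
    # An accept only helps if it sits above the last action=drop in chain input.
    drops = [i for i, r in enumerate(inp) if r.get("action") == "drop"]
    reachable = inp[:drops[-1]] if drops else inp
    def accepts(pred):
        return any(r.get("action") == "accept" and pred(r) for r in reachable)
    if not accepts(lambda r: r.get("protocol") == "udp"
                   and {"500", "4500"} <= set(r.get("dst-port", "").split(","))):
        findings.append("input: no accept for IKE (udp 500,4500) above the final drop")
    if not accepts(lambda r: r.get("protocol") == "ipsec-esp"):
        findings.append("input: no accept for ESP above the final drop")
    # Tunnel-endpoint traffic must be accepted before the masquerade rule sees it.
    masq = [i for i, r in enumerate(nat) if r.get("action") == "masquerade"]
    before = nat[:masq[0]] if masq else nat
    if masq and not any(r.get("action") == "accept" and r.get("src-address") == tunnel_net
                        and r.get("dst-address") == tunnel_net for r in before):
        findings.append(f"srcnat: {tunnel_net} tunnel endpoints are not exempted from masquerade")
    return findings
```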

Yes, you’re right. Adding that rule and restarting both routers solved the problem!

I’ve been able to go back to GRE tunnels, and they work correctly too!! :slight_smile:

I understand that GRE tunnels have more overhead than IPIP, but they support IPv6. To be honest, I don’t really need IPv6 right now, but I suppose it’s better to configure GRE tunnels to be “future proof” whenever I need IPv6 some day.

Anyway, thanks a lot. I get frustrated a lot with the current (old) Mikrotik wiki. I understand that all the information is there, but it’s spread out in different chapters and very difficult to find. It’s extraordinarily difficult for newbies!

The NAT rule should have been no problem, unless the GRE or IPIP tunnel interface is in the interface list WAN. It should NOT be in that list!

@pe1chl, the issue was different - it’s the transport (GRE or IPIP) packets that got src-nated, not the payload ones. The transport ones are routed via the WAN before the policy diverts them.

Ok… I don’t understand why the external addresses of the GRE tunnels were set to a NAT’ed address, I always set those to the external address of the router.
Of course this method may be more convenient when the external address is not fixed.

Yes, tunnel mode of the IPsec encapsulation allows using fixed internal addresses as the GRE/IPIP endpoint ones whilst the WAN address of at least the initiator keeps changing. The price to pay is the extra IP header, consuming part of the MTU, so less space in the transport packet remains for the payload.