Good day, I am in dire need of some assistance with my site to site vpn that I have established with AWS.
Hardware: RB4011iGS+ (arm)
Software: RouterOS v7.10.1
LAN: 10.10.0.0/24
AWS VPC network: 10.0.0.0/16
Customer gateway inside IP Address: x.x.x.130
Virtual Private gateway inside Address: x.x.x.129
My IPsec policies are as follows:
0 0.0.0.0/0 10.10.0.0/24 all
;;; Tunnel 1
1 A ipsec-aws-vpn-peer-0 yes x.x.x.130/32 x.x.x.129/32 all
;;; Tunnel 1
2 A ipsec-aws-vpn-peer-0 yes 10.10.0.0/24 10.0.0.0/16 all
My problems:
- I have to change the policy at position 1 to src: 0.0.0.0/0, dst: 0.0.0.0/0 in order for all traffic to go through the tunnel. However, when I do this, my traffic that does not need IPsec also routes through the tunnel: when I browse to facebook.com, that also tries to go through the tunnel. I need help setting this up so that such traffic doesn’t go through the tunnel but goes directly out of my WAN interface instead.
- When I have the setup as it is now, I have trouble routing back from AWS. Currently my WLAN devices are failing to get assigned IP addresses from the DHCP server, although a ping works just fine. I know this isn’t a good way to confirm connectivity, but I just need some assistance.
We previously had this set up on RouterOS v6 on an RB951G router without BGP, and it all worked just fine. We are trying to implement it with BGP on the RB4011 router because of the higher support.
I’m attaching my /export as well, for reference.
# 2023-07-17 15:15:04 by RouterOS 7.10.1
# software id = **ELIDED**
#
# model = RB4011iGS+
# serial number = **ELIDED**
/interface bridge
add admin-mac=48:A9:8A:B6:B9:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN Paratus"
set [ find default-name=ether2 ] name="ether2 - WAN MTC"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Review: both IKE profiles negotiate dh-group=modp1024. A 1024-bit DH group
# is below current guidance for new deployments; modp2048 or stronger is the
# usual choice when the peer supports it (confirm against the AWS tunnel options).
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=\
aes-128 hash-algorithm=sha256 lifetime=8h name=ipsec-aws-vpn-profile-0
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=\
aes-128 hash-algorithm=sha256 lifetime=8h name=ipsec-aws-vpn-profile-1
/ip ipsec peer
add address=13.x.x.97/32 disabled=yes exchange-mode=ike2 local-address=\
160.x.x.13 name=ipsec-aws-vpn-peer-1 profile=ipsec-aws-vpn-profile-1
add address=13.x.x.251/32 exchange-mode=ike2 local-address=160.x.x.13 \
name=ipsec-aws-vpn-peer-0 profile=ipsec-aws-vpn-profile-0
# Review: proposal ipsec-aws-vpn-0 (the one the active policies use) does not
# set auth-algorithms, so it runs with the RouterOS default (presumably sha1 —
# verify with /ip ipsec proposal print); ipsec-aws-vpn-1 pins sha256. Pinning
# the same value on both keeps the two tunnels consistent.
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-aws-vpn-0
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=1h name=\
ipsec-aws-vpn-1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface="ether1 - WAN Paratus" list=WAN
add interface="ether2 - WAN MTC" list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
/ip address
add address=10.10.0.1/24 comment=defconf interface=bridge network=10.10.0.0
add address=160.x.x.13/26 interface="ether1 - WAN Paratus" network=\
160.242.72.0
# Tunnel inside /30s are bound to the WAN port; they are the BGP peering and
# traffic-selector addresses for the AWS tunnels.
add address=169.x.x.130/30 comment="Tunnel 1 - inside IP" interface=\
"ether1 - WAN Paratus" network=169.x.x.128
add address=169.x.x.62/30 comment="Tunnel 2 - inside IP" disabled=yes \
interface="ether1 - WAN Paratus" network=169.x.x.60
/ip dhcp-client
add comment=defconf disabled=yes interface=bridge
# DHCP for the LAN is relayed across the tunnel to servers in the AWS VPC
# (10.0.0.0/16); the local DHCP server below is disabled.
/ip dhcp-relay
add dhcp-server=10.0.0.10,10.0.1.10 disabled=no interface=bridge name=\
ZA-CPTDCO001
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge lease-time=10m name=defconf
# Review: allow-remote-requests=yes makes the router a resolver for anyone who
# can reach udp/53 on it. It stays closed to the Internet only because the
# "drop ALL from WAN" input rule below sits before any rule that would admit
# port 53; keep that ordering if the filter is edited.
/ip dns
set allow-remote-requests=yes servers=8.8.4.4
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
# aws-bgp-broadcast-list-hq is the prefix set advertised to AWS by aws-cpt-bgp-0.
# Note that aws-cpt-bgp-1 references aws-bgp-broadcast-list (no -hq suffix),
# which is not defined anywhere in this export.
/ip firewall address-list
add address=10.10.0.0/24 list=aws-bgp-broadcast-list-hq
add address=13.x.x.90 list=binary-city-addresses
add address=160.x.x.159 list=binary-city-addresses
add address=41.x.x.128 list=binary-city-addresses
/ip firewall filter
# Review: udp/1701 (L2TP) is opened from WAN, but no L2TP server appears in
# this export; an IKEv2 site-to-site tunnel needs only 500/4500 plus ESP.
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN \
protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input protocol=icmp
# Review: this rule accepts every forwarded packet with no matcher, so all
# later forward rules — including the disabled defconf "drop invalid" and
# "drop all from WAN not DSTNATed" rules — are unreachable even if re-enabled.
# Forwarding is effectively wide open and is limited only by routing/NAT.
add action=accept chain=forward
# log-prefix has no effect unless log=yes is also set on the rule.
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related log-prefix=test-f22-comms
add action=accept chain=forward dst-address=169.x.x.129 src-address=\
169.x.x.130
add action=accept chain=forward dst-address=169.x.x.130 src-address=\
169.x.x.129
add action=accept chain=forward disabled=yes log=yes log-prefix=f22device \
src-address=10.10.0.28
add action=accept chain=forward dst-address=10.0.0.0/16 src-address=\
10.10.0.0/24
add action=accept chain=forward dst-address=10.10.0.0/24 src-address=\
10.0.0.0/16
# Review: these two rules admit any TCP/UDP port on the router (management
# services included) from the binary-city-addresses list. Restricting them to
# the ports actually needed (dst-port=...) limits exposure if one of those
# source addresses is ever compromised.
add action=accept chain=input in-interface-list=WAN protocol=tcp \
src-address-list=binary-city-addresses
add action=accept chain=input in-interface-list=WAN protocol=udp \
src-address-list=binary-city-addresses
# Default deny for the WAN-facing input chain; everything the router itself
# should answer from WAN must be accepted above this line.
add action=drop chain=input comment="drop ALL from WAN" in-interface-list=WAN
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec log-prefix=test
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec log-prefix=logtest
# Review: "drop invalid" on input is disabled; with it off, packets that do not
# belong to any tracked connection are only dropped on WAN by the rule above.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
# The connection mark cpt-network is set for VPC-bound traffic but nothing in
# this export consumes it (no routing-mark or mark-based rule references it).
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.0.0.0/16 \
new-connection-mark=cpt-network passthrough=yes
add action=accept chain=prerouting in-interface=bridge
/ip firewall nat
add action=accept chain=srcnat dst-address=169.x.x.129 src-address=\
169.x.x.130
add action=accept chain=dstnat dst-address=169.x.x.130 src-address=\
169.x.x.129
add action=accept chain=srcnat dst-address=169.x.x.61 src-address=\
169.x.x.62
# Review: to-addresses is only acted on by translating actions (src-nat,
# dst-nat, netmap); with action=accept it appears to be inert — confirm. As
# written this rule just exempts LAN->VPC traffic from the masquerade below.
add action=accept chain=srcnat comment="WHK ==> CPT" dst-address=10.0.0.0/16 \
src-address=10.10.0.0/24 to-addresses=169.254.173.130
add action=accept chain=dstnat comment="WHK ==> CPT" dst-address=10.10.0.0/24 \
src-address=10.0.0.0/16
# ipsec-policy=out,none keeps packets that match an IPsec policy from being
# masqueraded, so the traffic selectors still match after NAT.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface="ether1 - WAN Paratus"
/ip ipsec identity
add peer=ipsec-aws-vpn-peer-0
add peer=ipsec-aws-vpn-peer-1
# Policy order matters: the first matching policy wins. The disabled
# 0.0.0.0/0 <-> 0.0.0.0/0 "Tunnel 2" policy matches all traffic, Internet-bound
# included, which is the behaviour described in the post; the narrower
# 10.10.0.0/24 <-> 10.0.0.0/16 policy is the one that scopes the tunnel to VPC
# traffic.
/ip ipsec policy
add action=none dst-address=10.10.0.0/24 src-address=0.0.0.0/0
add comment="Tunnel 2" disabled=yes dst-address=0.0.0.0/0 peer=\
ipsec-aws-vpn-peer-0 proposal=ipsec-aws-vpn-0 src-address=0.0.0.0/0 \
tunnel=yes
add comment="Tunnel 1" dst-address=169.x.x.129/32 peer=\
ipsec-aws-vpn-peer-0 src-address=169.x.x.130/32 tunnel=yes
add comment="Tunnel 1" dst-address=10.0.0.0/16 peer=ipsec-aws-vpn-peer-0 \
proposal=ipsec-aws-vpn-0 src-address=10.10.0.0/24 tunnel=yes
# Review: "set 4" addresses a policy by its list index, which depends on the
# order entries were added (and on the hidden default policy). When this
# export is re-applied the index may point at a different policy; disabling
# by comment or by [ find ... ] is safer.
set 4 disabled=yes
add comment="Tunnel 1" disabled=yes dst-address=10.10.100.0/24 peer=\
ipsec-aws-vpn-peer-0 proposal=ipsec-aws-vpn-0 src-address=10.10.0.0/24 \
tunnel=yes
add comment="Tunnel 2" disabled=yes dst-address=169.x.x.61/32 peer=\
ipsec-aws-vpn-peer-1 src-address=169.x.x.62/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=160.242.72.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# Review: this (disabled) route points 10.0.0.0/16 at 10.10.0.1, which is the
# router's own bridge address; a route via the router itself cannot resolve
# usefully. With BGP in use the VPC prefix is expected to arrive from the
# aws-cpt-bgp-0 session instead.
add disabled=yes distance=1 dst-address=10.0.0.0/16 gateway=10.10.0.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 is disabled above (/ipv6 settings), so these defconf rules are inactive.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# Review: aws-cpt-bgp-0 (the active session) sets neither local.address nor
# router-id, while the disabled aws-cpt-bgp-1 pins both to its tunnel inside
# IP. Without local.address the session may be sourced from an address other
# than 169.x.x.130, which would not match the Tunnel 1 inside-IP policy —
# worth confirming with /routing bgp session print.
/routing bgp connection
add as=65000 connect=yes disabled=no hold-time=30s keepalive-time=10s listen=\
yes local.role=ebgp name=aws-cpt-bgp-0 output.network=\
aws-bgp-broadcast-list-hq remote.address=169.x.x.129/32 .as=64512 \
routing-table=main
add as=65000 connect=yes disabled=yes hold-time=30s keepalive-time=10s \
listen=yes local.address=169.x.x.62 .role=ebgp name=aws-cpt-bgp-1 \
output.network=aws-bgp-broadcast-list remote.address=169.x.x.61/32 \
.as=64512 router-id=169.x.x.62 routing-table=main
/system clock
set time-zone-name=Africa/Windhoek
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
# MAC-server and MAC-Winbox are limited to the LAN list (not reachable from WAN).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN