Hey Folks,
I was looking for some feedback on moving from IPSEC to Wireguard when using the VPN as a client.
I have my Mikrotik acting as an IKEv2 client, with perma-vpn to Nord (with associated blackhole config)
This has been working well for a while, but occasionally the tunnel hangs and I need to flush the SAs to restore service — this has become bothersome of late.
I am currently running v6.49.4 on a Hex S.
I can see that there is v6.49.7, but the release notes mention nothing about IPSEC, so I suspect upgrading may not help.
I have previously tried v7.x, but the same IPSEC config that I have in v6.xx did not seem to work (it was a while ago, so I forget exactly why, and this may therefore be somewhat anecdotal). I found the Wireguard setup confusing and gave up.
I've found a few posts - eg https://medium.com/@sruffilli/a-vpn-roadwarrior-setup-with-wireguard-and-mikrotik-routeros-6d42ca204c21 - which seem to cover this, but before I undertake it, it would be great to hear some success stories or any best practices.
My goal is to replicate what I have for the IPSEC setup, using Wireguard. That is quite simple:
- ALL traffic on local subnets behind the Mikrotik MUST go over the VPN at all times
- Traffic to be blackholed if VPN is down
If I upgrade to v7.6, should I expect my current config to keep working? My config is fairly streamlined:
[admin@MikroTik] > export hide-sensitive
# software id = RVJQ-3EWZ
#
# model = RB760iGS
#
# Export with hide-sensitive: MAC, peer hostname and EAP username are redacted.
# Overall shape: LAN (192.168.88.0/24 on "bridge") -> every packet from the
# "local" address list is routing-marked via-vpn; the IKEv2 policy to NordVPN
# is expected to catch that traffic, and whatever it does not catch falls into
# the via-vpn route below, whose gateway is a bridge with no member ports.
/interface bridge
# "blackhole" is a port-less bridge; it only exists to be the gateway of the
# via-vpn route at the end of this export.
add name=blackhole
add admin-mac=xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec mode-config
# Initiator-side mode-config (responder=no). NOTE(review): src-address-list=local
# presumably supplies the dynamic srcnat for LAN traffic into the tunnel, which is
# why the static masquerade further down is disabled -- confirm on the live box.
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
# Phase 1: AES-128 / SHA-256.
add enc-algorithm=aes-128 hash-algorithm=sha256 name=NordVPN
/ip ipsec peer
add address=xxxxx.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
# Default proposal disabled; the NordVPN proposal uses SHA-256 auth and no PFS.
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
# Only "bridge" gets ports; nothing is ever added to "blackhole".
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# The router answers DNS for clients. What keeps this resolver off the WAN is the
# input-chain rule "drop all not coming from LAN" below, not this setting.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# "local" drives both the mode-config src-address-list and the routing-mark rule.
# "local-range" is defined here but is not referenced anywhere else in this export.
add address=192.168.88.0/24 list=local
add address=192.168.88.2-192.168.88.254 list=local-range
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): the two ipsec-policy accepts sit ahead of the "drop all from WAN not
# DSTNATed" rule. Because the policy below is 0.0.0.0/0 <-> 0.0.0.0/0, the "in,ipsec"
# accept would pass a new connection arriving through the tunnel toward a LAN host;
# whether the provider side ever forwards such traffic is not visible here. If
# inbound from the VPN side is not intended, consider limiting this accept with
# connection-state=established,related.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# fasttrack is kept disabled=yes; presumably because fasttracked packets would skip
# the mangle/IPsec handling this setup depends on -- confirm before re-enabling.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# Connection mark "ipsec" is set for traffic matching the policy in either direction,
# but no rule in this export consumes that mark.
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
# Every packet sourced from the "local" list is sent to the via-vpn routing table.
# NOTE(review): the poster recalls v7 differences around marking; v7 also normally
# needs the via-vpn table declared explicitly under /routing table -- verify before
# upgrading.
add action=mark-routing chain=prerouting new-routing-mark=via-vpn passthrough=yes src-address-list=local
/ip firewall nat
# Static masquerade is disabled, so LAN traffic is not NATed straight out of the WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none \
out-interface-list=WAN
/ip ipsec identity
# EAP-MSCHAPv2 client identity; certificate=root.der_0 is presumably the provider CA
# used to validate the peer -- confirm it is the CA and not a client cert.
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN \
peer=NordVPN policy-template-group=NordVPN username=xxxxxxxxxxx
/ip ipsec policy
# Default policy 0 disabled. action=none exempts traffic to the LAN subnet from the
# tunnel. Two 0.0.0.0/0 templates follow; the first is disabled and looks like a
# leftover duplicate of the second.
set 0 disabled=yes
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
# The only route for routing-mark via-vpn points at the port-less "blackhole" bridge;
# the intent (per the post) is that LAN traffic is discarded rather than leaking to
# the WAN when the tunnel is down.
add distance=1 gateway=blackhole routing-mark=via-vpn
/system logging
# Logging rule 3 goes to memory and ipsec topics are enabled, so the tunnel hangs
# the poster describes can be inspected in /log.
set 3 action=memory
add topics=ipsec
I seem to recall the issue was with the connection marking in v7?
Many Thanks