Help understanding ipsec

I’m probably being really dense about this, but there’s something about IPSEC that I’m just not understanding. I can’t even seem to figure it out enough to ask the right question, so here goes…

How do I replace this GRE tunnel with an IPSEC policy?

The remote side is straightforward. There’s a GRE tunnel with an IP address. On the local side, there’s also a route and a NAT rule:

 /interface gre add name=gre0 remote-address=66.xx.yy.222
 /ip address add address=172.17.88.2/30 interface=gre0
 /ip route add dst-address=172.17.0.0/16 gateway=172.17.88.1
 /ip firewall nat add chain=srcnat action=masquerade out-interface=gre0

How do I do this with IPSEC?

Much thanks!

-Troy

My friend, I don’t know much RouterOS syntax to help, but I can recommend some topics from other vendors to better understand the concepts of IPsec, if that’s what you are looking for.
You can use GRE with IPsec to secure your traffic. Again, I’m still “fresh” with the MikroTik CLI, so I can’t give you an example of how to execute it.

This will setup a pure IPSec tunnel between the two locations.

1.) Set up the peers for both routers. This is so each router knows who it can and should listen to.
Router 1

/ip ipsec peer
add address=66.xx.yy.222/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=main generate-policy=no hash-algorithm=sha1 passive=no port=500 proposal-check=obey secret=<Your Secret> send-initial-contact=yes

Router 2

/ip ipsec peer
add address=23.xx.yy.213/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=main generate-policy=no hash-algorithm=sha1 passive=no port=500 proposal-check=obey secret=<Your Secret> send-initial-contact=yes

2.) Set up the policy for both routers. This is so each router knows what traffic it wants to send down the IPSec tunnel.
Router 1

/ip ipsec policy
add action=encrypt dst-address=172.17.0.0/16 src-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=66.xx.yy.222 sa-src-address=23.xx.yy.213 tunnel=yes

Router 2

/ip ipsec policy
add action=encrypt dst-address=192.168.0.0/24 src-address=172.17.0.0/16 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=23.xx.yy.213 sa-src-address=66.xx.yy.222 tunnel=yes

3.) Set up the proposal to match between both peers. This is so both routers agree on how to encrypt the traffic.
Router 1

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc lifetime=8h name=default pfs-group=none

Router 2

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc lifetime=8h name=default pfs-group=none

Depending on your firewall, you may need to allow a few more types of input traffic to enable them to communicate with each other as well.
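The three steps above only work when the two routers are exact mirror images of each other, and most failed tunnels come down to one field that is not. As an added example, not code from the thread, the script below parses RouterOS-style peer/policy/proposal lines for both sides and reports anything that fails the mirror test: policy and SA addresses must be swapped, each peer address must be the other side's SA source, and the PSK, DH group, ciphers and proposal settings must be identical. The sample configs are constructed, with RFC 5737 documentation addresses in place of the redacted ones and a deliberately mismatched cipher on Router 2.

```python
import re
# Constructed sample modelled on the three sections above: RFC 5737 documentation
# addresses replace the thread's redacted IPs, and Router 2's proposal cipher is deliberately wrong.
ROUTER1 = """/ip ipsec peer
add address=198.51.100.2/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=main hash-algorithm=sha1 secret=s3cret
/ip ipsec policy
add action=encrypt dst-address=172.17.0.0/16 src-address=192.168.0.0/24 ipsec-protocols=esp level=require proposal=default protocol=all sa-dst-address=198.51.100.2 sa-src-address=203.0.113.1 tunnel=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=8h name=default pfs-group=none
"""
ROUTER2 = """/ip ipsec peer
add address=203.0.113.1/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=main hash-algorithm=sha1 secret=s3cret
/ip ipsec policy
add action=encrypt dst-address=192.168.0.0/24 src-address=172.17.0.0/16 ipsec-protocols=esp level=require proposal=default protocol=all sa-dst-address=203.0.113.1 sa-src-address=198.51.100.2 tunnel=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=8h name=default pfs-group=none
"""

KV = re.compile(r"(\S+?)=(\S+)")
# policy fields that must be swapped between the two sides
MIRROR = [("src-address", "dst-address"), ("dst-address", "src-address"),
          ("sa-src-address", "sa-dst-address"), ("sa-dst-address", "sa-src-address")]
# peer and proposal fields that must be identical on both sides
PEER_KEYS = ["auth-method", "dh-group", "enc-algorithm", "hash-algorithm", "exchange-mode", "secret"]
PROP_KEYS = ["auth-algorithms", "enc-algorithms", "pfs-group", "lifetime"]

def parse(text):
    """Return {section: {key: value}} for the first add/set line of each /ip ipsec section."""
    cfg, section = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.split()[-1]           # "peer", "policy" or "proposal"
        elif section and line.split(" ", 1)[0] in ("add", "set"):
            body = re.sub(r"\[.*?\]", "", line)  # drop "[ find default=yes ]"
            cfg.setdefault(section, dict(KV.findall(body)))
    return cfg

def check_pair(text_a, text_b):
    """List every way the two configs fail to be mirror images of each other."""
    a, b = parse(text_a), parse(text_b)
    out = []
    for me, other in ((a, b), (b, a)):
        for mine, theirs in MIRROR:
            if me["policy"].get(mine) != other["policy"].get(theirs):
                out.append(f"policy {mine}={me['policy'].get(mine)} should equal remote {theirs}")
        # the peer address (mask stripped) must be the other side's SA source address
        if me["peer"]["address"].split("/")[0] != other["policy"].get("sa-src-address"):
            out.append(f"peer address {me['peer']['address']} is not remote sa-src-address")
    for section, keys in (("peer", PEER_KEYS), ("proposal", PROP_KEYS)):
        for key in keys:
            if a[section].get(key) != b[section].get(key):
                out.append(f"{section} {key}: {a[section].get(key)} != {b[section].get(key)}")
    return out
```

Running `check_pair(ROUTER1, ROUTER2)` flags only the proposal cipher; paste two real `/ip ipsec` exports in place of the samples to get the same check for your own pair.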

Feklar,

Thanks! I actually got this done in a lab environment as you were responding! I think I was getting hung up by trying to do too much at one time, being afraid to muck up a production network, and being too stubborn and lazy by not setting up a lab to begin with.

Anyways, once I got the NET-to-NET tunnel working, I changed it up to preserve NAT on the local side. It’s a bit different than when I was using the GRE tunnel, but it works and keeps the local network invisible to the remote network. It just sees my WAN IP, which is fine.

For posterity and the hope that it helps someone else, here’s my final lab setup:

In almost every lab I do, I configure OSPF to make it easier to throw subnets around without having to add/update/remove static routes. It makes the lab configs a bit longer, but the labs are much easier to work with this way.

The first router is to simulate the Internet. I use CGN (rfc6598) space for the “Internet,” and private (rfc1918) space for the networks. The “Internet” router has routing and firewall filters to ensure that RFC1918 addresses are not leaked.

MT_01 (Internet):

/routing ospf instance
set [ find default=yes ] distribute-default=always-as-type-1 \
    redistribute-connected=as-type-1
/ip address
add address=100.99.1.1/30 interface=ether2
add address=100.99.1.5/30 interface=ether3
add address=192.168.0.33/24 interface=ether1
/ip firewall filter
add chain=forward dst-address=192.168.0.0/24
add chain=forward src-address=192.168.0.0/24
add action=reject chain=forward dst-address=192.168.0.0/16
/ip route
add distance=1 gateway=192.168.0.1
/routing filter
add action=discard chain=ospf-out prefix=192.168.0.0/16 prefix-length=16-32
/routing ospf network
add area=backbone network=100.99.1.4/30
add area=backbone network=100.99.1.0/30
/system identity
set name=MT_01

MT_02 (Remote):

/interface bridge
add name=lo0
/ip address
add address=100.99.1.2/30 interface=ether2
add address=192.168.100.1/24 interface=lo0
/ip firewall nat
add chain=srcnat dst-address=100.99.1.6 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.100.0/24
/ip ipsec peer
add address=100.99.1.6/32 secret=test
/ip ipsec policy
add dst-address=100.99.1.6/32 sa-dst-address=100.99.1.6 sa-src-address=100.99.1.2 src-address=192.168.100.0/24 \
    tunnel=yes
/routing ospf network
add area=backbone network=100.99.1.0/30
/system identity
set name=MT_02

MT_03 (Local Router):

/ip address
add address=100.99.1.6/30 interface=ether2
add address=192.168.200.1/24 interface=ether3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.200.0/24
/ip ipsec peer
add address=100.99.1.2/32 secret=test
/ip ipsec policy
add dst-address=192.168.100.0/24 sa-dst-address=100.99.1.2 sa-src-address=100.99.1.6 src-address=100.99.1.6/32 tunnel=yes
/routing ospf network
add area=backbone network=100.99.1.4/30
/system identity
set name=MT_03

MT_04 is just a host on the 192.168.200.0/24 network…

But wait… THERE’S MORE! I’m going into the basement to set up a real lab. I’m going to see if I can get the ASA firmware running on MT/KVM. I almost have it running on QEMU, but it’s horridly unstable. Wish me luck!