IPSec equivalent config for Mikrotik RouterOS

Here is the IPSec config on a huawei AR1200. Please translate this to RouterOS settings!

sysname RouterA

acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0

ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192

ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256

ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.2.1

ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.

interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.

interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.0

interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.1 255.255.255.252
tunnel-protocol gre
source 1.2.1.1 //Specify the source address of the tunnel interface.
destination 1.2.2.1 //Specify the destination address of the tunnel interface.

ip route-static 10.2.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2

return

Disclaimer: default values of some parameters are likely to differ between Huawei and Mikrotik. Unless you can make Huawei show its defaults, you’ll have to find out using logging (/system logging add topics=ipsec,!packet).

/ip ipsec profile add enc-algorithm=aes-128 hash-algorithm=sha256 dh-group=modp2048 name=huawei-profile

/ip ipsec proposal add name=huawei-proposal auth-algorithms=sha256 enc-algorithms=aes-192-cbc

Encapsulation mode (transport or tunnel) is set under /ip ipsec policy in RouterOS (tunnel=no or yes).

The binding of IPsec peer to a particular local interface is done by specifying local-address in peer configuration.

/ip ipsec peer add name=huawei-peer profile=huawei-profile exchange-mode=main address=1.2.2.1 local-address=1.2.1.1
/ip ipsec identity add peer=huawei-peer auth-method=pre-shared-key secret="%^%#…"

This particular secret itself may be hard to specify using command line, I could not find how to escape the ` symbol. Try Winbox or WebFig.

The traffic matching criteria are specified directly on the /ip ipsec policy row in RouterOS if tunnel mode is used; for transport mode, there is no need to specify them as the policy inherits them from the peer.

/ip ipsec policy add tunnel=no peer=huawei-peer proposal=huawei-proposal
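The reply above covers only the IPsec objects; the Huawei config also carries the GRE tunnel (Tunnel0/0/1), the interface addresses and the two static routes, without which nothing will ever match the policy. The script below is an added, complete RouterOS translation written for this thread, not code from the reply or from Huawei/MikroTik documentation. Assumptions: ether1 is the 1.2.1.1/30 WAN port and ether2 the 10.1.0.1/24 LAN port (names are mine), the router runs RouterOS 6.43 or later (the /ip ipsec profile and /ip ipsec identity syntax used in the reply needs that), and the policy selectors are written out explicitly to mirror ACL 3000 rather than left implicit. The pre-shared key is the plain text "huawei", as the comment on the Huawei pre-shared-key line states; the %^%#...%^%# string is only Huawei's cipher-text rendering of that password and is not what the RouterOS side needs.

```routeros
# --- Interface addressing (interface names are assumptions) ---
/ip address
add address=1.2.1.1/30 interface=ether1 comment="Ethernet1/0/1 on the Huawei"
add address=10.1.0.1/24 interface=ether2 comment="GigabitEthernet0/0/1 on the Huawei"

# --- Phase 1: ike proposal 1 (aes-128, sha2-256, group14 = modp2048) ---
/ip ipsec profile
add name=huawei-profile enc-algorithm=aes-128 hash-algorithm=sha256 dh-group=modp2048

# --- Phase 2: ipsec proposal rtb (esp aes-192, sha2-256) ---
/ip ipsec proposal
add name=huawei-proposal auth-algorithms=sha256 enc-algorithms=aes-192-cbc

# --- ike peer rtb v1 with main-mode IKEv1 and local-address bound like "ipsec policy rtb" on Ethernet1/0/1 ---
/ip ipsec peer
add name=huawei-peer address=1.2.2.1 local-address=1.2.1.1 exchange-mode=main profile=huawei-profile

# Plain-text PSK; "huawei" is the example value from the Huawei config and should be replaced by a strong key on both ends.
/ip ipsec identity
add peer=huawei-peer auth-method=pre-shared-key secret=huawei

# --- ipsec policy rtb: transport mode, selectors taken from ACL 3000 rule 0 (1.2.1.1 <-> 1.2.2.1, any protocol) ---
/ip ipsec policy
add peer=huawei-peer tunnel=no src-address=1.2.1.1/32 dst-address=1.2.2.1/32 protocol=all \
    action=encrypt level=require proposal=huawei-proposal

# --- interface Tunnel0/0/1: GRE between the same endpoints, so its traffic is what the transport SA protects ---
/interface gre
add name=gre-huawei local-address=1.2.1.1 remote-address=1.2.2.1
/ip address
add address=1.3.1.1/30 interface=gre-huawei

# --- Static routes: remote LAN via the tunnel, default via the WAN next hop ---
/ip route
add dst-address=10.2.0.0/24 gateway=gre-huawei
add dst-address=0.0.0.0/0 gateway=1.2.1.2

# --- Verification, using the logging topic the reply suggests ---
/system logging add topics=ipsec,!packet
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

After the GRE interface comes up, the installed-sa print should show one ESP SA pair between 1.2.1.1 and 1.2.2.1 carrying the GRE packets; if the peer negotiates but no SA appears, compare the Phase 2 selectors and lifetimes against what the Huawei side logs, since those defaults are the ones most likely to differ between the two vendors.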