I’m trying to generate a VPN between my local network and a VPS.
The topology looks like this:
LAN (192.168.1.0/24)
|
Mikrotik router (public IP: DYNAMIC_IP_1, lan IP: 192.168.1.1)
|
internet
|
VPS server (public IP: STATIC_IP_1)
The VPS runs strongSwan with this config:
conn %default
    esp=aes192-sha1-modp1024!
    ike=aes192-sha256-modp2048!
    ikelifetime=60m
    keylife=30m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=rsasig
    left=STATIC_IP_1
    leftcert=CERT_VPS.der
    leftfirewall=yes

conn vpn_to_mikrotik
    leftsendcert=always
    right=%any
    rightsubnet=192.168.1.0/24
    rightsourceip=%config
    rightcert=CERT_MIKROTIK.der
    modeconfig=push
    auto=add
The Mikrotik config is as follows:
/ip ipsec mode-config
add name=cfg-vpn send-dns=no split-include=192.168.1.0/24
/ip ipsec policy group
add name=policy-vpn
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc
/ip ipsec peer
add address=STATIC_IP_1/32 auth-method=rsa-signature certificate=\
CERT_MIKROTIK dh-group=modp2048 disabled=yes enc-algorithm=aes-192 \
generate-policy=port-strict hash-algorithm=sha256 lifetime=1h \
mode-config=cfg-vpn nat-traversal=no policy-template-group=policy-vpn \
remote-certificate=CERT_VPS
/ip ipsec policy
add dst-address=0.0.0.0/0 group=policy-vpn src-address=0.0.0.0/0 template=yes
The result is that the first IKE stage completes OK; then, at the second stage, during SA creation, Mikrotik tries to create a policy that has the same src and sa-src addresses. These are either both set to DYNAMIC_IP_1 (the Mikrotik external IP) or both set to 192.168.1.1 (the Mikrotik LAN IP; this happens when I set the peer's local-address to 192.168.1.1 in the Mikrotik configuration).
My problem is that this stops the whole configuration from working, as it then doesn't match the setup strongSwan expects. Mikrotik should generate a policy with src-address set to 192.168.1.0/24 and sa-src-address set to DYNAMIC_IP_1.
If I manually add the correct policy, the tunnel is established correctly, but that's not a solution, as the Mikrotik router's public IP is dynamically assigned and the ISP no longer offers the option of a static IP.
Also, it seems from the logs that for whatever reason Mikrotik keeps requesting a virtual IP from strongSwan, and I'm at a loss as to why.
Oh, I'm using RouterOS 6.27 and cannot revert to the 5.xx series, as my board is not supported (which I painfully discovered when trying to downgrade, as most tutorials were written with 5.xx in mind).
As to why I'm doing this: this is stage one of getting two LANs together. Unfortunately neither has a static public IP, so I had to get a VPS to be able to connect them. Usually I'd use OpenVPN, but unfortunately RouterOS can't use UDP transport mode, and I find encapsulating TCP traffic within TCP a bit insane. Thus I've wasted the whole of last week trying to get an IPsec-based VPN to work, and I'm finally out of ideas.
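An added example, not part of the original question or of either vendor's tooling: a small Python script that parses output in the style of RouterOS `/ip ipsec policy print detail` and flags a generated (non-template) policy whose src-address equals its sa-src-address, does not cover the LAN, or uses an SA source other than the WAN address, which is the symptom described above. The sample output is constructed for illustration, with 198.51.100.7 standing in for DYNAMIC_IP_1 and 203.0.113.10 for STATIC_IP_1; the exact print layout and the check thresholds are assumptions.

```python
"""Audit RouterOS IPsec policies for the 'src-address == sa-src-address' symptom."""
import ipaddress
import re

# Constructed sample in the style of `/ip ipsec policy print detail` (hypothetical values):
# entry 0 is the template from the question, entry 1 is the bad policy the router
# generated (src == sa-src), entry 2 is the policy that should have been generated.
SAMPLE_POLICIES = """\
 0 T  group=policy-vpn src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all template=yes
 1 D  src-address=198.51.100.7/32 dst-address=0.0.0.0/0 protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=198.51.100.7 sa-dst-address=203.0.113.10 proposal=default
 2    src-address=192.168.1.0/24 dst-address=0.0.0.0/0 protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=198.51.100.7 sa-dst-address=203.0.113.10 proposal=default
"""

LAN = ipaddress.ip_network("192.168.1.0/24")        # from the question's topology
WAN_IP = ipaddress.ip_address("198.51.100.7")       # stands in for DYNAMIC_IP_1 (assumption)

# "<id> <flags> key=value key=value ..." ; flags are the print flags such as T (template), D (dynamic)
_LINE_RE = re.compile(r"\s*(\d+)\s+([A-Z*]*)\s*(.*)$")
_KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_policies(text):
    """Turn print output into a list of dicts with '_id' and '_flags' plus the key=value fields."""
    policies = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        idx, flags, rest = m.groups()
        attrs = dict(_KV_RE.findall(rest))
        attrs["_id"] = int(idx)
        attrs["_flags"] = flags
        policies.append(attrs)
    return policies


def check_policy(policy, lan=LAN, wan_ip=WAN_IP):
    """Return a list of problems for one non-template policy (empty list means it looks right)."""
    problems = []
    if "T" in policy["_flags"]:
        return problems                      # templates carry no SA addresses; nothing to check
    src = ipaddress.ip_network(policy["src-address"], strict=False)
    sa_src = ipaddress.ip_address(policy["sa-src-address"])
    # The symptom from the question: selector is just the router's own address.
    if src.prefixlen == src.max_prefixlen and src.network_address == sa_src:
        problems.append("src-address equals sa-src-address: only the router's own traffic is selected")
    # The selector must cover the LAN that is supposed to go through the tunnel.
    if not lan.subnet_of(src):
        problems.append(f"src-address {src} does not cover the LAN {lan}")
    # The SA endpoint must be the router's public (WAN) address, not its LAN address.
    if sa_src != wan_ip:
        problems.append(f"sa-src-address {sa_src} is not the WAN address {wan_ip}")
    return problems


def audit(text, lan=LAN, wan_ip=WAN_IP):
    """Map policy id -> problems, for every policy that has at least one problem."""
    report = {}
    for policy in parse_policies(text):
        problems = check_policy(policy, lan, wan_ip)
        if problems:
            report[policy["_id"]] = problems
    return report


if __name__ == "__main__":
    for pid, problems in audit(SAMPLE_POLICIES).items():
        print(f"policy {pid}:")
        for p in problems:
            print(f"  - {p}")
```

On a real router the input would be the pasted output of `/ip ipsec policy print detail`; the checks only need `src-address` and `sa-src-address`, so extra fields in the print are ignored.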