IPSEC to CheckPoint

Hello,
I’m trying to set up IPsec to a Checkpoint device,
but I get lost in all the settings on the Checkpoint side.
Can someone help me understand where phase 1 and phase 2 are in MikroTik?
Thanks

Phase 1 settings are “peer” in MikroTik configuration.
Phase 2 settings are “policy” in MikroTik configuration.

This is what I thought - great.

And the proposal is for phase 2, right?

Thanks,

The “proposal” object in current RouterOS is for Phase 2, correct. In 6.43rcX I’ve noticed that the Phase1 proposal has been separated from peer settings into a separate table, so now instead of configuring it in each peer’s settings, several peers can refer to the same proposal, but it is so far only done that way in the command line and I don’t know how it will be displayed in WebFig/Winbox.

This is what I thought,
so the problem is on the CheckPoint side …

By the way,
just to be sure it’s working, I should see the other side in the “Installed SAs”, right?


/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128-cbc \
    lifetime=1h
/ip ipsec peer
add address=1.2.3.4/32 dh-group=modp1024 enc-algorithm=aes-128 \
    hash-algorithm=md5 nat-traversal=no secret=11111111
/ip ipsec policy
set 0 dst-address=10.8.8.0/24 src-address=10.90.0.0/24

/ip firewall filter
add action=accept chain=forward dst-address=10.8.8.0/24 src-address=\
    10.90.0.0/24
add action=accept chain=forward dst-address=10.90.0.0/24 src-address=\
    10.8.8.0/24
/ip firewall nat
add action=accept chain=srcnat dst-address=10.8.8.0/24 src-address=10.90.0.0/24

Anything else I need? (on the MikroTik side…)

Thanks,

I can tell you from the 6.42.1 perspective:

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=Fortigate_proposal pfs-group=ecp384
/ip ipsec peer
add address=2.2.2.2/32 comment="****************." dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha256 \
    notrack-chain=prerouting
/ip ipsec policy
add action=none comment="PH2^site-to-site^Do nothing in LAN subnet." dst-address=172.28.80.0/20 src-address=172.28.80.0/20
add comment="PH2^To FortiGate" dst-address=0.0.0.0/0 proposal=Fortigate_proposal sa-dst-address=1.1.1.1 sa-src-address=\
    2.2.2.2 src-address=172.28.80.0/20 tunnel=yes

Important things:
IPsec proposal:
Use the same on both sides (ignore default).
IPsec peer:
Address - specify the remote peer IP (where to send all traffic).
Local Address - your MT internal WAN IP (NOT the external public IP) if it is behind another router; this one is not necessary if your MT is the router itself.
IP IPsec policy: here you define which traffic should be tunneled to the other end.
My first rule with action NONE means that traffic which originates FROM and goes TO the 172.28.80.0/20 IP range is not encrypted and tunneled on my side (because this side has 16 subnets starting from 172.28.80.0).
My second rule with TUNNEL=YES means that ALL traffic which originates from the 172.28.80.0/20 IP address range goes into the tunnel (because I want to use firewall functionality on the other side).
P. S. keep in mind that policies go the same way as in Firewall, which means that only the first policy matched is applied; that’s why my LAN subnets are never tunneled and all other traffic is.

After you’ve done these you’re pretty much golden.

You should add a no-tracking rule (since you’re sending it into the tunnel anyway). This rule should match the IP address ranges of the IPsec policy:

 0    ;;; DO NOT track traffic into tunnel.
      chain=prerouting action=notrack log=no log-prefix="" src-address=172.28.80.0/20 dst-address=0.0.0.0/0

Lastly you do the srcnat rule (otherwise your packets get your WAN IP and never match the IPsec policy = never get sent through the tunnel). Here you add IP addresses which are the same as in your IPsec policy (same as the notrack rule). This one is very important because otherwise your packets get dropped. Always set this rule on top of the others:

      chain=srcnat action=accept src-address=172.28.80.0/20 dst-address=0.0.0.0/0 log=no log-prefix=""

Also… because “Fasttrack” is enabled by default, I suggest you disable it if you use a tunnel (some people report weird issues with it in tunnel/transport mode).

As for phases… well, there are 2 phases.
1st phase – the tunnel is created between two routers. I, personally, open IP → IPsec → Remote Peers; here I check if Phase 1 between the two tunnel endpoints is created (check if the time under “Established” increases). If it does, then you can go for Phase 2.
2nd phase – here both tunnel endpoints check with each other and create the Phase 2 tunnel.

If you’re not getting “established” in either phase, then something is wrong with your configuration and the endpoints cannot establish a connection with each other for some reason.

Great -
now I have another question.
I have 2 WANs connected to the MikroTik.
WAN1 is working with the CheckPoint VPN - no problem - working.
I want to enable the clients to connect to the internet (youtube, facebook) with ADSL2 - WAN2,
so I have tried to mangle and route:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!VPN new-routing-mark=internet passthrough=yes

/ip route
add distance=2 gateway=ADSL2 routing-mark=internet
add disabled=yes distance=2 gateway=ADSL2

but it doesn’t work.
Any idea what I am doing wrong?

Thanks,

Almost everything you need to implement the idea should be here. But it depends on how wide your IPsec policy is, because e.g. if it matches packets with any source address and any destination address, it will also steal packets routed through the ADSL WAN, because it kicks in after all the other packet processing has been done. So you have to think about this as well.
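An added illustration (not from the thread or from RouterOS itself) of two points made above: policies are first-match, so the order of the “action=none” LAN exception and the “tunnel” catch-all matters, and a policy that is too wide overrides whatever WAN the route table picked. It uses the prefixes quoted in the thread; the evaluator is a constructed model of RouterOS behaviour, not its code.

```python
from ipaddress import ip_address, ip_network

# Constructed model of RouterOS IPsec policy matching: a policy is
# (src-address, dst-address, action); only the first match applies.
def first_match(policies, src, dst):
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in policies:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return None  # no policy: the packet is routed and NATed normally

def egress(policies, routed_wan, src, dst):
    """Where the packet finally leaves. The IPsec policy check happens
    after routing, so a matching 'tunnel' policy overrides the WAN that
    the route table (or a routing mark) already chose."""
    return "ipsec" if first_match(policies, src, dst) == "tunnel" else routed_wan

# The two policies from the reply above, in the order posted.
ORDERED = [
    ("172.28.80.0/20", "172.28.80.0/20", "none"),    # LAN-to-LAN stays local
    ("172.28.80.0/20", "0.0.0.0/0", "tunnel"),       # everything else tunnels
]
# Same policies, wrong order: the catch-all shadows the LAN exception.
SWAPPED = list(reversed(ORDERED))

# A too-wide policy (any src, any dst) versus one scoped to the remote subnet
# from the original poster's config.
WIDE = [("0.0.0.0/0", "0.0.0.0/0", "tunnel")]
NARROW = [("10.90.0.0/24", "10.8.8.0/24", "tunnel")]

if __name__ == "__main__":
    print(first_match(ORDERED, "172.28.81.7", "172.28.95.3"))  # none
    print(first_match(SWAPPED, "172.28.81.7", "172.28.95.3"))  # tunnel
    # Packet from the LAN to a public address, routed to WAN2 by a routing mark:
    print(egress(WIDE, "wan2", "10.90.0.5", "8.8.8.8"))    # ipsec (stolen)
    print(egress(NARROW, "wan2", "10.90.0.5", "8.8.8.8"))  # wan2
```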

I make 3 static routes
****this part is for the IPsec addresses only
1.1.1.1 - WAN1 (the peer IP, unit on the remote site)
10.0.0.0/24 - WAN1 (network 1 on IPsec)
10.1.0.0/24 - WAN1 (network 2 on IPsec)


0.0.0.0/0 - WAN2 (all other networks)

and now it’s working.

Now I want to limit the outgoing data rate,
so I mark all the “internet” data in mangle,
but how do I make the queue?


Thanks,

You’ve jumped too quickly from “how to establish an IPsec connection to CheckPoint” to “I want to able the client to connect to the internet (youtube,facebook) with ADSL2 - WAN2”.

It is not clear to me whether the idea is to

  a. use WAN 2 for any internet access (not just YT+FB which were given just as examples) and WAN 1 only to carry the IPsec connection,
  b. use WAN 1 for IPsec connection and general internet access, and WAN 2 only for YT + FB access

In my first response I was assuming you had in mind case b, but maybe I was wrong?

So describe the use scenario unambiguously and better also post the output of /export hide-sensitive after replacing all occurrences of each public IP address with a distinctive meaningful pattern.

I had a problem with my IPsec connection - something in the settings;
this is why I asked.
After you showed me what to do - it works,
and now I need to give an answer to make them surf using WAN2 and IPsec on WAN1.
This is a “work in progress” question :slight_smile:

Up until this point - everything is working:
IPsec is from WAN1,
Internet is WAN2.

Now I want to limit the internet to 0.5M.
I have created a simple queue - to 0.0.0.0/0,
but it’s working all the time, 1 rule for all the users.
I want every user to get a queue for himself.

How do I do this?

Thanks,

OK, so you’ve verified your solution and changed the post before I finished my response to it. Good.

Just coming back to it, the routes to 10.0.0.0/24 and 10.0.0.0/24 are actually not necessary because the IPsec policies grab the packets to these destinations which have been originally routed using the default route.

To the bandwidth management, I have no practical experience with it so you’d better use a help from someone else, but I’m afraid few people expect a question regarding QoS/queues in a topic named “IPSEC to CheckPoint” :slight_smile: