I’m new to the Mikrotik world, mainly a Linux and Cisco person. I’m trying to do a site-to-site VPN, but not for accessing internal servers. I simply want a site-to-site for internet traffic in order to run remote sites through my Linux inspection/monitoring appliance, which is running Strongswan (a Linux IPSec implementation). In Strongswan terms the “right” subnet is the subnet you are redirecting and the left subnet is the destination. I make the left subnet 0.0.0.0/0 so that all non-local traffic is tunneled. Here is my config on Strongswan and an ASA which works:
# Strongswan config (ipsec.conf; parameters under a conn must be indented)
conn remotesite
    keyexchange=ike
    aggressive=yes
    authby=secret
    # left = this Strongswan box, tunneling everything (0.0.0.0/0)
    left=__STRONGSWAN_BOX_IP_ADDRESS__
    leftsubnet=0.0.0.0/0
    # right = the remote site whose LAN is redirected through here
    right=___REMOTE_SITE_IP_ADDRESS___
    rightsubnet=192.168.1.0/24
    auto=add
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
! ASA 5505 config
! Set the tunnel group
tunnel-group __STRONGSWAN_BOX_IP___ type ipsec-l2l
tunnel-group __STRONGSWAN_BOX_IP___ ipsec-attributes
 pre-shared-key *****
!
! Set up the crypto map (interesting traffic: LAN to anywhere)
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
! Set up the IPSEC tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer __STRONGSWAN_BOX_IP___
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Exempt tunneled subnet from NAT
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
Now on the Mikrotik I’ve tried the following. The peer does come up and I see the SA on Strongswan, but I do not see traffic going through:
- IPSec -> Peers
- Set up my peer:
  - Address: Strongswan box
  - Port: 500
  - Secret: PSK_HERE
  - Proposal: default
  - Mode: aggressive
I then set my 3-tuple. This part is fine; the tunnel comes up.
- IPSec -> Policies
  - Src: 192.168.1.0/24
  - Dst: 0.0.0.0/0
  - Proto: all
  - Template: default
  - Action: encrypt
  - Level: require
  - Protocol: ESP
  - Tunnel: checked
  - SA Src: Mikrotik outside interface
  - SA Dst: Strongswan box
  - Proposal: default
As far as NAT is concerned, I tried exempting from NAT (disabling the NAT rule), similar to what I have to do on the ASA. This did not work. I tried with NAT on. My default route on the Mikrotik is the IP provided by the ISP (on the outside interface). My end clients are configured with 192.168.1.1 as their default route (Mikrotik inside interface).
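For comparison, here are the Winbox steps above (peer, policy and the NAT exemption) written out as RouterOS v6 CLI. This is an added example, not the poster's own export; the addresses 203.0.113.2 (Mikrotik WAN), 198.51.100.10 (Strongswan box), the interface name ether1 and the PSK_HERE secret are placeholders, and the syntax is the pre-6.43 form in which the secret is set on the peer itself.

```routeros
# Added example, not the original poster's configuration.
# Placeholders (assumed): 203.0.113.2 = Mikrotik WAN address,
# 198.51.100.10 = Strongswan box, ether1 = WAN interface, PSK_HERE = PSK.

# 1. Phase 1 peer (IPSec -> Peers in Winbox)
/ip ipsec peer
add address=198.51.100.10/32 port=500 auth-method=pre-shared-key \
    secret="PSK_HERE" exchange-mode=aggressive \
    comment="Strongswan inspection box"

# 2. Phase 2 policy (IPSec -> Policies): LAN to any destination is
#    encrypted and tunnelled to the Strongswan box
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=0.0.0.0/0 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.2 sa-dst-address=198.51.100.10 proposal=default

# 3. NAT exemption. This rule must sit ABOVE masquerade: RouterOS applies
#    srcnat before it evaluates IPsec policies, so once masquerade has
#    rewritten the source to 203.0.113.2 the packet no longer matches
#    src-address=192.168.1.0/24 and goes out the WAN in the clear
#    instead of into the tunnel.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 action=accept place-before=0 \
    comment="bypass NAT for traffic that should enter the IPsec tunnel"
# The normal internet masquerade (assumed to already exist), shown only
# to make the ordering explicit
add chain=srcnat out-interface=ether1 action=masquerade
```

The accept rule is the Mikrotik counterpart of the ASA's `nat (inside) 0` exemption. On the Mikrotik, `/ip ipsec installed-sa print` shows whether an ESP SA exists and `/ip ipsec policy print` shows the policy's Phase 2 state, while the packet counter on the accept rule tells you whether LAN traffic is actually being matched before masquerade; on the Strongswan side `ipsec statusall` lists the established CHILD_SA and its byte counters.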
I would prefer to not do anything fancy like GRE over IPSec. I just want a simple policy based VPN that will route internet traffic through it.
Any help would be appreciated.