kapara
March 15, 2011, 6:44pm
I am having a very difficult time getting this to work. Documentation is very sparse, and even when I enter the commands from the command line the commands error out. I am using the commands from the Wiki for IPSEC VPN. I am running Ver. 4.11. I am willing to pay someone to assist with this. I can pay via PayPal and can provide WebEx access.
Remote location has 2 internal subnets which must be able to route over IPSEC tunnel to primary location. More details can be provided later. Need someone who really understands IPSEC on Mikrotik.
Thanks,
Mark
If you post the commands that you’re using to configure this and the error messages, we can probably help you here.
Regards
Andrew
Site 1: WAN 1.1.1.1, LAN 10.1.1.0/24, needs VPN access to 10.2.2.0/24 and 192.168.2.0/24 from 10.1.1.0/24
/ip ipsec proposal
# md5 and modp1024 are weak choices; prefer sha1 and a larger DH group (and set a pfs-group) where both ends support them
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=8h name=md5-aes-128-8h pfs-group=none
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s \
dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=8h nat-traversal=no proposal-check=obey secret=vErYsEcReTpReShArEdKeY send-initial-contact=yes
/ip ipsec policy
add src-address=10.1.1.0/24:any dst-address=10.2.2.0/24:any \
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
add src-address=10.1.1.0/24:any dst-address=192.168.2.0/24:any \
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
# So VPN traffic doesn't get NATed; these catch all of 10.x.x.x and 192.168.x.x, not only the tunnel subnets
/ip firewall nat
add place-before=0 action=accept chain=srcnat disabled=no dst-address=192.168.0.0/16
add place-before=0 action=accept chain=srcnat disabled=no dst-address=10.0.0.0/8
# Needed for Netwatch to work: gives the router itself a route to the remote subnets so its own pings can match the IPsec policies
/ip route
add disabled=no distance=1 dst-address=10.2.2.0/24 gateway=Lan scope=30 target-scope=10
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=Lan scope=30 target-scope=10
# Netwatch keeps the tunnels up; make sure these addresses exist and are pingable
/tool netwatch
add disabled=no host=10.2.2.1 interval=1m timeout=1s
add disabled=no host=192.168.2.1 interval=1m timeout=1s
Site 2: WAN 2.2.2.2, LAN1 10.2.2.0/24, LAN2 192.168.2.0/24, needs VPN access to 10.1.1.0/24 from 10.2.2.0/24 and 192.168.2.0/24
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=8h name=md5-aes-128-8h pfs-group=none
/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s \
dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=8h nat-traversal=no proposal-check=obey secret=vErYsEcReTpReShArEdKeY send-initial-contact=no
/ip ipsec policy
add src-address=10.2.2.0/24:any dst-address=10.1.1.0/24:any \
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
add src-address=192.168.2.0/24:any dst-address=10.1.1.0/24:any \
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
# So VPN traffic doesn't get NATed; this catches all of 10.x.x.x, not only the tunnel subnet
/ip firewall nat
add place-before=0 action=accept chain=srcnat disabled=no dst-address=10.0.0.0/8
Two things to start with:
1: The peer addresses are incorrect. Site 1 should specify the WAN address of site 2 & vice versa
2: The NAT exclusion rules should have an action of ‘reject’
Regards
Andrew
Sorry, just a question: why should I “reject” those packets?
If you have a NAT rule that applies to all traffic leaving the local network then you’ll need to exclude the traffic that is destined for the VPN tunnel and the remote office. You do this by placing a NAT rule before the general one that rejects this traffic.
There are some exceptions to this, e.g. if you have an overlapping address range between the two sites, but this would normally be handled by 1-to-1 NAT mapping.
Regards
Andrew
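As an added example (not posted by anyone in this thread), here is how the tunnel exclusion sits in front of the general masquerade rule on site 1, narrowed to the subnets the IPsec policies actually cover, followed by the overlapping-subnet variant that 1-to-1 mapping handles. The exclusion uses action=accept, which in RouterOS ends srcnat processing for the matching packet so it keeps its 10.1.1.x source and is then matched against the IPsec policy. The interface name Wan, the overlap scenario (site 2's LAN1 also being 10.1.1.0/24) and the 172.16.1.0/24 and 172.16.2.0/24 translation ranges are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. Site 1 (WAN 1.1.1.1, LAN 10.1.1.0/24).

# 1. Tunnel exclusion placed ahead of the general masquerade rule.
#    srcnat runs before the IPsec policy lookup, so without these rules the
#    masqueraded packet (source 1.1.1.1) no longer matches a policy and leaves
#    the WAN in the clear. action=accept stops srcnat processing for the packet.
/ip firewall nat
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.2.2.0/24 action=accept \
    comment="no NAT for IPsec traffic to site 2 LAN1"
add chain=srcnat src-address=10.1.1.0/24 dst-address=192.168.2.0/24 action=accept \
    comment="no NAT for IPsec traffic to site 2 LAN2"
add chain=srcnat out-interface=Wan action=masquerade comment="general internet NAT"

# Checks: the accept rules must be listed before the masquerade rule and should
# show packet counters once LAN hosts talk to the remote subnets; installed-sa
# should show one pair of SAs per policy once traffic has flowed.
/ip firewall nat print stats
/ip ipsec policy print
/ip ipsec installed-sa print

# 2. Variant for overlapping subnets (assume site 2's LAN1 were also
#    10.1.1.0/24). This replaces the 10.2.2.0/24 policy and its accept rule
#    above. Site 1 presents its LAN to the tunnel as 172.16.1.0/24 and reaches
#    site 2's LAN as 172.16.2.0/24; site 2 mirrors this with the ranges swapped.
#    Outbound: netmap rewrites the source before the policy lookup, so the
#    policy is written in terms of the translated addresses.
/ip firewall nat
add place-before=0 chain=srcnat src-address=10.1.1.0/24 dst-address=172.16.2.0/24 \
    action=netmap to-addresses=172.16.1.0/24 \
    comment="overlap: present local LAN to the tunnel as 172.16.1.0/24"
#    Inbound: decrypted packets arrive addressed to 172.16.1.x and netmap in
#    dstnat maps them back to the real 10.1.1.x hosts.
add chain=dstnat dst-address=172.16.1.0/24 \
    action=netmap to-addresses=10.1.1.0/24 \
    comment="overlap: map tunnel addresses back to the local LAN"
/ip ipsec policy
add src-address=172.16.1.0/24:any dst-address=172.16.2.0/24:any \
    sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
    ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
    action=encrypt tunnel=yes disabled=no
# Hosts on site 1 then address site 2's 10.1.1.x hosts as 172.16.2.x, so the
# Netwatch route trick from the thread has to point at 172.16.2.0/24 as well.
/ip route
add dst-address=172.16.2.0/24 gateway=Lan distance=1 scope=30 target-scope=10
```

The accept rules are written with both src-address and dst-address so that a host outside 10.1.1.0/24 (for example a guest network on the same router) is still masqueraded when it happens to address the remote subnets; the broad 10.0.0.0/8 rule in the thread's config would exempt that traffic from NAT as well.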