Mikrotik as IPSEC client from home with NAT for Linux server with non-standard ports.

Hello!

Is exist solution for this scheme:
I want Internet access availability over Mikrotik as IPSEC client from home with NAT(restricted by my home ISP (my address is private and no port redirect to external IP)) for Linux VPS-server with non-standard(restricted by VPS contract) ports.
How know that allow access or restrict by my provider needed IP protocols for this solution(for example GRE)?
Or if not exist compatible solution, then may I use OpenVPN client on home Mikrotik (same scheme) or the client implementation by Mikrotik is deprecated now?
And if OK(solution founded) but VPS is down, then automatically disable Internet avoid transparently switch to Internet access over my local ISP.
?
Where are can I read about same configuration or please write here exactly configs.

Hi noetn,

To see if your ISP allows the protocols (e.g. ESP, 50) to use IPSEC there are only two ways that come to mind:
1.) Try it out
2.) Ask the ISP if they allow UDP-Traffic to the ports 500 + 4500 and the IP Protocol 50.

For your request of an exakt config: Nobody will be able to give you that because you missed out on giving some detailed information, which you should never post on the web.

I’ve got a Mikrotik Client connecting from within a LAN for a site2site connection and I’m happy to give you my config

I’ll just assume you are using the most recent firmware of RouterOS, which would be 6.43.4 at this date and that you are using PSK-authentication on the Linux Server:

/ip ipsec peer profile add dh-group=modp4096 enc-algorithm=aes-256 hash-algorithm=sha256 name=256|DH14
/ip ipsec peer add address=>PUBLIC-IP-OF-LINUX-SERVER< profile=256|DH14 secret=>YOURPSK<

The code above is Phase one. You need to adjust the encryption and hash parameters to the standards set on the Linux server. The name of the peer profile is of your choosing!

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=TEST pfs-group=modp1536
/ip ipsec policy add dst-address=>DISTANT-LAN-SUBNET< level=unique proposal=TEST sa-dst-address=>PUBLIC-IP-OF-LINUX-SERVER< sa-src-address=>YOUR-PUBLIC-IP< src-address=>YOUR-LAN-SUBNET< tunnel=yes

The code above would be Phase two. Again, you need to adjust the auth- and encryption algorithms to the ones used by the Linux Server.

Make sure your local subnet is bound to a bridge on the Tik and that Fast-Path is disabled on that bridge and you are golden

BR
Areanod

First of all, thanks Areanod!

Before understand letter below, I am afraid what not my local ISP, but foreighn VPS provider not allow “IP Protocol 50” - it is declare what redirect(NAT) only 20 tcp and udp ports..
Is it fatal or may be use configuration without “IP Protocol 50” and suitable NAT traversal option from Tik with enable 4500 udp port?

OpenVPN is painful as the Mikrotik implementation only supports TCP transport which is good on stable networks but can cause issues if packet loss happens between client and server, because packet loss in TCP over TCP scenario causes retransmission on both.

On Mikrotik, you can configure the remote UDP port for the initial connection setup (default 500) but not for the NAT traversal mode (default 4500). So the solution for the desperate ones is to dst-nat outgoing traffic, which requires to set up an IP-IP tunnel from the Mikrotik to itself on local addresses and set a route to the VPS via one end of the tunnel, and route packets received at the other end of the tunnel via WAN after dst-nat’ing them to the ports X and Y you can use instead of 500 and 4500. And use iptables to do the reverse at the Linux end where you redirect packets coming to ports X and Y back to 500 and 4500.

If the Mikrotik is behind a NAT, IPsec will find that out and instead of using plain ESP (IP protocol 50), it will encapsulate ESP into UDP on port 4500. If Mikrotik has a public IP on itself, you have to link the peer to a private address and set up a src-nat to the public one; this will cause the IPsec to behave the same as if there was a NAT outside.

For inspiration, take the relevant part of this topic. But its purpose is only loosely related, so don’t blindly copy-paste everything from there.

Thanks, sindy!

My home Mikrotik behind NAT with private IP addresses and port forwarding not accesible:
“On Mikrotik, you can configure the remote UDP port for the initial connection setup (default 500) but not for the NAT traversal mode (default 4500).”
Do you mean for udp 4500 source port (not dst) because target for INPUT must be 4500 (from home initial connection with random src port) as I was understand? Or both?

Is answers correct for IKEv2 ? And I can use StrongSwan on Linux?

OK, so from the very beginning. The basic function is the following:

          ,initiator.public.ip:500 <=======> responder.public.ip:500.
initiator{                                                           }responder
          `initiator.public.ip:4500 <=====> responder-public.ip:4500'

As in generic case both participants of an IPsec “session” are peers, no “random src port” is used on the initiator side. However, the NAT-T mechanism, which is optional for IKE(v1) but intrinsical in IKEv2, can deal with any change of src-port of packets coming from the initiator as they travel to the responder.

What I’ve understood from what you wrote was that the Linux cannot listen on UDP port 500 and 4500 so you have to chose some other ones, such as e.g. 1005 in place of 500 and 1045 in place of 4500 for ease of description.

As your home Mikrotik is placed behind a NATing modem/router, it must act as an initiator, i.e. send the first packet towards the Linux machine which has a fixed address and can listen, acting as an IPsec responder, on some ports (e.g., the 1005 and 1045 ones).

In the IPsec configuration of Mikrotik, you can say “send to responder port 1005 what you would normally send to responder port 500”, but you can not say “send to responder port 1045 what you would normally send to responder 4500”. So if the Linux VPS (whatever it is) contract does not permit your responder to listen at port 4500 and you are forced to use 1045 instead, you have to redirect (dst-pat) the outgoing packets of the initiator somewhere close to it, and redirect (dst-pat) the packets received at port 1045 on the responder Linux machine back to port 4500 where your IPsec stack listens.

On the responder side, the Linux, this is a matter of a single rule, iptables -t nat -A PREROUTING -i ethX -p udp --dport 1045 -j DNAT --to-destination :4500, as dst-nat of received packets is a commonly required handling. However, as dst-nat of sent packets is much less required, and so is src-nat of received packets, normal RouterOS handling doesn’t support either of these.

So as a workaround, you have to let the IPsec stack send the packet to port 4500, but instead of sending it directly out the WAN, you send it to an IP-IP tunnel whose other end is on the same Mikrotik. On that end, the packet becomes an incoming one, so it can be dst-nated to port 1045; using policy routing, you send it out the WAN; the policy routing criteria allowing the action=mark-routing mangle rules to distinguish between the first and second pass of the packet is that the original one has no in-interface as it is locally originated, while the second pass has the IP-IP tunnel interface as in-interface (and has connection-nat-state=dstnat and is handled by chain=prerouting), so you can use a rule like
/ip firewall mangle add chain=output action=mark-routing dst-address=the.responder.ip.addr protocol=udp dst-port=4500 new-routing-mark=via-ipip
to assign the routing mark causing the first pass packets to be routed via the following route:
/ip route add dst-address=0.0.0.0/0 gateway=ip.address.of.outer.ipip.end routing-mark=via-ipip
And you use an
/ip firewall nat add chain=dstnat action=dst-nat to-ports=1045 protocol=udp dst-port=4500 dst-address=the.responder.ip.addr
rule to redirect the packets to port 1045 before they are routed using the default routing table to the destination.

As your home modem/router src-nats the packets, you don’t need to do that on the Mikrotik to force use of UDP-encapsulated ESP.

See the post I’ve referred to above to find out how to set up the IPIP tunnel to the Mikrotik itself.

As you want to use IKEv2, the above is enough because with exchange-mode=ike2, RouterOS acting as initiator starts sending immediately towards port 4500 of the responder, so you don’t need to set up this complex treatment for port 500.

Other than that - yes, you can use StrongSwan at the responder side, with either a pre-shared key configuration or a certificate. But you have to ping through the tunnel periodically, otherwise the security association may close at StrongSwan side if there is no spontaneous traffic for an extended period of time.

Thanks for advice, sindy!

0. Is needed use exactly addition IPIP tunnel as show in link above?
   Because, at now moment I was sucesfull testing Linux-Linux IKEv2(StrongSwan) only (without IPIP) for avoid errors in configure in future with Mikrotik.

And was testing native iOS IKEv2-client, but with problems:

• standard ports needed on server (been increase VPS price..);
• no applying the DNS-servers from StrongSwan-server directive. Using the DNS by VPS-provider instead.

Appears additions questions:

1. How exclude path from all traffic over VPS address, IPTV-traffiq from any addresses (and local home provider) with one UDP port peer?
2. How enable VPN kill switch mode (disable traffic over local home provider, if disconnect from IPsec)? In Linux it is dealing by DROP on 500 and 4500 UDP ports and DROP non ipsec policy in OUTPUT on client computer.
3. How separate settings for WiFi and only the one port Mikrotik for IPsec mode?
4. How toggle this mode by manually request?

I’ve already explained above why the IPIP tunnel is necessary.

That was a very good idea, as it lets you be sure that the responder side is working properly once you start configuring the Mikrotik as an initiator.

I’m not sure what you mean by one UDP port peer, but IPsec policies are organized like firewall rules, i.e. the packets are checked against the policy list from its top to its bottom, so you can create policies with action=none matching the IP addresses, ports and protocols which should not be tunneled via the IPsec and should follow the normal routes. So an example:

 0     src-address=192.168.19.0/24 src-port=any dst-address=192.168.10.18/32 dst-port=any protocol=all action=none
 1      src-address=192.168.19.254/32 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=udp action=none
 2  A  src-address=192.168.19.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt
       level=unique ipsec-protocols=esp tunnel=yes sa-src-address=5.6.7.8 sa-dst-address=6.7.8.9

• Rule 0 prevents any traffic from the local subnet 192.168.19.0/24 to a single destination address 192.168.10.18 from being stolen from its regular route, encrypted and sent via the tunnel
  Rule 1 prevents UDP traffic from a single address in the local subnet, 192.168.19.254, to any destination, 0.0.0.0/0, from being stolen from its regular route, encrypted and sent via the tunnel
  Rule 2 makes any traffic from the local subnet 192.168.19.0/24 to any destination, 0.0.0.0/0, which was not matched by any of the two previous rules, be stolen from its regular route, encrypted and sent via the tunnel.

However, there is also another way to obtain the same results - assuming that your Mikrotik has a single IP address on WAN to which you have to src-nat all the outgoing connections which don’t use the IPsec tunnel, you can make use of this fact and make the src-address of your single policy not include this WAN IP (which may mean that you’ll need as many policies as you have LAN subnets rather than a single policy with src-address=0.0.0.0/0, but it may be e.g. sufficient to have a single policy with src-address=192.168.0.0/16 if neither your WAN IP nor any of the destinations fit into that range), and use match condition of /ip firewall nat rules to control which traffic will be src-nat’ed (masqueraded) to the WAN IP and will thus escape the IPsec policies, and which will stay with source IP address unchanged and thus will be matched by a corresponding policy.

You have to look at your overall architecture to find the best approach. If your IPsec responder machine actually src-nats all traffic from the initiator before forwarding it anywhere, you can invert the approach above and src-nat all traffic which should be tunneled to a single IP address which you’ll use as src-address of your policy. Ideally, that address would be a public one which you are sure neither the initiator nor the responder will ever need to access.

It depends on how you solve point 1). Normally, an IPsec policy with action=drop following the one with action=encrypt and the same traffic selector (src-address, dst-address etc.) should take care of this, but in recent RouterOS versions it never worked the way I supposed it to work. So another possibility which does work makes use of the fact that you can specify an interface as a gateway of a route, and RouterOS doesn’t care whether that interface is a point-to-point one or not. So you can create an /interface bridge with no member ports and use it as a gateway of the default route (dst-address=0.0.0.0/0); for the traffic which should bypass the IPsec tunnel (including the tunnel’s transport traffic!), you’ll create exceptional routes via the WAN gateway, and the traffic which should be handled by the tunnel will be matched by the IPsec policies. You cannot use a blackhole route because to be matched by an IPsec policy, the traffic has to be routed somewhere first.

The easiest way is to use different bridges for each group of ports, attach a different IP subnet to each bridge, and only let one of the subnets be handled by the IPsec setup. BTW, you can use different SSIDs and/or wireless access list matching on MAC addresses to provide different treatment for different wireless clients.

If your Mikrotik model is equipped with the user-configurable button, you can use a script to toggle the disabled attribute of the IPsec peer on each press of the button; otherwise, you can use a periodically scheduled script monitoring an /ip firewall address-list item and an /ip firewall filter rule creating that item for a couple of seconds when a matching packet passes through it; this way, you can imitate a button press by pinging some address from a device connected to your Mikrotik. Or, if your Mikrotik has a “passive PoE” output, you can connect a pushbutton in series with a resistor to it, so the script would monitor the PoE state. Or, you can evaluate one of the many data bits associated to connection of an external device - ethernet interface up on the Mikrotik, a pending dynamic DHCP lease (you can hang a script to DHCP server which is called at each lease change so you don’t need to schedule it for periodical run), an /interface wireless registration-table or /caps-man registration-table item)… So in principle the tunnel may only be up if at least one device is connected to the right SSID.

Thanks!

For understanding and resolve this answers, me needed more time.
I will write additional questions after - no know, may be for over weeks or else more..

–
Model: Mikrotik RB2011UAS-IN