ROS as VPN Client - any howto?

Well, hello there everybody.

Does anybody know a good tutorial on how to set up ROS as a VPN client?

I have an RB750GR3. On my remote machine I have OpenVPN in UDP mode with ta auth, so it is currently useless for MikroTik. Of course I could set it up in TCP, without tls auth, etc. But still my face will hit the big “openssl problem” wall.

At this point only some IPSec solutions are left for me. But after 2 weeks of trying to get this stuff working I’m giving up. Nothing is working, the StrongSWAN logs are cryptic and don’t explain anything, every tutorial I can find regarding “routeros ipsec” is about how to set up MT as an IPSec server, not a client. Every example configuration or tutorial doesn’t give me a working VPN server. Well, it seems that I’m too dumb to understand IPSec.

Anyway, if somebody knows a place where I can find sample configurations for both sides, or could help me write some tutorial, I would be more than happy. It doesn’t need to be complex since I know how routing and firewalling on Linux systems works.

If you need a minimal VPN config, you can use something like:

proto tcp-server
tls-server
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh2048.pem
user nobody
group nogroup
server 192.168.10.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
verb 5
mute 0
max-clients 5
keepalive 10 120
persist-key
persist-tun
auth SHA1

Tested on OpenVPN 2.4 on Debian.

And the connection like:

 > /interface ovpn-client print 

Flags: X - disabled, R - running 

 0    name="ovpn-out1" mac-address=02:C8:29:B8:FF:26 max-mtu=1500 connect-to=51.255.... port=1194 mode=ip user="doesnmakesense" password="" profile=default certificate=client.crt_0 auth=sha1 cipher=blowfish128 add-default-route=no

client.crt and the client private key should be present on the router and imported, so you should see KT next to the client cert in the certificate list (/certificate print).

I also spent much time trying to understand why I had a TLS error; my problem was a private key that was not correctly imported.
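The reply above boils down to a short list of server-side settings the RouterOS 6 OVPN client can and cannot negotiate (TCP only, no tls-auth/tls-crypt, no LZO, CBC ciphers with MD5/SHA1 HMAC, BF-CBC being what the router calls blowfish128). The checker below is an added example for this thread, not the poster's or MikroTik's code; the rule set encodes those published RouterOS 6 limitations and is an assumption about that RouterOS generation, and the sample config is a constructed copy of the posted one with the typical breaking directives put back in.

```python
"""Flag OpenVPN server directives the RouterOS 6 OVPN client cannot use.

Added example; the rule set below (TCP transport only, no tls-auth/tls-crypt,
no LZO compression, CBC ciphers with MD5/SHA1 HMAC only) is an assumption
about the RouterOS 6 OVPN client, not something stated in the thread.
"""
from typing import List, Optional, Tuple

# Constructed sample: the server config from the thread with the directives a
# Linux-side server commonly carries (UDP, tls-auth, GCM, LZO) put back in.
SAMPLE_CONFIG = """\
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh2048.pem
tls-auth ta.key 0
server 192.168.10.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
cipher AES-256-GCM
auth SHA256
comp-lzo
keepalive 10 120
keepalive 10 120
"""

SUPPORTED_CIPHERS = {"none", "bf-cbc", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}
SUPPORTED_AUTH = {"none", "md5", "sha1"}
UNSUPPORTED = {"tls-auth", "tls-crypt", "comp-lzo", "compress"}
REPEATABLE = {"push", "route", "remote", "pull-filter"}  # legitimately repeated
DEV_TO_ROUTER_MODE = {"tun": "ip", "tap": "ethernet"}   # OVPN 'mode=' on the router


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs; '#'/';' comment lines and blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def check_routeros_compat(text: str, router_mode: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously blocks the router."""
    findings: List[str] = []
    seen = set()
    for directive, args in parse_config(text):
        arg0 = args[0].lower() if args else ""
        if directive in seen and directive not in REPEATABLE:
            findings.append(f"duplicate directive: {directive}")
        seen.add(directive)
        if directive == "proto" and not arg0.startswith("tcp"):
            findings.append(f"proto {arg0}: RouterOS 6 OVPN client speaks TCP only")
        elif directive in UNSUPPORTED:
            findings.append(f"{directive}: not supported by the RouterOS OVPN client")
        elif directive == "cipher" and arg0 not in SUPPORTED_CIPHERS:
            findings.append(f"cipher {arg0}: router supports only BF/AES-128/192/256 in CBC mode")
        elif directive == "auth" and arg0 not in SUPPORTED_AUTH:
            findings.append(f"auth {arg0}: router supports only MD5 or SHA1 HMAC")
        elif directive == "dev" and router_mode and DEV_TO_ROUTER_MODE.get(arg0) != router_mode:
            findings.append(f"dev {arg0}: router interface needs mode={DEV_TO_ROUTER_MODE.get(arg0)}")
    return findings


if __name__ == "__main__":
    for f in check_routeros_compat(SAMPLE_CONFIG, router_mode="ip") or ["no blocking directives found"]:
        print(f)
```

Run it against the config you intend to point the router at; the posted config, which has no cipher directive, falls back to OpenVPN 2.4's BF-CBC default, which is why cipher=blowfish128 on the router side matches it.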

Hello,
Maybe someone can give a howto about setting up MT as a StrongSwan client with IKEv2?
I’ve installed StrongSwan on Ubuntu using this manual: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html, config:

config setup
	charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.

conn %default
	dpdaction=clear
	dpddelay=35s
	dpdtimeout=300s
	fragmentation=yes
	rekey=no

	ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
	esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!

# left - local (server) side
	left=%any
	leftauth=pubkey
	leftcert=vpnHostCert.der
	leftsendcert=always
	leftsubnet=0.0.0.0/0

#authby=pubkey

# right - remote (client) side    
	right=%any
	rightauth=pubkey
	rightsourceip=192.168.100.0/24
	rightdns=8.8.8.8

conn IPSec-IKEv2-pubkey
	keyexchange=ikev2
	auto=add

And in MT I’ve set up:

[admin@MikroTik] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, 
* - default 
 3     ;;; IKEv2
       src-address=EXTERNAL_MT_ADDR/32 src-port=any dst-address=STRONGSWAN_EXT_ADDR/32 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=no proposal=IKEv2 priority=0 ph2-count=0
	   
[admin@MikroTik] /ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder 

 2     address=STRONGSWAN_EXT_ADDR/32 auth-method=rsa-signature 
       certificate=MikrotikCert.pem_0 remote-certificate=vpnHostCert.der_0 
       generate-policy=port-strict policy-template-group=default 
       exchange-mode=ike2 mode-config=request-only send-initial-contact=yes 
       hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 
       dpd-interval=disable-dpd
	  
[admin@MikroTik] /ip ipsec> proposal print 
Flags: X - disabled, * - default 

 3    name="IKEv2" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m 
      pfs-group=none

Tried playing with certs, different AESes and dh-groups, but always in WinBox “No Phase2”.
Can somebody tell me what I’m doing wrong? Or what I should do to make it work?
I’ve tried MT as an OpenVPN client: too low speed; as a client to SoftEther: low download speed (some troubles with SoftEther); and I hope that StrongSwan will finally give good speeds :-)
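One thing worth confirming before touching certificates again is whether the RouterOS peer and proposal above can be matched against the very long ike=/esp= lists in the posted ipsec.conf at all. The script below is an added example for this thread, not MikroTik's or strongSwan's code: it parses strongSwan proposal strings (entries separated by ",", algorithms by "-", a trailing "!" meaning strict) and looks for an entry that contains the router's cipher, hash and DH group. The RouterOS-to-strongSwan name table and the proposal grammar are assumptions taken from the two projects' documentation; the IKE_SPEC and ESP_SPEC values are copied from the ipsec.conf in the post.

```python
"""Match RouterOS IPsec peer/proposal settings against strongSwan ike=/esp= lists.

Added example, not from the thread. Assumed: strongSwan proposal grammar
(',' between entries, '-' between algorithms, trailing '!' = strict) and the
RouterOS-to-strongSwan name table below.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Optional

# Proposal lists copied from the ipsec.conf posted in the thread.
IKE_SPEC = "aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!"
ESP_SPEC = "aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!"

INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
DH_PREFIXES = ("modp", "ecp", "curve25519", "curve448")
ENC_PREFIXES = ("aes", "3des", "des", "chacha20", "camellia", "blowfish", "null")

# RouterOS field values -> strongSwan keywords (the peer's bare names are CBC).
MT_ENC: Dict[str, str] = {
    "aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des",
    "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
    "aes-128-gcm": "aes128gcm16", "aes-256-gcm": "aes256gcm16",
}
MT_AUTH: Dict[str, str] = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}


class Proposal(NamedTuple):
    enc: FrozenSet[str]
    integ: FrozenSet[str]   # empty for AEAD-only ESP entries
    dh: FrozenSet[str]      # empty ESP set means "no PFS"


def parse_proposals(spec: str) -> List[Proposal]:
    """Split a strongSwan ike=/esp= string into one Proposal per comma-separated entry."""
    out = []
    for entry in spec.strip().rstrip("!").split(","):
        enc, integ, dh = set(), set(), set()
        for tok in entry.strip().lower().split("-"):
            if tok.startswith(DH_PREFIXES):
                dh.add(tok)
            elif tok in INTEG:            # before ENC: 'aesxcbc' is an integrity algorithm
                integ.add(tok)
            elif tok.startswith("prf"):   # explicit PRF tokens carry nothing to match here
                continue
            elif tok.startswith(ENC_PREFIXES):
                enc.add(tok)
            else:
                raise ValueError(f"unknown algorithm token {tok!r} in {entry!r}")
        out.append(Proposal(frozenset(enc), frozenset(integ), frozenset(dh)))
    return out


def match_ike(peer: Dict[str, str], ike_spec: str) -> Optional[Proposal]:
    """peer holds the /ip ipsec peer fields enc-algorithm, hash-algorithm, dh-group."""
    enc, integ, dh = MT_ENC[peer["enc-algorithm"]], MT_AUTH[peer["hash-algorithm"]], peer["dh-group"]
    for p in parse_proposals(ike_spec):
        if enc in p.enc and integ in p.integ and dh in p.dh:
            return p
    return None


def match_esp(proposal: Dict[str, str], esp_spec: str) -> Optional[Proposal]:
    """proposal holds the /ip ipsec proposal fields enc-algorithms, auth-algorithms, pfs-group.

    DH is compared the way a CREATE_CHILD_SA rekey sees it: pfs-group=none only fits
    an entry with no DH group, and a named group must be listed in the entry.
    """
    enc, integ, pfs = MT_ENC[proposal["enc-algorithms"]], MT_AUTH[proposal["auth-algorithms"]], proposal["pfs-group"]
    for p in parse_proposals(esp_spec):
        if enc not in p.enc:
            continue
        if p.integ and integ not in p.integ:   # AEAD entries carry no separate integrity alg
            continue
        if (pfs == "none" and not p.dh) or (pfs != "none" and pfs in p.dh):
            return p
    return None


if __name__ == "__main__":
    peer = {"enc-algorithm": "aes-256", "hash-algorithm": "sha1", "dh-group": "modp1024"}
    prop = {"enc-algorithms": "aes-256-cbc", "auth-algorithms": "sha1", "pfs-group": "none"}
    print("IKE match:", match_ike(peer, IKE_SPEC))
    print("ESP match:", match_esp(prop, ESP_SPEC))
```

With the values from the post both lookups succeed (aes256/sha1/modp1024 is offered for IKE, and a plain aes256-sha1 entry without a DH group is offered for ESP), so the "No Phase2" state is not a cipher mismatch; that narrows the search to the policy, certificates and mode-config settings rather than to trying more AES variants.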