floaty
Member Candidate
Topic Author
Posts: 253
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

MTik VPNC-style IPSec-Client with v7.1beta1

Sun Jul 26, 2020 12:27 am

.
recently got the task to provide a VPNC link to a group of users ... my MTik arsenal came to mind
followed some older posts in the forum and got it running with v7.1beta1 (unfortunately not with a production release because of limits in the xauth implementation) *1)
.
I had no access to the remote VPN device [fritzbox], so proposals, profiles and the local key-id that is used may differ between software and vendor versions [with Cisco VPN servers the key-id should be the group name].
.
*1) should also work with 6.48beta12 ... untested ... [What's new in 6.48beta12 (2020-Jul-06 13:33): ike1 - allow using "my-id" parameter with XAuth]
.
/ip firewall address-list
add address=192.168.222.0/24 list=fritzbox-nat-clients
.
/ip ipsec mode-config
add name=fritz-server responder=no src-address-list=fritzbox-nat-clients use-responder-dns=no
.
/ip ipsec policy group
add name=fritz-group
.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des,des hash-algorithm=sha512 lifetime=8h name=fritzbox proposal-check=exact
.
/ip ipsec peer
add address=some-fritz-ddns-name.myfritz.net exchange-mode=aggressive local-address=192.168.222.170 name=some-fritz-ddns-name.myfritz.net profile=fritzbox
.
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des,des lifetime=1h name=fritzbox \
    pfs-group=none
.
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=fritz-server my-id=key-id:userxyz notrack-chain=output password=******** peer=some-fritz-ddns-name.myfritz.net \
    policy-template-group=fritz-group remote-id=fqdn:some-fritz-ddns-name.myfritz.net secret=the-ipsec-psk username=userxyz
.
/ip ipsec policy
add dst-address=0.0.0.0/0 group=fritz-group proposal=fritzbox src-address=0.0.0.0/0 template=yes
.
The only external configuration needed is a route via the MTik device to the remote network for the local clients.
.
MTik-VPNC-Client.PNG
Last edited by floaty on Sun Jul 26, 2020 3:38 pm, edited 3 times in total.
~~
We know what happens to people who stay in the middle of the road. They get run over.
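As an added example (not from floaty's post, and not MikroTik or AVM code), here is the same profile and proposal with the weak entries pruned. The post's lists offer des, 3des and md5 alongside the strong algorithms; since the responder picks from the list, nothing prevents a misconfigured or downgraded peer from landing on DES/MD5, and proposal-check=exact does not help with that. The example assumes the FRITZ!Box firmware on the far side accepts AES-256 with SHA-512 and DH group 2 (modp1024), which floaty's profile already offers first; modp1024 is kept only as that assumption about the remote end and should be raised to modp2048 wherever the peer allows it. The object names ending in -hardened are my own; the peer and group names are the post's.

```routeros
# Added example: the profile/proposal from the post with DES, 3DES and MD5 removed.
# Assumption: the FRITZ!Box accepts aes-256 + sha512 (floaty's profile offers these
# first), so dropping the weaker entries does not break the negotiation.

/ip ipsec profile
# before (from the post): enc-algorithm=aes-256,aes-192,aes-128,3des,des
add name=fritzbox-hardened dh-group=modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha512 lifetime=8h proposal-check=exact

/ip ipsec proposal
# before (from the post): auth-algorithms=sha512,sha256,sha1,md5 and an
# enc-algorithms list that ended in 3des,des
add name=fritzbox-hardened auth-algorithms=sha512 \
    enc-algorithms=aes-256-cbc lifetime=1h pfs-group=none

# Point the existing peer and policy template at the hardened objects
/ip ipsec peer set [find name=some-fritz-ddns-name.myfritz.net] profile=fritzbox-hardened
/ip ipsec policy set [find group=fritz-group template=yes] proposal=fritzbox-hardened

# Verify after the tunnel comes up: the installed SA must show aes-256 / sha512
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
```

One caveat that applies to the original config as much as to this one: aggressive mode with a pre-shared key, which this VPNC style of client requires, sends the responder's authentication hash before the exchange is encrypted, so anyone who captures the first two messages can run an offline dictionary attack on the PSK. Use a long, random PSK and treat the ddns name plus key-id as public.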
 
floaty
Topic Author

Re: MTik VPNC-style IPSec-Client with v7.1beta1

Sun Jul 26, 2020 2:37 am

.
just some illustrations added ....
... coped a while with the ROS ipsec template thing ... doing this config I'm happy to understand now what it can be useful for : )
.
installed-SAs.PNG
.
used-policies.png
 
eguun
newbie
Posts: 38
Joined: Fri Apr 10, 2020 10:18 pm

Re: MTik VPNC-style IPSec-Client with v7.1beta1

Sun Oct 25, 2020 3:33 pm

Super guide, thanks floaty

Reported to work with release 6.47.6, which fixed the IKE xauth issue introduced with release 6.47.5

Thanks
