Mar
just joined
Topic Author
Posts: 8
Joined: Wed Feb 08, 2017 10:06 am

VPN IPSec tunnel

Wed Feb 08, 2017 10:20 am

Hello.

I have the Windows Cisco Systems VPN client with username/password auth to a remote network. Via this client the IPSec tunnel is working correctly. I need to create the tunnel from a MikroTik RB1100 router.

I can't find info on this in the wiki. Please let me know where I should set the login/password parameters. In ipsec-peers I can't find these fields.

Thank you.

Regards, Mar
 
Jevgenij
just joined
Posts: 3
Joined: Mon Feb 06, 2017 4:07 pm

Re: VPN IPSec tunnel

Thu Feb 09, 2017 9:45 am

Hello,

IPsec Server Config

At first we need a pool from which the RoadWarrior will get an address. Typically in an office you set up a DHCP server for local workstations; the same DHCP pool can be used.

/ip pool add name=ipsec-RW ranges=192.168.77.2-192.168.77.254

Next we need to set up what settings to send to the client using Mode Conf.

/ip ipsec mode-config add address-pool=ipsec-RW name=RW-cfg split-include=10.5.8.0/24,192.168.55.0/24

As you can see, we specified from which pool to give out an address and two allowed subnets.
Now, to allow only specific source/destination addresses in generated policies, we will use a policy group and create policy templates:

/ip ipsec policy group add name=RoadWarrior
/ip ipsec policy
add dst-address=192.168.77.0/24 group=RoadWarrior src-address=10.5.8.0/24 template=yes
add dst-address=192.168.77.0/24 group=RoadWarrior src-address=192.168.55.0/24 template=yes


Now we just add XAuth users and a peer with Mode Conf and the policy group enabled.

/ip ipsec user
add name=user1 password=123
add name=user2 password=234


/ip ipsec peer add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg policy-template-group=RoadWarrior secret=123 passive=yes
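
The commands above use placeholder credentials (`secret=123`, `password=123`) that must be replaced before deployment. The following check is an added example, not part of the original post or any MikroTik tooling; `MIN_LEN` and the function names are assumptions, and it expects one command per line with no `\` continuations.

```python
import shlex

MIN_LEN = 16  # assumed site policy threshold, not a RouterOS default

# Constructed sample: the user and peer commands from the post above.
SAMPLE = """\
/ip ipsec user
add name=user1 password=123
add name=user2 password=234
/ip ipsec peer add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg policy-template-group=RoadWarrior secret=123 passive=yes
"""

def parse(export):
    """Yield (menu_path, properties) for each 'add' command, one per line."""
    menu = ""
    for line in export.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        path = menu
        if tokens[0].startswith("/"):
            # A leading path either switches menu or prefixes one command.
            cut = tokens.index("add") if "add" in tokens else len(tokens)
            path = " ".join(tokens[:cut])
            tokens = tokens[cut:]
            if not tokens:
                menu = path
                continue
        if tokens[0] == "add":
            yield path, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def audit(export):
    """Return findings on PSK and XAuth password strength (values not echoed)."""
    findings, psks, passwords = [], set(), {}
    for path, props in parse(export):
        if path == "/ip ipsec peer" and "secret" in props:
            psks.add(props["secret"])
            if len(props["secret"]) < MIN_LEN:
                findings.append("peer: pre-shared key shorter than %d characters" % MIN_LEN)
        elif path == "/ip ipsec user" and "password" in props:
            passwords[props.get("name", "?")] = props["password"]
    for name, pw in passwords.items():
        if len(pw) < MIN_LEN:
            findings.append("user %s: XAuth password shorter than %d characters" % (name, MIN_LEN))
        if pw in psks:
            findings.append("user %s: XAuth password equals the pre-shared key" % name)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample it reports the short pre-shared key, both short XAuth passwords, and that user1's password is the same string as the key every client shares.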
 
Mar
just joined
Topic Author
Posts: 8
Joined: Wed Feb 08, 2017 10:06 am

Re: VPN IPSec tunnel

Sat Feb 11, 2017 7:07 pm

Thank you for the detailed info. I'll try to realize it next week.
