IPsec VPN for Mikrotik (client) and Debian strongSwan (server)
Posted: Sun Nov 15, 2020 12:24 pm
Hello!
I have AWS Lightsail Debian 10.5 instance with static ip and strongswan installed. I use it to securely access websites from my MacOS and iOS devices. To achieve this, I generate a mobileconfig and install it on MacOS and iOS devices. And it works okay.
I bought RB750Gr3 a while ago and it turned out to be a stable and efficient router! I have two wifi routers connected, Apple TV and ordinary Samsung tv. So I decided to make some of the RB750Gr3 external traffic go through secure channel the same way it works on MacOS and iOS devices.
I believe I have successfully managed to establish IPsec connection:
But I have no idea what to do next. The traffic isn't going through this tunnel.
So, there are a few questions:
P.S. I'm 100% beginner. I can attach screenshots of my current setup but I won't be able to answer questions. I have already checked dozens of guides before posting a question.
Server setup
Mikrotik setup
I have AWS Lightsail Debian 10.5 instance with static ip and strongswan installed. I use it to securely access websites from my MacOS and iOS devices. To achieve this, I generate a mobileconfig and install it on MacOS and iOS devices. And it works okay.
I bought RB750Gr3 a while ago and it turned out to be a stable and efficient router! I have two wifi routers connected, Apple TV and ordinary Samsung tv. So I decided to make some of the RB750Gr3 external traffic go through secure channel the same way it works on MacOS and iOS devices.
I believe I have successfully managed to establish IPsec connection:
new ike2 SA (I): xx.xxx.xx.xx[4500]-yy.yyy.yyy.yyy[4500] spi:....
peer authorized: xx.xxx.xx.xx[4500]-yy.yyy.yyy.yyy[4500] spi:....
But I have no idea what to do next. The traffic isn't going through this tunnel.
So, there are a few questions:
- My current setup is okay, isn't it? Is there something I should change?
- What should I do to route ALL the external traffic through the IPsec tunnel? (main task)
- Is it possible to route only some external traffic through the IPsec tunnel? (for example: google and youtube traffic)
P.S. I'm 100% beginner. I can attach screenshots of my current setup but I won't be able to answer questions. I have already checked dozens of guides before posting a question.
Server setup
Code: Select all
#!/bin/sh
cd
apt update && apt upgrade
apt install strongswan iptables-persistent strongswan-pki zsh
cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 4096 --outform pem > private/root.pem
ipsec pki --self --ca --lifetime 3650 --in private/root.pem \
--type rsa --digest sha256 \
--dn "CN=root" \
--outform pem > cacerts/root.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > private/server.pem
ipsec pki --pub --in private/server.pem --type rsa |
ipsec pki --issue --lifetime 3650 --digest sha256 \
--cacert cacerts/root.pem --cakey private/root.pem \
--dn "CN=$1" \
--san $1 \
--flag serverAuth --outform pem > certs/server.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > private/client.pem
ipsec pki --pub --in private/client.pem --type rsa |
ipsec pki --issue --lifetime 3650 --digest sha256 \
--cacert cacerts/root.pem --cakey private/root.pem \
--dn "CN=client" --san client \
--flag clientAuth \
--outform pem > certs/client.pem
rm /etc/ipsec.d/private/root.pem
> /etc/ipsec.conf
touch /etc/ipsec.conf
echo "include /var/lib/strongswan/ipsec.conf.inc" >> /etc/ipsec.conf
echo "\n" >> /etc/ipsec.conf
echo "config setup" >> /etc/ipsec.conf
echo " uniqueids=never" >> /etc/ipsec.conf
echo " charondebug=\"ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2\"" >> /etc/ipsec.conf
echo "\n" >> /etc/ipsec.conf
echo "conn %default" >> /etc/ipsec.conf
echo " keyexchange=ikev2" >> /etc/ipsec.conf
echo " ike=aes128-sha2_256-ecp256!" >> /etc/ipsec.conf
echo " esp=aes128-sha2_256-ecp256!" >> /etc/ipsec.conf
echo " fragmentation=yes" >> /etc/ipsec.conf
echo " rekey=no" >> /etc/ipsec.conf
echo " compress=yes" >> /etc/ipsec.conf
echo " dpdaction=clear" >> /etc/ipsec.conf
echo " left=%any" >> /etc/ipsec.conf
echo " leftauth=pubkey" >> /etc/ipsec.conf
echo " leftsourceip=$1" >> /etc/ipsec.conf
echo " leftid=$1" >> /etc/ipsec.conf
echo " leftcert=server.pem" >> /etc/ipsec.conf
echo " leftsendcert=always" >> /etc/ipsec.conf
echo " leftsubnet=0.0.0.0/0" >> /etc/ipsec.conf
echo " right=%any" >> /etc/ipsec.conf
echo " rightauth=pubkey" >> /etc/ipsec.conf
echo " rightsourceip=10.10.10.0/24" >> /etc/ipsec.conf
echo " rightdns=8.8.8.8,8.8.4.4" >> /etc/ipsec.conf
echo "\n" >> /etc/ipsec.conf
echo "conn ikev2-pubkey" >> /etc/ipsec.conf
echo " auto=add" >> /etc/ipsec.conf
> /etc/ipsec.secrets
touch /etc/ipsec.secrets
echo "include /var/lib/strongswan/ipsec.secrets.inc" >> /etc/ipsec.secrets
echo "\n" >> /etc/ipsec.secrets
echo ": RSA server.pem" >> /etc/ipsec.secrets
ipsec restart
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.ip_no_pmtu_disc = 1" >> /etc/sysctl.conf
sysctl -p
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -Z
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
netfilter-persistent save
netfilter-persistent reload
cd /home/admin
openssl pkcs12 -export -in /etc/ipsec.d/certs/client.pem -inkey /etc/ipsec.d/private/client.pem -certfile /etc/ipsec.d/cacerts/root.pem -name "client" -out client.p12
chmod 777 client.p12
openssl verify -CAfile /etc/ipsec.d/cacerts/root.pem /etc/ipsec.d/certs/server.pem
openssl verify -CAfile /etc/ipsec.d/cacerts/root.pem /etc/ipsec.d/certs/client.pem
rebootMikrotik setup
Code: Select all
/certificate import file-name=client.p12 passphrase=123
/ip ipsec profile add name=aws_profile hash-algorithm=sha256 enc-algorithm=aes-128 dh-group=ecp256 proposal-check=obey
/ip ipsec proposal add name=aws_proposal auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=ecp256
/ip ipsec policy group add name=aws_policy_group
/ip ipsec policy add group=aws_policy_group proposal=aws_proposal template=yes
/ip ipsec mode-config add name=aws_mode_config responder=no
/ip ipsec peer add name=aws_peer address=YOUR_IP_OR_DOMAIN/32 exchange-mode=ike2 profile=aws_profile
/ip ipsec identity add auth-method=digital-signature certificate=client.p12_0 generate-policy=port-strict mode-config=aws_mode_config peer=aws_peer policy-template-group=aws_policy_group