IPsec VPN for Mikrotik (client) and Debian strongSwan (server)

Posted: Sun Nov 15, 2020 12:24 pm
by iwheelbuy

I have an AWS Lightsail Debian 10.5 instance with a static IP and strongSwan installed. I use it to securely access websites from my macOS and iOS devices. To achieve this, I generate a mobileconfig and install it on the macOS and iOS devices. And it works okay.

I bought an RB750Gr3 a while ago and it turned out to be a stable and efficient router! I have two Wi-Fi routers, an Apple TV and an ordinary Samsung TV connected to it. So I decided to make some of the RB750Gr3's external traffic go through a secure channel the same way it works on the macOS and iOS devices.

I believe I have successfully managed to establish IPsec connection:

new ike2 SA (I):[4500]-yy.yyy.yyy.yyy[4500] spi:....
peer authorized:[4500]-yy.yyy.yyy.yyy[4500] spi:....

But I have no idea what to do next. The traffic isn't going through this tunnel.

So, there are a few questions:

  • My current setup is okay, isn't it? Is there something I should change?
  • What should I do to route ALL the external traffic through the IPsec tunnel? (main task)
  • Is it possible to route only some external traffic through the IPsec tunnel? (for example: google and youtube traffic)

P.S. I'm a 100% beginner. I can attach screenshots of my current setup but I won't be able to answer questions. I have already checked dozens of guides before posting a question.

Server setup

apt update && apt upgrade
apt install strongswan iptables-persistent strongswan-pki zsh
cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 4096 --outform pem > private/root.pem
ipsec pki --self --ca --lifetime 3650 --in private/root.pem \
--type rsa --digest sha256 \
--dn "CN=root" \
--outform pem > cacerts/root.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > private/server.pem
ipsec pki --pub --in private/server.pem --type rsa |
ipsec pki --issue --lifetime 3650 --digest sha256 \
--cacert cacerts/root.pem --cakey private/root.pem \
--dn "CN=$1" \
--san $1 \
--flag serverAuth --outform pem > certs/server.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > private/client.pem
ipsec pki --pub --in private/client.pem --type rsa |
ipsec pki --issue --lifetime 3650 --digest sha256 \
--cacert cacerts/root.pem --cakey private/root.pem \
--dn "CN=client" --san client \
--flag clientAuth \
--outform pem > certs/client.pem
rm /etc/ipsec.d/private/root.pem
> /etc/ipsec.conf
touch /etc/ipsec.conf
echo "include /var/lib/strongswan/" >> /etc/ipsec.conf
echo "\n" >> /etc/ipsec.conf
echo "config setup" >> /etc/ipsec.conf
echo "        uniqueids=never" >> /etc/ipsec.conf
echo "        charondebug=\"ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2\"" >> /etc/ipsec.conf
echo "\n" >> /etc/ipsec.conf
echo "conn %default" >> /etc/ipsec.conf
echo "        keyexchange=ikev2" >> /etc/ipsec.conf
echo "        ike=aes128-sha2_256-ecp256!" >> /etc/ipsec.conf
echo "        esp=aes128-sha2_256-ecp256!" >> /etc/ipsec.conf
echo "        fragmentation=yes" >> /etc/ipsec.conf
echo "        rekey=no" >> /etc/ipsec.conf
echo "        compress=yes" >> /etc/ipsec.conf
echo "        dpdaction=clear" >> /etc/ipsec.conf
echo "        left=%any" >> /etc/ipsec.conf
echo "        leftauth=pubkey" >> /etc/ipsec.conf
echo "        leftsourceip=$1" >> /etc/ipsec.conf
echo "        leftid=$1" >> /etc/ipsec.conf
echo "        leftcert=server.pem" >> /etc/ipsec.conf
echo "        leftsendcert=always" >> /etc/ipsec.conf
echo "        leftsubnet=" >> /etc/ipsec.conf
echo "        right=%any" >> /etc/ipsec.conf
echo "        rightauth=pubkey" >> /etc/ipsec.conf
echo "        rightsourceip=" >> /etc/ipsec.conf
echo "        rightdns=," >> /etc/ipsec.conf
echo "\n" >> /etc/ipsec.conf
echo "conn ikev2-pubkey" >> /etc/ipsec.conf
echo "        auto=add" >> /etc/ipsec.conf
> /etc/ipsec.secrets
touch /etc/ipsec.secrets
echo "include /var/lib/strongswan/" >> /etc/ipsec.secrets
echo "\n" >> /etc/ipsec.secrets
echo ": RSA server.pem" >> /etc/ipsec.secrets
ipsec restart
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.ip_no_pmtu_disc = 1" >> /etc/sysctl.conf
sysctl -p
iptables -P INPUT ACCEPT
iptables -F
iptables -Z
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport  500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
netfilter-persistent save
netfilter-persistent reload
cd /home/admin
openssl pkcs12 -export -in /etc/ipsec.d/certs/client.pem -inkey /etc/ipsec.d/private/client.pem -certfile /etc/ipsec.d/cacerts/root.pem -name "client" -out client.p12
chmod 777 client.p12
openssl verify -CAfile /etc/ipsec.d/cacerts/root.pem /etc/ipsec.d/certs/server.pem
openssl verify -CAfile /etc/ipsec.d/cacerts/root.pem /etc/ipsec.d/certs/client.pem

Mikrotik setup

/certificate import file-name=client.p12 passphrase=123
/ip ipsec profile add name=aws_profile hash-algorithm=sha256 enc-algorithm=aes-128 dh-group=ecp256 proposal-check=obey
/ip ipsec proposal add name=aws_proposal auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=ecp256
/ip ipsec policy group add name=aws_policy_group
/ip ipsec policy add group=aws_policy_group proposal=aws_proposal template=yes
/ip ipsec mode-config add name=aws_mode_config responder=no
/ip ipsec peer add name=aws_peer address=YOUR_IP_OR_DOMAIN/32 exchange-mode=ike2 profile=aws_profile
/ip ipsec identity add auth-method=digital-signature certificate=client.p12_0 generate-policy=port-strict mode-config=aws_mode_config peer=aws_peer policy-template-group=aws_policy_group
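An added consistency check, not code from the post or from strongSwan/RouterOS: it parses the strongSwan proposal strings and the RouterOS profile/proposal lines quoted above, confirms that the IKE and ESP algorithms agree on both ends, and lists the ipsec.conf keys that are blank in the post (leftsubnet, rightsourceip, rightdns) and need real values before the tunnel can carry any traffic. The ALG_MAP spelling table is an assumption limited to the algorithms shown here plus a few common siblings.

```python
import re
# Constructed sample input, copied from the proposal/config lines in the post.
STRONGSWAN_CONF = """conn %default
        ike=aes128-sha2_256-ecp256!
        esp=aes128-sha2_256-ecp256!
        leftsubnet=
        rightsourceip=
        rightdns=,
"""
ROUTEROS_PROFILE = "/ip ipsec profile add name=aws_profile hash-algorithm=sha256 enc-algorithm=aes-128 dh-group=ecp256 proposal-check=obey"
ROUTEROS_PROPOSAL = "/ip ipsec proposal add name=aws_proposal auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=ecp256"

# strongSwan token -> RouterOS spelling (assumed mapping; covers only the
# algorithms that appear in this post plus a few common siblings).
ALG_MAP = {"aes128": "aes-128", "aes256": "aes-256", "sha2_256": "sha256",
           "sha2_512": "sha512", "ecp256": "ecp256", "ecp384": "ecp384"}

def parse_ipsec_conf(text):
    """Flatten the 'key=value' lines of an ipsec.conf into one dict."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            kv[key.strip()] = val.strip()
    return kv

def parse_routeros(cmd):
    """Attribute -> value for a RouterOS 'add' command line."""
    return dict(re.findall(r"(\S+?)=(\S+)", cmd))

def split_proposal(spec):
    """'aes128-sha2_256-ecp256!' -> ('aes-128', 'sha256', 'ecp256')."""
    return tuple(ALG_MAP.get(p, p) for p in spec.rstrip("!").split("-"))

def empty_fields(conf):
    """Keys whose value was left blank (a bare ',' counts as blank too)."""
    return sorted(k for k, v in conf.items() if v.strip(",") == "")

def phase1_matches(conf, profile_cmd):
    """IKE SA: strongSwan 'ike=' vs RouterOS /ip ipsec profile."""
    enc, integ, dh = split_proposal(conf["ike"])
    p = parse_routeros(profile_cmd)
    return (enc, integ, dh) == (p["enc-algorithm"], p["hash-algorithm"], p["dh-group"])

def phase2_matches(conf, proposal_cmd):
    """Child SA: strongSwan 'esp=' vs RouterOS /ip ipsec proposal.
    RouterOS names the cipher mode explicitly; strongSwan's bare aes128 is CBC."""
    enc, integ, dh = split_proposal(conf["esp"])
    p = parse_routeros(proposal_cmd)
    return (enc + "-cbc", integ, dh) == (p["enc-algorithms"], p["auth-algorithms"], p["pfs-group"])
```

Run the two match functions and empty_fields over your own ipsec.conf and exported RouterOS lines; a mismatch or a non-empty blank list explains an SA that negotiates but never carries traffic.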