ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

IPSEC tunnel instructions

Tue Jul 13, 2021 10:03 pm

Hi, I finally have a broadband modem in two locations from my ISP.

  • Location A: hEX S, default configuration, 192.168.1.0/24, ROS 6.48.3
  • Location B: hAP ac, default configuration, 192.168.0.0/24, ROS 6.48.3

Each MikroTik has NAT and masquerade enabled. The good thing about the ISP modems is that I do not have double NAT.

Could you please recommend the most up-to-date or most recent manual/tutorial on how to enable a proper IPsec tunnel between both devices? I was always struggling with setting up IPsec, most probably because of double NAT, and ended up using PPTP/SSTP. However, now that I have two broadband modems I would like to try IPsec and use the full encryption potential of the MikroTik hardware. I would appreciate any advice you may have, as I haven't been around on this forum for quite a while. Many thanks.
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: IPSEC tunnel instructions

Tue Jul 13, 2021 10:13 pm

 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Tue Jul 13, 2021 10:32 pm

In that instruction 192.168.80.1 would be my public IP from my ISP, correct?
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: IPSEC tunnel instructions

Tue Jul 13, 2021 11:19 pm

Jup
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Tue Jul 13, 2021 11:36 pm

OK, thanks. Already working on it. Keep your fingers crossed please :)
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Wed Jul 14, 2021 12:08 am

Do you know if these firewall rules are supposed to be added on both routers?
It is very important that the bypass rule is placed at the top of all other NAT rules.

Another issue is that if you have IP/Fasttrack enabled, packets bypass IPsec policies, so we need to add an accept rule before FastTrack.

/ip firewall filter
add chain=forward action=accept place-before=1
 src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
add chain=forward action=accept place-before=1
 src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related
 
Husky
just joined
Posts: 8
Joined: Sat Apr 24, 2021 5:37 pm

Re: IPSEC tunnel instructions

Thu Jul 15, 2021 11:30 am

Hi,

Yes, those firewall rules must be in place on both routers. But further down the tutorial, it mentions replacing those rules with Raw firewall rules instead for better performance (bypasses connection tracking). Just remember that if you need any port-forwarding through the IPsec tunnel (for example, a port forward from router 1 to a server behind router 2) to work properly through the tunnel, you should not do this and instead stick with the regular Filter rules so that connection tracking works.

In addition, you might notice after a while (also after restarting both routers) that the tunnel comes up but you cannot ping or get traffic through it; you need to add another firewall filter rule to allow input for protocol ipsec-esp. If it is still not working, remember to add your routes.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC tunnel instructions

Thu Jul 15, 2021 11:47 am

I would advise not to use direct IPsec tunnels but to use a GRE (or IPIP) tunnel with the IPsec secret.
That will set up a GRE/IPsec or IPIP/IPsec tunnel which will give you a tunnel interface at each end.
You can then put a /30 address on each end of the tunnel (e.g. 192.168.2.1/30 and 192.168.2.2/30) and set routes to the other subnet via that address as a gateway.

This is much easier to understand and manage in the firewall, both for filtering and NAT.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC tunnel instructions

Thu Jul 15, 2021 5:22 pm

viewforum.php?f=23 CTRL+F "VPN". I've written at least 3 VPN guides, 1 of them is mostly what you are asking - connecting 2 mikrotik routers.
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 1:07 am

Thanks for your comments. I will give it a try and browse through your links/manuals. Probably I will need to set up a GRE tunnel.

I have successfully established connection via IPSEC, my problem is now that the connection stops in the evening when there is no traffic. Restarting any of the routers does not help. I cannot ping the other end. I read that flushing SA on both routers at the same time would help. Strange.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 1:01 pm

IPsec can sometimes run into trouble when there are NAT routers (or other routers keeping a stateful firewall) in between.
With GRE you can enable keepalive to guarantee some traffic.
I normally use BGP over the GRE tunnels to set the routes between the networks (even when it is a simple network), and the BGP traffic also keeps the tunnel alive when there is no user data (so GRE keepalive can be kept off).
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 1:58 pm

IPsec can sometimes run into trouble when there are NAT routers (or other routers keeping a stateful firewall) in between.
With GRE you can enable keepalive to guarantee some traffic.
I normally use BGP over the GRE tunnels to set the routes between the networks (even when it is a simple network), and the BGP traffic also keeps the tunnel alive when there is no user data (so GRE keepalive can be kept off).

I set up GRE+IPsec, disabled fastpath, and added notrack prerouting rules because of the default fasttrack. So far so good. Could you possibly share a manual/instructions on how to set it up - BGP over GRE on MikroTik - or any other resources you find useful? I don't know where to start with BGP. Many thanks.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 4:53 pm

BGP is really easy.
Under BGP->Instances, set the Router ID of each router to its primary IP address on the LAN. Set the AS to a different number on each router; you can use numbers like the default 65530, then 65531 on another, 65532 on a 3rd, etc. Numbers 64512 – 65534 are available for your use.
Under BGP->Peers, on each router add a peer entry for the neighboring router, with the peer's IP (from the /30 you put on the tunnel), the AS number of the neighboring router, and the following settings: nexthop choice = force self, hold time = 15s, ttl = 1.
Under BGP->Networks, on each router add the network addresses of your local networks (the /24 networks, usually).

That is all. Once you have done that, you should see the peer entries becoming "established" and the routes to the other side appear in the table.
There will now be traffic every 5 seconds (1/3 of the hold time you configured; you can set that higher as well, e.g. 30s).
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 6:24 pm

I set that up as you explained, but the BGP state remains "connect" instead of "established". Do you see a flaw in the screenshots? The GRE tunnel is established and ping is OK between both routers. The AS route in IP>ROUTES was manually added by me for the GRE tunnel to work. Only later did I set up BGP as advised by you. Any advice would be appreciated. Do I need to add anything to the firewall? It's GRE over IPsec, just in case. Thanks.

ROUTER 1 - 10.0.1.1
[screenshot]

-------------------------------------------------------------------

ROUTER 2 - 10.0.0.1
[screenshot]
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 6:55 pm

added this rule
add action=accept chain=input comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp

It works, how crazy. I can go ahead and add another location easily. Super!
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 6:57 pm

Do I need to put all networks in BGP on all routers like seen on the screenshot?

10.0.0.0/24 and 10.0.1.0/24 on both routers?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 7:13 pm

No, on each router you only add the networks that are local to that router and that you want other routers to know about.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 7:15 pm

added this rule
add action=accept chain=input comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
Yes, you need to allow input to port 179 TCP, of course not disabled as shown above. You can limit the src-address to the range you use on the GRE tunnels.
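Putting pe1chl's GRE/IPsec, BGP and firewall advice from this thread together, here is an added example configuration for router A; it is not from any post in the thread. The LAN subnets (10.0.1.0/24 and 10.0.0.0/24), the tunnel /30 (192.168.2.0/30) and the AS numbers come from the thread; A_PUBLIC_IP, B_PUBLIC_IP and the IPsec secret are placeholders, and the names gre-to-b and peer-b are my own.

```routeros
# Added example for router A (LAN 10.0.1.0/24), RouterOS 6.48. Router B mirrors it with
# 10.0.0.0/24, 192.168.2.2/30, as=65531, remote-as=65530 and the addresses swapped.
# Placeholders: A_PUBLIC_IP, B_PUBLIC_IP, REPLACE_WITH_STRONG_SECRET.

# GRE tunnel; ipsec-secret makes RouterOS create the IPsec peer and policy for the
# tunnel endpoints itself. Fast path is disabled because it would bypass IPsec.
/interface gre
add name=gre-to-b local-address=A_PUBLIC_IP remote-address=B_PUBLIC_IP \
    ipsec-secret=REPLACE_WITH_STRONG_SECRET allow-fast-path=no

# /30 transit address on the tunnel (192.168.2.2/30 on router B)
/ip address
add address=192.168.2.1/30 interface=gre-to-b

# BGP: a private AS per router, router-id = the router's LAN address
/routing bgp instance
set default as=65530 router-id=10.0.1.1

# Peer B over the tunnel: force-self next hop, 15s hold time, ttl 1 (peer is one hop away)
/routing bgp peer
add name=peer-b remote-address=192.168.2.2 remote-as=65531 \
    nexthop-choice=force-self hold-time=15s ttl=1

# Advertise only this router's own LAN
/routing bgp network
add network=10.0.1.0/24 synchronize=no

# Input rules placed above the default-config "drop all not coming from LAN" rule:
# IKE/NAT-T, ESP and the decrypted GRE only from router B's public address,
# BGP only from the tunnel /30, and none of them disabled.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=B_PUBLIC_IP \
    comment="IKE and NAT-T from router B" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp src-address=B_PUBLIC_IP \
    comment="ESP from router B" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=gre src-address=B_PUBLIC_IP \
    comment="GRE from router B (after IPsec decryption)" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=tcp dst-port=179 src-address=192.168.2.0/30 \
    comment="BGP from GRE peer" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

After applying both sides, /routing bgp peer print should show peer-b as established and /ip route print should list the remote LAN with gateway 192.168.2.2.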
 
ohara
Member
Topic Author
Posts: 387
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

Re: IPSEC tunnel instructions

Fri Jul 16, 2021 11:32 pm

Thank you for your advice. Everything is working fine with BGP GRE+IPSec. This setup simplifies tunnel management a lot.

Could you please advise how I can accomplish the following: a workstation (for example local IP 10.0.1.199) is in location A. I would like to route the traffic of that workstation (10.0.1.199) through the ISP in location B. I would appreciate any advice that I could use to start researching over the weekend. Thanks.
