Community discussions

 
yaomacbt
just joined
Topic Author
Posts: 6
Joined: Tue Sep 10, 2019 11:53 pm

MikroTik CHR on AWS with IPSec

Wed Sep 11, 2019 12:07 am

Hi Everyone,

We have a MikroTik virtual CHR hosted on AWS working as the VPN gateway between our office and the AWS cloud (using an SSTP tunnel), which works perfectly.

Recently one of our partners needs to build an IPsec tunnel to us, and we'd like to use this CHR as the peer on our side. However, the IPsec tunnel does not get established.

Our AWS CHR is pretty simple, with only one interface (both private and public IP assigned by AWS).

Does anyone have experience configuring IPsec on an AWS CHR? Any comment will be appreciated.

Thanks,
Weiqi
 
IPANetEngineer
Trainer
Posts: 1018
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: MikroTik CHR on AWS with IPSec

Thu Sep 12, 2019 5:41 pm

AWS doesn't normally pass a true public IP to the guest VM, so you need to make sure that you have NAT Traversal enabled for IPSEC. What are the settings you are using? Can you share your config?
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
 
Steveocee
Forum Guru
Posts: 1086
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MikroTik CHR on AWS with IPSec

Thu Sep 12, 2019 6:18 pm

I literally finished setting this up myself this morning.

Absolutely as above. You get a private LAN which is 1:1 NAT with a real public IP. You need NAT traversal, and the key for me was IPSEC-ESP being open in the firewall.

My CHR at home connects no problem, as well as my parents' RB750, but I had to do a registry "hack" in W10 to get it to connect.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
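The two replies above turn on the same point: because AWS gives the CHR a private address behind a 1:1 NAT, the IPsec peers detect NAT and switch to NAT traversal, after which ESP no longer travels as IP protocol 50 but UDP-encapsulated on port 4500 alongside IKE. The following classifier is an added example (not code from the thread, MikroTik or AWS) showing how a receiver tells the two apart on that shared port, per RFC 3948: an IKE message carries a four-byte zero "Non-ESP Marker", an ESP packet starts directly with its SPI (SPI 0 is reserved, so the two never collide), and a NAT keepalive is a single 0xFF byte. All packet bytes below are constructed; the SPI values and the five-datagram session are made up for illustration.

```python
import struct
from collections import Counter

# Once NAT traversal is negotiated, IKE and ESP share UDP port 4500
# (RFC 3948 / RFC 3947; IKEv2 uses the same scheme). The receiver
# distinguishes them by the first four bytes of the UDP payload:
#   - IKE:  a 4-byte all-zero "Non-ESP Marker", then the IKE header
#   - ESP:  the ESP header itself (SPI, sequence number); SPI 0 is reserved,
#           so a real ESP packet can never begin with four zero bytes
#   - NAT keepalive: a single 0xFF byte
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# IKE header: iSPI, rSPI, next payload, version, exchange type, flags, message id, length
IKE_HEADER = struct.Struct("!QQBBBBII")


def classify_udp4500_payload(payload: bytes) -> dict:
    """Classify the payload of one UDP/4500 datagram as IKE, ESP or NAT keepalive."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        if len(payload) < 4 + IKE_HEADER.size:
            return {"kind": "unknown", "reason": "truncated IKE header"}
        _ispi, _rspi, _np, version, exchange, _flags, msg_id, length = IKE_HEADER.unpack_from(payload, 4)
        return {
            "kind": "ike",
            "major_version": version >> 4,   # high nibble of the version octet
            "exchange_type": exchange,       # e.g. 34 = IKE_SA_INIT, 35 = IKE_AUTH (IKEv2)
            "message_id": msg_id,
            "declared_length": length,
        }
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload, 0)
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown", "reason": "too short"}


def summarize(datagrams) -> dict:
    """Count packet kinds over (ip_protocol, dst_port, payload) tuples, as a capture tool would."""
    counts = Counter()
    for ip_proto, dst_port, payload in datagrams:
        if ip_proto == 50:
            counts["esp-native"] += 1        # raw ESP as IP protocol 50 (no NAT-T in use)
        elif ip_proto == 17 and dst_port == 500:
            counts["ike-udp500"] += 1        # first IKE exchange, before NAT is detected
        elif ip_proto == 17 and dst_port == 4500:
            counts[classify_udp4500_payload(payload)["kind"]] += 1
        else:
            counts["other"] += 1
    return dict(counts)


# Constructed sample session (not a real capture): an IKEv2 IKE_SA_INIT on UDP 500,
# then, after NAT-T is detected, an IKE_AUTH and two ESP packets on UDP 4500.
_ike_sa_init = IKE_HEADER.pack(0x0102030405060708, 0, 33, 0x20, 34, 0x08, 0, 28)
_ike_auth = NON_ESP_MARKER + IKE_HEADER.pack(0x0102030405060708, 0x1112131415161718, 46, 0x20, 35, 0x08, 1, 28)


def _esp(seq: int) -> bytes:
    """Constructed UDP-encapsulated ESP packet: made-up SPI plus placeholder ciphertext."""
    return struct.pack("!II", 0x0ABC1234, seq) + b"\x11" * 16


SAMPLE_NAT_T_SESSION = [
    (17, 500, _ike_sa_init),
    (17, 4500, _ike_auth),
    (17, 4500, _esp(1)),
    (17, 4500, _esp(2)),
    (17, 4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_NAT_T_SESSION))
    # {'ike-udp500': 1, 'ike': 1, 'esp': 2, 'nat-keepalive': 1}
```

The summary for the sample session contains no protocol-50 packets at all, which is why a NAT-T tunnel can come up with only UDP 500 and 4500 permitted; protocol 50 is what the data plane uses when NAT-T is not negotiated, so permitting it as well (the rule IPANetEngineer describes later in the thread) keeps the tunnel working in both cases.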
 
IPANetEngineer
Trainer
Posts: 1018
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: MikroTik CHR on AWS with IPSec

Thu Sep 12, 2019 9:07 pm

I literally finished setting this up myself this morning.

Absolutely as above. You get a private LAN which is 1:1 NAT with a real public IP. You need NAT traversal, and the key for me was IPSEC-ESP being open in the firewall.

My CHR at home connects no problem, as well as my parents' RB750, but I had to do a registry "hack" in W10 to get it to connect.

Great point. You definitely need the AWS firewall to 1:1 NAT (and permit) into the guest VM on UDP 500 (ISAKMP) and IP protocol 50 (ESP for IPsec).
 
Steveocee
Forum Guru
Posts: 1086
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 10:57 am

The easiest way around that is to set Amazon AWS to forward "ALL" traffic onto the CHR instance rather than allowing specific ports, and then control the firewall from the CHR. I did the registry hack on my laptop so it works from behind a NAT; my CHR at home works fine (+cool routing rules); my phone works on LTE but not on WiFi (must be a NAT-T setting not built into Android).
 
yaomacbt
just joined
Topic Author
Posts: 6
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 4:28 pm

I literally finished setting this up myself this morning.

Absolutely as above. You get a private LAN which is 1:1 NAT with a real public IP. You need NAT traversal, and the key for me was IPSEC-ESP being open in the firewall.

My CHR at home connects no problem, as well as my parents' RB750, but I had to do a registry "hack" in W10 to get it to connect.

Thank you for your reply Steveocee,

I have NAT-T enabled, and how can I make sure I open IPSEC-ESP in the firewall?
I just edited the security group on the CHR instance to make sure ports 500 and 4500 are open to the peer. Do I need to do something in the CHR firewall rules?

Thanks,
Weiqi
 
yaomacbt
just joined
Topic Author
Posts: 6
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 4:36 pm

I literally finished setting this up myself this morning.

Absolutely as above. You get a private LAN which is 1:1 NAT with a real public IP. You need NAT traversal, and the key for me was IPSEC-ESP being open in the firewall.

My CHR at home connects no problem, as well as my parents' RB750, but I had to do a registry "hack" in W10 to get it to connect.

Great point. You definitely need the AWS firewall to 1:1 NAT (and permit) into the guest VM on UDP 500 (ISAKMP) and IP protocol 50 (ESP for IPsec).

Thank you for your comment,
For:
you definitely need the AWS firewall to 1:1 NAT (and permit) into the guest VM on UDP 500 (ISAKMP) and IP protocol 50 (ESP for IPsec)
How can I do this? Is it done on the AWS side, or do I need to set up the firewall in the MikroTik?

Thanks,
Weiqi
 
IPANetEngineer
Trainer
Posts: 1018
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 4:56 pm

Here is a good tutorial on how to open ports in AWS. And I do not agree that you should just open all ports. Unless you are an ISP or hosting data center that has other security appliances deployed, you should only allow the ports that you need and deny the rest. AWS has great security appliances that protect your VMs; use them. :D

https://ec2-tutorials.readthedocs.io/en ... ewall.html
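The two positions in the thread so far are "permit exactly UDP 500, UDP 4500 and IP protocol 50 from the peer" and "forward ALL traffic to the CHR and firewall there". Either way, the security group is the thing worth checking, and the original poster's symptom (500 and 4500 open, tunnel still down) is exactly the kind of gap a rule audit catches. The script below is an added example, not code from the thread, MikroTik or AWS: it takes an ingress rule list shaped like the `IpPermissions` array returned by `aws ec2 describe-security-groups` (IPv4 ranges only; the EC2 convention that `IpProtocol` is `"udp"`, `"-1"` for everything, or a protocol number such as `"50"` as a string is assumed), checks that the three IPsec rules exist for the peer's CIDR, and flags rules broader than the peer needs. The three rule sets and the peer address 203.0.113.10 (a documentation range) are constructed for the example.

```python
from ipaddress import ip_network

# Inbound rules an IPsec peer needs on the CHR's security group, as listed in the thread:
# UDP 500 (ISAKMP/IKE), UDP 4500 (IKE and ESP when NAT-T is used), IP protocol 50 (ESP).
# EC2 expresses ESP as IpProtocol "50" with no port range.
REQUIRED_IPSEC_RULES = (("udp", 500), ("udp", 4500), ("50", None))


def _covers(rule: dict, proto: str, port, peer) -> bool:
    """True if one EC2-style IpPermissions entry permits proto/port from the peer network (IPv4 only)."""
    rule_proto = str(rule["IpProtocol"]).lower()
    if rule_proto != "-1":                          # "-1" means all protocols and all ports
        if rule_proto != proto:
            return False
        if port is not None:
            lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
            if lo != -1 and not (lo <= port <= hi):  # -1/-1 means all ports of that protocol
                return False
    return any(peer.subnet_of(ip_network(r["CidrIp"])) for r in rule.get("IpRanges", []))


def audit_ipsec_sg(rules: list, peer_cidr: str) -> dict:
    """Report which IPsec rules are missing for peer_cidr and which rules are broader than needed."""
    peer = ip_network(peer_cidr)
    missing = []
    for proto, port in REQUIRED_IPSEC_RULES:
        if not any(_covers(r, proto, port, peer) for r in rules):
            missing.append(f"udp/{port}" if port else f"ip protocol {proto}")
    overbroad = []
    for r in rules:
        sources = [x["CidrIp"] for x in r.get("IpRanges", [])]
        if str(r["IpProtocol"]) == "-1":
            overbroad.append(f"all protocols from {', '.join(sources)}")
        elif "0.0.0.0/0" in sources:
            overbroad.append(f"{r['IpProtocol']} {r.get('FromPort')}-{r.get('ToPort')} from 0.0.0.0/0")
    return {"missing": missing, "overbroad": overbroad}


# Constructed rule sets shaped like the IpPermissions list from
# `aws ec2 describe-security-groups`; 203.0.113.10 (documentation range) stands in for the peer.
PEER = "203.0.113.10/32"
SG_PORTS_ONLY = [  # the original poster's state: UDP 500 and 4500 open, nothing for ESP
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": PEER}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": PEER}]},
]
SG_ALLOW_ALL = [  # the "forward ALL traffic to the CHR" approach
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
SG_LEAST_PRIVILEGE = SG_PORTS_ONLY + [  # adds ESP from the peer only
    {"IpProtocol": "50", "IpRanges": [{"CidrIp": PEER}]},
]

if __name__ == "__main__":
    for name, sg in [("ports-only", SG_PORTS_ONLY), ("allow-all", SG_ALLOW_ALL),
                     ("least-privilege", SG_LEAST_PRIVILEGE)]:
        print(name, audit_ipsec_sg(sg, PEER))
```

Run against the three constructed rule sets, the audit reports `ip protocol 50` missing for the ports-only group, nothing missing but an all-protocols-from-anywhere rule for the allow-all group, and a clean result for the least-privilege group. The same function works on a real group if the `IpPermissions` array is loaded from the CLI's JSON output.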
 
yaomacbt
just joined
Topic Author
Posts: 6
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 6:04 pm

Here is a good tutorial on how to open ports in AWS. And I do not agree that you should just open all ports. Unless you are an ISP or hosting data center that has other security appliances deployed, you should only allow the ports that you need and deny the rest. AWS has great security appliances that protect your VMs; use them. :D

https://ec2-tutorials.readthedocs.io/en ... ewall.html

Thank you for the quick reply,

I've opened ports 500 and 4500 to the peer; how should I permit the inbound rule for the IPsec-ESP protocol?
 
Steveocee
Forum Guru
Posts: 1086
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 6:13 pm

Why poke holes in a firewall you have little control over when you can forward all traffic to a firewall you have full control over? The option is easily accessible through MikroTik. If AWS doesn't give you the option for it, make your life easier by putting a decent firewall on your CHR and pass everything through.
 
yaomacbt
just joined
Topic Author
Posts: 6
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 7:06 pm

Why poke holes in a firewall you have little control over when you can forward all traffic to a firewall you have full control over? The option is easily accessible through MikroTik. If AWS doesn't give you the option for it, make your life easier by putting a decent firewall on your CHR and pass everything through.

I am not sure if I am doing what you said. Currently I have the following routes on my AWS VPC:
0.0.0.0/0 target to the Internet gateway
All internal static routes target to the CHR interface
 
Steveocee
Forum Guru
Posts: 1086
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 9:57 pm

This is all I have in mine. No need for anything else as I have a decent firewall on the CHR itself.
Capture.PNG
 
IPANetEngineer
Trainer
Posts: 1018
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 11:37 pm

AWS gives you full control over the FW. To permit IP protocol 50, you need this type of rule:

Image
 
yaomacbt
just joined
Topic Author
Posts: 6
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Mon Sep 16, 2019 6:00 pm

This is all I have in mine. No need for anything else as I have a decent firewall on the CHR itself.
Capture.PNG

Thanks!
My current issue seems to be on the other peer; I will do more troubleshooting and update later.
