yaomacbt
newbie
Topic Author
Posts: 31
Joined: Tue Sep 10, 2019 11:53 pm

MikroTik CHR on AWS with IPSec

Wed Sep 11, 2019 12:07 am

Hi Everyone,

We have a MikroTik virtual CHR hosted on AWS working as the VPN gateway between our office and the AWS cloud (using an SSTP tunnel), which works perfectly.

Recently one of our partners needs to build an IPsec tunnel to us, and we'd like to use this CHR as the peer on our side. However, the IPsec tunnel does not get established.

Our AWS CHR is pretty simple, with only one interface (both private and public IP assigned by AWS).

Does anyone have experience configuring IPsec on an AWS CHR? Any comment will be appreciated.

Thanks,
Weiqi
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: MikroTik CHR on AWS with IPSec

Thu Sep 12, 2019 5:41 pm

AWS doesn't normally pass a true public IP to the guest VM, so you need to make sure that you have NAT Traversal enabled for IPsec. What are the settings you are using? Can you share your config?
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: MikroTik CHR on AWS with IPSec

Thu Sep 12, 2019 6:18 pm

I literally finished setting this up myself this morning.

Absolutely as above. You get a private LAN which is 1:1 NAT with a real public IP. You need NAT traversal, and the key for me was IPSEC-ESP being open in the firewall.

My CHR at home connects no problem, as well as my parents' RB750, but I had to do a registry "hack" in W10 to get it to connect.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: MikroTik CHR on AWS with IPSec

Thu Sep 12, 2019 9:07 pm


Great point, you definitely need the AWS firewall to 1:1 NAT (and permit) into the guest VM on UDP 500 (ISAKMP) and IP protocol 50 (ESP for IPsec).
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 10:57 am

The easiest way around that is to set Amazon AWS to forward "ALL" traffic onto the CHR instance rather than allowing specific ports, and then control the firewall from the CHR. I did the registry hack on my laptop so it works from behind a NAT, my CHR at home works fine (+cool routing rules), my phone works on LTE but not on WiFi (must be a NAT-T setting not built into Android).
 
yaomacbt
newbie
Topic Author
Posts: 31
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 4:28 pm

Thank you for your reply, Steveocee.

I have NAT-T enabled, and how can I make sure I open IPSEC-ESP in the firewall?
I just edited the security group on the CHR instance to make sure ports 500 and 4500 are open to the peer. Do I need to do something in the CHR firewall rules?

Thanks,
Weiqi
 
yaomacbt
newbie
Topic Author
Posts: 31
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 4:36 pm

Thank you for your comment.
For:
"you definitely need the AWS firewall to 1:1 NAT (and permit) into the guest VM on UDP 500 (ISAKMP) and IP Protocol 50 (ESP for IPSEC)"
How can I do this? Is it done on the AWS side, or do I need to set up the firewall in the MikroTik?

Thanks,
Weiqi
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 4:56 pm

Here is a good tutorial on how to open ports in AWS. And I do not agree that you should just open all ports. Unless you are an ISP or hosting data center that has other security appliances deployed, you should only allow the ports that you need and deny the rest. AWS has great security appliances that protect your VMs, use them. :D

https://ec2-tutorials.readthedocs.io/en ... ewall.html
 
yaomacbt
newbie
Topic Author
Posts: 31
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 6:04 pm

Thank you for the quick reply.

I've opened ports 500 and 4500 to the peer; how should I permit the inbound rule for the IPsec-ESP protocol?
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 6:13 pm

Why poke holes in a firewall you have little control over when you can forward all traffic to a firewall you have full control over? The option is easily accessible through MikroTik. If AWS doesn't give you the option for it, make your life easier by putting a decent firewall on your CHR and passing everything through.
 
yaomacbt
newbie
Topic Author
Posts: 31
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 7:06 pm

I am not sure if I am doing what you said; currently I have the following routes in my AWS VPC:
0.0.0.0/0 targeting the Internet gateway
All internal static routes targeting the CHR interface
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 9:57 pm

This is all I have in mine. No need for anything else as I have a decent firewall on the CHR itself.
Capture.PNG
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: MikroTik CHR on AWS with IPSec

Fri Sep 13, 2019 11:37 pm

AWS gives you full control over the FW. To permit IP protocol 50, you need this type of rule:

Image
 
yaomacbt
newbie
Topic Author
Posts: 31
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec

Mon Sep 16, 2019 6:00 pm

Thanks!
My current issue seems to be on the other peer; I will do more troubleshooting and update later.
 
yaomacbt
newbie
Topic Author
Posts: 31
Joined: Tue Sep 10, 2019 11:53 pm

Re: MikroTik CHR on AWS with IPSec  [SOLVED]

Mon Oct 14, 2019 5:28 pm

Thank you all, I just want to give an update on the CHR IPsec: it is established now. I had to:
1. Allow the IPsec ports and the ESP protocol to my CHR instance in the AWS security group.
2. Then, as MikroTik suggests, enable NAT-T; for the SA source address I put my CHR's private IP, not the public IP.
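The two steps above, written out as a complete CHR-side configuration. This is an added illustration, not configuration posted in the thread or taken from MikroTik's AWS documentation, and every value in it is assumed: the CHR's private ENI address is 10.0.1.10 with AWS mapping the elastic IP 203.0.113.10 onto it 1:1, the partner gateway is 198.51.100.20 with LAN 192.168.50.0/24, our VPC is 10.0.0.0/16, the uplink is ether1, and the pre-shared key is a placeholder. IKEv2 is chosen here rather than the IKEv1 the thread implies; the NAT-T and sa-src-address points are the same either way. On the AWS side the matching security group needs inbound rules from the partner address only: UDP 500, UDP 4500 and IP protocol 50 (ESP), the last entered as a protocol-number rule rather than a TCP/UDP port rule.

```routeros
# Added example, not from the original thread. Assumed addresses:
#   CHR private (ENI) address 10.0.1.10, AWS elastic IP 203.0.113.10 (1:1 NAT by AWS)
#   partner gateway 198.51.100.20, partner LAN 192.168.50.0/24, our VPC 10.0.0.0/16
# Syntax is RouterOS 6.45+ (profile/peer/identity/policy split).

# 1. Input chain: accept IKE (UDP 500), NAT-T (UDP 4500) and ESP from the partner only.
#    Place these above the final drop on the input chain.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=198.51.100.20 \
    comment="IPsec IKE / NAT-T from partner"
add chain=input action=accept protocol=ipsec-esp src-address=198.51.100.20 \
    comment="IPsec ESP from partner"
add chain=input action=drop comment="drop everything else not accepted above"

# 2. Phase 1 profile with NAT-T enabled; the CHR only ever sees its private address,
#    so the IKE exchange must be able to switch to UDP 4500 encapsulation.
/ip ipsec profile
add name=partner-p1 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    nat-traversal=yes lifetime=8h
/ip ipsec proposal
add name=partner-p2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# local-address is the PRIVATE IP: that is the only address the CHR can bind.
/ip ipsec peer
add name=partner address=198.51.100.20/32 local-address=10.0.1.10 \
    exchange-mode=ike2 profile=partner-p1

# Behind 1:1 NAT the IKE identity would default to 10.0.1.10; partners normally
# expect the public address, so state it explicitly. PSK is a placeholder.
/ip ipsec identity
add peer=partner auth-method=pre-shared-key secret="REPLACE-WITH-A-LONG-RANDOM-PSK" \
    my-id=address:203.0.113.10

# Traffic selectors plus the SA endpoints; sa-src-address is again the private IP.
/ip ipsec policy
add peer=partner tunnel=yes src-address=10.0.0.0/16 dst-address=192.168.50.0/24 \
    sa-src-address=10.0.1.10 sa-dst-address=198.51.100.20 proposal=partner-p2

# 3. Keep VPC-to-partner traffic out of the masquerade so it is not rewritten
#    before the policy matches it (the ipsec-policy matcher does this).
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.0.0.0/16 \
    dst-address=192.168.50.0/24 ipsec-policy=out,ipsec comment="bypass NAT for IPsec"
```

After the partner initiates, `/ip ipsec active-peers print` should list the peer with the NAT-T flag set and `/ip ipsec installed-sa print` should show an ESP SA in each direction; if only UDP 500 packets arrive and nothing on 4500, the security group is still missing the NAT-T rule, and if phase 2 completes but no data flows, check the ESP (protocol 50) rule and the srcnat bypass first.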
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: MikroTik CHR on AWS with IPSec

Mon Oct 14, 2019 7:42 pm

Thanks for the update....glad you got it working. :-)

Please mark this as solved
 
abubin
Frequent Visitor
Posts: 52
Joined: Fri Aug 03, 2012 12:47 pm

Re: MikroTik CHR on AWS with IPSec

Fri Sep 17, 2021 9:31 am

Can I know why you use MikroTik CHR instead of the AWS VPN service? Some feature that AWS VPN does not support?

Because I am trying to connect a MikroTik in my DC to AWS VPN and am facing issues getting it set up properly. My lack of skill with MikroTik is getting the better of me. And the project is due yesterday. Imagine the pressure I am facing getting it working.
