Adriand1976
just joined
Topic Author
Posts: 1
Joined: Fri Oct 25, 2019 10:37 am

6.45.6 ipsec site to site tutorial request

Fri Oct 25, 2019 10:46 am

Hello,
I am new.
I bought two hAP ac2 routers and upgraded both to RouterOS 6.45.6.
I have tried every tutorial on the internet to set up IPsec site-to-site, but none of them work.

So if you have time, please make a step-by-step tutorial for IPsec site-to-site on version 6.45.6, with pictures if possible.
Thank you all.
 
Lifz
Frequent Visitor
Posts: 54
Joined: Tue Feb 26, 2013 1:05 pm

Re: 6.45.6 ipsec site to site tutorial request

Fri Oct 25, 2019 10:55 am

 
pe1chl
Forum Guru
Posts: 7234
Joined: Mon Jun 08, 2015 12:09 pm

Re: 6.45.6 ipsec site to site tutorial request

Fri Oct 25, 2019 11:04 am

When you can start from scratch and do not need compatibility with another existing setup, do yourself a favor and skip the IPsec site-to-site tunnel setup.
It is possible to get it working but it is SO MUCH easier to do it this way:

- make sure both sides have a different LAN range, not both the default 192.168.88.0/24! Change one to 192.168.188.0/24 for example.
- create GRE interface at each end with IPsec secret set to the same (long random) value
- add different IP address at each end in a network range that you are not yet using, like 10.0.0.1/30 and 10.0.0.2/30
- add routes for the remote side that use this address as gateway, like 192.168.88.1/24 with gateway 10.0.0.1

That will just work, and it will be extendable to multiple sites and multiple network ranges, and no tricks with NAT required.
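The recipe above written out as a complete two-site configuration. This is an added example, not pe1chl's own commands or MikroTik documentation. It assumes two hAP ac2 units on RouterOS 6.45.x with the default firewall, fixed public addresses on both sides with no NAT between them (written as the placeholders my.public.ip.1 for site A and my.public.ip.2 for site B), LANs 192.168.88.0/24 and 192.168.188.0/24, and a shared secret you replace with a long random string. Interface names, comments and the input-chain firewall rules are this example's additions; pe1chl's recipe does not mention the firewall, but the default input chain drops everything not arriving from the LAN list, so without these rules IKE never completes.

```routeros
# ===== Site A: LAN 192.168.88.0/24, WAN address my.public.ip.1 =====

# GRE interface with ipsec-secret: RouterOS creates a dynamic transport-mode
# IPsec peer and policy for the GRE packets between the two WAN addresses,
# so nothing is typed under /ip ipsec by hand. allow-fast-path=no keeps the
# GRE traffic in the firewall path.
/interface gre add name=gre-siteB local-address=my.public.ip.1 \
    remote-address=my.public.ip.2 \
    ipsec-secret="CHANGE-ME-long-random-string-same-at-both-ends" \
    allow-fast-path=no clamp-tcp-mss=yes

# Point-to-point address on the tunnel, from a range neither LAN uses
/ip address add address=10.0.0.1/30 interface=gre-siteB

# Remote LAN(s) through the tunnel: one static route per remote range,
# gateway = the other end's tunnel address. No NAT is involved.
/ip route add dst-address=192.168.188.0/24 gateway=10.0.0.2

# Default firewall: accept IKE, ESP and IPsec-protected GRE from the peer,
# inserted above the defconf "drop all not coming from LAN" rule in chain input.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=my.public.ip.2 comment="IKE from site B" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp \
    src-address=my.public.ip.2 comment="ESP from site B" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
# ipsec-policy=in,ipsec: cleartext GRE from a spoofed source never matches this rule
add chain=input action=accept protocol=gre src-address=my.public.ip.2 \
    ipsec-policy=in,ipsec comment="GRE from site B, only when it arrived inside IPsec" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
# Do NOT put gre-siteB into the WAN interface list: the defconf masquerade and
# "drop all from WAN not DSTNATed" rules key on that list.

# ===== Site B: LAN 192.168.188.0/24, WAN address my.public.ip.2 =====
# Mirror of site A with the addresses swapped and the identical ipsec-secret.
/interface gre add name=gre-siteA local-address=my.public.ip.2 \
    remote-address=my.public.ip.1 \
    ipsec-secret="CHANGE-ME-long-random-string-same-at-both-ends" \
    allow-fast-path=no clamp-tcp-mss=yes
/ip address add address=10.0.0.2/30 interface=gre-siteA
/ip route add dst-address=192.168.88.0/24 gateway=10.0.0.1
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=my.public.ip.1 \
    comment="IKE from site A" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp src-address=my.public.ip.1 \
    comment="ESP from site A" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=gre src-address=my.public.ip.1 ipsec-policy=in,ipsec \
    comment="GRE from site A, only when it arrived inside IPsec" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# ===== Checks (run on site A) =====
/ip ipsec active-peers print      # the dynamic peer, state established
/ip ipsec installed-sa print      # one ESP SA per direction, byte counters moving
/interface gre print              # gre-siteB shows flag R once keepalives are answered
/ping 10.0.0.2 count=3                                  # other end's tunnel address
/ping 192.168.188.1 src-address=192.168.88.1 count=3    # LAN to LAN through the tunnel
```

A third site is another GRE interface with its own /30 and its own routes at each end that needs to reach it; nothing about NAT changes. GRE plus ESP headers reduce the usable MTU inside the tunnel; clamp-tcp-mss=yes on the interface takes care of TCP, other protocols must fit on their own. If the GRE input rule with ipsec-policy does not match on your 6.45 build (sindy's reply further down notes a GRE handling regression in a 6.45 patch), the same layout works with /interface ipip in place of /interface gre (the IPIP interface takes the same ipsec-secret parameter) and protocol=ipencap in place of protocol=gre.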
 
Filament
just joined
Posts: 15
Joined: Fri Jan 24, 2020 1:32 pm

Re: 6.45.6 ipsec site to site tutorial request

Sat Feb 20, 2021 4:54 pm

When you can start from scratch and do not need compatibility with another existing setup, do yourself a favor and skip the IPsec site-to-site tunnel setup.
It is possible to get it working but it is SO MUCH easier to do it this way
Sir, I'm trying to follow the example here:
https://wiki.mikrotik.com/wiki/Manual:I ... _using_DNS

But it's impossible to make it work; Mikrotik tutorials are always incomplete and extremely frustrating :(

All I'm trying to do is a very simple VPN site-to-site with two Mikrotik routers. But the tutorial ignores Mikrotik default firewall rules. I suspect something in the default firewall configuration is blocking access, but I don't know what.

Could you please post which lines we have to add to obtain a working site-to-site VPN between two Mikrotik HAP AC2 routers in their default configuration?
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: 6.45.6 ipsec site to site tutorial request

Sat Feb 20, 2021 5:43 pm

The default firewall configurations differ for different RouterOS releases, so it is better to post the configuration export.

For IPsec itself, you have to permit, at responder side, inbound connections to UDP port 500 and for ESP if there is no NAT between the peers; if there is NAT, connections to UDP ports 500 and 4500 must be permitted and permitting ESP is not necessary.

So one or both rules below, as explained above, must be placed just before (above) the last action=drop rule in chain input:
chain=input protocol=udp dst-port=500,4500 src-address=ip.of.remote.peer action=accept
chain=input protocol=ipsec-esp src-address=ip.of.remote.peer action=accept


Handling of GRE in firewall got broken by a security patch in 6.45.something, so if you don't have a strong reason to use GRE, use an IPIP tunnel instead. It has less overhead and it causes less headache. If you don't disable the keepalive functionality of the IPIP interface, you don't need to add any firewall rule for the IPIP protocol; otherwise, add
chain=input protocol=ipencap ipsec-policy=in,ipsec action=accept
right before or right after the rule(s) mentioned above.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
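The firewall rules from this reply placed into a complete IPIP-over-IPsec configuration with an explicitly configured IPsec peer, the kind of setup the wiki manual describes. This is an added example, not sindy's commands or the MikroTik wiki; it shows site A (WAN my.public.ip.1, LAN 192.168.88.0/24) and site B mirrors it with the addresses swapped. It assumes fixed public addresses on both sides and no NAT between them (so "UDP 500 plus ESP" is the case that applies), RouterOS 6.43 or newer for the profile/peer/identity syntax, and a shared secret you replace. The object names (siteB-ike, siteB-esp, ipip-siteB) and the algorithm choices are this example's, not the thread's.

```routeros
# Site A: WAN my.public.ip.1, LAN 192.168.88.0/24
# Site B: WAN my.public.ip.2, LAN 192.168.188.0/24 (mirror this file there)

# --- IKE (phase 1): which peer, and how the IKE SA is protected ---
/ip ipsec profile add name=siteB-ike dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h
/ip ipsec peer add name=siteB address=my.public.ip.2/32 profile=siteB-ike exchange-mode=ike2
/ip ipsec identity add peer=siteB auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-string-same-at-both-ends"

# --- ESP (phase 2) ---
/ip ipsec proposal add name=siteB-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# Transport-mode policy: only IPIP packets (protocol 4, "ipencap" in RouterOS) between
# the two WAN addresses are encrypted; everything else on the WAN is untouched.
/ip ipsec policy add peer=siteB tunnel=no \
    src-address=my.public.ip.1/32 dst-address=my.public.ip.2/32 protocol=ipencap \
    sa-src-address=my.public.ip.1 sa-dst-address=my.public.ip.2 \
    action=encrypt level=require ipsec-protocols=esp proposal=siteB-esp

# --- IPIP tunnel that rides inside that policy; keepalive left at its default (enabled) ---
/interface ipip add name=ipip-siteB local-address=my.public.ip.1 remote-address=my.public.ip.2 \
    allow-fast-path=no
/ip address add address=10.0.0.1/30 interface=ipip-siteB
/ip route add dst-address=192.168.188.0/24 gateway=10.0.0.2

# --- Firewall, chain input: inserted above the defconf "drop all not coming from LAN" rule ---
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=my.public.ip.2 \
    comment="IKE from site B (4500 only carries traffic when NAT-T is in use)" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp src-address=my.public.ip.2 \
    comment="ESP from site B (not needed if the peer is behind NAT: ESP then travels inside UDP 4500)" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
# Only if keepalive on ipip-siteB is disabled: the router then never originates IPIP packets
# itself, so the peer's IPIP packets are "new" to connection tracking and need their own rule.
# ipsec-policy=in,ipsec rejects IPIP that did not arrive through the IPsec policy.
# add chain=input action=accept protocol=ipencap src-address=my.public.ip.2 ipsec-policy=in,ipsec \
#     comment="IPIP from site B (keepalive disabled)" \
#     place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# --- Checks ---
/ip ipsec active-peers print          # siteB, state established
/ip ipsec policy print                # the policy flagged A (active), PH2 state established
/ip ipsec installed-sa print          # ESP SAs in both directions
/interface ipip print                 # ipip-siteB flagged R
/ping 10.0.0.2 count=3                # other end's tunnel address
```

With keepalive enabled the router sends IPIP packets itself, so connection tracking sees the peer's packets as replies and the defconf "accept established,related" rule admits them; that is why the ipencap rule is only needed when keepalive is off. The src-address matches on the input rules are deliberate: without them the rules would open IKE and ESP to the whole internet, which the default firewall was written to avoid.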
 
Filament
just joined
Posts: 15
Joined: Fri Jan 24, 2020 1:32 pm

Re: 6.45.6 ipsec site to site tutorial request

Sat Feb 20, 2021 11:38 pm

I've upgraded both Mikrotik HAP AC2 routers to the latest stable version (6.48.1). This is the relevant configuration on the Mikrotik at Site 1 (Headquarters):

/interface bridge add name=blankbridge1
/interface gre add local-address=192.168.99.1 name=gre-tunnel1 remote-address=192.168.99.2

/ip ipsec mode-config add address=192.168.99.2 address-prefix-length=32 name=cfg1 split-include=192.168.99.1/32
/ip ipsec policy group add name=group1
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-128 lifetime=8h name=profile1
/ip ipsec peer add name=peer1 passive=yes profile=profile1 send-initial-contact=no
/ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=proposal1 pfs-group=none
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=cfg1 password=blablabla peer=peer1 policy-template-group=group1 secret=blablapsk username=user1
/ip ipsec policy add dst-address=192.168.99.2/32 group=group1 proposal=proposal1 src-address=192.168.99.1/32 template=yes

/ip route add distance=1 dst-address=192.168.9.0/24 gateway=172.16.1.2

/ip address add address=192.168.99.1 interface=blankbridge1 network=192.168.99.1
/ip address add address=192.168.8.1/24 comment=defconf interface=bridge network=192.168.8.0
/ip address add address=172.16.1.1/30 interface=gre-tunnel1 network=172.16.1.0

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input protocol=gre
/ip firewall filter add action=accept chain=input dst-port=500,4500 in-interface-list=WAN protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

And this is the relevant configuration in Mikrotik Site 2 (Branch Office)

/interface gre add local-address=192.168.99.2 name=gre-tunnel1 remote-address=192.168.99.1

/ip ipsec mode-config add name=cfg1 responder=no use-responder-dns=no
/ip ipsec policy group add name=group1
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-128 lifetime=8h name=profile1
/ip ipsec peer add address=blablabla.sn.mynetname.net name=peer1 profile=profile1
/ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=proposal1 pfs-group=none
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=cfg1 password=blablabla peer=peer1 policy-template-group=group1 secret=blablapsk username=user1
/ip ipsec policy add dst-address=192.168.99.1/32 group=group1 proposal=proposal1 src-address=192.168.99.2/32 template=yes

/ip route add distance=1 dst-address=192.168.8.0/24 gateway=172.16.1.1

/ip address add address=192.168.9.1/24 comment=defconf interface=bridge network=192.168.9.0
/ip address add address=172.16.1.2/30 interface=gre-tunnel1 network=172.16.1.0

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input protocol=gre
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Unfortunately, it doesn't work. I get an IPSec connection, but the GRE tunnels don't work, and the routes are unreachable :(
Last edited by Filament on Sat Feb 20, 2021 11:56 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: 6.45.6 ipsec site to site tutorial request

Sat Feb 20, 2021 11:49 pm

So you insist it must be GRE, you cannot use IPIP instead? Why?
 
Filament
just joined
Posts: 15
Joined: Fri Jan 24, 2020 1:32 pm

Re: 6.45.6 ipsec site to site tutorial request

Sun Feb 21, 2021 12:02 am

I've also tried with IPIP, but I get the same results as with GRE :(

There must be something in the default Firewall configuration, but what could it be?

I've already disabled FastTrack. Should I try to tweak the NAT?

I thought that GRE tunnels would allow me to avoid having to do strange NAT tricks
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: 6.45.6 ipsec site to site tutorial request

Sun Feb 21, 2021 12:15 am

Ah, yes, you forgot to exempt the traffic between 192.168.99.1 and 192.168.99.2 from the masquerade rule, so it gets src-nated and the IPsec policy cannot see it.

Add a rule src-address=192.168.99.0/30 dst-address=192.168.99.0/30 chain=srcnat action=accept before (above) the masquerade one at both devices. Then either disable the tunnel interfaces at both devices and wait 10 minutes before re-enabling them, or issue /ip firewall connection remove [find protocol=gre] (or protocol=ipencap in case of an IPIP tunnel).
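The fix from this reply in command form, against the configuration Filament posted above. This is an added example, not sindy's exact commands. The GRE endpoint addresses 192.168.99.1 and 192.168.99.2 are private, so the GRE transport packets are routed out through the WAN and hit the defconf masquerade rule before the IPsec policy gets to see them; once source-NATed they no longer match the policy. The rule comment and the check commands are this example's additions.

```routeros
# On BOTH routers: accept (= leave untranslated) the transport packets between the
# tunnel endpoint addresses, inserted above the defconf masquerade rule. 192.168.99.0/30
# covers exactly 192.168.99.1 and 192.168.99.2.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.99.0/30 dst-address=192.168.99.0/30 \
    comment="no NAT for GRE/IPIP endpoint traffic" \
    place-before=[find chain=srcnat comment="defconf: masquerade"]

# Connection tracking already holds an entry for the GRE "connection" with the old
# translation attached, and NAT decisions are only made for new connections, so the
# rule above changes nothing until that entry is gone. Either disable both tunnel
# interfaces and wait for the entry to time out, or remove it directly:
/ip firewall connection remove [find protocol=gre]        # IPIP tunnel: protocol=ipencap

# Checks
/ip firewall connection print detail where protocol=gre   # both original and reply addresses must be 192.168.99.x, not the WAN address
/ip ipsec installed-sa print                               # byte counters increasing in both directions
/ping 172.16.1.2 count=3                                   # site 1 -> site 2 tunnel address
```

The same symptom (IPsec up, tunnel dead, routes unreachable) appears whenever the packets the policy is meant to catch are rewritten earlier in the path; the connection-tracking table is the first place to look, because it shows the addresses the packet actually left with.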
 
Filament
just joined
Posts: 15
Joined: Fri Jan 24, 2020 1:32 pm

Re: 6.45.6 ipsec site to site tutorial request

Sun Feb 21, 2021 12:47 am

Yes, you're right. Adding that rule and restarting both routers solved the problem!

I've been able to go back to GRE tunnels, and they work correctly too!! :)

I understand that GRE tunnels have more overhead than IPIP, but they support IPv6. To be honest, I don't really need IPv6 right now, but I suppose it's better to configure GRE tunnels to be "future proof" whenever I need IPv6 some day.

Anyway, thanks a lot. I get frustrated a lot with the current (old) Mikrotik wiki. I understand that all the information is there, but it's spread out in different chapters and very difficult to find. It's extraordinarily difficult for newbies!
 
pe1chl
Forum Guru
Posts: 7234
Joined: Mon Jun 08, 2015 12:09 pm

Re: 6.45.6 ipsec site to site tutorial request

Sun Feb 21, 2021 11:48 am

The NAT rule should have been no problem, unless the GRE or IPIP tunnel interface is in the interface list WAN. It should NOT be in that list!
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: 6.45.6 ipsec site to site tutorial request

Sun Feb 21, 2021 11:56 am

@pe1chl, the issue was different - it's the transport (GRE or IPIP) packets that got src-nated, not the payload ones. The transport ones are routed via the WAN before the policy diverts them.
 
pe1chl
Forum Guru
Posts: 7234
Joined: Mon Jun 08, 2015 12:09 pm

Re: 6.45.6 ipsec site to site tutorial request

Sun Feb 21, 2021 2:52 pm

Ok... I don't understand why the external addresses of the GRE tunnels were set to a NAT'ed address, I always set those to the external address of the router.
Of course this method may be more convenient when the external address is not fixed.
 
sindy
Forum Guru
Posts: 6869
Joined: Mon Dec 04, 2017 9:19 pm

Re: 6.45.6 ipsec site to site tutorial request

Sun Feb 21, 2021 3:42 pm

Yes, tunnel mode of the IPsec encapsulation allows using fixed internal addresses as the GRE/IPIP endpoint addresses while the WAN address of at least the initiator keeps changing. The price to pay is the extra IP header, which consumes part of the MTU, so less space remains in the transport packet for the payload.
