Michelw72
just joined
Topic Author
Posts: 8
Joined: Thu Jul 05, 2018 11:56 am

2 locations IPSEC, internet access via tunnel

Sat Nov 28, 2020 7:49 pm

Hi, I am somewhat new to MikroTik and by no means a networking expert, so please be gentle :)

I have 2 locations, "Home" and "Parents", both using a MikroTik RB4011iGS+.
On both sides I have configured an IPSEC tunnel. After experimenting with several options, an IPSEC tunnel gave me the most stable and fastest results.
I can ping from one side to the other gateway and I can reach all devices connected to the other side's router.

I have created an addresslist for a few devices on the Home location which I would like to fully route through the Parents locations internet connection, so that those devices connect to the internet using the "Parents" WAN IP-address.

I have been looking on these forums and in the MikroTik documentation. I understand I have to do policy based routing, since the IPSEC tunnel does not have an interface, but so far, after trying for 2 days, I have been unsuccessful in getting this working.

I would rather NOT change to GRE or L2TP, since this works great.

Home:
WAN IP: 213.71.XXX.YYY
local subnet 192.168.207.0/24
Gateway: 192.168.207.1

Relevant configuration:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=IPSEC-S2S

/ip ipsec peer
add address=86.93.XXX.YYY/32 name=IPSEC-S2S profile=IPSEC-S2S

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc name=l2tp-proposal pfs-group=ecp256
add enc-algorithms=aes-128-cbc name=IPSEC-S2S pfs-group=none

/ip address
add address=192.168.207.1/24 comment="to switch" interface=ether2 network=192.168.207.0

/ip firewall address-list
add address=192.168.207.13 comment="TEST 1" list=via_ipsec
add address=192.168.207.10 comment="TEST 2" list=via_ipsec

/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec-out connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="mark ipsec-in connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-nat dst-address=192.168.207.0/24 src-address=192.168.207.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="force dns via mikrotik" dst-port=53 protocol=tcp to-addresses=192.168.207.1 to-ports=53
add action=dst-nat chain=dstnat comment="force dns via mikrotik" dst-port=53 protocol=udp to-addresses=192.168.207.1 to-ports=53

/ip ipsec identity
add comment="IPSEC-S2S tunnel" peer=IPSEC-S2S secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

/ip ipsec policy
add dst-address=192.168.1.0/24 peer=IPSEC-S2S proposal=IPSEC-S2S sa-dst-address=86.93.XXX.YYY sa-src-address=212.71.XXX.YYY src-address=192.168.207.0/24 tunnel=yes

Parents:
WAN IP: 86.93.XXX.YYY
local subnet 192.168.1.0/24
Gateway: 192.168.1.1

Configuration:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=IPSEC-S2S

/ip ipsec peer
add address=212.71.XXX.YYY/32 name=IPSEC-S2S profile=IPSEC-S2S send-initial-contact=no

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc name=l2tp-proposal pfs-group=none
add enc-algorithms=aes-128-cbc name=IPSEC-S2S pfs-group=none

/ip address
add address=192.168.1.1/24 comment="to switch" interface=ether2 network=192.168.1.0

/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-NAT dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Force specified DNS server" dst-port=53 protocol=tcp to-addresses=192.168.1.1 to-ports=53
add action=dst-nat chain=dstnat comment="Force specified DNS server" dst-port=53 protocol=udp to-addresses=192.168.1.1 to-ports=53

/ip ipsec identity
add comment="IPSEC-S2S tunnel" peer=IPSEC-S2S secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

/ip ipsec policy
add dst-address=192.168.207.0/24 peer=IPSEC-S2S sa-dst-address=212.71.XXX.YYY sa-src-address=86.93.XXX.YYY src-address=192.168.1.0/24 tunnel=yes
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 locations IPSEC, internet access via tunnel

Sat Nov 28, 2020 11:32 pm

For pure IPSec tunnels, what the tunnel can transport is determined by policies. So in your case the tunnel can transport only packets between 192.168.1.0/24 and 192.168.207.0/24, nothing else.

If you want to stay with just IPSec, you can add other policies for selected devices (192.168.1.X/32 <-> 0.0.0.0/0). You can't do it for the whole home network, because IPSec takes everything that matches, and I don't think you can do anything with it using address lists (at least not until RouterOS gets support for IPSec VTI, which would give interfaces to IPSec tunnels).

Another way would be to use an IPIP tunnel, which would give you regular interfaces, and IPSec would only be used to secure IPIP between the routers.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 locations IPSEC, internet access via tunnel

Sat Nov 28, 2020 11:58 pm

You may find some inspiration in this similar recent topic.
 
Michelw72
just joined
Topic Author
Posts: 8
Joined: Thu Jul 05, 2018 11:56 am

Re: 2 locations IPSEC, internet access via tunnel

Sun Nov 29, 2020 10:27 am

If you want to stay with just IPSec, you can add other policies for selected devices (192.168.1.X/32 <-> 0.0.0.0/0). You can't do it for the whole home network, because IPSec takes everything that matches, and I don't think you can do anything with it using address lists (at least not until RouterOS gets support for IPSec VTI, which would give interfaces to IPSec tunnels).
Hi, I added another policy to both sides:

Home:

/ip ipsec policy
add comment=l2tp-policy proposal=l2tp-proposal template=yes
add dst-address=0.0.0.0/0 peer=IPSEC-S2S proposal=IPSEC-S2S sa-dst-address=86.93.XXX.YYY sa-src-address=212.71.XXX.YYY src-address=192.168.207.10/32 tunnel=yes
add dst-address=192.168.1.0/24 peer=IPSEC-S2S proposal=IPSEC-S2S sa-dst-address=86.93.XXX.YYY sa-src-address=212.71.XXX.YYY src-address=192.168.207.0/24 tunnel=yes

Parents:

/ip ipsec policy
set 0 proposal=l2tp-proposal
add dst-address=192.168.207.10/32 peer=IPSEC-S2S sa-dst-address=212.71.XXX.YYY sa-src-address=86.93.XXX.YYY src-address=0.0.0.0/0 tunnel=yes
add dst-address=192.168.207.0/24 peer=IPSEC-S2S sa-dst-address=212.71.XXX.YYY sa-src-address=86.93.XXX.YYY src-address=192.168.1.0/24 tunnel=yes

And now if I check the WAN IP-Address on 192.168.207.10 I get:
[~] curl ip.me
86.93.XXX.YYY

And traceroute:

[~] traceroute test.net
traceroute to test.net (85.214.110.167), 30 hops max, 60 byte packets
 1  router.lan (192.168.207.1)  0.316 ms  0.288 ms  0.276 ms
 2  86-93-255-58.fixed.kpn.net (86.93.XXX.YYY)  16.160 ms  15.036 ms  15.165 ms
 3  195-190-228-38.fixed.kpn.net (195.190.228.38)  17.004 ms  17.052 ms  16.754 ms
 4  * * *
 5  * * *
 6  110.ae2.bb-rt1-1.e18.r23.rs.ber.de.as6724.net (85.214.2.66)  29.917 ms  29.753 ms  29.826 ms
 7  110.ae14.core-b2.as6724.net (85.214.2.79)  29.959 ms  33.591 ms *
 8  vl491.sw-vps1-1.10.as6724.net (85.214.0.193)  57.208 ms  57.278 ms vl493.sw-vps1-1.10.as6724.net (85.214.0.197)  56.411 ms
 9  * * *
10  h2439270.stratoserver.net (85.214.110.167)  28.469 ms  28.789 ms  28.579 ms
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=18.4 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=18.2 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=18.5 ms

So far, so good.

But when checking the speed, the connection is extremely slow or the handshake fails altogether:

[~] wget http://speed.transip.nl/100mb.bin
--2020-11-29 09:26:13--  http://speed.transip.nl/100mb.bin
Resolving speed.transip.nl (speed.transip.nl)... 149.210.210.109, 2a01:7c8:1337::100
Connecting to speed.transip.nl (speed.transip.nl)|149.210.210.109|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: ‘100mb.bin’

100mb.bin                                 0%[                                                                                ]  10.42K   993 B/s    eta 31h 34m^

When testing the local subnet on the other side, the speed is at its maximum (my upload is around 26Mb/s):
Testing from 192.168.207.10 to 192.168.1.10
[~] iperf -c 192.168.1.10 --time 30
------------------------------------------------------------
Client connecting to 192.168.1.10, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.207.10 port 38972 connected with 192.168.1.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-30.0 sec  93.1 MBytes  26.0 Mbits/sec
Last edited by Michelw72 on Sun Nov 29, 2020 10:48 am, edited 1 time in total.
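The first-match selector behaviour Sob describes, applied to the policy pairs posted above, as an added example that is not from the thread (Python, written here to model RouterOS policy selection and to check that each side's policies mirror the peer's; assumes the XXX.YYY-masked public addresses play no part in selector matching, so the sa-* fields are omitted):

```python
import ipaddress
import shlex

def parse_policies(export):
    """Return the (src, dst) selector pairs of `add` lines, in router order.
    `set` lines and template policies never match traffic, so they are skipped."""
    policies = []
    for line in export.strip().splitlines():
        fields = shlex.split(line)           # handles comment="..." quoting
        if not fields or fields[0] != "add":
            continue
        kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if kv.get("template") == "yes":
            continue
        policies.append((ipaddress.ip_network(kv.get("src-address", "0.0.0.0/0")),
                         ipaddress.ip_network(kv.get("dst-address", "0.0.0.0/0"))))
    return policies

def match_policy(policies, src, dst):
    """Index of the first policy covering src -> dst, or None when the packet
    bypasses IPsec (and so hits the plain masquerade rule on the local WAN)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (psrc, pdst) in enumerate(policies):
        if s in psrc and d in pdst:
            return i
    return None

def unmirrored(local, remote):
    """Policies on `local` lacking a (dst, src)-swapped twin on `remote`;
    a non-empty result means a selector mismatch the peer will reject."""
    remote_swapped = {(d, s) for s, d in remote}
    return [p for p in local if p not in remote_swapped]

# Selector fields copied from the posted exports; peer/proposal/sa-* fields do not affect selection.
HOME = """
add comment=l2tp-policy proposal=l2tp-proposal template=yes
add dst-address=0.0.0.0/0 peer=IPSEC-S2S src-address=192.168.207.10/32 tunnel=yes
add dst-address=192.168.1.0/24 peer=IPSEC-S2S src-address=192.168.207.0/24 tunnel=yes
"""
PARENTS = """
set 0 proposal=l2tp-proposal
add dst-address=192.168.207.10/32 peer=IPSEC-S2S src-address=0.0.0.0/0 tunnel=yes
add dst-address=192.168.207.0/24 peer=IPSEC-S2S src-address=192.168.1.0/24 tunnel=yes
"""

if __name__ == "__main__":
    home, parents = parse_policies(HOME), parse_policies(PARENTS)
    for host in ("192.168.207.10", "192.168.207.13"):
        print(host, "-> 1.1.1.1 uses policy", match_policy(home, host, "1.1.1.1"))
    print("unmirrored:", unmirrored(home, parents) + unmirrored(parents, home))
```

Running it shows that only 192.168.207.10 reaches the internet through the tunnel, while 192.168.207.13 (the other via_ipsec host) still leaves via the Home WAN because no policy covers it, which is why an address list alone cannot do this job.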
 
Michelw72
just joined
Topic Author
Posts: 8
Joined: Thu Jul 05, 2018 11:56 am

Re: 2 locations IPSEC, internet access via tunnel

Sun Nov 29, 2020 10:44 am

Fixed it by excluding ipsec from fasttrack:
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec-out connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="mark ipsec-in connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes

/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-mark=!ipsec connection-state=established,related

At some point I disabled the IPSEC connection mark. Re-enabled and boom!
[~] speedtest-cli
Retrieving speedtest.net configuration...
Testing from KPN (86.93.XXX.YYY)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by TriNed B.V. (Sint-Oedenrode) [14.12 km]: 20.452 ms
Testing download speed................................................................................
Download: 46.25 Mbit/s
Testing upload speed......................................................................................................
Upload: 26.46 Mbit/s

Thanks everybody!
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: 2 locations IPSEC, internet access via tunnel

Sun Nov 29, 2020 11:22 am

I just can't miss the opportunity to share my written guide :D

viewtopic.php?f=23&t=169538

EDIT: See the bottom of that post. Basically you need to disable the DHCP server in the parents' router and add the established EoIP interface to the main LAN bridges in both your home and parents' routers. All devices in both locations will get IP addresses from your home, and route all traffic through your home. Not to mention that if you enable UPnP in your home, devices connected in your parents' house will be able to open ports and show "NAT type: Open" in multiplayer games. It's like your device won't be able to tell the difference between being at home or at your parents', because everything is routed through your home router.
