pitchfork
just joined
Topic Author
Posts: 13
Joined: Sat Aug 22, 2020 6:24 am

Equivalent Mikrotik IPSEC settings for this Linux config

Sun Dec 20, 2020 8:51 am

I'm struggling to work out how to configure an IPSEC Client connection from my hapAC2 to my Fritzbox 7490. The Fritzbox has a static IP, the hapAC2 is on a dynamic IP provided by a mobile provider SIM in an LTE USB Modem.

I have got the VPN working from a Raspberry Pi ZeroW as the client, however I would like to connect from the hapAC2 so I can use WinBox remotely.

This is the Linux config:

IPSec gateway abc123.myfritz.net
IPSec ID pivpn
IPSec secret 1234abcd
IKE Authmode psk
Xauth username pivpn
Xauth password PiPass
local port 0
DPD idle timeout (our side) 0

Could someone please point me in the right direction for how to make this config using the Mikrotik as the client? All the examples I've found are using the Mikrotik as the server.
 
erkexzcx
Member Candidate
Member Candidate
Posts: 144
Joined: Mon Oct 07, 2019 11:42 pm

Re: Equivalent Mikrotik IPSEC settings for this Linux config

Sun Dec 20, 2020 12:52 pm

Before someone helps you, I will give you some hints on where to look.

I've written a few guidelines here and here on how to connect a Mikrotik router using IPSEC/IKEv2. You will have an idea of how the configuration looks and what steps you should take (e.g. exclude from fasttrack, add NAT, optionally set up a killswitch etc).

All the ipsec settings you mentioned are available under "/ip ipsec", especially under the "identities" and "peers" tabs. And lastly, here is the official documentation: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
 
pitchfork
just joined
Topic Author
Posts: 13
Joined: Sat Aug 22, 2020 6:24 am

Re: Equivalent Mikrotik IPSEC settings for this Linux config

Wed Dec 30, 2020 10:39 am

Before someone helps you, I will give you some hints on where to look.

I've written a few guidelines here and here on how to connect a Mikrotik router using IPSEC/IKEv2. You will have an idea of how the configuration looks and what steps you should take (e.g. exclude from fasttrack, add NAT, optionally set up a killswitch etc).

All the ipsec settings you mentioned are available under "/ip ipsec", especially under the "identities" and "peers" tabs. And lastly, here is the official documentation: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Thanks for the hints, everything I can find seems to be on how to connect site to site, which is not what I need. The source site has an LTE modem with a SIM in it, there is no static IP addressing. I also don't know about certificates, I don't need a certificate under Linux, just a preshared key.

Sigh, Mikrotik seems to be so complicated as a client. I think the part I'm missing is the NAT and fasttrack config. The examples I have seen seem to show you needing to know the source IPs, which will change for me with ISP-provided DHCP addresses.

I've even now been out and bought the equipment again so I can try to get it configured in a lab first.

I'll read the documentation again...
 
pitchfork
just joined
Topic Author
Posts: 13
Joined: Sat Aug 22, 2020 6:24 am

Re: Equivalent Mikrotik IPSEC settings for this Linux config

Wed Jan 06, 2021 5:58 am

Hmm I am using ROS 7.1beta3

The IPSEC command in the manual to set the auth-method is not available it seems in ROS 7...

this doesn't work:

/ip ipsec peer
add address=2.2.2.2 auth-method=pre-shared-key-xauth generate-policy=port-strict secret=123 \
xauth-login=user1 xauth-password=123 mode-config=request-only

This is what I see when I press Tab:

[admin@MikrotikRBM33G] /ip/ipsec/peer> add address=2.2.2.2
comment copy-from disabled exchange-mode local-address name passive port profile send-initial-contact
[admin@MikrotikRBM33G] /ip/ipsec/peer> add address=2.2.2.2
 
sindy
Forum Guru
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Equivalent Mikrotik IPSEC settings for this Linux config

Wed Jan 06, 2021 9:32 am

In 7.1, auth-method is a property of /ip ipsec identity, which itself refers to a peer. But this has been true at least since 6.45, so what documentation do you use?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
pitchfork
just joined
Topic Author
Posts: 13
Joined: Sat Aug 22, 2020 6:24 am

Re: Equivalent Mikrotik IPSEC settings for this Linux config

Thu Jan 14, 2021 12:19 pm

In 7.1, auth-method is a property of /ip ipsec identity, which itself refers to a peer. But this has been true at least since 6.45, so what documentation do you use?
The Mikrotik wiki here:

https://wiki.mikrotik.com/wiki/Manual:I ... figuration
 
sindy
Forum Guru
Forum Guru
Posts: 6649
Joined: Mon Dec 04, 2017 9:19 pm

Re: Equivalent Mikrotik IPSEC settings for this Linux config

Thu Jan 14, 2021 5:36 pm

The Mikrotik wiki here:
Hm, they forgot to update that part. At the road warrior client side, the single /ip ipsec peer row now has to be split into rows in two distinct tables:
/ip ipsec peer
add name=some-peer-name address=ip.of.the.responder exchange-mode=main
/ip ipsec identity
add peer=some-peer-name auth-method=pre-shared-key-xauth secret="123" username=test password=345


At the responder ("server") side, the /ip ipsec user table has been amalgamated into /ip ipsec identity as well:
/ip ipsec peer
add name=some-peer-name exchange-mode=main passive=yes
/ip ipsec identity
add peer=some-peer-name auth-method=pre-shared-key-xauth secret="123" username=test password=345
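Putting the two halves together for the original poster's situation, as an added example that is not part of any post in this thread: a complete client-side ("road warrior") configuration for RouterOS 6.45+/7.x that maps the vpnc settings from the first post (gateway, IPSec ID, PSK, XAuth user/password, DPD off) onto the split peer/identity tables from the reply above, plus the fasttrack and NAT exceptions mentioned earlier in the thread and a WinBox rule for the stated goal of managing the hapAC2 through the tunnel. The names fritzbox, fritz-profile and fritz-proposal, the algorithm choices, the use of the IPSec ID as a key-id identity, and the rule placement are assumptions; the thread never states what the Fritzbox actually offers, so the profile and proposal must be matched to it.

```routeros
# Added example, not taken from the thread. RouterOS 6.45+ / 7.x IPsec client
# equivalent to the vpnc config in the first post. Assumed names: fritzbox,
# fritz-profile, fritz-proposal. Secrets are the placeholders the thread shows.

# Phase 1. Algorithms are an assumption and must match the Fritzbox responder.
# vpnc "DPD idle timeout (our side) 0" maps to disabling DPD on this side.
/ip ipsec profile
add name=fritz-profile hash-algorithm=sha1 enc-algorithm=aes-256,aes-128 \
    dh-group=modp1024 nat-traversal=yes dpd-interval=disable-dpd

# Phase 2. Also an assumption; match the responder.
/ip ipsec proposal
add name=fritz-proposal auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none lifetime=1h

# The peer: who we talk to. vpnc "IPSec gateway" -> address.
# No local-address is set, so the dynamic LTE address is used as it changes.
# Assumption: this RouterOS version resolves a DNS name here; if it does not,
# put the Fritzbox's static IP in address= instead.
# If the responder rejects main mode, use exchange-mode=aggressive; group-ID
# plus PSK plus XAuth setups of the vpnc kind commonly need it.
/ip ipsec peer
add name=fritzbox address=abc123.myfritz.net exchange-mode=main \
    profile=fritz-profile

# The identity: how we authenticate to that peer (auth-method lives here
# since 6.45, not on the peer).
# vpnc "IKE Authmode psk" + "Xauth username/password" -> pre-shared-key-xauth.
# vpnc "IPSec ID pivpn" is sent as our key-id identity (assumption: the
# Fritzbox expects the ID this way).
# mode-config=request-only asks the responder for a tunnel address;
# generate-policy=port-strict builds the policy from what it returns, so no
# static source address is needed on the LTE side.
/ip ipsec identity
add peer=fritzbox auth-method=pre-shared-key-xauth secret="1234abcd" \
    username=pivpn password="PiPass" my-id=key-id:pivpn \
    mode-config=request-only generate-policy=port-strict \
    policy-template-group=default

# Keep tunnel traffic out of fasttrack: fasttracked packets skip IPsec policy
# matching. place-before=0 puts these above the default fasttrack rule.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="IPsec in, bypass fasttrack" place-before=0
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="IPsec out, bypass fasttrack" place-before=0

# Allow WinBox (TCP 8291) to the router only when it arrives through the
# tunnel, i.e. never from the bare LTE address.
add chain=input action=accept protocol=tcp dst-port=8291 \
    ipsec-policy=in,ipsec comment="WinBox over the VPN" place-before=0

# Do not masquerade packets heading into the tunnel; srcnat would rewrite the
# source before the IPsec policy is matched and the policy would never hit.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="no NAT into the tunnel" place-before=0

# Checks once it is up:
#   /ip ipsec active-peers print     state should read "established"
#   /ip ipsec installed-sa print     one SA per direction
#   /ip ipsec policy print           a dynamic policy using the mode-config address
#   /system logging add topics=ipsec,!packet   then   /log print
#                                    shows the IKE negotiation if it fails
```

Two things to watch when applying this: the order of the firewall rules matters only within each chain, so placing them at position 0 is enough regardless of what else is in the list, and the WinBox input rule deliberately has no plain-address counterpart, so management from the LTE side stays closed unless the tunnel is up.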
 
pitchfork
just joined
Topic Author
Posts: 13
Joined: Sat Aug 22, 2020 6:24 am

Re: Equivalent Mikrotik IPSEC settings for this Linux config

Fri Jan 15, 2021 4:14 am

Thank you, I'll try this.
