erkexzcx
Member Candidate
Topic Author
Posts: 248
Joined: Mon Oct 07, 2019 11:42 pm

Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 (with certs) tunnel + EoIP

Wed Nov 25, 2020 9:23 pm

Overview

Notes:
  • I've been using latest ROS6 (6.47.8) for this guide. Steps might be different on ROS7.
  • Tutorial shows how to connect 2 routers, but at the end of this guide there are steps on how to connect 3rd router.
  • Router A (internal VPN IP 10.22.22.1) - VPN server. Has public IP.
  • Router B (internal VPN IP 10.22.22.2) - VPN client. No public IP (it's behind NAT).
  • Once we establish VPN tunnel, we will establish EoIP on top of that.
  • HW accel. IPSEC encryption listed here. I am using AES-256 because it's supported by every Mikrotik router which has HW accel. IPSEC encryption of some sort. If you connect router without hardware acceleration, you might want to reduce encryption for a better performance (at a cost of lower security).

Setup IPSEC/IKE2 connection

Router A (VPN server) steps:
# Create CA certificate and sign it
/certificate add name="My CA" common-name="My CA" key-size=4096 days-valid=7300 key-usage=key-cert-sign,crl-sign
/certificate sign "My CA"

# Create server certificate and sign it
/certificate add name="My server" common-name="My server" subject-alt-name="DNS:XXXXXXXXXXX.sn.mynetname.net" key-size=4096 days-valid=3650 key-usage=tls-server
/certificate sign "My server" ca="My CA"

# Create client certificate, sign it and export it as PKCS12 keystore
/certificate add name="My client" common-name="My client" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "My client" ca="My CA"
/certificate export-certificate "My client" file-name=myclient type=pkcs12 export-passphrase=1234567890

# Copy myclient.p12 file from the Mikrotik to your PC

# Because we need to have internal VPN address 10.22.22.1 which does not happen automatically, create empty bridge and assign it
/interface bridge add name=loopback
/ip address add address=10.22.22.1/24 interface=loopback

# IPSEC configuration
/ip ipsec mode-config add address=10.22.22.2 name="My mc" split-include=10.22.22.1/32 system-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add exchange-mode=ike2 name="My server" passive=yes profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc" peer="My server" policy-template-group="My group" remote-certificate="My client"
/ip ipsec policy add dst-address=10.22.22.2/32 level=unique peer="My server" proposal="My proposal" src-address=10.22.22.1/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0

# Additional steps:
# 1. You might need to add additional rule in firewall -> filter in order to allow traffic from/to 10.22.22.1-10.22.22.2.
# 2. Bypass fasttrack. Easiest way is to add above rule(s) over FastTrack rule.
# 3. You might need to whitelist firewall access for your client router so it can connect via IPSEC/IKE2.

Router B (VPN client) steps:
# Upload myclient.p12 file to Mikrotik

# Import uploaded certificate
/certificate import as-value file-name=myclient.p12 passphrase=1234567890

# Rename imported certificates
/certificate set [find where common-name="My CA"] name="My CA"
/certificate set [find where common-name="My client"] name="My client"

# IPSEC configuration
/ip ipsec mode-config add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add address=<address> exchange-mode=ike2 name="My peer" profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My client" generate-policy=port-strict mode-config="My mc" peer="My peer" policy-template-group="My group"
/ip ipsec policy add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" src-address=10.22.22.2/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.2 place-before=0

# Additional steps:
# 1. You might need to add additional rule in firewall -> filter in order to allow traffic from/to 10.22.22.1-10.22.22.2.
# 2. Bypass fasttrack. Easiest way is to add above rule(s) over fasttrack rule.

# At this point you should see "PH2 State" established in "/ip ipsec policies" and 2 entries in "/ip ipsec installed-sa"...

Ping should work in both directions. Validate them:
# Run in Router A
ping 10.22.22.2

# Run in Router B
ping 10.22.22.1

Setup EoIP tunnel

Note that we disable keepalive in order to get rid of EoIP tunnel flapping which causes disconnects (e.g. in multiplayer games).
# Run in Router A
/interface eoip add !keepalive local-address=10.22.22.1 name="My EoIP" remote-address=10.22.22.2 tunnel-id=0

# Run in Router B
/interface eoip add !keepalive local-address=10.22.22.2 name="My EoIP" remote-address=10.22.22.1 tunnel-id=0
This is it!

BONUS: Connect additional router to VPN server

Router A (VPN server) steps:
# Generate client2 cert
/certificate add name="My client2" common-name="My client2" key-size=4096 days-valid=3650 key-usage=tls-client

# Sign cert using signed CA
/certificate sign "My client2" ca="My CA"

# Export client certificates in P12 format
/certificate export-certificate "My client2" file-name=myclient2 type=pkcs12 export-passphrase=1234567890

# Copy myclient2.p12 file from the Mikrotik to your PC

# IPSEC configuration
/ip ipsec mode-config add address=10.22.22.3 name="My mc2" split-include=10.22.22.1/32 system-dns=no
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc2" peer="My server" policy-template-group="My group" remote-certificate="My client2"
/ip ipsec policy add dst-address=10.22.22.3/32 level=unique peer="My server" proposal="My proposal" src-address=10.22.22.1/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.3 to-addresses=10.22.22.1 place-before=0

Router C (VPN client, the second router we are connecting to VPN server) steps:
# Upload myclient2.p12 file to Mikrotik

# Import uploaded certificate
/certificate import as-value file-name=myclient2.p12 passphrase=1234567890

# Rename imported certificates
/certificate set [find where common-name="My CA"] name="My CA"
/certificate set [find where common-name="My client2"] name="My client2"

# IPSEC configuration
/ip ipsec mode-config add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add address=<address> exchange-mode=ike2 name="My peer" profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My client2" generate-policy=port-strict mode-config="My mc" peer="My peer" policy-template-group="My group"
/ip ipsec policy add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" src-address=10.22.22.3/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.3 place-before=0
As usual, check if you need to exclude traffic from fasttrack and add firewall filter rules in order to allow the 2nd router to connect to the VPN server.
Last edited by erkexzcx on Mon Jun 21, 2021 9:09 pm, edited 14 times in total.
Linux <3
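Added example (not from the tutorial above and not MikroTik code): a small Python checker that parses RouterOS command lines like the ones in this post and cross-checks the Router A and Router B halves, because most of the ways this setup fails are mismatches between the two sides. It flags a certificate that is signed or referenced but never created (the kind of name slip that makes `/certificate sign` fail), proposal algorithms that differ, policies that are not mirror images, and a server mode-config address that does not match the client's policy src-address. The sample scripts are constructed from the tutorial's commands with two planted faults; the function and variable names are mine.

```python
import shlex
ACTIONS = {"add", "set", "sign", "import", "export-certificate"}

def parse(script):
    """RouterOS command lines -> (menu path, action, positional args, {key: value}); other lines are skipped."""
    cmds = []
    for line in script.splitlines():
        toks = shlex.split(line) if line.lstrip().startswith("/") else []
        idx = next((i for i, t in enumerate(toks) if t in ACTIONS), None)
        if idx is not None:
            kv = dict(t.split("=", 1) for t in toks[idx + 1:] if "=" in t)
            cmds.append((" ".join(toks[:idx]), toks[idx], [t for t in toks[idx + 1:] if "=" not in t], kv))
    return cmds

def first_add(cmds, path):  # attributes of the first 'add' under a menu path such as '/ip ipsec policy'
    return next(kv for p, a, _, kv in cmds if p == path and a == "add")

def check_certs(cmds):
    """A signed or referenced certificate must exist: created by 'add' or renamed into by 'set'."""
    known = {kv["name"] for p, a, _, kv in cmds if p == "/certificate" and a in ("add", "set") and "name" in kv}
    refs = []
    for p, a, pos, kv in cmds:
        if p == "/certificate" and a == "sign":
            refs += pos[:1] + [kv[k] for k in ("ca",) if k in kv]
        elif p == "/ip ipsec identity":
            refs += [kv[k] for k in ("certificate", "remote-certificate") if k in kv]
    return [f"certificate {r!r} is referenced but never created" for r in refs if r not in known]

def check_pair(server_script, client_script):
    """Cross-check the Router A (server) and Router B (client) halves of the setup; returns a list of findings."""
    s, c = parse(server_script), parse(client_script)
    found = check_certs(s) + check_certs(c)
    sp, cp = first_add(s, "/ip ipsec proposal"), first_add(c, "/ip ipsec proposal")
    found += [f"proposal {k} differs: {sp.get(k)} vs {cp.get(k)}"
              for k in ("auth-algorithms", "enc-algorithms", "pfs-group") if sp.get(k) != cp.get(k)]
    sp, cp = first_add(s, "/ip ipsec policy"), first_add(c, "/ip ipsec policy")
    if (sp["src-address"], sp["dst-address"]) != (cp["dst-address"], cp["src-address"]):
        found.append("server and client policies are not mirror images")
    if first_add(s, "/ip ipsec mode-config").get("address", "") + "/32" != cp["src-address"]:
        found.append("server mode-config address does not match the client policy src-address")
    return found
# Constructed sample cut down from the tutorial, with two planted faults: the client cert is created as "My client"
# but signed as "My client2", and the client proposal uses aes-128-cbc while the server uses aes-256-cbc.
SERVER = '''/certificate add name="My CA" common-name="My CA" key-usage=key-cert-sign,crl-sign
/certificate add name="My client" common-name="My client2" key-usage=tls-client
/certificate sign "My client2" ca="My CA"
/ip ipsec mode-config add address=10.22.22.2 name="My mc" split-include=10.22.22.1/32
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec policy add dst-address=10.22.22.2/32 peer="My server" proposal="My proposal" src-address=10.22.22.1/32'''
CLIENT = '''/certificate set [find where common-name="My client"] name="My client"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name="My proposal" pfs-group=none
/ip ipsec policy add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" src-address=10.22.22.2/32'''
```

Running `check_pair` on a full pair of exports works the same way; only the first `add` under each menu is compared, so for a multi-client server compare one client at a time.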
 
cyon
Frequent Visitor
Posts: 60
Joined: Tue Apr 29, 2014 12:58 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Mon Dec 07, 2020 9:14 am

I'm also/still having issues.
 I love Mikrotik!
 
erkexzcx
Member Candidate
Topic Author
Posts: 248
Joined: Mon Oct 07, 2019 11:42 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Tue Dec 08, 2020 12:38 am

According to your issue(s) description - you are not having any issues.
Linux <3
 
brg3466
Member Candidate
Posts: 124
Joined: Sat Aug 01, 2015 7:29 am

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Tue Dec 22, 2020 3:10 am

This helps a lot! I just have one Mikrotik router behind the NAT and I don't want to use road-warrior mode because I want the server to get access to the client as well. Thanks!
In fact, I have 2 questions:
1. On both Router A and Router B you have a NAT rule like the one below; why do we need this rule?
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0

2. If, let's say, one subnet of Router A (192.168.1.0/24) has to route all its traffic through Router B to access the internet, how do I do it?
 
erkexzcx
Member Candidate
Topic Author
Posts: 248
Joined: Mon Oct 07, 2019 11:42 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Wed Dec 23, 2020 12:52 am

1. On both Router A and Router B you have a NAT rule like the one below; why do we need this rule?
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0
Ping to internal IP (10.22.22.2) from Router A did not work without this rule, so I added it.

2. If, let's say, one subnet of Router A (192.168.1.0/24) has to route all its traffic through Router B to access the internet, how do I do it?
I believe there are multiple ways to do it. I am really not sure what would be the right way, but maybe you can use a separate routing table for such subnet? Or maybe you can use steps as per this tutorial in order to route all traffic originating from your specified subnet through VPN server?

I am not a networking professional and all the steps I've given are practically tested by me. If something is not right or can be improved - feedback is always welcome. :)
Linux <3
 
cyon
Frequent Visitor
Posts: 60
Joined: Tue Apr 29, 2014 12:58 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Mon Feb 08, 2021 11:36 am

Hello @erkexzcx

I'm looking for a VPN for my iPhone to my Mikrotik?
 I love Mikrotik!
 
Urajmal
just joined
Posts: 18
Joined: Thu Jul 26, 2018 6:23 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Mon Feb 08, 2021 1:20 pm

Hello @erkexzcx

I'm looking for a VPN for my iPhone to my Mikrotik?
See over here: https://www.bgocloud.com/knowledgebase/ ... cbook.html
 
swa69er
just joined
Posts: 11
Joined: Sat Jan 02, 2021 11:54 am

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Thu Mar 11, 2021 4:46 am

This is a great tutorial.
I tried 1 router with a public IP and 1 without a public IP, behind NAT,
tried on AWS EC2 + CHR;
I just followed the steps and it worked perfectly.

Then I added another router without a public IP, behind NAT.
Both routers' PH2 state was established, but just for a minute;
when I flush the installed SAs,
either one is established and the other has no phase 2.
 
plamensgurov
just joined
Posts: 3
Joined: Sun May 16, 2021 4:20 am

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Sun May 16, 2021 4:28 am

Hi, thanks for the tutorial!

When I try to execute the NAT command for Router A:
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0
I get:
no such item

The RouterOS is 6.48.2

Any suggestions?

Actually, never mind - on my version of RouterOS these were not needed to be able to ping the two routers.

Thanks
Plamen
Last edited by plamensgurov on Mon May 17, 2021 2:09 am, edited 1 time in total.
 
plamensgurov
just joined
Posts: 3
Joined: Sun May 16, 2021 4:20 am

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Wed May 19, 2021 8:27 am

Hi,

My goal is to use Router A (public IP) only as an intermediary, so that the LANs of Router B and Router C are on the same broadcast domain, the DHCP server on Router B provides IP addresses to the ethernet port(s) of Router C, and the WAN of Router B is the internet gateway for the entire network. So I have done the following:
  • in Router A, I have bridged the two EoIP interfaces
  • in Router B I added the EoIP interface to the main bridge
  • in Router C I have bridged the EoIP interface with Ether2 (removing it from the default DHCP)
But it doesn't work - if I define static IPs on two computers and plug them into Router B and Ether2 of Router C, they cannot ping each other.

Any suggestions?

Thanks
Plamen
 
plamensgurov
just joined
Posts: 3
Joined: Sun May 16, 2021 4:20 am

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 (with certs) tunnel + EoIP

Sat Jul 10, 2021 7:20 pm

Hi,

I was able to configure one "server" mikrotik (say A) with a public IP and two others behind NAT, one of which (say B) will be used to provide DHCP to the other one (say C).

I am getting:
ipsec,error no policy found/generated

in both mikrotiks.
When I was testing both mikrotiks (B and C) connected under different NATs but with the same outgoing public IP, everything worked, the link is established and even the EoIP - doing traceroute from C, I see the trace using B's WAN.

But when I move mikrotik C to a completely different network, I see that only one of the mikrotiks (B or C) can establish a connection to A at the same time.

Here is a snippet of the configuration on one of the ends:
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=ServerProposal pfs-group=ecp521

/ip ipsec identity
add auth-method=digital-signature certificate=ServerCrt generate-policy=port-strict match-by=certificate mode-config=B_MC peer=ServerPeer policy-template-group=ServerPoli remote-certificate=B_Crt
add auth-method=digital-signature certificate=ServerCrt generate-policy=port-strict match-by=certificate mode-config=C_MC peer=ServerPeer policy-template-group=ServerPoli remote-certificate=C_Crt
What could be the issue?
 
sindy
Forum Guru
Posts: 7910
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 (with certs) tunnel + EoIP

Sat Aug 28, 2021 3:41 pm

@plamensgurov, no one can help you without seeing the exported configurations from all three routers. What you want can work easily, so there must be some misconfiguration.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
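A helper for the sanitising step sindy describes, added here as an example (not from this thread and not MikroTik code): it rewrites every public IPv4 address in an `/export` to a consistent `my.public.ip.N` placeholder while leaving RFC 1918, loopback and similar addresses alone, so the posted configuration still shows the topology. The sample export is constructed (it uses RFC 5737 documentation addresses in place of real public ones), and which ranges count as "not identifying" is an assumption spelled out in the code.

```python
import re
from ipaddress import ip_address, ip_network

# Ranges that do not identify the poster and are left untouched (assumption: RFC 1918, loopback,
# link-local, the 0.0.0.0/8 "this network" block and multicast/reserved); anything else is public.
KEEP = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                 "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/3")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sanitize_export(text):
    """Replace each public IPv4 address with my.public.ip.N (same address -> same N).
    Returns the rewritten text plus the mapping, which the poster keeps for later correlation."""
    mapping = {}

    def swap(match):
        raw = match.group(0)
        try:
            addr = ip_address(raw)
        except ValueError:          # dotted digits that are not an address, e.g. 300.1.2.3
            return raw
        if any(addr in net for net in KEEP):
            return raw
        return mapping.setdefault(raw, f"my.public.ip.{len(mapping) + 1}")

    return IPV4.sub(swap, text), mapping

# Constructed sample export snippet, not a real router's output.
SAMPLE = """/ip address
add address=10.22.22.1/24 interface=loopback
add address=203.0.113.7/29 interface=ether1
/ip ipsec peer
add address=198.51.100.21/32 exchange-mode=ike2 name="My peer" profile="My profile"
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1
/ip route
add distance=1 gateway=203.0.113.1
add distance=1 gateway=203.0.113.7 dst-address=0.0.0.0/0
"""
```

Run it over the file written by `/export hide-sensitive file=x`; `hide-sensitive` strips keys and passwords, this handles the addresses.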
