Community discussions

erkexzcx
Member Candidate
Topic Author
Posts: 144
Joined: Mon Oct 07, 2019 11:42 pm

Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Wed Nov 25, 2020 9:23 pm

Overview

Notes:
  • I've been using the latest ROS6 (6.47.8) for this guide. Steps might be different on ROS7.
  • The tutorial shows how to connect 2 routers, but at the end of this guide there are steps on how to connect a 3rd router.
  • Router A (internal VPN IP 10.22.22.1) - VPN server. Has a public IP.
  • Router B (internal VPN IP 10.22.22.2) - VPN client. No public IP (it's behind NAT).
  • Once we establish the VPN tunnel, we will establish EoIP on top of it.
  • HW accel. IPSEC encryption listed here. I am using AES-256 because it's supported by every Mikrotik router which has HW accel. IPSEC encryption of some sort. If you connect a router without hardware acceleration, you might want to reduce encryption strength for better performance (at the cost of lower security).

Setup IPSEC/IKE2 connection

Router A (VPN server) steps:
# Generate CA
/certificate add name="My CA" common-name="My CA" key-size=4096 days-valid=3650 key-usage=key-cert-sign,crl-sign

# Generate client and server certs
/certificate add name="My client" common-name="My client" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-client
/certificate add name="My server" common-name="My server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server

# Sign CA
/certificate sign "My CA"

# Sign certs using signed CA
/certificate sign "My client" ca="My CA"
/certificate sign "My server" ca="My CA"

# Trust certs
/certificate set "My client" trusted=yes
/certificate set "My server" trusted=yes

# Export client certificates in P12 format
/certificate export-certificate "My client" file-name=myclient type=pkcs12 export-passphrase=1234567890

# Copy myclient.p12 file from the Mikrotik to your PC

# Because we need the internal VPN address 10.22.22.1 on the router, which does not happen automatically, create an empty bridge and assign it
/interface bridge add name=loopback
/ip address add address=10.22.22.1/24 interface=loopback

# IPSEC configuration
/ip ipsec mode-config add address=10.22.22.2 name="My mc" split-include=10.22.22.1/32 system-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add exchange-mode=ike2 name="My server" passive=yes profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc" peer="My server" policy-template-group="My group" remote-certificate="My client"
/ip ipsec policy add dst-address=10.22.22.2/32 level=unique peer="My server" proposal="My proposal" src-address=10.22.22.1/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0

# Additional steps:
# 1. You might need to add an additional rule in firewall -> filter in order to allow traffic from/to 10.22.22.1-10.22.22.2.
# 2. Bypass fasttrack. The easiest way is to add the above rule(s) above the FastTrack rule.
# 3. You might need to whitelist firewall access for your client router so it can connect via IPSEC/IKE2.

Router B (VPN client) steps:
# Upload myclient.p12 file to Mikrotik

# Import uploaded certificate
/certificate import as-value file-name=myclient.p12 passphrase=1234567890

# Rename imported certificates
/certificate set [find where common-name="My CA"] name="My CA"
/certificate set [find where common-name="My client"] name="My client"

# IPSEC configuration
/ip ipsec mode-config add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add address=<address> exchange-mode=ike2 name="My peer" profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My client" generate-policy=port-strict mode-config="My mc" peer="My peer" policy-template-group="My group"
/ip ipsec policy add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" src-address=10.22.22.2/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.2 place-before=0

# Additional steps:
# 1. You might need to add an additional rule in firewall -> filter in order to allow traffic from/to 10.22.22.1-10.22.22.2.
# 2. Bypass fasttrack. The easiest way is to add the above rule(s) above the fasttrack rule.

# At this point you should see "PH2 State" established in "/ip ipsec policies" and 2 entries in "/ip ipsec installed-sa"...

Ping should work in both directions. Validate it:
# Run in Router A
ping 10.22.22.2

# Run in Router B
ping 10.22.22.1

Setup EoIP tunnel

Note that we disable keepalive in order to get rid of EoIP tunnel flapping which causes disconnects (e.g. in multiplayer games).
# Run in Router A
/interface eoip add !keepalive local-address=10.22.22.1 name="My EoIP" remote-address=10.22.22.2 tunnel-id=0

# Run in Router B
/interface eoip add !keepalive local-address=10.22.22.2 name="My EoIP" remote-address=10.22.22.1 tunnel-id=0
This is it!

BONUS: Connect additional router to VPN server

Router A (VPN server) steps:
# Generate client2 cert
/certificate add name="My client2" common-name="My client2" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-client

# Sign cert using signed CA
/certificate sign "My client2" ca="My CA"

# Trust certs
/certificate set "My client2" trusted=yes

# Export client certificates in P12 format
/certificate export-certificate "My client2" file-name=myclient2 type=pkcs12 export-passphrase=1234567890

# Copy myclient2.p12 file from the Mikrotik to your PC

# IPSEC configuration
/ip ipsec mode-config add address=10.22.22.3 name="My mc2" split-include=10.22.22.1/32 system-dns=no
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc2" peer="My server" policy-template-group="My group" remote-certificate="My client2"
/ip ipsec policy add dst-address=10.22.22.3/32 level=unique peer="My server" proposal="My proposal" src-address=10.22.22.1/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.3 to-addresses=10.22.22.1 place-before=0

Router C (VPN client, the second router we are connecting to VPN server) steps:
# Upload myclient2.p12 file to Mikrotik

# Import uploaded certificate
/certificate import as-value file-name=myclient2.p12 passphrase=1234567890

# Rename imported certificates
/certificate set [find where common-name="My CA"] name="My CA"
/certificate set [find where common-name="My client2"] name="My client2"

# IPSEC configuration
/ip ipsec mode-config add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add address=<address> exchange-mode=ike2 name="My peer" profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My client2" generate-policy=port-strict mode-config="My mc" peer="My peer" policy-template-group="My group"
/ip ipsec policy add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" src-address=10.22.22.3/32 tunnel=yes

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.3 place-before=0
As usual, check whether you need to exclude traffic from fasttrack and add firewall filter rules in order to allow the 2nd router to connect to the VPN server.
Last edited by erkexzcx on Sun Dec 20, 2020 1:14 pm, edited 10 times in total.
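The post leaves the firewall side as "you might need to add a rule" (steps 1-3 under Additional steps). The following is an added example, not part of erkexzcx's post, that spells those rules out in ROS6 syntax and adds the commands to confirm the tunnel is up. It assumes the tunnel addresses from the post, that rules inserted with place-before=0 landing at the top of their chain is acceptable (move them just above your own drop rule if you prefer), and that a fasttrack rule exists on the router if you apply the two bypass lines.

```routeros
# --- Router A (VPN server), ROS6 ---
# Let the client reach IKEv2 and ESP. It sits behind NAT with no fixed public address, so the source
# cannot be pinned down; the certificate check in the identity (match-by=certificate) is what gates the tunnel.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKEv2 and NAT-T" place-before=0
/ip firewall filter add chain=input action=accept protocol=ipsec-esp comment="ESP" place-before=0

# --- Both routers ---
# Accept what arrives decrypted from the tunnel (the pings and the EoIP/GRE packets), but only between
# the two tunnel addresses. This is the "additional filter rule" from the post made explicit.
/ip firewall filter add chain=input action=accept ipsec-policy=in,ipsec src-address=10.22.22.0/24 dst-address=10.22.22.0/24 comment="Decrypted IPsec tunnel traffic" place-before=0

# If the default fasttrack rule is present, accept IPsec-policy traffic ahead of it (this is what
# MikroTik's own IPsec documentation does); fasttracked packets skip the IPsec policy lookup.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="IPsec bypass fasttrack" place-before=[find action=fasttrack-connection]
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="IPsec bypass fasttrack" place-before=[find action=fasttrack-connection]

# --- Checks (run on either router; swap the ping target on Router B) ---
# Expect one active peer, two installed SAs (one per direction) and PH2 State "established" on the policy.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print detail
/ping 10.22.22.2 count=3

# --- Housekeeping on Router A ---
# myclient.p12 holds the client's private key; remove it from the router once it has been copied off.
/file remove myclient.p12
```

Note what the certificate procedure in the post implies: the CA's private key and both end-entity keys are generated and stay on Router A, and the exported .p12 protects the client key with nothing but the export passphrase, so replace the placeholder 1234567890 with a strong one and delete the bundle from both the router and your PC once Router B has imported it.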
 
cyon
Frequent Visitor
Posts: 53
Joined: Tue Apr 29, 2014 12:58 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Mon Dec 07, 2020 9:14 am

I'm also/still having issues.
I love Mikrotik!
 
erkexzcx
Member Candidate
Topic Author
Posts: 144
Joined: Mon Oct 07, 2019 11:42 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Tue Dec 08, 2020 12:38 am

According to your issue(s) description - you are not having any issues.
 
brg3466
Frequent Visitor
Posts: 96
Joined: Sat Aug 01, 2015 7:29 am

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Tue Dec 22, 2020 3:10 am

This helps a lot! I just have one Mikrotik router behind the NAT and I don't want to use road-warrior mode because I want the server to get access to the client as well. Thanks!
In fact, I have 2 questions:
1. On both Router A and Router B, you have a NAT rule, like below. Why do we need this rule?
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0

2. If, let's say, one subnet of Router A (192.168.1.0/24) has to route all its traffic through Router B to access the internet, how do we do it?
 
erkexzcx
Member Candidate
Topic Author
Posts: 144
Joined: Mon Oct 07, 2019 11:42 pm

Re: Mikrotik (behind NAT) to Mikrotik IPSEC/IKE2 tunnel + EoIP on top of that

Wed Dec 23, 2020 12:52 am

1. On both Router A and Router B, you have a NAT rule, like below. Why do we need this rule?
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1 place-before=0
Ping to the internal IP (10.22.22.2) from Router A did not work without this rule, so I added it.

2. If, let's say, one subnet of Router A (192.168.1.0/24) has to route all its traffic through Router B to access the internet, how do we do it?
I believe there are multiple ways to do it. I am really not sure what would be the right way, but maybe you can use a separate routing table for such a subnet? Or maybe you can use the steps from this tutorial in order to route all traffic originating from your specified subnet through the VPN server?

I am not a networking professional and all the steps I've given are practically tested by me. If something is not right or can be improved - feedback is always welcome. :)
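For brg3466's second question (sending Router A's 192.168.1.0/24 out through Router B's internet connection), here is one concrete way to do it on ROS6 using the EoIP tunnel from the first post as a routed link. This is an added example, not erkexzcx's answer. It assumes addresses chosen here for the two ends of the EoIP interface (10.33.33.1/30 on Router A, 10.33.33.2/30 on Router B), a routing mark named via-routerB, that Router B's internet-facing interface is ether1, and ROS6's behaviour of falling back to the main table when a marked lookup finds no route (ROS7 handles routing tables differently, as the post's note about ROS7 warns).

```routeros
# --- Router A ---
# Address on our end of the EoIP interface (10.33.33.0/30 is an assumed, unused subnet).
/ip address add address=10.33.33.1/30 interface="My EoIP"
# Mark everything from the LAN subnet that is not headed for another 192.168.x.x network; marked packets
# use the via-routerB table instead of main. Extend the exclusion if the LAN must reach other local networks directly.
/ip firewall mangle add chain=prerouting src-address=192.168.1.0/24 dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=via-routerB passthrough=no comment="192.168.1.0/24 exits through Router B"
# Default route for that table points at Router B's end of the tunnel; check-gateway pulls it when B is unreachable.
/ip route add dst-address=0.0.0.0/0 gateway=10.33.33.2 routing-mark=via-routerB check-gateway=ping distance=1
# Fail closed: with the route above inactive, a ROS6 marked lookup would fall back to main, i.e. Router A's
# own uplink, and the subnet would silently leak out the wrong way. The blackhole takes over instead.
/ip route add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-routerB distance=10
# GRE plus ESP overhead means full-size TCP segments will not fit in the tunnel; clamp the MSS on SYNs.
/ip firewall mangle add chain=forward out-interface="My EoIP" protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS clamp for EoIP"

# --- Router B ---
# Address on its end of EoIP, a route back to A's LAN for the return path, NAT toward the internet on the
# WAN interface (assumed ether1), and a forward rule so the default firewall lets that traffic through.
/ip address add address=10.33.33.2/30 interface="My EoIP"
/ip route add dst-address=192.168.1.0/24 gateway=10.33.33.1
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 action=masquerade comment="Router A LAN to internet"
/ip firewall filter add chain=forward in-interface="My EoIP" src-address=192.168.1.0/24 out-interface=ether1 action=accept place-before=0 comment="Router A LAN to internet"
```

To check it, trace from a host in 192.168.1.0/24 and confirm the first hops are 10.33.33.2 and then Router B's provider, and run `/ip route print where routing-mark=via-routerB` on Router A: the gateway route should be active and the blackhole inactive while the tunnel is up, and the reverse once you disable the EoIP interface. The EoIP interface is used here as a point-to-point routed link, not bridged into either LAN, so the only traffic Router B receives from Router A is what Router A's mangle rule deliberately sends.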
