chuckiviper
just joined
Topic Author
Posts: 3
Joined: Mon May 22, 2023 4:47 am

Multiple Nat Clients in IPsec

Mon May 22, 2023 5:55 am

I'm trying to get a hub and spoke IPsec configuration going on the 4 sites. I want Berlin, Rome and Paris to each have an IPsec tunnel to London and allow all the internal traffic to talk to each other, such as 192.168.3.0/24 -> 192.168.4.0/24 via the London router. However, I'm running into the problem where only either Rome or Paris will have the SA installed. This is likely because they are both behind an ISP NAT (however, not the same NAT address). Berlin works fine because it has a static IP address.

Is this possible to do or will I need another static IP address?

I've made a mock network in GNS3 to simulate this.

London (Hub) and Berlin (Spoke), which has a static IP address.
Rome (Spoke) and Paris (Spoke) are NATed behind the Internet-Nat router:
Rome behind 100.100.100.200 and Paris behind 200.200.200.200.

London Configuration
London > export
# may/22/2023 14:26:33 by RouterOS 6.49.7
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-London nat-traversal=no
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-London-Nat
/ip ipsec peer
add address=2.2.2.1/32 exchange-mode=ike2 local-address=1.1.1.1 name=Peer-Berlin profile=Profile-London send-initial-contact=no
add exchange-mode=ike2 local-address=1.1.1.1 name=Peer-NAT passive=yes profile=Profile-London-Nat send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm name=Proposal-London pfs-group=ecp521
/ip address
add address=1.1.1.1/24 interface=ether1 network=1.1.1.0
add address=192.168.1.254/24 interface=ether2 network=192.168.1.0
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=digital-signature certificate=Berlin.crt match-by=certificate peer=Peer-Berlin remote-certificate=Berlin.crt
add auth-method=digital-signature certificate=Rome.crt match-by=certificate peer=Peer-NAT remote-certificate=Rome.crt
add auth-method=digital-signature certificate=Paris.crt match-by=certificate peer=Peer-NAT remote-certificate=Paris.crt
/ip ipsec policy
add dst-address=192.168.2.0/24 level=unique peer=Peer-Berlin proposal=Proposal-London src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-Berlin proposal=Proposal-London src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-Berlin proposal=Proposal-London src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=1.1.1.2
/system identity
set name=London

Berlin Configuration
Berlin > export
# may/22/2023 14:36:51 by RouterOS 6.49.7
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-Berlin nat-traversal=no
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 local-address=2.2.2.1 name=Peer-London profile=Profile-Berlin
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=4h name=Proposal-Berlin pfs-group=ecp521
/ip address
add address=2.2.2.1/24 interface=ether1 network=2.2.2.0
add address=192.168.2.254/24 interface=ether2 network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=digital-signature certificate=Berlin.crt match-by=certificate peer=Peer-London remote-certificate=Berlin.crt
/ip ipsec policy
add dst-address=192.168.1.0/24 level=unique peer=Peer-London proposal=Proposal-Berlin src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-London proposal=Proposal-Berlin src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-London proposal=Proposal-Berlin src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=2.2.2.2
/system identity
set name=Berlin

Rome Configuration
Rome > export
# may/22/2023 14:37:06 by RouterOS 6.49.7
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-Rome
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=Peer-London profile=Profile-Rome send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=4h name=Proposal-Rome pfs-group=ecp521
/ip address
add address=3.3.3.1/24 interface=ether1 network=3.3.3.0
add address=192.168.2.254/24 interface=ether2 network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=digital-signature certificate=Rome.crt match-by=certificate peer=Peer-London remote-certificate=Rome.crt
/ip ipsec policy
add dst-address=192.168.1.0/24 level=unique peer=Peer-London proposal=Proposal-Rome src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-London proposal=Proposal-Rome src-address=192.168.3.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=Peer-London proposal=Proposal-Rome src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=3.3.3.2
/system identity
set name=Rome

Paris Configuration
Paris > export
# may/22/2023 14:37:32 by RouterOS 6.49.7
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Profile-Paris
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=Peer-London profile=Profile-Paris send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=4h name=Proposal-Paris pfs-group=ecp521
/ip address
add address=4.4.4.1/24 interface=ether1 network=4.4.4.0
add address=192.168.3.254/24 interface=ether2 network=192.168.3.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=digital-signature certificate=Paris.crt match-by=certificate peer=Peer-London remote-certificate=Paris.crt
/ip ipsec policy
add dst-address=192.168.1.0/24 level=unique peer=Peer-London proposal=Proposal-Paris src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=Peer-London proposal=Proposal-Paris src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.3.0/24 level=unique peer=Peer-London proposal=Proposal-Paris src-address=192.168.4.0/24 tunnel=yes
/ip route
add distance=1 gateway=4.4.4.2
/system identity
set name=Paris

Internet Configuration
Internet > export
# may/22/2023 14:31:22 by RouterOS 6.49.7
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=1.1.1.2/24 interface=ether1 network=1.1.1.0
add address=2.2.2.2/24 interface=ether2 network=2.2.2.0
add address=100.100.100.100/24 interface=ether8 network=100.100.100.0
add address=200.200.200.100/24 interface=ether7 network=200.200.200.0
/ip dhcp-client
add disabled=no interface=ether1
/system identity
set name=Internet

Internet-Nat Configuration
Internet-Nat > export
# may/22/2023 14:30:43 by RouterOS 6.49.7
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=3.3.3.2/24 interface=ether3 network=3.3.3.0
add address=4.4.4.2/24 interface=ether4 network=4.4.4.0
add address=100.100.100.200/24 interface=ether8 network=100.100.100.0
add address=200.200.200.200/24 interface=ether7 network=200.200.200.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8
add action=masquerade chain=srcnat out-interface=ether7
/ip route
add distance=100 gateway=200.200.200.100 routing-mark=Phoebe-Routes
add distance=1 gateway=100.100.100.100
/ip route rule
add action=lookup-only-in-table src-address=4.4.4.1/32 table=Phoebe-Routes
/system identity
set name=Internet-Nat

Thanks in advance.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple Nat Clients in IPsec

Tue May 23, 2023 9:55 am

If one of the peers is behind a NAT, the way to go is to set the other peer to passive (i.e. responder-only) mode (passive=yes) and let it accept IKE connections from anywhere (address=0.0.0.0/0) - you've already done that.

If you weren't using certificates, you would also have to set my-id on the /ip ipsec identity row on each of the remote peers to a distinctive value rather than keeping it at auto, and set the remote-id on each identity row representing a particular remote peer accordingly. As you do use certificates, it is easier to just set match-by=certificate on the identity rows like you've already done, so the DN of the received certificate will be used to match the proper row.

Now, as on the passive peer (the hub) you cannot link a manually configured policy to a particular remote peer in this setup, because all the remote peers match the same /ip ipsec peer row, you have to set generate-policy on the identity row representing each "dynamic" remote peer to port-strict (or port-override). The passive peer will then create a policy and link it to the corresponding active-peer object dynamically, using a local policy template and the traffic selector(s) proposed by the initiator (the remote peer behind NAT). To avoid trouble caused by eventual misconfiguration of the initiators, it is a good idea to create a dedicated policy template group for each initiator at the hub, and put your current statically configured policies as templates into these groups. On each identity row, you have to set policy-template-group to the corresponding group name.

So something like

/ip ipsec policy group
add name=Rome
add name=Paris

/ip ipsec policy
add dst-address=192.168.3.0/24 group=Rome level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.1.0/24 template=yes tunnel=yes
add dst-address=192.168.3.0/24 group=Rome level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.2.0/24 template=yes tunnel=yes
add dst-address=192.168.3.0/24 group=Rome level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.4.0/24 template=yes tunnel=yes
add dst-address=192.168.4.0/24 group=Paris level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.1.0/24 template=yes tunnel=yes
add dst-address=192.168.4.0/24 group=Paris level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.2.0/24 template=yes tunnel=yes
add dst-address=192.168.4.0/24 group=Paris level=unique peer=Peer-NAT proposal=Proposal-London src-address=192.168.3.0/24 template=yes tunnel=yes
/ip ipsec identity
add auth-method=digital-signature certificate=Rome.crt generate-policy=port-strict match-by=certificate peer=Peer-NAT policy-template-group=Rome remote-certificate=Rome.crt
add auth-method=digital-signature certificate=Paris.crt generate-policy=port-strict match-by=certificate peer=Peer-NAT policy-template-group=Paris remote-certificate=Paris.crt
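As an added audit script (not part of sindy's reply or of any MikroTik documentation), the following RouterOS script checks, on whichever router it is run, the two things the advice above depends on: every identity bound to a passive (responder) peer must have generate-policy enabled, match-by=certificate and a non-empty policy template group, and any initiator peer should keep send-initial-contact=no so that one spoke cannot drop the others behind the same public IP. It assumes only the property names shown in the exports above and finishes by listing what the router actually installed.

```routeros
# Added example, not from the thread. Run on the hub to audit the responder
# side, or on a spoke to audit the initiator side; it walks every peer.
:foreach p in=[/ip ipsec peer find] do={
    :local pname [/ip ipsec peer get $p name]
    :if ([/ip ipsec peer get $p passive] = true) do={
        # Responder side: all spokes hit this one peer row, so each identity
        # must be able to build its own policy from its template group.
        :foreach id in=[/ip ipsec identity find peer=$pname] do={
            :local rcert [/ip ipsec identity get $id remote-certificate]
            :local gp [/ip ipsec identity get $id generate-policy]
            :local grp [/ip ipsec identity get $id policy-template-group]
            :local mb [/ip ipsec identity get $id match-by]
            :if ($gp = "no") do={
                :put "peer $pname identity $rcert has generate-policy=no; no dynamic policy will be created"
            }
            :if ($mb != "certificate") do={
                :put "peer $pname identity $rcert uses match-by=$mb; certificate DN is not used to select this row"
            }
            # A template group with no template policies means no SA gets installed.
            :if ([:len [/ip ipsec policy find template=yes group=$grp]] = 0) do={
                :put "peer $pname identity $rcert points at template group $grp which has no template policies"
            }
        }
    } else={
        # Initiator side: INITIAL_CONTACT tells the hub to drop every other
        # SA from the same source address, i.e. every other spoke behind the same NAT.
        :if ([/ip ipsec peer get $p send-initial-contact] = true) do={
            :put "peer $pname has send-initial-contact=yes; other spokes behind the same public IP would be dropped"
        }
    }
}
# What is actually established: expect one active peer and one dynamic
# policy per spoke on the hub after the template groups are in place.
/ip ipsec active-peers print
/ip ipsec policy print where dynamic=yes
```

Run it from /system script or paste it into a terminal; an empty output before the two print commands means none of the checks fired.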
 
chuckiviper
just joined
Topic Author
Posts: 3
Joined: Mon May 22, 2023 4:47 am

Re: Multiple Nat Clients in IPsec

Tue May 23, 2023 10:21 am

Thank you for explaining this very clearly. It works perfectly now.

I do have one more question, just to clarify: what should I have send-initial-contact set to on the hub and the spokes? From what I can understand from the manual, I should have it set to no on the hub and possibly yes on the spoke.

Cheers Chucki
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple Nat Clients in IPsec

Tue May 23, 2023 10:30 am

Reverse. Setting send-initial-contact to yes on a spoke would mean that each time that spoke would establish a new connection, the hub would drop all connections from other spokes connected from behind the same public IP. The meaning of the "initial contact" notification is "drop all previous connections from my IP address", and indeed nothing else but the source address of the connection is checked.
 
chuckiviper
just joined
Topic Author
Posts: 3
Joined: Mon May 22, 2023 4:47 am

Re: Multiple Nat Clients in IPsec

Tue May 23, 2023 10:37 am

Ah okay, that makes sense. Thank you for all your help.

Cheers Chucki
