I am struggling to understand IPSEC in Mikrotik. There is a wiki article but it is very incomplete. Does anybody know where can I find information HOW EXACTLY mikrotik uses each part of configuration (profile, proposal, policy, policy group, peer, identity etc.). I understand how IPSEC works, but I struggle to match parts of configuration to what they define and when they are exactly used, and what is relation between them. For instance what is a relation betwen policy group and other parts of configuration. which parts of configuratoin are defining the group to be used, and which parts of configuration is later matched by policy group.
For instance: which part of configuratioin is used during IKE_SA_INIT? There is a mismatch between common sense and mikrotik wiki. Common sense would be that proposal is used during this phase but wiki states "Phase 1 (...)This phase should match following settings: authentication method DH group encryption algorithm exchange mode hash alorithm NAT-T DPD and lifetime (optional)" and those parameters are defined in policy not in the proposal. WTF?
I would like information like: for instance: policy is used (at which stage)(for what) and mikrotik is trying to match xxxx with yyy from policy definition, if matches than yyyy otherwise zzz etc.
As far as I understand there are main phases of IPSEC like IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA.
Can anybody point me to a good description of those things or correct the below text generated by partly halucinating AI:
WARNING !!!!! THE BELOW TEXT MIGHT CONTAIN SERIOUS ERRORS AND MISUNDERSTANDINGS:
IKE_SA_INIT:
The router sends a packet with the initial SA proposal, including AES encryption and SHA-256 hashing algorithms, and a Diffie-Hellman group.
Initiator: Sends the initial packet containing the SA proposal, including encryption and hash algorithms, Diffie-Hellman group, and nonces.
Responder: Replies with its own SA proposal, including its chosen encryption and hash algorithms, Diffie-Hellman group, and nonces.
Packet Content: Contains the initial security association (SA) proposal, including encryption and hash algorithms, Diffie-Hellman group, and nonces.
Configuration match:
. PROBABLY WRONG!!! It is profile and NOT proposal. proposal settings in the router’s configuration: Encryption Algorithms, Authentication Algorithms, PFS Group. Lifetime not used now.?
. Encryption Algorithms: Used to establish the initial secure channel.
. Authentication Algorithms: Used to ensure the integrity and authenticity of the initial messages.
. PFS Group: Specifies the Diffie-Hellman group for the key exchange to generate the shared secret.
. Are peers and identities used at this stage?
IKE_AUTH:
The router sends a packet with the Diffie-Hellman public value, authentication data (e.g., a pre-shared key), and identity information.
o Initiator: Sends a packet with the Diffie-Hellman public value, authentication data, and identity information.
o Responder: Replies with its own Diffie-Hellman public value, authentication data, and identity information.
o Packet Content: Contains the Diffie-Hellman public value, authentication data, and identity information.
o Configuration Match:
1. Identity: Used to authenticate the peers (pre-shared key or certificates).
Is this true?: Identiy contains policy goup name which will be remembered by the router and later used to select proper encryption policy.
2. Peers? In summary, peers are configured first to establish the connection parameters, followed by identities to authenticate the connection. Both are crucial in Phase 1 of the IPsec packet flow, ensuring a secure and authenticated channel for data transmission.
3. Mode Config: If used, this can include configuration parameters like IP addresses assigned to the client.
4. Proposal again? Is it consulted at this stage? Or the option taken from proposal are just used by existing packet exchange?
1. Authentication Algorithms: Used again to authenticate the peers and ensure the integrity of the messages.
2. Encryption Algorithms: Used to secure the communication channel for the exchange of identity and authentication data.
3. Lifetime: Specifies the duration for which the IKE SA is valid.
CREATE_CHILD_SA:
The router sends a packet with the IPsec SA proposal, including AES encryption and SHA-256 hashing algorithms, and traffic selectors.
o Initiator: Sends a packet with the proposal for the IPsec SA, including encryption and authentication algorithms, and traffic selectors.
o Responder: Replies with its own proposal for the IPsec SA, including its chosen encryption and authentication algorithms, and traffic selectors.
o Configuration Match:
1. Proposal: Defines the encryption and authentication algorithms for the IPsec SA.
2. Policy: Specifies the traffic selectors (source and destination addresses, protocols, and ports).
3. Policy Group Consultation: At this stage, the router consults the policy group to determine which policies apply to the traffic selectors being proposed. The policy group helps in identifying the relevant policies that define the source and destination addresses, protocols, and ports that should be encrypted.
4. Traffic Selector Exchange: The router sends a packet with the traffic selectors, specifying the source and destination addresses and protocols.
o Initiator: Sends a packet with the traffic selectors that define which traffic will be protected by the IPsec SA.
o Responder: Replies with its own traffic selectors, confirming the traffic to be protected.
o Configuration Match:
1. Policy: Matches the traffic selectors defined in the policy configuration.
2. Policy Group Consultation: Again, the router consults the policy group to ensure that the traffic selectors match the policies defined within the group. This ensures that the correct traffic is selected for encryption based on the policies grouped together.