arisk
just joined
Topic Author
Posts: 19
Joined: Wed Aug 01, 2018 12:56 pm

IPsec - set multiple mobile users

Mon Apr 01, 2019 12:47 pm

Hello there!
I'm trying to set 3 mobile users through IPsec VPN.
The strange thing is, that my configuration works like a charm, but only for one peer.
To explain further, in the "Peers" tab, the 1st peer is reachable while the 2nd and 3rd are unreachable. If I disable the 1st peer, the 2nd one is reachable while the 3rd is unreachable. If I disable the 1st and the 2nd peer, the 3rd peer is now reachable.
To give one more clue, I've set up two identities for the 1st peer. They connect simultaneously with no problems. So, simultaneous identities work fine - simultaneous peers seem to be the problem.
I'm confused, any ideas?
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxx" xauth-login=\
    xxxxxxx xauth-password="xxxxxxxxx"
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxxx" xauth-login=\
    xxxxxxx xauth-password=xxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=PapatheodorouVPN.peer \
    policy-template-group=PapatheodorouVPN secret="xxxxxxxxxx" xauth-login=\
    xxxxxxxxxx xauth-password="xxxxxxxxxxxx"
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.KampaniVPN.mobile peer=KampaniVPN.peer policy-template-group=\
    KampaniVPN secret="xxxxxxxxxx" xauth-login=xxxxxxxxxx xauth-password=\
    xxxxxxxxxxx
/ip ipsec policy
add dst-address=30.30.30.0/24 group=remoteAdminVPN proposal=\
    remoteAdminVPN.proposal src-address=192.168.0.0/24 template=yes
add dst-address=40.40.40.0/24 group=PapatheodorouVPN proposal=\
    PapatheodorouVPN.proposal src-address=192.168.0.0/24 template=yes
add dst-address=40.40.40.0/24 group=KampaniVPN proposal=KampaniVPN.proposal \
    src-address=192.168.0.0/24 template=yes
 
emils
MikroTik Support
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: IPsec - set multiple mobile users

Mon Apr 01, 2019 1:00 pm

You are missing the IPsec peer export. Also you can not have two peers with the same "address" and "exchange-mode" parameters. That is why there are Identities. You assign different authentication methods for the same peer configuration.
 
arisk
just joined
Topic Author
Posts: 19
Joined: Wed Aug 01, 2018 12:56 pm

Re: IPsec - set multiple mobile users

Mon Apr 01, 2019 6:28 pm

I'm sorry! Here are the missing parts:
/ip ipsec policy group
add name=remoteAdminVPN
add name=PapatheodorouVPN
add name=KampaniVPN

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteAdminVPN.profile
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=PapatheodotouVPN.profile
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=KampaniVPN.profile

/ip ipsec peer
add name=KampaniVPN.peer passive=yes profile=KampaniVPN.profile
# This entry is unreachable
add name=PapatheodorouVPN.peer passive=yes profile=PapatheodotouVPN.profile
# This entry is unreachable
add name=remoteAdminVPN.peer passive=yes profile=remoteAdminVPN.profile

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteAdminVPN.proposal pfs-group=modp2048
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    PapatheodorouVPN.proposal pfs-group=modp2048
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    KampaniVPN.proposal pfs-group=modp2048

I'll try implementing another approach using your tip and I'll post back.
 
arisk
just joined
Topic Author
Posts: 19
Joined: Wed Aug 01, 2018 12:56 pm

Re: IPsec - set multiple mobile users

Mon Apr 01, 2019 7:47 pm

So, here I made only 2 peers: remoteUserVPN.peer and remoteAdminVPN.peer. Each one with two identities.
One peer uses DHCP for its identities. The other one uses static IP addresses, because I wanted to make different use of "split include" for each identity.
Again, the first peer is reachable, the second peer is unreachable. If I disable the first peer, the second one becomes reachable.
Any thoughts please?
/ip ipsec mode-config
add address=20.200.200.201 name=IPsec.PapatheodorouVPN.mobile split-include=\
    192.168.0.200/32,192.168.0.159/32 system-dns=no
add address=20.200.200.200 name=IPsec.KampaniVPN.mobile split-include=\
    192.168.0.200/32 system-dns=no
    
    /ip ipsec mode-config
add address-pool=pool.ADMIN.vpn name=IPsec.remoteAdminVPN.mobile \
    split-include=192.168.0.0/24 system-dns=no

/ip ipsec policy group
add name=remoteAdminVPN
add name=remoteUserVPN

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteAdminVPN.profile
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteUserVPN.profile

/ip ipsec peer
add name=remoteUserVPN.peer passive=yes profile=remoteUserVPN.profile
# This entry is unreachable
add name=remoteAdminVPN.peer passive=yes profile=remoteAdminVPN.profile

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteAdminVPN.proposal pfs-group=modp2048
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteUserVPN.proposal pfs-group=modp2048


/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxxxx" xauth-login=\
    aristeidis xauth-password="xxxxxxxxxxxx"
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxxx" xauth-login=\
    corebit xauth-password=xxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN secret="xxxxxxxxxxx" xauth-login=\
    i.kampani xauth-password=xxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN secret="xxxxxxxxxxx" xauth-login=\
    j.papatheodorou xauth-password="xxxxxxxxxxx"

/ip ipsec policy
add dst-address=10.100.100.0/24 group=remoteAdminVPN proposal=\
    remoteAdminVPN.proposal src-address=192.168.0.0/24 template=yes
add dst-address=20.200.200.0/24 group=remoteUserVPN proposal=\
    remoteUserVPN.proposal src-address=192.168.0.0/24 template=yes
 
emils
MikroTik Support
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: IPsec - set multiple mobile users  [SOLVED]

Tue Apr 02, 2019 8:33 am

Again - you CAN NOT have two identical IPsec peers. Simply assign all the identities to a single peer and remove the duplicate.
 
arisk
just joined
Topic Author
Posts: 19
Joined: Wed Aug 01, 2018 12:56 pm

Re: IPsec - set multiple mobile users

Tue Apr 02, 2019 4:06 pm

Emils, it worked thanks to your advice.
Finally, I created one peer with four identities. One common proposal, one profile, one policy. I just used different mode configs to implement access restrictions.
Thank you very much!

For anyone who is interested, I leave the configuration below:

/ip ipsec policy group
add name=remoteUserVPN

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteUserVPN.profile

/ip ipsec peer
add name=remoteUserVPN.peer passive=yes profile=remoteUserVPN.profile

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteUserVPN.proposal pfs-group=modp2048

/ip ipsec mode-config
add address-pool=pool.ADMIN.vpn name=IPsec.remoteAdminVPN.mobile \
    split-include=192.168.0.0/24 system-dns=no
add address-pool=pool.EMPLOYEES.vpn name=IPsec.PapatheodorouVPN.mobile \
    split-include=192.168.0.200/32,192.168.0.159/32 system-dns=no
add address-pool=pool.EMPLOYEES.vpn name=IPsec.KampaniVPN.mobile \
    split-include=192.168.0.200/32 system-dns=no

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN xauth-login=xxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN xauth-login=xxxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.KampaniVPN.mobile peer=remoteUserVPN.peer policy-template-group=\
    remoteUserVPN xauth-login=xxxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN xauth-login=xxxxxxxxxxxxxx

/ip ipsec policy
add dst-address=10.100.100.0/24 group=remoteUserVPN proposal=\
    remoteUserVPN.proposal src-address=192.168.0.0/24 template=yes
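As an added check (not code from this thread or from MikroTik), the script below parses a RouterOS export the way it is pasted in the posts above and flags peers that collide on the "address" and "exchange-mode" pair emils describes, which is exactly the layout the working configuration above avoids by putting every identity on one peer. The sample export is constructed for the example, and the defaults assumed for parameters that "export" omits (no address means "any", exchange-mode defaults to main) are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample export reproducing the two-peer layout from the earlier
# post: both peers are passive, have no address and use the default exchange mode.
SAMPLE_EXPORT = """\
/ip ipsec peer
add name=remoteUserVPN.peer passive=yes profile=remoteUserVPN.profile
# This entry is unreachable
add name=remoteAdminVPN.peer passive=yes profile=remoteAdminVPN.profile
/ip ipsec identity
add auth-method=pre-shared-key-xauth peer=remoteUserVPN.peer \\
    xauth-login=user1
"""

# Assumed values for parameters an export leaves out: an address-less passive
# peer answers any initiator, and exchange-mode falls back to main.
PEER_DEFAULTS = {"address": "any", "exchange-mode": "main"}


def join_continuations(text):
    """Merge export lines that end in a backslash into one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_section(text, section):
    """Return a key=value dict for every 'add' line under the given menu path."""
    entries, current = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line
        elif current == section and line.startswith("add "):
            entries.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return entries


def duplicate_peers(text):
    """Group peers by (address, exchange-mode); any group with >1 name collides."""
    groups = defaultdict(list)
    for peer in parse_section(text, "/ip ipsec peer"):
        key = tuple(peer.get(k, d) for k, d in PEER_DEFAULTS.items())
        groups[key].append(peer.get("name", "?"))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Run it against a real `/export` to confirm that only one peer remains per address/exchange-mode pair before adding identities.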
 
ZupoLlask
just joined
Posts: 11
Joined: Mon Jan 26, 2015 1:26 pm

Re: IPsec - set multiple mobile users

Wed Oct 13, 2021 2:48 pm

I'll reuse this topic, as it's exactly my use case, but I want to clarify one detail that may be useful to other users with the same use case.

@emils, is this kind of configuration supposed to work if we create multiple identities for the same peer with different secrets using PSK (not PSK XAuth) as authentication method?

Thanks.
