ski1123
just joined
Topic Author
Posts: 3
Joined: Sat Apr 11, 2020 10:47 pm

Mikrotik vpn with ikev1 set up

Sat Apr 11, 2020 10:51 pm

I am new to MikroTik and having issues setting up a VPN on a MikroTik to an unknown equipment manufacturer. They sent me the configs for it, but I am having issues finding where in WinBox to actually use and set those configs. I have gone through the tutorial and not much is making sense at the moment. Any quick, easy setup guides out there?
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Mikrotik vpn with ikev1 set up

Sat Apr 11, 2020 11:18 pm

Any quick easy set up guide for a generic IKEv1 setup? Good luck finding one! IKEv1 is so versatile it's impossible to write a guide that would cover all and every case possible. Once you know how IPsec works, it becomes pretty straightforward to configure an arbitrary tunnel. But you need to spend literally months to learn and understand how the damn thing works.

Anyways, I'd suggest you post all the details/requirements you have. This way you may find someone here who will be willing to help you with your specific configuration.
 
ski1123
just joined
Topic Author
Posts: 3
Joined: Sat Apr 11, 2020 10:47 pm

Re: Mikrotik vpn with ikev1 set up

Sun Apr 12, 2020 1:02 am

Thanks,
I am setting up a laptop that needs to connect via VPN to a system running the server side of the software package. I bought a MikroTik to set up the VPN. The only config given to me is as follows, minus confidential information:

IKE Version 1
WAN IP x.x.x.x
Main Mode
Any peer
Pre-shared key XXXXXXXXX

Phase 1
AES128 SHA256
DH Group 5,14
Key life 86400

Phase 2
AES128 SHA256
DH Group 5,14
Key life 43200
Remote network x.x.x.x/32

After setting up the VPN, the IT guy from the distant end is supposed to configure the software on the laptop to connect. No other details were given, and it seems as I go through the wiki it asks for more information than given, and I'm not sure if this is set up under IPsec or PPTP?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik vpn with ikev1 set up

Sun Apr 12, 2020 1:32 am

I would advise you to take a look at this site-to-site IPsec tunnel... Make the first steps and come here with questions...
https://wiki.mikrotik.com/wiki/Manual:I ... n_Examples
 
ski1123
just joined
Topic Author
Posts: 3
Joined: Sat Apr 11, 2020 10:47 pm

Re: Mikrotik vpn with ikev1 set up

Sun Apr 12, 2020 3:36 am

I have been all through the wiki and tried a few of the different examples and haven't been able to get it to work, which is why I am asking here. Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik vpn with ikev1 set up

Sun Apr 12, 2020 9:15 am

as I go through the wiki it asks for more information than given and not sure if this is set up under ipsec or pptp?
Only IPsec. Nothing related to PPTP in the values given, so if they eventually explicitly asked for PPTP over IPsec, they have to provide username and password for the PPTP part. But it would be a surprise so I assume no one has mentioned PPTP.

The translation of the parameters you got from them is as follows:

Phase 1 - /ip ipsec profile add name=phase1-companyX - this is a profile item to which an /ip ipsec peer item refers, so it is best to create it before the peer
AES128 SHA256 - /ip ipsec profile set phase1-companyX enc-algorithm=aes-128 hash-algorithm=sha256
DH Group 5,14 - /ip ipsec profile set phase1-companyX dh-group=modp1536,modp2048 - uncle Google helps here to understand what the pythic group numbers really mean
Key life 86400 - /ip ipsec profile set phase1-companyX lifetime=1d
So in a single step (or when ticking choices in Winbox/WebFig):
/ip ipsec profile add name=phase1-companyX enc-algorithm=aes-128 hash-algorithm=sha256 dh-group=modp1536,modp2048 lifetime=1d

Phase 2 - /ip ipsec proposal add name=phase2-companyX - this is a profile item to which an /ip ipsec policy item refers, so it is best to create it before the policy
AES128 SHA256 - /ip ipsec proposal set phase2-companyX enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm auth-algorithms=sha256
DH Group 5,14 - /ip ipsec proposal set phase2-companyX pfs-group=modp2048 (here MikroTik allows you to choose only one, so we take the stronger one)
Key life 43200 - /ip ipsec proposal set phase2-companyX lifetime=12h
So in a single step (or when ticking choices in Winbox/WebFig):
/ip ipsec proposal add name=phase2-companyX enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm auth-algorithms=sha256 pfs-group=modp2048 lifetime=12h

IKE Version 1 - this is expressed implicitly by the /ip ipsec peer exchange-mode being set to any of (main, aggressive, base)
WAN IP x.x.x.x - /ip ipsec peer add name=peer-companyX profile=phase1-companyX address=x.x.x.x
Main Mode - /ip ipsec peer set peer-companyX exchange-mode=main
Any peer - no idea what they mean
So in a single step (or when ticking choices in Winbox/WebFig):
/ip ipsec peer add name=peer-companyX profile=phase1-companyX address=x.x.x.x exchange-mode=main

Pre-shared key XXXXXXXXX - /ip ipsec identity add peer=peer-companyX secret=XXXXXXXXX

Remote network y.y.y.y/32 (I've changed your original x.x.x.x to y.y.y.y here because it most likely differs from the WAN IP x.x.x.x in the peer settings).

This one needs more data because it depends on the network topology at your end and the network topology at their end.

An /ip ipsec policy item includes a so-called traffic selector which defines a single local subnet and a single remote subnet to be interconnected using that policy (both may be as small as a single address). However, if one of these is a private (RFC1918) subnet, you never know whether it is not used at the opposite end for another purpose, so activating such policy can cause trouble on the opposite end as it steals the traffic between the subnets there, because an active policy always wins over regular routing (and even if it doesn't, if two policies at one end have at least partially overlapping local subnets and at least partially overlapping remote subnets, there is also a conflict). So unless you own a public IP you can assign to your laptop for that purpose (which should be globally unique and thus not conflict with anything), you have to agree with them whether the private IP you choose doesn't conflict with one in their network; also, check whether the y.y.y.y/32 they gave you as the remote network at their end doesn't conflict with a private IP in your own network which the laptop needs to talk to.

No idea where else the laptop is going to be connected except to the Mikrotik, but the Mikrotik must have a route to the laptop's IP or they must share a subnet, and the laptop must have a route via the Mikrotik to the "remote network" (y.y.y.y) provided by that company. So in the simplest case, the Mikrotik will have a LAN interface with an IP address and a DHCP server providing a default gateway, and the laptop will be connected as a DHCP client to this Mikrotik's LAN and nowhere else. This will allow you to freely choose the IP subnet between the two as a non-conflicting one with that company's network and create a static lease for the laptop for address L.L.L.L (local). If so, the /ip ipsec policy item will look as follows:

/ip ipsec policy add peer=peer-companyX src-address=L.L.L.L/32 dst-address=y.y.y.y/32 proposal=phase2-companyX tunnel=yes
Last edited by sindy on Sun Apr 12, 2020 7:16 pm, edited 2 times in total.
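The translation sindy lays out above, written up as a small generator so the mapping (profile, proposal, peer, identity, policy, in dependency order) can be reused and checked. This is an added example, not code from the thread or from MikroTik; the sheet values are the ones from the thread, with constructed placeholders (203.0.113.10, 198.51.100.7, the PSK, the laptop address 192.168.88.10) for what was redacted, and the algorithm and DH-group tables cover only the values this thread uses.

```python
"""Vendor IKEv1 sheet -> RouterOS IPsec commands (profile, proposal, peer, identity, policy)."""

# IANA DH group numbers -> RouterOS modp names (only the groups seen in this thread)
DH = {2: "modp1024", 5: "modp1536", 14: "modp2048"}
ENC1 = {"AES128": "aes-128", "AES256": "aes-256"}            # phase 1: enc-algorithm
ENC2 = {"AES128": "aes-128-cbc,aes-128-ctr,aes-128-gcm",    # phase 2: enc-algorithms
        "AES256": "aes-256-cbc,aes-256-ctr,aes-256-gcm"}
HASH = {"SHA1": "sha1", "SHA256": "sha256"}

def lifetime(seconds):
    """Seconds -> RouterOS duration: 86400 -> '1d', 43200 -> '12h', 5400 -> '1h30m'."""
    out = ""
    for size, suffix in ((86400, "d"), (3600, "h"), (60, "m"), (1, "s")):
        n, seconds = divmod(seconds, size)
        out += f"{n}{suffix}" if n else ""
    return out or "0s"

def routeros_commands(sheet, tag, local_host):
    """Build the five commands in dependency order; unknown table values raise KeyError."""
    if sheet["ike_version"] != 1:
        raise ValueError("mapping covers IKEv1 only (exchange-mode main/aggressive)")
    p1_dh = ",".join(DH[g] for g in sheet["p1_dh"])
    pfs = DH[max(sheet["p2_dh"])]      # pfs-group takes a single value: use the strongest
    return [
        f"/ip ipsec profile add name=phase1-{tag} enc-algorithm={ENC1[sheet['p1_enc']]} "
        f"hash-algorithm={HASH[sheet['p1_hash']]} dh-group={p1_dh} lifetime={lifetime(sheet['p1_life'])}",
        f"/ip ipsec proposal add name=phase2-{tag} enc-algorithms={ENC2[sheet['p2_enc']]} "
        f"auth-algorithms={HASH[sheet['p2_hash']]} pfs-group={pfs} lifetime={lifetime(sheet['p2_life'])}",
        f"/ip ipsec peer add name=peer-{tag} profile=phase1-{tag} address={sheet['wan_ip']} "
        f"exchange-mode={sheet['mode']}",
        f"/ip ipsec identity add peer=peer-{tag} secret={sheet['psk']}",
        f"/ip ipsec policy add peer=peer-{tag} src-address={local_host}/32 "
        f"dst-address={sheet['remote_net']} proposal=phase2-{tag} tunnel=yes",
    ]

# The sheet from the thread; redacted values replaced by constructed placeholders.
SHEET = dict(ike_version=1, wan_ip="203.0.113.10", mode="main", psk="CHANGE-ME-PSK",
             p1_enc="AES128", p1_hash="SHA256", p1_dh=[5, 14], p1_life=86400,
             p2_enc="AES128", p2_hash="SHA256", p2_dh=[5, 14], p2_life=43200,
             remote_net="198.51.100.7/32")

if __name__ == "__main__":
    print("\n".join(routeros_commands(SHEET, "companyX", "192.168.88.10")))
```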
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik vpn with ikev1 set up

Sun Apr 12, 2020 7:04 pm

Always a nice explanation from @sindy when it comes to VPN Tunnels... :o
 
mariuskf
just joined
Posts: 4
Joined: Fri Jul 10, 2020 1:49 am

Re: Mikrotik vpn with ikev1 set up

Fri Jul 10, 2020 3:06 am

Thanks @sindy I took much advantage of your great explanation. Sorry I use google translator. Regarding the possibility of overlapping that you describe, I am presented with a case where I have two subnets 172.16.1.0/24 and 172.16.2.0/24 on my side that overlap others that are being used for another purpose on the other side of the vpn tunnel. So they ask me to do a nat to 10.10.10.0/24 before vpn. Doing some research I was thinking of doing a NAT with action = "netmap" but can I do nat of only one of my subnets? Or can I do it for the two subnets and the mikrotik is in charge of differentiating the traffic? If that is not possible could I do something with action = "same"? What would the commands be like? Thank you very much to anyone who can make suggestions.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik vpn with ikev1 set up

Sat Jul 11, 2020 11:55 am

First, you cannot do a 1:1 NAT between two /24 on one side and a single /24 on the other side. So you'll need one more alias subnet like the 10.10.10.0/24.
Second, there is no magic about netmap, just bear in mind you must use it in both chain=srcnat and chain=dstnat to obtain full transparency between the subnets, i.e. so that clients at one end of the VPN tunnel can initiate connections to servers at the other end and vice versa. If there is no need for full transparency and all the clients are at your end, there is no need for netmap and you can use plain src-nat at your side, hiding both subnets behind a single address.
Third, the rule's action only takes place if the packet matches all the match conditions, so you can netmap each subnet selectively, and only if the remote end of the connection is in some subnet reachable via the VPN:

/ip firewall nat
add chain=srcnat src-address=172.16.1.0/24 dst-address-list=remote-vpn-subnets action=netmap to-addresses=10.10.10.0/24
add chain=srcnat src-address=172.16.2.0/24 dst-address-list=remote-vpn-subnets action=netmap to-addresses=10.10.33.0/24
add chain=dstnat dst-address=10.10.10.0/24 src-address-list=remote-vpn-subnets action=netmap to-addresses=172.16.1.0/24
add chain=dstnat dst-address=10.10.33.0/24 src-address-list=remote-vpn-subnets action=netmap to-addresses=172.16.2.0/24

I intentionally refer to src-address-list/dst-address-list rather than in-interface/out-interface because we talk about bare IPsec here. The rules above have to be at proper positions in their respective chains so that they wouldn't be shadowed by some more generic ones.
 
mariuskf
just joined
Posts: 4
Joined: Fri Jul 10, 2020 1:49 am

Re: Mikrotik vpn with ikev1 set up

Mon Jul 13, 2020 1:42 am

I understand clearly. I need full transparency between the subnets on each side of the tunnel, so the listed commands are exactly what I need. And I will have to ask the other party for another subnet to do the netmap with each one.
Your help is invaluable, thank you very much.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik vpn with ikev1 set up

Mon Jul 13, 2020 10:59 am

I understand clearly. I need full transparency between the subnets on each side of the tunnel, so the listed commands are exactly what I need. And I will have to ask the other party for another subnet to do the netmap with each one. Your help is invaluable, thank you very much.
What I did not write initially is that the netmap settings above only allow the remote side to talk with your 172.16.1.0/24 and 172.16.2.0/24. But if your side needs to talk to 172.16.1.0/24 and 172.16.2.0/24 on their side, another set of netmap rules must be used, in addition to those already shown, to assign some aliases to the remote 172.16.1.0/24 and 172.16.2.0/24 that do not conflict with anything at your end. It can be done at your end, but it is much more complex than if it is done at the remote one, because dst-nat is only done when the packet enters the router, and src-nat is only done when the packet leaves the router. So you have to use policy routing (which has nothing to do with IPsec policies) to prevent packets from your LAN from being routed back to the LAN after getting dst-nated to 172.16.[12].0/24 immediately when entering the router, and the IPsec policies must be restricted to particular remote destinations, otherwise your local traffic may be stolen by the policies.
 
mariuskf
just joined
Posts: 4
Joined: Fri Jul 10, 2020 1:49 am

Re: Mikrotik vpn with ikev1 set up

Wed Jul 15, 2020 1:07 am

Fortunately, my side doesn't need to talk to 172.16.1.0/24 and 172.16.2.0/24 on their side. Anyway thanks for the warning and the explanation!
Returning to the operation of the case presented, with netmap in both srcnat and dstnat, just a clarification to see if I understood correctly how it would work. A host on my side, ex. 172.16.1.5, can talk to a remote host by pointing to their ip, ex. 192.168.1.22, now the remote host to respond must do so to the netmapped ip, ex. 10.10.10.5, isn't it?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik vpn with ikev1 set up

Wed Jul 15, 2020 1:16 am

A host on my side, ex. 172.16.1.5, can talk to a remote host by pointing to their ip, ex. 192.168.1.22, now the remote host to respond must do so to the netmapped ip, ex. 10.10.10.5, isn't it?
Yes, but in this scenario (the host on your side is an initiator/client and the host on the remote side is the responder/server), the action=netmap rule in chain=srcnat at your side will make sure that the responder/sender will see the request as coming from the 10.10.10.5. So the remote host just doesn't know anything about the 172.16.1.5 at your side, it can only see the 10.10.10.5.

I don't know whether you are aware of how NAT works: the src-nat and dst-nat chains of the NAT table are only consulted for the very first packet of each connection, and if a rule in the respective table matches and orders a NAT action, the required handling (src-nat, dst-nat or both) is noted down in the context associated with that tracked connection, so all subsequent packets belonging to that connection are handled the same (or mirrored, depending on their direction) way. So responses to src-nated requests are "un-src-nated" automatically.
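A constructed model of what the srcnat/dstnat netmap pair from sindy's earlier rules does to one connection, covering the 172.16.1.5 -> 192.168.1.22 question answered just above. This is an added example, not code from the thread or from RouterOS; the content of the remote-vpn-subnets address list (192.168.1.0/24) is an assumption, and the size and overlap checks are what the "1:1 NAT between two /24 and one /24" point and the alias-conflict warning amount to.

```python
"""Model the srcnat/dstnat netmap pair and what each side sees for one connection."""
import ipaddress as ip

# Alias pairs from the rules above: local subnet -> alias the remote side sees
NETMAP = {"172.16.1.0/24": "10.10.10.0/24", "172.16.2.0/24": "10.10.33.0/24"}
REMOTE_VPN_SUBNETS = ["192.168.1.0/24"]   # assumed content of the remote-vpn-subnets list

def check_aliases(netmap, remote_subnets):
    """1:1 netmap needs equal-size subnets, and an alias must not overlap the remote side."""
    for local, alias in netmap.items():
        l, a = ip.ip_network(local), ip.ip_network(alias)
        if l.prefixlen != a.prefixlen:
            raise ValueError(f"{local} -> {alias}: netmap is 1:1, subnet sizes must match")
        for r in map(ip.ip_network, remote_subnets):
            if a.overlaps(r):
                raise ValueError(f"alias {alias} overlaps remote subnet {r}")
    return True

def translate(addr, from_net, to_net):
    """Keep the host bits of addr, swap the network bits: what action=netmap does."""
    from_net, to_net = ip.ip_network(from_net), ip.ip_network(to_net)
    host_bits = int(ip.ip_address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + host_bits)

def in_list(addr, subnets):
    return any(ip.ip_address(addr) in ip.ip_network(s) for s in subnets)

def outbound(src, dst, netmap=NETMAP, remote=REMOTE_VPN_SUBNETS):
    """chain=srcnat: local host -> remote host; returns (src, dst) as sent into the tunnel."""
    for local, alias in netmap.items():
        if in_list(dst, remote) and in_list(src, [local]):
            return translate(src, local, alias), dst
    return src, dst          # no rule matched (e.g. local-to-local traffic): untouched

def inbound(src, dst, netmap=NETMAP, remote=REMOTE_VPN_SUBNETS):
    """chain=dstnat: remote host -> alias address; returns (src, dst) as delivered locally.
    Replies to an outbound connection are un-src-nated by connection tracking without
    consulting this chain, but the resulting addresses are the same."""
    for local, alias in netmap.items():
        if in_list(src, remote) and in_list(dst, [alias]):
            return src, translate(dst, alias, local)
    return src, dst

if __name__ == "__main__":
    check_aliases(NETMAP, REMOTE_VPN_SUBNETS)
    print(outbound("172.16.1.5", "192.168.1.22"))   # the request as the remote host sees it
    print(inbound("192.168.1.22", "10.10.10.5"))    # the reply as 172.16.1.5 receives it
```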
 
mariuskf
just joined
Posts: 4
Joined: Fri Jul 10, 2020 1:49 am

Re: Mikrotik vpn with ikev1 set up

Wed Jul 15, 2020 3:01 am

Okay. These are not tasks that I usually do, so I wanted to confirm if I understood. Thank you very much again!
 
emanuelp
just joined
Posts: 2
Joined: Wed May 25, 2022 4:11 pm

Re: Mikrotik vpn with ikev1 set up

Wed May 25, 2022 4:26 pm

Hello,

I had to set up the same type of VPN and I also need to NAT the local IPs to a 10.x.x.x class because our local IPs are already in use. I only need to NAT 5 IP addresses, not the whole subnet (to give access to the respective PCs only).
We've got the tunnel working however the other side cannot ping any of the NATed IPs. I created 10 different NAT rules, for each local IP declaring a srcnat and dstnat rule. My question is: what do I add in the "dst-address-list=remote-vpn-subnets" field you mentioned above? Can I put something like dst-address-list=192.a.a.a/29? (where 192.a.a.a/29 is the list of IPs that will access the NATed ones)
I also created a NAT rule on the srcnat chain with the action "accept" for the src-address = 10.x.x.x with dst-address=192.a.a.a/29.
When I created the IPsec policies I used as src-addresses the NAT-ed ones and as dst-addresses (10.x.x.x) the remote subnet (92.a.a.a/29). Is this OK?

Later edit: there is also a L2TP VPN connection defined on the router and when I am connected remotely to this L2TP I can ping the NAT-ed IPs 10.x.x.x - could this have an impact?

Thank you!
Last edited by emanuelp on Wed May 25, 2022 8:05 pm, edited 3 times in total.
