
IPSEC Site to Site between Mikrotiks with GRE and Firewall

Tue Mar 21, 2023 2:12 am

Hi

So I've been working in my lab on configuring a site-to-site IKEv2 VPN with GRE between two MikroTiks, where both peers have static IPs, so no dynamic policies either. I also wanted basic NAT router and firewall rules to be in place.
I had to adapt the example from the documentation a bit, and everything seems to work just fine. What I was mostly curious about is whether I really need routes like the following for the underlying IPSEC policy/tunnel to work, or whether I've done something wrong:
/ip route
add disabled=no distance=1 dst-address=192.168.99.1/32 gateway=loopback \
    pref-src=192.168.36.30 routing-table=main scope=30 suppress-hw-offload=no \
With policy templates and dynamically created policies, you don't need routes like this; they seem to be created dynamically as well...

The topology is three routers: LAB35RT14 <-> "Fake Internet router" <-> LAB36RT14.
LAB35RT14 and LAB36RT14 are the IPSEC/GRE peers, and the Fake Internet router is just a CHR that routes between the two, so that I can simulate and sniff traffic as if I were some stranger on the internet.

ether1 and ether2 are LAN networks on both routers, and ether3 connects to the "Fake Internet Router", which links the two routers.

LAB35RT14 config:
# mar/20/2023 23:52:20 by RouterOS 7.8
# software id = 
#
# LAB35RT14: IKEv2 site-to-site peer of LAB36RT14 (192.168.37.34). The IPsec
# policy below protects only the GRE endpoint pair 192.168.99.1/32 <->
# 192.168.99.2/32, so everything routed into GRE-LAB36 travels encrypted.
/interface bridge
# portless bridge used as a loopback interface for the GRE endpoint address
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
/interface gre
# GRE outer addresses are the two loopback /32s covered by the IPsec policy
add local-address=192.168.99.1 name=GRE-LAB36 remote-address=192.168.99.2
/interface wireless security-profiles
# default export entry; no wireless interface is configured here
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# IKEv2 phase 1: AES-256 / SHA-512 / DH modp8192; NAT-T is off because both
# peers are reached at static addresses (see /ip ipsec peer)
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=LAB36 \
    nat-traversal=no prf-algorithm=sha512 proposal-check=strict
/ip ipsec peer
# single static peer, IKEv2 only
add address=192.168.37.34/32 exchange-mode=ike2 name=LAB36 profile=LAB36
/ip ipsec proposal
# default proposal disabled so only AES-256-CBC / SHA-512 with PFS modp8192
# can be negotiated for the child SA
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=LAB36 pfs-group=\
    modp8192
/port
set 0 name=serial0
set 1 name=serial1
/ip address
# LAN 1 on ether1
add address=192.168.35.14/28 interface=ether1 network=192.168.35.0
# LAN 2 on ether2
add address=192.168.35.30/28 interface=ether2 network=192.168.35.16
# towards the "fake Internet" router
add address=192.168.37.18/28 interface=ether3 network=192.168.37.16
# local GRE / IPsec endpoint
add address=192.168.99.1 interface=loopback network=192.168.99.1
# inner point-to-point address of the GRE tunnel
add address=10.0.0.1/30 interface=GRE-LAB36 network=10.0.0.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related
# local LANs may reach the router
add action=accept chain=input in-interface=ether1 src-address=192.168.35.0/28
# remote LANs may reach the router only when arriving through the tunnel
add action=accept chain=input in-interface=GRE-LAB36 src-address=\
    192.168.36.0/28
add action=accept chain=input in-interface=ether2 src-address=\
    192.168.35.16/28
add action=accept chain=input in-interface=GRE-LAB36 src-address=\
    192.168.36.16/28
# NOTE(review): this is the only explicit accept on ether3. IKE (udp/500) and
# ESP from the peer, and the decrypted GRE packets to 192.168.99.1, are not
# accepted explicitly and presumably pass via established,related only when
# this side initiated; check the logged input drops for them and consider an
# explicit "chain=input ipsec-policy=in,ipsec" accept.
add action=accept chain=input in-interface=ether3 protocol=icmp
# Winbox from a management range that is not configured on this router,
# accepted on any interface including ether3 - pin with in-interface if that
# range is only reachable via a LAN
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.25.0/24
add action=drop chain=input log=yes
# --- forward: traffic passing through the router ---
add action=accept chain=forward connection-state=established,related
# invalid-state packets are dropped except GRE; presumably connection tracking
# flagged tunnel packets as invalid - confirm before relying on the exception
add action=drop chain=forward connection-state=invalid log=yes protocol=!gre
# nothing new from the Internet side unless a dst-nat created it (no dst-nat
# rules exist in /ip firewall nat below)
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether3 log=yes
# NOTE(review): the only IPsec policy covers loopback-to-loopback GRE packets,
# which are local to the routers and go through input/output rather than
# forward; these two rules may therefore never match - verify with counters
add action=accept chain=forward comment="IPSEC: in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC: out" ipsec-policy=out,ipsec
# remote LAN 2 may open connections; no in-interface is set, so consider
# pinning it to in-interface=GRE-LAB36. No equivalent rule exists for remote
# LAN 1 (192.168.36.0/28) - confirm that asymmetry is intended
add action=accept chain=forward src-address=192.168.36.16/28
# local LANs may open connections anywhere
add action=accept chain=forward connection-state=new in-interface=ether1 \
    src-address=192.168.35.0/28
add action=accept chain=forward connection-state=new in-interface=ether2 \
    src-address=192.168.35.16/28
add action=drop chain=forward log=yes
/ip firewall nat
# masquerade LAN traffic towards the fake Internet; ipsec-policy=out,none
# excludes packets that will be IPsec-encrypted (here the policy only covers
# the loopback /32s, which these src-address matchers never hit anyway)
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 \
    src-address=192.168.35.0/28
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 \
    src-address=192.168.35.16/28
/ip ipsec identity
# key-id identities; no auth-method is given, so the RouterOS default
# (pre-shared-key) presumably applies; the secret is not in this export
add my-id=key-id:LAB35 peer=LAB36 remote-id=key-id:LAB36
/ip ipsec policy
# default template disabled; one static tunnel-mode policy between the loopbacks
set 0 disabled=yes
add dst-address=192.168.99.2/32 peer=LAB36 proposal=LAB36 src-address=\
    192.168.99.1/32 tunnel=yes
/ip route
# remote LAN 2 through the tunnel
add disabled=no distance=1 dst-address=192.168.36.16/28 gateway=GRE-LAB36 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# route for the remote GRE endpoint via the local loopback bridge, so the GRE
# packets have a path before the IPsec policy is applied to them (presumably
# why the post needs it). NOTE(review): pref-src is the ether2 address rather
# than 192.168.99.1 - confirm this is intentional
add disabled=no distance=1 dst-address=192.168.99.2/32 gateway=loopback \
    pref-src=192.168.35.30 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# default route to the fake Internet router
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.37.17 \
    pref-src=192.168.37.18 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# remote LAN 1 through the tunnel
add disabled=no dst-address=192.168.36.0/28 gateway=GRE-LAB36 routing-table=\
    main suppress-hw-offload=no
/system logging
# IPsec negotiation details to the log
add topics=ipsec
LAB36RT14 config:
# mar/20/2023 23:52:29 by RouterOS 7.8
# software id = 
#
# LAB36RT14: IKEv2 site-to-site peer of LAB35RT14 (192.168.37.18). The IPsec
# policy below protects only the GRE endpoint pair 192.168.99.2/32 <->
# 192.168.99.1/32, so everything routed into GRE-LAB35 travels encrypted.
/interface bridge
# portless bridge used as a loopback interface for the GRE endpoint address
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
/interface gre
# GRE outer addresses are the two loopback /32s covered by the IPsec policy
add local-address=192.168.99.2 name=GRE-LAB35 remote-address=192.168.99.1
/interface wireless security-profiles
# default export entry; no wireless interface is configured here
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# IKEv2 phase 1: AES-256 / SHA-512 / DH modp8192; NAT-T is off because both
# peers are reached at static addresses (see /ip ipsec peer)
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=LAB35 \
    nat-traversal=no prf-algorithm=sha512 proposal-check=strict
/ip ipsec peer
# single static peer, IKEv2 only
add address=192.168.37.18/32 exchange-mode=ike2 name=LAB35 profile=LAB35
/ip ipsec proposal
# default proposal disabled so only AES-256-CBC / SHA-512 with PFS modp8192
# can be negotiated for the child SA
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=LAB35 pfs-group=\
    modp8192
/port
set 0 name=serial0
set 1 name=serial1
/ip address
# LAN 1 on ether1
add address=192.168.36.14/28 interface=ether1 network=192.168.36.0
# LAN 2 on ether2
add address=192.168.36.30/28 interface=ether2 network=192.168.36.16
# towards the "fake Internet" router
add address=192.168.37.34/28 interface=ether3 network=192.168.37.32
# inner point-to-point address of the GRE tunnel
add address=10.0.0.2/30 interface=GRE-LAB35 network=10.0.0.0
# local GRE / IPsec endpoint
add address=192.168.99.2 interface=loopback network=192.168.99.2
/ip dhcp-client
# NOTE(review): a DHCP client on ether1 next to the static 192.168.36.14/28
# address looks like a leftover; it would add a second address (and possibly
# a default route) if a DHCP server appeared on that LAN - confirm it is wanted
add interface=ether1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related
# local LANs may reach the router
add action=accept chain=input in-interface=ether1 src-address=192.168.36.0/28
# remote LANs may reach the router only when arriving through the tunnel
add action=accept chain=input in-interface=GRE-LAB35 src-address=\
    192.168.35.0/28
add action=accept chain=input in-interface=ether2 src-address=\
    192.168.36.16/28
add action=accept chain=input in-interface=GRE-LAB35 src-address=\
    192.168.35.16/28
# NOTE(review): this is the only explicit accept on ether3. IKE (udp/500) and
# ESP from the peer, and the decrypted GRE packets to 192.168.99.2, are not
# accepted explicitly and presumably pass via established,related only when
# this side initiated; check the logged input drops for them and consider an
# explicit "chain=input ipsec-policy=in,ipsec" accept.
add action=accept chain=input in-interface=ether3 protocol=icmp
# Winbox from a management range that is not configured on this router,
# accepted on any interface including ether3 - pin with in-interface if that
# range is only reachable via a LAN
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.25.0/24
add action=drop chain=input log=yes
# --- forward: traffic passing through the router ---
add action=accept chain=forward connection-state=established,related
# invalid-state packets are dropped except GRE; presumably connection tracking
# flagged tunnel packets as invalid - confirm before relying on the exception
add action=drop chain=forward connection-state=invalid log=yes protocol=!gre
# nothing new from the Internet side unless a dst-nat created it (no dst-nat
# rules exist in /ip firewall nat below)
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether3 log=yes
# NOTE(review): the only IPsec policy covers loopback-to-loopback GRE packets,
# which are local to the routers and go through input/output rather than
# forward; these two rules may therefore never match - verify with counters
add action=accept chain=forward comment="IPSEC: in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC: out" ipsec-policy=out,ipsec
# remote LAN 2 may open connections; no in-interface is set, so consider
# pinning it to in-interface=GRE-LAB35. No equivalent rule exists for remote
# LAN 1 (192.168.35.0/28) - confirm that asymmetry is intended
add action=accept chain=forward src-address=192.168.35.16/28
# local LANs may open connections anywhere
add action=accept chain=forward connection-state=new in-interface=ether1 \
    src-address=192.168.36.0/28
add action=accept chain=forward connection-state=new in-interface=ether2 \
    src-address=192.168.36.16/28
add action=drop chain=forward log=yes
/ip firewall nat
# masquerade LAN traffic towards the fake Internet; ipsec-policy=out,none
# excludes packets that will be IPsec-encrypted (here the policy only covers
# the loopback /32s, which these src-address matchers never hit anyway)
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 \
    src-address=192.168.36.0/28
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 \
    src-address=192.168.36.16/28
/ip ipsec identity
# key-id identities; no auth-method is given, so the RouterOS default
# (pre-shared-key) presumably applies; the secret is not in this export
add my-id=key-id:LAB36 peer=LAB35 remote-id=key-id:LAB35
/ip ipsec policy
# default template disabled; one static tunnel-mode policy between the loopbacks
set 0 disabled=yes
add dst-address=192.168.99.1/32 peer=LAB35 proposal=LAB35 src-address=\
    192.168.99.2/32 tunnel=yes
/ip route
# remote LAN 2 through the tunnel
add disabled=no distance=1 dst-address=192.168.35.16/28 gateway=GRE-LAB35 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# route for the remote GRE endpoint via the local loopback bridge, so the GRE
# packets have a path before the IPsec policy is applied to them (presumably
# why the post needs it). NOTE(review): pref-src is the ether2 address rather
# than 192.168.99.2 - confirm this is intentional
add disabled=no distance=1 dst-address=192.168.99.1/32 gateway=loopback \
    pref-src=192.168.36.30 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# default route to the fake Internet router
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.37.33 \
    pref-src=192.168.37.34 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# remote LAN 1 through the tunnel
add disabled=no dst-address=192.168.35.0/28 gateway=GRE-LAB35 routing-table=\
    main suppress-hw-offload=no
/system logging
# IPsec negotiation details to the log
add topics=ipsec
As a next step I want to add a third site and fully mesh the three sites, and then a fourth, also fully meshed, site — but this one with a dynamic IP, acting as a "dial-up" client. Everything will use GRE because I have lots of networks at every site and I ultimately also want to run a dynamic routing protocol.
