MikroTik is my favourite and I use it almost everywhere :)
The software and hardware are pretty powerful and can handle even complex setups.

In this post I will try to show an easy-to-set-up LAN-to-LAN IPSec connection between two locations and how to share resources between them.

Introduction

This is a real-life example and I'm using the following hardware:

Location   Model                  Public IP      Subnet            Bandwidth
Home       RB962UiGS-5HacT2HnT    83.xx.xx.xx    192.168.88.0/24   600/60 Mbit
Office     RB962UiGS-5HacT2HnT    79.xx.xx.xx    192.168.99.0/24   150/20 Mbit

    83.xx.xx.xx/32                                      79.xx.xx.xx/32
+-----------------+                                    +-----------------+
|                 <------------------------------------>                 |
|      HOME       |             IPSec tunnel           |     OFFICE      |
|                 <------------------------------------>                 |
+--+-----+-----+--+                                    +--+-----+-----+--+
   |     |     |                                          |     |     |
   |     |     |                                          |     |     |
+--v-----v-----v--+                                    +--v-----v-----v--+
|                 |                                    |                 |
| 192.168.88.0/24 |                                    | 192.168.99.0/24 |
|                 |                                    |                 |
+-----------------+                                    +-----------------+

Things worth mentioning, although none of them need changing; they are just here to clarify the wider picture:

  • both routers are acting as default gateways
  • both routers are running a DHCP server for LAN and WLAN clients
  • both routers have static public IPs (the next post will show how to make it work for dynamic IPs)
  • I'm using the RouterOS 6.47.x CLI to configure both devices (over an SSH connection or the terminal in WebFig)
  • the IPSec connection will be configured to use a pre-shared key and IKEv2 (in future posts I will show how to move to certificates)

Setup

To set up a stable and secure tunnel there are a couple of things to add. The profiles on both sides need to be identical, otherwise the connection will not establish, so remember to double-check the configuration if something doesn't work.

Profile

A profile defines the set of parameters that will be used for IKE negotiation during Phase 1. These parameters may be shared with other peer configurations.

router1 & router2

/ip ipsec profile add dh-group=modp2048,modp1024 enc-algorithm=aes-192,aes-128 name=ike2 

Proposals

A proposal holds the Phase 2 information that the IKE daemons send to establish SAs for a given policy; it is referenced by name in the later steps.

router1 & router2

/ip ipsec proposal 
add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2-gre pfs-group=none

Peers

Peer configuration settings are used to establish connections between IKE daemons. This connection will then be used to negotiate keys and algorithms for the SAs. Exchange mode is the only unique identifier between the peers, meaning that there can be multiple peer configurations with the same remote-address as long as a different exchange-mode is used.

router1 - home - adding remote peer - office

/ip ipsec peer
add address=79.xx.xx.xx/32 exchange-mode=ike2 name=office passive=yes profile=ike2

router2 - office - adding remote peer - home

/ip ipsec peer
add address=83.xx.xx.xx/32 exchange-mode=ike2 name=home passive=yes profile=ike2

Identities

Identities are configuration parameters that are specific to the remote peer. The main purpose of an identity is to handle authentication and verify the peer's integrity.
To connect two peers together they need to share the same secret.

router1 - home - adding identity - office

/ip ipsec identity
add peer=office policy-template-group=ike2-gre secret=SECRET

router2 - office - adding identity - home

/ip ipsec identity
add peer=home policy-template-group=ike2-gre secret=SECRET

Policies

The policy table is used to determine whether security settings should be applied to a packet.

Finally, we have everything needed to establish a connection between those peers.

router1 - home - adding policy - office

/ip ipsec policy
add dst-address=192.168.99.0/24 peer=office proposal=ike2-gre sa-dst-address=79.xx.xx.xx sa-src-address=83.xx.xx.xx src-address=192.168.88.0/24 tunnel=yes

router2 - office - adding policy - home

/ip ipsec policy
add dst-address=192.168.88.0/24 peer=home proposal=ike2-gre sa-dst-address=83.xx.xx.xx sa-src-address=79.xx.xx.xx src-address=192.168.99.0/24 tunnel=yes
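The advice above about double-checking that both sides match can be automated. The script below is an added example, not part of the post or of RouterOS: it parses the command lines shown for both routers and reports any asymmetry between profile, proposal, peer, identity and policy settings (identical Phase 1/2 parameters, the same secret, each peer address matching the other side's sa-src-address, and mirrored policy addresses). The two configuration strings are constructed from this post's commands, with the xx octets kept as placeholders.

```python
import shlex

# Both routers' commands as given in the post (the xx octets are kept as placeholders).
HOME = """
/ip ipsec profile add dh-group=modp2048,modp1024 enc-algorithm=aes-192,aes-128 name=ike2
/ip ipsec proposal add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2-gre pfs-group=none
/ip ipsec peer add address=79.xx.xx.xx/32 exchange-mode=ike2 name=office passive=yes profile=ike2
/ip ipsec identity add peer=office policy-template-group=ike2-gre secret=SECRET
/ip ipsec policy add dst-address=192.168.99.0/24 peer=office proposal=ike2-gre sa-dst-address=79.xx.xx.xx sa-src-address=83.xx.xx.xx src-address=192.168.88.0/24 tunnel=yes
"""
OFFICE = """
/ip ipsec profile add dh-group=modp2048,modp1024 enc-algorithm=aes-192,aes-128 name=ike2
/ip ipsec proposal add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2-gre pfs-group=none
/ip ipsec peer add address=83.xx.xx.xx/32 exchange-mode=ike2 name=home passive=yes profile=ike2
/ip ipsec identity add peer=home policy-template-group=ike2-gre secret=SECRET
/ip ipsec policy add dst-address=192.168.88.0/24 peer=home proposal=ike2-gre sa-dst-address=83.xx.xx.xx sa-src-address=79.xx.xx.xx src-address=192.168.99.0/24 tunnel=yes
"""

# Policy fields on one router that must equal the swapped field on the other.
MIRROR = {"src-address": "dst-address", "dst-address": "src-address",
          "sa-src-address": "sa-dst-address", "sa-dst-address": "sa-src-address"}

def parse(cfg):
    """Turn '/ip ipsec <section> add k=v ...' lines into {section: [{k: v}, ...]}."""
    sections, current = {}, None
    for line in cfg.strip().splitlines():
        parts = shlex.split(line)  # shlex handles the quoted auth-algorithms=""
        if len(parts) >= 3 and parts[:2] == ["/ip", "ipsec"]:
            current, parts = parts[2], parts[3:]  # the section may also sit on its own line
        if parts[:1] == ["add"] and current:
            sections.setdefault(current, []).append(dict(p.split("=", 1) for p in parts[1:]))
    return sections

def mismatches(a, b):
    """List every cross-check that fails between the two parsed router configs."""
    problems = [f"{s} differs" for s in ("profile", "proposal") if a.get(s) != b.get(s)]  # Phase 1/2 params
    (pa, ia, xa), (pb, ib, xb) = [(c["peer"][0], c["identity"][0], c["policy"][0]) for c in (a, b)]
    if ia["secret"] != ib["secret"]:
        problems.append("pre-shared secret differs")
    if ia["peer"] != pa["name"] or ib["peer"] != pb["name"]:
        problems.append("identity does not reference the local peer entry")
    # each peer entry must point at the address the other side uses as its SA source
    if pa["address"].split("/")[0] != xb["sa-src-address"] or pb["address"].split("/")[0] != xa["sa-src-address"]:
        problems.append("peer address does not match the remote sa-src-address")
    problems += [f"policy {k} on A != {m} on B" for k, m in MIRROR.items() if xa[k] != xb[m]]
    if xa["proposal"] != xb["proposal"] or xa["tunnel"] != xb["tunnel"]:
        problems.append("policy proposal or tunnel mode differs")
    return problems
```

An empty list from mismatches() means the two sides are consistent; each string names the asymmetry to fix before looking anywhere else.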

Checking the connection

Assuming the above config was entered without errors, you should see an active tunnel (flag A) on both sides!

tunnel

router1 - home

[admin@home] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
#      PEER      TUNNEL    SRC-ADDRESS        DST-ADDRESS       PROTOCOL    ACTION      LEVEL       PH2-COUNT
0   A  office    yes       192.168.88.0/24    192.168.99.0/24     all       encrypt     require         1

router2 - office

[admin@office] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
#      PEER      TUNNEL    SRC-ADDRESS        DST-ADDRESS       PROTOCOL    ACTION      LEVEL       PH2-COUNT
0   A  home       yes      192.168.99.0/24    192.168.88.0/24     all       encrypt     require         1

ping

~ >>> ping 192.168.99.1 
PING 192.168.99.1  (192.168.99.1 ) 56(84) bytes of data.
64 bytes from 192.168.99.1 : icmp_seq=1 ttl=62 time=19.5 ms
64 bytes from 192.168.99.1 : icmp_seq=2 ttl=62 time=13.1 ms
64 bytes from 192.168.99.1 : icmp_seq=3 ttl=62 time=18.1 ms
^C
--- 192.168.99.1  ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 13.146/16.901/19.465/2.713 ms