Mikrotik is my favorite and I use it almost everywhere :)
software and hardware are pretty powerfull and they can handle even complex setup.
In this post I will try to show easy to setup lan-to-lan IPSec connection for both locations and share the resources between.
Introduction
Introduction
Introduction1
This is a real life example and I'm using following hardware:
Location | Model | Public IP | Subnet | Bandwidth |
---|---|---|---|---|
Home | 962UiGS-5HacT2HnT | 83.xx.xx.xx | 192.168.88.0/24 | 600/60 Mbit |
Office | RB962UiGS-5HacT2HnT | 79.xx.xx.xx | 192.168.99.0/24 | 150/20 Mbit |
83.xx.xx.xx/32 79.xx.xx.xx/32
+-----------------+ +-----------------+
| <------------------------------------> |
| HOME | IPSec tunnel | OFFICE |
| <------------------------------------> |
+--+-----+-----+--+ +--+-----+-----+--+
| | | | | |
| | | | | |
+--v-----v-----v--+ +--v-----v-----v--+
| | | |
| 192.168.88.0/24 | | 192.168.99.0/24 |
| | | |
+-----------------+ +-----------------+
Things worth mention but not nessesry changin anything - just to claryfi the wider picture:
- both routers are acting as default gateways
- both routers are running DHCP server for LAN and WLAN clients
- both routers are having static IP (in the next post will show how to make it work for dybamic IPs)
- I'm using RouterOS 6.47.x CLI to configure both devices. (ssh connection or terminal in webfig)
- IPSec connection will be configured to use shared keys and IKE protocol (in future posts I will show how to move to certificates)
Setup
To be able to setup a stable and secure tunnel there is couple things to add. Profiles on both sides need to be identical otherwise the conection will not establish so keep in mind to doublecheck confguration if something dont work.
Profile
Profiles defines a set of parameters that will be used for IKE negotiation during Phase 1. These parameters may be common with other peer configurations.
router1 & router2
/ip ipsec profile add dh-group=modp2048,modp1024 enc-algorithm=aes-192,aes-128 name=ike2
Proposals
Proposal information that will be sent by IKE daemons to establish SAs for certain policy and its used while defining identity.
router1 & router2
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2-gre pfs-group=none
Peers
Peer configuration settings are used to establish connections between IKE daemons. This connection then will be used to negotiate keys and algorithms for SAs. Exchange mode is the only unique identifier between the peers, meaning that there can be multiple peer configurations with the same remote-address as long as different exchange-mode is used.
router1 - home - adding remote peer - office
/ip ipsec peer
add address=79.xx.xx.xx/32 exchange-mode=ike2 name=office passive=yes profile=ike2
router2 - office - adding remote peer - home
/ip ipsec peer
add address=83.xx.xx.xx/32 exchange-mode=ike2 name=home passive=yes profile=ike2
Identities
Identities are configuration parameters that are specific to the remote peer. Main purpose of an identity is to handle authentication and verify peer's integrity.
To connect two peers together they need to share the same secret.
router1 - home - adding identity - office
/ip ipsec identity
add peer=office policy-template-group=ike2-gre secret=SECRET
router2 - office - adding identity - home
/ip ipsec identity
add peer=home policy-template-group=ike2-gre secret=SECRET
Policies
Policy table is used to determine whether security settings should be applied to a packet.
Finally we have everything to establish a connection between those peers.
router1 - home - adding policy - office
/ip ipsec policy
add dst-address=192.168.99.0/24 peer=office proposal=ike2-gre sa-dst-address=79.xx.xx.xx sa-src-address=83.xx.xx.xx src-address=192.168.88.0/24 tunnel=yes
router2 - office - adding policy - home
/ip ipsec policy
add dst-address=192.168.88.0/24 peer=home proposal=ike2-gre sa-dst-address=83.xx.xx.xx sa-src-address=79.xx.xx.xx src-address=192.168.99.0/24 tunnel=yes
Checking the connection
Assuming the above config was done witout errors you should see Acrive tunnel on both sides!
tunnel
router1 - home
[admin@home] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 A office yes 192.168.88.0/24 192.168.99.0/24 all encrypt require 1
router2 - office
[admin@office] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 A home yes 192.168.99.0/24 192.168.88.0/24 all encrypt require 1
ping
~ >>> ping 192.168.99.1
PING 192.168.99.1 (192.168.99.1 ) 56(84) bytes of data.
64 bytes from 192.168.99.1 : icmp_seq=1 ttl=62 time=19.5 ms
64 bytes from 192.168.99.1 : icmp_seq=2 ttl=62 time=13.1 ms
64 bytes from 192.168.99.1 : icmp_seq=3 ttl=62 time=18.1 ms
^C
--- 192.168.99.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 13.146/16.901/19.465/2.713 ms