IPsec VPNs are fast, secure and policy-based: instead of routes, policies (source/destination selectors) decide which traffic is sent through the tunnel. IPsec is also natively supported by most major operating systems and routers.
IPsec works by establishing a connection between two endpoints, authenticated either by certificate exchange or by a pre-shared key (PSK). This initial connection is known as Phase 1.
After the initial connection is made, the two sides negotiate a proposal (encryption and integrity algorithms) and match a policy (the traffic selectors) over the Phase 1 connection. This is known as Phase 2.
Once Phase 1 and Phase 2 have been established the VPN is up and the two remote networks can communicate with each other (provided firewall rules are in place: the peer's IKE traffic on UDP 500/4500 and ESP must be accepted on the WAN side, and the LAN-to-LAN traffic must be allowed through).
In part one of this post we will look at connecting two MikroTik devices using IPsec.
Let us consider that router 1 (RB1) has a static public IP of 1.2.3.4 (this works just as well for dynamic WAN IPs using MikroTik DDNS) and a private range of 10.0.1.0/24, and router 2 (RB2) has a static public IP of 5.6.7.8 and a private range of 10.0.2.0/24. Our end goal is to allow both LANs to communicate with each other.
Step 1: Upgrade both routerboards to the latest version
/system package update install
The routerboards will reboot to complete the upgrade process. Once a routerboard has rebooted, upgrade its firmware as well and reboot again:
/system routerboard upgrade
/system reboot
Next we create an IPsec profile on both routerboards. These profiles must match on both sides or the Phase 1 connection will not establish. The profile below uses sha1 and aes-128, which is what this setup was built with; RouterOS also supports sha256 and aes-256, and those are the better choice for a new deployment.
/ip ipsec profile add name=IPSecProfile hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 proposal-check=obey lifetime=1d nat-traversal=yes dpd-interval=120 dpd-maximum-failures=5
On RB1 we create a peer to RB2:
/ip ipsec peer add name=RB2 address=5.6.7.8 profile=IPSecProfile exchange-mode=ike2
Similarly, on RB2 we create a peer to RB1 (note the name: the policy and proposal on RB2 refer to it as RB1 later on):
/ip ipsec peer add name=RB1 address=1.2.3.4 profile=IPSecProfile exchange-mode=ike2
Next we create an identity for PSK authentication on both routerboards. The secret must be identical on both sides, and the peer name must match the peer created on that router (RB2 on RB1, RB1 on RB2). Remember to change the PSK below to your own long, random value:
/ip ipsec identity add peer=RB2 auth-method=pre-shared-key secret="Some Super Secure Secret" policy-template-group=default notrack-chain=prerouting my-id=auto remote-id=auto match-by=remote-id generate-policy=port-override
and on RB2:
/ip ipsec identity add peer=RB1 auth-method=pre-shared-key secret="Some Super Secure Secret" policy-template-group=default notrack-chain=prerouting my-id=auto remote-id=auto match-by=remote-id generate-policy=port-override
Once this is done on both routerboards there should now be a connection listed under active peers:
/ip ipsec active-peers print
Flags: R - responder, N - natt-peer
 #  ID        STATE        UPTIME  PH2-TOTAL
 0  5.6.7.8   established  11m55s  1
Now for Phase 2 we create a proposal (the algorithms used for the IPsec SAs) that our policy will reference. Name it after the remote router, as the policies below expect. On RB1:
/ip ipsec proposal add name=RB2 auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
and on RB2:
/ip ipsec proposal add name=RB1 auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
Then we create the policy to allow traffic between two LAN’s
on RB1:
/ip ipsec policy add peer=RB2 tunnel=yes src-address=10.0.1.0/24 dst-address=10.0.2.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp proposal=RB2
On RB2
/ip ipsec policy add peer=RB1 tunnel=yes src-address=10.0.2.0/24 dst-address=10.0.1.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp proposal=RB1
Once both policies are in place we should now have an active Phase 2 connection (output below taken on RB2):
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #    TUN  SRC-ADDRESS
 0 T*      ::/0
 1 A  yes  10.0.2.0/24
Notice the "A" for active.
Next we need to let the LAN-to-LAN traffic through. We do this in the RAW table with a notrack rule rather than in the filter table: it saves resources on the RB, as we "trust" both networks, and because untracked packets are never NATed it also stops the usual masquerade rule from rewriting the source address before the IPsec policy gets to match it.
On RB1 we add the following rule
/ip firewall raw add src-address=10.0.1.0/24 dst-address=10.0.2.0/24 action=notrack chain=prerouting
and on RB2 we add the following rule
/ip firewall raw add src-address=10.0.2.0/24 dst-address=10.0.1.0/24 action=notrack chain=prerouting
One final "trick" is needed to monitor the VPN from the router itself with netwatch. Traffic the RB originates (a ping to the remote LAN, for example) would normally leave via the default route with the WAN address as its source, so it never matches the policy's src-address and is sent unencrypted. Adding a route for the remote LAN via the LAN interface (ether2 in our setup) makes the router source that traffic from its LAN address, which matches the policy and goes through the tunnel.
For RB1
/ip route add dst-address=10.0.2.0/24 gateway=ether2
For RB2
/ip route add dst-address=10.0.1.0/24 gateway=ether2
If all has gone well you should be able to ping devices on the remote LAN from either side.
In the next part of this series I will show how to create an IPsec tunnel between MikroTik and pfSense, another popular firewall used by many.
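The steps above as one consolidated script for both routers, added here as a worked example rather than config taken from the original post. It uses consistent object names on each side (the peer and proposal on RB2 are called RB1), sha256/aes-256 in place of sha1/aes-128, static policies only (no generate-policy on the identity), and adds two things the post leaves to the reader: the input-chain rules that let the peer's IKE and ESP reach the router, and a netwatch probe that uses the route trick. Assumed, and not from the post: the WAN interface is ether1, each LAN gateway is 10.0.x.1/24 on ether2, and the PSK is a placeholder to be replaced.

```routeros
# Added example, not from the original post. Assumptions: WAN = ether1,
# LAN = ether2 with 10.0.1.1/24 on RB1 and 10.0.2.1/24 on RB2, PSK is a placeholder.

# ===================== RB1 (WAN 1.2.3.4, LAN 10.0.1.0/24) =====================
/ip ipsec profile add name=IPSecProfile hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 proposal-check=obey lifetime=1d nat-traversal=yes \
    dpd-interval=120 dpd-maximum-failures=5
/ip ipsec proposal add name=RB2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=30m pfs-group=modp2048
/ip ipsec peer add name=RB2 address=5.6.7.8 profile=IPSecProfile exchange-mode=ike2
/ip ipsec identity add peer=RB2 auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-psk" my-id=auto remote-id=auto match-by=remote-id
/ip ipsec policy add peer=RB2 tunnel=yes src-address=10.0.1.0/24 dst-address=10.0.2.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp proposal=RB2
# Bypass conntrack (and therefore masquerade) for LAN-to-LAN traffic.
/ip firewall raw add chain=prerouting src-address=10.0.1.0/24 dst-address=10.0.2.0/24 \
    action=notrack comment="no conntrack/NAT for RB2 LAN"
# IKE (UDP 500/4500) and ESP from the peer must reach the router itself on the WAN side.
/ip firewall filter add chain=input in-interface=ether1 src-address=5.6.7.8 \
    protocol=udp dst-port=500,4500 action=accept comment="IKE/NAT-T from RB2"
/ip firewall filter add chain=input in-interface=ether1 src-address=5.6.7.8 \
    protocol=ipsec-esp action=accept comment="ESP from RB2"
# Source router-originated traffic for the remote LAN from ether2 so it matches the policy.
/ip route add dst-address=10.0.2.0/24 gateway=ether2
# Probe the remote LAN gateway through the tunnel and log state changes.
/tool netwatch add host=10.0.2.1 interval=30s timeout=2s \
    down-script="/log warning \"IPsec tunnel to RB2 is down\"" \
    up-script="/log info \"IPsec tunnel to RB2 is up\""

# ===================== RB2 (WAN 5.6.7.8, LAN 10.0.2.0/24) =====================
/ip ipsec profile add name=IPSecProfile hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 proposal-check=obey lifetime=1d nat-traversal=yes \
    dpd-interval=120 dpd-maximum-failures=5
/ip ipsec proposal add name=RB1 auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=30m pfs-group=modp2048
/ip ipsec peer add name=RB1 address=1.2.3.4 profile=IPSecProfile exchange-mode=ike2
/ip ipsec identity add peer=RB1 auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-psk" my-id=auto remote-id=auto match-by=remote-id
/ip ipsec policy add peer=RB1 tunnel=yes src-address=10.0.2.0/24 dst-address=10.0.1.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp proposal=RB1
/ip firewall raw add chain=prerouting src-address=10.0.2.0/24 dst-address=10.0.1.0/24 \
    action=notrack comment="no conntrack/NAT for RB1 LAN"
/ip firewall filter add chain=input in-interface=ether1 src-address=1.2.3.4 \
    protocol=udp dst-port=500,4500 action=accept comment="IKE/NAT-T from RB1"
/ip firewall filter add chain=input in-interface=ether1 src-address=1.2.3.4 \
    protocol=ipsec-esp action=accept comment="ESP from RB1"
/ip route add dst-address=10.0.1.0/24 gateway=ether2
/tool netwatch add host=10.0.1.1 interval=30s timeout=2s \
    down-script="/log warning \"IPsec tunnel to RB1 is down\"" \
    up-script="/log info \"IPsec tunnel to RB1 is up\""
```

Two things to check after pasting this in. The two input rules are appended to the end of the filter chain, so on a router with the default "drop all not coming from LAN" rule they must be moved above it (use `place-before=` on the add, or `/ip firewall filter move`), otherwise Phase 1 never starts. And the profile, proposal and PSK must be byte-for-byte identical on both sides; a mismatch shows up as a peer that never reaches the established state in `/ip ipsec active-peers print`, with the reason in `/log print` when `/system logging add topics=ipsec` is enabled.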