Wednesday, April 19, 2017

Mikrotik - VPN IPSEC

If you have not heard about Mikrotik yet, I can't say I blame you. It is not exactly something you'll find in SOHO network shops next to brands like TP-Link, Linksys or Netgear. Mikrotik is a company in Latvia that produces network hardware under the RouterBOARD name. The devices are excellent and RouterOS supports an amazing number of features for a SOHO product.
As I recently built a small VPN network based on IPsec using the Mikrotik RB951G-2HnD platform, I had the idea to put together a short how-to for the enthusiasts out there who want to try these products. Now, I'm not saying that this is the best or the only approach, but it's a start from which you can develop your own fine-tuned solution.
Let’s assume that we have the following topology:
The idea is to build a VPN between the two routers using IPsec. The RouterOS version is 6.23, so earlier versions may not support all the features described here, but I'll try to point this out where it is the case.
As some people are more comfortable with the GUI and others with the CLI, I'll describe both methods. If you are following this blog post, I assume that you are already a bit familiar with RouterOS and that your Mikrotik device is at least connected to the Internet.
In this example I’ll focus on the left side of the diagram. The right side is configured in the same way.
Before going into the real IPsec configuration, please be sure to have the following ports open on your Mikrotik firewall:
You may not use all of these protocols after following this blog post, but it's OK to have them open if you want to experiment. They can be closed later, once you decide what to use, but we don't want this to be a blocking point that forces us into troubleshooting.
You can allow these ports in the Mikrotik firewall as follows in the CLI:
The place-before=0 option forces the rule to the top of your Input table, so it is evaluated before any drop rule.
In the GUI, check the
IP > Firewall > Filter Rules > Input table
Another thing to remember, if you're using NAT as in the picture above, is that the LAN subnets have to be allowed to communicate directly, before they are passed to the masquerade rule.
IP > Firewall > NAT
Let’s start now with the IPsec configuration part.
First, let's define a new IPsec Proposal. There is a default one that comes preconfigured, but I would like to use my own.
IP > IPsec > Proposals
As mentioned earlier in this post, depending on your RouterOS version you may have different options here. Just pick what suits your needs.
Next we need to define an IPsec Policy.
IP > IPsec > Policies
I think the settings are obvious; just be careful to correctly pick the sources (SRC ADDR and SA SRC). The SRC values belong to the local site, while the DST part has to be the remote site.
Last, we need to define at least one IPsec Peer.
IP > IPsec > Peers
Be careful: if you are on RouterOS 5.xx (just as an example), the Encryption Algorithm field supports only one value, not multiple values as configured above. I did this deliberately to highlight that there are differences depending on the RouterOS version. Nevertheless, the baseline for IPsec VPN configuration remains the same.
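The five steps above (firewall input rules, NAT exception, proposal, policy, peer), as an added worked example in RouterOS CLI form for the left site; this is not the post's own command listing, whose screenshots are not reproduced here. The addresses, subnets, the names vpn-prop and the PSK are constructed assumptions, the ports are the standard IKE/NAT-T/ESP ones, and the peer syntax is the RouterOS 6.2x form the post uses.

```routeros
# Added example, not the original post's commands. Constructed addresses
# (documentation/private ranges): left WAN 198.51.100.1, left LAN 192.168.10.0/24;
# right WAN 203.0.113.1, right LAN 192.168.20.0/24. Configure the mirror image there.

# 1. Let IKE (UDP 500), NAT-T (UDP 4500) and ESP reach the router itself.
#    place-before=0 puts each rule at the top of the input chain, ahead of any drop.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IPsec IKE/NAT-T" place-before=0
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP" place-before=0

# 2. Keep LAN-to-LAN traffic out of masquerade; otherwise the source address is
#    rewritten before the IPsec policy can match and the tunnel never carries it.
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    action=accept comment="no NAT for VPN traffic" place-before=0

# 3. Phase 2 proposal (Proposals tab). AES-256 with SHA-256 and PFS; older
#    RouterOS builds may not offer sha256 or modp2048, see the version notes above.
/ip ipsec proposal
add name=vpn-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# 4. Policy (Policies tab): src/dst are the LAN subnets, sa-src/sa-dst the WAN
#    addresses. SRC is always the local site, DST the remote one.
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt proposal=vpn-prop

# 5. Peer (Peers tab), RouterOS 6.2x syntax. The pre-shared key is a placeholder:
#    use a long random secret, and never reuse it across sites.
/ip ipsec peer
add address=203.0.113.1/32 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 generate-policy=no

# Check: once the right site is configured, phase 1 and phase 2 should show here.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

If the remote-peers list stays empty, re-check step 1 first: a drop rule above the accept rules in the input chain is the most common cause of a tunnel that never establishes.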

Source: https://firstdigest.com/2014/12/mikrotik-ipsec-vpn/
