marko1303
newbie
Topic Author
Posts: 33
Joined: Mon Apr 23, 2012 10:51 am

IPsec tunnel configuration

Sun Sep 02, 2012 10:47 pm

[Network diagram image, shot at 2012-09-02]

This is my network and I need to set up an IPsec tunnel between side 1 and side 2. Users from side 2 (192.168.2.0/24) must communicate with the server (172.16.1.10) on side 2 or with the subnet 172.16.1.0/24. How can I configure the IPsec tunnel?

side 2:

/ip address print
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.2.1/24     192.168.2.0     bridge LAN - WLAN1
 1   192.168.20.1/30    192.168.20.0    management link (not important)
 2 D 93.138.77.119/32   172.29.252.64   INTERNET

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY              DISTANCE
 0 ADS  0.0.0.0/0                          172.29.252.64               1
 1 ADC  172.29.252.64/32   93.138.77.119   INTERNET                    0
 2 ADC  192.168.2.0/24     192.168.2.1     bridge LAN - WLAN1          0
 3 ADC  192.168.20.0/30    192.168.20.1    management link             0

/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                  TYPE        MTU    L2MTU   MAX-L2MTU
 0     management link       ether       1500   1598    4074
 1  R  LAN                   ether       1500   1598    4074
 2  X  ether3-slave-local    ether       1500   1598    4074
 3  X  ether4-slave-local    ether       1500   1598    4074
 4  R  LAN-net               ether       1500   1598    4074
 5     wlan1                 wlan        1500   2290
 6  R  bridge LAN - WLAN1    bridge      1500   1598
 7  R  INTERNET              pppoe-out   1480

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade src-address-list=LAN out-interface=INTERN


side 1:

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST        INTERFACE
 0   ;;; default configuration
     172.16.0.254/30    172.16.0.252    172.16.0.255     LAN
 1   192.168.10.1/24    192.168.10.0    192.168.10.255   management link
 2 D 78.0.208.170/32    172.29.252.58   0.0.0.0          INTERNET

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY           DISTANCE
 0 ADS  0.0.0.0/0                          172.29.252.58            1
 1 ADC  172.16.0.252/30    172.16.0.254    LAN                      0
 2 A S  172.16.1.0/24                      172.16.0.253             1
 3 ADC  172.29.252.58/32   78.0.208.170    INTERNET                 0
 4 ADC  192.168.10.0/24    192.168.10.1    management link          0

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; exit to internet
     chain=srcnat action=masquerade src-address-list=LAN out-interface=INTERNET
 
lordcoke
newbie
Posts: 29
Joined: Thu Jun 10, 2010 10:11 am
Location: Germany

Re: IPsec tunnel configuration

Tue Sep 04, 2012 2:57 pm

Hello,

You may try this, if you have static IP addresses on your pppoe-client interfaces:

# on side1 (public address 78.0.208.170, LAN 172.16.1.0/24, WAN interface INTERNET)
/ip ipsec peer add address=93.138.77.119 secret="your_very_strong_secret" nat-traversal=yes
/ip ipsec policy add src-address=172.16.1.0/24 dst-address=192.168.2.0/24 sa-src-address=78.0.208.170 sa-dst-address=93.138.77.119 tunnel=yes
# accept rule in front of the masquerade rule: srcnat runs before IPsec, so tunnel traffic must not be NATed
/ip firewall nat add place-before=0 chain=srcnat action=accept src-address=172.16.1.0/24 dst-address=192.168.2.0/24 out-interface=INTERNET comment="NAT bypass for IPsec"
# on side2 (public address 93.138.77.119, LAN 192.168.2.0/24, WAN interface INTERNET as shown in /interface print)
/ip ipsec peer add address=78.0.208.170 secret="your_very_strong_secret" nat-traversal=yes
/ip ipsec policy add src-address=192.168.2.0/24 dst-address=172.16.1.0/24 sa-src-address=93.138.77.119 sa-dst-address=78.0.208.170 tunnel=yes
/ip firewall nat add place-before=0 chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=172.16.1.0/24 out-interface=INTERNET comment="NAT bypass for IPsec"
 
marko1303
newbie
Topic Author
Posts: 33
Joined: Mon Apr 23, 2012 10:51 am

Re: IPsec tunnel configuration

Wed Sep 05, 2012 9:14 am

It works, but I don't have static IP addresses.
Thank you.
 
marko1303
newbie
Topic Author
Posts: 33
Joined: Mon Apr 23, 2012 10:51 am

Re: IPsec tunnel configuration

Thu Dec 06, 2012 10:10 pm

I don't have a static IP address.

On both sides there is a script which resolves the DDNS names:
name="Resolve DDNS" owner="admin"
     policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
     last-started=dec/06/2012 20:53:02 run-count=10
     source=
       # resolve the DDNS names of both ends (names redacted in the post)
       :global newr1 [:resolve xxx.dyndns.org]
       :global newr2 [:resolve xxx.dyndns.org]
       # remote end: the peer address and the policy sa-dst-address are set together
       /ip ipsec policy set 0 sa-dst-address=$newr1
       /ip ipsec peer set 0 address=$newr1
       # local end: our own public address in the policy
       /ip ipsec policy set 0 sa-src-address=$newr2
       :log info "resolve IP for Ipsec"

IPsec settings:
Policy:
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=172.16.0.0/16 src-port=any dst-address=192.168.2.0/24
     dst-port=any protocol=all action=encrypt level=require
     ipsec-protocols=esp tunnel=yes sa-src-address=93.136.224.249
     sa-dst-address=93.136.52.220 proposal=default priority=0
Peer:
Flags: X - disabled
 0   address=93.139.39.81/32 port=500 auth-method=pre-shared-key
     secret="test" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=yes my-id-user-fqdn=""
     proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=1
Netwatch:
Flags: X - disabled
 #   HOST                 TIMEOUT              INTERVAL
 0   192.168.2.1          1s                   1m30s
If the netwatch ping succeeds (up), run script:
name="DisaSched_1" owner="admin"
     policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
     last-started=dec/06/2012 20:54:00 run-count=1
     source=/system scheduler disable "IPsec"
If the ping fails (down), run script:
name="DisaSched_1" owner="admin"
     policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
     last-started=dec/06/2012 20:54:00 run-count=1
     source=/system scheduler disable "IPsec"
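The scheduled script in the post above re-issues all three `set` commands on every run, whether or not the resolved addresses changed, and it has to keep two separate objects (the peer and the policy) pointing at the same remote address. The following is an added example, not code from the thread or from MikroTik: a Python model of that refresh step that works out which `set` commands are actually needed, emits none when nothing changed or when a lookup failed, rejects a non-address result before it reaches the router, and lets you confirm offline that the peer address and the policy's sa-dst-address end up in step. `TunnelState`, `ddns_update_commands()`, `apply_commands()` and `is_consistent()` are this example's own names; the demo addresses are constructed (TEST-NET-2 range), not the thread's.

```python
"""Work out the RouterOS `set` commands a DDNS-refresh script needs when the
resolved addresses of a dynamic-IP IPsec tunnel change (added example; the
names and the demo addresses are this example's own)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TunnelState:
    peer_address: str     # /ip ipsec peer address             (remote public IP)
    sa_src_address: str   # /ip ipsec policy sa-src-address    (our public IP)
    sa_dst_address: str   # /ip ipsec policy sa-dst-address    (remote public IP)


def is_consistent(state):
    """The peer we negotiate with must be the remote SA endpoint of the policy."""
    return state.peer_address == state.sa_dst_address


def ddns_update_commands(state, resolved_local, resolved_remote,
                         peer_id=0, policy_id=0):
    """Commands needed to move `state` to the newly resolved addresses.

    Returns [] when nothing changed, and also when a lookup failed (None),
    so a DNS hiccup never replaces a working address. Anything that is not
    an IPv4 address raises ValueError instead of being written to the router."""
    if resolved_local is None or resolved_remote is None:
        return []
    for addr in (resolved_local, resolved_remote):
        ipaddress.IPv4Address(addr)
    cmds = []
    # the remote address lives in two objects; both are updated from one value
    if resolved_remote != state.peer_address:
        cmds.append(f"/ip ipsec peer set {peer_id} address={resolved_remote}")
    if resolved_remote != state.sa_dst_address:
        cmds.append(f"/ip ipsec policy set {policy_id} sa-dst-address={resolved_remote}")
    if resolved_local != state.sa_src_address:
        cmds.append(f"/ip ipsec policy set {policy_id} sa-src-address={resolved_local}")
    return cmds


# parameter name in the command -> field of TunnelState
_FIELD = {"address": "peer_address",
          "sa-dst-address": "sa_dst_address",
          "sa-src-address": "sa_src_address"}


def apply_commands(state, cmds):
    """Simulate the router applying `cmds`, to verify the outcome offline."""
    for cmd in cmds:
        key, value = cmd.split()[-1].split("=", 1)
        state = replace(state, **{_FIELD[key]: value})
    return state


if __name__ == "__main__":
    # constructed starting point: the remote end has moved since the last run
    st = TunnelState("198.51.100.10", "198.51.100.20", "198.51.100.10")
    cmds = ddns_update_commands(st, "198.51.100.20", "198.51.100.11")
    print("\n".join(cmds) or "nothing to do")
    print("consistent after update:", is_consistent(apply_commands(st, cmds)))
```

Running the comparison before issuing any `set` means the peer, and with it the established SAs, is only touched on the runs where the remote address really moved; the same logic carries over directly into the RouterOS script by comparing `[/ip ipsec peer get 0 address]` with the resolved value before calling `set`.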