Anyone have a good example of IPSEC/L2TP with RSA keys?

lorsungcu · Sat Dec 07, 2013 7:46 pm

I am looking for a good working example of site to site VPN using IPSEC/L2TP, using RSA keys for IPSEC authentication. I've looked through the wiki and manuals, and can't find anything complete, or that actually seems to work. Both sides of the VPN are routerboards. I'll post what i've got as far as a configuration later today, but any help in the mean time would be appreciated.

Thanks!

patrikg · Sat Dec 07, 2013 8:40 pm

Start at this page, to get a grip how vpn works.

Visit Greg's homepage.
Lots of good video's and step by step.

http://gregsowell.com/?p=1290

http://gregsowell.com/?p=787

lorsungcu · Sun Dec 08, 2013 8:59 pm

Thanks, I have a good grip on how VPN works. Neither of the links covered what I asked for clarification on. I have no issue getting it working with PSK. I am looking for info on getting RSA key auth working for IPSEC between two routerboards.

efaden · Sun Dec 08, 2013 9:03 pm

Thanks, I have a good grip on how VPN works. Neither of the links covered what I asked for clarification on. I have no issue getting it working with PSK. I am looking for info on getting RSA key auth working for IPSEC between two routerboards.

Basically do this...

ros code

/ip ipsec key generate-key name="Site1" key-size=1024
/ip ipsec key export-pub-key file-name="Site1.pub" key=Site1

Go download the files and upload them to the other sites... Then run...

ros code

/ip ipsec key import file-name=Site2.pub
/ip ipsec peer set 0 auth-method=rsa-key key=Site1 remote-key=Site2

... pretty much it. I have it running for my site to site tunnels.

lorsungcu · Mon Dec 09, 2013 5:20 am

Is it possible to use the same key with multiple remote peers? If I have 10 connections I need to make, for instance, can I just distribute the router1 public key? Below is my current config; I am unable to get L2TP connected with this configuration.

Router 01:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des,aes-256 lifetime=0s name=default pfs-group=modp1024
    
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes hash-algorithm=md5 key=default_2048.priv lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 remote-key=remote_2048.pub send-initial-contact=no

Router 02:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc

/ip ipsec peer
add address=1.1.1.1/32 auth-method=rsa-key dpd-interval=disable-dpd  enc-algorithm=3des exchange-mode=main hash-algorithm=md5 key= remote_2048.priv remote-key=default_2048.pub

/ip ipsec policy
add dst-address=1.1.1.1/32 sa-dst-address=1.1.1.1  sa-src-address=2.2.2.2 src-address=2.2.2.2/32

This actually seems to connect, as I get an established remote peer. L2TP does not, however. Below is all I see from the L2TP log:

dec/08 21:10:32 l2tp,debug,packet l2tp =>: sent control message to 1.1.1.1:1701 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     tunnel-id=0, session-id=0, ns=0, nr=0 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     (M) Message-Type=SCCRQ 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     (M) Protocol-Version=0x01:00 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     (M) Framing-Capabilities=0x1 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     (M) Bearer-Capabilities=0x0 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     Firmware-Revision=0x1 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     (M) Host-Name="remote" 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     Vendor-Name="MikroTik" 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     (M) Assigned-Tunnel-ID=4843 
dec/08 21:10:32 l2tp,debug,packet l2tp =>:     (M) Receive-Window-Size=4 
dec/08 21:10:40 l2tp,debug l2tp =>: tunnel 4843 received no replies, disconnecting 
dec/08 21:10:40 l2tp,debug l2tp =>: tunnel 4843 entering state: dead 
dec/08 21:10:40 l2tp,debug l2tp =>: session 1 entering state: dead

The relevant firewall rules:

2   chain=input action=jump jump-target=filter_105 dst-address=2.2.2.2 in-interface=pppoe-centurylink 
 3   chain=filter_105 action=accept protocol=ipsec-esp 
 4   chain=filter_105 action=accept protocol=udp dst-port=4500 
 5   chain=filter_105 action=accept protocol=udp dst-port=1701 
 6   chain=filter_105 action=accept protocol=udp dst-port=500 
 7   chain=filter_105 action=accept protocol=icmp 
 8   chain=filter_105 action=accept connection-state=established 
 9   chain=filter_105 action=accept connection-state=related 
10   chain=filter_105 action=drop

On the other side, this is what I see in the logs:

21:15:39 l2tp,debug,packet L2TP =>: rcvd control message from 2.2.2.2:1701 
21:15:39 l2tp,debug,packet L2TP =>:     tunnel-id=0, session-id=0, ns=0, nr=0 
21:15:39 l2tp,debug,packet L2TP =>:     (M) Message-Type=SCCRQ 
21:15:39 l2tp,debug,packet L2TP =>:     (M) Protocol-Version=0x01:00 
21:15:39 l2tp,debug,packet L2TP =>:     (M) Framing-Capabilities=0x1 
21:15:39 l2tp,debug,packet L2TP =>:     (M) Bearer-Capabilities=0x0 
21:15:39 l2tp,debug,packet L2TP =>:     Firmware-Revision=0x1 
21:15:39 l2tp,debug,packet L2TP =>:     (M) Host-Name="remote" 
21:15:39 l2tp,debug,packet L2TP =>:     Vendor-Name="MikroTik" 
21:15:39 l2tp,debug,packet L2TP =>:     (M) Assigned-Tunnel-ID=4852 
21:15:39 l2tp,debug,packet L2TP =>:     (M) Receive-Window-Size=4 
21:15:39 l2tp,debug,packet L2TP =>: sent control message (ack) to 2.2.2.2:1701 
21:15:39 l2tp,debug,packet L2TP =>:     tunnel-id=4852, session-id=0, ns=1, nr=1 
21:15:39 l2tp,debug L2TP =>: tunnel 14319 received no replies, disconnecting 
21:15:39 l2tp,debug L2TP =>: tunnel 14319 entering state: dead

Any ideas? In case you're wondering, the goals is to be able to use RSA keys, get L2TP/IPSEC working between many peers and a central router, and distribute routes using OSPF between them. This is the only piece I'm stuck on; I had it working using PSK, can't seem to now that I'm not.

tomaskir · Mon Dec 09, 2013 10:57 am

How are your IP addresses setup up on the L2TP concentrator?

Any chance you are getting hit by this bug http://forum.mikrotik.com/viewtopic.php ... 19#p398319

efaden · Mon Dec 09, 2013 4:03 pm

How are your IP addresses setup up on the L2TP concentrator?

Any chance you are getting hit by this bug http://forum.mikrotik.com/viewtopic.php ... 19#p398319

Not sure why it isn't working... I run L2TP/IPsec for mine works fine. And yes... you can just distribute the public keys.

lorsungcu · Mon Dec 09, 2013 5:04 pm

IPs are set up just as they are anywhere else, and I have a NAT rule to force them out the correct address. I'm going to review/rebuild everything again today, I'm sure I missed something somewhere.

lorsungcu · Mon Dec 09, 2013 6:31 pm

Removing the IPSEC policy restores L2TP service. One thing I noticed was that a remote peer on the client side (2.2.2.2) gets configured for an the gateway address at my ISP. Below is an example:

/ip ipsec remote-peers> print 
 0 local-address=2.2.2.2 remote-address=1.1.1.1 state=message-3-sent side=initiator 

 1 local-address=2.2.2.3 remote-address=1.1.1.1 state=message-3-sent side=initiator 

 2 local-address=2.2.2.2 remote-address=1.1.1.1 state=established side=initiator established=1m56s

2.2.2.3 is provisioned by my ISP when the PPPoE link is negotiated; it's used as the gateway address. I have no firewall rules or source NAT for this address. Is the problem that once the L2TP packets hit the IPSEC policy, they are out of the standard routing flow? Where in this diagram should I be looking?

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

Both routers are on 6.7, might trying bringing them back to 5.6, but wanted to see if the improved ppp stuff had any effect.

lorsungcu · Mon Dec 09, 2013 7:23 pm

Changing to PSK, and everything came right up. I must be screwing the key configuration up...

Steps to set up IPSEC with RSA:

Generate key on Router01 (r1_key)
Export public key (r1_key.pub)
Set Router01 IPSEC peer key=r1_key remote-key=r1_key.pub
Generate key on Router02 (r2_key)
Import Router01 public key
Set Router02 IPSEC peer key=r2_key remote-key=r1_key.pub

Where am I messing it up, or where can I find documentation that goes through this?

Thanks for all your help!

efaden · Mon Dec 09, 2013 9:16 pm

Changing to PSK, and everything came right up. I must be screwing the key configuration up...

Steps to set up IPSEC with RSA:

Generate key on Router01 (r1_key)
Export public key (r1_key.pub)
Set Router01 IPSEC peer key=r1_key remote-key=r1_key.pub
Generate key on Router02 (r2_key)
Import Router01 public key
Set Router02 IPSEC peer key=r2_key remote-key=r1_key.pub

Where am I messing it up, or where can I find documentation that goes through this?

Thanks for all your help!

Not really sure if there is good documentation on it... I may have some time tomorrow if you want to give me remote access.

norpan · Mon Dec 09, 2013 10:31 pm

Changing to PSK, and everything came right up. I must be screwing the key configuration up...

Steps to set up IPSEC with RSA:

Generate key on Router01 (r1_key)
Export public key (r1_key.pub)
Set Router01 IPSEC peer key=r1_key remote-key=r1_key.pub
Generate key on Router02 (r2_key)
Import Router01 public key
Set Router02 IPSEC peer key=r2_key remote-key=r1_key.pub

Where am I messing it up, or where can I find documentation that goes through this?

Thanks for all your help!

Hi,
Shouldn't you have :
Set Router01 IPSEC peer key=r1_key remote-key=r2_key.pub

lorsungcu · Fri Dec 27, 2013 2:06 am

yeah, you're right. How would the third router work, then? Anyone willing to post their configuration?

Thanks again.

efaden · Fri Dec 27, 2013 4:16 pm

yeah, you're right. How would the third router work, then? Anyone willing to post their configuration?

Thanks again.

Just extend it out... Create a key on each site.... then exchange them so each site has Site1, Site2, and Site3 keys...

Site 1 will have Site 1 Pub/Priv and Site 2 and Site 3 Pub... Site 2 will have Site 2 Pub/Priv and Site1 and Site 3 Pub... etc...

Then site 1 will have two connections ...
1) key=site1 remote-key=site2
2) key=site1 remote-key=site3

etc.

lorsungcu · Fri Dec 27, 2013 5:43 pm

Right, but it doesn't seem like this could work for dynamic peers. is that correct?

efaden · Fri Dec 27, 2013 7:55 pm

Right, but it doesn't seem like this could work for dynamic peers. is that correct?

I'm not actually certain, but I would assume it would get messed up if you had multiple peers with 0.0.0.0/0 address. I have never actually tested it though.

lorsungcu · Sat Dec 28, 2013 5:00 am

That is what I thought. I was hoping to be able to just distribute a single key to a bunch of remote users, but dont think thats possible. Is there a way to do something like that with certificates? I will look more into that as well.

efaden · Sat Dec 28, 2013 3:29 pm

That is what I thought. I was hoping to be able to just distribute a single key to a bunch of remote users, but dont think thats possible. Is there a way to do something like that with certificates? I will look more into that as well.

Why do you want to do that?... then it is hard to lock out a single user, etc... Why not use something like x-auth?

lorsungcu · Sun Dec 29, 2013 7:35 am

I have had trouble with the versions of routerOS that support xauth. Not completely clear on how that would resolve the question of using a single set of keys with many remote, dynamic-ip'ed sites, though, can you clarify?