mweidner (Topic Author)

IPsec VPN for road warrior with IKEv2 on version 6.44

Thu Dec 19, 2019 9:38 pm

Hi all,

In the manual I found an example road-warrior setup using IKEv2 and certificates, which I could use with `auth-method=pre-shared-key-xauth` on version 6.43. With `ip ipsec user ...` I was able to predetermine the address that the VPN clients got from the pool.

Now that 6.44 is the long-term version, I'm struggling with the configuration for this version.
So far I got it working with certificates, the client gets a configuration with an address from the pool.

But I didn't manage to predetermine the address that the client gets when it's connecting.
Can anyone help me out here?

The server configuration from my test setup (in GNS3, no license) looks like this:
> ip ex
# dec/19/2019 19:12:34 by RouterOS 6.44.5
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-profile
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-proposal pfs-group=ecp256
/ip pool
add name=ike2-pool ranges=10.107.252.3-10.107.252.254
/ip ipsec mode-config
add address-pool=ike2-pool name=ike2-conf split-include=10.107.252.2/32
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=10.107.252.2 interface=loopback network=10.107.252.2
/ip ipsec identity
add auth-method=rsa-signature certificate=mpg-rz3-vpn05 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=10.107.252.0/24 group=ike2-policies proposal=ike2-proposal src-address=10.107.252.2/32 template=yes
/ip route
add distance=1 dst-address=10.107.252.0/24 gateway=192.168.1.2
The client side looks like this:
> ip ex
# dec/19/2019 19:12:14 by RouterOS 6.44.5
/ip ipsec mode-config
add name=ike2-conf responder=no
/ip ipsec policy group
add name=ike2-policy
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-profile
/ip ipsec peer
add address=192.168.1.1/32 exchange-mode=ike2 name=mpg-rz3-vpn05 profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-proposal pfs-group=ecp256
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=10.107.252.249 disabled=yes interface=loopback network=10.107.252.249
/ip ipsec identity
add auth-method=rsa-signature certificate=mpg-de-ess-vpn01.crt_0 generate-policy=port-strict mode-config=ike2-conf peer=mpg-rz3-vpn05 policy-template-group=ike2-policy
/ip ipsec policy
add group=ike2-policy proposal=ike2-proposal template=yes
Currently the client gets the last address from the pool (10.107.252.3-10.107.252.254), but I want to use this for more than one client and need to predetermine the addresses, because I want to put a GRE tunnel on top of IPsec.

Any help is appreciated.

Thanks,
Mathias
 
manyyy

Re: IPsec VPN for road warrior with IKEv2 on version 6.44

Thu Dec 19, 2019 10:47 pm

Hi Mathias,
You can determine which IP the client will receive by using my-id in /ip ipsec identity and mode-config like below:
Server:
[admin@VPN-Server] /ip ipsec identity> pr
Flags: D - dynamic, X - disabled 
 0    peer=ikev2 auth-method=pre-shared-key mode-config=client1 
      remote-id=user-fqdn:client1@domain secret="12345" generate-policy=port-strict
[admin@VPN-Server] /ip ipsec identity> .. mode-config pr
Flags: * - default, R - responder 
 0 *  name="request-only" responder=no 

 1  R name="client2" system-dns=no static-dns="" address=172.16.0.3 address-prefix-length=24
Client:
[admin@IKE-Client1] /ip ipsec identity> pr
Flags: D - dynamic, X - disabled 
 0    peer=ikev2 auth-method=pre-shared-key 
      mode-config=request-only my-id=user-fqdn:client1@domain
      secret="12345" generate-policy=port-strict 
Hope it helps.
Cheers
 
mweidner (Topic Author)

Re: IPsec VPN for road warrior with IKEv2 on version 6.44  [SOLVED]

Fri Dec 20, 2019 7:50 pm

Thanks manyyy, this helped me.

I ditched the address pool and configured the peer address using `ip ipsec identity` and `ip ipsec mode-config`.

The server config now looks like this:
[admin@MPG-RZ3-VPN05] > ip ex
# dec/20/2019 17:36:28 by RouterOS 6.44.5
/ip ipsec mode-config
add address=10.107.252.249 name=mpg-de-ess-vpn01
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-profile
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-proposal pfs-group=ecp256
/ip address
...
add address=10.107.252.2 interface=loopback network=10.107.252.2
/ip ipsec identity
add auth-method=rsa-signature certificate=mpg-rz3-vpn05 generate-policy=port-strict mode-config=mpg-de-ess-vpn01 peer=ike2 policy-template-group=ike2-policies remote-certificate=mpg-de-ess-vpn01
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2-proposal src-address=0.0.0.0/0 template=yes
...
And the client config looks like this:
[admin@MPG-DE-ESS-VPN01] > ip ex
# dec/20/2019 17:26:16 by RouterOS 6.44.5
/ip ipsec mode-config
add name=ike2-conf responder=no
/ip ipsec policy group
add name=ike2-policy
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-profile
/ip ipsec peer
add address=192.168.1.1/32 exchange-mode=ike2 name=mpg-rz3-vpn05 profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-proposal pfs-group=ecp256
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip ipsec identity
add auth-method=rsa-signature certificate=mpg-de-ess-vpn01.crt_0 generate-policy=port-strict mode-config=request-only peer=mpg-rz3-vpn05 policy-template-group=ike2-policy
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-policy proposal=ike2-proposal src-address=0.0.0.0/0 template=yes
From the server I can do `ping 10.107.252.249` and from the client `ping 10.107.252.2` and get answers.

Basically the client IP address is determined with an appropriate combination of `ip ipsec mode-config` and `ip ipsec identity`.

I have made a diagram to get a better understanding of what is configured where.
Please correct me if I'm wrong.
+-------------------+
| policy (template) |
+-+-+---------------+
  | |
  | +---------------+
  |                 |
  V                 V
+--------------+  +-------------------+
| policy group |  | proposal (phase2) |
+-+------------+  | ----------------- |
  ^               | enc algorithms    |
  |               | auth algorithms   |
  |               | pfs group         |
  |               | lifetime          |
  |               +-------------------+
  |
+-+------------------+
| identity           |
| ------------------ |
| auth method        |
| certificate        |
| remote certificate |
+-+-+-+--------------+
  | |
  | +------------------+
  |                    |
  V                    V
+-+----------------+ +---------------+
| mode-config      | | peer          |
| -----------      | | ----          |
| name (cert)      | | exchange-mode |
| (remote) address | | passive       |
+------------------+ +---------------+
                       |
                       V
                     +------------------+
                     | profile (phase1) |
                     | ---------------- |
                     | enc algorithm    |
                     | hash algorithm   |
                     | dh group         |
                     +------------------+
BTW: You can convert the diagram to PNG with ditaa.
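Generalizing manyyy's answer and the final server configuration above to several road-warrior clients, here is an added example (it is not from the thread and not from MikroTik's documentation) of a responder that hands out one fixed address per client, with a GRE tunnel on top, which is the use case the first post describes. All names (vpn-server, client-a, client-b, the bridge called loopback, the 10.107.252.x endpoints) are assumptions; the certificates are assumed to be imported already and signed by one CA. The final configuration in the thread has a single identity, so it never has to decide which identity a connecting client belongs to. With several identities on the same peer each one has to be tied to a specific client, otherwise the first identity that matches hands out its address to any client holding a valid certificate from that CA. The example does that with remote-certificate plus match-by=certificate, which the RouterOS documentation lists for 6.44 and later; check that the installed version accepts the parameter. The policy templates are kept narrow (the tunnel endpoints only) rather than 0.0.0.0/0 on both sides, so a client cannot negotiate a policy that covers other networks behind the server. The GRE interfaces are the next step announced in the first post and an assumption about how the tunnel is terminated; the thread itself only verifies ping between the endpoints.

```routeros
# ---- Server (responder), hypothetical name vpn-server ----
/interface bridge
add name=loopback
/ip address
add address=10.107.252.2 interface=loopback network=10.107.252.2
/ip ipsec profile
add name=ike2-profile dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
add name=ike2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=ecp256
/ip ipsec policy group
add name=ike2-policies
/ip ipsec peer
add name=ike2 exchange-mode=ike2 passive=yes profile=ike2-profile
# One mode-config per client with a fixed /32 instead of an address pool,
# so the tunnel endpoint of every client is known before it connects.
# split-include limits what the client is told to route through the tunnel.
/ip ipsec mode-config
add name=conf-client-a address=10.107.252.11 address-prefix-length=32 split-include=10.107.252.2/32
add name=conf-client-b address=10.107.252.12 address-prefix-length=32 split-include=10.107.252.2/32
# One identity per client. match-by=certificate (assumed available, documented
# for 6.44+) binds the identity, and therefore its mode-config, to the client
# certificate named in remote-certificate; a different valid certificate from
# the same CA cannot claim this address.
/ip ipsec identity
add peer=ike2 auth-method=rsa-signature certificate=vpn-server remote-certificate=client-a match-by=certificate mode-config=conf-client-a generate-policy=port-strict policy-template-group=ike2-policies
add peer=ike2 auth-method=rsa-signature certificate=vpn-server remote-certificate=client-b match-by=certificate mode-config=conf-client-b generate-policy=port-strict policy-template-group=ike2-policies
# Policy template restricted to the tunnel endpoints, not 0.0.0.0/0 <-> 0.0.0.0/0:
# a generated policy may only cover the server loopback and the /24 the
# client endpoints live in.
/ip ipsec policy
add template=yes group=ike2-policies proposal=ike2-proposal src-address=10.107.252.2/32 dst-address=10.107.252.0/24
# GRE over the IPsec-protected endpoints (assumption: the next step from the
# first post; the thread only verifies ping between these addresses).
/interface gre
add name=gre-client-a local-address=10.107.252.2 remote-address=10.107.252.11
add name=gre-client-b local-address=10.107.252.2 remote-address=10.107.252.12

# ---- Client A (initiator), hypothetical name client-a ----
# Client B is identical apart from its own certificate and GRE local-address.
/ip ipsec profile
add name=ike2-profile dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
add name=ike2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=ecp256
/ip ipsec policy group
add name=ike2-policy
/ip ipsec peer
add name=vpn-server address=192.168.1.1/32 exchange-mode=ike2 profile=ike2-profile
# request-only: accept whatever address the responder's matching mode-config assigns.
/ip ipsec identity
add peer=vpn-server auth-method=rsa-signature certificate=client-a mode-config=request-only generate-policy=port-strict policy-template-group=ike2-policy
# Template narrowed to the server loopback; the generated policy will be
# <assigned /32> -> 10.107.252.2/32 and nothing wider.
/ip ipsec policy
add template=yes group=ike2-policy proposal=ike2-proposal src-address=0.0.0.0/0 dst-address=10.107.252.2/32
/interface gre
add name=gre-vpn-server local-address=10.107.252.11 remote-address=10.107.252.2
```

Once a client has connected, `/ip ipsec active-peers print` on the server lists it together with the address it was given, and `/ip ipsec policy print` shows the dynamically generated policy; if a client shows up with the other client's address, the identities are not being matched by certificate. manyyy's variant with pre-shared keys achieves the same per-client binding through remote-id=user-fqdn:... and a separate secret per identity; with certificate authentication, matching by certificate is the stronger binding because the client does not get to choose the identifier it is matched on.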
