atuxnull
Frequent Visitor
Topic Author
Posts: 82
Joined: Tue Feb 07, 2017 10:02 pm

IPsec between nodes without static IP and CGNAT

Mon Apr 11, 2022 8:02 am

I would like to create an IPsec VPN for my MikroTik routers, but I am stuck since none of the sites has a static IP and one is behind a CGNAT (4G network). The VPN will consist of:
-one central point which has dynamic DNS. MikroTik router
-one remote point which has dynamic DNS. MikroTik router
-one remote point which is behind CGNAT. MikroTik router
-3 remote users. Windows laptops.
Any guide on how to create something like this?
 
eduplant
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: IPsec between nodes without static IP and CGNAT

Mon Apr 11, 2022 8:39 am

I’m pretty sure you’d want to model it on the “road warrior” configuration [1] with hub side generating dynamic policies.

If the hub device can’t have a static address, it gets a lot more annoying. RouterOS cannot natively use DNS names in place of IP address entries so you’ll have to live with something like a periodic update script that [:resolve]s the DNS name and if it’s changed, updates the address in the IPsec configuration.


[1] https://help.mikrotik.com/docs/display/ROS/IPsec
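The periodic update script described in the reply above, written out as an added example (it is not code from the thread or from MikroTik's documentation). It assumes the remote site's peer is named p1.ez, as in the site B export further down, and uses a placeholder DDNS hostname; it only touches the peer when the resolved address differs from the one already stored, so the tunnel is not reset on every run:

```routeros
# Added example, not from the thread: re-resolve the hub's DDNS name and
# update the IPsec peer address only when it has changed.
# Assumptions: the peer is named "p1.ez"; the hostname below is a placeholder.
:local hubName "HUB-DDNS-NAME.sn.mynetname.net"
:local peerName "p1.ez"

# Resolve first; if DNS is unavailable, keep the current address rather than
# blanking the peer.
:local resolved
:do {
    :set resolved [:resolve $hubName]
} on-error={
    :log warning "ipsec-ddns: cannot resolve $hubName, keeping current peer address"
    :error "resolve failed"
}

:local peerId [/ip ipsec peer find name=$peerName]
:if ([:len $peerId] = 0) do={
    :log error "ipsec-ddns: peer $peerName not found"
    :error "no such peer"
}

# The peer address is stored as a host prefix, hence the /32 in the comparison.
:local current [/ip ipsec peer get $peerId address]
:if ([:tostr $current] != "$resolved/32") do={
    /ip ipsec peer set $peerId address=$resolved
    :log info "ipsec-ddns: $peerName address changed from $current to $resolved"
}
```

Save it under /system script (for example as ipsec-ddns) and run it from /system scheduler with an interval that matches how fast the hub's address can change, e.g. `/system scheduler add name=ipsec-ddns interval=5m on-event=ipsec-ddns`. Changing the peer address tears down the existing IKE SA, which is why the script compares before it writes.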
 
atuxnull
Frequent Visitor
Topic Author
Posts: 82
Joined: Tue Feb 07, 2017 10:02 pm

Re: IPsec between nodes without static IP and CGNAT

Mon Apr 11, 2022 9:24 am

Thanks for the reply. I have seen this page, but I got confused by the tons of info. I would like to ask if you are aware of any guide on how to configure it, since the wiki has so many options.
 
eduplant
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: IPsec between nodes without static IP and CGNAT

Mon Apr 11, 2022 9:35 am

There are a number of scenarios and probably “Site to Site GRE tunnel over IPsec (IKEv2) using DNS” is closest to what you’re trying to configure. Frankly now that I’m looking at it, this use case does seem to use a client remote-address that is derived directly from DNS. It’s been a while since I’ve done testing on this exact situation and if RouterOS can now periodically re-resolve DNS names in this circumstance, that is definitely the way to go.
 
atuxnull
Frequent Visitor
Topic Author
Posts: 82
Joined: Tue Feb 07, 2017 10:02 pm

Re: IPsec between nodes without static IP and CGNAT

Mon Apr 11, 2022 11:54 am

I am facing issues as it does not connect. Here is my setup.

site A (server)
-PPPoE to the ITSP, and it has an IP > Cloud name. I am giving a fake one for security reasons.
-It has 2 different VLANs, 172.16.5.1/24 and 10.0.0.1/24, on different ports.
config:
/interface bridge
add name=bridge1
add name=bridge2
add name=loopback
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password= service-name=otenet use-peer-dns=yes user=\
    whatever@isp.net
/interface gre
add local-address=192.168.99.1 name=gre-tunnel1 remote-address=192.168.99.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=192.168.99.2 address-prefix-length=32 name=ike2-gre \
    split-include=192.168.99.1/32 system-dns=no
/ip ipsec policy group
add name=ike2-gre
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2-gre pfs-group=\
    none
/ip pool
add name=dhcp_pool0 ranges=172.16.5.150-172.16.5.199
add name=pool2 ranges=10.0.0.100-10.0.0.149
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=pool2 disabled=no interface=bridge2 name=dhcp2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge2 interface=ether4
add bridge=bridge2 interface=ether5
/ip address
add address=172.16.5.1/24 interface=bridge1 network=172.16.5.0
add address=10.0.0.1/24 interface=bridge2 network=10.0.0.0
add address=192.168.99.1 interface=loopback network=192.168.99.1
add address=172.16.1.1/30 interface=gre-tunnel1 network=172.16.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=11m
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8,9.9.9.9 gateway=10.0.0.1
add address=172.16.5.0/24 dns-server=8.8.8.8,9.9.9.9 gateway=172.16.5.1
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" \
    in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
    dst-port=500,1701,4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add generate-policy=port-strict mode-config=ike2-gre peer=ike2 \
    policy-template-group=ike2-gre secret=test
/ip ipsec policy
add dst-address=192.168.99.2/32 group=ike2-gre proposal=ike2-gre src-address=\
    192.168.99.1/32 template=yes
/ip route
add distance=1 dst-address=10.1.202.0/24 gateway=172.16.1.2
add distance=1 dst-address=192.168.2.0/24 gateway=172.16.1.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
site B (client)

-eth1 has the IP 192.168.2.202/24
-eth2 has the IP 192.168.2.202/24
/interface gre
add local-address=192.168.99.2 name=gre-tunnel1 remote-address=192.168.99.1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ike2-gre responder=no
/ip ipsec policy group
add name=ike2-gre
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 name=ike2-gre
/ip ipsec peer
add address=3xyz12302bncvgatux.sn.mynetname.net exchange-mode=ike2 name=p1.ez \
    profile=ike2-gre
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2-gre pfs-group=\
    none
/ip address
add address=192.168.1.202/24 interface=ether1 network=192.168.1.0
add address=192.168.2.202/24 interface=ether2 network=192.168.2.0
add address=172.16.1.2/30 interface=gre-tunnel1 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add generate-policy=port-strict mode-config=ike2-gre peer=p1.ez \
    policy-template-group=ike2-gre secret=test
/ip ipsec policy
add dst-address=192.168.99.1/32 group=ike2-gre proposal=ike2-gre src-address=\
    192.168.99.2/32 template=yes
/ip route
add distance=1 dst-address=10.1.101.0/24 gateway=172.16.1.1
/system identity
set name=siteB
I cannot get it connected.
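The export above carries RouterOS's own "Suggestion to use stronger pre-shared key" comment, and the site A profile offers modp1024 alongside the stronger groups, which lets an initiator settle on the 1024-bit group. As an added example (not from the thread), the following tightens those two items on the site A export; it assumes the profile and identity names from that export and uses a placeholder secret:

```routeros
# Added example, not from the thread: tighten the items the export flags.
# Assumptions: profile "ike2" and the identity for peer "ike2" exist as in
# the posted site A export; the secret is a placeholder to be replaced.

# Offer only the stronger DH groups and a single strong cipher/hash, so the
# IKE negotiation cannot land on modp1024 or aes-128.
/ip ipsec profile
set [ find name=ike2 ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256

# Replace the test PSK; the same value must be set on the site B identity.
/ip ipsec identity
set [ find peer=ike2 ] secret="REPLACE-WITH-LONG-RANDOM-PSK"
```

The remote side's profile (dh-group=ecp256, enc-algorithm=aes-256) already fits within this set, so the change only removes the weaker fallbacks the hub was still advertising; the secret has to be changed on both ends at the same time or the next rekey fails.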
 
sindy
Forum Guru
Posts: 11230
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec between nodes without static IP and CGNAT

Mon Apr 11, 2022 1:06 pm

The configuration seems fine to me, so it is time for debugging.

At both devices, what does /ip firewall connection print interval=1s where dst-address~":4500" and /ip ipsec active-peers print interval=1s show if you let each run for a minute?
