raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Questions of an IPSec-Noob

Sun Jun 27, 2021 6:20 pm

Hello,

I have recently migrated my routing setup from OPNsense to a RB4011, which went super smooth and works like a charm.

Now comes the challenge (for me at least):

I know that the OpenVPN-support in Mikrotik is not good, so I want to go with IPSec.
My plan is to connect the RB4011 to an IPsec server running in the cloud and then connect mobile clients (laptops, phones) to the same server and reach my home network via this VPN.
The server is set up with algo (https://github.com/trailofbits/algo), but I can use anything else really.

How would I approach this setup?
I use the routeros cli for everything I have to configure.
But as I mainly worked with OpenVPN so far, setting up IPSec is rather hard to grasp for me.

Also, if my plan is not possible with IPSec:
Can OpenVPN be an alternative?
I do not have to transfer a lot of data via this vpn. I just use it to connect to my servers via ssh and maybe tell the robots to vacuum the rooms via http.
If OpenVPN suffices for that (even via tcp), I can still use that.

Any help is very much appreciated.
 
own3r1138
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Questions of an IPSec-Noob

Sun Jun 27, 2021 6:51 pm

I have a question: is this setup site-to-site, or do you just need to connect to your network through a VPN provided by your router?
 
raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Re: Questions of an IPSec-Noob

Sun Jun 27, 2021 8:25 pm

Hi,
thanks for asking.
I basically want to connect to my home network from anywhere.
No classic site-to-site.
 
own3r1138
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Questions of an IPSec-Noob

Sun Jun 27, 2021 8:57 pm

> Hi,
> thanks for asking.
> I basically want to connect to my home network from anywhere.
> No classic site-to-site.

I'm sure there are many more certified people in this forum. As far as I know, MikroTik supports OpenVPN over TCP only. But that doesn't mean you can't use it if you wish to.
For IPsec, IKEv2 is one of the good options, but it's more complicated than something like L2TP with PSK, which is a kind of easy config with less security. Either way, you need a static IP on your router, or you can use the Cloud option in RouterOS. Personally, when I use the GUI for config I understand better what I'm doing or what I missed; trying out Winbox may help you through the config.
IPsec Road Warrior config
https://help.mikrotik.com/docs/display/ROS/IPsec
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

And you can also use port forwarding, and to make sure your SSH is secure, use strong crypto with a private key required for SSH login.
 
raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Re: Questions of an IPSec-Noob

Sun Jun 27, 2021 9:49 pm

Hi,

so a public IP in my router is out of the picture.
Portforwarding is also not what I want.

The idea is to have my router connect to an IPsec server on the internet and then have other clients use my router (which is a client too) as a gateway to my home network.

That is possible with openvpn.
It should be possible with ipsec too, but how do I set this up?
 
own3r1138
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Questions of an IPSec-Noob

Sun Jun 27, 2021 11:06 pm

> Hi,
>
> so a public IP in my router is out of the picture.
> Portforwarding is also not what I want.
>
> The idea is to have my router connect to an IPsec server on the internet and then have other clients use my router (which is a client too) as a gateway to my home network.
>
> That is possible with openvpn.
> It should be possible with ipsec too, but how do I set this up?

So why have another IPsec server in the picture when your own router can easily handle it? It even has a chip for encryption and decryption (don't quote me on this :D). I think configuring the VPN on your own router is better than unnecessary traffic. You can use the MikroTik Cloud service; it's like DDNS if you don't have a static IP.
 
erkexzcx
Member Candidate
Posts: 264
Joined: Mon Oct 07, 2019 11:42 pm

Re: Questions of an IPSec-Noob

Sun Jun 27, 2021 11:23 pm

I've written several guides - you might find some guidance there. :)
 
nichky
Forum Guru
Posts: 1379
Joined: Tue Jun 23, 2015 2:35 pm

Re: Questions of an IPSec-Noob

Mon Jun 28, 2021 12:21 am

@raboof678

coming back to your topic.

"I know that the OpenVPN-support in Mikrotik is not good, so I want to go with IPSec."
I really want to know where you have found this?

What kind of device are you trying to connect?
Let's say you've got a Windows machine. OpenVPN is the best scenario for that.
- You can push the traffic to your client.
- You can choose the protocol. (v7)
- You can do tun or tap, depending on what you need

With IPsec, can you push the traffic on Windows? Can you bridge if you don't use L2TP?

Everything depends on your scenario.

With iOS I want to play with IPsec, on Windows OVPN.

That's my choice :)
 
raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Re: Questions of an IPSec-Noob

Mon Jun 28, 2021 9:37 am

@own3r1138
I do not want to use ddns. So I have to build my own vpnserver on the internet.

@erkexzcx
I will look into your guides when I come home.
Just scrolled over them and they seem helpful. Thanks!
Do you know if I have to configure anything on the clients to make them use my router as a gateway to my home network when connected to the vpn?
Like a "push-route" in openvpn.

@nichky
I am using the stable release at the moment, which limits me to using tcp with openvpn.
That should have an impact on performance. But I do not know if it matters that much.
I think the most performance intensive thing I would do over the vpn is logging into the ipmi of one of my servers at home.
 
raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Re: Questions of an IPSec-Noob

Tue Jun 29, 2021 10:04 am

So, to reiterate on the openvpn-support:
SHA1 as an auth algorithm? Did not see that one for almost a decade.
Does the v7 beta support secure algorithms?
 
raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Re: Questions of an IPSec-Noob

Tue Jun 29, 2021 10:14 pm

Hi,
so before resorting to using the beta of routeros, I wanted to give IPsec a try.

@erkexzcx
Thank you very much for writing your guides.
They are very good.
I sort of frankensteined them together.

I used this one to setup RouterOS in the cloud and then connect my router at home to that CHR:
viewtopic.php?f=23&t=169538

I also used the steps from that guide to generate the config for another client (my notebook).

Then I looked into this guide, to setup strongswan on Linux:
viewtopic.php?f=23&t=169538

And that is where I am failing right now.
My notebook does not want to connect to the vpn. My router at home connects just fine and can reach the CHR via the VPN-IPs.

The log of network-manager gives me the following error:
11[IKE] failed to establish CHILD_SA, keeping IKE_SA
This happens after the authentication is successful.

In the logs of the CHR I can see this:
ipsec,error no policy found/generated

Any idea what is going wrong there?
 
erkexzcx
Member Candidate
Posts: 264
Joined: Mon Oct 07, 2019 11:42 pm

Re: Questions of an IPSec-Noob

Tue Jun 29, 2021 11:44 pm

> ipsec,error no policy found/generated

Can you elaborate on your OS/vpn client? Did you perform client steps as per instructions? viewtopic.php?f=23&t=175656 :)

Maybe someone could comment on ROS part - I do have a feeling that it has something to do with either misconfigured policies or misconfigured mode-config in ROS ip->ipsec settings.
 
raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Re: Questions of an IPSec-Noob

Wed Jun 30, 2021 8:11 am

> ipsec,error no policy found/generated
>
> Can you elaborate on your OS/vpn client? Did you perform client steps as per instructions? viewtopic.php?f=23&t=175656 :)
>
> Maybe someone could comment on ROS part - I do have a feeling that it has something to do with either misconfigured policies or misconfigured mode-config in ROS ip->ipsec settings.

I sure can.
OS is Fedora 34 with KDE.
I installed the necessary dependencies, so that I could set up the VPN via NetworkManager.
List of dependencies:
NetworkManager-strongswan.x86_64   1.5.0-3.fc34
plasma-nm-strongswan.x86_64        5.22.2.1-1.fc34
strongswan.x86_64                  5.9.2-1.fc34
strongswan-charon-nm.x86_64        5.9.2-1.fc34
strongswan-sqlite.x86_64           5.9.2-1.fc34
strongswan-tnc-imcvs.x86_64        5.9.2-1.fc34

But, I could not set all of the parameters your guide mentions.

    Server->Identity: Not available
    Client->Port: Not available
    Client->Identity: Not available
    Options->Request an inner IP address: Unchecked, as I did not create a pool, I just set a static IP
    Cipher proposals->Enable custom proposals: Unchecked, as I guessed client and server will negotiate that (which according to the logs, they did)
    Cipher proposals->IKE: not set
    Cipher proposals->ESP: not set

I mainly did not set the cipher-settings, because I used your other guide to setup the server and so the ciphers would be different.

Regarding the mode-config or policy:
I would guess that those are correct, because as I've mentioned, my router can connect to the CHR without any problems.
But then again, I do not know a lot about ipsec, so I could be wrong.

I will double check the mode-config and policy later today. I keep my own log in a text file of stuff I enter via the shell when setting up systems I do not know very well yet.
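An added reference configuration, not from this thread or the linked guides, showing the parts of a RouterOS IKEv2 road-warrior responder that the "no policy found/generated" error points at: the identity's policy-template-group must contain a template whose addresses cover the traffic selectors the client proposes, and the mode-config hands the client an inner address. All names, the pool, the LAN prefix and the certificate name are constructed assumptions.

```routeros
# Added example with constructed names (ike2-rw, ike2-pool, 192.168.88.0/24 LAN,
# certificate "server-cert"); not this thread's configuration.
# Goal: IKEv2 responder that assigns an inner address to each road-warrior
# client and generates that client's policy from a template.

# 1. Phase-1 profile and phase-2 proposal with current algorithms
/ip ipsec profile add name=ike2-rw enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal add name=ike2-rw enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none

# 2. Address pool and mode-config: the client requests an inner IP and is told
#    which prefix to route through the tunnel (split-include)
/ip pool add name=ike2-pool ranges=10.99.0.2-10.99.0.254
/ip ipsec mode-config add name=ike2-rw address-pool=ike2-pool split-include=192.168.88.0/24 system-dns=no

# 3. Template group and template. The responder logs "no policy found/generated"
#    when nothing in the identity's template group matches the selectors the
#    client proposes for the CHILD_SA; 0.0.0.0/0 on both sides accepts any selector.
/ip ipsec policy group add name=ike2-rw
/ip ipsec policy add group=ike2-rw template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 proposal=ike2-rw

# 4. Passive IKEv2 peer plus the identity that ties certificate auth, policy
#    generation, the template group and the mode-config together
/ip ipsec peer add name=ike2-rw exchange-mode=ike2 passive=yes profile=ike2-rw
/ip ipsec identity add peer=ike2-rw auth-method=digital-signature certificate=server-cert \
    generate-policy=port-strict policy-template-group=ike2-rw mode-config=ike2-rw

# Checks after a client connects: the peer is listed, a dynamic policy (flag D)
# and installed SAs exist, and the log shows no ipsec,error lines
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

If a client does not request an inner address, its own LAN address becomes the selector, so a template narrower than 0.0.0.0/0 will not match it even though IKE authentication succeeded.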
 
raboof678
just joined
Topic Author
Posts: 14
Joined: Sun Jun 27, 2021 6:07 pm

Re: Questions of an IPSec-Noob

Sat Jul 03, 2021 1:56 pm

So, I did not get it to work with IPsec and switched to OpenVPN.
The performance via tcp is sufficient for my use case.

Thanks to everyone who tried to help.
