IPSEC tunnel instructions
Posted: Tue Jul 13, 2021 10:03 pm
by ohara
Hi, I have finally a broadband modem in two locations from my ISP.
- Location A: hEX S, default configuration, 192.168.1.0/24, ROS 6.48.3
- Location B: hAP ac, default configuration, 192.168.0.0/24, ROS 6.48.3
Each mikrotik has NAT enabled and masquerade. The good thing about the ISP modems is that I do not have double NAT.
Could you please recommend a most up to date or most recent manual/tutorial how to enable a proper IPSEC tunnel between both devices? I was always struggling with setting up IPSEC, most probably because double NAT, and ended up using PPTP/SSTP. However now that I have two broadband modems I would like to try IPSEC and use the full encryption potential of the mikrotik hardware. I would appreciate any advice you may have, as I haven't been around on this forum for quite a while. Many thanks.
Re: IPSEC tunnel instructions
Posted: Tue Jul 13, 2021 10:13 pm
by Dude2048
Re: IPSEC tunnel instructions
Posted: Tue Jul 13, 2021 10:32 pm
by ohara
In that instruction 192.168.80.1 would be my public IP from my ISP, correct?
Re: IPSEC tunnel instructions
Posted: Tue Jul 13, 2021 11:19 pm
by Dude2048
Jup
Re: IPSEC tunnel instructions
Posted: Tue Jul 13, 2021 11:36 pm
by ohara
ok, thanks. Already working on it. Keep fingers crossed please :)
Re: IPSEC tunnel instructions
Posted: Wed Jul 14, 2021 12:08 am
by ohara
Do you know if these firewall rules are supposed to be added on both routers?
It is very important that bypass rule is placed at the top of all other NAT rules.
Another issue is if you have IP/Fasttrack enabled, packet bypasses IPsec policies. So we need to add accept rule before FastTrack.
/ip firewall filter
add chain=forward action=accept place-before=1 src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related
Re: IPSEC tunnel instructions
Posted: Thu Jul 15, 2021 11:30 am
by Husky
Hi,
Yes, those firewall rules must be in place on both routers. But further down the tutorial, it mentions replacing those rules with Raw firewall rules instead for better performance (bypasses connection tracking). Just remember that if you need any port-forwarding stuff through the IPsec tunnel (for example, a port forward from router 1 to a server behind router 2) to work properly through the tunnel, you must rather not do this and instead stick with the regular Filter rules so that connection tracking works.
In addition, you might notice after a while (also after restarting both routers) that the tunnel comes up but you cannot ping or get traffic through it; you need to add another firewall filter rule to allow input for protocol ipsec-esp. If it is still not working, remember to add your routes.
Re: IPSEC tunnel instructions
Posted: Thu Jul 15, 2021 11:47 am
by pe1chl
I would advise not to use direct IPsec tunnels but to use a GRE (or IPIP) tunnel with the IPsec secret.
That will setup a GRE/IPsec or IPIP/IPsec tunnel which will give you a tunnel interface at each end.
You can then put a /30 address on each end of the tunnel (e.g. 192.168.2.1/30 and 192.168.2.2/30) and set routes to the other subnet via that address as a gateway.
This is much easier to understand and manage in the firewall, both for filtering and NAT.
Re: IPSEC tunnel instructions
Posted: Thu Jul 15, 2021 5:22 pm
by erkexzcx
viewforum.php?f=23 CTRL+F "VPN". I've written at least 3 VPN guides, 1 of them is mostly what you are asking - connecting 2 mikrotik routers.
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 1:07 am
by ohara
Thanks for your comments. I will give it a try and browse through your links/manuals. Probably I will need to set up a GRE tunnel.
I have successfully established connection via IPSEC, my problem is now that the connection stops in the evening when there is no traffic. Restarting any of the routers does not help. I cannot ping the other end. I read that flushing SA on both routers at the same time would help. Strange.
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 1:01 pm
by pe1chl
IPsec can sometimes run into trouble when there are NAT routers (or other routers keeping a stateful firewall) in between.
With GRE you can enable keepalive to guarantee some traffic.
I normally use BGP over the GRE tunnels to set the routes between the networks (even when it is a simple network), and the BGP traffic also keeps the tunnel alive when there is no user data (so GRE keepalive can be kept off).
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 1:58 pm
by ohara
IPsec can sometimes run into trouble when there are NAT routers (or other routers keeping a stateful firewall) in between.
With GRE you can enable keepalive to guarantee some traffic.
I normally use BGP over the GRE tunnels to set the routes between the networks (even when it is a simple network), and the BGP traffic also keeps the tunnel alive when there is no user data (so GRE keepalive can be kept off).
I set up GRE+IPSEC, disabled fastpath, and added notrack prerouting rules because of the default fasttrack. So far so good. Could you possibly share a manual/instructions on how to set it up - BGP over GRE on MikroTik - or any other resources you find useful? I don't know where to start with BGP. Many thanks.
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 4:53 pm
by pe1chl
BGP is really easy.
Under BGP->Instances, set the Router ID of each router to its primary IP address on the LAN. Set the AS to a different number on each router, you can use numbers like the default 65530, then 65531 on another, 65532 on a 3rd, etc. Numbers 64512 – 65534 are available for your use.
Under BGP->Peers, on each router add a peer entry for the neighboring router, with the peer's IP (from the /30 you put on the tunnel), the AS number of the neighboring router, and the following settings: nexthop choice = force self, hold time = 15s, ttl = 1.
Under BGP->Networks, on each router add the network addresses of your local networks (the /24 networks, usually).
That is all. Once you have done that, you should see the peer entries becoming "established" and the routes to the other side appear in the table.
There will now be traffic every 5 seconds (1/3 of the hold time you configured; you can set that higher as well, e.g. 30s).
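Pulling the GRE/IPsec advice and the BGP steps above together, here is an added RouterOS 6 CLI example for the location A router (not from the thread or from MikroTik's docs). A_PUBLIC_IP, B_PUBLIC_IP and the pre-shared key are placeholders; 10.0.1.0/24 (A) and 10.0.0.0/24 (B) are the LANs from the thread and 192.168.2.0/30 is the tunnel /30 suggested earlier. Router B mirrors it with the values swapped.

```routeros
# Added example, not the thread's own config: GRE+IPsec tunnel with BGP
# exchanging the LAN routes, as configured on the location A router.
# Placeholders: A_PUBLIC_IP, B_PUBLIC_IP, CHANGE_ME_PSK.

# 1. GRE tunnel protected by IPsec; fast path off so the firewall sees the
#    traffic. Keepalive is optional once BGP keeps the tunnel busy.
/interface gre
add name=gre-to-B local-address=A_PUBLIC_IP remote-address=B_PUBLIC_IP \
    ipsec-secret=CHANGE_ME_PSK allow-fast-path=no keepalive=10s,10
/ip address
add address=192.168.2.1/30 interface=gre-to-B

# 2. Input rules for the tunnel and its control traffic; these must sit
#    above the default "drop everything not from LAN" input rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
add chain=input action=accept protocol=gre ipsec-policy=in,ipsec comment="GRE only when it arrived inside IPsec"
add chain=input action=accept protocol=tcp dst-port=179 src-address=192.168.2.0/30 comment="Allow BGP from the tunnel /30 only"

# 3. Keep LAN-to-LAN traffic out of fasttrack/connection tracking (the raw
#    notrack rules mentioned above). Use forward filter rules instead of
#    these if you need port forwarding through the tunnel.
/ip firewall raw
add chain=prerouting action=notrack src-address=10.0.1.0/24 dst-address=10.0.0.0/24
add chain=prerouting action=notrack src-address=10.0.0.0/24 dst-address=10.0.1.0/24

# 4. BGP: a private AS per router, peer over the /30, announce only the
#    networks local to this router.
/routing bgp instance
set default as=65530 router-id=10.0.1.1
/routing bgp peer
add name=peer-B remote-address=192.168.2.2 remote-as=65531 \
    nexthop-choice=force-self hold-time=15s ttl=1
/routing bgp network
add network=10.0.1.0/24
```

The default masquerade rule only matches out-interface-list=WAN, so traffic leaving via gre-to-B is not NATed; check `/routing bgp peer print` for state "established" and `/ip route print` for the 10.0.0.0/24 route learned from B.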
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 6:24 pm
by ohara
I set that up as you explained, but the BGP state remains "connect" instead of "established". Do you see a flaw on the screenshots? The GRE tunnel is established and ping is ok between both routers. The AS route in IP>ROUTES was manually added by me for the GRE tunnel to work. Only later did I set up BGP as advised by you. Any advice would be appreciated. Do I need to add anything to the firewall? It's GRE over IPSEC, just in case. Thanks.
ROUTER 1 - 10.0.1.1
-------------------------------------------------------------------
ROUTER 2 - 10.0.0.1
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 6:55 pm
by ohara
added this rule
add action=accept chain=input comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
it works, how crazy, I can go ahead and add another location easily. Super
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 6:57 pm
by ohara
Do I need to put all networks in BGP on all routers like seen on the screenshot?
10.0.0.0/24 and 10.0.1.0/24 on both routers?
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 7:13 pm
by pe1chl
no, on each router you only add the networks that are local to that router and that you want other routers to know about.
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 7:15 pm
by pe1chl
added this rule
add action=accept chain=input comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
Yes, you need to allow input to port 179 tcp, of course not disabled like shown above. You can limit the src-address to the range you use on the GRE tunnels.
Re: IPSEC tunnel instructions
Posted: Fri Jul 16, 2021 11:32 pm
by ohara
Thank you for your advice. Everything is working fine with BGP GRE+IPSec. This setup simplifies tunnel management a lot.
Could you please advise how I can accomplish the following: a workstation (for example local IP 10.0.1.199) is in location A. I would like to route the traffic of that workstation (10.0.1.199) through the ISP in location B. I would appreciate any advice that I could use to start researching over the weekend. Thanks.