System administration
by_EL, 2020-02-16 22:24:55

How do I create a site-to-site IPsec connection in tunnel mode between MikroTik routers?

And please explain the difference between creating IPsec in transport mode and in tunnel mode. What is the difference? Thank you in advance.


3 answer(s)
CityCat4, 2020-02-16
@CityCat4

> difference... IPsec in both transport and tunnel mode

It's in google.
I will describe the order of creation tomorrow - if someone else does not write earlier :)
Let's take the simplest case - authentication by PSK (Pre-Shared Key, that is, a simple text password). The password text is "123456" (obviously, if you implement this yourself, the password should be more serious). LANs on both sides: system A - 10.1.1.1, system B - 10.2.2.1, mask for both networks - /24 (255.255.255.0). So let's go. RouterOS 6.45.7, default values are not shown.
System A (on system B everything is the same, only mirrored)
Step 0 - create a proposal
This step is optional
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1h name=proposal1

The very first thing is to create a proposal. This is our offer to the other party about which ciphers we support and which packet signing methods. We choose the strongest encryption, AES-256 in Galois/Counter Mode (GCM); a separate packet signature is not required. Here we also set the lifetime of the tunnel until a partial reset - 1 hour.
This step is optional; it is needed only to strengthen the protection of the tunnel. Without it, a set of simpler ciphers will be used, like AES-128 CBC with SHA1 as the packet signature algorithm.
Step 1 - create a connection profile
/ip ipsec profile
add dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=2h name=profile1 \
    nat-traversal=no proposal-check=strict

We disable DPD - it only causes problems; we set encryption and hashing algorithms stronger than the defaults (the default encryption can be 3DES, the default hash SHA1); we set the tunnel lifetime to 2 hours (after that - a complete re-establishment of the connection with a reset of the encryption keys); we turn off NAT Traversal; and we specify strict proposal checking (a very important parameter! If the tunnel lifetime requested by the other side is longer than the one set on our side - send it back, if shorter or equal - accept it).
Step 2 - create a partner (data about the remote system)
/ip ipsec peer
add address=170.70.70.1/32 comment="Main VPN" name=RB2011 profile=profile1

There is nothing to explain here, everything is self-evident.
Step 3 - create a policy
/ip ipsec policy
add dst-address=10.2.2.0/24 peer=RB2011 proposal=proposal1 src-address=10.1.1.0/24 tunnel=yes

A very important step. This is where we tell MikroTik which packets will be encrypted. And we turn on tunnel mode.
Step 4 - create identities. Previously, IPsec in MikroTik had fewer entities and the explanation was simpler...
/ip ipsec identity
add peer=RB2011 secret=123456

Naturally, the question arises - how does MikroTik know where to send the packets? This is written in its settings - all packets from network 10.1.1.0/24 to 10.2.2.0/24 are encrypted and sent to 170.70.70.1, and all ESP packets arriving from 170.70.70.1 must be decrypted and processed again.
In general, to understand how packets travel through IPsec, there is an excellent diagram: Packet Flow in Netfilter and General Networking.
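As an added example (not code from either answer): a small Python generator that produces the mirrored configuration of the steps above for both routers from one description, so the two sides cannot drift apart, and checks that the two policies are exact mirror images. System A's public address (160.60.60.1) and peer name (RB1) are assumptions, since the answer only shows system B's.

```python
# Added example: build the RouterOS 6.45 IPsec commands for both ends of a
# tunnel-mode site-to-site link and verify the policy selectors mirror.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Site:
    name: str   # peer name as it appears on the OTHER router
    wan: str    # public address the other side connects to
    lan: str    # local network that will be encrypted


def ipsec_commands(me: Site, other: Site, secret: str) -> list[str]:
    """Return the /ip ipsec commands for router `me` towards `other`."""
    return [
        "/ip ipsec proposal",
        'add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1h name=proposal1',
        "/ip ipsec profile",
        "add dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 "
        "lifetime=2h name=profile1 nat-traversal=no proposal-check=strict",
        "/ip ipsec peer",
        f"add address={other.wan}/32 name={other.name} profile=profile1",
        "/ip ipsec policy",
        f"add src-address={me.lan} dst-address={other.lan} peer={other.name} "
        "proposal=proposal1 tunnel=yes",
        "/ip ipsec identity",
        f"add peer={other.name} secret={secret}",
    ]


def policies_mirror(cmds_a: list[str], cmds_b: list[str]) -> bool:
    """True when A's src/dst selector equals B's dst/src selector."""
    def selector(cmds: list[str]) -> tuple[str, str]:
        line = next(c for c in cmds if "tunnel=yes" in c)
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        return kv["src-address"], kv["dst-address"]
    src_a, dst_a = selector(cmds_a)
    src_b, dst_b = selector(cmds_b)
    return (src_a, dst_a) == (dst_b, src_b)


SITE_A = Site("RB1", "160.60.60.1", "10.1.1.0/24")    # WAN address assumed
SITE_B = Site("RB2011", "170.70.70.1", "10.2.2.0/24")  # from the answer
CMDS_A = ipsec_commands(SITE_A, SITE_B, "123456")
CMDS_B = ipsec_commands(SITE_B, SITE_A, "123456")

if __name__ == "__main__":
    print("\n".join(CMDS_A))
    print("mirror ok:", policies_mirror(CMDS_A, CMDS_B))
```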

ky0, 2020-02-16
@ky0

https://lmgtfy.com/?q=ipsec+transport+vs+tunnel
I leave the question from the title for training by analogy.

Roman Kulakovich, 2020-02-17
@Wernisag

Please write in your native language.
1. Interfaces -> IP Tunnel, create a tunnel
2. IP -> IPsec, configure the parameters one by one (check the defaults): Policies, Proposals, Peers, Identities, Profiles
3. If everything is OK, the corresponding items will appear in the Active Peers and Installed SAs tabs
4. IP -> Addresses, assign a network address to our IPsec interface
5. IP -> Routes, set the route to the tunnel interface so that the router knows where to send packets.
Similarly, via the CLI:

/interface ipip
add disabled=no dscp=0 local-address=88.88.88.2 mtu=1260 name=ipip1 \
    remote-address=77.77.77.226
# the section header below is missing from the pasted export; /ip address is assumed
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no \
    interface=ether2-master-local network=192.168.88.0
add address=88.88.88.2/30 disabled=no interface=ether1-gateway network=\
    62.5.248.248
# the section header below is missing from the pasted export; /ip dhcp-client is assumed
/ip dhcp-client
add add-default-route=yes comment="default configuration" \
    default-route-distance=1 disabled=no interface=ether1-gateway \
    use-peer-dns=yes use-peer-ntp=yes
/ip ipsec peer
add address=77.77.77.226/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=MyPassWord send-initial-contact=yes
/ip route
add comment="Default routing" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=88.88.88.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.192.0.0/22 gateway=ipip1 scope=30 \
    target-scope=10
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no
add action=accept chain=output disabled=no
/system logging
add action=memory disabled=no prefix="" topics=ipsec
