Mikrotik
VMCLOUD, 2014-10-04 02:59:57

IPSec between two Mikrotiks?

Hello!
Actually, the problem is, or rather, I don't understand how IPSec is supposed to work in Mikrotik. Well, let's start with the introduction, what we have:
1. Mikrotik #1 - 77.77.77.77 - 1 WAN interface, it is in the DC, other interfaces are not involved.
2. Mikrotik #2 - 88.88.88.88 - RB2011UiAS - is in the office, LAN 172.16.0.1/24
The task is to bring up IPSec between the Mikrotiks and wrap all traffic in the IPSec tunnel. That is, simply to route Internet access through the DC.
So, now the fun begins, I can't figure out how to do it?! The simple version is to bring up an ipip tunnel, terminate it on 172.16.254.0/30 (.1 and .2 respectively at the ends of the tunnel), add a route on the DC Mikrotik saying that the 172.16.0.0/24 network is behind the ipip tunnel, and hang NAT on it. On the office Mikrotik, mark the traffic and hang a 0.0.0.0/0 route on the ipip tunnel with that routing mark.
In this version the traffic flows, pages open and all that...
And now I actually want to encrypt the traffic in the tunnel.
To do this, I turned to IPSec, and eventually ended up with the following commands on the Mikrotiks:
/ip ipsec peer add address=172.16.254.2 secret=eucdcag generate-policy=port-strict
# 2 Router Office
/ip ipsec policy add sa-src-address=172.16.254.2 sa-dst-address=172.16.254.1 action=encrypt
/ip ipsec peer add address=172.16.254.1 secret=eucdcag generate-policy=port-strict
# On both
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept comment="Allow IKE" disabled=no
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="Allow IPSec-esp" disabled=no
/ip firewall filter add chain=input protocol=ipsec-ah action=accept comment="Allow IPSec-ah" disabled=no
IPSec comes up, probably; at least the statistics aren't all zeros.
What's next?! As I understand it, the traffic somehow has to be sent through the created IPSec tunnel, but it's not clear how... It won't work with interfaces or addresses... Or will it?!
I appeal to the collective mind for help in enlightening me, dull-witted as I am...

2 answer(s)
Cool Admin, 2014-10-04
@ifaustrue

So, you need to bring it up in transport mode; the settings will be as follows:
1. At both ends, in the peers, specify the white (public) external address of the opposite side.
2. The policies are not in tunnel mode; on each side they look like this:
/ip ipsec policy add src-address=WHITE_IP_1/32 src-port=any dst-address=WHITE_IP_2/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=WHITE_IP_1 sa-dst-address=WHITE_IP_2 proposal=tunnel priority=1
and vice versa. You set up the proposals and peers just symmetrically, there is nothing special.
If everything is correct, the IPIP tunnel keeps working for you, and it simply becomes encrypted.
I.e. the error is in your policies. Right now you are encrypting inside the tunnel, but you need to encrypt outside it.
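Putting the question's IPIP setup and this answer's transport-mode policies together, here is a complete two-router configuration as an added example; it is not the configuration of either poster or of MikroTik's documentation. It uses the addresses from the question (77.77.77.77 in the DC, 88.88.88.88 in the office, tunnel 172.16.254.0/30, LAN 172.16.0.0/24) and the RouterOS 6.x command syntax of the time (before 6.43, when peer authentication and algorithms moved to `/ip ipsec identity` and `/ip ipsec profile`). Assumptions not on the page: `ether1` is the DC's WAN port, the proposal algorithms are this example's pick, the pre-shared key is a placeholder, and the policy is narrowed to `protocol=ipencap` (IP-in-IP, protocol 4) so that only the tunnel's outer packets are matched; the answer's `protocol=all` also works.

```routeros
# ===================== Router 1: DC (WAN 77.77.77.77) =====================
# Plain IPIP tunnel over the public addresses, as in the question.
/interface ipip add name=ipip-office local-address=77.77.77.77 remote-address=88.88.88.88
/ip address add address=172.16.254.1/30 interface=ipip-office
# The office LAN sits behind the far end of the tunnel.
/ip route add dst-address=172.16.0.0/24 gateway=172.16.254.2
# Office clients reach the Internet through the DC's WAN port (ether1 is an assumption).
/ip firewall nat add chain=srcnat src-address=172.16.0.0/24 out-interface=ether1 action=masquerade

# Transport-mode IPsec wrapping the *outer* IPIP packets, as the answer describes.
# Algorithms are this example's choice; CHANGE_ME_STRONG_PSK is a placeholder.
/ip ipsec proposal add name=tunnel auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024
/ip ipsec peer add address=88.88.88.88/32 exchange-mode=main secret=CHANGE_ME_STRONG_PSK \
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024
# protocol=ipencap restricts the policy to the IPIP packets between the two public IPs.
/ip ipsec policy add src-address=77.77.77.77/32 dst-address=88.88.88.88/32 protocol=ipencap \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=77.77.77.77 sa-dst-address=88.88.88.88 proposal=tunnel priority=1

# Accept IKE, ESP and the decrypted IPIP only from the peer (the question's rules
# accept them from anyone). These must sit above any generic drop rule in input.
/ip firewall filter add chain=input src-address=88.88.88.88 protocol=udp dst-port=500 \
    action=accept comment="IKE from office"
/ip firewall filter add chain=input src-address=88.88.88.88 protocol=ipsec-esp \
    action=accept comment="ESP from office"
/ip firewall filter add chain=input src-address=88.88.88.88 protocol=ipencap \
    action=accept comment="IPIP from office"

# ============ Router 2: office (WAN 88.88.88.88, LAN 172.16.0.1/24) ============
/interface ipip add name=ipip-dc local-address=88.88.88.88 remote-address=77.77.77.77
/ip address add address=172.16.254.2/30 interface=ipip-dc
# Policy routing: LAN traffic (except traffic addressed to the router itself) gets a
# routing mark, and a default route in that table points into the tunnel.
/ip firewall mangle add chain=prerouting src-address=172.16.0.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-dc passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=172.16.254.1 routing-mark=via-dc
# The router's own default route via the ISP stays in the main table, so IKE and the
# tunnel's outer packets still leave through the real WAN.

# Mirror image of the DC's IPsec settings.
/ip ipsec proposal add name=tunnel auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024
/ip ipsec peer add address=77.77.77.77/32 exchange-mode=main secret=CHANGE_ME_STRONG_PSK \
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024
/ip ipsec policy add src-address=88.88.88.88/32 dst-address=77.77.77.77/32 protocol=ipencap \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=88.88.88.88 sa-dst-address=77.77.77.77 proposal=tunnel priority=1
/ip firewall filter add chain=input src-address=77.77.77.77 protocol=udp dst-port=500 \
    action=accept comment="IKE from DC"
/ip firewall filter add chain=input src-address=77.77.77.77 protocol=ipsec-esp \
    action=accept comment="ESP from DC"
/ip firewall filter add chain=input src-address=77.77.77.77 protocol=ipencap \
    action=accept comment="IPIP from DC"
```

After applying both halves, `/ip ipsec installed-sa print` should show one ESP SA per direction between the two public addresses, and the counters in `/ip ipsec statistics print` should grow as the office browses. Because RouterOS applies a policy in both directions, `level=require` also means cleartext IPIP from the peer is dropped once the policy exists, so a mismatch in a proposal or PSK shows up as the tunnel going dead rather than as silent fallback. IPIP plus ESP adds overhead to every packet, so an MSS-clamping mangle rule on the office router is usually needed for TCP to behave.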

Maxim Chornopolsky, 2014-10-04
@Voiddancer

nixman.info/?p=2308
