VPN
localsnet, 2016-11-30 16:02:58

Mikrotik IPsec: white IP ---- gray IP?

There are two Mikrotiks: one with a white IP (let's call it the server) and a second with a gray IP (let's call it the client, which is also the initiator).
Is it possible to set up an IPsec tunnel between them (without resorting to L2TP and the like)?
I've been struggling with this for two weeks now. I tried to follow the manual from wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrio... (except that instead of the unavailable IKEv2 I used main), but unfortunately it gave no positive result; the logs are rather meager and I could not identify the problem.
There are plenty of guides online for IPsec/L2TP, but practically nothing useful on "pure" IPsec.
I would be very grateful if you could point me in the right direction.
UPD. Current settings:
On the server side:
External interface: 1.1.1.1
LAN: 192.168.88.0/24

ip pool print 
 # NAME                                                RANGES                         
 0 dhcp                                                192.168.88.10-192.168.88.20    
 1 rw-pool                                             192.168.77.2-192.168.77.254

ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.77.0/24 protocol=all 
       proposal=default template=yes

ip ipsec mode-config print
Flags: * - default 
 0 * name="request-only" send-dns=yes 

 1   name="cfg1" send-dns=yes address-pool=rw-pool address-prefix-length=32 

ip ipsec peer print 
Flags: X - disabled, D - dynamic 
 0    address=::/0 local-address=:: passive=no port=500 auth-method=rsa-signature 
      certificate=srv2n remote-certificate=none generate-policy=port-strict 
      policy-template-group=default exchange-mode=main mode-config=cfg1 
      send-initial-contact=yes nat-traversal=yes proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d 
      lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 

ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024

ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.99.0/24 log=yes log-prefix="vpn_nat" 

 1    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway

On the client side:
External interface: gray dynamic IP (from the provider; the public IP is apparently also dynamic): 10.200.1.1
LAN: 192.168.99.0/24
ip ipsec peer print  
Flags: X - disabled, D - dynamic 

 1    address=1.1.1.1/32 local-address=:: passive=no port=500 auth-method=rsa-signature certificate=cert_export_client1.crt_0 
      remote-certificate=none generate-policy=port-strict policy-template-group=default exchange-mode=main mode-config=request-only 
      send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 
      lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 

ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 
ip ipsec mode-config print 
Flags: * - default 
 0 * name="request-only" send-dns=yes 

ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 XI  chain=srcnat action=accept src-address-list=10.200.1.1 dst-address-list=1.1.1.1 log=yes log-prefix="ipsec_nat" 

 1    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

I generated the certificates according to the manual above (with the only difference that I specified an email rather than an IP in the subject-alt-name= parameter), then exported them to the client.

2 answer(s)
Kirill Vasiliev, 2016-12-05
@vasilevkirill

Make policy templates and don't worry.
On the Mikrotik with the white IP, set the peer address to 0.0.0.0/0, enable passive mode, turn on NAT-T, and turn on policy generation. On the other side, you configure
all the necessary policies using your local address, and these policies are generated on the server side.

/ip ipsec policy group
add name=gre
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=Pr-aes128
add enc-algorithms=null name=Pr-Null pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 generate-policy=port-strict local-address=1.1.1.2 passive=yes policy-template-group=gre secret=12345!
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 group=gre proposal=Pr-Null src-address=192.168.254.0/24 template=yes
add dst-address=0.0.0.0/0 group=gre proposal=Pr-aes128 src-address=192.168.255.0/24 template=yes

Private IP
/ip ipsec policy group
add name=gre
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=Pr-aes128
add enc-algorithms=null name=Pr-Null pfs-group=none
/ip ipsec peer
add address=1.1.1.2/32 local-address=10.10.10.2 policy-template-group=gre secret=12345!
/ip ipsec policy
add dst-address=192.168.254.1/32 level=unique proposal=Pr-Null sa-dst-address=1.1.1.2 sa-src-address=10.10.10.2  src-address=192.168.254.2/32 tunnel=yes
add dst-address=192.168.255.1/32 level=unique proposal=Pr-aes128 sa-dst-address=1.1.1.2 sa-src-address=10.10.10.2 src-address=192.168.255.2/32 tunnel=yes

CityCat4, 2016-11-30
@CityCat4

When linking two Mikrotiks, there are several non-obvious points that are not described in any documentation:
1. When forming policies, the gray IPs must be specified.
2. SHA256 encryption works only when two Mikrotiks are linked to each other.
Configuration example:
(A Mikrotik with IP 1.2.3.4 communicates with a Mikrotik with address 172.16.1.1, in front of which there is a router with address 4.3.2.1. Behind the first Mikrotik is the network 10.1.1.0/24, behind the second 192.168.1.0/24.)
Mikrotik side with gray IP:

/ip ipsec peer
add address=1.2.3.4/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-128,aes-192,aes-256 hash-algorithm=sha256 proposal-check=strict
/ip ipsec policy
add dst-address=10.1.1.0/24 sa-dst-address=1.2.3.4 sa-src-address=\
    172.16.1.1 src-address=192.168.1.0/24 tunnel=yes

From the Mikrotik side with white IP:
/ip ipsec peer
add address=4.3.2.1/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-128,aes-192,aes-256 hash-algorithm=sha256 passive=yes proposal-check=strict
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=4.3.2.1 sa-src-address=\
    1.2.3.4 src-address=10.1.1.0/24 tunnel=yes

The example is, of course, without certificates, PSK only, but the presence or absence of certificates does not affect the setup.
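Both answers turn on the same detail: the router behind NAT writes its own gray address as sa-src-address, while the public router writes the NAT gateway's public address as sa-dst-address, so the two policy sets are deliberately not literal mirror images. The Python script below is an added example, not code from the thread and not MikroTik's tooling. It parses lines in the `/ip ipsec policy add ...` export syntax used in the answers and checks that two policies describe one tunnel from opposite ends, given a NAT map. The sample exports reuse CityCat4's addresses; the "wrong" variant, the NAT map and the set of addresses the gray router owns (what `/ip address print` would show) are constructed for the example.

```python
"""Consistency check for a pair of RouterOS IPsec policies.

Added example: not MikroTik code and not from the thread. Parses the
`/ip ipsec policy add ...` export syntax and checks that two policies
describe one tunnel from opposite ends. The NAT map encodes the point
both answers make: the router behind NAT uses its own gray address as
sa-src-address, while the public router's sa-dst-address is the NAT
gateway's public address.
"""
from __future__ import annotations

import ipaddress
import re

_KV = re.compile(r"(\S+?)=(\S+)")


def join_continuations(export: str) -> list[str]:
    """Join lines that RouterOS wrapped with a trailing backslash."""
    cmds, buf = [], ""
    for raw in export.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        cmds.append(buf + line)
        buf = ""
    if buf:
        cmds.append(buf)
    return cmds


def parse_policies(export: str) -> list[dict[str, str]]:
    """One dict of key=value settings per `add ...` command."""
    return [dict(_KV.findall(cmd[4:])) for cmd in join_continuations(export)
            if cmd.startswith("add ")]


def mirror_errors(a: dict, b: dict, nat: dict[str, str] | None = None) -> list[str]:
    """Problems that stop policy `a` (one router) and `b` (the other) forming one tunnel.

    `nat` maps a gray SA address to the public address the far side reaches it at.
    """
    nat = nat or {}

    def seen_by_peer(ip):  # how the other router addresses this SA endpoint
        return nat.get(ip, ip)

    errs = []
    if (a.get("src-address"), a.get("dst-address")) != (b.get("dst-address"), b.get("src-address")):
        errs.append("src-address/dst-address networks are not swapped between the two sides")
    if seen_by_peer(a.get("sa-src-address")) != b.get("sa-dst-address"):
        errs.append(f"a: sa-src-address {a.get('sa-src-address')} does not match "
                    f"b's sa-dst-address {b.get('sa-dst-address')}")
    if seen_by_peer(b.get("sa-src-address")) != a.get("sa-dst-address"):
        errs.append(f"b: sa-src-address {b.get('sa-src-address')} does not match "
                    f"a's sa-dst-address {a.get('sa-dst-address')}")
    for name, p in (("a", a), ("b", b)):
        if p.get("tunnel") != "yes":
            errs.append(f"{name}: tunnel=yes missing; transport mode cannot carry LAN-to-LAN traffic")
    return errs


def sa_src_errors(p: dict, owned: set[str]) -> list[str]:
    """sa-src-address must be an address this router itself holds.

    Behind NAT that is the gray address. Writing the NAT gateway's public IP
    there still satisfies the far side's sa-dst-address, which is why the
    mistake is hard to spot from the public router alone.
    """
    ip = p.get("sa-src-address")
    if ip is None:
        return ["sa-src-address missing"]
    if ip in owned:
        return []
    errs = [f"sa-src-address {ip} is not configured on this router"]
    if not ipaddress.ip_address(ip).is_private:
        errs.append("it looks like the NAT gateway's public address; use the router's own gray address")
    return errs


# Constructed sample exports reusing the addresses from CityCat4's answer.
GRAY_EXPORT = """\
/ip ipsec policy
add dst-address=10.1.1.0/24 sa-dst-address=1.2.3.4 sa-src-address=\\
    172.16.1.1 src-address=192.168.1.0/24 tunnel=yes
"""
WHITE_EXPORT = """\
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=4.3.2.1 sa-src-address=\\
    1.2.3.4 src-address=10.1.1.0/24 tunnel=yes
"""
# Constructed mistake: the gray side writes the NAT gateway's public address.
GRAY_WRONG_EXPORT = GRAY_EXPORT.replace("172.16.1.1", "4.3.2.1")
NAT = {"172.16.1.1": "4.3.2.1"}             # gray router -> address the public side sees
GRAY_OWNED = {"172.16.1.1", "192.168.1.1"}  # constructed: what /ip address print would show


def check_pair(gray_export=GRAY_EXPORT, white_export=WHITE_EXPORT, nat=NAT, owned=GRAY_OWNED):
    """Run both checks for one gray/white policy pair; empty list means consistent."""
    gray, white = parse_policies(gray_export)[0], parse_policies(white_export)[0]
    return mirror_errors(gray, white, nat) + sa_src_errors(gray, owned)


if __name__ == "__main__":
    for label, export in (("correct", GRAY_EXPORT), ("wrong sa-src", GRAY_WRONG_EXPORT)):
        print(label, check_pair(gray_export=export) or ["ok"])
```

Run as-is it reports the CityCat4 pair as consistent and flags the constructed variant where the gray router claims 4.3.2.1 as its own SA address. To use it on real routers, paste each side's `/ip ipsec policy export` output and fill `owned` from the gray router's `/ip address print`; the NAT map is the one fact the exports alone cannot tell you.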
