linux
brar, 2019-11-14 14:07:29

Site-to-Server IKEv2 IPsec?

Debian as the VPN server, strongSwan, fixed public ("white") address.

ipsec.conf

config setup
    uniqueids=no

conn ikev2-vpn-mikrotik
    auto=add
    authby=ecdsasig
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=120s
    rekey=no
    left=%any
    leftid=%bla_address
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsourceip=10.10.10.0/24
    rightsendcert=never

ipsec.secrets

: RSA "server-key.pem"

MikroTik as the client. Grey (private) dynamic address, behind the provider's NAT.
/ip ipsec export

/ip ipsec mode-config
add name=ike2-rw responder=no
/ip ipsec policy group
add name=ike2-rw
/ip ipsec profile
set [ find default=yes ] dh-group=modp4096,modp2048,modp1024
add name=ike2-rw
/ip ipsec peer
add address=SERVER_ADDRESS/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
/ip ipsec proposal
add name=ike2-rw pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=server-cert.pem_0 generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client \
policy-template-group=ike2-rw
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-rw proposal=ike2-rw src-address=0.0.0.0/0 template=yes

The VPN comes up between them. The MikroTik is assigned the IP address 10.10.10.1 on ether1 (WAN).
A small digression: in principle, for Android I also made a configuration in ipsec.conf via EAP. Everything works, all traffic from the phone goes through the VPN.
I make exactly the same settings on a second MikroTik (the same cert, key and CA). It gets the same IP address, 10.10.10.1. The two MikroTiks then alternately start "kicking" each other off the server.
And the second question, given this scheme: how do I now connect the local subnets behind the MikroTiks without resorting to PPP? Given that "Routing, when using IPsec 'in its pure form', cannot be used, because IPsec does not create a virtual interface that can be assigned an IP address and for which an entry can be added to the routing table" (c).


1 answer(s)
CityCat4, 2019-11-14
@brar

IPsec does not require routing. The basis of IPsec is the SPD (Security Policy Database) and the SAD (Security Associations Database). The SPD is built from the policies that you set yourself (in MikroTik) or that strongSwan builds (in Linux). The SAD is built automatically from the peer connections.
It is enough to describe the policies properly, and MikroTik will figure out where to send the packets. The only point is that packets pass through netfilter twice: in encrypted form and in decrypted form. And it must allow them in both cases.
There is a great picture showing the full packet path, including the places where packets are encrypted/decrypted (xfrm encode/xfrm decode). I think it is worth looking at it, and it will immediately become clear why routing is not needed in IPsec.
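The answer's point about netfilter seeing each packet twice, as an added shell example that is not part of the original answer: it emits (does not apply) iptables rules for the strongSwan server from the question, admitting IKE/ESP on the encrypted pass and matching the decrypted pass with the xfrm policy match, plus the commands that display the SPD and SAD. WAN_IF and LAN_BEHIND_MIKROTIK are assumed placeholders; 10.10.10.0/24 is the rightsourceip pool from the question, and the LAN rules assume a policy for that LAN has been negotiated.

```shell
#!/bin/sh
# Added example, not from the original post. Values below are assumptions
# except the 10.10.10.0/24 pool, which is the rightsourceip pool in the question.
WAN_IF="${WAN_IF:-eth0}"                                      # assumed WAN interface
POOL="10.10.10.0/24"                                          # pool from the post
LAN_BEHIND_MIKROTIK="${LAN_BEHIND_MIKROTIK:-192.168.88.0/24}" # assumed remote LAN

# Emit the rules instead of applying them so they can be reviewed first.
ipsec_fw_rules() {
    cat <<EOF
# Pass 1: the still-encrypted packets arriving on the WAN interface.
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
# Pass 2: the same packets after xfrm decode re-enter netfilter in clear
# text; accept them only if they really came out of an IPsec SA.
iptables -A INPUT   -m policy --dir in  --pol ipsec --proto esp -s $POOL -j ACCEPT
iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -s $LAN_BEHIND_MIKROTIK -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -d $LAN_BEHIND_MIKROTIK -j ACCEPT
# Never let clear-text packets for the remote LAN leave without an IPsec policy.
iptables -A FORWARD -d $LAN_BEHIND_MIKROTIK -m policy --dir out --pol none -j DROP
EOF
}

# The two databases the answer names; the kernel exposes both via ip xfrm.
ipsec_db_show() {
    cat <<EOF
ip xfrm policy   # SPD: selectors (src/dst subnets, direction) and the SA template each uses
ip xfrm state    # SAD: negotiated SAs with peers, SPIs and algorithms
EOF
}

ipsec_fw_rules
ipsec_db_show
```

The policy match is what distinguishes decrypted tunnel traffic from plain packets that merely carry a 10.10.10.x or LAN source address on the WAN side.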
