The Book

There is no cloud, it's just someone else's computer !!!


IPIP tunnel with IPsec transport [Mikrotik to Mikrotik]

Assumptions:

| Parameter                 | First location (Mikrotik Router1) | Second location (Mikrotik Router2) |
| Private network address   | 192.168.0.0/24                    | 192.168.1.0/24                     |
| Private interface address | 192.168.0.254                     | 192.168.1.254                      |
| Public interface address  | 1.1.1.1                           | 2.2.2.2                            |
| IPIP interface address    | 10.10.1.21/30                     | 10.10.1.22/30                      |
| IPIP interface name       | tunnel_test                       | tunnel_test                        |
| IPsec secret              | 12345678                          | 12345678                           |

Router 1 configuration

1. Create IPIP tunnel interface:

/interface ipip
add local-address=1.1.1.1 mtu=1480 name=tunnel_test remote-address=2.2.2.2 comment="" disabled=no

2. Add IP address to IPIP interface:

/ip address
add address=10.10.1.21/30 broadcast=10.10.1.23 comment="" disabled=no interface=tunnel_test network=10.10.1.20

3. Add route:

/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=10.10.1.22 scope=30 target-scope=10 comment="" disabled=no

At this point we have a functional, but still unencrypted, IPIP tunnel between the two routers (assuming that the first three
configuration steps have also been performed on the second router). Next we add the IPsec transport.

4. IPsec step 1 - Create IPsec peer:

/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
  dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
  lifetime=1d nat-traversal=no proposal-check=obey secret=12345678 send-initial-contact=yes

5. IPsec step 2 - Create IPsec policy:

/ip ipsec policy
add action=encrypt disabled=no dst-address=2.2.2.2/32:any ipsec-protocols=esp level=require priority=0 proposal=\
  default protocol=all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=1.1.1.1/32:any tunnel=no

6. IPsec step 3 - Create / Modify proposal:

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

Router 2 configuration

1. Create IPIP tunnel interface:

/interface ipip
add local-address=2.2.2.2 mtu=1480 name=tunnel_test remote-address=1.1.1.1 comment="" disabled=no

2. Add IP address to IPIP interface:

/ip address
add address=10.10.1.22/30 broadcast=10.10.1.23 comment="" disabled=no interface=tunnel_test network=10.10.1.20

3. Add route:

/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=10.10.1.21 scope=30 target-scope=10 comment="" disabled=no

——— IPIP tunnel configured! ———

4. IPsec step 1 - Create IPsec peer:

/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
  dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
  lifetime=1d nat-traversal=no proposal-check=obey secret=12345678 send-initial-contact=yes

5. IPsec step 2 - Create IPsec policy:

/ip ipsec policy
add action=encrypt disabled=no dst-address=1.1.1.1/32:any ipsec-protocols=esp level=require priority=0 proposal=\
  default protocol=all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32:any tunnel=no

6. IPsec step 3 - Create / Modify proposal:

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

You should now be able to ping 192.168.1.1 (the private IP of Router 2) from Router 1, and 192.168.0.1 (the private IP of Router 1) from Router 2.
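The whole procedure above (steps 1 to 6 on both routers) rendered from one parameter set, as an added Python example that is not part of this page and not MikroTik code. It assumes the addresses and names from the assumptions table; the `SITES`, `CRYPTO`, `router_commands` and `check_mirror` names are mine. Two details that are easy to get wrong when the two sides are typed by hand are the direction of the static route (it must point at the remote LAN through the remote tunnel address) and keeping the IPsec policy selectors mirrored while the proposal and pre-shared key stay identical; the script emits both routers from the same data and then checks exactly those properties. The algorithms are left as on the page (3DES, MD5, SHA1, modp1024), which are weak by current standards; `CRYPTO` is the one place to change them.

```python
"""Emit the mirrored RouterOS command set for an IPIP-over-IPsec (transport
mode) link.  Added example, not from the page or from MikroTik; addresses
are the page's hypothetical lab values."""
import ipaddress

# Site parameters from the page's assumptions table (hypothetical values).
SITES = {
    "Router1": {"public": "1.1.1.1", "lan": "192.168.0.0/24", "tunnel_ip": "10.10.1.21/30"},
    "Router2": {"public": "2.2.2.2", "lan": "192.168.1.0/24", "tunnel_ip": "10.10.1.22/30"},
}
TUNNEL_NAME = "tunnel_test"
PSK = "12345678"  # the page's placeholder; a real deployment uses a long random secret
# Algorithm names as on the page (weak by current standards).  The peer and the
# proposal entries spell cipher names differently in RouterOS, hence separate keys.
CRYPTO = {"peer_enc": "3des", "peer_hash": "md5", "dh": "modp1024",
          "prop_enc": "3des", "prop_auth": "sha1", "pfs": "modp1024"}


def router_commands(local, remote, crypto=CRYPTO):
    """Return the RouterOS commands for `local` when peering with `remote`."""
    l_ip = ipaddress.ip_interface(local["tunnel_ip"])
    r_ip = ipaddress.ip_interface(remote["tunnel_ip"])
    if l_ip.network != r_ip.network:
        raise ValueError("both tunnel addresses must lie in the same /30")
    net = l_ip.network
    return [
        "/interface ipip",
        f"add local-address={local['public']} remote-address={remote['public']} "
        f"mtu=1480 name={TUNNEL_NAME} disabled=no",
        "/ip address",
        f"add address={l_ip} network={net.network_address} "
        f"broadcast={net.broadcast_address} interface={TUNNEL_NAME} disabled=no",
        "/ip route",
        # The route targets the REMOTE LAN via the remote tunnel address; a route
        # for the local LAN here would leave the far side unreachable.
        f"add dst-address={remote['lan']} gateway={r_ip.ip} distance=1 "
        "scope=30 target-scope=10 disabled=no",
        "/ip ipsec peer",
        f"add address={remote['public']}/32:500 auth-method=pre-shared-key "
        f"secret={PSK} exchange-mode=main dh-group={crypto['dh']} "
        f"enc-algorithm={crypto['peer_enc']} hash-algorithm={crypto['peer_hash']} "
        "lifetime=1d generate-policy=no nat-traversal=no proposal-check=obey "
        "send-initial-contact=yes disabled=no",
        "/ip ipsec policy",
        # Transport mode (tunnel=no): selectors are the two public /32s with
        # protocol=all, so the IPIP packets (IP protocol 4) between them get ESP.
        f"add src-address={local['public']}/32:any dst-address={remote['public']}/32:any "
        f"sa-src-address={local['public']} sa-dst-address={remote['public']} "
        "protocol=all action=encrypt level=require ipsec-protocols=esp "
        "tunnel=no proposal=default disabled=no",
        "/ip ipsec proposal",
        f"set default auth-algorithms={crypto['prop_auth']} "
        f"enc-algorithms={crypto['prop_enc']} pfs-group={crypto['pfs']} "
        "lifetime=30m disabled=no",
    ]


def _field(cmds, section, key):
    """Value of `key=` in the command line that follows the `section` header."""
    line = cmds[cmds.index(section) + 1]
    for token in line.split():
        if token.startswith(key + "="):
            return token.split("=", 1)[1]
    raise KeyError(f"{key} not found under {section}")


def check_mirror(a, b):
    """True if command sets `a` and `b` describe the two ends of one link."""
    swapped = [("/interface ipip", "local-address", "remote-address"),
               ("/ip ipsec policy", "src-address", "dst-address"),
               ("/ip ipsec policy", "sa-src-address", "sa-dst-address")]
    for section, k1, k2 in swapped:  # must be crossed over between the sides
        if (_field(a, section, k1) != _field(b, section, k2)
                or _field(a, section, k2) != _field(b, section, k1)):
            return False
    same = [("/ip ipsec peer", "dh-group"), ("/ip ipsec peer", "secret"),
            ("/ip ipsec proposal", "enc-algorithms"),
            ("/ip ipsec proposal", "auth-algorithms"),
            ("/ip ipsec proposal", "pfs-group")]
    if any(_field(a, s, k) != _field(b, s, k) for s, k in same):  # must match
        return False
    # Each side routes to a different LAN via the OTHER side's tunnel address.
    if _field(a, "/ip route", "dst-address") == _field(b, "/ip route", "dst-address"):
        return False
    for x, y in ((a, b), (b, a)):
        if _field(x, "/ip route", "gateway") != _field(y, "/ip address", "address").split("/")[0]:
            return False
    return True


if __name__ == "__main__":
    r1 = router_commands(SITES["Router1"], SITES["Router2"])
    r2 = router_commands(SITES["Router2"], SITES["Router1"])
    for name, cmds in (("Router1", r1), ("Router2", r2)):
        print(f"# {name}\n" + "\n".join(cmds) + "\n")
    print("mirror check:", "ok" if check_mirror(r1, r2) else "MISMATCH")
```

Paste each router's block into its own terminal. To confirm that the IPIP traffic is actually being encrypted rather than merely tunnelled, `/ip ipsec installed-sa print` on either router should list an ESP SA between the two public addresses once the first ping has gone through.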

networking/mikrotik/ipip_with_ipsec_transport_mikrotik_to_mikrotik.txt · Last modified: 2016/02/18 12:35 (external edit)