The Book

User Tools

Site Tools

Trace: ipsec_tunnel_mikrotik_to_linksys_befvp41
networking:mikrotik:ipsec_tunnel_mikrotik_to_linksys_befvp41

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
networking:mikrotik:ipsec_tunnel_mikrotik_to_linksys_befvp41 [2016/02/18 12:23] rpleckonetworking:mikrotik:ipsec_tunnel_mikrotik_to_linksys_befvp41 [2016/03/08 12:11] (current) rplecko
Line 6: Line 6:
 == Assumptions: == == Assumptions: ==
  
-{{mikrotik:ipsec_tunnel.png?700}}\\+{{ networking:mikrotik:ipsec_tunnel:ipsec_tunnel.png?700 }}\\
  
-^ First location             ^ Mikrotik Router1 ^ ^ Second location            ^ Mikrotik Router2 ^ ^ Third location             ^ Linksys BEFVP41  ^  +^ First location             ^ Mikrotik RB1000 ^ ^ Second location            ^ Mikrotik RB1000 ^ ^ Third location             ^ Linksys BEFVP41  ^  
 | Private network address    |      10.10.1.0/24| | Private network address    |      10.10.2.0/24| | Private network address    |      10.10.3.0/24|   | Private network address    |      10.10.1.0/24| | Private network address    |      10.10.2.0/24| | Private network address    |      10.10.3.0/24|  
 | Private interface address  |       10.10.1.254| | Private interface address  |       10.10.2.254| | Private interface address  |       10.10.3.254|   | Private interface address  |       10.10.1.254| | Private interface address  |       10.10.2.254| | Private interface address  |       10.10.3.254|  
Line 14: Line 14:
 | IPsec secret                        12345678| | IPsec secret                        12345678| | IPsec secret                        12345678| | IPsec secret                        12345678| | IPsec secret                        12345678| | IPsec secret                        12345678|
  
 +Internet router RB450 is faking Internet connection and does the basic routing between public networks 1.1.1.0, 2.2.2.0 and 3.3.3.0.
 +NAT is configured on all routers and they also provide DHCP for respective networks.
 + 
 +=== Internet router configuration ===
 +
 +<code>
 +/ip address
 +add address=1.1.1.254/24 disabled=no interface=ether1 network=1.1.1.0
 +add address=2.2.2.254/24 disabled=no interface=ether2 network=2.2.2.0
 +add address=3.3.3.254/24 disabled=no interface=ether3 network=3.3.3.0
 +</code>
 +=== First router configuration ===
 +1.IP addressess
 +<code>
 +/ip address
 +add address=10.10.1.254/24 disabled=no interface=ether1 network=10.10.1.0
 +add address=1.1.1.1/24 disabled=no interface=ether4 network=1.1.1.0
 +</code>
 +2.Default route
 +<code>
 +/ip route
 +add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.254 scope=30 \
 +    target-scope=10
 +</code>
 +3.NAT - Note that NAT bypass for IPsec tunnels rule is on the top of the list !!! It is set for all 10.10.x.x networks but you can specify subnets individually.
 +<code>
 +/ip firewall nat
 +add action=accept chain=srcnat disabled=no dst-address=10.10.0.0/16 src-address=\
 +   10.10.1.0/24
 +add action=masquerade chain=srcnat disabled=no out-interface=ether4
 +</code>
 +4.IPsec
 +<code>
 +/ip ipsec proposal
 +set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=\
 +   default pfs-group=modp1024
 +/ip ipsec peer
 +add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
 +   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
 +   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn=\
 +   "" nat-traversal=yes port=500 proposal-check=obey secret=!secret! \
 +   send-initial-contact=yes
 +/ip ipsec policy
 +add action=encrypt disabled=no dst-address=10.10.2.0/24 dst-port=any \
 +   ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
 +   sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.10.1.0/24 \
 +   src-port=any tunnel=yes
 +</code>
 +
 +=== Second router configuration ===
 +
 +1.IP address
 +<code>
 +/ip address
 +add address=10.10.2.254/24 disabled=no interface=ether1 network=10.10.2.0
 +add address=2.2.2.2/24 disabled=no interface=ether4 network=2.2.2.0
 +</code>
 +2.Default route
 +<code>
 +/ip route
 +add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.254 scope=30 \
 +   target-scope=10
 +</code>
 +3.Note that NAT bypass for IPsec tunnels rule is on the top of the list !!! It is set for all 10.10.x.x networks but you can specify subnets individually.
 +<code>
 +/ip firewall nat
 +add action=accept chain=srcnat disabled=no dst-address=10.10.0.0/16 src-address=\
 +   10.10.2.0/24
 +add action=masquerade chain=srcnat disabled=no out-interface=ether4
 +</code>
 +4.IPsec
 +<code>
 +/ip ipsec proposal
 +set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
 +   name=default pfs-group=modp1024
 +</code>
 +4.1.First tunnel - to Mikrotik router at 1.1.1.1
 +<code>
 +/ip ipsec peer
 +add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
 +   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
 +   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
 +   my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=\
 +   !secret! send-initial-contact=yes
 +</code>
 +4.2.Second tunnel - to Linksys router at 3.3.3.3
 +<code>
 +/ip ipsec peer
 +add address=3.3.3.3/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
 +   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
 +   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
 +   my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=\
 +   !secret! send-initial-contact=yes
 +</code>
 +4.3. IPsec policy
 +<code>
 +/ip ipsec policy
 +add action=encrypt disabled=no dst-address=10.10.1.0/24 dst-port=any \
 +   ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
 +   sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=10.10.2.0/24 \
 +   src-port=any tunnel=yes
 +add action=encrypt disabled=no dst-address=10.10.3.0/24 dst-port=any \
 +   ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
 +   sa-dst-address=3.3.3.3 sa-src-address=2.2.2.2 src-address=10.10.2.0/24 \
 +   src-port=any tunnel=yes
 +add action=masquerade chain=srcnat disabled=no out-interface=ether4
 +</code>
 +5.Keep alive for Linksys router
 +<code>
 +/system scheduler
 +add disabled=no interval=30s name="Ping remote" on-event=\
 +   "ping 10.10.3.254 src-address=10.10.2.254 count=1" policy=\
 +   ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
 +   start-date=nov/25/2011 start-time=00:00:00
 +</code>
 +When the tunnel is dropped on Mikrotik side, Linksys is unable to bring it up again even if the "keep alive" check box is properly checked. To circumvent this bug, the simplest way is to send a single ping from Mikrotik every 30 seconds. If the tunnel was droped in the meantime, this ping will bring it up again.
 +Be carefull what you are pinging and from which IP. Ping must be sourced from local private interface to remote private interface which can communicate only if the tunnel is established, and if it isn't, this ping will initiate it. Better way would be to engage NetWatch for this task, but problem is that you cannot specify ping source (AFAIK).
 +
 +=== Third router (BEFVP41) configuration ===
 +{{ networking:mikrotik:ipsec_tunnel:01.png?700 }}\\
 +{{ networking:mikrotik:ipsec_tunnel:02.png?700 }}\\
 +{{ networking:mikrotik:ipsec_tunnel:03.png?700 }}\\
 +{{ networking:mikrotik:ipsec_tunnel:04.png?700 }}\\
 +
 +This configuration was tested live on real equipment, and if it doesn't work for you, it is because of potential error in this document or mistake you made copying to your environment.
 +If you think that there is the better way to do this, please feel free to comment.
 +Best of luck. 
networking/mikrotik/ipsec_tunnel_mikrotik_to_linksys_befvp41.1455798215.txt.gz · Last modified: 2016/02/18 12:23 (external edit)