After writing the Mikrotik IPsec VPN article, I got some questions about how a Mikrotik will work with a Linux device to build an IPsec VPN. I noticed that the questions were mostly looking for a copy/paste solution, so I'll provide one that is working. If you need more details about why the solution looks like this, please let me know.
Also don’t forget to customize the solution as you need.
I'll start with the same topology as in the last post, except that the right side is now a Linux device.
Please consider the minimum ports that need to be open on your firewall, from my earlier article, and don't forget to open these ports on the Linux device as well.
First let’s configure the Mikrotik.
The IPsec Proposal
CLI
ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none
GUI
IP > IPsec > Proposals
Name: MyProposal
Auth. Algorithm: sha1
Encr. Algorithm: aes-256 cbc
PFS Group: none
The IPsec Policy
CLI
ip ipsec policy add src-address=192.168.0.0/24 dst-address=172.30.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=11.11.11.11 sa-dst-address=22.22.22.22 proposal=MyProposal
GUI
IP > IPsec > Policies
SRC ADDR: 192.168.0.0/24
DST ADDR: 172.30.0.0/24
Protocol: all
Action: Encrypt
Level: require
IPsec protocols: esp
Tunnel: check
SA SRC: 11.11.11.11
SA DST: 22.22.22.22
Proposal: MyProposal
The IPsec Peer
CLI
ip ipsec peer add address=22.22.22.22 port=500 auth-method=pre-shared-key secret=my_preshared_key exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024 generate-policy=no
GUI
IP > IPsec > Peers
Address: 22.22.22.22
Port: 500
Auth. Method: pre shared key
Passive: not checked
Secret: my_preshared_key
Policy Template Group: default
Exchange mode: main
Send Initial Contact: checked
NAT Traversal: checked
My ID: Auto - empty
Proposal Check: obey
Hash Algorithm: sha1
Encryption Algorithm: 3des aes-128
DH Group: modp1024
Generate policy: no
Now, the Linux part. I'm using Ubuntu, but I'm not going to advocate here for one flavour or another. Just use any device with Linux, or try a solution such as Amazon AWS. Install Openswan (compile it from source or install it via your Linux flavour's package system).
The main file for Openswan is ipsec.conf. For me this file is in /etc, but I assume it can reside in another location.
For the above example, the ipsec.conf file looks like this:
version 2.0

# basic configuration
config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    force_keepalive=yes
    keep_alive=60
    #nhelpers=0

# Add connections here
conn mikrotik-to-linux
    authby=secret
    auto=start
    type=tunnel
    left=22.22.22.22
    leftid=22.22.22.22
    leftsourceip=172.30.0.1
    leftsubnet=172.30.0.0/24
    right=11.11.11.11
    rightsubnet=192.168.0.0/24
    rightid=11.11.11.11
    pfs=no
    forceencaps=yes
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1

Read "left" as "local" (the Linux side) and "right" as "remote" (the Mikrotik side), and the configuration above becomes easier to follow.
Also in /etc I have another file called ipsec.secrets, which holds the pre-shared key:
22.22.22.22 11.11.11.11 : PSK "my_preshared_key"
This is the minimal configuration that I need to apply to have the IPsec VPN up and running. I'm sure it can be fine-tuned to add more security or features, but that is not in the scope of this post.
As always, if you have problems please let me know in the comments.
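Most failures with a two-vendor tunnel like this come from the two sides not describing the same thing: left/right swapped, a subnet mistyped on one side, PFS on here and off there, or a phase 1 algorithm that one end never offers. The script below is an added example and is not from the post or from either project; it parses the three Mikrotik CLI lines and the Openswan conn block exactly as given above (embedded as constructed input) and reports every field that does not line up. The function names and the small mapping tables between RouterOS algorithm names and Openswan tokens are assumptions of this example. Run against the post's own lines it reports one difference: the peer line offers 3des and aes-128 for phase 1 while ike= names aes256. Whether that matters depends on which side initiates and how strictly each side enforces its list, so it is worth confirming in the IKE log rather than assuming.

```python
"""Cross-check a Mikrotik proposal/policy/peer against an Openswan conn block.

Added example (not from the post). Mapping tables and function names are
assumptions; the two inputs are the post's own configuration, constructed here.
"""
import re
import shlex

# Constructed input: the three Mikrotik CLI lines from the post.
MIKROTIK_CLI = """
ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none
ip ipsec policy add src-address=192.168.0.0/24 dst-address=172.30.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=11.11.11.11 sa-dst-address=22.22.22.22 proposal=MyProposal
ip ipsec peer add address=22.22.22.22 port=500 auth-method=pre-shared-key secret=my_preshared_key exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024 generate-policy=no
"""

# Constructed input: the Openswan conn section from the post.
OPENSWAN_CONF = """
conn mikrotik-to-linux
    authby=secret
    auto=start
    type=tunnel
    left=22.22.22.22
    leftid=22.22.22.22
    leftsourceip=172.30.0.1
    leftsubnet=172.30.0.0/24
    right=11.11.11.11
    rightsubnet=192.168.0.0/24
    rightid=11.11.11.11
    pfs=no
    forceencaps=yes
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1
"""

# Assumed name mappings: RouterOS proposal enc-algorithms -> Openswan phase2alg token,
# and RouterOS peer enc-algorithm -> Openswan ike= token. Hash names are identical.
ESP_ENC = {"aes-256-cbc": "aes256", "aes-192-cbc": "aes192", "aes-128-cbc": "aes128", "3des": "3des"}
IKE_ENC = {"aes-256": "aes256", "aes-192": "aes192", "aes-128": "aes128", "3des": "3des"}


def parse_mikrotik(cli):
    """Return {'proposal': {...}, 'policy': {...}, 'peer': {...}} from 'ip ipsec X add k=v ...' lines."""
    out = {}
    for line in cli.strip().splitlines():
        words = shlex.split(line)
        if len(words) < 4 or words[:2] != ["ip", "ipsec"] or words[3] != "add":
            continue
        out[words[2]] = dict(w.split("=", 1) for w in words[4:] if "=" in w)
    return out


def parse_openswan_conn(text):
    """Return {'name': ..., 'params': {...}} for the first conn block (comments stripped)."""
    name, params = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            name = m.group(1)
        elif name and "=" in line:
            k, v = line.split("=", 1)
            params[k.strip()] = v.strip()
    return {"name": name, "params": params}


def check_pair(mt, conn):
    """Compare both sides; return a list of human-readable mismatches (empty means consistent)."""
    p, problems = conn["params"], []
    prop, pol, peer = mt["proposal"], mt["policy"], mt["peer"]

    def expect(label, mikrotik_value, openswan_value):
        if mikrotik_value != openswan_value:
            problems.append(f"{label}: Mikrotik {mikrotik_value!r} vs Openswan {openswan_value!r}")

    # 1. Endpoints: Mikrotik's SA destination is Openswan's left (local), SA source is right (remote).
    expect("peer address / left", peer["address"], p.get("left"))
    expect("sa-dst-address / left", pol["sa-dst-address"], p.get("left"))
    expect("sa-src-address / right", pol["sa-src-address"], p.get("right"))
    # 2. Traffic selectors are mirrored: Mikrotik src is Openswan rightsubnet and vice versa.
    expect("src-address / rightsubnet", pol["src-address"], p.get("rightsubnet"))
    expect("dst-address / leftsubnet", pol["dst-address"], p.get("leftsubnet"))
    # 3. Phase 2: proposal algorithms must equal phase2alg; PFS must be on or off on both sides.
    expect("proposal / phase2alg",
           f"{ESP_ENC[prop['enc-algorithms']]}-{prop['auth-algorithms']}", p.get("phase2alg"))
    expect("pfs-group / pfs", "no" if prop.get("pfs-group", "none") == "none" else "yes", p.get("pfs", "yes"))
    expect("ipsec-protocols / phase2", pol["ipsec-protocols"], p.get("phase2", "esp"))
    # 4. Phase 1: what ike= names must appear in the peer's lists, with the same DH group.
    ike_enc, ike_hash, ike_dh = re.fullmatch(r"([^-]+)-([^;]+);(\S+)", p["ike"]).groups()
    offered = {IKE_ENC.get(e, e) for e in peer["enc-algorithm"].split(",")}
    if ike_enc not in offered:
        problems.append(f"phase 1 encryption: Openswan ike= uses {ike_enc!r}, Mikrotik peer offers {sorted(offered)}")
    expect("hash-algorithm / ike hash", peer["hash-algorithm"], ike_hash)
    expect("dh-group / ike group", peer["dh-group"], ike_dh)
    # 5. Authentication method and NAT traversal must agree.
    expect("auth-method / authby",
           "secret" if peer["auth-method"] == "pre-shared-key" else peer["auth-method"], p.get("authby"))
    if p.get("forceencaps") == "yes" and peer.get("nat-traversal") != "yes":
        problems.append("forceencaps=yes on Openswan needs nat-traversal=yes on the Mikrotik peer")
    return problems


def audit(mikrotik_cli=MIKROTIK_CLI, openswan_conf=OPENSWAN_CONF):
    """Parse both sides and return the list of mismatches."""
    return check_pair(parse_mikrotik(mikrotik_cli), parse_openswan_conn(openswan_conf))


if __name__ == "__main__":
    for finding in audit() or ["no mismatches"]:
        print(finding)
```

Paste your own three Mikrotik lines and conn block into the two constants (or pass them to audit()) before changing anything on either box; an empty list means the two sides describe the same tunnel, and each reported line names the Mikrotik field and the Openswan keyword that disagree.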
Is it possible/simple to do it the other way around, e.g. Linux to Mikrotik, where Linux is the "client"?
Once you have the tunnel up, is there any routing to do?
Thank you, Călin, for this useful procedure! But one more question: is it possible to use Strongswan and IKEv2 for the GNU/Linux part, in order to have the most recent protocols? Do you have a Strongswan config for this?
What to do if the topology is a little bit different? If the Mikrotik has an LTE modem in its USB port and gets only a dynamic "grey" IP address (11.11.11.11) from the mobile internet provider and, I do not know how to say it correctly, this "grey" IP is behind the mobile internet provider's NAT. What and where do I have to write instead of 11.11.11.11?