If you did not hear yet about Mikrotik I can’t say I blame you. Not exactly something you’ll find in SOHO network shops next to brand like TP-Link, Linksys or Netgear. Mikrotik is a company
in Latvia that produce network hardware under the name of RouterBOARD. The devices are excellent and the RouterOS support an amazing amount of feature for a SOHO product.
As recently I did develop a small VPN network based on IPsec and using Mikrotik RB951G-2HnD platform, I had the idea to put together a short how to for the enthusiast out there who wants to try these products. Now, I’m not saying that this is the best or the only approach, but it’s a start from which you can develop your own fine tuned solution.
Let’s assume that we have the following topology:
The idea is to build a VPN using IPsec technology between the two routers. The RouterOS version is 6.23, so earlier versions may not support all features described here, but I’ll try to point this where is the case.
As some people are more comfortable with GUI and others with CLI, I’ll describe both methods. If you are following this blog post, I assume that you are already a bit familiar with RouterOS and your Mikrotik device is connected at least to Internet.
In this example I’ll focus on the left side of the diagram. The right side is configured in the same way.
Before going into the real IPsec configuration, please be sure to have the following ports open on your Mikrotik firewall:
500/UDP - Internet Key Exchange (IKE) 4500/UDP - NAT Traversal, when NAT it's in use IP Proto 50 - Encapsulating Security Payload (ESP) IP Proto 51 - Authentication Header (AH)
You may not use these protocols after following this blog post, but it’s OK to have them open if you want to experiment. They can be closed later after you decide what to use, but we don’t want this as a blocking point and force us into troubleshooting.
You can allow the following ports into Mikrotik firewall as follow into CLI:
ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0 ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0 ip firewall filter add chain=input proto=udp port=500 action accept place-before=0 ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0
The place-before=0 is to force the rule on the top of your Input table.
On GUI, check the
IP > Firewall > Filter Rules > Input table
Another thing to remember if you’re using NAT like in the picture above is that the LAN subnets have to be allowed to communicate directly, before they are pass to masquerade rule.
ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=172.30.0.0/24 action=accept place-before=0
IP > Firewall > NAT
Let’s start now with the IPsec configuration part.
First let’s define a new IPsec Proposal policy. There is a default one which comes preconfigured but I would like to use my own.
ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none
IP > IPsec > Proposals
Name: MyProposal Auth. Algorithm: sha1 Encr. Algorithm: aes-256 cbc PFS Group: none
As mentioned earlier in this post, depending on your RouterOS version, you can have here different options. Just pick what suits your needs.
Next we need to define an IPsec Policy.
ip ipsec policy add src-address=192.168.0.0/24 dst-address=172.30.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=18.104.22.168 sa-dst-address=22.214.171.124 proposal=MyProposal
IP > IPsec > Policies
SRC ADDR: 192.168.0.0/24 DST ADDR: 172.30.0.0/24 Protocol: all Action: Encrypt Level: require IPsec protocols: esp Tunnel: check SA SRC: 126.96.36.199 SA DST: 188.8.131.52 Proposal: MyProposal
I think that settings are obvious, just be careful to correctly pick the sources (SRC ADDR and SA SRC). The SRC values are from local site while the DST part has to be the remote site.
Last we need to define a least one IPsec Peer
ip ipsec peer add address=184.108.40.206 port=500 auth-method=pre-shared-key secret=my_preshared_key exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024 generate-policy=no
IP > IPsec > Peers
Address: 220.127.116.11 Port: 500 Auth. Method: pre shared key Passive: not checked Secret: my_preshared_key Policy Template Group: default Exchange mode: main Send Initial Contact: checked NAT Traversal: checked My ID: Auto - empty Proposal Check: obey Hash Algorithm: sha1 Encryptions Algorithm: 3des aes-128 DH Group: modp1024 Generate policy: no
Be careful that if you are on version RouterOS 5.xx (just as an example) the Encryptions Algorithm field supports only one value and not multiple like configured above. I did especially to highlight that there are differences depending on the RouterOS version. Nevertheless the baseline for IPsec VPN configuration remains the same.
If you have questions or something does not work as explained please let me know in Comments.
3 thoughts on “Mikrotik IPsec VPN”
I followed your step.
It didn’t work for me.
I am getting “No tunnels up” when i ran the “service ipsec status” command on my linux machine.
Use “protocol” instead of “proto”.
ip firewall filter add chain=input protocol=ipsec-ah action=accept place-before=0
ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=0
ip firewall filter add chain=input protocol=udp port=500 action accept place-before=0
ip firewall filter add chain=input protocol=udp port=4500 action accept place-before=0