Mikrotik IPsec VPN

If you did not hear yet about Mikrotik I can’t say I blame you. Not exactly something you’ll find in SOHO network shops next to brand like TP-Link, Linksys or Netgear. Mikrotik is a company
in Latvia that produce network hardware under the name of RouterBOARD. The devices are excellent and the RouterOS support an amazing amount of feature for a SOHO product.

As recently I did develop a small VPN network based on IPsec and using Mikrotik RB951G-2HnD platform, I had the idea to put together a short how to for the enthusiast out there who wants to try these products. Now, I’m not saying that this is the best or the only approach, but it’s a start from which you can develop your own fine tuned solution.

Let’s assume that we have the following topology:

Mikrotik-IPsec-VPN

The idea is to build a VPN using IPsec technology between the two routers. The RouterOS version is 6.23, so earlier versions may not support all features described here, but I’ll try to point this where is the case.

As some people are more comfortable with GUI and others with CLI, I’ll describe both methods. If you are following this blog post, I assume that you are already a bit familiar with RouterOS and your Mikrotik device is connected at least to Internet.

In this example I’ll focus on the left side of the diagram. The right side is configured in the same way.

Before going into the real IPsec configuration, please be sure to have the following ports open on your Mikrotik firewall:

500/UDP - Internet Key Exchange (IKE)

4500/UDP - NAT Traversal, when NAT it's in use

IP Proto 50 - Encapsulating Security Payload (ESP)

IP Proto 51 - Authentication Header (AH)

You may not use these protocols after following this blog post, but it’s OK to have them open if you want to experiment. They can be closed later after you decide what to use, but we don’t want this as a blocking point and force us into troubleshooting.

You can allow the following ports into Mikrotik firewall as follow into CLI:

ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0
ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0
ip firewall filter add chain=input proto=udp port=500 action accept place-before=0
ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0

The place-before=0 is to force the rule on the top of your Input table.

On GUI, check the

IP > Firewall > Filter Rules > Input table

Another thing to remember if you’re using NAT like in the picture above is that the LAN subnets have to be allowed to communicate directly, before they are pass to masquerade rule.

CLI

ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=172.30.0.0/24 action=accept place-before=0

GUI

IP > Firewall > NAT

Let’s start now with the IPsec configuration part.

First let’s define a new IPsec Proposal policy. There is a default one which comes preconfigured but I would like to use my own.

CLI

ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none

GUI

IP > IPsec > Proposals

Name: MyProposal
Auth. Algorithm: sha1
Encr. Algorithm: aes-256 cbc
PFS Group: none

As mentioned earlier in this post, depending on your RouterOS version, you can have here different options. Just pick what suits your needs.

Next we need to define an IPsec Policy.

CLI

ip ipsec policy add src-address=192.168.0.0/24 dst-address=172.30.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=11.11.11.11 sa-dst-address=22.22.22.22 proposal=MyProposal

GUI

IP > IPsec > Policies

SRC ADDR: 192.168.0.0/24
DST ADDR: 172.30.0.0/24
Protocol: all
Action: Encrypt
Level: require
IPsec protocols: esp
Tunnel: check
SA SRC: 11.11.11.11
SA DST: 22.22.22.22
Proposal: MyProposal

I think that settings are obvious, just be careful to correctly pick the sources (SRC ADDR and SA SRC). The SRC values are from local site while the DST part has to be the remote site.

Last we need to define a least one IPsec Peer

CLI

ip ipsec peer add address=22.22.22.22 port=500 auth-method=pre-shared-key secret=my_preshared_key exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024 generate-policy=no

GUI

IP > IPsec > Peers

Address: 22.22.22.22
Port: 500
Auth. Method: pre shared key
Passive: not checked
Secret: my_preshared_key
Policy Template Group: default
Exchange mode: main
Send Initial Contact: checked
NAT Traversal: checked
My ID: Auto - empty
Proposal Check: obey
Hash Algorithm: sha1
Encryptions Algorithm: 3des aes-128
DH Group: modp1024
Generate policy: no

Be careful that if you are on version RouterOS 5.xx (just as an example) the Encryptions Algorithm field supports only one value and not multiple like configured above. I did especially to highlight that there are differences depending on the RouterOS version. Nevertheless the baseline for IPsec VPN configuration remains the same.

If you have questions or something does not work as explained please let me know in Comments.