This is a rough draft for personal reference, maybe something will be made of it one day…
RouterOS version 6.44 and later.
IP Cloud is used as a dynamic DNS system for looking up the remote site's public IP. This step can be skipped if a different DDNS system is used. Time update via IP Cloud is disabled here for the case where NTP is used; you can enable it if necessary.
Afterwards, you can use the following command to get the dns-name value of the local router, which will be used in the configuration of the script on the remote router.
# Enable the IP Cloud DDNS name for this router. Time update via IP Cloud is left off because
# NTP is used (switch update-time=yes if NTP is not available). The dns-name shown by "print"
# is the value the other site's ipsec-peer-update script resolves.
/ip cloud set ddns-enabled=yes update-time=no
/ip cloud print
/ip ipsec
# Tunnel "vpn01", configured on the 10.10.10.0/24 site. The other site uses the same block with
# the subnets swapped.
# IKE (phase 1): SHA-512 integrity, AES-256 preferred with AES-128 as fallback, 4096-bit MODP DH group.
profile add name="secure-profile" hash-algorithm=sha512 enc-algorithm=aes-256,aes-128 dh-group=modp4096
# IKEv2 peer. The address is a placeholder for the other site's public IP: the ipsec-peer-update
# script finds this peer by comment="vpn01" and rewrites the address from the DDNS name, so the
# comment is the lookup key and must match on the peer and on the policy.
peer add name="vpn01" comment="vpn01" address=127.99.99.99/32 exchange-mode=ike2 profile=secure-profile
# PSK authentication. Replace the placeholder with a long random secret, identical on both routers.
# The secret is kept on the router in recoverable form and ends up in backups/sensitive exports,
# so protect those like the secret itself.
identity add comment="vpn01" auth-method=pre-shared-key secret=REPLACE_THIS_WITH_RANDOM_SECRET peer=vpn01
# ESP (phase 2): SHA-512 integrity, AES-256-CBC, PFS with the same 4096-bit group.
proposal add name="secure-proposal" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp4096
# Tunnel-mode policy between the two LANs. sa-dst-address mirrors the peer address and is kept in
# sync by the same script; sa-src-address=0.0.0.0 presumably lets the router use whatever WAN address
# it currently has — confirm.
policy add comment="vpn01" dst-address=10.10.20.0/24 src-address=10.10.10.0/24 tunnel=yes proposal=secure-proposal sa-dst-address=127.99.99.99 sa-src-address=0.0.0.0
/ip ipsec
# Mirror of the tunnel "vpn01" for the 10.10.20.0/24 site: same profile, proposal and PSK, with the
# policy's src/dst subnets swapped. comment="vpn01" on peer and policy is the key the
# ipsec-peer-update script uses to find and rewrite the placeholder address 127.99.99.99.
profile add name="secure-profile" hash-algorithm=sha512 enc-algorithm=aes-256,aes-128 dh-group=modp4096
peer add name="vpn01" comment="vpn01" address=127.99.99.99/32 exchange-mode=ike2 profile=secure-profile
# Same random secret as on the other router; never leave the placeholder in place.
identity add comment="vpn01" auth-method=pre-shared-key secret=REPLACE_THIS_WITH_RANDOM_SECRET peer=vpn01
proposal add name="secure-proposal" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp4096
policy add comment="vpn01" dst-address=10.10.10.0/24 src-address=10.10.20.0/24 tunnel=yes proposal=secure-proposal sa-dst-address=127.99.99.99 sa-src-address=0.0.0.0
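/ip firewall
# NAT bypass for tunnel traffic, placed at the top of each chain (place-before=0) so it wins over any
# masquerade rule: LAN-to-LAN packets keep their private addresses and therefore match the IPsec policy.
nat add comment="vpn01" action=accept chain=srcnat dst-address=10.10.20.0/24 src-address=10.10.10.0/24 place-before=0
nat add comment="vpn01" action=accept chain=dstnat dst-address=10.10.10.0/24 src-address=10.10.20.0/24 place-before=0
# IKE: the first IKEv2 exchange arrives on UDP 500 (no port is set on the peer, so the default applies);
# the peers move to UDP 4500 only after NAT is detected. Both must be accepted on the WAN interface for
# this router to act as responder. The source cannot be pinned because the other site's IP is dynamic.
# "filter add" appends to the chain: move these rules above any final drop rule on the input chain.
filter add comment="ipsec-ike" chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
filter add comment="ipsec-ike-natt" chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
# ESP arrives unencapsulated when there is no NAT between the peers; with NAT-T it travels inside UDP 4500.
filter add comment="ipsec-esp" chain=input in-interface=ether1-gateway protocol=ipsec-esp
# Decrypted traffic from the remote LAN into this LAN (default action is accept). ipsec-policy=in,ipsec
# matches only packets that were actually decapsulated, so clear-text packets from the WAN that merely
# spoof a 10.10.20.0/24 source do not match this rule.
filter add comment="vpn01" chain=forward dst-address=10.10.10.0/24 in-interface=ether1-gateway ipsec-policy=in,ipsec src-address=10.10.20.0/24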
TODO FW rules
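/ip firewall
# NAT bypass for tunnel traffic, placed at the top of each chain (place-before=0) so it wins over any
# masquerade rule: LAN-to-LAN packets keep their private addresses and therefore match the IPsec policy.
nat add comment="vpn01" action=accept chain=srcnat dst-address=10.10.10.0/24 src-address=10.10.20.0/24 place-before=0
nat add comment="vpn01" action=accept chain=dstnat dst-address=10.10.20.0/24 src-address=10.10.10.0/24 place-before=0
# IKE: the first IKEv2 exchange arrives on UDP 500 (no port is set on the peer, so the default applies);
# the peers move to UDP 4500 only after NAT is detected. Both must be accepted on the WAN interface for
# this router to act as responder. The source cannot be pinned because the other site's IP is dynamic.
# "filter add" appends to the chain: move these rules above any final drop rule on the input chain.
filter add comment="ipsec-ike" chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
filter add comment="ipsec-ike-natt" chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
# ESP arrives unencapsulated when there is no NAT between the peers; with NAT-T it travels inside UDP 4500.
filter add comment="ipsec-esp" chain=input in-interface=ether1-gateway protocol=ipsec-esp
# Decrypted traffic from the remote LAN into this LAN (default action is accept). ipsec-policy=in,ipsec
# matches only packets that were actually decapsulated, so clear-text packets from the WAN that merely
# spoof a 10.10.10.0/24 source do not match this rule.
filter add comment="vpn01" chain=forward dst-address=10.10.20.0/24 in-interface=ether1-gateway ipsec-policy=in,ipsec src-address=10.10.10.0/24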
# Peer-address refresh for tunnel "vpn01". Resolves the other site's IP Cloud name (peerhost; replace
# the placeholder with the dns-name shown by "/ip cloud print" on that router) and, only when the
# resolved address differs from what is configured, rewrites the peer address and the policy's
# sa-dst-address. Both objects are located by comment="vpn01" (peerid), so that comment is the lookup
# key. Unchanged addresses are skipped, presumably so the IKE SA is not reset on every run.
# Triggered every minute by the ipsec-peer-update-vpn01 scheduler while netwatch reports the tunnel
# down; policy=read,write is the minimum it needs. If the name does not resolve, :resolve is expected
# to raise an error and stop the script before anything is changed — confirm on the running version.
# The address comes from an unauthenticated DNS answer; a wrong answer can only steer the peer to an
# address that never completes IKE, since the PSK still has to match.
/system script add name="ipsec-peer-update-vpn01" policy=read,write source=":local peerid \"vpn01\"\
\n:local peerhost \"0123456789.sn.mynetname.net\"\
\n:local peerip [:resolve \$peerhost]\
\n:local peeruid\
\n:set peeruid [/ip ipsec peer find comment=\"\$peerid\" and address!=\"\$peerip/32\"]\
\n:local policyuid\
\n:set policyuid [/ip ipsec policy find comment=\"\$peerid\" and sa-dst-address!=\"\$peerip\"]\
\n:if (\$peeruid != \"\") do={\
\n /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
\n :log info \"Script ipsec-peer-update updated peer '\$peerid' with address '\$peerip'\"\
\n}\
\n:if (\$policyuid != \"\") do={\
\n /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
\n :log info \"Script ipsec-peer-update updated policy '\$peerid' with address '\$peerip'\"\
\n}"
/system scheduler
# Both jobs start disabled; the netwatch down-script enables them and the up-script disables them
# again, so the peer lookup (every 1m) and the IP Cloud refresh (every 10m) only run while the
# tunnel is down. policy=read,write is all the called commands need.
add disabled=yes interval=1m name=ipsec-peer-update-vpn01 on-event="/system script run ipsec-peer-update-vpn01" policy=read,write
add disabled=yes interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" policy=read,write
# Route to the remote LAN via the local bridge. Presumably this is so that locally originated
# traffic (the netwatch ping below) gets a 10.10.10.0/24 source address and thus matches the IPsec
# policy, which then carries it through the tunnel — confirm.
/ip route add comment="vpn01" distance=1 dst-address=10.10.20.0/24 gateway=bridge-local
# Tunnel health check: ping the remote LAN gateway (default netwatch interval). While it is
# unreachable the peer-update and IP Cloud force-update schedulers are enabled; once it answers
# they are disabled again. The remote router must allow ICMP from this LAN for "up" to be seen.
/tool netwatch add comment=ipsec-peer-update-vpn01 down-script="/system scheduler enable ipsec-peer-update-vpn01\
\n/system scheduler enable ip-cloud-forceupdate" host=10.10.20.1 up-script="/system scheduler disable ip-cloud-forceupdate\
\n/system scheduler disable ipsec-peer-update-vpn01"
# Mirror for the 10.10.20.0/24 site: route to the other LAN via the local bridge (presumably so the
# netwatch ping is sourced from 10.10.20.0/24 and matches the IPsec policy — confirm).
/ip route add comment="vpn01" distance=1 dst-address=10.10.10.0/24 gateway=bridge-local
# Ping the other site's LAN gateway; enable the recovery schedulers while it is down, disable
# them once it answers. ICMP from this LAN must be permitted on the other router.
/tool netwatch add comment=ipsec-peer-update-vpn01 down-script="/system scheduler enable ipsec-peer-update-vpn01\
\n/system scheduler enable ip-cloud-forceupdate" host=10.10.10.1 up-script="/system scheduler disable ip-cloud-forceupdate\
\n/system scheduler disable ipsec-peer-update-vpn01"
Client at 100 / 5 Mbps.
C:\Users\b4d\Downloads\iperf-3.1.3-win64>iperf3.exe -c 192.168.101.15
Connecting to host 192.168.101.15, port 5201
[ 4] local 10.10.10.11 port 52573 connected to 192.168.101.15 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 256 KBytes 2.10 Mbits/sec
[ 4] 1.00-2.00 sec 0.00 Bytes 0.00 bits/sec
[ 4] 2.00-3.00 sec 384 KBytes 3.15 Mbits/sec
[ 4] 3.00-4.00 sec 384 KBytes 3.14 Mbits/sec
[ 4] 4.00-5.00 sec 512 KBytes 4.20 Mbits/sec
[ 4] 5.00-6.00 sec 512 KBytes 4.20 Mbits/sec
[ 4] 6.00-7.00 sec 256 KBytes 2.09 Mbits/sec
[ 4] 7.00-8.00 sec 384 KBytes 3.14 Mbits/sec
[ 4] 8.00-9.00 sec 512 KBytes 4.20 Mbits/sec
[ 4] 9.00-10.00 sec 512 KBytes 4.19 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 3.62 MBytes 3.04 Mbits/sec sender
[ 4] 0.00-10.00 sec 3.43 MBytes 2.87 Mbits/sec receiver
iperf Done.
C:\Users\b4d\Downloads\iperf-3.1.3-win64>iperf3.exe -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 192.168.101.15, port 50219
[ 5] local 10.10.10.11 port 5201 connected to 192.168.101.15 port 50220
[ ID] Interval Transfer Bandwidth
[ 5] 0.00-1.00 sec 7.67 MBytes 64.2 Mbits/sec
[ 5] 1.00-2.00 sec 6.35 MBytes 53.3 Mbits/sec
[ 5] 2.00-3.00 sec 7.11 MBytes 59.7 Mbits/sec
[ 5] 3.00-4.00 sec 8.21 MBytes 68.8 Mbits/sec
[ 5] 4.00-5.00 sec 9.26 MBytes 77.7 Mbits/sec
[ 5] 5.00-6.00 sec 9.28 MBytes 77.7 Mbits/sec
[ 5] 6.00-7.00 sec 9.55 MBytes 80.2 Mbits/sec
[ 5] 7.00-8.00 sec 9.29 MBytes 77.9 Mbits/sec
[ 5] 8.00-9.00 sec 6.22 MBytes 52.1 Mbits/sec
[ 5] 9.00-10.00 sec 4.47 MBytes 37.5 Mbits/sec
[ 5] 10.00-10.04 sec 124 KBytes 26.4 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 5] 0.00-10.04 sec 0.00 Bytes 0.00 bits/sec sender
[ 5] 0.00-10.04 sec 77.5 MBytes 64.8 Mbits/sec receiver
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
iperf3: interrupt - the server has terminated
C:\Users\b4d\Downloads\iperf-3.1.3-win64>
SW vs HW encryption.
Upload from the client is the same.
Download from server to client was 21.0 Mbit/sec, now it is 64.8 Mbit/sec.