Good day to all!
Over the past two years our company has been gradually moving to MikroTik. The core nodes are built on the CCR1072, and the local access points for workstations are simpler devices. Of course, we also join sites over IPsec tunnels; that setup is straightforward and causes no difficulties, since there is plenty of material online. Connecting mobile clients is another matter: the manufacturer's wiki tells you to use the Shrew Soft VPN client (the setup there seems clear), and 99% of our remote-access users use that client. The remaining 1% is me: at some point I got tired of typing my username and password into the client and wanted to lie on the sofa and connect to the work networks without any fuss. There are no instructions for configuring a MikroTik that sits not merely behind a grey (private) address but behind a completely non-routable one, possibly behind several layers of NAT. So I had to improvise, and I propose to look at the result.
We have:
- CCR1072 as the main device. version 6.44.1
- CAP ac as a home connection point. version 6.44.1
The main feature of this setup is that the PC and the MikroTik must sit on the same network, with the same addressing as issued by the core 1072.
On to the configuration:
1. FastTrack is enabled, of course, but since FastTrack is not compatible with IPsec, the IPsec traffic has to be excluded from it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add the forwarded networks between home and work (raw rules in both directions)
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the user connection identity
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<pre-shared key> xauth-login=username xauth-password=password
4. Create the IPsec proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPsec policies
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPsec profiles
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPsec peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=< > name=CO profile=profile_88
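As an added check (example code written for this write-up, not the author's configuration and not a RouterOS feature), the following Python script parses export-style lines like the ones above and reports the settings a reviewer would question before putting such a tunnel into service: the 3DES proposal, pfs-group=none, the modp1024 DH groups and disabled dead-peer detection. The sample export embedded in it is constructed from the proposal and profile commands above; the list of "weak" values is my own choice of thresholds.

```python
"""Audit a RouterOS '/ip ipsec' export for weak or risky settings (added example)."""
import re
from typing import Dict, List

# Constructed sample: the proposal and profile commands from the article,
# written the way RouterOS prints an export (backslash line continuations).
SAMPLE_EXPORT = r"""
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=\
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
"""

WEAK_ENC = {"des", "3des", "blowfish", "null"}   # audit thresholds, my choice
WEAK_DH = {"modp768", "modp1024"}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Return one dict per add/set command: {'_menu', '_verb', key: value, ...}."""
    joined = re.sub(r"\\\n\s*", "", text)          # glue continuation lines
    entries, menu = [], ""
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):                   # menu path, e.g. /ip ipsec profile
            menu = line
            continue
        verb = line.split()[0]
        if verb not in ("add", "set"):
            continue
        entry = {"_menu": menu, "_verb": verb}
        for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line):
            entry[key] = val.strip('"')
        entries.append(entry)
    return entries


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for e in parse_export(text):
        name = e.get("name", "default" if e["_verb"] == "set" else "?")
        where = f"{e['_menu']} {name}"
        # proposals use enc-algorithms, profiles use enc-algorithm
        for alg in e.get("enc-algorithms", e.get("enc-algorithm", "")).split(","):
            if alg in WEAK_ENC:
                findings.append(f"{where}: weak cipher {alg}")
        if e.get("dh-group") in WEAK_DH:
            findings.append(f"{where}: weak DH group {e['dh-group']}")
        if e.get("pfs-group") == "none":
            findings.append(f"{where}: PFS disabled")
        if e.get("dpd-interval") == "disable-dpd":
            findings.append(f"{where}: dead-peer detection disabled")
    return findings
```

Paste the output of `/ip ipsec export` into SAMPLE_EXPORT (or read it from a file) to audit a real device; the parser only understands add/set lines under a menu path.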
And now a little simple magic. Since I did not want to change the settings on every device in my home network, I had to somehow run a second DHCP configuration on the same network. Reasonably enough, MikroTik does not allow more than one address pool on one bridge, so I found a workaround: for the laptop I simply created a static DHCP lease with manually specified parameters, and since netmask, gateway and DNS also have DHCP option codes, I set them manually as well.
1. DHCP Option
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP Lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<MAC >
The configuration of the 1072 is practically the basic one; the only difference is that when issuing an IP address to this client, the settings specify a manually entered address instead of one from the pool. For regular clients on personal computers the subnet is the same as in the wiki configuration, 192.168.55.0/24.
One more thing: on the main server, the 1072, you must also add rules in IP-Firewall-RAW for symmetric forwarding of the networks. When adding a new forwarded network, you need to add rules to the IPsec policy on both the client and the server, and also to IP-Firewall-RAW on the server and to the NAT exclusion list.
This setup lets the PC connect without third-party software, and the tunnel itself is brought up by the router as needed. The load on the CAP ac client is almost minimal: 8-11% at 9-10 MB/s through the tunnel.
All settings were made via Winbox, although they can equally well be done through the console.