Mikrotik GRE IPSEC: Difference between revisions
Latest revision as of 20:12, 26 March 2020
==GRE Tunnel w/ IPSEC==
===Router 1 (SWKLS)===
First, we'll prep our router by adding a GRE interface, an IP address on that interface, and a route to the remote network. The address assigned to the GRE interface is a /30, which has only two usable addresses (one local, one remote). This is a helper subnet for the tunnel itself and must always be unique, i.e. not already in use on either side of the connection.
<syntaxhighlight lang="bash">
/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<swkls_wan_ip> name=gre-tunnel-xyz remote-address=<member_wan_ip>
/ip address add address=192.168.99.9/30 interface=gre-tunnel-xyz network=192.168.99.8
/ip route add distance=1 dst-address=192.168.12.0/24 gateway=192.168.99.10
</syntaxhighlight>
We also need to ensure that ESP and UDP ports 500 (IKE, which negotiates the encryption keys) and 4500 (IPSEC NAT-Traversal) are accepted on the input chain of the IP firewall filter (already done on our router):
<syntaxhighlight lang="bash">
/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
</syntaxhighlight>
===Router 2 (Member Library)===
First, make sure that the default IPSEC proposal is the same as ours (IP -> IPSEC -> Proposal). It should be:
* Auth. Algorithm: SHA1
* Encr. Algorithm: AES-128 CBC
* PFS Group: modp1024
Next, we repeat the Router 1 (ours) configuration with the local and remote addresses swapped:
<syntaxhighlight lang="bash">
/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<member_wan_ip> name=gre-tunnel-zyx remote-address=<swkls_wan_ip>
# the tunnel address must be bound to the GRE interface created above (gre-tunnel-zyx)
/ip address add address=192.168.99.10/30 interface=gre-tunnel-zyx network=192.168.99.8
/ip route add distance=1 dst-address=10.0.0.0/24 gateway=192.168.99.9
/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
</syntaxhighlight>
There is no need to add further traffic filtering on the remote site, as the filtering is done on our router.
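A mis-typed interface name or a route pointing at the wrong end of the /30 silently leaves the tunnel down, so as an added example (not part of this wiki page) here is a small Python check that parses both routers' commands and confirms the two sides mirror each other: same ipsec-secret, swapped WAN endpoints, one shared /30, routes pointing at the peer's tunnel address, the address bound to the GRE interface that was actually created, and the ESP/500/4500 input rules present. The sample configs are constructed from the commands above, with the WAN placeholders kept as literal strings.

```python
import ipaddress
import shlex

# Constructed sample configs mirroring the two routers above; the WAN placeholders stay literal.
ROUTER1 = """
/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<swkls_wan_ip> name=gre-tunnel-xyz remote-address=<member_wan_ip>
/ip address add address=192.168.99.9/30 interface=gre-tunnel-xyz network=192.168.99.8
/ip route add distance=1 dst-address=192.168.12.0/24 gateway=192.168.99.10
/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
"""
ROUTER2 = """
/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<member_wan_ip> name=gre-tunnel-zyx remote-address=<swkls_wan_ip>
/ip address add address=192.168.99.10/30 interface=gre-tunnel-zyx network=192.168.99.8
/ip route add distance=1 dst-address=10.0.0.0/24 gateway=192.168.99.9
/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
"""

def parse(config):  # map each RouterOS menu ('/ip route', ...) to its 'add' entries as dicts
    out = {}
    for line in config.strip().splitlines():
        menu, _, rest = line.partition(" add ")
        out.setdefault(menu, []).append(dict(tok.split("=", 1) for tok in shlex.split(rest)))
    return out

def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches between two tunnel endpoints (empty means consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    ga, gb = a["/interface gre"][0], b["/interface gre"][0]
    ia, ib = (ipaddress.ip_interface(x["/ip address"][0]["address"]) for x in (a, b))
    problems = []
    if ga["ipsec-secret"] != gb["ipsec-secret"]:
        problems.append("ipsec-secret differs between the two sides")
    if (ga["local-address"], ga["remote-address"]) != (gb["remote-address"], gb["local-address"]):
        problems.append("WAN local/remote addresses are not mirrored")
    if ia.network != ib.network or ia.ip == ib.ip or ia.network.prefixlen != 30:
        problems.append("tunnel addresses do not form one /30 point-to-point pair")
    if a["/ip route"][0]["gateway"] != str(ib.ip) or b["/ip route"][0]["gateway"] != str(ia.ip):
        problems.append("a route gateway does not point at the peer's tunnel address")
    for side, cfg, gre in (("A", a, ga), ("B", b, gb)):
        if cfg["/ip address"][0]["interface"] != gre["name"]:
            problems.append(f"{side}: address bound to an interface other than {gre['name']}")
        accepted = {(r["protocol"], r.get("dst-port")) for r in cfg.get("/ip firewall filter", []) if r["action"] == "accept" and r["chain"] == "input"}
        for proto, port in (("ipsec-esp", None), ("udp", "500"), ("udp", "4500")):
            if (proto, port) not in accepted:
                problems.append(f"{side}: input chain does not accept {proto} {port or ''}".strip())
    return problems
```

Binding the address to a name that was never created (for example `interface=gre-tunnel-swkls` instead of `gre-tunnel-zyx`) is reported as a single `B: address bound to ...` mismatch, while the configs as written above come back clean.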