Mikrotik GRE IPSEC
Latest revision as of 20:12, 26 March 2020
GRE Tunnel w/ IPSEC
Router 1 (SWKLS)
First, we prepare our router by adding a GRE interface, an IP address on that interface, and a route to the remote network. The address on the GRE interface is taken from a /30, which has only two usable addresses (one local, one remote). This helper subnet exists only to number the two tunnel endpoints; it must be unique and not already in use on either side of the connection.
/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<swkls_wan_ip> name=gre-tunnel-xyz remote-address=<member_wan_ip>
/ip address add address=192.168.99.9/30 interface=gre-tunnel-xyz network=192.168.99.8
/ip route add distance=1 dst-address=192.168.12.0/24 gateway=192.168.99.10
We also need to let the tunnel's traffic reach the router itself: ESP (IP protocol 50) carries the encrypted GRE packets, UDP port 500 carries IKE (which negotiates the keys), and UDP port 4500 carries IPsec NAT-Traversal. All three must be accepted in the input chain of the IP firewall filter on the WAN interface (already done on our router). Keep these rules above the chain's final drop rule; they can also be tightened with src-address=<member_wan_ip> so that only the peer router matches them:
/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
Router 2 (Member Library)
First, make sure that the member router's default IPsec proposal matches ours (IP -> IPSEC -> Proposals). The peer and policy that ipsec-secret= creates dynamically use this default proposal, so if the two ends disagree the IKE negotiation fails and the tunnel never comes up. It should be:
Auth Algo: SHA1
Enc. Algo: AES-128 CBC
PFS Group: modp1024
These are the RouterOS defaults. SHA1 and a 1024-bit DH group are weak by current standards; if both routers support it, raise both ends together (for example sha256, aes-256-cbc and modp2048), keeping the two proposals identical.
Next, we do the same as on Router 1 (ours) with the IP addresses swapped. Note that the interface name given to /interface gre must be the same name used in /ip address, or the address assignment fails:
/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<member_wan_ip> name=gre-tunnel-swkls remote-address=<swkls_wan_ip>
/ip address add address=192.168.99.10/30 interface=gre-tunnel-swkls network=192.168.99.8
/ip route add distance=1 dst-address=10.0.0.0/24 gateway=192.168.99.9
/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
No further traffic filtering is needed on the remote site, since filtering is done on our router.
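The two router configurations above are mirror images of each other, and the easiest way to break the tunnel is to get one side of the mirror wrong (a mismatched ipsec-secret, an address outside the /30, a route pointing at the wrong helper address, or a GRE interface name that differs from the one the address is bound to). The following Python script is an added example, not RouterOS code from this page: it generates both routers' commands from one set of parameters, rejects a helper subnet that is not a clean /30 or that overlaps either LAN, and checks that the two ends actually mirror each other. The WAN addresses 198.51.100.1 and 203.0.113.1 are constructed documentation addresses standing in for <swkls_wan_ip> and <member_wan_ip>, and the src-address= restriction it puts on the firewall rules is an addition that the page's own rules do not have.

```python
"""Generate both ends of a RouterOS GRE-over-IPsec tunnel and check they mirror.

Added example; not RouterOS code from the page. The WAN addresses used in
SWKLS/MEMBER below are constructed RFC 5737 documentation addresses.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str       # short label, also used in the peer's GRE interface name
    wan_ip: str     # public address the tunnel terminates on
    lan: str        # network behind this router, routed over the tunnel
    wan_iface: str  # WAN interface, used as in-interface in the filter rules


def helper_addresses(helper, sites):
    """Validate the /30 helper subnet and return its two usable addresses."""
    net = ipaddress.ip_network(helper, strict=True)  # rejects e.g. 192.168.99.9/30
    if net.prefixlen != 30:
        raise ValueError(f"helper subnet must be a /30, got {net}")
    for s in sites:
        if net.overlaps(ipaddress.ip_network(s.lan)):
            raise ValueError(f"helper subnet {net} overlaps {s.name} LAN {s.lan}")
    lo, hi = net.hosts()  # a /30 has exactly two usable addresses
    return net, lo, hi


def router_config(me, peer, net, my_addr, peer_addr, secret):
    """RouterOS commands for one end; the peer gets the same with roles swapped."""
    iface = f"gre-tunnel-{peer.name}"
    # src-address= limits the rules to the peer router; the page's rules omit it.
    fw = (f"/ip firewall filter add action=accept chain=input "
          f"in-interface={me.wan_iface} src-address={peer.wan_ip}")
    return [
        f"/interface gre add allow-fast-path=no ipsec-secret={secret} "
        f"local-address={me.wan_ip} name={iface} remote-address={peer.wan_ip}",
        f"/ip address add address={my_addr}/{net.prefixlen} interface={iface} "
        f"network={net.network_address}",
        f"/ip route add distance=1 dst-address={peer.lan} gateway={peer_addr}",
        f"{fw} protocol=ipsec-esp",
        f"{fw} protocol=udp dst-port=500",
        f"{fw} protocol=udp dst-port=4500",
    ]


def tunnel_pair(a, b, helper, secret):
    """Both ends of the tunnel, keyed by site name."""
    net, lo, hi = helper_addresses(helper, (a, b))
    return {a.name: router_config(a, b, net, lo, hi, secret),
            b.name: router_config(b, a, net, hi, lo, secret)}


def kv(cmd):
    """key=value tokens of one RouterOS command."""
    return dict(tok.split("=", 1) for tok in cmd.split() if "=" in tok)


def check_mirrored(pair):
    """Return the list of mismatches between the two ends (empty when consistent)."""
    ca, cb = pair.values()
    ga, gb = kv(ca[0]), kv(cb[0])   # /interface gre
    aa, ab = kv(ca[1]), kv(cb[1])   # /ip address
    ra, rb = kv(ca[2]), kv(cb[2])   # /ip route
    ia, ib = ipaddress.ip_interface(aa["address"]), ipaddress.ip_interface(ab["address"])
    problems = []
    if ga["ipsec-secret"] != gb["ipsec-secret"]:
        problems.append("ipsec-secret differs")
    if (ga["local-address"], ga["remote-address"]) != (gb["remote-address"], gb["local-address"]):
        problems.append("local/remote WAN addresses are not swapped")
    if ga["name"] != aa["interface"] or gb["name"] != ab["interface"]:
        problems.append("ip address bound to a different interface name than the gre interface")
    if ia.network != ib.network:
        problems.append("helper addresses are not in the same /30")
    if ra["gateway"] != str(ib.ip) or rb["gateway"] != str(ia.ip):
        problems.append("route gateway is not the peer's helper address")
    return problems


# Constructed sample sites (documentation WAN addresses, LANs from the page).
SWKLS = Site("swkls", "198.51.100.1", "10.0.0.0/24", "ether1-gateway")
MEMBER = Site("member", "203.0.113.1", "192.168.12.0/24", "ether1-gateway")

if __name__ == "__main__":
    pair = tunnel_pair(SWKLS, MEMBER, "192.168.99.8/30", "super!secret!here")
    for site, cmds in pair.items():
        print(f"# {site}")
        print("\n".join(cmds))
    print("mismatches:", check_mirrored(pair))
```

Paste each side's block into the respective router's terminal. check_mirrored parses the generated commands back rather than trusting the generator, so it will also flag a hand-edited configuration where the GRE interface was renamed on one side only, which is exactly the kind of slip that leaves the tunnel interface up but unnumbered.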