Mikrotik GRE IPSEC

From SWKLS WIKI
Latest revision as of 20:12, 26 March 2020

GRE Tunnel w/ IPSEC

Router 1 (SWKLS)

First, prep our router by adding a GRE interface, an IP address on that interface, and a route to the remote network. The address assigned to the GRE interface comes from a /30, which has only two usable addresses (one local, one remote). This helper subnet should always be unique and not already in use on either side of the connection.

/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<swkls_wan_ip> name=gre-tunnel-xyz remote-address=<member_wan_ip>

/ip address add address=192.168.99.9/30 interface=gre-tunnel-xyz network=192.168.99.8

/ip route add distance=1 dst-address=192.168.12.0/24 gateway=192.168.99.10

We also need to ensure that the input chain of the IP firewall filter accepts, on the WAN interface, ESP (the encrypted tunnel traffic itself), UDP port 500 (IKE, which negotiates the encryption keys) and UDP port 4500 (IPSEC NAT-Traversal mode). This is already done on our router:

/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp

/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp

/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp

Router 2 (Member Library)

First, make sure that the default IPSEC proposal is the same as ours (IP -> IPSEC -> Proposal). It should be:

Auth Algo: SHA1
Enc. Algo: AES-128 CBC
PFS Group: modp1024

All three settings must match on both ends exactly; otherwise the IPSEC security associations never establish and the GRE tunnel stays down even though the interfaces look correct.

Next, do the same as on Router 1 (ours), with the local and remote addresses swapped:

/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<member_wan_ip> name=gre-tunnel-swkls remote-address=<swkls_wan_ip>

/ip address add address=192.168.99.10/30 interface=gre-tunnel-swkls network=192.168.99.8

/ip route add distance=1 dst-address=10.0.0.0/24 gateway=192.168.99.9

/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp

/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp

/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp

No further traffic filtering is needed on the remote site, since filtering is done on our router.
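The two command sets above are mirror images of each other, and the easiest mistake when pasting them is to let the two ends drift: the interface named in `/interface gre add` not matching the one in `/ip address add`, a local/remote pair not swapped, or a helper address that is not inside the /30. The following Python script is an added example written for this page, not code from SWKLS or MikroTik. It derives both routers' commands from one description of the tunnel and refuses inconsistent input before anything is typed into a router. The WAN addresses, LAN prefixes and the secret value in it are constructed placeholders; the RouterOS syntax it emits is the same as the commands shown above.

```python
"""Build matching RouterOS command sets for both ends of a GRE-over-IPsec tunnel.

Added example for this wiki page (not SWKLS or MikroTik code). One description
of the tunnel produces both routers' commands, so the GRE interface name used
by "/interface gre add" and "/ip address add" on a router always agrees,
local/remote addresses are mirrored, and the helper addresses are checked
against the /30. WAN addresses, LANs and the secret below are constructed
placeholders (WAN addresses from the RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TunnelEnd:
    label: str                 # short name; the other side names its GRE interface after it
    wan_ip: str                # public address the IPsec peer talks to
    helper_ip: str             # this end's address inside the helper /30
    lan: str                   # network behind this router, reached through the tunnel
    wan_interface: str = "ether1-gateway"  # interface the input-chain rules bind to


def validate(a: TunnelEnd, b: TunnelEnd, helper_prefix: str) -> ipaddress.IPv4Network:
    """Check the helper subnet; raise ValueError on anything that would not route."""
    net = ipaddress.ip_network(helper_prefix, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"helper subnet must be a /30, got /{net.prefixlen}")
    usable = set(net.hosts())  # exactly two addresses for a /30
    for end in (a, b):
        if ipaddress.ip_address(end.helper_ip) not in usable:
            raise ValueError(f"{end.helper_ip} is not a usable host in {net}")
    if a.helper_ip == b.helper_ip:
        raise ValueError("both ends were given the same helper address")
    for end in (a, b):
        # The helper /30 must be unique: overlapping a LAN makes the route ambiguous.
        if net.overlaps(ipaddress.ip_network(end.lan, strict=False)):
            raise ValueError(f"helper subnet {net} overlaps LAN {end.lan}")
    return net


def is_valid(a: TunnelEnd, b: TunnelEnd, helper_prefix: str) -> bool:
    """Boolean wrapper around validate() for quick checks."""
    try:
        validate(a, b, helper_prefix)
        return True
    except ValueError:
        return False


def commands_for(local: TunnelEnd, remote: TunnelEnd,
                 net: ipaddress.IPv4Network, secret: str) -> List[str]:
    """RouterOS commands for one router, in the same order as the page's six lines."""
    iface = f"gre-tunnel-{remote.label}"
    wan = local.wan_interface
    return [
        f"/interface gre add allow-fast-path=no ipsec-secret={secret} "
        f"local-address={local.wan_ip} name={iface} remote-address={remote.wan_ip}",
        f"/ip address add address={local.helper_ip}/{net.prefixlen} "
        f"interface={iface} network={net.network_address}",
        f"/ip route add distance=1 dst-address={remote.lan} gateway={remote.helper_ip}",
        f"/ip firewall filter add action=accept chain=input in-interface={wan} protocol=ipsec-esp",
        f"/ip firewall filter add action=accept chain=input dst-port=500 in-interface={wan} protocol=udp",
        f"/ip firewall filter add action=accept chain=input dst-port=4500 in-interface={wan} protocol=udp",
    ]


def build_both(a: TunnelEnd, b: TunnelEnd, helper_prefix: str,
               secret: str) -> Dict[str, List[str]]:
    """Validate once, then emit both routers' command sets keyed by label."""
    net = validate(a, b, helper_prefix)
    return {a.label: commands_for(a, b, net, secret),
            b.label: commands_for(b, a, net, secret)}


# Constructed sample mirroring the page: SWKLS is Router 1, member "xyz" is Router 2.
SWKLS = TunnelEnd(label="swkls", wan_ip="198.51.100.1", helper_ip="192.168.99.9", lan="10.0.0.0/24")
MEMBER = TunnelEnd(label="xyz", wan_ip="203.0.113.2", helper_ip="192.168.99.10", lan="192.168.12.0/24")
HELPER_PREFIX = "192.168.99.8/30"

if __name__ == "__main__":
    for router, cmds in build_both(SWKLS, MEMBER, HELPER_PREFIX, "REPLACE_WITH_SHARED_SECRET").items():
        print(f"# {router}")
        print("\n".join(cmds), end="\n\n")
```

Paste each router's block into its own terminal, then confirm the tunnel came up with `/ip ipsec installed-sa print` (ESP security associations should be listed on both sides) and a ping to the remote helper address across the GRE interface.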