Mikrotik GRE IPSEC

From SWKLS WIKI
Revision as of 20:12, 26 March 2020 by Unknown user (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

GRE Tunnel w/ IPSEC

Router 1 (SWKLS)

First, we'll prep our router by adding a gre interface, ip address to that interface, and a route to the remote network. The ip address assigned to the gre interface is a /30 meaning only two usable ip addresses (one local, one remote). This is a helper ip subnet and should always be unique and not already in use on either side of the connection.

/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<swkls_wan_ip> name=gre-tunnel-xyz remote-address=<member_wan_ip>

/ip address add address=192.168.99.9/30 interface=gre-tunnel-xyz network=192.168.99.8

/ip route add distance=1 dst-address=192.168.12.0/24 gateway=192.168.99.10

We also need to ensure that UDP ports 500 (for IKE, to manage encryption keys) and 4500 (for IPSEC NAT-Traversal mode) are open in the ip firewall filter (already done on our router):

/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp

/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp

/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp

Router 2 (Member Library)

First, make sure that the default IPSEC proposal is the same as ours (IP -> IPSEC -> Proposal). Should be:

Auth Algo: SHA1
Enc. Algo: AES-128 CBC
PFS Group: mod1024

Next, we do the same as Router 1 (ours) and swap ip addresses:

/interface gre add allow-fast-path=no ipsec-secret=super!secret!here local-address=<member_wan_ip> name=gre-tunnel-zyx remote-address=<swkls_wan_ip>

/ip address add address=192.168.99.10/30 interface=gre-tunnel-swkls network=192.168.99.8

/ip route add distance=1 dst-address=10.0.0.0/24 gateway=192.168.99.9

/ip firewall filter add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp

/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether1-gateway protocol=udp

/ip firewall filter add action=accept chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp

No need to add further traffic filter on remote site as we have filtering on our router.