MikroTik: IPsec VPN as a client behind NAT
Good day to all!
It so happened that over the past two years our company has been slowly moving to MikroTik. The main nodes are built on the CCR1072, and the local connection points for computers run on simpler devices. Of course, the office networks are joined by an IPsec tunnel; that configuration is quite simple and causes no difficulty, since there is plenty of material on the net. But there are certain difficulties with connecting mobile clients: the manufacturer's wiki tells you how to use the Shrew Soft VPN client (the setup for it seems clear enough), and that is the client used by 99% of remote access users. The remaining 1% is me: I simply got too lazy to enter the username and password into the client every time, and I wanted to lie on the couch and connect to the work networks conveniently. I found no instructions for setting up a MikroTik when it is not merely behind a gray address but completely behind a black one, possibly with several NATs on the way. So I had to improvise, and I propose to look at the result.
There is:
- CCR1072 as the main device, RouterOS version 6.44.1
- cAP ac as the home connection point, RouterOS version 6.44.1
The key point of the setup is that the PC and the MikroTik must sit in the same network, with the same addressing, which is issued by the main 1072.
We proceed to the setup:
1. Fasttrack is enabled, of course, but since fasttrack is not compatible with IPsec, the tunnel traffic has to be excluded from it by connection mark.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=\
in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=\
out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add network forwarding from/to home and work (one rule per direction for each subnet pair)
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
10.7.98.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=\
192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=\
192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=\
192.168.33.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
10.7.77.0/24
3. Create the user connection description (IPsec identity)
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=\
"<shared key>" xauth-login=username xauth-password=password
4. Create IPSEC Proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create an IPSEC Policy
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" \
sa-dst-address= sa-src-address=0.0.0.0 src-address=\
192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" \
sa-dst-address= sa-src-address=0.0.0.0 src-address=\
192.168.33.0/24 tunnel=yes
6. Create an IPSEC profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=\
aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create an IPSEC peer
/ip ipsec peer
add address=/32 local-address=<your router address> name=CO profile=\
profile_88
And now a little simple magic. Since I did not want to change the settings on every device in the home network, I had to somehow run a second DHCP scope on the same network, but MikroTik quite reasonably does not allow more than one address pool on one bridge. So I found a workaround: I simply created a DHCP lease for the laptop with manually specified parameters, and since netmask, gateway and DNS also have option numbers in DHCP, those were specified manually as well.
1. DHCP Option
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP Lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=\
option1-netmask,option3-gateway,option6-dns mac-address=
At the same time, the 1072 setup is almost the default one; the only change is that when issuing an IP address to the client, the settings specify that it gets the manually entered address rather than one from the pool. For ordinary clients on personal computers, the subnet is the same as in the wiki configuration, 192.168.55.0/24.
A small addition: on the main connection server, the 1072, you also need to add the symmetric network forwarding rules in IP-Firewall-RAW. Whenever a new forwarded network is added, rules must be added to the IPsec policy on both the client and the server, as well as to IP-Firewall-RAW on the server and to the list of NAT exclusions.
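As an added consistency check (not part of the original article), the following Python script parses the raw and IPsec policy sections of the cAP ac export shown above, in RouterOS export syntax with backslash continuations, and reports any raw accept rule that lacks its reverse and any remote subnet that has raw rules but no tunnel policy; on the excerpt reproduced here it flags 10.7.98.0/24, which has raw rules but no policy in the configuration shown. The home subnet and the export excerpt come from the article; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the cAP ac export shown above (raw accept rules and
# IPsec policies), kept in RouterOS export syntax with backslash continuations.
EXPORT = r"""
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
10.7.98.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=\
192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=\
192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=\
192.168.33.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=\
10.7.77.0/24
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" \
sa-dst-address= sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" \
sa-dst-address= sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
"""

def parse_export(text):
    """Join backslash-continued lines; return {menu path: [ {key: value}, ... ]}."""
    menus, current = {}, None
    for line in re.sub(r"\\\n", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S*)', line)))
    return menus

def check_tunnel_coverage(text, home_net):
    """Return (raw pairs lacking a reverse rule, remote subnets with raw rules but no policy)."""
    menus = parse_export(text)
    home = ipaddress.ip_network(home_net)
    pairs = {(r["src-address"], r["dst-address"])
             for r in menus.get("/ip firewall raw", []) if r.get("action") == "accept"}
    missing_reverse = sorted(p for p in pairs if (p[1], p[0]) not in pairs)
    # Every remote subnet that the raw rules pass from the home network needs a tunnel policy
    remote_raw = {d for s, d in pairs if ipaddress.ip_network(s) == home}
    remote_pol = {p["dst-address"] for p in menus.get("/ip ipsec policy", [])
                  if p.get("tunnel") == "yes" and ipaddress.ip_network(p["src-address"]) == home}
    return missing_reverse, sorted(remote_raw - remote_pol)
```

Run the same check against the 1072's export with the work subnets as `home_net` to verify the server side before adding a new forwarded network.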
This setup means there is no need for third-party software on the PC, and the router brings the tunnel up itself as needed. Load on the client cAP ac is almost minimal, 8-11% at 9-10 MB/s through the tunnel.
All settings were made through Winbox, although they can just as well be done from the console.