Site-to-site IPSec VPN between VPNaaS (SIM-Cloud) and MikroTik router (remote office)

Description

Consider the configuration of an IPsec site-to-site VPN connection between the VPNaaS, on the cloud infrastructure side, and a MikroTik-based router on the side of the remote office.
Both routers have real IP addresses on WAN interfaces, i.e. they do not use NAT.
This chapter contains configuration examples using the management interface (GUI) and the equivalent commands for the command line interface (CLI).

Initial conditions

  • Both nodes between which the VPN tunnel is to be built have real IP addresses.
  • Site A is the cloud-based VPNaaS provided by SIM-Cloud
  • Site B is the client’s infrastructure, based on MikroTik.
  • Each site has its own private subnetwork:
    • Site “A” - 10.5.4.0/24
    • Site “B” - 192.168.255.0/24
  • VPNaaS version: 12.0.5
  • MikroTik version: 6.45.3

Warning

Depending on the OS version of the router or software, subsequent configuring may vary.

Note

To set up a VPN connection, the following required conditions must be satisfied:

  • Network availability between routers:

    • Protocol: UDP, port 500 (for IKE, to manage encryption keys).
    • Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode).
    • Protocol: ESP, value 50 (for IPSEC).
    • Protocol: AH, value 51 (for IPSEC).
  • The firewall rules must not block network traffic between the routers and the private subnetworks.

  • Private subnetworks that will be connected by means of IPSec must be different and must not include each other.

“Summary table”
VPN Router          | VPN Peer IP   | Private Network  | Private Network GW IP | Private Network Host IP
Site “A” (VPNaaS)   | 156.67.54.218 | 10.5.4.0/24      | 10.5.4.1/32           | 10.5.4.7
Site “B” (MikroTik) | 156.67.53.178 | 192.168.255.0/24 | 192.168.255.23/32     | 192.168.255.29

In this example the initial configuration of the secure IPsec site-to-site VPN connection is carried out. To do this, we link the private networks 10.5.4.0/24 and 192.168.255.0/24, situated behind the routers.

Site A configuration (VPNaaS)

The VPNaaS is configured in accordance with the instructions given in the documentation:

A1. Configure IKE Policy. For this step the following parameters are used:

“IKE Policy”
Name                        | ikepolicy
Authorization algorithm     | sha1
Encryption algorithm        | aes-128
IKE version                 | v1
Lifetime value for IKE keys | 86400
Perfect Forward Secrecy     | group5
IKE Phase1 negotiation mode | main

A2. Configure IPSec Policy. For this step the following parameters are used:

“IPsec Policy”
Name                        | ipsecpolicy
Authorization algorithm     | sha1
Encapsulation mode          | tunnel
Encryption algorithm        | aes-128
Lifetime value for IKE keys | 3600
Perfect Forward Secrecy     | group5
Transform Protocol          | esp

A3. Configure VPN service. For this step the following parameters are used:

“VPN service”
Name   | VPNservice
Router | Select from the list of cloud project routers

A4. Configure Endpoint Groups. For this step the following parameters are used:

“Endpoint Groups”
Endpoint group name | Type   | Value
local_epg           | SUBNET | 10.5.4.0/24
remote_epg          | CIDR   | 192.168.255.0/24

A5. Configure IPsec site connection. For this step the following parameters are used:

“IPsec site connection”
Name                                            | ipsecsiteconn
VPN service associated with this connection     | VPNservice
Endpoint group for local subnet(s)              | local_epg
IKE policy associated with this connection      | ikepolicy
IPsec policy associated with this connection    | ipsecpolicy
Peer gateway public IPv4/IPv6 Address or FQDN   | 156.67.53.178
Peer router identity for authentication (Peer ID) | 156.67.53.178
Endpoint group for remote peer CIDR(s)          | remote_epg
Pre-Shared Key (PSK) string                     | Baejii9ahwoo
MTU                                             | 1500

A6. Once all these changes have been made, the IPsec site connection is shown as successfully created with the status ‘Down’. When the tunnel is configured at the other end and successfully established, the status changes to ‘Active’.

Site B configuration (MikroTik)

Guidance for configuring the VPN on the MikroTik software is taken from the original chapter from the software manufacturer: “Site to Site IPsec tunnel”.
The configuration procedure for each point is described for both a graphical web interface and a command line interface (CLI).

B1. Create the profile for ‘Phase 1’.

To create the profile via the web interface, go to the ‘IP:IPsec’ menu and in the ‘Profiles’ tab click ‘Add New’.
The following parameters are to be used:

“New profile”
Name                 | VPNaaS   |
Hash Algorithms      | sha1     | Should match the value set in the VPNaaS
Encryption Algorithm | aes-128  | Should match the value set in the VPNaaS
DH Group             | modp1536 | Should match the value set in the VPNaaS (group5)
Lifetime             | 1d       | Should match the value set in the VPNaaS (86400 seconds)
Save changes by clicking the OK button.

To create the profile via the CLI, execute the command:
/ip ipsec profile
add enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=1d name=VPNaaS

B2. Create the “proposal” record for ‘Phase 2’.

To create the proposal via the web interface, go to the ‘IP:IPsec’ menu and in the ‘Proposals’ tab click ‘Add New’.
The following parameters are to be used:

“New proposal”
Name             | VPNaaS      |
Auth. Algorithms | sha1        | Should match the value set in the VPNaaS
Encr. Algorithms | aes-128 cbc | Should match the value set in the VPNaaS (aes-128)
Lifetime         | 01:00:00    | Should match the value set in the VPNaaS (3600 seconds)
PFS Group        | modp1536    | Should match the value set in the VPNaaS (group5)
Save changes by clicking the OK button.

To create the proposal via the CLI, execute the command:
/ip ipsec proposal
add enc-algorithms=aes-128-cbc auth-algorithms=sha1 pfs-group=modp1536 lifetime=1h name=VPNaaS
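Every row in the B1 and B2 tables carries the remark “should match the value set in the VPNaaS”, and a Phase 1 or Phase 2 mismatch is the usual reason the site connection stays in the ‘Down’ status. The script below is an added example, not part of the VPNaaS or MikroTik documentation: it takes the A1/A2 policy values from the tables above, parses the RouterOS add-commands from B1 and B2, and reports each differing value; it also applies the “must not overlap” rule from the Note to the two private networks. The mapping of VPNaaS names to RouterOS names (group5 is modp1536, the VPNaaS aes-128 is RouterOS aes-128-cbc, seconds versus RouterOS duration strings) is this example's assumption.

```python
import ipaddress
import re

# Phase 1 (IKE policy, step A1) and Phase 2 (IPsec policy, step A2) as set in the VPNaaS.
VPNAAS_IKE = {"auth": "sha1", "enc": "aes-128", "pfs": "group5", "lifetime": 86400}
VPNAAS_IPSEC = {"auth": "sha1", "enc": "aes-128", "pfs": "group5", "lifetime": 3600}

# RouterOS add-commands from steps B1 and B2 (copied from this page).
MIKROTIK_PROFILE = "add enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=1d name=VPNaaS"
MIKROTIK_PROPOSAL = "add enc-algorithms=aes-128-cbc auth-algorithms=sha1 pfs-group=modp1536 lifetime=1h name=VPNaaS"

# Assumed name mappings between the VPNaaS values and the RouterOS values.
DH_GROUPS = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
PHASE2_CIPHERS = {"aes-128": "aes-128-cbc", "aes-192": "aes-192-cbc", "aes-256": "aes-256-cbc"}
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_routeros_add(cmd):
    """Turn 'add key=value key=value ...' into a dict of the key/value pairs."""
    return dict(re.findall(r"(\S+?)=(\S+)", cmd))


def routeros_seconds(duration):
    """Convert a RouterOS lifetime ('1d', '1h30m', '3600' or GUI-style '01:00:00') to seconds."""
    if ":" in duration:  # hh:mm:ss as shown in the web interface
        hours, minutes, seconds = (int(part) for part in duration.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    if duration.isdigit():
        return int(duration)
    return sum(int(value) * UNITS[unit] for value, unit in re.findall(r"(\d+)([dhms])", duration))


def _diff(field, expected, actual):
    """One difference record (field, VPNaaS value, MikroTik value), or nothing when they agree."""
    return [] if expected == actual else [(field, expected, actual)]


def check_phase1(ike, profile_cmd):
    """Differences between the VPNaaS IKE policy and the MikroTik profile (step B1)."""
    p = parse_routeros_add(profile_cmd)
    return (_diff("hash-algorithm", ike["auth"], p.get("hash-algorithm"))
            + _diff("enc-algorithm", ike["enc"], p.get("enc-algorithm"))
            + _diff("dh-group", DH_GROUPS.get(ike["pfs"]), p.get("dh-group"))
            + _diff("lifetime", ike["lifetime"], routeros_seconds(p.get("lifetime", "0"))))


def check_phase2(ipsec, proposal_cmd):
    """Differences between the VPNaaS IPsec policy and the MikroTik proposal (step B2)."""
    p = parse_routeros_add(proposal_cmd)
    return (_diff("auth-algorithms", ipsec["auth"], p.get("auth-algorithms"))
            + _diff("enc-algorithms", PHASE2_CIPHERS.get(ipsec["enc"]), p.get("enc-algorithms"))
            + _diff("pfs-group", DH_GROUPS.get(ipsec["pfs"]), p.get("pfs-group"))
            + _diff("lifetime", ipsec["lifetime"], routeros_seconds(p.get("lifetime", "0"))))


def networks_are_disjoint(local_cidr, remote_cidr):
    """Endpoint-group check from the Note: the two private networks must not include each other."""
    return not ipaddress.ip_network(local_cidr).overlaps(ipaddress.ip_network(remote_cidr))


if __name__ == "__main__":
    for phase, diffs in (("Phase 1", check_phase1(VPNAAS_IKE, MIKROTIK_PROFILE)),
                         ("Phase 2", check_phase2(VPNAAS_IPSEC, MIKROTIK_PROPOSAL))):
        print(phase, "OK" if not diffs else "MISMATCH " + ", ".join(
            f"{field}: VPNaaS={exp} MikroTik={act}" for field, exp, act in diffs))
    print("Private networks disjoint:", networks_are_disjoint("10.5.4.0/24", "192.168.255.0/24"))
```

Run it after editing either side; any line other than “OK” names the parameter to correct before looking at firewall or NAT issues. Lifetimes on the two sides do not strictly have to match for IKE to succeed, but the script reports them anyway because the page asks for identical values.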

B3. Describe the parameters of the remote peer.

To create the peer via the web interface, go to the ‘IP:IPsec’ menu and in the ‘Peers’ tab click ‘Add New’.
The following parameters are to be used:

“New peer”
Name          | VPNaaS           |
Address       | 156.67.54.218/32 | Public IP address of the VPNaaS service
Profile       | VPNaaS           | Profile created in B1
Exchange Mode | main             | Should match the value set in the VPNaaS
Save changes by clicking the OK button.

To create the peer via the CLI, execute the command:
/ip ipsec peer
add address=156.67.54.218/32 exchange-mode=main profile=VPNaaS name=VPNaaS

B4. Specify the identification mechanism.

To create the identity via the web interface, go to the ‘IP:IPsec’ menu and in the ‘Identities’ tab click ‘Add New’.
The following parameters are to be used:

“New identity”
Peer         | VPNaaS         | Peer created in B3
Auth. Method | pre shared key |
Secret       | Baejii9ahwoo   | Should match the PSK set in the VPNaaS
Save changes by clicking the OK button.

To create the identity via the CLI, execute the command:
/ip ipsec identity
add auth-method=pre-shared-key peer=VPNaaS secret=Baejii9ahwoo

B5. Create an IPsec policy that allows traffic from the local private network to the remote private network via the tunnel.

To create the policy via the web interface, go to the ‘IP:IPsec’ menu and in the ‘Policies’ tab click ‘Add New’.
The following parameters are to be used:

“New policy”
Peer            | VPNaaS           | Peer created in B3
Tunnel          | checked          | Enable tunnel mode
Src. Address    | 192.168.255.0/24 | Local network on the MikroTik side
Dst. Address    | 10.5.4.0/24      | Local network on the VPNaaS side
Action          | encrypt          |
IPsec Protocols | esp              | Should match the value set in the VPNaaS
Proposal        | VPNaaS           | Proposal created in B2
Save changes by clicking the OK button.

To create the policy via the CLI, execute the command:
/ip ipsec policy
add src-address=192.168.255.0/24 src-port=any dst-address=10.5.4.0/24 dst-port=any tunnel=yes action=encrypt proposal=VPNaaS ipsec-protocols=esp peer=VPNaaS

B6. At this stage, if traffic is sent via the IPsec tunnel, it will not work: packets from the MikroTik side will be lost.

This is because the router has a NAT masquerade rule, which rewrites the source address before the packet reaches IPsec. The router cannot encrypt the packet because the rewritten source address no longer matches the source address specified in the policy configuration. For further information on this see “Example protocol for IPsec packets”.

To correct this, add a NAT bypass rule to the MikroTik router.
To create the rule via the web interface, go to the ‘IP:Firewall’ menu and in the ‘NAT’ tab click ‘Add New’.
The following parameters are to be used:

“New NAT rule”
Chain        | srcnat           |
Src. Address | 192.168.255.0/24 | Local network on the MikroTik side
Dst. Address | 10.5.4.0/24      | Local network on the VPNaaS side
Action       | accept           |
Save changes by clicking the OK button. Having created the rule, drag it with the mouse to the very top of the list, so that it is evaluated before the masquerade rule.

To create the rule via the CLI, execute the command:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.255.0/24 dst-address=10.5.4.0/24
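The ordering requirement in B6 (bypass rule above masquerade, hence place-before=0) is easy to get wrong and the symptom is silent packet loss. The script below is an added illustration, not MikroTik code: a minimal model of how the srcnat chain is walked for one packet, followed by the IPsec policy match from B5. The rule keys mirror the '/ip firewall nat add' parameters on this page; the evaluation logic (first matching rule terminates the chain, accept leaves the packet unchanged, masquerade rewrites the source to the WAN address) and the constructed test packet are this example's own simplification.

```python
import ipaddress

WAN_ADDRESS = "156.67.53.178"  # MikroTik public address from the summary table
IPSEC_POLICY = {"src": "192.168.255.0/24", "dst": "10.5.4.0/24"}  # policy from step B5

# Typical office srcnat chain before step B6: everything leaving the WAN interface is masqueraded.
MASQUERADE = {"chain": "srcnat", "action": "masquerade", "out-interface": "wan"}
# The bypass rule from step B6.
BYPASS = {"chain": "srcnat", "action": "accept",
          "src-address": "192.168.255.0/24", "dst-address": "10.5.4.0/24"}


def _matches(rule, packet):
    """Address and interface matchers used by the rules on this page."""
    for key in ("src-address", "dst-address"):
        if key in rule and ipaddress.ip_address(packet[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if "out-interface" in rule and rule["out-interface"] != packet["out-interface"]:
        return False
    return True


def run_srcnat(rules, packet):
    """Walk the srcnat chain top to bottom; return the packet as it reaches IPsec."""
    packet = dict(packet)
    for rule in rules:
        if not _matches(rule, packet):
            continue
        if rule["action"] == "accept":
            return packet  # NAT processing stops, source address untouched
        if rule["action"] == "masquerade":
            packet["src-address"] = WAN_ADDRESS  # source rewritten to the router's WAN address
            return packet
    return packet


def ipsec_policy_matches(policy, packet):
    """Does the (possibly rewritten) packet still fit the B5 policy selectors?"""
    return (ipaddress.ip_address(packet["src-address"]) in ipaddress.ip_network(policy["src"])
            and ipaddress.ip_address(packet["dst-address"]) in ipaddress.ip_network(policy["dst"]))


def tunnel_would_carry(rules, packet):
    """True if the packet is still encryptable under the IPsec policy after srcnat."""
    return ipsec_policy_matches(IPSEC_POLICY, run_srcnat(rules, packet))


def place_before(rules, rule, position=0):
    """Model of RouterOS 'place-before=<n>': insert the rule ahead of the rule at that index."""
    new_rules = list(rules)
    new_rules.insert(position, rule)
    return new_rules


# Constructed packet: host 192.168.255.29 pinging 10.5.4.7 out of the WAN interface.
PING = {"src-address": "192.168.255.29", "dst-address": "10.5.4.7", "out-interface": "wan"}

if __name__ == "__main__":
    print("masquerade only        :", tunnel_would_carry([MASQUERADE], PING))  # False
    print("bypass appended last   :", tunnel_would_carry([MASQUERADE, BYPASS], PING))  # False
    print("bypass place-before=0  :", tunnel_would_carry(place_before([MASQUERADE], BYPASS), PING))  # True
```

The second case is the trap: adding the bypass rule without moving it to the top leaves it unreachable, because the masquerade rule already matched and rewrote the source. The same reasoning applies to any other srcnat or src-nat rule placed above the bypass.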

Tunnel function check

When these changes are complete the VPN tunnel should be established and traffic between the local networks should be able to flow through it.
This can be verified with a ping command between the hosts on opposite local networks.

Note

If the tunnel is not established, restart the VPN service from both sides.

  • View the tunnel status in MikroTik:

    To see the status through the graphical web interface, go to the ‘IP:IPsec’ menu:

    • The ‘Installed SAs’ tab should show two lines containing the properties of the connections between the peers (IPsec SAs are unidirectional, so one line is shown per direction).
    • In the ‘Policies’ tab, the ‘PH2 State’ field should have the value ‘established’.

    To see the status via the CLI, execute the commands:
    /ip ipsec
    installed-sa print
      (you should see two lines with the properties of the connections between the peers)
    active-peers print
      (the STATE of the connection should have the value established)

  • The status of the IPsec site connection in the VPNaaS has changed to Active.