Mikrotik Video Tutorial – Creating an IPSEC LAN to LAN Tunnel
So you have multiple sites, each with its own internet connection, and you want to connect their internal subnets together securely. How would one accomplish this? With an IPsec tunnel. Imagine it as a secure pipe from one site's LAN to the other's: traffic between the private subnets is encrypted while it crosses the internet, and a host on one side reaches a host on the other by its normal private address. This tutorial shows just how that configuration is accomplished on MikroTik RouterOS. Use the diagram below as a reference for the video.
Click the link below to see the VIDEO!
NOTE: Don't use NAT-T (NAT traversal, which wraps ESP in UDP port 4500) with the MikroTiks unless you absolutely have to; in the RouterOS versions covered here the option seems to be somewhat buggy. You only need it when one of the routers sits behind a NAT device. With public addresses on both ends, leave it off.
When terminating tunnels to Linksys RV042s, set your peer to aggressive mode. Caveat: with pre-shared keys, aggressive mode sends the identities and the PSK-derived hash before the exchange is encrypted, so anyone capturing the exchange can attack the PSK offline. Use it only where the far end requires it, with a long random PSK, and keep main mode everywhere else.
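A worked configuration for the two-site case, added here as an example; it is not the video's own export, and every concrete value is assumed: site A has public address 198.51.100.1 on ether1 and LAN 192.168.1.0/24, site B has 203.0.113.2 on ether1 and LAN 192.168.2.0/24, and the pre-shared key is a placeholder. The syntax is RouterOS v4-era, matching the comments on this page; later releases spell the proposal cipher aes-256-cbc, use separate src-port/dst-port parameters instead of the ":any" suffix, and split the peer into peer and identity, so check each parameter against `/ip ipsec peer print` on your release.

```routeros
# Added example, not the video's export. Assumed addressing:
#   Site A: ether1 = 198.51.100.1 (public), LAN 192.168.1.0/24
#   Site B: ether1 = 203.0.113.2  (public), LAN 192.168.2.0/24
# v4-era syntax; later releases spell the cipher aes-256-cbc and use
# src-port=any/dst-port=any instead of the ":any" suffix on the policy.

# ============ Site A ============
# Phase 2 proposal: AES-256 + SHA1 with PFS. Avoid des/3des/md5.
/ip ipsec proposal set default enc-algorithms=aes-256 auth-algorithms=sha1 pfs-group=modp2048 lifetime=30m

# Phase 1 peer: main mode (identities protected), long random PSK, no NAT-T.
/ip ipsec peer add address=203.0.113.2/32:500 auth-method=pre-shared-key \
    secret="CHANGE-ME-to-a-long-random-psk" exchange-mode=main \
    enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048 \
    nat-traversal=no send-initial-contact=yes lifetime=1d

# Policy: the "interesting" traffic is LAN A <-> LAN B; tunnel mode, ESP required.
# level=require means packets matching the policy are dropped, never sent in
# the clear, while the SA is absent.
/ip ipsec policy add src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 proposal=default

# NAT bypass. The accept rule must sit ABOVE the masquerade rule: srcnat runs
# before the policy lookup, so a masqueraded packet has source 198.51.100.1
# and never matches 192.168.1.0/24 -> 192.168.2.0/24.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# If the input chain drops by default, admit IKE and ESP from the peer only.
/ip firewall filter add chain=input src-address=203.0.113.2 protocol=udp dst-port=500 action=accept
/ip firewall filter add chain=input src-address=203.0.113.2 protocol=ipsec-esp action=accept

# ============ Site B (mirror image) ============
/ip ipsec proposal set default enc-algorithms=aes-256 auth-algorithms=sha1 pfs-group=modp2048 lifetime=30m
/ip ipsec peer add address=198.51.100.1/32:500 auth-method=pre-shared-key \
    secret="CHANGE-ME-to-a-long-random-psk" exchange-mode=main \
    enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048 \
    nat-traversal=no send-initial-contact=yes lifetime=1d
/ip ipsec policy add src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.2 sa-dst-address=198.51.100.1 proposal=default
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=udp dst-port=500 action=accept
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=ipsec-esp action=accept

# ============ Verify (either side) ============
# Log IKE negotiation, then ping a host on the far LAN from a host on the near
# LAN (or use Winbox's advanced ping with the LAN address as source).
/system logging add topics=ipsec action=memory
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Two checks worth doing before trusting the tunnel: `/ip ipsec installed-sa print` should show the packet counters climbing in both directions while the ping runs, and a packet capture on ether1 should show only ESP between the two public addresses, never the private source addresses. If you see the private traffic leaving masqueraded, the accept rule is below the masquerade rule.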
Great tutorial,
but I'm stuck a bit...
From both MikroTiks I can successfully ping all my hosts on both private networks, but
how can I access a remote host (e.g. 192.168.1.20) from my private network (e.g. 192.168.2.20)?
Maybe routing will help me? Not sure... please help xD
Ex:
I need an RDP connection from 192.168.1.10 to 192.168.2.20
Dineck,
You should be able to just RDP to the 192.168.2.20 host. As long as your default route points traffic toward the ISP interface, your traffic should get encrypted and sent across the tunnel. From your private hosts you can ping each other; can 192.168.1.10 ping 192.168.2.20? If so, you should be able to RDP. I would check the Windows firewalls to make sure they aren't blocking anything; try disabling them temporarily.
Greg
Great tutorial. Just what I was looking for. Thanks
Pito,
Great, glad I could help!
I tried it step by step on v4.2 but it did not work 🙁
I couldn't ping from one side to the other.
The only IPsec setup I found to work is this:
http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco
Also, can you please tell me the way to make a VPN between a Cisco and a MikroTik (I have a dynamic IP on the Cisco, so I cannot add a peer in the MikroTik for IPsec)? I can't make PPTP work either between MikroTik and Cisco, only from Windows/Linux -> Cisco.
Thanks
Well, I’ve yet to move anything to V4. I’m not moving until they hit 4.10 or if they release a feature that I have to have.
If I get a little time, I’ll load up a couple of V4 VMs and test.
What you want to do for your second problem is to create a peer in the MTK with ip of 0.0.0.0 and check the generate policy box. This will allow an unknown peer to join and automatically create a policy.
Thanks a lot for the reply. I will have to test with 0.0.0.0 when I get home.
I am certainly glad I found your website! I just picked up my first Routerboard last week and turned it on yesterday. I just finished upgrading the OS to 4.3 using your tutorial for that. I am going to really enjoy learning using your tutorials. Time to order more Routerboards and have some more fun.
Cisco and Juniper have their place, but no more pricey hardware for what I can do with Mikrotik!
Thanks so much for your contribution to the community.
Stan,
I’m glad you found them useful. If you are just getting started in Mikrotik or even networking for that matter, I would recommend my video class series I’ve started. Have a look here: http://gregsowell.com/?page_id=951
Thanks for dropping me a comment sir!
I have been having random issues with my network which is based on this “how to” http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco.
I noticed yours is slightly different and fixed one of my problem locations. Maybe someone can shed some light on this. Here are the differences between the video and the cisco article.
1. / ip ipsec policy
cisco article – src-address=LocalPublicIP/32:any
dst-address=RemotePublicIP/32:any
tunnel=no
nat-traversal=no
your article –
src-address=LocalNetwork/24
dst-address=RemoteNetwork/24
tunnel=yes
nat-traversal=yes
Also in the Cisco “howto” and my config, you have to create an IPIP interface (with IPIP tunnel IP) but not in your article. Can someone shed some light on this?
I am also using OSPF for dynamic routing using the network address on the IPIP interface. The IPIP interface looks like the following at each location (with diff IPs of course) –
example –
10.0.0.0/30 = network
10.0.0.1/30 = IP at central router
10.0.0.2/30 = IP at remote location
10.0.0.3/30 = broadcast
Jeremy,
The difference between mine and theirs is that they are doing an ipip tunnel and I’m doing a straight IPSec tunnel.
Their configuration attempts to just encrypt the ipip traffic moving between routers. The ipip option is your best option if you have multiple wan connections, since this will allow you to route your encrypted traffic via multiple connections.
A straight IPSec tunnel is a good option for hub and spoke connections that don’t have multiple WAN connections.
On a side note, DO NOT use NAT traversal unless you absolutely have to.
For your troubleshooting, first create the IPIP tunnel and test. If you can ping across the tunnel, move on.
Add your dynamic routing and test. If this works, then move on to encryption.
Maybe I should clarify my issue. With my current setup as described, I have some locations that cannot ping the central router (and vice versa) as soon as the policy is enabled. But when I changed
src-address=LocalPublicIP/32:any
dst-address=RemotePublicIP/32:any
tunnel=no
TO
src-address=LocalNetwork/24
dst-address=RemoteNetwork/24
tunnel=yes
in the policy, the connection was fine. I am by no means an IPsec expert and was hoping you might be able to explain the difference or have an idea why I am experiencing this issue. Thanks for the responses; they have been very helpful.
Jeremy,
My way is a straight IPSec tunnel. Their way is an IPIP tunnel with the IPIP tunnel traffic encapsulated in IPSec.
In my way, when traffic specified in the policy attempts to leave the router(also called “interesting” traffic), it will grab that and encrypt it. This is simple to configure and will work with pretty much any vendor. There is no tunnel interface associated with this kind of connection.
The IPIP method allows you to route traffic dynamically while still being IPSec encapsulated. This works best if you have multiple WAN connections, or if the subnets that need to be encrypted change frequently.
The IPIP method creates a tunnel interface between two devices. You then encrypt that tunnel interface.
Clear as mud?
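The IPIP-inside-IPsec design Greg contrasts above, as an added example; it is not from the video, the wiki article or Jeremy's configuration. The addresses are the same assumptions as before (site A 198.51.100.1 with LAN 192.168.1.0/24, site B 203.0.113.2 with LAN 192.168.2.0/24), the tunnel uses 10.0.0.0/30 as in Jeremy's layout, and the OSPF area and interface names are assumptions. Site A is shown; site B mirrors it with the addresses swapped and 10.0.0.2/30 on the tunnel. The order follows Greg's advice: tunnel first, routing second, encryption last, testing at each step.

```routeros
# Added example of IPIP over transport-mode IPsec (site A shown; assumed addresses).
#   Site A: ether1 = 198.51.100.1, LAN 192.168.1.0/24, tunnel 10.0.0.1/30
#   Site B: ether1 = 203.0.113.2,  LAN 192.168.2.0/24, tunnel 10.0.0.2/30

# Step 1: plain IPIP tunnel. Test with /ping 10.0.0.2 before going further.
/interface ipip add name=ipip-siteB local-address=198.51.100.1 remote-address=203.0.113.2
/ip address add address=10.0.0.1/30 interface=ipip-siteB

# Step 2: dynamic routing over the tunnel. Authenticate OSPF on the tunnel
# interface so a forged hello cannot inject routes; the encryption added in
# step 3 protects the carrier, not the routing protocol's trust model.
/routing ospf interface add interface=ipip-siteB network-type=point-to-point \
    authentication=md5 authentication-key="CHANGE-ME-ospf-key"
/routing ospf network add network=10.0.0.0/30 area=backbone
/routing ospf network add network=192.168.1.0/24 area=backbone
# Check: /routing ospf neighbor print should show 10.0.0.2 in state Full,
# and /ip route print should list 192.168.2.0/24 via ipip-siteB.

# Step 3: encrypt only the IPIP carrier packets (IP protocol 4 = ipencap)
# between the two public addresses, in transport mode. The policy matches
# router-to-router traffic, not the LAN subnets, so no NAT bypass rule is
# needed and any subnet OSPF learns later is carried without touching IPsec.
/ip ipsec peer add address=203.0.113.2/32:500 auth-method=pre-shared-key \
    secret="CHANGE-ME-to-a-long-random-psk" exchange-mode=main \
    enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048 nat-traversal=no
/ip ipsec policy add src-address=198.51.100.1/32:any dst-address=203.0.113.2/32:any \
    protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 proposal=default
# level=require: if the SA is missing, the IPIP packets are dropped rather than
# sent in the clear, so a failed IKE negotiation fails closed.

# Verify: OSPF neighbour still Full, and a capture on ether1 shows ESP only,
# no protocol 4 packets between the public addresses.
/ip ipsec installed-sa print
/routing ospf neighbor print
```

The trade-off is visible in the policy line: the tunnel-mode design on this page names the two LANs and so leaks nothing about the routing inside, while the transport-mode design names only the routers and leaves the LAN-to-LAN decision to OSPF. That is why Greg recommends the IPIP variant when subnets change often or when there are several WAN links: you add a second IPIP interface over the other link and let OSPF pick the path, each carrier protected by its own policy.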
Greg,
Took me a couple of tries, walking away from the computer a couple of times, and I have an IPSec link up between my home and work!! Turns out it's really not that hard, thanks to the way you have explained it. Some parts I'm a little iffy on understanding why, such as the NATing in the beginning, but I'll get there.
Thanks again.. !!!
Greg,
Can you show the procedure to generate and use certificates ?
Thanks,
-tp
Figured out how to use certificates. Good Youtube presentation at this location, http://www.youtube.com/watch?v=KbInXaFbC8g. Had it up and running in no time at all.
Tim,
Thanks for the link. Looks like an OpenVPN cert config. Nice dude!
Sorry for the lack of response lately, I just got back from my xmas vacation 🙂
Dear Greg,
First of all, thanks a lot for your great tutorials. They helped me learn a lot about tunnels.
I have an issue. I did things exactly like your tutorials (PDF manual pages 15-20). At the final step, when I use advanced ping to ping the remote site, I get 3 packets rejected and after that the tunnel is established successfully. But after the tunnel is established I get request timed out. I downloaded version 3.3 x86 PC from MikroTik.
What's your idea about that? Is something wrong with the PC version?
(I've also tried versions 2.97, 3.20, 3.22 and 4.5,
but nothing changed.)
Thanks for your attention.
Masud,
When you enable IPSec logging, what additional details do you get?
Plug in PCs to either end and see if these machines ping each other. If you run torch on the inside interfaces, do you see the ICMP traffic hitting the PC and coming back?
Dear Greg,
I used VMware for testing and tried to do this test with two routers (MK1, MK2). The connectivity is OK.
I could fix this issue! I tried to connect 3 routers and simulate exactly what you did in this page, and it works for me. The 3rd router just routes between network 1.1.1.0 and 2.2.2.0.
Maybe VMware on a single machine is not a good idea for testing such things. And again, maybe when I tried to use 3 routers, the 3rd one isolated the traffic between the two routers (MK1, MK2) up to layer 3.
Anyway, dear master Greg, many thanks for your attention and step-by-step tutorials and manuals. They showed me the way!
Rock and roll bud!
Thanks
Hi, I'm a newbie here. I've just followed all of your tutorials here, but when I tried to ping router1 from router2, I got this message: 'no route to host'.
Can you help me please? I want to build a secure VPN to connect 2 sites via the internet with MikroTik routers as gateways; could you please help me with where I must start (step by step)?
Thanks for your help
Alien,
Sounds like you are labbing this stuff. You have to have a route for the destination in your route table or at least a default route.
So what should I do? I'm really new to this MikroTik thing 😀
Would you please help me step by step from the beginning?
Thanks for your kindness
Hi Greg,
Firstly, thanks for the great tutorials!
I’ve managed to get an IPSec tunnel between my RB750 and a Billion 7402R2 ADSL router working. My only issue is the following:
1. My RB750 is using a fixed public IP address. Yay!!
2. My Billion 7402R2 is using a dynamic public IP.
I can get the tunnel working if I use the IP address in aaa.bbb.ccc.ddd notation but it only lasts until my Billion is rebooted or my home is load shedded.
The Billion router can find the RB750 very easily, but I need just a small script on the RB750 to do the dns resolution to find the Billion’s public IP. I am using dyndns on the Billion.
Keep up the great work, you are helping many!
Mike, on the fixed IP side, use the generate policy option. I’ve got an example in my VPN training: http://gregsowell.com/?p=1290. Check the slides.
Alien,
Watch my VPN training or consult the slides. These pretty much walk you through step by step: http://gregsowell.com/?p=1290
Hi Greg,
I followed the slides but get stuck.
On RB750 (Site1 with fixed public IP) I create a IPSec policy with SA Src Address = Site1’s public IP and SA Dst Address = 0.0.0.0
I create a peer with address 0.0.0.0 and enable generate policy but the tunnel never comes up. I have waited up to 20 minutes, still nothing.
To test I use the current dynamic IP of site 2 (Billion router) in the format 41.185.xxx.yyy as the SA Dst Address in the IPSec policy and also in the address for the IPSec peer and then the tunnel works within 10 seconds of clicking apply.
So at this stage I think all I need to do is get the RB750 to resolve a dyndns address into the SA Dst Address and IPSec peer address fields and my tunnel should always work.
Please can you help. I have read the slides 10 times now and rebooted 11 times without winning.
Appreciate you hard work.
OK, thanks, I will watch it 😀
Mike,
On the site1 router, don’t add a policy. On the site1 peer with address 0.0.0.0, hit the checkbox that says generate policy.
Site2, try this script (be sure to set your proper interface and the policy # in your script):
Easier to read it like this:
You should have this script run every 5 mins or so.
Greg,
I appreciate the feedback but I think we are both a little confused now.
Site 1 is a RB750 directly connected to the internet with static public IP.
Site 2 is a Billion VPN ADSL router that gets the dynamic public IP, so no RB750 at site 2.
Image of network here:
http://www.bridgeconference.co.za/VPN.htm
Basically I think Site 1 needs to resolve the dyndns address of the Billion VPN router on the far side of the tunnel.
I dont need to touch or change any configs at site 2 as the IPSec VPN function is built into the Billion router.
I am sure I should be running some sort of script at site 1 (RB750) to resolve site 2’s (Billion VPN) dyndns address.
Is there a way to put “mysite.dyndns.org” into the SA Dst Address and the Peer IP address at site1(RB750)?
Thanks for all your help.
Ahh, my bad. I only half read the post 😛 You should be able to setup the peer 0.0.0.0 with generate policy. That should take care of everything. What happens is the clients connects and matches the 0.0.0.0 peer. Then the 750 will automatically generate a policy for that client. If you insist on doing it with the dns resolution you can use:
Greg,
Lotsa kudos to you!
Scripts work and tunnel is built very easily, even after a few reboots on the dynamic end!
I figured I just need to watch the durations the keys are active for from both ends, otherwise the tunnel closes at times when you're not watching.
This had me confused for a while….
Thanks for all your help buddy!
Mike,
I’m glad it got you fixed up. 🙂
Heya Greg,
I have been IPSec tunneling between my house and my office for a while now and it’s great thanks to your tutorials! I am a Mikrotik newb.
Only issue is that the tunnel breaks down and requires the Resolve script to run to rebuild the tunnel to the dynamic IP side.
Now if the script runs every 10 minutes on the RB750 I have a tunnel broken for 3 minutes out of every 10.
I use logmein and remotely tell the RB750 to run my Resolve script and the tunnel is instantly rebuilt.
Is there a script I can run every minute that checks if the far site dyndns address has changed from what it was to something new, and only then runs the Resolve script to rebuild the tunnel?
Here’s my Resolve Script:
:log info “–Starting Resolve Script…”
:global RemoteSite [:resolve mydynamichomeip.dyndns.org]
:log info $RemoteSite
/ip ipsec policy set 0 sa-dst-address=$RemoteSite
/ip ipsec peer set 0 address=”$RemoteSite:500″
:log info “–Ending Resolve Script…”
From what I can see this script above resolves the dyndns address and puts it into the policy and peer fields. If I set it to run every hour, sometimes I need to wait an hour before the tunnel opens.
Somehow I think I need to put an IF statement here somewhere that does a dyndns check and compares it to the new dyndns and if there is a change then resolves and puts the new values into the policy and peer fields.
Does this make sense to you? It’s kinda hard to explain from my newbie perspective.
As always, your perpetual tunneler.
Mike
Mike,
I did a dyndns article here: http://gregsowell.com/?p=1523. See if that doesn’t answer your questions 🙂
I used Netwatch to check if the far side is there.
If not then the Resolve script runs.
Thanks for your help.
Mike
Hi Greg,
Thanks for the IPSEC tutorial. I made 14 tunnels to 14 Linksys RV016s from my one MikroTik RB493 the way you prescribed in the video.
I made Nat rules like yours for every subnet example,
MT interior src 192.168.16.0/24 Linksys interior dst 192.168.18.1 action=accept
I did this 14 times each with the Src being x.x.16.0 and the dst 192.168.xx.0 for each tunnel’s interior.
I have SA’s popping up for each tunnel when pinged FROM the MT’s interior with a PC, in a DOS cmd window with the ping command. All INTERIORS CAN BE PINGED.
But, from the same machine that can ping them with a DOS cmd line, I cannot BROWSE to the interior IP devices on the remote tunnels. I can ping but cannot browse...
What am I doing wrong? Do I need to make a route table or route rules?
I have a 0.0.0.0/0 route to my Exterior IP’s Gateway on the MT with it’s preferred source as the IP itself.
Am I missing something obvious?
BTW, if I get this to work, the end game is to switch out ALL of the Linksys RV016’s one at a time. They all have tunnels to each other , 14 at each router, and can browse to the interior IP’s of each router.
The next step would be IPIP IPSEC with failover and multicast. But, I need to get this simple tunnel setup correct first, with MT’s replacing the Linksys.
I am close, but need to get the MT to browse like the Linksys first.
Can you help?
Mike
Hi Greg,
I have an RB750G with the 4.5 build from 12/Jan/2010. I configured my router as shown in your video tutorial, but IPsec in tunnel mode is not working: the SA is installed, but traffic is not routed; I cannot ping the remote computer (for example 10.99.88.77). The IPsec SA is installed successfully, so I think there is a routing problem. My configuration (example): LAN (192.168.10.0/24) -> RB750G (in 192.168.10.1, out 195.10.10.10) -> Internet -> Router (out 195.8.8.8) -> remote LAN (10.99.0.0/16). Maybe there are some bugs in the 4.5 version?
Thanks for your help
Sen
Senux,
Do you have Mikrotiks on both sides? Are their configs opposites? Did you enable ipsec logging? Did you add the nat bypass? Do you see the packet count incrementing on the SA? Need more information.
Mike,
You are trying to browse from your PC across the tunnel to another device or are you trying to browse from your PC to the inside IP address of the Mikrotik?
If you are trying to browse to the IP address of the linksys, does he have a route pointing to your MTK for the source address of the traffic?
Thank you Greg for your reply and especially for the tutorial.
Your video tutorial is great and is the one that works for IPsec tunneling. I can reach computers in another network from computers in my network. The problem was the remote router (Red Hat or similar) configuration: an anti-spoofing rule dropped my incoming traffic.
P.S.: I bought a MikroTik RB750G router because I had a lot of stability problems with a Linksys BEFVP41-EU (rebooting all the time when IPsec was configured).
NP Senux 🙂 Glad it helped.
Setting peer=0.0.0.0 doesn’t work for me, at least using v4.11 (I have not tried other versions).
Has ANYONE been able to get this to work?
Answering my own question here…it works!
You have to specify “0.0.0.0/0” for the peer address note the added “/0” after the 0.0.0.0 address.
Woo Hoo!
Greg rocks!
Nice tutorial mate. BIG thanks !!!
Great tutorial, simple and objective … Thanks
Hi,
That was a nice tutorial, but what I really need is to set up a redundant and resilient (HA) IPsec router with MikroTik (both net-to-net and net-to-IPsec clients). What redundancy protocol should I use? VRRP?
Is anybody able to help? Greg, maybe?
Thanks a lot in advance