IPSEC between Mikrotik router and a Shrew client: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
← Older editNewer edit →
Line 21: Line 21:


{{Note | RouterOS does not support modecfg and xauth. We need to disable every dynamic option in shew}}
{{Note | RouterOS does not support modecfg and xauth. We need to disable every dynamic option in shew}}
* On the first configuration tab ("General") we simply specify server's IP address.
* On the second tab ("Client") disable any features that you do not want to use. In this case we are not using NAT-T, DPD, etc. So all of them are disabled.
[[file:shew1-2.png | center]]
* On the third tab ("Name Resolution") we disable everything since these options are used by modecfg, which is not supported on ROS.
* On the fourth tab In our case we are using pre shared key, so choose Mutual PSK and enter pre shared key.
[[file:shew3-4.png | center]]
[[file:shew5-6.png | center]]
[[file:shew7.png | center]]




Revision as of 14:14, 27 September 2012

Overview

This article shows how to connect Shew Ipsec client to RouterOS Ipsec server.

RouterOS Configuration

IPSec configuration

/ip ipsec peer 
  add address=10.5.101.20/32 auth-method=pre-shared-key exchange-mode=main\
  secret=123 hash-algorithm=md5 enc-algorithm=3des generate-policy=yes

Since we assume that it is Road-Warrior setup, we do not know from where client will be connecting, so generate-policy=yes should be set.


Shew client configuration

Now we need to match configuration on Shew client. And assume that we want to reach remote network 99.77.77.0/24 located behind router from Shew client

Note: RouterOS does not support modecfg and xauth. We need to disable every dynamic option in shew


  • On the first configuration tab ("General") we simply specify server's IP address.
  • On the second tab ("Client") disable any features that you do not want to use. In this case we are not using NAT-T, DPD, etc. So all of them are disabled.


  • On the third tab ("Name Resolution") we disable everything since these options are used by modecfg, which is not supported on ROS.
  • On the fourth tab In our case we are using pre shared key, so choose Mutual PSK and enter pre shared key.



Here is the whole Shew config, you can import it in your client 

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:network-host:10.5.101.3
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:disable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
s:ident-client-data:10.5.101.20
s:ident-server-data:10.5.101.3
b:auth-mutual-psk:MTIz
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:99.77.77.0 / 255.255.255.0

Check Connectivity

[admin@MikroTik] /ip ipsec remote-peers> print 
 0 local-address=10.5.101.3 remote-address=10.5.101.20 state=established 
   side=responder established=44m3s
  • IPSec should show intalled-sa,
[admin@MikroTik] /ip ipsec installed-sa> print 
Flags: A - AH, E - ESP, P - pfs 
 0 E  spi=0x476464 src-address=10.5.101.20 dst-address=10.5.101.3 
      auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="fae8bc2918fea03dac0b7c8b6db57c60" 
      enc-key="15627d42163ad1fd58ee7cdc80d971d334883dbd2d81c42c" 
      addtime=sep/27/2012 13:51:07 expires-in=15m32s add-lifetime=48m/1h 
      current-bytes=240 

 1 E  spi=0x5D4BF3B9 src-address=10.5.101.3 dst-address=10.5.101.20 
      auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="728b19191d2a111673298c07d1f459c2" 
      enc-key="c944c45447df5429860d3999e674e1689bb41527ec941c9a" 
      addtime=sep/27/2012 13:51:07 expires-in=15m32s add-lifetime=48m/1h 
      current-bytes=240


  • And dynamically created policies
[admin@MikroTik] /ip ipsec policy> print 
Flags: X - disabled, D - dynamic, I - inactive 
 
 1 D src-address=10.5.101.20/32 src-port=any dst-address=99.77.77.0/24 
     dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=10.5.101.3 sa-dst-address=10.5.101.20 
     proposal=default priority=2 

 2 D src-address=10.5.101.20/32 src-port=any dst-address=99.77.77.0/24 
     dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=10.5.101.3 sa-dst-address=10.5.101.20 
     proposal=default priority=2 

 3 D src-address=99.77.77.0/24 src-port=any dst-address=10.5.101.20/32 
     dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=10.5.101.20 sa-dst-address=10.5.101.3 
     proposal=default priority=2
Retrieved from "https://wiki.mikrotik.com/index.php?title=IPSEC_between_Mikrotik_router_and_a_Shrew_client&oldid=24244"