IPSEC between Mikrotik router and a Shrew client

From MikroTik Wiki
Revision as of 14:14, 27 September 2012 by Marisb (talk | contribs) (Shew client configuration)
Jump to: navigation, search

Overview

This article shows how to connect Shew Ipsec client to RouterOS Ipsec server.

RouterOS Configuration

IPSec configuration

/ip ipsec peer 
  add address=10.5.101.20/32 auth-method=pre-shared-key exchange-mode=main\
  secret=123 hash-algorithm=md5 enc-algorithm=3des generate-policy=yes

Since we assume that it is Road-Warrior setup, we do not know from where client will be connecting, so generate-policy=yes should be set.


Shew client configuration

Now we need to match configuration on Shew client. And assume that we want to reach remote network 99.77.77.0/24 located behind router from Shew client

Icon-note.png

Note: RouterOS does not support modecfg and xauth. We need to disable every dynamic option in shew


  • On the first configuration tab ("General") we simply specify server's IP address.
  • On the second tab ("Client") disable any features that you do not want to use. In this case we are not using NAT-T, DPD, etc. So all of them are disabled.
Shew1-2.png


  • On the third tab ("Name Resolution") we disable everything since these options are used by modecfg, which is not supported on ROS.
  • On the fourth tab In our case we are using pre shared key, so choose Mutual PSK and enter pre shared key.
Shew3-4.png


Shew5-6.png
Shew7.png


Here is the whole Shew config, you can import it in your client

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:network-host:10.5.101.3
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:disable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
s:ident-client-data:10.5.101.20
s:ident-server-data:10.5.101.3
b:auth-mutual-psk:MTIz
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:99.77.77.0 / 255.255.255.0

Check Connectivity

[admin@MikroTik] /ip ipsec remote-peers> print 
 0 local-address=10.5.101.3 remote-address=10.5.101.20 state=established 
   side=responder established=44m3s 

  • IPSec should show intalled-sa,
[admin@MikroTik] /ip ipsec installed-sa> print 
Flags: A - AH, E - ESP, P - pfs 
 0 E  spi=0x476464 src-address=10.5.101.20 dst-address=10.5.101.3 
      auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="fae8bc2918fea03dac0b7c8b6db57c60" 
      enc-key="15627d42163ad1fd58ee7cdc80d971d334883dbd2d81c42c" 
      addtime=sep/27/2012 13:51:07 expires-in=15m32s add-lifetime=48m/1h 
      current-bytes=240 

 1 E  spi=0x5D4BF3B9 src-address=10.5.101.3 dst-address=10.5.101.20 
      auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="728b19191d2a111673298c07d1f459c2" 
      enc-key="c944c45447df5429860d3999e674e1689bb41527ec941c9a" 
      addtime=sep/27/2012 13:51:07 expires-in=15m32s add-lifetime=48m/1h 
      current-bytes=240 


  • And dynamically created policies
[admin@MikroTik] /ip ipsec policy> print 
Flags: X - disabled, D - dynamic, I - inactive 
 
 1 D src-address=10.5.101.20/32 src-port=any dst-address=99.77.77.0/24 
     dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=10.5.101.3 sa-dst-address=10.5.101.20 
     proposal=default priority=2 

 2 D src-address=10.5.101.20/32 src-port=any dst-address=99.77.77.0/24 
     dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=10.5.101.3 sa-dst-address=10.5.101.20 
     proposal=default priority=2 

 3 D src-address=99.77.77.0/24 src-port=any dst-address=10.5.101.20/32 
     dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=10.5.101.20 sa-dst-address=10.5.101.3 
     proposal=default priority=2