IPSec VPN / Mikrotik and Linksys BEFVP41

From MikroTik Wiki
Revision as of 11:22, 25 November 2011 by Satman1w

The purpose of this document is to help with configuring IPsec tunnels between a Mikrotik router and a Linksys BEFVP41 router, but it will also cover IPsec tunnel configuration between two Mikrotik routers, which has already been explained several times. Greg Sowell made an excellent video on the Mikrotik-to-Mikrotik IPsec topic, which can be found at:
http://gregsowell.com/?p=787
This document is based on it.

Assume the following:

(Network diagram: IPsec.png)

We are working with three routers at three different locations, all connected to the Internet.

First location Router RB1000
Private network address 10.10.1.0/24
Router local address on ethernet1 10.10.1.254
Public network address 1.1.1.0/24
Router public address on ethernet4 1.1.1.1


Second location Router RB1000
Private network address 10.10.2.0/24
Router local address on ethernet1 10.10.2.254
Public network address 2.2.2.0/24
Router public address on ethernet4 2.2.2.2


Third location Router Linksys BEFVP41
Private network address 10.10.3.0/24
Router local address on LAN interface 10.10.3.254
Public network address 3.3.3.0/24
Router public address on WAN interface 3.3.3.3


"Internet" Router RB450
First network address 1.1.1.0/24
IP address on ethernet1 1.1.1.254
Second network address 2.2.2.0/24
IP address on ethernet2 2.2.2.254
Third network address 3.3.3.0/24
IP address on ethernet3 3.3.3.254


The "Internet" router RB450 stands in for the Internet connection and does the basic routing between the public networks 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24.
NAT is configured on all routers, and they also provide DHCP for their respective networks.

Internet router configuration

/ip address
add address=1.1.1.254/24 disabled=no interface=ether1 network=1.1.1.0
add address=2.2.2.254/24 disabled=no interface=ether2 network=2.2.2.0
add address=3.3.3.254/24 disabled=no interface=ether3 network=3.3.3.0

First router configuration

1. IP addresses

/ip address
add address=10.10.1.254/24 disabled=no interface=ether1 network=10.10.1.0
add address=1.1.1.1/24 disabled=no interface=ether4 network=1.1.1.0

2. Default route

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.254 scope=30 \
    target-scope=10

3. NAT - Note that the NAT bypass rule for IPsec tunnel traffic must be at the top of the list! Here it is set for all 10.10.x.x networks, but you can specify the subnets individually.

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.10.0.0/16 src-address=\
   10.10.1.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ether4

4. IPsec

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=\
   default pfs-group=modp1024
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn=\
   "" nat-traversal=yes port=500 proposal-check=obey secret=tuturutu \
   send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.10.2.0/24 dst-port=any \
   ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
   sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.10.1.0/24 \
   src-port=any tunnel=yes
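As an added example (not part of this wiki page or of RouterOS itself), here is a small Python checker that parses a RouterOS export like the one above and verifies the two things steps 3 and 4 depend on: that the srcnat accept rule for tunnel traffic sits above the masquerade rule, and that every IPsec policy's sa-dst-address corresponds to a configured peer. The embedded export is a constructed copy of the first router's configuration, with the peer line shortened to the parameters the checks use.

```python
import re

# Constructed sample: first router's NAT and IPsec export from this page
# (peer line shortened to the parameters the checks use).
FIRST_ROUTER_EXPORT = """
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.10.0.0/16 src-address=\\
   10.10.1.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ether4
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 \\
   enc-algorithm=3des exchange-mode=main hash-algorithm=md5 secret=tuturutu
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.10.2.0/24 ipsec-protocols=esp \\
   level=require proposal=default sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 \\
   src-address=10.10.1.0/24 tunnel=yes
"""

def parse_export(text):
    """Return {menu path: [rule dict, ...]} after joining '\\' line continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    menus, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):              # menu path such as /ip firewall nat
            current = line
            menus.setdefault(current, [])
        elif line.startswith(("add ", "set ")) and current:
            pairs = re.finditer(r'(\S+?)=("[^"]*"|\S+)', line)
            menus[current].append({k: v for k, v in (m.groups() for m in pairs)})
    return menus

def check_nat_bypass(menus):
    """True only if the srcnat accept (bypass) rule precedes the masquerade rule."""
    actions = [r.get("action") for r in menus.get("/ip firewall nat", [])
               if r.get("chain") == "srcnat"]
    if "accept" not in actions or "masquerade" not in actions:
        return False
    return actions.index("accept") < actions.index("masquerade")

def check_policies_have_peers(menus):
    """Every policy's sa-dst-address must match a configured peer address."""
    peers = {p["address"].split("/")[0] for p in menus.get("/ip ipsec peer", [])}
    policies = menus.get("/ip ipsec policy", [])
    return bool(policies) and all(p.get("sa-dst-address") in peers for p in policies)

if __name__ == "__main__":
    cfg = parse_export(FIRST_ROUTER_EXPORT)
    print("NAT bypass before masquerade:", check_nat_bypass(cfg))
    print("every policy has a peer:", check_policies_have_peers(cfg))
```

The same checks run unchanged on the second router's export; they say nothing about algorithm strength, and the 3des/md5 phase 1 settings used on this page are legacy choices.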


Second router configuration

1. IP addresses

/ip address
add address=10.10.2.254/24 disabled=no interface=ether1 network=10.10.2.0
add address=2.2.2.2/24 disabled=no interface=ether4 network=2.2.2.0

2. Default route

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.254 scope=30 \
   target-scope=10

3. NAT

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.10.0.0/16 src-address=\
   10.10.2.0/24

4. IPsec

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
   name=default pfs-group=modp1024

4.1. First tunnel

/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
   my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=\
   tuturutu send-initial-contact=yes

4.2. Second tunnel

/ip ipsec peer
add address=3.3.3.3/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
   my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=\
   tuturutututurutututurutu send-initial-contact=yes

4.3. IPsec policy

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.10.1.0/24 dst-port=any \
   ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
   sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=10.10.2.0/24 \
   src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=10.10.3.0/24 dst-port=any \
   ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
   sa-dst-address=3.3.3.3 sa-src-address=2.2.2.2 src-address=10.10.2.0/24 \
   src-port=any tunnel=yes

The masquerade rule is a NAT rule, not an IPsec policy; it belongs under /ip firewall nat, below the bypass rule from step 3:

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether4

5. Keep alive for the Linksys router

/system scheduler
add disabled=no interval=30s name="Ping remote" on-event=\
   "ping 10.10.3.254 src-address=10.10.2.254 count=1" policy=\
   ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
   start-date=nov/25/2011 start-time=00:00:00

When the tunnel is dropped on the Mikrotik side, the Linksys is unable to bring it up again even if the "keep alive" check box is properly checked. The simplest way to work around this bug is to send a ping from the Mikrotik every 30 seconds. If the tunnel was dropped in the meantime, this ping will bring it up again.

Third router (BEFVP41) configuration

(Screenshots 01.png to 04.png of the BEFVP41 VPN settings pages)
This configuration was tested live on real equipment; if it doesn't work for you, it is because of a potential error in this document or a mistake made while copying it to your environment.
If you think there is a better way to do this, please feel free to comment.
Best of luck.