Sunday, October 16, 2016

how to configure IPsec between MikroTik and strongSwan (Linux)

*** network diagram

subnet1 ------------ strongswan -------------------- mikrotik ------------ subnet2
10.0.0.0/24       192.168.202.242              192.168.202.34        10.0.1.0/24
 

*** on strongswan

1- install package
$ sudo apt-get install strongswan

2- update the ipsec configuration file, /etc/ipsec.conf, with something like the following; keep the indentation as shown, because ipsec.conf requires the settings inside each config/conn section to be indented
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

conn tunnel
    rightsendcert=never
    left=192.168.202.242
    leftsubnet=10.0.0.0/24
    right=192.168.202.34
    rightsubnet=10.0.1.0/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=start
    keyexchange=ikev1
    type=tunnel

The ike= and esp= lines in conn tunnel override the long lists in conn %default (the trailing "!" makes them the only proposals offered), and keyexchange=ikev1 overrides the ikev2 default, so this tunnel actually negotiates IKEv1 main mode with aes256-sha1-modp1024 for IKE and aes256-sha1 for ESP, matching the mikrotik proposal below. modp1024 (DH group 2) and sha1 are weak by today's standards; if the router supports it, use modp2048 and sha256 on both sides.
3- set the pre-shared key in /etc/ipsec.secrets with the following line (local address, peer address, then the key; keep the file readable by root only, e.g. chmod 600)
192.168.202.242 192.168.202.34 : PSK 'topsecret'

4- restart ipsec and bring up the connection named tunnel (with auto=start the daemon brings it up by itself after the restart; "ipsec up" is harmless if it is already up)
$ sudo ipsec restart
$ sudo ipsec up tunnel

*** on mikrotik

1- phase 2 (IPsec SA) proposal; "set 0" edits the built-in proposal named "default", which the policy below refers to
/ip ipsec proposal set 0 auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=1h pfs-group=none

2- phase 1 (IKE) peer, matching ike=aes256-sha1-modp1024 and authby=secret on the strongswan side; secret= must be identical to the PSK in /etc/ipsec.secrets
/ip ipsec peer add address=192.168.202.242/32 port=500 auth-method=pre-shared-key secret="topsecret" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

3- policy; src-address/dst-address are from the router's point of view, so they are the mirror image of leftsubnet/rightsubnet in ipsec.conf
/ip ipsec policy add src-address=10.0.1.0/24 src-port=any dst-address=10.0.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.168.202.34 sa-dst-address=192.168.202.242 proposal=default priority=0

Note that the lifetimes are swapped between the two ends: strongswan has ikelifetime=1h (IKE SA) and lifetime=8h (IPsec SA), while the router has peer lifetime=8h (phase 1) and proposal lifetime=1h (phase 2). The tunnel still comes up, because each end simply rekeys when its own timer expires, but align them to avoid needless rekeying.
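As an added example (not code from the original post), the script below parses the strongswan conn block and the three RouterOS commands above and reports every setting on which the two ends disagree, which is the usual reason a MikroTik/strongSwan tunnel never reaches ESTABLISHED or rekeys at odd times. It embeds the page's own fragments as sample input (the peer command abridged to the settings compared); the algorithm-name tables, the exchange-mode "ike2" to IKEv2 mapping and the lifetime parser are this example's own assumptions and cover only the enc-integ[-group] proposal forms used on this page. Run against the configuration above it reports exactly the swapped lifetimes and nothing else.

```python
"""Cross-check a strongSwan conn against its MikroTik peer/proposal/policy.

Added example, not code from the original post. The config fragments below
are copied from the page as sample input; the parser and comparison are this
example's own. It reports every setting on which the two ends disagree.
"""
import re
import shlex

# strongSwan algorithm names -> RouterOS names (assumed table, algorithms used on this page).
ENC = {"aes128": "aes-128", "aes192": "aes-192", "aes256": "aes-256", "3des": "3des"}
HASH = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
# No group in a strongSwan esp= proposal means no PFS; RouterOS spells that pfs-group=none.
GROUPS = {None: "none", "modp1024": "modp1024", "modp1536": "modp1536", "modp2048": "modp2048",
          "modp4096": "modp4096", "ecp256": "ecp256", "ecp384": "ecp384"}

IPSEC_CONF = """\
conn tunnel
    left=192.168.202.242
    leftsubnet=10.0.0.0/24
    right=192.168.202.34
    rightsubnet=10.0.1.0/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    ikelifetime=1h
    lifetime=8h
    keyexchange=ikev1
"""
ROS_PROPOSAL = "/ip ipsec proposal set 0 auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=1h pfs-group=none"
ROS_PEER = ('/ip ipsec peer add address=192.168.202.242/32 port=500 auth-method=pre-shared-key '
            'secret="topsecret" exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-256 '
            'dh-group=modp1024 lifetime=8h')
ROS_POLICY = ('/ip ipsec policy add src-address=10.0.1.0/24 dst-address=10.0.0.0/24 protocol=all '
              'action=encrypt level=require ipsec-protocols=esp tunnel=yes '
              'sa-src-address=192.168.202.34 sa-dst-address=192.168.202.242 proposal=default')


def parse_conn(text, name):
    """Return the key=value settings of one 'conn <name>' block of ipsec.conf."""
    settings, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_routeros(cmd):
    """Return the key=value arguments of one RouterOS CLI command (shlex handles secret="...")."""
    return dict(tok.split("=", 1) for tok in shlex.split(cmd) if "=" in tok)


def split_proposal(spec):
    """'aes256-sha1-modp1024!' -> ('aes256', 'sha1', 'modp1024'). Only the first
    comma-separated enc-integ[-group] proposal is looked at; AEAD forms are not handled."""
    parts = spec.rstrip("!").split(",")[0].split("-")
    return parts[0], parts[1], (parts[2] if len(parts) > 2 else None)


def to_seconds(value):
    """'1h', '30m', '3600': strongSwan and RouterOS both write lifetimes this way."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"unparseable lifetime {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def compare(conn, peer, proposal, policy):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    problems = []

    def check(what, ours, theirs):
        if ours != theirs:
            problems.append(f"{what}: strongSwan {ours} vs MikroTik {theirs}")

    enc, hsh, grp = split_proposal(conn["ike"])          # phase 1 <-> /ip ipsec peer
    check("IKE encryption", ENC[enc], peer["enc-algorithm"])
    check("IKE hash", HASH[hsh], peer["hash-algorithm"])
    check("IKE DH group", GROUPS[grp], peer["dh-group"])
    check("IKE SA lifetime (s)", to_seconds(conn["ikelifetime"]), to_seconds(peer["lifetime"]))
    # RouterOS selects IKEv2 with exchange-mode=ike2; main/aggressive are IKEv1 (assumed mapping)
    check("IKE version", conn["keyexchange"], "ikev2" if peer["exchange-mode"] == "ike2" else "ikev1")
    check("peer address", conn["left"], peer["address"].split("/")[0])
    enc, hsh, grp = split_proposal(conn["esp"])          # phase 2 <-> /ip ipsec proposal
    check("ESP encryption", ENC[enc], proposal["enc-algorithms"])
    check("ESP integrity", HASH[hsh], proposal["auth-algorithms"])
    check("PFS group", GROUPS[grp], proposal["pfs-group"])
    check("IPsec SA lifetime (s)", to_seconds(conn["lifetime"]), to_seconds(proposal["lifetime"]))
    # Traffic selectors: the router's src/dst are the mirror image of left/right subnets
    check("local subnet", conn["leftsubnet"], policy["dst-address"])
    check("remote subnet", conn["rightsubnet"], policy["src-address"])
    check("remote gateway", conn["right"], policy["sa-src-address"])
    return problems


def check_page_config():
    """Run the comparison on the configuration shown in this post."""
    return compare(parse_conn(IPSEC_CONF, "tunnel"), parse_routeros(ROS_PEER),
                   parse_routeros(ROS_PROPOSAL), parse_routeros(ROS_POLICY))


if __name__ == "__main__":
    print(*check_page_config(), sep="\n")
```

To use it on a real deployment, replace the embedded strings with the contents of /etc/ipsec.conf and the output of /ip ipsec peer export, proposal export and policy export on the router; anything printed is a setting to fix before looking anywhere else.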



*** check status

- check ipsec status on strongswan
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 17 minutes ago, 192.168.202.242[192.168.202.242]...192.168.202.34[192.168.202.34]
      tunnel{1}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
      tunnel{1}:   10.0.0.0/24 === 10.0.1.0/24
      tunnel{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c06f1edd_i 0461387b_o
      tunnel{2}:   10.0.0.0/24 === 10.0.1.0/24
      tunnel{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cec570ac_i 075d598f_o
      tunnel{3}:   10.0.0.0/24 === 10.0.1.0/24

- check the peer and the installed SAs on mikrotik
/ip ipsec remote-peers print
/ip ipsec installed-sa print

Now the tunnel is ready to carry traffic: ESTABLISHED is the IKE SA and the INSTALLED entries are the ESP child SAs for 10.0.0.0/24 === 10.0.1.0/24. A ping from a host in 10.0.0.0/24 to a host in 10.0.1.0/24 should go through, and "sudo ip xfrm state" on the strongswan box lists the same SPIs as the status output.

- snapshot of strongswan successfully bringing up connection tunnel

- snapshot of SAs installed on the mikrotik router after the ipsec connection is brought up
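An added example, not from the original post: a small monitoring check that parses the "ipsec status" output above and returns what is wrong (no ESTABLISHED IKE SA, or no INSTALLED child SA for the expected subnet pair), so it can run from cron and alert instead of someone eyeballing the output. SAMPLE_UP is the output shown on this page; SAMPLE_DOWN, showing a tunnel still negotiating, is constructed; the regular expressions are this example's own and match the line formats seen above.

```python
"""Parse `ipsec status` and decide whether the site-to-site tunnel is healthy.

Added example, not part of the original post. SAMPLE_UP is the status output
shown on the page; SAMPLE_DOWN is a constructed negotiation-in-progress output.
In production feed it the live output of `sudo ipsec status` (see run_live)
and alert when tunnel_problems() returns a non-empty list.
"""
import re
import subprocess

SAMPLE_UP = """\
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 17 minutes ago, 192.168.202.242[192.168.202.242]...192.168.202.34[192.168.202.34]
      tunnel{1}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
      tunnel{1}:   10.0.0.0/24 === 10.0.1.0/24
      tunnel{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c06f1edd_i 0461387b_o
      tunnel{2}:   10.0.0.0/24 === 10.0.1.0/24
      tunnel{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cec570ac_i 075d598f_o
      tunnel{3}:   10.0.0.0/24 === 10.0.1.0/24
"""
# Constructed sample: what the output looks like while IKE is still negotiating.
SAMPLE_DOWN = """\
Security Associations (0 up, 1 connecting):
      tunnel[2]: CONNECTING, 192.168.202.242[%any]...192.168.202.34[%any]
"""

# IKE SA line:   name[id]: STATE ...        CHILD SA line: name{id}:  STATE, TUNNEL, ...
# selector line: name{id}:   local === remote
IKE_SA = re.compile(r"^\s*(?P<conn>[^\s\[]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)")
CHILD_SA = re.compile(r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),")
SELECTORS = re.compile(r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)")


def parse_status(text):
    """Return (ike_sas, child_sas): ike_sas maps conn -> set of IKE SA states,
    child_sas maps (conn, id) -> {'state': ..., 'local': ..., 'remote': ...}."""
    ike, child = {}, {}
    for line in text.splitlines():
        if m := IKE_SA.match(line):
            ike.setdefault(m["conn"], set()).add(m["state"])
        elif m := CHILD_SA.match(line):
            child[(m["conn"], m["id"])] = {"state": m["state"]}
        elif m := SELECTORS.match(line):
            child.setdefault((m["conn"], m["id"]), {}).update(local=m["local"], remote=m["remote"])
    return ike, child


def tunnel_problems(text, conn, local, remote):
    """List what is wrong with <conn> for the expected subnet pair; [] means healthy."""
    ike, child = parse_status(text)
    problems = []
    if "ESTABLISHED" not in ike.get(conn, set()):
        problems.append(f"{conn}: no ESTABLISHED IKE SA (states: {sorted(ike.get(conn, []))})")
    # A REKEYED child SA is on its way out; only an INSTALLED one carries traffic.
    installed = [sa for (c, _), sa in child.items()
                 if c == conn and sa.get("state") == "INSTALLED"
                 and sa.get("local") == local and sa.get("remote") == remote]
    if not installed:
        problems.append(f"{conn}: no INSTALLED CHILD_SA for {local} === {remote}")
    return problems


def run_live(conn="tunnel", local="10.0.0.0/24", remote="10.0.1.0/24"):
    """Check the running daemon; needs root (or sudo), like `ipsec status` itself."""
    out = subprocess.run(["ipsec", "status", conn], capture_output=True, text=True, check=False).stdout
    return tunnel_problems(out, conn, local, remote)


if __name__ == "__main__":
    print(*run_live(), sep="\n")
```

Exit status or a push to your alerting system can be hung off the returned list; a non-empty list after dpdtimeout has passed is the moment to look at the charon log and at /ip ipsec remote-peers on the router.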





