IKE2 VPN Setup Guide for MikroTik

Summary: steps to configure the WAN IP address and DNS servers on the RouterOS device acting as the IKE2 VPN server:
1. IP -> Addresses: add the WAN IP address that will be used for the VPN server and set it as the default gateway
2. IP -> DNS: add the DNS server IP addresses to use for name resolution
3. Save the configuration
This gives the VPN server a public IP to listen on for VPN clients and lets it perform DNS lookups for clients.

MikroTik IPSec ike2 VPN server
Easy and clear step-by-step guide

Nikita Tarikin / nikita@[Link]
Certified network engineer, MikroTik PRO, Russia

Certifications (since 2016): MTCNA 90%, MTCRE 93%, MTCWE 84%, MTCTCE 76%, MTCUME 90%

MikroTik network engineering for your business:
1. Designing enterprise class network infrastructure
2. Building high-performance, reliable, protected networks
3. Security and performance audit of existing network configurations
4. Monitoring and maintaining critical infrastructure
5. Troubleshooting and consulting
6. Remote support 24 / 7 / 365
7. Advanced MikroTik certified trainings in Asia (coming soon)

Please contact me:
E-mail me your ideas: nikita@[Link]
Add me to your Facebook: Nikita Tarikin
Follow me on Instagram: @tarikin
Start private conversation: Telegram [Link]/tarikin, Messenger Nikita Tarikin

Why IKE2?


Compare VPN types (RouterOS)

Feature                             L2TP     L2TP/IPSec + psk    OpenVPN   PPTP       SSTP     IPSec IKE2
Protocol                            UDP      UDP over UDP/ESP    TCP       GRE        TCP      UDP, ESP
Performance                         Fast     Medium              Slow      Fast       Slow     Very fast
Connection establishment            Medium   Slow                Slow      Medium     Medium   Very fast
Requires strong CPU for encryption  No       Yes                 Yes       No         Yes      Yes
Multicore CPU load balance          Yes      Yes                 No        Yes        Yes      Yes
Security                            Low      Strong              Strong    Low        Strong   Very strong
Push routes                         No       No                  Yes       No         No       Yes
Bypass NAT                          Yes      Yes                 Yes       Yes        Yes      Yes
Has interface                       Yes      Yes                 Yes       Yes        Yes      No
OS popularity                       High     Very high           High      Very high  Low      High

Why IKE2?
1. Blazing fast throughput performance
2. Instant connection establishment
3. Military grade security standards
4. Supported by most modern OS's
5. Can push routes to clients
6. Bypasses any NAT
7. Mobile friendly
Network diagram

Networking for dummies 😃 (diagram): My laptop -> Magic Internet
Networking for advanced users 😎 (diagram): My laptop -> My router -> Internet
Networking for IT juniors (diagram): LAN -> MikroTik Router -> WAN; on the WAN side DNS, Apache and Wordpress servers
Networking for network engineers 😈 (diagram): the WAN seen as its protocols and services: Ethernet, LTE, PPPoE, vlan, RSTP, LACP, MTU, QoS, IPv4, IPv6, IP, TCP, OSPF, BGP, vrrp, MPLS, VPLS, EoIP, GRE, IPSec, IKE2, OpenVPN, SSTP, PPTP, DNS, ssh, https, FTP, WWW

Network diagram, VPN clients to one site: VPN clients [Link]/24 -> WAN (behind NAT) -> RouterOS VPN Router -> LAN [Link]/24
Network diagram, two sites: RouterOS VPN Router at the Head office (LAN head office [Link]/24) <- IPSec ike2 over WAN/NAT -> RouterOS Router at the Branch office (LAN branch [Link]/24); VPN clients [Link]/24 also connect over WAN
Configure RouterOS

Agenda:
1. Before you start
2. General system settings
3. Generate SSL certificates
4. Setting up IPSec
5. Setting up Firewall
6. Setting up NAT
7. Setting up MTU/MSS

Before you start: checklist for your demo lab
1. MTCNA knowledge (recommended)
2. RouterOS 6.44 or newer
3. Lab environment (recommended)
4. Default configuration 6.41+
5. Aware of IPSec changes since 6.43

Upgrade RouterOS to 6.44+
1. Download package from [Link]/download
2. Upload package to / of your RouterBoard
3. System -> Reboot

Reset RouterBoard to default v6.44+ configuration
System -> Reset configuration
This will apply new default firewall rules, interface lists, basic security settings etc.

General system settings. Agenda for next slides:
1. WAN IP/DNS addresses
2. Timezone
3. NTP
4. Loopback bridge
5. IP pool
WAN IP and DNS addresses for IKE2 VPN server

Check DNS records:
    Name: [Link]
    Address: [Link]
* Set DNS records with your domain name registrar control panel
[Link] is on WAN interface

Set up correct timezone (important)
System -> Clock
    /system clock set time-zone-name=Asia/Kuala_Lumpur

Set up auto date/time (important): activate NTP client
    /system ntp client set enabled=yes server-dns-names=[Link],[Link],[Link]

Add new loopback bridge
    /interface bridge add name=bridge-loopback

Set loopback bridge IP address
    /ip address add address=[Link]/24 interface=bridge-loopback network=[Link]

Add new IP Pool for ike2 VPN clients
    /ip pool add name="pool [Link]" ranges=[Link]-[Link]


Generate SSL certificates. Agenda for next slides:
1. Generate CA
2. Generate server SSL
3. Generate client SSL
4. Export client SSL

Generate CA SSL certificate
    /certificate add name=[Link] country=MY state=Selangor locality=Cyberjaya organization=[Link] common-name=[Link] subject-alt-name=DNS:[Link] key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign

Self-sign CA SSL certificate (Certificate Authority)
    /certificate sign [Link]

Generate server SSL certificate
    /certificate add name=[Link] country=MY state=Selangor locality=Cyberjaya organization=[Link] unit=VPN common-name=[Link] subject-alt-name=DNS:[Link] key-size=2048 days-valid=1095 trusted=yes key-usage=tls-server

Sign server SSL certificate with [Link] authority
    /certificate sign [Link] ca=[Link]

Client certificate template
    /certificate add name=~client-template@[Link] country=MY state=Selangor locality=Cyberjaya organization=[Link] common-name=~client-template@[Link] subject-alt-name=email:~client-template@[Link] key-size=2048 days-valid=365 trusted=yes key-usage=tls-client

Generate client SSL certificate from template
    /certificate add copy-from=~client-template@[Link] name=c1@[Link] common-name=c1@[Link] subject-alt-name=email:c1@[Link]

Sign client SSL certificate with [Link] authority
    /certificate sign c1@[Link] ca=[Link]

Export client SSL certificate + private key to .p12 file
    /certificate export-certificate c1@[Link] type=pkcs12 export-passphrase=keepinsecret

Export CA SSL certificate .crt file
    /certificate export-certificate [Link]

Download exported SSL certificates


Setting up IPSec. Agenda for next slides:
1. Setup Mode Configs
2. Setup Peer Profiles
3. Setup Proposals
4. Setup Peers
5. Setup Policy Groups
6. Setup Policies
7. Setup Identities

IPSec mode config
    /ip ipsec mode-config add address-pool="pool [Link]" address-prefix-length=32 name="modeconf [Link]" split-include=[Link]/0 static-dns=[Link] system-dns=no

IPSec proposal (phase 2)
    /ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal [Link]" pfs-group=none

IPSec peer profile
    /ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile [Link]" nat-traversal=yes proposal-check=obey

IPSec policy group
    /ip ipsec policy group add name="group [Link]"

IPSec policy template
    /ip ipsec policy add dst-address=[Link]/24 group="group [Link]" proposal="proposal [Link]" src-address=[Link]/0 template=yes sa-src-address=[Link] sa-dst-address=[Link] ipsec-protocols=esp level=require protocol=all action=encrypt

IPSec peer
    /ip ipsec peer add exchange-mode=ike2 address=[Link]/0 local-address=[Link] name="peer [Link]" passive=yes send-initial-contact=yes profile="profile [Link]"

IPSec identities (RouterOS 6.44)
One identity per client certificate (c1, c2, ...): the client is matched by its certificate and by remote-id.
    /ip ipsec identity add auth-method=rsa-signature certificate=[Link] remote-certificate=c1@[Link] generate-policy=port-strict match-by=certificate mode-config="modeconf [Link]" peer="peer [Link]" policy-template-group="group [Link]" remote-id=user-fqdn:c1@[Link]
    /ip ipsec identity add auth-method=rsa-signature certificate=[Link] remote-certificate=c2@[Link] generate-policy=port-strict match-by=certificate mode-config="modeconf [Link]" peer="peer [Link]" policy-template-group="group [Link]" remote-id=user-fqdn:c2@[Link]

IPSec identities (RouterOS 6.45+)
What's new in 6.45:
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
    /ip ipsec identity add auth-method=digital-signature certificate=[Link] remote-certificate=c1@[Link] generate-policy=port-strict match-by=certificate mode-config="modeconf [Link]" peer="peer [Link]" policy-template-group="group [Link]" remote-id=user-fqdn:c1@[Link]


Setting up Firewall. Agenda for next slides:
1. Default firewall overview
2. IPSec traffic rules
3. VPN traffic rules

Setting up Firewall: understanding the default firewall filter

RouterOS 6.41+ default configuration firewall overview
(On a real 6.41+ default configuration the rule comments read "defconf: ...", which is the text the place-before= lookups in the following rules search for.)

#Input Chain Rules
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic."
add action=drop chain=input connection-state=invalid comment="DEFAULT: Drop invalid traffic."
add action=accept chain=input protocol=icmp comment="DEFAULT: Accept ICMP traffic."
add action=drop chain=input in-interface-list=!LAN comment="DEFAULT: Drop all other traffic not coming from LAN."

#Forward Chain Rules
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec comment="DEFAULT: Accept In IPsec policy."
add action=accept chain=forward ipsec-policy=out,ipsec comment="DEFAULT: Accept Out IPsec policy."
add action=accept chain=forward connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic."
add action=drop chain=forward connection-state=invalid comment="DEFAULT: Drop invalid traffic."
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="DEFAULT: Drop all other traffic from WAN that is not DSTNATed."

#Output (defconf: empty filter)


Default firewall overview (diagram): WAN, RouterOS Router, LAN [Link]/24; legend ALLOW / DENY; the chains each traffic path passes:
a. From LAN: FORWARD chain, then src-nat towards WAN
b. To LAN: FORWARD chain (or OUTPUT chain for the router's own packets)
c. From RouterOS: OUTPUT chain
d. To RouterOS: INPUT chain
e. From WAN: INPUT chain (to the router) or FORWARD chain (through the router)
f. To WAN: FORWARD chain (or OUTPUT chain), then src-nat

RouterOS 6.41+ default configuration firewall overview

Default configuration firewall: INPUT chain. Short summary:
1. Accept ALL input packets for established connections
2. Accept ALL input ICMP packets
3. DROP ALL input packets (except LAN)
4. Allow everything else
DROP ALL !LAN = Accept only LAN

Default firewall overview, to RouterOS from WAN (diagram): DENY, ALLOW ONLY ICMP
Default firewall overview, from WAN (diagram): DENY to the router except ICMP; through the router (FORWARD) ALLOW ONLY DST-NAT connections
RouterOS default firewall (diagram): INPUT from WAN allows ICMP only, FORWARD from WAN allows DST-NAT only, OUTPUT is open, src-nat on the way to WAN

Important: empty FIREWALL (diagram): with no rules in INPUT, FORWARD or OUTPUT everything is ALLOWED, since RouterOS accepts a packet that matches no filter rule.

Setting up Firewall: IPSec traffic rules


IPSec traffic rules (diagram): VPN clients on WAN, disconnected; RouterOS Router with LAN [Link]/24; IKE2 packets addressed to the router hit the INPUT chain.

IPSec traffic rules, INPUT chain:
+ IPSec-esp
+ UDP 500
+ UDP 4500

Firewall filter rules for IPSec ike2 packets (defconf), INPUT chain: + UDP 500, + UDP 4500
    /ip firewall filter add place-before=[ find where comment~"defconf: drop all not coming from LAN" ] protocol=udp dst-port=500,4500 dst-address=[Link] action=accept chain=input comment="Allow UDP 500,4500 IPSec for [Link]"

Firewall filter rules for IPSec ike2 packets (defconf), INPUT chain: + IPSec-esp
    /ip firewall filter add place-before=[ find where comment~"defconf: drop all not coming from LAN" ] protocol=ipsec-esp dst-address=[Link] action=accept chain=input comment="Allow IPSec-esp for [Link]"

Move allow rules before drop
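To see why the two allow rules are inserted with place-before instead of appended, here is a first-match model of the default input chain; this is an added Python example, not code from the presentation. VPN_SERVER_IP is a constructed placeholder for the [Link] WAN address and the packets are constructed test inputs.

```python
"""
First-match model of the RouterOS input chain from the slides above, used to
check why the IKEv2 allow rules must sit before the default
"defconf: drop all not coming from LAN" rule.  Added example, not code from
the presentation; the rule fields are the subset used by the slides'
commands, VPN_SERVER_IP is a constructed stand-in for the [Link] WAN address,
and the packets are constructed test inputs.
"""
from typing import Dict, List, Tuple

VPN_SERVER_IP = "203.0.113.10"   # constructed placeholder (RFC 5737 documentation range)

Rule = Dict[str, object]
Packet = Dict[str, object]

# RouterOS 6.41+ default input chain as listed in the slides (comments in the
# "defconf:" form that the slides' place-before= lookups search for)
DEFAULT_INPUT: List[Rule] = [
    {"action": "accept", "connection_state": {"established", "related", "untracked"},
     "comment": "defconf: accept established,related,untracked"},
    {"action": "drop", "connection_state": {"invalid"},
     "comment": "defconf: drop invalid"},
    {"action": "accept", "protocol": "icmp",
     "comment": "defconf: accept ICMP"},
    {"action": "drop", "in_interface_list_not": "LAN",
     "comment": "defconf: drop all not coming from LAN"},
]

# the two accept rules added for IKEv2: IKE/NAT-T on UDP 500,4500 and ESP itself
IKE2_INPUT_RULES: List[Rule] = [
    {"action": "accept", "protocol": "udp", "dst_port": {500, 4500},
     "dst_address": VPN_SERVER_IP, "comment": "Allow UDP 500,4500 IPSec"},
    {"action": "accept", "protocol": "ipsec-esp",
     "dst_address": VPN_SERVER_IP, "comment": "Allow IPSec-esp"},
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must hold; absent matchers match anything."""
    if "connection_state" in rule and pkt["connection_state"] not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "dst_port" in rule and pkt.get("dst_port") not in rule["dst_port"]:
        return False
    if "dst_address" in rule and pkt["dst_address"] != rule["dst_address"]:
        return False
    # in-interface-list=!LAN: matches only when the packet did NOT arrive on a LAN-list interface
    if "in_interface_list_not" in rule and pkt["in_interface_list"] == rule["in_interface_list_not"]:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom; the first matching rule decides.
    A packet that reaches the end of a filter chain is accepted by RouterOS."""
    for rule in chain:
        if matches(rule, pkt):
            return str(rule["action"]), str(rule["comment"])
    return "accept", "end of chain (no rule matched)"


def place_before(chain: List[Rule], new_rules: List[Rule], comment_substr: str) -> List[Rule]:
    """Model of place-before=[find where comment~"..."]: insert just ahead of that rule."""
    idx = next(i for i, r in enumerate(chain) if comment_substr in str(r["comment"]))
    return chain[:idx] + new_rules + chain[idx:]


def ike_init_from_wan() -> Packet:
    """Constructed IKE_SA_INIT packet: a new UDP/500 flow arriving on the WAN interface."""
    return {"protocol": "udp", "dst_port": 500, "dst_address": VPN_SERVER_IP,
            "connection_state": "new", "in_interface_list": "WAN"}


def esp_from_wan() -> Packet:
    """Constructed ESP packet from a client whose path needs no UDP encapsulation."""
    return {"protocol": "ipsec-esp", "dst_address": VPN_SERVER_IP,
            "connection_state": "new", "in_interface_list": "WAN"}


def verdicts() -> Dict[str, str]:
    """Compare the placements of the IKEv2 rules for the constructed packets."""
    pkt = ike_init_from_wan()
    appended = DEFAULT_INPUT + IKE2_INPUT_RULES              # added without place-before
    placed = place_before(DEFAULT_INPUT, IKE2_INPUT_RULES,
                          "defconf: drop all not coming from LAN")
    return {
        "default": evaluate(DEFAULT_INPUT, pkt)[0],          # drop: no IKE rule yet
        "appended": evaluate(appended, pkt)[0],               # still drop: never reached
        "placed_before_drop": evaluate(placed, pkt)[0],      # accept
        "esp_placed": evaluate(placed, esp_from_wan())[0],    # accept
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:>20}: {verdict}")
```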


IPSec traffic rules (diagram): VPN clients connected over WAN; IPSec-esp, UDP 500 and UDP 4500 now reach the RouterOS Router at [Link]; LAN [Link]/24.

Setting up Firewall: VPN traffic rules

Setting up Firewall (diagram): VPN clients [Link]/24 connected; their traffic passes the INPUT, OUTPUT and FORWARD chains and src-nat on the RouterOS Router; LAN [Link]/24.

Default ipsec rules (defconf), FORWARD chain:
FROM ANY to ANY ipsec-in accept
FROM ANY to ANY ipsec-out accept
Traffic rules from VPN hosts to RouterOS, INPUT chain
FROM VPN to RouterOS accept
VPN = [Link]/24
    /ip firewall filter add chain=input src-address=[Link]/24 ipsec-policy=in,ipsec action=accept place-before=[ find where comment~"defconf: drop all not coming from LAN" ] disabled=no comment="IKE2: Allow ALL incoming traffic from [Link]/24 to this RouterOS"

Traffic rules from VPN hosts to LAN network, FORWARD chain
FROM VPN to LAN accept
VPN = [Link]/24
LAN = [Link]/24
    /ip firewall filter add chain=forward src-address=[Link]/24 dst-address=[Link]/24 ipsec-policy=in,ipsec action=accept place-before=[ find where comment~"defconf: drop all from WAN not DSTNATed" ] disabled=no comment="IKE2: Allow ALL forward traffic from [Link]/24 to OFFICE network"

Traffic rules from VPN hosts to WAN, FORWARD chain
FROM VPN to WAN accept
VPN = [Link]/24
WAN = [Link]/0
    /ip firewall filter add chain=forward src-address=[Link]/24 dst-address=[Link]/0 ipsec-policy=in,ipsec action=accept place-before=[ find where comment~"defconf: drop all from WAN not DSTNATed" ] disabled=no comment="IKE2: Allow ALL forward traffic from [Link]/24 to ANY network"

Note that all three rules carry ipsec-policy=in,ipsec, so they match only packets that were decrypted by IPSec; a plain packet arriving on WAN with a spoofed [Link]/24 source address does not match them.


Setting up NAT

Agenda:
1. Default src-nat overview
2. SRC-NAT VPN traffic to WAN

Where is [Link]?! (diagram): PING [Link] from a VPN client; src-address [Link], dst-address [Link]; RouterOS Router with default src-nat, LAN [Link]/24, WAN [Link]/0.
SRC-NAT (diagram): the same PING [Link] from VPN clients [Link]/24; on the WAN side the src-address becomes [Link] (the router's WAN address), dst-address [Link].
Default src-nat (diagram): a packet leaving WAN with ipsec-out: none is masqueraded, src-address *.*.*.*, dst-address [Link].

Masquerade non-IPSec WAN traffic (defconf): ipsec-out: none

SRC-NAT VPN traffic to WAN (diagram): VPN clients [Link]/24 -> RouterOS Router -> WAN [Link]/0; src-address rewritten to [Link], dst-address [Link]; LAN [Link]/24.

Masquerade VPN traffic
    /ip firewall nat add place-before=0 chain=srcnat src-address=[Link]/24 out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="MSQRD IKE2:[Link]/24 --> WAN traffic"

SRC-NAT VPN traffic (recommended) 👍
    /ip firewall nat add place-before=0 chain=srcnat src-address=[Link]/24 out-interface=ether1 ipsec-policy=out,none action=src-nat to-addresses=[Link] comment="SRC-NAT IKE2:[Link]/24 --> ether1 traffic"

Place SRC-NAT or MSQRD NAT rules on top


Setting up TCP MSS. Agenda for next slides:
1. Understanding MTU and IP fragmentation
2. Understanding IPSec MTU
3. Understanding TCP MSS
4. Setting up TCP MSS over IKE2

Understanding MTU (simplified), diagram: HTTPS over TCP over IP; the path runs from a client on Ethernet (MTU 1500) through WAN Asia (Ethernet MTU 1500), WAN Europe (PPPoE MTU 1492) and WAN Africa (Ethernet MTU 1500) to WWW; the IP packet size is 1500 bytes on every Ethernet hop.

Understanding IP fragmentation (simplified), diagram: a 1500-byte IP packet reaching the PPPoE MTU 1492 link is fragmented into a 1492-byte IP packet and a 48-byte IP packet (fragment), which travel on separately to WWW.

MTU mismatch -> IP fragmentation, diagram: Ethernet MTU 1500 -> IPSec tunnel MTU 1400 -> PPPoE MTU 1492 -> Ethernet MTU 1500 (WWW); a 1500-byte packet is split into 1400 + 132 bytes at the IPSec tunnel and into 1492 + 48 bytes at the PPPoE link.

Understanding IPSec MTU (simplified)
IP packet: IP (20 bytes) | DATA, 1492 bytes in total
IPSec ESP packet (tunnel mode): NEW IP (20 bytes) | ESP | IP | DATA | ESP auth; 1500 bytes in total, inner IP packet 1400 bytes
IPSec ESP packet with NAT-T (tunnel mode): NEW IP (20 bytes) | UDP 4500 (8 bytes) | ESP | IP | DATA | ESP auth; 1500 bytes in total, inner IP packet 1400 bytes
Inner IP packet: IP (20 bytes) | TCP (20 bytes) | TCP SEGMENT (1360 bytes) = 1400 bytes

Understanding TCP MSS (simplified)
TCP Segment size = MTU - 40 bytes
IP (20 bytes) | TCP (20 bytes) | TCP SEGMENT 1360 bytes = 1400 bytes

Understanding TCP Maximum Segment size (MSS) (simplified)
Client on Ethernet MTU 1500: "Hey! I can transfer TCP 1460 maximum segment size messages!" -> TCP syn 1460
Server WWW on Ethernet MTU 1500: "Hey, Foxy! I can transfer you TCP 1460 MSS!" -> TCP syn ack 1460
IPSec tunnel (MTU 1400) on the WAN in between: "Sorry, guys! ¯\_(ツ)_/¯" -> TCP syn 1360
With TCP syn 1360: IP Packet size = 1400 bytes, TCP Segment size = 1360 bytes, IPSec ESP packet size = 1500 bytes; the syn 1360 passes the tunnel and reaches WWW unchanged.
Rule on the IPSec ike2 router (tunnel MTU 1400, Ethernet MTU 1500 on both sides): IF TCP syn MSS > 1360 then set new TCP mss 1360.

Adjust TCP MSS from IPSec IKE2 addresses
    /ip firewall mangle add action=change-mss chain=forward new-mss=1360 src-address=[Link]/24 protocol=tcp tcp-flags=syn tcp-mss=!0-1360 ipsec-policy=in,ipsec passthrough=yes comment="IKE2: Clamp TCP MSS from [Link]/24 to ANY"

Adjust TCP MSS to IPSec IKE2 addresses
    /ip firewall mangle add action=change-mss chain=forward new-mss=1360 dst-address=[Link]/24 protocol=tcp tcp-flags=syn tcp-mss=!0-1360 ipsec-policy=out,ipsec passthrough=yes comment="IKE2: Clamp TCP MSS from ANY to [Link]/24"


Demo lab (free live demo is available)
1. Request certificate via form: [Link]
2. Receive certificates: wait for your certificate (manual processing for this LAB, sorry :))
3. Connect to VPN server: IKE2 VPN Server address <check your email>
4. Access via Winbox: Address [Link], Login lab, Password lab
Configure clients

Windows 10. Agenda for next slides:
1. Import SSL certificate
2. Setup IKEv2 connection
3. Testing IKEv2 VPN routing

Windows 10: Import SSL certificates
1. Download .p12 certificate
2. Select Local Machine store location -> Next
3. File name already selected -> Next
4. Type your SSL certificate password -> Next
5. Automatic (certificate store selection) -> Next
6. SSL Certificate imported successfully -> OK

Windows 10: Setup IKEv2 VPN connection
-> Control panel -> Network and Internet -> Network and Sharing Center -> Set up a new connection or network
-> Connect to a workspace -> Use my Internet connection (VPN) -> Next
Internet address: [Link]
Destination name: c1@[Link]
-> Create
-> Change adapter settings -> c1@[Link] -> Properties
Properties -> Security tab: Type of VPN: IKEv2
Properties -> Security tab: Data encryption: Maximum strength encryption; Authentication: Use machine certificates -> OK

Windows 10: Testing IKEv2 VPN connection

Windows 10: Testing IKEv2 VPN routes
    route -4 print
Destination: [Link]/0 (default)
Gateway: On-link
Interface: [Link]
Metric (distance): 26
[Link]/0 ???

Windows 10: Disable IKEv2 VPN default gateway
Properties -> Networking tab -> ✔ TCP/IPv4 -> Properties
TCP/IPv4 Properties: ✔ Obtain an IP address automatically, ✔ Obtain DNS address automatically -> Advanced
Advanced TCP/IP Settings: Use default gateway on remote network (uncheck it to disable)


Apple Mac OS (≥ 10.11 El Capitan). Agenda for next slides:
1. Import SSL certificate
2. Setup IKEv2 VPN connection
3. Check IKEv2 VPN routes

MacOS: Import SSL certificates
Download .p12 certificate
Keychain: login (default) -> Add
Type your SSL certificate password -> OK

MacOS: Manage SSL certificates (Keychain access)
1. Launch keychain access
2. Find [Link] root certificate authority
Important: verify CA certificate details
Important: compare CA certificate fingerprints
Important: trust settings: ✅ IP Security (IPSec), ❌ Everything else
Type your MacOS password -> Update settings

MacOS: Setup IKEv2 VPN connection
System preferences -> Network
Unlock to make changes
Create new connection: Interface: VPN; VPN Type: IKEv2; Service name: c2@[Link] -> Create
Server Address: [Link]; Remote ID: [Link]; Local ID: c2@[Link]; ✔ Show VPN status in menu bar -> Apply
Authentication Settings: None; Certificate: -> Select
Select machine auth certificate: c2@[Link] -> Continue

MacOS: Connecting IKEv2 VPN
💡 Don't forget to lock settings

MacOS: Check IKEv2 VPN routes


Apple iOS (≥ version 9). Agenda for next slides:
1. Import SSL certificates
2. Setup IKEv2 VPN connection

iOS: Import SSL certificates
Download CA certificate .crt
Download client certificate .p12
iOS: Import CA SSL certificate (screenshots)
iOS: Import client SSL certificate (screenshots)
iOS: Setup IKEv2 VPN connection (screenshots)
iOS: Connect IKEv2 VPN (screenshots)


Android. Agenda for next slides:
1. Install 3rd party app StrongSwan
2. Import SSL certificates
3. Setup IKEv2 VPN connection

Android: Install StrongSwan: find the StrongSwan app on Google Play
Android: Import SSL certificates: download and install user certificate .p12
Android: Setup IKEv2 VPN connection (screenshots)
Android: Connect IKEv2 VPN (screenshots)


The end ¯\_(ツ)_/¯

YouTube video for this presentation is available: [Link]

Please contact me:
E-mail me: nikita@[Link]
Add me to your Facebook: Nikita Tarikin
Follow me on Instagram: @tarikin
Start private conversation: Telegram [Link]/tarikin, Messenger Nikita Tarikin

Demo lab: request your certificate via form [Link]