{"id":1633,"date":"2021-01-13T14:58:40","date_gmt":"2021-01-13T12:58:40","guid":{"rendered":"https:\/\/helia.ee\/koolitus\/?page_id=1633"},"modified":"2021-01-13T14:58:40","modified_gmt":"2021-01-13T12:58:40","slug":"mikrotik-ipsec-tunnel-mikrotik-to-pfsense","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=1633","title":{"rendered":"Mikrotik – IPSec Tunnel : Mikrotik to pfSense"},"content":{"rendered":"
\n

IPSec Tunnel : Mikrotik to pfSense<\/h1>\n
<\/div>\n
\n<\/header>\n
\n
\"\"<\/figure>\n

Introduction<\/h2>\n

I recently began working with a Mikrotik router OS based device for use in small business. I thought this was the perfect time to try out some cross platform configurations between Mikrotik and pfSense which are both very popular in the hobbyist and small business space.<\/p>\n

This post will show the steps I used to configure an IPSec tunnel between a Mikrotik router and a pfSense firewall. This is a basic tunnel configuration so traffic will flow freely through the tunnel based on the phase 2 configuration. This is a great configuration if you want to tunnel some traffic between two trusted networks.<\/p>\n

The tunnel shown in this configuration is an IPv4 tunnel only, but IPv6 traffic could be added with minor tweaks. A Mutal PSK authentication is used to simplify the configuration.<\/p>\n

This configuration has not been audited for maximum security and has not been tested for performance.<\/p>\n

Requirements<\/h2>\n

This configuration is based on the following systems:<\/p>\n

    \n
  • pfSense version 2.4.4<\/li>\n
  • Mikrotik version 6.46.6<\/li>\n<\/ul>\n

    The systems must be able to reach each other over a WAN interface and should have unique LAN IP address ranges. You will also need to add a rule on pfSense to accept the ISAKMP connection on port 500. To be most secure you can create this rule to only allow the peer IP\/host.<\/p>\n

    Configure Phase 1 \u2013 pfSense<\/h2>\n

    Of the two platforms pfSense is probably the most logical of the two in how it lays out the configuration. The configuration entries are neat and tidy and nested in the GUI.<\/p>\n

    Navigate to\u00a0VPN -> IPSec -> Tunnel<\/em><\/strong>. Then click the\u00a0Add P1<\/em><\/strong>\u00a0button to start adding the new phase 1 entry. Then begin filling in the\u00a0General Information<\/em><\/strong>\u00a0as shown.<\/p>\n

      \n
    • Key Exchange Version: IKEv2<\/li>\n
    • Internet Protocol: IPv4<\/li>\n
    • Interface: WAN (or other if applicable)<\/li>\n
    • Remote Gateway: IP or hostname of the Mikrotik router (I used a hostname)<\/li>\n<\/ul>\n
      \"\"<\/figure>\n

      Then fill in the following for the\u00a0Phase 1 Proposal (Authentication)<\/strong><\/em><\/p>\n

        \n
      • Authentication Method: Mutual PSK<\/li>\n
      • My identifier: My IP Address<\/li>\n
      • Peer identifier: Peer IP Address<\/li>\n
      • Pre-Shared Key: Click the\u00a0Generate new Pre-Shared Key<\/em><\/strong>\u00a0button to create a key for this tunnel<\/li>\n<\/ul>\n
        \"\"<\/figure>\n

        Next, create\/update a\u00a0Phase 1 Proposal (Encryption Algorithm)<\/strong>. You should be able to get by with a single correct entry here.<\/p>\n

          \n
        • Algorithm: AES<\/li>\n
        • Key length: 128 bits (I\u2019m sure you can go larger as dictated by your requirements)<\/li>\n
        • Hash: SHA256<\/li>\n
        • DH Group: 14 (2048 bit)<\/li>\n<\/ul>\n
          \"\"<\/figure>\n

          The final step in phase 1 is to go over the advanced options. The defaults should be fine. Then click\u00a0Save<\/em><\/strong>.<\/p>\n

          \"\"<\/figure>\n

          Configure Phase 1 \u2013 Mikrotik<\/h2>\n

          Configuration of the Mikrotik router is shown through the web GUI that runs on port 80 of the device. Login to your router and navigate to\u00a0IP -> IPSec<\/em><\/strong>. There will be multiple configurations that need created or adjusted.<\/p>\n

          First, we can configure the peer by going to\u00a0IP -> IPSec -> Peers<\/em><\/strong>\u00a0and clicking\u00a0Add New<\/em><\/strong>. Then fill in the following:<\/p>\n

            \n
          • Name: This can be the hostname or other identified you want to use<\/li>\n
          • Address: This can be an IP address or hostname<\/li>\n
          • Port and Local address can be left as default<\/li>\n
          • Profile can be left as default<\/li>\n
          • Exchange mode: IKE2<\/li>\n
          • Passive: Disabled<\/li>\n
          • Send INITIAL_CONTACT: Enabled<\/li>\n<\/ul>\n
            \"\"<\/figure>\n

            Next we need to update the default profile to match our pfSense settings. Head over to\u00a0IP -> IPSec -> Profiles<\/em><\/strong>\u00a0and click on\u00a0default<\/em><\/strong>\u00a0and change the settings as follows. When you are done click\u00a0OK<\/em><\/strong>. Settings not mentioned can remain at default.<\/p>\n

              \n
            • Hash Algorithms: SHA256<\/li>\n
            • Encryption Algorithm: aes-128<\/li>\n
            • DH Group: modp2048<\/li>\n<\/ul>\n
              \"\"<\/figure>\n

              Finally, go over to\u00a0IP -> IPSec -> Identities<\/em><\/strong>\u00a0and click\u00a0Add New<\/em><\/strong>\u00a0to create an identity for this tunnel.<\/p>\n

                \n
              • Enabled: Checked<\/li>\n
              • Peer: The peer you created earlier<\/li>\n
              • Auth. Method: pre shared key<\/li>\n
              • Secret: The key generated in pfSense<\/li>\n
              • My ID Type: auto<\/li>\n
              • Remote ID Type: auto<\/li>\n
              • Match by: remote id<\/li>\n<\/ul>\n
                \"\"<\/figure>\n

                Verify Phase 1<\/h2>\n

                Verifying phase 1 will show us that the the devices have connectivity to one another and no firewall rules are blocking the session from being established.<\/p>\n

                In pfSense go to\u00a0Status -> IPSec<\/em><\/strong>\u00a0and look for your IPSec session to be\u00a0Established<\/em><\/strong>.<\/p>\n

                In Mikrotik you can verify the Phase 1 session under\u00a0IP -> IPSec -> Active Peers<\/em><\/strong>. You should see an increasing uptime for the configured session.<\/p>\n

                Configure Phase 2 \u2013 pfSense<\/h2>\n

                Phase 2 is where we tell the firewall how to identify which packets need encrypted and sent to the remote peer. It also contains the configuration of the encryption algorithms to use in transit. To begin adding your phase 2 entry go to\u00a0VPN -> IPSec -> Tunnels<\/em><\/strong>. Find the Phase 1 entry you just created and click the\u00a0+ Show Phase 2 Entries<\/em><\/strong>. There shouldn\u2019t be any yet. Then click the\u00a0Add P2<\/em><\/strong>\u00a0button.<\/p>\n

                Fill in the General Information as follows:<\/p>\n

                  \n
                • Mode: Tunnel IPv4<\/li>\n
                • Local Network: LAN Subnet (most likely)<\/li>\n
                • Remote Network: Fill in the LAN subnet behind the Mikrotik that you want to reach from pfSense<\/li>\n<\/ul>\n
                  \"\"<\/figure>\n

                  Next fill in the Phase 2 Proposal (SA\/Key Exchange) as follows:<\/p>\n

                    \n
                  • Protocol: ESP<\/li>\n
                  • Encryption Algorithms\n
                      \n
                    • AES128-GCM \u2013 128 Bits<\/li>\n
                    • AES192-GCM \u2013 Auto<\/li>\n
                    • AES256-GCM \u2013 Auto<\/li>\n<\/ul>\n<\/li>\n
                    • Hash Algorithms\n
                        \n
                      • SHA256<\/li>\n<\/ul>\n<\/li>\n
                      • PFS Key Group: 14 (2048 bit)<\/li>\n<\/ul>\n
                        \"\"<\/figure>\n

                        When you are done click\u00a0Save<\/em><\/strong>.<\/p>\n

                        Configure Phase 2 \u2013 Mikrotik<\/h2>\n

                        First we need to configure the Mikrotik Phase 2 proposal to match pfSense. Go to\u00a0IP -> IPSec -> Proposals<\/em><\/strong>\u00a0and click on the default proposal to edit it.<\/p>\n

                          \n
                        • Auth Algorithms:\n
                            \n
                          • sha256<\/li>\n<\/ul>\n<\/li>\n
                          • Encr. Algorithms\n
                              \n
                            • aes-192 ctr<\/li>\n
                            • aes-128 gcm<\/li>\n
                            • aes-256 gcm<\/li>\n<\/ul>\n<\/li>\n
                            • PFS Group: modp2048<\/li>\n<\/ul>\n
                              \"\"<\/figure>\n

                              The final step for phase 2 on the Mikrotik is to create a policy. Navigate to\u00a0IP -> IPSec -> Policies<\/em><\/strong>\u00a0and click\u00a0Add New<\/em><\/strong>. The fill in the settings as follows:<\/p>\n

                                \n
                              • Enabled: Checked<\/li>\n
                              • Peer: The peer you created<\/li>\n
                              • Tunnel: Checked (If you don\u2019t check this you might lose your remote management, be careful)<\/li>\n
                              • Src Address: Subnet and mask of local subnet to tunnel<\/li>\n
                              • Dst. Address: Subnet and mask of remote subnet to tunnel<\/li>\n
                              • Protocol: 255 (all)<\/li>\n
                              • Action: encrypt<\/li>\n
                              • Level: require<\/li>\n
                              • IPSec Protocols: esp<\/li>\n
                              • Proposal: default<\/li>\n<\/ul>\n
                                \"\"<\/figure>\n

                                Testing the Configuration<\/h2>\n

                                There are two ways to test the tunnel. The most obvious is probably to have a host on one LAN ping a host on the other LAN, this assumes though that you have hosts in both LANs that can ping which might not be the case if one side is remote or a new deployment. You can still test the tunnel though from Mikrotik.<\/p>\n

                                To test from Mikrotik go to\u00a0Tools -> Ping<\/em><\/strong>\u00a0and setup a ping to the LAN gateway on the pfSense system. In my case the far end LAN is 192.168.1.1. I was able to test it by using the Mikrotik bridge interface as the source interface.<\/p>\n

                                \"\"<\/figure>\n

                                To test from pfSense it\u2019s the same idea, go to\u00a0Diagnostics -> Ping<\/em><\/strong>\u00a0and use the LAN as the Source address.<\/p>\n

                                \"\"<\/figure>\n

                                Statistics are available on both platforms. In pfSense go to\u00a0Status -> IPSec<\/em><\/strong>, in Mikrotik take a look under\u00a0IP -> IPSec -> Active Peers<\/em><\/strong>.<\/p>\n

                                Conclusion<\/h2>\n

                                Configuring a secure IPSec tunnel between Mikrotik and pfSense was not as hard as I expected. Both platforms have plenty of configuration options allowing a secure tunnel to be established with ease. The drawback to this configuration is that there is no logical interface for the connection on either platform, meaning the tunneled traffic is basically assumed to be in a protected zone as it exits the tunnel. This is great if both sides are more or less the same traffic level, but not sufficient if you want to make rules for traffic as it enters on one side or the other. For that reason I am intending on switching to a GRE tunnel with IPSec which will be shown in a later post.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"

                                IPSec Tunnel : Mikrotik to pfSense Introduction I recently began working with a Mikrotik router OS based device for use in small business. I thought this was the perfect time to try out some cross platform configurations between Mikrotik and pfSense which are both very popular in the hobbyist and small business space. This post […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":612,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-1633","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1633"}],"version-history":[{"count":1,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1633\/revisions"}],"predecessor-version":[{"id":1634,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1633\/revisions\/1634"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/612"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}