Blog
Dive deep into MikroTik's RouterBoards and RouterOS. We keep you informed and up-to-date, always.
Consider the setup illustrated below. The office router (MikroTik RouterOS) and Amazon Web Services (AWS) are both connected to the internet, and the office workstations sit behind NAT.
The office has its own local subnet, 192.168.0.0/24.
Amazon has its own local subnet, 172.16.0.0/16.
Both the remote office and AWS need a secure tunnel between the local networks behind their routers.
At this time this configuration has only been tested on RouterOS 6.36, but it may work with other versions.
This configuration uses the Winbox utility to configure the IPsec VPN connection. Winbox is a small utility that allows administration of
#1: IPSec Proposal Configuration
An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.
Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
Higher parameters are only available for VPNs of category "VPN", and not for "VPN-Classic".
a. Click on "+" button
b. Name: ipsec-vpn-xxxxxxxx-x (any name)
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok
#2: IKE Peer and Policy Configuration
A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key parameters.
Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
Higher parameters are only available for VPNs of category "VPN", and not for "VPN-Classic".
The address of the external interface for your customer gateway must be a static address.
Your customer gateway may reside behind a device performing network address translation (NAT). To ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".
Create an IKE policy permitting traffic from your local subnet to the VPC subnet. Go to IP Tab --> IPsec --> Policies
1) Click on "+" button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: xxx.xxx.xxx.xxx "MikroTik Public IP Address"
c. SA Dst. Address: yyy.yyy.yyy.yyy "AWS Public IP Address"
d. Proposal: ipsec-vpn-xxxxxxxx-x (any name)
e. Select Apply and Ok
Two policies are configured under IPsec Policies: one for the /30 private (inside) IP addresses provided by AWS, and one for the MikroTik local subnet to the AWS local subnet.
Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.
Go to IP Tab --> IPsec --> Policies
3) Click on "+" button and select the General Tab
a. Src. Address: aaa.aaa.aaa.aaa "Local private IP Address provided by AWS"
b. Dst. Address: bbb.bbb.bbb.bbb "Remote private IP Address provided by AWS"
4) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: xxx.xxx.xxx.xxx "MikroTik Public IP Address"
c. SA Dst. Address: yyy.yyy.yyy.yyy "AWS Public IP Address"
d. Proposal: ipsec-vpn-xxxxxxxx-x "Any name"
e. Select Apply and Ok
Go to IP Tab --> IPsec --> Peers
5) Click on "+" button
a. Address: yyy.yyy.yyy.yyy "AWS Public IP Address"
b. Local Address: xxx.xxx.xxx.xxx "MikroTik Public IP Address"
c. Secret: !@#$%^&*()1234567890ASDFGHJKL
d. Hash Algorithm: sha1
e. Encryption Algorithm: aes-128
f. DH Group: modp1024
g. Lifetime: 08:00:00
h. DPD Interval: 10
i. DPD Maximum Failures: 3
j. Select Apply and Ok
#3: Tunnel Interface Configuration
A tunnel interface is configured to be the logical interface associated with the tunnel. All traffic routed to the tunnel interface will be encrypted and transmitted to the VPC. Similarly, traffic from the VPC will be logically received on this interface.
The address of the interface is configured with the setup for your Customer Gateway. If the address changes, the Customer Gateway and VPN Connection must be recreated with Amazon VPC.
Go to IP Tab --> Addresses
a. Click on "+" button
b. Address: aaa.aaa.aaa.aaa/30 "This IP Address is provided by AWS"
c. Interface: Select the WAN/Outside interface
d. Select Apply and Ok
#4: Static Route Configuration
Your Customer Gateway needs to set a static route for the prefix corresponding to your VPC to send traffic over the tunnel interface.
An example for a VPC with a subnet/mask of 172.16.0.0/16 is provided below:
Go to IP Tab --> Routes
a. Click on "+" button and select the General Tab
b. Dst. Address: 172.16.0.0/16
c. Gateway: bbb.bbb.bbb.bbb/30 "AWS Remote IP Address, a private IP Address provided by AWS"
d. Select Apply and Ok
#5: NAT Exemption
If you are performing NAT on your Customer Gateway, you may have to add a NAT exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.
This example rule permits all traffic from the local subnet to the VPC subnet.
Go to IP Tab --> Firewall --> NAT
1) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: local subnet/mask
c. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.
3) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: aaa.aaa.aaa.aaa
c. Dst. Address: bbb.bbb.bbb.bbb
4) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
Note that there may be multiple firewall rules configured on your Customer Gateway, and these rules may conflict with the NAT exemption rule.
It is recommended to position the NAT exemption rules so that they are evaluated before any other conflicting policy (in srcnat, above the masquerade rule).
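The five Winbox steps above, expressed as the equivalent RouterOS 6.x terminal commands. This is an added example, not part of the original post or of AWS's downloadable configuration; the public IPs, inside /30 addresses, interface name and pre-shared key are placeholders chosen for illustration and must be replaced with the values from your own AWS VPN configuration. Note the `place-before=0` on the NAT exemption rules, which puts them ahead of any existing masquerade rule in the srcnat chain as the last paragraph recommends.

```routeros
# Placeholder values assumed for this example (replace with your own):
#   203.0.113.10    = MikroTik public IP        (xxx.xxx.xxx.xxx in the text)
#   198.51.100.20   = AWS VPN endpoint public IP (yyy.yyy.yyy.yyy)
#   169.254.10.2/30 = inside IP, customer gateway side (aaa.aaa.aaa.aaa/30)
#   169.254.10.1    = inside IP, AWS side            (bbb.bbb.bbb.bbb)
#   ether1 = WAN interface; 192.168.0.0/24 = office LAN; 172.16.0.0/16 = VPC

# #1 Proposal (phase 2): AES128 / SHA1 / PFS DH group 2, 1 h lifetime
/ip ipsec proposal add name=ipsec-vpn-example-1 auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc pfs-group=modp1024 lifetime=1h

# #2 Peer (phase 1): PSK from the AWS configuration, NAT-T on, DPD every 10 s, 3 failures
/ip ipsec peer add address=198.51.100.20/32 local-address=203.0.113.10 \
    auth-method=pre-shared-key secret="REPLACE-WITH-AWS-PSK" exchange-mode=main \
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h \
    nat-traversal=yes dpd-interval=10s dpd-maximum-failures=3

# #2 Policies: office LAN <-> VPC, and inside /30 <-> inside /30
/ip ipsec policy add src-address=192.168.0.0/24 dst-address=172.16.0.0/16 \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    proposal=ipsec-vpn-example-1
/ip ipsec policy add src-address=169.254.10.2/32 dst-address=169.254.10.1/32 \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    proposal=ipsec-vpn-example-1

# #3 Inside address on the WAN interface
/ip address add address=169.254.10.2/30 interface=ether1

# #4 Static route to the VPC via the AWS-side inside address
/ip route add dst-address=172.16.0.0/16 gateway=169.254.10.1

# #5 NAT exemption: accept rules placed at the top of srcnat so they win over masquerade
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    dst-address=172.16.0.0/16 action=accept place-before=0 \
    comment="no NAT to AWS VPC"
/ip firewall nat add chain=srcnat src-address=169.254.10.2 \
    dst-address=169.254.10.1 action=accept place-before=0 \
    comment="no NAT for tunnel inside IPs"

# Verification: phase 1 peer established, policies show ph2-state=established, SAs installed
/ip ipsec remote-peers print
/ip ipsec policy print
/ip ipsec installed-sa print
```

If the policy stays in a non-established ph2 state, check that the proposal and peer parameters match exactly what the AWS side offers, that UDP 500/4500 and ESP are allowed through any intermediate NAT device, and that the NAT exemption rules really sit above the masquerade rule in `/ip firewall nat print`.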