Blog

 

Dive deep into MikroTik's RouterBoards and RouterOS. We keep you informed and up-to-date, always.

Author

 

Every post is penned by our certified MikroTik engineers, ensuring relevance and accuracy in every word.

Feedback

 

Your insights drive our content. Sharing knowledge, we elevate the MikroTik community in Canada together.

MikroTik RouterOS and AWS Site-to-Site VPN

Site to Site IPsec tunnel, MikroTik <--> AWS

Consider setup as illustrated below. Office router "MikroTik RouterOS" and Amazon Web Services "AWS" are connected to internet and office workstations are behind NAT.

The Office has its own local subnet, 192.168.0.0/24.

Amazon has its own local subnet, 172.16.0.0/16

Both remote office and AWS needs secure tunnel to local networks behind routers.

 

 

VPN Connection Configuration

  • AWS utilizes unique identifiers to manipulate the configuration a VPN Connection. Each VPN Connection is assigned an identifier and is associated with two other identifiers, namely the
  • Customer Gateway Identifier and Virtual Private Gateway Identifier.
  • Your VPN Connection ID : vpn-xxxxxxxx
  • Your Virtual Private Gateway ID : vgw-yyyyyyyy
  • Your Customer Gateway ID : cgw-zzzzzzzz
    • This configuration consists of two tunnels. Both tunnels must be configured on your Customer Gateway, but only one of those tunnels should be up at any given time.

Note that Mikrotik RouterOs does not support Active/Active or Active/Standby setup with AWS hosted VPN solution.

At this time this configuration has only been tested for RouterOS 6.36, but may work with other versions.

 

This configuration uses the Winbox utility to configure the IPsec VPN connection. Winbox is a small utility that allows administration of

 

Mikrotik RouterOS using a fast and simple GUI.
You can download this utility from: https://mikrotik.com/download


! IPSec Tunnel #1
 

#1: IPSec Proposal Configuration

An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.
Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
groups like 2, 14-18, 22, 23, and 24.
Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".

Go to IP Tab --> IPsec --> Proposals

a. Click on "+" button

#ANY NAME"
b. Name: ipsec-vpn-xxxxxxxx-x
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok


Internet Key Exchange


A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.

You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.

Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
The address of the external interface for your customer gateway must be a static address.
Your customer gateway may reside behind a device performing network address translation (NAT). To ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".

Create an IKE policy permitting traffic from your local subnet to the VPC subnet. Go to IP Tab --> IPsec --> Policies

 

1) Click on "+" button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask

 

2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: xxx.xxx.xxx.xxx "MikroTik Public IP Address"
c. SA Dst. Address: yyy.yyy.yyy.yyy " AWS Public IP Address"

 

#"ANY NAME"
d. Proposal: ipsec-vpn-xxxxxxxx-x
e. Select Apply and Ok

There are two policies configured in IPsec Policy, one for a /30 private IP Address provided by AWS and one for MikroTik local IP Address/AWS local IP Address

Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.

Go to IP Tab --> IPsec --> Policies

3) Click on "+" button and select the General Tab
a. Src. Address: aaa.aaa.aaa.aaa "Local private IP Address provided by AWS"
b. Dst. Address: bbb.bbb.bbb.bbb "Remote private IP Address provided by AWS"

4) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: xxx.xxx.xxx.xxx "MikroTik Public IP Address"
c. SA Dst. Address: yyy.yyy.yyy.yyy "AWS Public IP Address"
d. Proposal: ipsec-vpn-xxxxxxxx-x "Any name"
e. Select Apply and Ok

Go to IP Tab --> IPsec --> Peers

5) Click on "+" button
a. Address: yyy.yyy.yyy.yyy "AWS Public IP Address"
b. Local Address: xxx.xxx.xxx.xxx "MikroTik Public IP Address"
c. Secret: !@#$%^&*()1234567890ASDFGHJKL
d. Hash Algorith: sha1
e. Encryption Algorithm: aes-128
d. DH Group: modp1024
f. Lifetime: 08:00:00
g. DPD Interval: 10
h. DPD Maximum Failures: 3
i. Select Apply and Ok

 #3: Tunnel Interface Configuration
A tunnel interface is configured to be the logical interface associated with the tunnel. All traffic routed to the tunnel interface will be encrypted and transmitted to the VPC. Similarly, traffic from the VPC will be logically received on this interface.
The address of the interface is configured with the setup for your
Customer Gateway. If the address changes, the Customer Gateway and VPN
Connection must be recreated with Amazon VPC.

 

Go to IP Tab --> Addresses

a. Click on "+" button
b. Address: aaa.aaa.aaa.aaa/30 "This IP Address provides by AWS"
b. Interface: Select the WAN/Outside interface
c. Select Apply and Ok


#4 Static Route Configuration

Your Customer Gateway needs to set a static route for the prefix corresponding to your
VPC to send traffic over the tunnel interface.
An example for a VPC with a subnet/mask of 172.16.0.0/16 is provided below:

Go to IP Tab --> Routes

a. Click on "+" button and select the General Tab
b. Dst. Address: 172.16.0.0/16
c. Gateway: bbb.bbb.bbb.bbb/30 "AWS Remote IP Address, a private IP Address provided by AWS"
d. Select Apply and Ok

#5: NAT Exemption

If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.
This example rule permits all traffic from the local subnet to the VPC subnet.

Go to IP Tab --> Firewall --> NAT

1) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: local subnet/mask
c. Dst. Address: AWS VPC subnet/mask

2) Click on Action Tab
a. Action = accept
b. Select Apply and Ok

Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.

3) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: aaa.aaa.aaa.aaa
c. Dst. Address: bbb.bbb.bbb.bbb

4) Click on Action Tab
a. Action = accept
b. Select Apply and Ok

Note that there may be multiple firewall rules configured on your Customer Gateway. These rules may be conflicting with the nat exemption rule.
It is recommended to position the nat exemption rules such that they are evaluated in an order before any other conflicting policy.

MikroTik News