I needed a VPN from one house to another for running the Ubiquiti Unifi AP’s I’m setting up at RMB’s house… I used to have mikrotik’s at each end so that was a fairly simple setup. This time it was from Mikrotik at one end to OPNsense at the other. IPSEC is … fun sometimes.
Here’s a diagram of the layout. A /16 at each house, connected over the internet.
+---------------+ +---------+ +----------+ +---------+ +---------------+
| Local Network +---+ House 1 +---+ Internet | | House 2 | | Local Network |
| 10.0.0.0/16 | | 5.5.5.5 | | +---+ 9.9.9.9 +---+ 10.1.0.0/16 |
+---------------+ +---------+ +----------+ +---------+ +---------------+
Configuring OPNsense
There’s a few steps to this one.
Phase 1
This is the authentication stage for working out how to talk to each other.
- VPN -> IPSEC -> Tunnel settings
- Create a new config
- General information
- Connection method: default
- Key Exchange Version: v2
- Internet Protocol: v4 (depending on what connectivity you have)
- Interface: WAN (your external interface)
- Remote gateway: 9.9.9.9
- Phase 1 proposal (Authentication)
- Authentication method: Mutual PSK
- My identifier: IP Address (5.5.5.5)
- Peer identifier: IP Address (9.9.9.9)
- Pre-shared key:
- Phase 1 proposal (Algorithms)
- Encryption algorithm: AES (256)
- Hash algorithm: SHA256
- DH key group: 14 (2048 bits)
- Lifetime 28800
- Advanced options
- NAT Traversal: disabled
- Install policy: ticked
- Dead peer detection: Enabled (10 seconds delay, 5 retries, restart the tunnel)
- Everything else: disabled
- Hit save
Phase 2
This is the actual “traffic encryption” stage. From the Tunnel settings page, next to the newly created phase 1 configuration, there should be a button to add a phase 2 entry. Click that.
- Mode: Tunnel IPv4
- Local Network
- Type: Network
- Address: 10.0.0.0/16
- Remote Network
- Type: Network
- Address 10.1.0.0/16
- Phase 2 Proposal (SA/Key exchange)
- Protocol: ESP
- Encryption Algorithms
- AES (256 bits in the dropdown)
- Hash algorithms: SHA256
- PFS key group: 14 (2048 bits)
- Lifetime: 28800 seconds (8 hours)
Hit save
Other bits
Make sure you tick “Enable IPsec” on the tunnel config screen and ensure you hit apply, otherwise it won’t start the tunnels…
Sometimes it’ll make the right firewall rules, but double check your WAN interface actually has a rule that lets ESP traffic from 9.9.9.9 on UDP/500 and ESP.
You’ll need to configure appropriate firewall rules for traffic traversing the IPsec link in the “ipsec” firewall rules section. You can be lazy and just any/any/any it, or make more specific ones.
Configuring the Mikrotik
Here’s the config from the Mikrotik, suffice it to say there was a lot of clicking and swearing and trying to edit things in the console to make this work. You should be able to copy, edit and update this to suit your needs.
You’ll need to create the firewall rules to allow the traffic. Note that this connection uses PPPoE, so your in-interface may differ.
/ip firewall filter
add action=accept chain=forward dst-address=9.9.9.9 dst-port=500 in-interface=all-ppp protocol=udp src-address=5.5.5.5
add action=accept chain=forward dst-address=9.9.9.9 in-interface=all-ppp protocol=ipsec-esp src-address=5.5.5.5
And here’s the config for the IPSEC side of things:
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h nat-traversal=no proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=modp2048
/ip ipsec peer
add address=5.5.5.5/32 exchange-mode=ike2 generate-policy=port-strict my-id=address:9.9.9.9 port=500 secret=<superlongpasswordhere>
/ip ipsec policy
add dst-address=10.0.0.0/16 sa-dst-address=5.5.5.5 sa-src-address=9.9.9.9 src-address=10.1.0.0/16 tunnel=yes
In a few weeks I’ll have to change it all over again, as the house is changing to NBN FTTC and won’t have a static IP. Urgh.