I needed a VPN from one house to another for running the Ubiquiti Unifi APs I'm setting up at RMB's house… I used to have Mikrotiks at each end, so that was a fairly simple setup. This time it was from a Mikrotik at one end to OPNsense at the other. IPSEC is … fun sometimes.
Here's a diagram of the layout: a /16 at each house, connected over the internet.

```
+---------------+   +---------------+   +----------+   +----------------+   +---------------+
| Local Network +---+    House 1    +---+ Internet |   |    House 2     |   | Local Network |
|  10.0.0.0/16  |   | 18.104.22.168 |   |          +---+ 22.214.171.124 +---+  10.1.0.0/16  |
+---------------+   +---------------+   +----------+   +----------------+   +---------------+
```
There are a few steps to this one.

Configuring OPNsense

Phase 1

This is the authentication stage, where the two ends work out how to talk to each other.
- VPN -> IPSEC -> Tunnel settings
- Create a new config
  - General information
    - Connection method: default
    - Key Exchange Version: v2
    - Internet Protocol: v4 (depending on what connectivity you have)
    - Interface: WAN (your external interface)
    - Remote gateway: 126.96.36.199
  - Phase 1 proposal (Authentication)
    - Authentication method: Mutual PSK
    - My identifier: IP Address (188.8.131.52)
    - Peer identifier: IP Address (184.108.40.206)
    - Pre-shared key: the same long secret you'll put in the Mikrotik's `secret=`
  - Phase 1 proposal (Algorithms)
    - Encryption algorithm: AES (256)
    - Hash algorithm: SHA256
    - DH key group: 14 (2048 bits)
    - Lifetime: 28800
  - Advanced options
    - NAT Traversal: disabled
    - Install policy: ticked
    - Dead peer detection: Enabled (10 seconds delay, 5 retries, restart the tunnel)
    - Everything else: disabled
- Hit save
Phase 2

This is the actual "traffic encryption" stage. From the Tunnel settings page, next to the newly created phase 1 configuration, there should be a button to add a phase 2 entry. Click that.

- Mode: Tunnel IPv4
- Local Network
  - Type: Network
  - Address: 10.0.0.0/16
- Remote Network
  - Type: Network
  - Address: 10.1.0.0/16
- Phase 2 Proposal (SA/Key exchange)
  - Protocol: ESP
  - Encryption Algorithms: AES (256 bits in the dropdown)
  - Hash algorithms: SHA256
  - PFS key group: 14 (2048 bits)
  - Lifetime: 28800 seconds (8 hours)
Make sure you tick “Enable IPsec” on the tunnel config screen and ensure you hit apply, otherwise it won’t start the tunnels…
Sometimes it'll create the right firewall rules for you, but double-check that your WAN interface actually has rules that let traffic from 220.127.116.11 in on UDP/500 (IKE) and on protocol ESP. With NAT traversal disabled, nothing will arrive on UDP/4500, so that port doesn't need opening.
You’ll need to configure appropriate firewall rules for traffic traversing the IPsec link in the “ipsec” firewall rules section. You can be lazy and just any/any/any it, or make more specific ones.
Configuring the Mikrotik
Here’s the config from the Mikrotik, suffice it to say there was a lot of clicking and swearing and trying to edit things in the console to make this work. You should be able to copy, edit and update this to suit your needs.
You'll need to create the firewall rules to allow the traffic. Note that this connection uses PPPoE, so your in-interface may differ.

```
/ip firewall filter
# IKE (UDP/500) from the OPNsense end
add action=accept chain=forward dst-address=18.104.22.168 dst-port=500 in-interface=all-ppp protocol=udp src-address=22.214.171.124
# ESP from the OPNsense end (no UDP/4500 rule needed, NAT-T is off)
add action=accept chain=forward dst-address=126.96.36.199 in-interface=all-ppp protocol=ipsec-esp src-address=188.8.131.52
# Note: IKE and ESP packets addressed to the router itself are processed in the
# input chain; if your input chain drops unsolicited WAN traffic, add the same
# two rules with chain=input as well.
```
And here’s the config for the IPSEC side of things:
```
# Phase 1 (IKE SA): must match the OPNsense phase 1 proposal.
# 8h = 28800 seconds; proposal-check=strict means lifetimes must agree too.
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h nat-traversal=no proposal-check=strict
# Phase 2 (child SA): must match the OPNsense phase 2 proposal, pfs-group = PFS key group 14.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=modp2048
# The OPNsense box, IKEv2, identified by IP address on both sides.
/ip ipsec peer
add address=184.108.40.206/32 exchange-mode=ike2 generate-policy=port-strict my-id=address:220.127.116.11 port=500 secret=<superlongpasswordhere>
# Which traffic goes into the tunnel: the mirror image of the OPNsense local/remote networks.
/ip ipsec policy
add dst-address=10.0.0.0/16 sa-dst-address=18.104.22.168 sa-src-address=22.214.171.124 src-address=10.1.0.0/16 tunnel=yes
```
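Most of the "clicking and swearing" with IPsec comes from the two ends disagreeing on a proposal, a lifetime or a network, and IKEv2 rarely tells you which one. The script below is an added example, not part of this post, OPNsense or RouterOS: it takes the OPNsense phase 1 and phase 2 selections from the lists above (as a constructed dict), parses the RouterOS commands from the Mikrotik section (with the secret replaced by a placeholder), and reports every mismatch, including the DH group numbering difference (OPNsense group 14 is RouterOS modp2048), the `8h` versus `28800` lifetime, and the policy networks, which must be the mirror image of the OPNsense local/remote pair. The menu paths follow the post; newer RouterOS versions move the profile to `/ip ipsec profile`, which the parser would pick up by the same key names.

```python
"""Cross-check OPNsense phase 1/2 settings against a MikroTik IPsec config.

Added example for this post (not OPNsense or RouterOS code). Flags proposal,
lifetime and network mismatches, the usual reasons an IKEv2 tunnel won't come up.
"""
import re

# Constructed from the OPNsense GUI selections listed in this post.
OPNSENSE = {
    "ike_version": 2,
    "p1_encryption": "aes-256",   # Encryption algorithm: AES (256)
    "p1_hash": "sha256",          # Hash algorithm: SHA256
    "p1_dh_group": 14,            # DH key group: 14 (2048 bits)
    "p1_lifetime": 28800,         # seconds
    "nat_traversal": False,       # NAT Traversal: disabled
    "p2_encryption": "aes-256",   # AES (256 bits)
    "p2_hash": "sha256",
    "p2_pfs_group": 14,           # PFS key group: 14 (2048 bits)
    "p2_lifetime": 28800,
    "local_net": "10.0.0.0/16",   # OPNsense side
    "remote_net": "10.1.0.0/16",  # MikroTik side
}

# Constructed: the RouterOS commands from this post, secret replaced by a placeholder.
MIKROTIK = """
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h nat-traversal=no proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=modp2048
/ip ipsec peer
add address=184.108.40.206/32 exchange-mode=ike2 generate-policy=port-strict my-id=address:220.127.116.11 port=500 secret=<placeholder>
/ip ipsec policy
add dst-address=10.0.0.0/16 sa-dst-address=18.104.22.168 sa-src-address=22.214.171.124 src-address=10.1.0.0/16 tunnel=yes
"""

# OPNsense numbers DH/PFS groups; RouterOS names them by MODP size.
DH_GROUP_NAMES = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072", 16: "modp4096"}
DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_routeros(text):
    """Map each menu path (e.g. "/ip ipsec peer") to a list of {key: value} dicts, one per add/set line."""
    sections, menu = {}, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
            continue
        # Drop the verb ("add" or "set [ find ... ]") so only key=value pairs remain.
        body = re.sub(r"^(set\s+\[.*?\]|set|add)\s*", "", line)
        sections[menu].append(dict(re.findall(r"(\S+?)=(\S+)", body)))
    return sections


def routeros_seconds(value):
    """Convert a RouterOS duration such as '8h', '1d' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhd])", value)
    if not parts:
        raise ValueError(f"cannot parse RouterOS duration {value!r}")
    return sum(int(n) * DURATION_UNITS[u] for n, u in parts)


def check_tunnel(opn, routeros_text):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    cfg = parse_routeros(routeros_text)
    profile = cfg["/ip ipsec peer profile"][0]
    proposal = cfg["/ip ipsec proposal"][0]
    peer = cfg["/ip ipsec peer"][0]
    policy = cfg["/ip ipsec policy"][0]
    problems = []

    def expect(label, got, want):
        if got != want:
            problems.append(f"{label}: MikroTik has {got!r}, OPNsense expects {want!r}")

    # Phase 1 (IKE SA): exchange mode, algorithms, DH group, lifetime, NAT-T.
    expect("exchange-mode", peer.get("exchange-mode"), f"ike{opn['ike_version']}")
    expect("enc-algorithm", profile.get("enc-algorithm"), opn["p1_encryption"])
    expect("hash-algorithm", profile.get("hash-algorithm"), opn["p1_hash"])
    expect("dh-group", profile.get("dh-group"), DH_GROUP_NAMES[opn["p1_dh_group"]])
    expect("phase 1 lifetime", routeros_seconds(profile.get("lifetime", "1d")), opn["p1_lifetime"])
    expect("nat-traversal", profile.get("nat-traversal", "yes") == "yes", opn["nat_traversal"])

    # Phase 2 (child SA): the OPNsense choice must appear in the RouterOS proposal lists.
    enc_list = proposal.get("enc-algorithms", "").split(",")
    if not any(e.startswith(opn["p2_encryption"]) for e in enc_list):
        problems.append(f"enc-algorithms: {enc_list} has no {opn['p2_encryption']} variant")
    if opn["p2_hash"] not in proposal.get("auth-algorithms", "").split(","):
        problems.append(f"auth-algorithms: {proposal.get('auth-algorithms')} lacks {opn['p2_hash']}")
    expect("pfs-group", proposal.get("pfs-group"), DH_GROUP_NAMES[opn["p2_pfs_group"]])
    expect("phase 2 lifetime", routeros_seconds(proposal.get("lifetime", "30m")), opn["p2_lifetime"])

    # Policy: MikroTik src/dst must be the mirror image of the OPNsense local/remote networks.
    expect("policy src-address", policy.get("src-address"), opn["remote_net"])
    expect("policy dst-address", policy.get("dst-address"), opn["local_net"])
    expect("policy tunnel", policy.get("tunnel"), "yes")
    return problems


if __name__ == "__main__":
    for problem in check_tunnel(OPNSENSE, MIKROTIK) or ["no mismatches found"]:
        print(problem)
```

Run it after editing either side; an empty result means the proposals line up and any remaining failure is more likely the firewall (IKE on UDP/500 and ESP not reaching the router) or the pre-shared key. The lifetime check matters more than it looks because of `proposal-check=strict` on the Mikrotik side.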
In a few weeks I’ll have to change it all over again, as the house is changing to NBN FTTC and won’t have a static IP. Urgh.