MikroTik IKEV2 IPSEC + GRE Certificate

Introduction to IPsec and GRE Tunnel Configuration (Using Certificates)

IPsec (Internet Protocol Security) is a suite of protocols that provides secure communication over an IP network by encrypting and authenticating the packets between devices. It is widely used for setting up secure VPNs, ensuring data integrity, confidentiality, and authenticity.

On the other hand, a GRE (Generic Routing Encapsulation) tunnel is a simple, point-to-point connection that encapsulates a wide variety of network layer protocols inside IP packets. GRE is often used to connect remote networks as though they were directly connected to the same physical network.

When combined, GRE over IPsec provides the benefits of both secure communication and the flexibility of GRE. This setup is ideal for scenarios where you need to pass routing protocols (such as OSPF or BGP) or non-IP traffic over a secure connection between two sites.

Benefits of Using GRE over IPsec

  1. Encryption and Security: IPsec ensures data confidentiality and integrity.
  2. Protocol Flexibility: GRE supports multiple protocols (not just IP).
  3. Dynamic Routing: GRE allows the use of dynamic routing protocols, which simplifies network management.
  4. Traffic Separation: GRE can encapsulate traffic, keeping it isolated and organised.

Site A: CHR-AU

Certificates – Generation

System > Certificates

CA (Certificate Authority)

Client Certificate

Certificate Signing – CA

Certificate Signing – Client

Client Certificate Exporting
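The five steps above are shown in the original as WinBox screenshots. The following is an added example of the same procedure from the RouterOS terminal; it is not the post's own script. It assumes 2048-bit RSA keys, the validity periods and common names given here (placeholders), and that the key-usage values listed are the ones you want; the certificate names cert-ca and cert-site match the Identity settings used later in this guide.

```routeros
# Added example, not from the original post: CA + site certificate on CHR-AU.
# Assumed: key size, validity, common names and key-usage sets below.
/certificate
# 1. CA template; key-usage restricts it to signing certificates and CRLs
add name=ca-template common-name=vpn-ca key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign
# 2. Client (site) template with the usages an IKEv2 peer certificate needs
add name=site-template common-name=chr-site key-size=2048 days-valid=1825 key-usage=digital-signature,key-encipherment,ipsec-tunnel
# 3. Self-sign the CA; the result is stored as cert-ca
sign ca-template name=cert-ca
# 4. Sign the site certificate with that CA; the result is stored as cert-site
sign site-template ca=cert-ca name=cert-site
# 5. Export the site certificate together with its private key as PKCS#12;
#    the passphrase protects the key while the file is moved to the other site
export-certificate cert-site type=pkcs12 export-passphrase=CHANGE-ME-strong-passphrase
# Export the CA certificate (public part only, no key) so the far end can verify the chain
export-certificate cert-ca type=pem
# The exported files land in the router's file store (Files in WinBox)
/file print where name~"cert_export"
```

Download the exported files from Files and delete them from the router once they have been copied, so the private key does not sit in the file store longer than needed.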

Bridge

/interface bridge
add name=vpn_bridge protocol-mode=none
/ip address
add address=10.1.254.1/24 interface=vpn_bridge network=10.1.254.0

IPSec Tunnel

Profile

Go to IP > IPsec and on the Profile tab add a new profile, using the following settings, leaving the rest default:

Name: profile-ipsec
Hash Algorithms: sha256
Encryption Algorithm: aes-256
DH Group: modp2048 (14)
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile-ipsec

Peer

Next, on the Peer tab, add the following:

Name: chr-uk
Address: 18.132.39.216 (the IP address of the remote end)
Profile: profile-ipsec
Exchange Mode: IKE2
/ip ipsec peer
add address=18.132.39.216/32 exchange-mode=ike2 name=chr-uk profile=profile-ipsec

Proposal

Then the Proposal:

Name: proposal-ipsec
Auth. Algorithms: sha256
Encr. Algorithms: aes-256-cbc
PFS Group: modp2048
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-ipsec pfs-group=modp2048

Identity

Then the Identity:

Name: chr-uk
Auth. Method: digital signature
Certificate: cert-ca
Remote Certificate: cert-site
Match By: certificate
/ip ipsec identity
add auth-method=digital-signature certificate=cert-ca match-by=certificate peer=chr-uk remote-certificate=cert-site

Finally, the Policy:

General / Action tabs
Peer: chr-uk
Tunnel: yes
Src. Address: 10.1.254.0/24
Dst. Address: 10.2.254.0/24
Level: unique
/ip ipsec policy
add dst-address=10.2.254.0/24 level=unique peer=chr-uk proposal=proposal-ipsec src-address=10.1.254.0/24 tunnel=yes

No-NAT

IP > Firewall > NAT

Traffic between the two sites must not be source-NATed: srcnat is applied before the IPsec policy is matched, so translated packets would never match the policy and would leave unencrypted. NAT rules are evaluated in order, so this accept rule must sit above any masquerade rule for the WAN interface.

General / Action tabs
Src. Address: 10.1.254.0/24
Dst. Address: 10.2.254.0/24
Action: accept
/ip firewall nat
add action=accept chain=srcnat dst-address=10.2.254.0/24 src-address=10.1.254.0/24

GRE Tunnel

Interface + GRE Tunnel

The GRE endpoints are the vpn_bridge addresses of the two sites (10.1.254.1 on CHR-AU, 10.2.254.1 on CHR-UK). Both fall inside the source and destination networks of the IPsec policy, so every GRE packet is carried inside the IPsec tunnel.

/interface gre
add local-address=10.1.254.1 name=gre-tunnel1 remote-address=10.2.254.1
/ip address
add address=10.1.1.1/30 interface=gre-tunnel1 network=10.1.1.0

Site B: CHR-UK

Certificates

Upload

Import
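The Upload and Import steps are screenshots in the original. As an added example (not the post's own script), this is the terminal equivalent on CHR-UK. It assumes the files were produced by the export shown for Site A, that RouterOS named them with its usual cert_export_ prefix, and that the common names vpn-ca and chr-site from that example were used; adjust the names if yours differ.

```routeros
# Added example, not from the original post: import the certificates on CHR-UK.
# Assumed: file names and common names from the Site A export example.
/certificate
# Check first whether the PKCS#12 import already brought the CA along; if it did,
# skip the PEM import below to avoid a duplicate CA entry
import file-name=cert_export_cert-site.p12 passphrase=CHANGE-ME-strong-passphrase
import file-name=cert_export_cert-ca.pem passphrase=""
# Imported certificates are named after their file; rename them so they match
# the Identity settings used in this guide (cert-ca / cert-site)
set [find where common-name=vpn-ca] name=cert-ca
set [find where common-name=chr-site] name=cert-site
# Check: cert-site must carry the K flag (private key present) and the T flag
# (trusted, i.e. its chain validates against the imported CA)
print detail where name=cert-site
# Remove the uploaded files once imported so the private key is not left in the file store
/file remove [find where name~"cert_export"]
```

If the K flag is missing, the PKCS#12 was imported without its key (usually a wrong passphrase); if T is missing, the CA certificate was not imported or does not match the one that signed cert-site.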

Bridge

/interface bridge
add name=vpn_bridge protocol-mode=none
/ip address
add address=10.2.254.1/24 interface=vpn_bridge network=10.2.254.0

IPSec Tunnel

Profile

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile-ipsec

Peer

/ip ipsec peer
add address=54.66.163.58/32 exchange-mode=ike2 name=chr-au profile=profile-ipsec

Proposal

/ip ipsec proposal
add auth-algorithms=sha256 name=proposal-ipsec pfs-group=modp2048

Identity

/ip ipsec identity
add auth-method=digital-signature certificate=cert-ca match-by=certificate peer=chr-au remote-certificate=cert-site

Policy

/ip ipsec policy
add dst-address=10.1.254.0/24 level=unique peer=chr-au proposal=proposal-ipsec src-address=10.2.254.0/24 tunnel=yes

No-NAT

/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.254.0/24 src-address=10.2.254.0/24

GRE Tunnel

/interface gre
add local-address=10.2.254.1 name=gre-tunnel1 remote-address=10.1.254.1
/ip address
add address=10.1.1.2/30 interface=gre-tunnel1 network=10.1.1.0

Testing

Bridge

CHR-AU

/interface bridge
add name=lan_bridge protocol-mode=none

CHR-UK

/interface bridge
add name=lan_bridge protocol-mode=none

Address

For the test, CHR-AU gets 192.168.1.0/24 behind its lan_bridge and CHR-UK gets 192.168.2.0/24; each site then routes the other site's LAN via the far end of the GRE link (10.1.1.2 from CHR-AU, 10.1.1.1 from CHR-UK).

CHR-AU

/ip address
add address=192.168.1.1/24 interface=lan_bridge network=192.168.1.0

CHR-UK

/ip address
add address=192.168.2.1/24 interface=lan_bridge network=192.168.2.0

Static Routes

CHR-AU

/ip route
add disabled=no dst-address=192.168.2.0/24 gateway=10.1.1.2

CHR-UK

/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=10.1.1.1
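The original stops at the test configuration without showing how to confirm the tunnel is up and that traffic actually travels inside IPsec. The following is an added set of checks (not part of the original post) to run on CHR-AU; it uses the addresses from this guide and assumes CHR-AU's LAN is 192.168.1.0/24 and CHR-UK's is 192.168.2.0/24, as the CHR-UK static route implies.

```routeros
# Added example, not from the original post: verify the tunnel from CHR-AU.
# Assumed: LAN 192.168.1.0/24 at CHR-AU, 192.168.2.0/24 at CHR-UK.
# 1. IKEv2 phase 1: the remote peer (18.132.39.216) should be listed as established
/ip ipsec active-peers print
# 2. Phase 2: one inbound and one outbound SA for the policy; note current-bytes
/ip ipsec installed-sa print
# 3. The policy itself should report ph2-state=established
/ip ipsec policy print detail where peer=chr-uk
# 4. Bridge-to-bridge ping: these packets match the policy, so they go through IPsec
/ping 10.2.254.1 src-address=10.1.254.1 count=5
# 5. The GRE interface should show the R (running) flag and answer on 10.1.1.0/30
/interface gre print
/ping 10.1.1.2 count=5
# 6. End to end: the static route to the CHR-UK LAN and a ping sourced from our LAN address
/ip route print where dst-address=192.168.2.0/24
/ping 192.168.2.1 src-address=192.168.1.1 count=5
# 7. Re-check the SAs: current-bytes must have grown by roughly the size of the pings,
#    which proves the GRE traffic is being encrypted rather than sent in clear
/ip ipsec installed-sa print
# 8. IPsec error counters (no-state, no-policy, mismatches) should stay at zero
/ip ipsec statistics print
```

If step 1 shows no active peer, the IKE exchange is not completing: check that UDP/500, UDP/4500 and ESP from the remote public address are not dropped in the input chain, and that the certificates on both ends carry the K and T flags. If steps 1 to 3 pass but step 5 fails, the GRE endpoints do not match the bridge addresses on one side.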
