IPSec Between OPNSense and Mikrotik

This time it was from Mikrotik at one end to OPNsense at the other.

Here’s a diagram of the layout. A /16 at each house, connected over the internet.

+---------------+   +---------+   +----------+   +---------+   +---------------+
| Local Network +---+ House 1 +---+ Internet |   | House 2 |   | Local Network |
| 10.0.0.0/16   |   | 5.5.5.5 |   |          +---+ 9.9.9.9 +---+ 10.1.0.0/16   |
+---------------+   +---------+   +----------+   +---------+   +---------------+
  OPNSense                                         Mikrotik

Configuring OPNsense

There are a few steps to this one.

Phase 1

This is the IKE stage: the two ends authenticate each other and agree on how to protect the rest of the negotiation.

  1. VPN -> IPsec -> Tunnel settings
  2. Create a new config
  3. General information
    • Connection method: default
    • Key Exchange Version: v2
    • Internet Protocol: v4 (depending on what connectivity you have)
    • Interface: WAN (your external interface)
    • Remote gateway: 9.9.9.9
  4. Phase 1 proposal (Authentication)
    • Authentication method: Mutual PSK
    • My identifier: IP Address (5.5.5.5)
    • Peer identifier: IP Address (9.9.9.9)
    • Pre-shared key: a long random string; it must be identical to the secret you put in the Mikrotik identity
  5. Phase 1 proposal (Algorithms)
    • Encryption algorithm: AES (256)
    • Hash algorithm: SHA256
    • DH key group: 14 (2048 bits)
    • Lifetime: 28800 seconds (8 hours)
  6. Advanced options
    • NAT Traversal: disabled (both ends have public addresses here; enable it if either end sits behind NAT)
    • Install policy: ticked
    • Dead peer detection: Enabled (10 seconds delay, 5 retries, restart the tunnel)
    • Everything else: disabled
  7. Hit save

Phase 2

This is the stage that sets up the child SA that actually encrypts the traffic between the two networks. From the Tunnel settings page, next to the newly created phase 1 configuration, there should be a button to add a phase 2 entry. Click that.

  1. Mode: Tunnel IPv4
  2. Local Network
    • Type: Network
    • Address: 10.0.0.0/16
  3. Remote Network
    • Type: Network
    • Address 10.1.0.0/16
  4. Phase 2 Proposal (SA/Key exchange)
    • Protocol: ESP
    • Encryption Algorithms
      • AES (256 bits in the dropdown)
    • Hash algorithms: SHA256
    • PFS key group: 14 (2048 bits)
    • Lifetime: 28800 seconds (8 hours)

Hit save

Other bits

Make sure you tick “Enable IPsec” on the tunnel config screen and ensure you hit apply, otherwise it won’t start the tunnels…

OPNsense usually adds the right WAN rules itself, but double check that your WAN interface actually has rules allowing IKE (UDP/500) and ESP (IP protocol 50) from 9.9.9.9. If you enable NAT Traversal you also need UDP/4500.

You’ll need to configure appropriate firewall rules for traffic traversing the IPsec link in the “ipsec” firewall rules section. You can be lazy and just any/any/any it, but remember that this gives every host on 10.1.0.0/16 unrestricted access to every host on 10.0.0.0/16, so more specific rules are the better option.

For reference, NAT Traversal is disabled in this setup because both ends have public addresses. If either end sits behind NAT and you enable it, the protocols and ports involved are:

  • Encapsulating Security Payload (ESP): IP protocol 50, encapsulated in UDP port 4500 once NAT is detected
  • Authentication Header (AH): IP protocol 51; AH authenticates the outer IP header, so it cannot pass through NAT and NAT-T does not apply to it
  • IKE negotiation: starts on UDP port 500 and moves to UDP port 4500 when NAT is detected

Configuring the Mikrotik

Here’s the config from the Mikrotik; suffice it to say there was a lot of clicking and swearing and trying to edit things in the console to make this work. You should be able to copy, edit and update this to suit your needs.

You’ll need firewall rules to let the IKE and ESP traffic reach the router. Because 9.9.9.9 is the router’s own address, these belong in the input chain (not forward), and they have to sit above any drop rule in that chain. This connection uses ether1, so your in-interface may differ. Once the tunnel is up, the decrypted traffic between the two /16s crosses the forward chain (RouterOS lets you match it with ipsec-policy=in,ipsec), and if you have a masquerade rule in srcnat you need an accept rule ahead of it (ipsec-policy=out,ipsec) so tunnel traffic isn’t NATed on the way in.

/ip firewall filter
# IKE and ESP are addressed to the router itself (9.9.9.9), so they traverse
# the input chain, not forward. Put these above any input drop rule.
add action=accept chain=input dst-address=9.9.9.9 dst-port=500 in-interface=ether1 protocol=udp src-address=5.5.5.5 comment="IKE from OPNsense"
add action=accept chain=input dst-address=9.9.9.9 in-interface=ether1 protocol=ipsec-esp src-address=5.5.5.5 comment="ESP from OPNsense"

And here’s the config for the IPSEC side of things:

# Phase 1: must match the OPNsense phase 1 proposal (AES-256, SHA256,
# DH group 14 = modp2048, lifetime 28800 s = 8h). NAT-T is off because both
# ends have public addresses.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h nat-traversal=no proposal-check=strict

# Phase 2: aes-256-cbc + sha256 + PFS modp2048 is what OPNsense was given;
# the CTR/GCM entries are additional options and are not needed for this peer.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=modp2048

# The OPNsense end, addressed by its public IP, IKEv2.
/ip ipsec peer
add name="peer" address=5.5.5.5/32 local-address=9.9.9.9 port=500 profile=default exchange-mode=ike2 send-initial-contact=yes

# Same pre-shared key as entered on OPNsense.
/ip ipsec identity
add peer=peer auth-method=pre-shared-key secret="superlongpasswordhere" generate-policy=port-strict

# Static policy: 10.1.0.0/16 (this end) <-> 10.0.0.0/16 (OPNsense), tunnel mode.
/ip ipsec policy
add dst-address=10.0.0.0/16 sa-dst-address=5.5.5.5 sa-src-address=9.9.9.9 src-address=10.1.0.0/16 tunnel=yes peer=peer
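Every parameter above has to agree on both ends, and the classic way this kind of tunnel fails is a quiet mismatch: a cipher or DH group the other side never offers, lifetimes written as 8h on one box and 28800 s on the other, or a policy whose src/dst is not the mirror image of the other side’s local/remote. Here is a small Python script, added as an example (it is not part of the original post and not a tool from either vendor), that parses the RouterOS /ip ipsec export lines and checks them against the OPNsense phase 1/2 settings. The export text embedded in it is constructed from the Mikrotik config shown above, the OPNsense side is transcribed into the two dicts, and the DH group name table is my own mapping of RouterOS group names to the IANA numbers OPNsense shows.

```python
import re
import shlex

# OPNsense side, transcribed from the GUI steps above: DH/PFS groups as the
# IANA numbers OPNsense shows, lifetimes in seconds, ciphers as name+keysize.
OPNSENSE_P1 = {"enc": "aes256", "hash": "sha256", "dh": 14, "lifetime": 28800}
OPNSENSE_P2 = {"enc": "aes256", "hash": "sha256", "pfs": 14, "lifetime": 28800,
               "local": "10.0.0.0/16", "remote": "10.1.0.0/16"}

# Constructed from the Mikrotik config shown above; not a live export.
ROUTEROS_EXPORT = """\
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h nat-traversal=no proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=modp2048
/ip ipsec policy
add dst-address=10.0.0.0/16 sa-dst-address=5.5.5.5 sa-src-address=9.9.9.9 src-address=10.1.0.0/16 tunnel=yes peer=peer
"""

# RouterOS group names -> IANA IKE group numbers (what the OPNsense dropdown shows).
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}


def ros_duration(value):
    """RouterOS duration ('8h', '1d', '1h30m') -> seconds."""
    mult = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * mult[u] for n, u in re.findall(r"(\d+)([dhms])", value))


def ros_enc(name):
    """Normalise cipher names so 'aes-256' (profile) and 'aes-256-cbc'
    (proposal) both compare equal to the OPNsense 'aes256'; CTR/GCM keep
    their suffix because they are different transforms."""
    name = name.replace("-", "")
    return name[:-3] if name.endswith("cbc") else name


def ros_set(entry, key):
    """Comma-separated RouterOS value -> set of strings ({''} if absent)."""
    return set(entry.get(key, "").split(","))


def parse_export(text):
    """{'profile': {...}, 'proposal': {...}, 'policy': {...}} from /ip ipsec
    export output; the first set/add entry of each section is kept."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line.split()[-1]          # "/ip ipsec profile" -> "profile"
            continue
        if not line or current is None or current in sections:
            continue
        line = re.sub(r"\[.*?\]", "", line)     # drop the "[ find default=yes ]" selector
        sections[current] = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    return sections


def check(export_text, p1, p2):
    """Return a list of mismatches; an empty list means both ends agree."""
    cfg = parse_export(export_text)
    prof, prop, pol = (cfg.get(k, {}) for k in ("profile", "proposal", "policy"))
    issues = []

    # Phase 1 (IKE SA): the profile must offer what OPNsense proposes.
    if p1["enc"] not in {ros_enc(a) for a in ros_set(prof, "enc-algorithm")}:
        issues.append(f"phase1: cipher {p1['enc']} not in profile enc-algorithm")
    if p1["hash"] not in ros_set(prof, "hash-algorithm"):
        issues.append(f"phase1: hash {p1['hash']} not in profile hash-algorithm")
    if p1["dh"] not in {DH_GROUPS.get(g) for g in ros_set(prof, "dh-group")}:
        issues.append(f"phase1: DH group {p1['dh']} not in profile dh-group")
    if ros_duration(prof.get("lifetime", "")) != p1["lifetime"]:
        issues.append(f"phase1: lifetime {prof.get('lifetime')} != {p1['lifetime']}s")

    # Phase 2 (child SA): the proposal must offer the ESP transforms and PFS group.
    if p2["enc"] not in {ros_enc(a) for a in ros_set(prop, "enc-algorithms")}:
        issues.append(f"phase2: cipher {p2['enc']} not in proposal enc-algorithms")
    if p2["hash"] not in ros_set(prop, "auth-algorithms"):
        issues.append(f"phase2: hash {p2['hash']} not in proposal auth-algorithms")
    if p2["pfs"] not in {DH_GROUPS.get(g) for g in ros_set(prop, "pfs-group")}:
        issues.append(f"phase2: PFS group {p2['pfs']} not in proposal pfs-group")
    if ros_duration(prop.get("lifetime", "")) != p2["lifetime"]:
        issues.append(f"phase2: lifetime {prop.get('lifetime')} != {p2['lifetime']}s")

    # Policy: the Mikrotik's src/dst must be the mirror of OPNsense's local/remote.
    if (pol.get("src-address"), pol.get("dst-address")) != (p2["remote"], p2["local"]):
        issues.append("policy: src/dst do not mirror the OPNsense local/remote networks")
    if pol.get("tunnel") != "yes":
        issues.append("policy: tunnel=yes is required to match OPNsense 'Tunnel IPv4'")
    return issues


if __name__ == "__main__":
    for problem in check(ROUTEROS_EXPORT, OPNSENSE_P1, OPNSENSE_P2) or ["both ends agree"]:
        print(problem)
```

Paste the real output of /ip ipsec export into ROUTEROS_EXPORT and adjust the two dicts to whatever you chose in the OPNsense GUI; phase 1 is checked against the profile, phase 2 against the proposal, and the policy against the networks. The check is deliberately one-directional (is what OPNsense proposes among what the Mikrotik accepts), which is the question that matters with proposal-check=strict.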