How to setup ipsec Site to Site VPN between mikrotik and OpenWrt

sagar_jain · August 19, 2019, 7:04am

can anyone tell me how to setup ipsec site to site ipsec vpn by luci (GUI). i am unable to connect ipsec site to site vpn by CLI. here is the topology

here is my configuration

# cat /etc/config/ipsec
config 'ipsec'
  list listen ''

config 'remote' 'nesecure'
  option 'enabled' '1'
  option 'gateway' 'IP Of SERVER'
  option 'pre_shared_key' 'key'
  option authentication_method 'psk'
  option 'exchange_mode' 'main'
  list   'p1_proposal' 'neprposal'
  list   'tunnel' 'nesecure_lan'

config 'p1_proposal' 'neproposal'
  option 'encryption_algorithm' 'des'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

config 'tunnel' 'nesecure_lan'
  option 'local_subnet' '192.168.2.0/24'
  option 'remote_subnet' '10.234.152.176/28'
 option 'p2_proposal' 'neproposal2'

config 'p2_proposal' 'neproposal2'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'des'
  option 'authentication_algorithm' 'sha1'

# firewall config
# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option drop_invalid '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 dongle wan2'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'ah'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option subnet '10.234.152.176/28'
	option extra_src '-m policy --dir in --pol ipsec --proto esp'
	option extra_dest '-m policy --dir out --pol ipsec --proto esp'
	option mtu_fix '1'

config rule
	option name 'Allow-IKE-input'
	option src 'wan'
	option proto 'udp'
	option dest_port '500 4500'
	option target 'ACCEPT'

config rule
	option name 'Allow-ESP-input'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option name 'AllowWANWeb'

onix · March 27, 2023, 9:35pm

Any luck? We are now at OpenWRT 22.0.3 in 2023.

mk24 · March 27, 2023, 11:05pm

I'm working on this same setup; I'll try to write something up in the next few days.

IPSec is cool when it works but it's not for beginners.

mk24 · April 1, 2023, 9:27pm

@onix I can confirm that yes it is possible, could make a write-up if you're still needing it.

sagar_jain · April 2, 2023, 6:31am

Checkout my solution.

onix · April 2, 2023, 4:12pm

Hi @mk24, it would be helpful / instructive to see your solution, esp if you used something other than strongswan.

onix · April 2, 2023, 7:24pm

Hi @sagar_jain, the vtiv4 package is not found under new software packages in LuCI.

More importantly, strongswan-full (+4.0MB), ip-full (+0.4MB), and kmod-ip-vti (+0.1M) would need an additional ~4.6MB on my currently configured Archer C7v5, which is about 50% full and has only 4.7MB of space left, leaving minimal headroom and space for anything else. So this is not an acceptable solution.

mk24 · April 3, 2023, 2:54am

The set of packages for strongswan that I've tried to minimize to only essential are these:

strongswan strongswan-charon strongswan-mod-kernel-netlink strongswan-mod-nonce strongswan-mod-openssl
strongswan-mod-pem strongswan-mod-pubkey strongswan-mod-random
strongswan-mod-sha2 strongswan-mod-socket-default strongswan-mod-vici strongswan-swanctl

strongswan-mod-openssl seems to be needed for anything involving certificates, but it depends on the openssl library, which is very large. Perhaps if only RSA is involved, the pem module is sufficient by itself.

Note that RouterOS does not support EC certificates, only RSA. I spent a lot of time trying to import EC certificates only to have them silently ignored.

onix · April 5, 2023, 7:44pm

I suspect all those packages you listed have co-dependent packages. Summing the space each one requires separately, would probably not be accurate of the total storage needed. Do you know what they would be in combination?

mk24 · April 5, 2023, 8:33pm

Since the ipk files are compressed, not all the data in the ipk is actually installed to disk, and the jffs is also compressed, there is no good way to know how much physical flash space will be required by packages other than to test installing them.

I have not tried to run this on a router with small RAM or flash so I don't know.

A considerable amount could be saved by using psk instead of pubkey authentication, as x509 and ssl supporting packages will not be required. But it is markedly less secure.

Is there a reason you need IPSec instead of wireguard?

onix · April 17, 2023, 12:03am

Hi @mk24,

Regarding wireguard, I have some old remote Mikrotik routers on RouterOS 6.x that have not been upgraded to 7.x It may be time to, based on the tremendous positives of wireguard -- security, speed, install size and cross-platform compatibility. Doing this is a bit of an undertaking for me with distributed routers, clients, their software, and re-configuring the firewalls. Nevertheless, your question is a good one.