This document outlines how to create a site-to-site VPN using an IPsec tunnel through OneView. It guides the user through the commands needed to configure the MikroTik router through OneView.
You will not require access to the MikroTik GUI to complete this setup.
In this example the following addresses are used:
Local Private - X.X.X.X /16
Other Private - Y.Y.Y.Y /24
Local Public - A.A.A.A
Other Public - B.B.B.B
Step 1: Access Router Config Page on OneView
Navigate to Config > Advanced Settings > Router
Go to 'Create new modify command':
Step 2: Modify Default IPsec Profile
Enter the following command into the 'Create New Modify Command' - Command Bar:
/ip/ipsec/profile/set dh-group=modp2048 hash-algorithm=sha256 enc-algorithm=aes-128,aes-256,aes-192,3des
Enter the following command into the 'Create New Modify Command' - Filter Bar:
/ip/ipsec/profile/print name=default
It should look like this when you click 'create':
Step 3: Create IPsec Proposal
Go to 'Create new add / other command':
Enter the following command into the 'Create New Add / Other Command'.
/ip/ipsec/proposal/add auth-algorithms=sha1,sha256 enc-algorithms=aes-256-cbc name=vpn-tunnel pfs-group=modp2048
Step 4: Create IPsec Peer
Enter the following command into the 'Create New Add / Other Command'.
/ip/ipsec/peer/add address=B.B.B.B/32 name=vpn-tunnel local-address=A.A.A.A profile=default exchange-mode=ike2 send-initial-contact=yes passive=no
Step 4: Create IPsec Policy Group
Enter the following command into the 'Create New Add / Other Command'.
/ip/ipsec/policy/group/add name=vpn-group
You may receive a warning "Unable to confirm cmd in router: /ip/ipsec/policy/group/add name=vpn-group". You can ignore this.
Step 5: Create IPsec Identity
Enter the following command into the 'Create New Add / Other Command'.
/ip/ipsec/identity/add peer=vpn-tunnel auth-method=pre-shared-key secret=password match-by=remote-id remote-id=auto my-id=auto generate-policy=no policy-template-group=vpn-group
Step 6: Create IPsec Policy
Enter the following command into the 'Create New Add / Other Command'.
/ip/ipsec/policy/add src-address=X.X.0.0/16 src-port=any dst-address=Y.Y.Y.0/24 dst-port=any tunnel=yes action=encrypt proposal=vpn-tunnel peer=vpn-tunnel
Note that only the network portion of the address is used for both the source and destination addresses, and that the peer name must match the peer created in Step 4 (vpn-tunnel).
Step 7: Create NAT Rule
Enter the following command into the 'Create New Add / Other Command'.
/ip/firewall/nat/add chain=srcnat action=accept src-address=X.X.0.0/16 dst-address=Y.Y.Y.0/24
Step 8: Create Firewall Rule
Enter the following command into the 'Create New Add / Other Command'.
/ip/firewall/filter/add chain=input protocol=udp dst-port=500,1701,4500
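As an added example (not part of the original guide, nor OneView or MikroTik tooling), this Python script assembles the commands from Steps 2 to 8 out of the four addresses, normalises the private ranges to their network portion as Step 6 requires, and cross-checks that every peer=, proposal= and policy-template-group= value names an object an earlier command created, which catches a typo such as a policy pointing at a peer that was never added. The sample addresses, the name and group defaults and the placeholder pre-shared key are assumptions.

```python
import ipaddress
import re

# Each step is (command, filter); only the 'modify' step (Step 2) carries a filter,
# because OneView targets the profile through the filter bar, not the command.
def build_commands(local_priv, other_priv, local_pub, other_pub, psk,
                   name="vpn-tunnel", group="vpn-group"):
    # Policies and the NAT rule take the network portion only (Step 6 note),
    # so a host address such as 10.20.5.7/16 is normalised to 10.20.0.0/16.
    src = ipaddress.ip_network(local_priv, strict=False)
    dst = ipaddress.ip_network(other_priv, strict=False)
    local_ip = ipaddress.ip_address(local_pub)
    peer_ip = ipaddress.ip_address(other_pub)
    return [
        ("/ip/ipsec/profile/set dh-group=modp2048 hash-algorithm=sha256 "
         "enc-algorithm=aes-128,aes-256,aes-192,3des", "/ip/ipsec/profile/print name=default"),
        (f"/ip/ipsec/proposal/add auth-algorithms=sha1,sha256 enc-algorithms=aes-256-cbc "
         f"name={name} pfs-group=modp2048", None),
        (f"/ip/ipsec/peer/add address={peer_ip}/32 name={name} local-address={local_ip} "
         "profile=default exchange-mode=ike2 send-initial-contact=yes passive=no", None),
        (f"/ip/ipsec/policy/group/add name={group}", None),
        (f"/ip/ipsec/identity/add peer={name} auth-method=pre-shared-key secret={psk} "
         f"match-by=remote-id remote-id=auto my-id=auto generate-policy=no "
         f"policy-template-group={group}", None),
        (f"/ip/ipsec/policy/add src-address={src} src-port=any dst-address={dst} dst-port=any "
         f"tunnel=yes action=encrypt proposal={name} peer={name}", None),
        (f"/ip/firewall/nat/add chain=srcnat action=accept src-address={src} dst-address={dst}", None),
        ("/ip/firewall/filter/add chain=input protocol=udp dst-port=500,1701,4500", None),
    ]

# Reference key -> object type whose 'add' must have defined that name earlier in the sequence.
REFS = {"peer": "peer", "proposal": "proposal", "policy-template-group": "policy/group"}
ADD_RE = re.compile(r"^/ip/ipsec/(peer|proposal|policy/group)/add .*?\bname=(\S+)")

def check_references(commands):
    """Return dangling references, e.g. a policy whose peer= names a peer that was never
    added; RouterOS would accept such a policy but it could never bring the tunnel up."""
    defined = {}
    problems = []
    for cmd, _filter in commands:
        m = ADD_RE.match(cmd)
        if m:
            defined.setdefault(m.group(1), set()).add(m.group(2))
        for key, kind in REFS.items():
            for ref in re.findall(rf"(?<![\w-]){key}=(\S+)", cmd):
                if ref not in defined.get(kind, set()):
                    problems.append(f"{key}={ref} not defined before: {cmd[:40]}...")
    return problems
```

Run check_references over the generated list before pasting the commands into OneView; an empty list means every name the later commands rely on was created by an earlier step.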