Self Learner | Information Technology Enthusiast | Hamba Allah


Monday, September 29, 2014

Configuring VPN IPsec vShield Edge to Mikrotik


Unlike other common router platforms, configuring an IPsec VPN between vShield Edge (vCloud Director) and a MikroTik router is not straightforward, because the VPN parameters that vShield Edge exposes are very limited. The parameters that peer devices normally let you tune (DH group, lifetimes, PFS group and so on, on MikroTik, Cisco ASA, Check Point, pfSense, Vyatta and other router platforms) therefore have to be adjusted on the peer side to match what vShield Edge uses.

For this lab, I set up a VPN connection between vShield Edge on vCloud Director and a MikroTik RouterOS device, based on the topology below:




Based on several sources on the internet about vShield Edge VPN compatibility, vShield Edge uses a fixed set of IPsec parameters that have to be mirrored on the peer device (here the MikroTik). The values used in this lab are the ones in the MikroTik commands further down: 3DES encryption, SHA1 authentication, DH group 2 (modp1024), main mode with a pre-shared key, no PFS, an 8 hour IKE lifetime and a 1 hour IPsec SA lifetime.



Configuration on vShield Edge

First, set up the VPN configuration on vShield Edge (cloud site) with the settings below:


  • Name    : VPN to Office (name of the VPN profile), then tick Enable
  • Description    : a description of the VPN profile (optional)
  • Tunnel to    : a Remote Network
Peer Settings
  • Peer IP Address    : 202.179.188.32 (public/WAN IP of the MikroTik)
  • Peer Gateway    : 172.16.0.1 (the address on the MikroTik LAN interface, which acts as the LAN gateway)
  • Peer Subnet Mask    : 255.255.255.0 (subnet mask of the MikroTik LAN/internal network). Whatever network you enter here must be the same one used as src-address in the MikroTik policy further down (the MikroTik commands in this post use 172.16.10.0/24); if the two sides describe different networks, the policies do not match and the phase 2 negotiation fails.
Tunnel Settings
  • Encryption Protocol    : 3DES (matched by 3des on the MikroTik side; 3DES is the weakest cipher vShield Edge can offer, so if your version lists AES or AES256, prefer it and change the MikroTik enc-algorithm and enc-algorithms to match)
  • Shared Secret    : 123KarenaAllahlahKitaKuatDanKitaMampu (at least 32 characters, and must be identical on both sides)
  • Show key    : optional, to check that the shared key was typed correctly
  • MTU    : 1500 (default value)


Configuration on Mikrotik Router

The MikroTik router has to be configured with IPsec parameters that match the ones vShield Edge uses. I found a set of parameters that works on the MikroTik and tested it; the result was a stable connection.

All of the commands below are adjusted to the topology above, so you can paste them into the MikroTik console as they are and change the IP addresses, subnets and shared secret to match your own network.



Phase 2 proposal (IPsec SA): 3DES with SHA1, a 1 hour SA lifetime and PFS disabled:

/ip ipsec proposal add name=VPN_Cloud auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none


Policy: encrypt traffic between the office LAN (172.16.10.0/24) and the cloud LAN (192.168.0.0/24) in an ESP tunnel between the two public IPs. The proposal name here must be exactly the name created above:

/ip ipsec policy add dst-address=192.168.0.0/24 proposal=VPN_Cloud sa-dst-address=103.7.0.3 sa-src-address=202.179.188.32 src-address=172.16.10.0/24 tunnel=yes protocol=255 action=encrypt level=require ipsec-protocols=esp priority=0


Phase 1 peer (IKE): the vShield Edge public IP, main mode with a pre-shared key, 3DES/SHA1, DH group 2 (modp1024), an 8 hour lifetime, NAT traversal and dead peer detection enabled. The secret must be the same string as the shared secret entered on vShield Edge:

/ip ipsec peer add address=103.7.0.3/32 port=500 enc-algorithm=3des lifetime=8h nat-traversal=yes secret=123KarenaAllahlahKitaKuatDanKitaMampu passive=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 dh-group=modp1024 generate-policy=no dpd-interval=120 dpd-maximum-failures=5


/ip firewall filter

add chain=forward dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept

add chain=forward dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept

These two rules let the traffic between the two LANs through the forward chain. They have to sit above any drop rule in that chain: rules are matched top down, and a rule created with "add" goes to the end of the chain.


/ip firewall nat

add chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept

add chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept

These are NAT exceptions, not masquerade rules: an accept in srcnat stops the rules below it from translating the tunnel traffic to the public IP, which would otherwise stop it from matching the IPsec policy. For the same top-down reason they have to be placed above the masquerade rule that gives the LAN its internet access; if that rule already exists, move these two above it.


=================================================
Type /ip ipsec export in the MikroTik console, then check that every parameter was entered correctly. Once the tunnel is up, /ip ipsec remote-peers print shows the established phase 1 peer and /ip ipsec installed-sa print shows the active phase 2 security associations.
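To make that verification step concrete, here is an added example (my own, not code from the original post or from MikroTik) that parses the text printed by /ip ipsec export and /ip firewall export and checks it against the vShield Edge parameters used in this post. The export text inside it is a constructed sample, not a capture from a real router, and it deliberately contains two mistakes: a policy that points at a proposal name that does not exist (the name mismatch raised in the comments below) and srcnat accept rules placed below the masquerade rule. The expected values, the 32-character minimum for the shared secret and the interface name ether1-WAN are assumptions taken from this post's own commands.

```python
# Offline sanity check for the MikroTik side of a vShield Edge IPsec tunnel:
# parse "/ip ipsec export" plus "/ip firewall export" text and report values
# that do not match what vShield Edge negotiates, plus two common mistakes.
import shlex

# Phase 1 (peer) and phase 2 (proposal) values assumed from the commands in the
# post: 3DES/SHA1, DH group 2 (modp1024), main mode, 8h IKE and 1h SA lifetime, no PFS.
EXPECTED_PEER = {"enc-algorithm": "3des", "hash-algorithm": "sha1",
                 "dh-group": "modp1024", "exchange-mode": "main", "lifetime": "8h"}
EXPECTED_PROPOSAL = {"enc-algorithms": "3des", "auth-algorithms": "sha1",
                     "pfs-group": "none", "lifetime": "1h"}

# Constructed sample in RouterOS export format (not captured from a router).
# It deliberately contains two mistakes: the policy references "VPN_Group"
# while the proposal is named "VPN_Cloud", and the srcnat accept rules sit
# below the masquerade rule, so tunnel traffic would still be NATed.
SAMPLE_EXPORT = """\
# sep/29/2014 23:10:00 by RouterOS 6.20
/ip ipsec proposal
add name=VPN_Cloud auth-algorithms=sha1 enc-algorithms=3des lifetime=1h \\
    pfs-group=none
/ip ipsec peer
add address=103.7.0.3/32 dh-group=modp1024 enc-algorithm=3des \\
    exchange-mode=main hash-algorithm=sha1 lifetime=8h nat-traversal=yes \\
    secret=123KarenaAllahlahKitaKuatDanKitaMampu
/ip ipsec policy
add dst-address=192.168.0.0/24 proposal=VPN_Group sa-dst-address=103.7.0.3 \\
    sa-src-address=202.179.188.32 src-address=172.16.10.0/24 tunnel=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.10.0/24
add action=accept chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.0.0/24
"""


def _join_continuations(text):
    # RouterOS export wraps long entries with a trailing backslash.
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            lines.append(buf + line)
            buf = ""
    return lines


def parse_export(text):
    # Return {menu path: [ {key: value}, ... ]} for every "add" line.
    menus, menu = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu is not None:
            entry = {}
            for tok in shlex.split(line[4:]):
                key, sep, val = tok.partition("=")
                if sep:
                    entry[key] = val
            menus.setdefault(menu, []).append(entry)
    return menus


def check_export(text, expected_peer=EXPECTED_PEER,
                 expected_proposal=EXPECTED_PROPOSAL, min_secret_len=32):
    # Return human-readable findings; an empty list means everything matched.
    menus, findings = parse_export(text), []
    proposals = {p.get("name"): p for p in menus.get("/ip ipsec proposal", [])}
    for name, prop in proposals.items():
        for key, want in expected_proposal.items():
            if prop.get(key) != want:
                findings.append(f"proposal {name}: {key}={prop.get(key)!r}, need {want!r}")
    for peer in menus.get("/ip ipsec peer", []):
        for key, want in expected_peer.items():
            if peer.get(key) != want:
                findings.append(f"peer {peer.get('address')}: {key}={peer.get(key)!r}, need {want!r}")
        if len(peer.get("secret", "")) < min_secret_len:  # post: at least 32 characters
            findings.append(f"peer {peer.get('address')}: shared secret shorter than {min_secret_len}")
    for pol in menus.get("/ip ipsec policy", []):
        name = pol.get("proposal", "default")
        if name != "default" and name not in proposals:
            findings.append(f"policy {pol.get('src-address')}->{pol.get('dst-address')}: "
                            f"proposal {name!r} does not exist")
    # srcnat is evaluated top down: an accept below masquerade is never reached.
    nat = menus.get("/ip firewall nat", [])
    masq = [i for i, r in enumerate(nat)
            if r.get("chain") == "srcnat" and r.get("action") == "masquerade"]
    for i, rule in enumerate(nat):
        if masq and i > masq[0] and rule.get("chain") == "srcnat" and rule.get("action") == "accept":
            findings.append(f"srcnat accept {rule.get('src-address')}->{rule.get('dst-address')} "
                            "is below the masquerade rule; move it above")
    return findings


if __name__ == "__main__":
    for finding in check_export(SAMPLE_EXPORT) or ["all checks passed"]:
        print(finding)
```

Paste the real export output into a file and call check_export() on its contents; an empty list means the values match this post. The parser only reads "add" lines, so the built-in default proposal (printed by export as a "set" line) is ignored on purpose, and a policy with no proposal= attribute is treated as using that default.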

Now test from both sides: ping from a LAN host at the cloud (vShield Edge) site to a LAN host at the MikroTik site, and then the other way round. Why both? Because the IPsec tunnel is typically only established once traffic matching the policy flows between the sites (here the ping is the trigger).

I ran these steps in my lab, and the tunnel between vShield Edge and MikroTik was established successfully.

Try my steps and let me know if you run into a problem.

Please give your input, comments, or anything else that would help me improve :)

Regards,
Donny Achmadi
(at Night on 29 September 2014) 

6 comments:

  1. Hi,

    You have "/ip ipsec proposal add name=VPN_Group", but your "/ip ipsec policy" indicates "proposal=VPN_Cloud". These need to be the same name.

    Otherwise, good doc.

    Replies
    1. Hi too,

      OK, many thanks for your correction :)
  2. Bro,
    in the firewall settings the action is = accept, right?

    Replies
    1. Hi bro,

      Wow, thanks for the correction, it turns out the action got cut off.
      The complete firewall and NAT rules are as follows:

      /ip firewall filter
      add chain=forward dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept
      add chain=forward dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept


      /ip firewall nat

      add chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept
      add chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept

    2. There's no masquerade, bro?
      This definitely works, right? :D

    3. "Masquerade", or srcnat in general, is usually there so that users can reach the internet; the /ip firewall nat rules I shared above are made as an exception, so that traffic to those dst-addresses is not translated to the public IP.

      Guaranteed to work; if it doesn't, just message me directly :p