Configuring VPN IPsec vShield Edge to Mikrotik
Unlike other common router platforms, configuring an IPsec VPN tunnel between vShield Edge (vCloud Director) and a Mikrotik router is not easy, because the VPN parameters exposed on vShield Edge are very limited. So we have to adjust the IPsec parameters offered by the peering device (DH group, lifetime, PFS group, etc.) on Mikrotik, Cisco ASA, Checkpoint, pfSense, Vyatta and other router platforms to what vShield Edge expects.
For this LAB, I will set up a VPN connection between vShield Edge on vCloud Director and Mikrotik RouterOS based on the topology below:
Based on several sources on the internet about vShield Edge VPN compatibility, there is a fixed set of parameters that act as a template configuration and have to be applied on the peer device (Mikrotik):
Configuration on vShield Edge
First, I have to set up the VPN configuration on vShield Edge (cloud site) with the values below:
- Name : VPN to Office (name of the VPN profile), then tick the Enable checkbox
- Description : a description of the VPN profile
- Tunnel to : a Remote Network
- Peer IP Address : 202.179.188.32 (public/WAN IP of the Mikrotik)
- Peer Gateway : 172.16.0.1 (IP address on the Mikrotik LAN interface, acting as the gateway)
- Peer Subnet Mask : 255.255.255.0 (subnet mask of the Mikrotik LAN/internal network)
- Encryption Protocol : 3DES
- Shared Secret : 123KarenaAllahlahKitaKuatDanKitaMampu (at least 32 characters, and must be the same on both sites)
- Show key : optional, to confirm that the typed shared key is correct
- MTU : 1500 (default value)
Configuration on Mikrotik Router
We have to configure the IPsec VPN on the Mikrotik router with parameters matched to vShield Edge. I have found the working parameters for Mikrotik and have tested them, with a successful result and a stable connection.
All of the commands below follow the topology above, so you can paste them into the Mikrotik console and change the highlighted parameters to match your network details.
# phase 2 proposal, matched to what vShield Edge offers (3DES/SHA1, no PFS)
/ip ipsec proposal add name=VPN_Cloud auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none
# policy: Mikrotik LAN (172.16.10.0/24) <-> cloud LAN (192.168.0.0/24), tunnel mode, SA between the two public IPs
/ip ipsec policy add dst-address=192.168.0.0/24 proposal=VPN_Cloud sa-dst-address=103.7.0.3 sa-src-address=202.179.188.32 src-address=172.16.10.0/24 tunnel=yes protocol=255 action=encrypt level=require ipsec-protocols=esp priority=0
# phase 1 peer: the vShield Edge public IP, main mode, DH group 2 (modp1024), same shared secret as the Edge profile
/ip ipsec peer add address=103.7.0.3/32 port=500 enc-algorithm=3des lifetime=8h nat-traversal=yes secret=123KarenaAllahlahKitaKuatDanKitaMampu passive=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 dh-group=modp1024 generate-policy=no dpd-interval=120 dpd-maximum-failures=5
# allow forwarding between the two LANs in both directions
/ip firewall filter
add chain=forward dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept
add chain=forward dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept
# NAT exceptions: LAN-to-LAN traffic must not be translated to the public IP, so these accept rules must sit above any masquerade rule
/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept
add chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept
=================================================
Type /ip ipsec export in the Mikrotik console, then check and verify that all parameters have been entered correctly.
Now test from both sides: ping from a LAN user on the cloud (vShield Edge) site to a LAN user on the Mikrotik site, and then the other way round. Why? Because typically the IPsec tunnel comes up shortly after it is triggered by traffic flowing between the sites (in this case, triggered by the ping).
I have run these steps in my LAB, and the tunnel between vShield Edge and Mikrotik was successfully established.
Try my steps and let me know if you run into a problem.
Please give your input, comments, or anything that would help me improve :)
Regards,
Donny Achmadi
(at Night on 29 September 2014)
Hi,
You have "/ip ipsec proposal add name=VPN_Group", but your "/ip ipsec policy" indicates "proposal=VPN_Cloud". These need to be the same name.
Otherwise, good doc.
Hi too,
Ok, many thanks for your correction :)
Bro,
In the firewall settings the action is accept, right?
Hi bro,
Wow, thanks for the correction; it turns out the action got cut off.
The complete firewall and NAT rules are as follows:
/ip firewall filter
add chain=forward dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept
add chain=forward dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept
/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.10.0/24 action=accept
add chain=srcnat dst-address=172.16.10.0/24 src-address=192.168.0.0/24 action=accept
There's no masquerade, bro?
This will definitely work, right? :D
"Masquerade", or srcnat in general, is usually there so that users can reach the internet; the /ip firewall nat rules I shared above are made as an exception, so that traffic to that dst-address is not translated to the public IP.
Guaranteed to work; if it doesn't, just message me privately :p