MikroTik Router OS V3.0 User Manual
1. Setting up the PPTP tunnel

Our_GW will be the PPTP server:

[admin@Our_GW] interface pptp-server> /ppp secret add name=joe service=pptp \
... password=top_s3 local-address=10.0.0.1 remote-address=10.0.0.2
[admin@Our_GW] interface pptp-server> add name=from_remote user=joe
[admin@Our_GW] interface pptp-server> server set enable=yes
[admin@Our_GW] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME          USER   MTU   CLIENT-AD...   UPTIME   ENCODING
 0    from_remote   joe
[admin@Our_GW] interface pptp-server>

The Remote router will be the PPTP client:

[admin@Remote] interface pptp-client> add name=pptp user=joe \
... connect-to=192.168.1.1 password=top_s3 mtu=1500 mru=1500
[admin@Remote] interface pptp-client> enable pptp
[admin@Remote] interface pptp-client> print
Flags: X - disabled, R - running
 0  R name=pptp mtu=1500 mru=1500 connect-to=192.168.1.1 user=joe
      password=top_s3 profile=default add-default-route=no
[admin@Remote] interface pptp-client> monitor pptp
status: connected
uptime: 39m46s
encoding: none
[admin@Remote] interface pptp-client>

Note that encoding: none in the monitor output means the PPTP link is running without MPPE encryption, and EoIP adds no encryption of its own, so the bridged LAN traffic crosses the path to 192.168.1.1 in the clear. If confidentiality is required, protect the path with IPsec (see the IP Security chapter below).

Page 180 of 480. Copyright 1999-2007, MikroTik. All rights reserved. MikroTik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
2. Setting up the EoIP tunnel

On Our_GW:

[admin@Our_GW] interface eoip> add name=eoip-remote tunnel-id=0 \
... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
 0    name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>

On Remote:

[admin@Remote] interface eoip> add name=eoip-main tunnel-id=0 \
... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
 0    name=eoip-main mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0
[admin@Remote] interface eoip>

The remote-address on each side is the PPTP address of the other router, and the tunnel-id must be the same on both ends.

3. Bridging

On Our_GW, create a bridge and add both the EoIP tunnel and the office Ethernet interface to it:

[admin@Our_GW] interface bridge> add
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
 0  R name=bridge1 mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
      protocol-mode=none priority=0x8000 auto-mac=yes
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
      transmit-hold-count=6 ageing-time=5m
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE     BRIDGE    PRIORITY   PATH-COST
 0    eoip-remote   bridge1   128        10
 1    office-eth    bridge1   128        10
[admin@Our_GW] interface bridge>

The same on Remote:

[admin@Remote] interface bridge> add
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
 0  R name=bridge1 mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
      protocol-mode=none priority=0x8000 auto-mac=yes
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
      transmit-hold-count=6 ageing-time=5m
[admin@Remote] interface bridge> port add bridge=bridge1 interface=ether
[admin@Remote] interface bridge> port add bridge=bridge1 interface=eoip-main
[admin@Remote] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE     BRIDGE    PRIORITY   PATH-COST
 0    ether         bridge1   128        10
 1    eoip-main     bridge1   128        10
[admin@Remote] interface bridge>

4. Troubleshooting

If the bridge does not pass traffic, first check that the PPTP tunnel is up (monitor pptp on Remote shows status: connected) and that the EoIP interfaces on both routers show the R (running) flag; the EoIP tunnel can only work once its remote-address is reachable through the PPTP tunnel.
IP Security

Document revision 3.6 (October 10, 2007, 12:17 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents

Table of Contents
Specifications
Description
Policy Settings
  Description
  Property Description
  Notes
  Example
Peers
  Description
  Property Description
  Notes
  Example
Remote Peer Statistics
  Description
  Property Description
  Example
Installed SAs
  Description
  Property Description
  Example
Flushing Installed SA Table
  Description
  Property Description
  Example
MikroTik Router to MikroTik Router
IPsec Between two Masquerading MikroTik Routers
MikroTik router to CISCO Router
MikroTik Router and Linux FreeS/WAN

General Information

Specifications

Packages required: security
License required: level1
Home menu level: /ip ipsec
Standards and Technologies: IPsec
Hardware usage: consumes a lot of CPU time (Intel Pentium MMX or AMD K6 suggested as a minimal configuration)
Description

Encryption

Before an outgoing packet is sent, the IPsec policy database is consulted to find out whether it should be encrypted. Each policy rule has two parts:

• Packet matching - packet source/destination, protocol and ports (for TCP and UDP) are compared to values in policy rules, one after another
• Action - if a rule matches, the action specified in the rule is performed:
  • none - continue with the packet as if there was no IPsec
  • discard - drop the packet
  • encrypt - apply IPsec transformations to the packet

A packet can only be encrypted if there is a usable Security Association (SA) for the matching policy rule. The policy's security level determines what happens when there is none:

• use - if there is no valid SA, send the packet unencrypted (like an accept rule)
• require - drop the packet, and ask the IKE daemon to establish a new SA
• unique - same as require, but establish a unique SA for this policy (i.e., this SA may not be shared with other policies)

Note that level=use silently downgrades matching traffic to cleartext whenever no SA is installed; use require (or unique) for any policy whose traffic must not leak.

Decryption

An incoming ESP or AH packet is matched to an installed SA by its source, destination, security protocol and SPI. If no SA is found the packet is dropped; otherwise it is decrypted (or its authentication is verified) and the result is checked against the policy the SA belongs to before it is delivered locally or forwarded.

Internet Key Exchange

The Internet Key Exchange (IKE) protocol provides authenticated keying material for the ISAKMP framework: it authenticates the peers and automatically creates and maintains security associations (SAs), so that keys do not have to be configured by hand.
The IKE daemon becomes active in two situations: when a policy rule needs to encrypt or authenticate traffic but has no SA, so the policy asks IKE to initiate a connection to the remote peer, or when a remote peer initiates a connection to it. In both cases the peers establish a connection and execute two phases:

• Phase 1 - The peers agree upon the algorithms they will use in the following IKE messages and authenticate. The keying material used to derive keys for all SAs and to protect the following ISAKMP exchanges between the hosts is generated as well.
• Phase 2 - The peers establish one or more SAs that will be used by IPsec to encrypt data. All SAs established by the IKE daemon have lifetime values (either limiting the time after which the SA becomes invalid, or the amount of data that can be encrypted by this SA, or both).

Generation of keying material (the Diffie-Hellman exchange) is computationally expensive. It normally happens once per phase 1, which is then kept for a long time. Perfect Forward Secrecy (PFS) repeats it for every phase 2, so that compromising the phase 1 keys does not expose the data protected by the SAs derived from it, at the price of that extra computation on every phase 2.

Diffie-Hellman Groups

Diffie-Hellman (DH) key exchange lets two parties with no initial shared secret create one securely. The following Modular Exponential (MODP) and Elliptic Curve (EC2N) groups are supported:

Diffie-Hellman Group   Name                        Reference
Group 1                768 bit MODP group          RFC2409
Group 2                1024 bit MODP group         RFC2409
Group 3                EC2N group on GP(2^155)     RFC2409
Group 4                EC2N group on GP(2^185)     RFC2409
Group 5                1536 bit MODP group         RFC3526

The 768-bit and 1024-bit MODP groups and the small EC2N groups are considered too weak by current standards; modp1536 is the strongest group offered here and should be preferred.

IKE Traffic

IKE itself runs over UDP port 500 (UDP port 4500 when NAT traversal is in use). IKE packets are exempt from the policy database; otherwise a policy requiring encryption could block the very exchange that is trying to establish its SA.
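The policy database walk described under Encryption above (rules checked in priority order, the action of the first match, and the level fallback when no SA is installed), as an added Python example that is not part of the manual or of RouterOS. The Packet and Policy data structures, the sample policies and the decision strings are this example's own constructions.

```python
"""Outbound IPsec policy lookup, simulated.

Added example (not RouterOS code): models the policy database walk --
rules are checked one after another in priority order, the first match
decides the action, and for action=encrypt the policy's 'level' decides
what happens when no usable SA is installed yet.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None  # ports are only meaningful for tcp/udp
    dport: Optional[int] = None


@dataclass
class Policy:
    """One policy rule (field names mirror /ip ipsec policy; values are illustrative)."""
    src_address: str = "0.0.0.0/0"
    dst_address: str = "0.0.0.0/0"
    protocol: str = "all"
    dst_port: Optional[int] = None   # None means "any"
    action: str = "encrypt"          # none | discard | encrypt
    level: str = "require"           # use | require | unique
    priority: int = 0                # larger number wins
    sa: Optional[str] = None         # name of an installed SA, None if none yet
    ike_requests: list = field(default_factory=list)  # SAs this policy asked IKE for


def matches(pol: Policy, pkt: Packet) -> bool:
    """Packet matching: src/dst prefix, protocol and (for tcp/udp) destination port."""
    if ip_address(pkt.src) not in ip_network(pol.src_address, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(pol.dst_address, strict=False):
        return False
    if pol.protocol != "all" and pol.protocol != pkt.proto:
        return False
    if pol.dst_port is not None:
        # a port match can only succeed for tcp/udp packets
        if pkt.proto not in ("tcp", "udp") or pkt.dport != pol.dst_port:
            return False
    return True


def spd_lookup(spd: list, pkt: Packet) -> str:
    """Decide the fate of an outbound packet.

    Returns "plain" (send unencrypted), "drop", or "encrypt:<sa>".
    Side effect: a policy that needs an SA records an IKE request
    ("shared" for level=require, "unique" for level=unique).
    """
    for pol in sorted(spd, key=lambda p: p.priority, reverse=True):
        if not matches(pol, pkt):
            continue                         # try the next rule
        if pol.action == "none":
            return "plain"                   # as if there were no IPsec
        if pol.action == "discard":
            return "drop"
        # action == encrypt: the packet can only be encrypted over a usable SA
        if pol.sa is not None:
            return f"encrypt:{pol.sa}"
        if pol.level == "use":
            return "plain"                   # no SA: fall back to cleartext
        pol.ike_requests.append("unique" if pol.level == "unique" else "shared")
        return "drop"                        # require/unique: drop and acquire an SA
    return "plain"                           # no rule matched


def demo() -> dict:
    """Constructed sample policies and packets; returns the decisions for inspection."""
    site = Policy("10.0.0.147/32", "10.0.0.148/32", action="encrypt",
                  level="require", priority=10, sa="esp-spi-0x1001")
    lan = Policy("10.0.0.0/24", "192.168.0.0/24", action="encrypt", level="require")
    opportunistic = Policy("10.0.0.0/24", "172.16.0.0/16", action="encrypt", level="use")
    block_telnet = Policy(protocol="tcp", dst_port=23, action="discard", priority=100)
    spd = [site, lan, opportunistic, block_telnet]

    results = {
        "peer": spd_lookup(spd, Packet("10.0.0.147", "10.0.0.148", "icmp")),
        "lan_no_sa": spd_lookup(spd, Packet("10.0.0.5", "192.168.0.9", "udp", 4000, 53)),
        "use_no_sa": spd_lookup(spd, Packet("10.0.0.5", "172.16.3.3", "tcp", 4000, 80)),
        "telnet": spd_lookup(spd, Packet("10.0.0.147", "10.0.0.148", "tcp", 4000, 23)),
        "unmatched": spd_lookup(spd, Packet("10.0.0.5", "8.8.8.8", "udp", 4000, 53)),
    }
    results["lan_ike_requests"] = list(lan.ike_requests)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

Running it shows that a higher-priority discard rule beats a lower-priority encrypt rule for the same hosts, that level=use sends cleartext when no SA is installed, and that require and unique drop the packet and leave an SA request behind for the IKE daemon to act on.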
traffic. AH is applied after ESP, and in case of tunnel mode ESP will be applied in tunnel mode and AH in transport mode
level (unique | require | use; default: require) - specifies what to do if some of the SAs for this policy cannot be found:
• use - skip this transform, do not drop the packet and do not acquire an SA from the IKE daemon
• require - drop the packet and acquire an SA
• unique - drop the packet and acquire a unique SA that is only used with this particular policy
manual-sa (name; default: none) - name of the manual-sa template that will be used to create SAs for this policy
• none - no manual keys are set
out-accepted (integer) - how many outgoing packets were passed through by the policy without an attempt to encrypt
out-dropped (integer) - how many outgoing packets were dropped by the policy without an attempt to encrypt
out-transformed (integer) - how many outgoing packets were encrypted (ESP) and/or signed (AH)
ph2-state (read-only: expired | no-phase2 | established) - indication of the progress of key establishment
• expired - there are some leftovers from a previous phase 2. In general it is similar to no-phase2
• no-phase2 - no keys are established at the moment
• established - appropriate SAs are in place and everything should be working fine
priority (integer; default: 0) - policy ordering classificator (signed integer). A larger number means higher priority
proposal (name; default: default) - name of the proposal information that will be sent by the IKE daemon to establish SAs for this policy
protocol (name | integer; default: all) - IP packet protocol to match
sa-dst-address (IP address; default: 0.0.0.0) - SA destination IP address (remote peer)
sa-src-address (IP address; default: 0.0.0.0) - SA source IP address (local peer)
src-address (IP address/netmask:port; default: 0.0.0.0/32:any) - source IP address
tunnel (yes | no; default: no) - specifies whether to use tunnel mode

Notes

In transport mode (tunnel=no) a policy can only protect packets whose source and destination are the IPsec peers themselves, i.e. the sa-src-address and sa-dst-address of the policy. To protect traffic between networks (or between a network and a host) use tunnel mode: the whole original packet is then encapsulated, and the new outer IP header carries sa-src-address and sa-dst-address.
Example

To add a policy that encrypts all traffic between the hosts 10.0.0.147 and 10.0.0.148 (transport mode):

[admin@MikroTik] ip ipsec policy> add sa-src-address=10.0.0.147 \
... sa-dst-address=10.0.0.148 action=encrypt
[admin@MikroTik] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all
     action=encrypt level=require ipsec-protocols=esp tunnel=no
     sa-src-address=10.0.0.147 sa-dst-address=10.0.0.148 proposal=default
     manual-sa=none priority=0
[admin@MikroTik] ip ipsec policy>

To view the policy statistics:

[admin@MikroTik] ip ipsec policy> print stats
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any
     protocol=all ph2-state=no-phase2 in-accepted=0 in-dropped=0
     out-accepted=0 out-dropped=0 encrypted=0 not-encrypted=0 decrypted=0
     not-decrypted=0
[admin@MikroTik] ip ipsec policy>

ph2-state=no-phase2 here means that no SA has been established yet; with level=require such a policy drops matching packets until a peer entry allows IKE to negotiate one.

Peers

Home menu level: /ip ipsec peer

Description

Peer entries define how the phase 1 connection with a remote IKE daemon is established (addresses, authentication and phase 1 algorithms). That connection is then used to negotiate the keys and algorithms for SAs.

Property Description

address (IP address/netmask:port; default: 0.0.0.0/32:500) - address prefix. If the remote peer's address matches this prefix, then this peer configuration is used while authenticating and establishing phase 1. If several peer addresses match several configuration entries, the most specific one (i.e. the one with the largest netmask) will be used
auth-method (pre-shared-key | rsa-signature; default: pre-shared-key) - authentication method
• pre-shared-key - authenticate by a password (secret) string shared between the peers
• rsa-signature - authenticate using a pair of RSA certificates
certificate (name) - name of a certificate on the local side (signing packets; the certificate must have a private key). Only needed if the RSA signature authentication method is used
dh-group (multiple choice: ec2n155 | ec2n185 | modp768 | modp1024 | modp1536; default: modp1024) - Diffie-Hellman group (cipher strength)
enc-algorithm (multiple choice: des | 3des | aes-128 | aes-192 | aes-256; default: 3des) - encryption algorithm. Algorithms are named in order of increasing strength; des and 3des are obsolete and should not be used for new deployments
exchange-mode (multiple choice: main | aggressive | base; default: main) - different ISAKMP phase 1 exchange modes according to RFC 2408. Do not use modes other than main unless you know what you are doing: in aggressive mode the identities and the pre-shared-key authentication hash are exchanged before the channel is encrypted, so a passive observer can run an offline dictionary attack against the secret
generate-policy (yes | no; default: no) - allow this peer to establish SAs for non-existing policies. Such policies are created dynamically for the lifetime of the SA. This way it is possible, for example, to create IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. Combined with a wide address prefix this lets any peer that can authenticate install policies for whatever traffic it proposes, so keep the address prefix as narrow as the setup allows
hash-algorithm (multiple choice: md5 | sha1; default: md5) - hashing algorithm. SHA (Secure Hash Algorithm) is stronger, but slower
lifebytes (integer; default: 0) - phase 1 lifetime: specifies how many bytes can be transferred before the SA is discarded
• 0 - SA expiration will not be due to byte count excess
lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; the SA will be discarded after this time
nat-traversal (yes | no; default: no) - use the Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers in between IPsec peers. This can only be used with the ESP protocol (AH is not supported by design, as it signs the complete packet, including the IP header, which is changed by NAT, rendering the AH signature invalid). The method encapsulates IPsec ESP traffic into UDP streams in order to overcome some minor issues that made ESP incompatible with NAT
proposal-check (multiple choice: claim | exact | obey | strict; default: strict) - phase 2 lifetime check logic:
• claim - take the shorter of the proposed and configured lifetimes and notify the initiator about it
• exact - require the lifetimes to be the same
• obey - accept whatever is sent by the initiator
• strict - if the proposed lifetime is longer than the default then reject the proposal, otherwise accept the proposed lifetime
remote-certificate (name) - name of a certificate for authenticating the remote side (validating packets; no private key required). Only needed if the RSA signature authentication method is used
secret (text; default: "") - secret string (in case pre-shared key authentication is used). If it starts with 0x, it is parsed as a hexadecimal value
send-initial-contact (yes | no; default: yes) - specifies whether to send initial IKE information or wait for the remote side

Notes

AES (Advanced Encryption Standard) is both stronger and, on most CPUs, faster than DES and 3DES, so prefer aes-128 or higher together with sha1 over the des/3des and md5 defaults. A pre-shared secret is only as strong as its entropy: use a long random string rather than a word or phrase, particularly if aggressive mode cannot be avoided.
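The four proposal-check modes above and the time/byte lifetime limits described under Phase 2, as an added Python example that is not from the manual or from RouterOS. The negotiate_lifetime function, the SA class and the 80% soft-rekey threshold in needs_rekey are this example's own choices.

```python
"""Phase 2 lifetime handling, simulated.

Added example (not RouterOS code): the responder's proposal-check decision
for a proposed phase 2 lifetime, and SA expiry by time and/or byte count
(lifebytes=0 meaning "no byte limit"). Function names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


def negotiate_lifetime(mode: str, configured: int, proposed: int) -> Optional[int]:
    """Return the lifetime the new SA gets, or None if the proposal is rejected.

    claim  - use the shorter of the two and tell the initiator which one applies
    exact  - both sides must have configured the same value
    obey   - accept whatever the initiator sent
    strict - reject a proposal longer than our own value, otherwise accept it
    """
    if mode == "claim":
        return min(configured, proposed)
    if mode == "exact":
        return proposed if proposed == configured else None
    if mode == "obey":
        return proposed
    if mode == "strict":
        return proposed if proposed <= configured else None
    raise ValueError(f"unknown proposal-check mode: {mode}")


@dataclass
class SA:
    lifetime: int               # seconds; the SA is discarded after this
    lifebytes: int = 0          # bytes; 0 means no expiry by byte count
    established_at: float = 0.0
    transferred: int = 0        # bytes protected so far

    def expired(self, now: float) -> bool:
        """Hard limit: the time limit, or a configured byte limit, discards the SA."""
        if now - self.established_at >= self.lifetime:
            return True
        return self.lifebytes > 0 and self.transferred >= self.lifebytes

    def needs_rekey(self, now: float, soft_fraction: float = 0.8) -> bool:
        """Soft threshold (this example's 80% choice): start a new phase 2
        before the hard limit is reached so traffic never has to wait."""
        time_used = (now - self.established_at) / self.lifetime
        byte_used = self.transferred / self.lifebytes if self.lifebytes else 0.0
        return max(time_used, byte_used) >= soft_fraction


def demo() -> dict:
    """Constructed scenario: our phase 2 lifetime is 30 min, the peer proposes 10/30/60 min."""
    configured = 30 * 60
    proposals = {"shorter": 10 * 60, "equal": 30 * 60, "longer": 60 * 60}
    out = {
        mode: {name: negotiate_lifetime(mode, configured, p) for name, p in proposals.items()}
        for mode in ("claim", "exact", "obey", "strict")
    }
    sa = SA(lifetime=1800, lifebytes=100_000_000, established_at=1000.0)
    sa.transferred = 85_000_000
    out["rekey_by_bytes"] = sa.needs_rekey(now=1100.0)       # 85% of lifebytes used
    out["expired_by_bytes"] = sa.expired(now=1100.0)         # not yet at the hard limit
    sa.transferred = 100_000_000
    out["expired_by_bytes_now"] = sa.expired(now=1100.0)
    unlimited = SA(lifetime=1800, lifebytes=0, established_at=1000.0)
    unlimited.transferred = 10 ** 12
    out["no_byte_limit"] = unlimited.expired(now=1100.0)     # lifebytes=0: bytes never expire it
    out["expired_by_time"] = unlimited.expired(now=2800.0)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The table it produces makes the operational difference visible: obey lets the initiator dictate arbitrarily long SA lifetimes, strict rejects anything longer than the local value outright (which surfaces as a failed phase 2 rather than a silently weaker SA), and claim is the interoperable middle ground because it accepts the shorter value and tells the other side which one is in force.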