Good day to all!
As it happens, over the past two years our company has been gradually moving to MikroTik hardware. The core nodes run on CCR1072 devices, while local client connection points use simpler models. Naturally, we also offer site-to-site integration over IPsec tunnels; that setup is simple and straightforward thanks to the abundance of material available online. Mobile client connections are a different story: the manufacturer's wiki explains how to use the Shrew Soft VPN client (that setup seems self-explanatory), and that is the client used by 99% of remote-access users. The remaining 1% is me. I simply could not be bothered to type a login and password every time; I wanted a lazier, more comfortable couch-potato experience with convenient connections to the work networks. I could not find any instructions for configuring a MikroTik that sits not merely behind a private address but behind a completely blacklisted one, possibly with several NATs on the path. So I had to improvise, and I suggest you take a look at the result.
What we have:
- CCR1072 as the main device, RouterOS 6.44.1
- cAP ac as the home connection point, RouterOS 6.44.1
The key point of this setup is that the PC and the MikroTik must sit in the same network with the same addressing, which is handed out by the main 1072.
Let's move on to the settings:
1. Fasttrack is enabled, of course, but since fasttrack is not compatible with VPN, IPsec traffic has to be kept out of it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Allow traffic between the home and work networks in both directions
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the identity that describes the user connection
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret="<shared key>" xauth-login=username xauth-password=password
4. Create an IPsec proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create an IPsec policy
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create an IPsec profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create an IPsec peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
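As an added consistency check, not part of the original article: a small Python script that re-joins the wrapped RouterOS export lines from steps 2 and 5, then verifies that every IPsec policy's subnet pair has an enabled raw accept rule in both directions and lists enabled raw accepts that no policy covers (the 10.7.98.0/24 pair in this configuration). The rule text is a constructed copy of this page's own lines, with the `<white IP 1072>` placeholder kept as-is.

```python
import re
from ipaddress import ip_network
# Constructed copies of the page's /ip firewall raw and /ip ipsec policy rules.
# Some lines are wrapped exactly as the article (and a RouterOS export) wraps them.
RAW = """\
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24
src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24
src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
"""
POLICY = """\
add dst-address=10.7.76.0/24 level=unique proposal="prop1"
sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1"
sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
192.168.33.0/24 tunnel=yes
"""
KV = re.compile(r'(\S+?)=("[^"]*"|<[^>]*>|\S+)')

def parse(block):
    """Re-join wrapped export lines into commands, then split each into a key=value dict."""
    cmds = []
    for line in block.splitlines():
        if line.startswith("add "):
            cmds.append(line[4:])
        elif line and cmds:  # continuation: glue onto the previous command
            cmds[-1] += ("" if cmds[-1].endswith("=") else " ") + line
    return [{k: v.strip('"') for k, v in KV.findall(c)} for c in cmds]

def check(raw_block, policy_block):
    """'missing': policy subnet pairs lacking an enabled raw accept in some direction;
    'unpoliced': enabled raw accepts that no IPsec policy covers."""
    accepted = {(ip_network(r["src-address"]), ip_network(r["dst-address"]))
                for r in parse(raw_block)
                if r.get("action") == "accept" and r.get("disabled") != "yes"}
    wanted = set()
    for p in parse(policy_block):
        src, dst = ip_network(p["src-address"]), ip_network(p["dst-address"])
        wanted |= {(src, dst), (dst, src)}
    def fmt(pairs):
        return sorted(f"{a} -> {b}" for a, b in pairs)
    return {"missing": fmt(wanted - accepted), "unpoliced": fmt(accepted - wanted)}
```

Disabled rules are ignored on purpose, so enabling a policy for a pair whose raw rules are still disabled shows up under "missing".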
Now for a bit of simple magic. Since I did not want to change the settings on every device in my home network, I had to somehow run DHCP on the same network. Reasonably enough, MikroTik does not let you attach more than one address pool to a single bridge, so I found a workaround: for the laptop alone, I created a DHCP lease with manual parameters, and since netmask, gateway and DNS each have their own DHCP option numbers, I specified them explicitly.
1. DHCP options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
The 1072 side is configured almost entirely by default; the only change is that, when an IP address is issued to this client, the settings specify that the manually entered address is handed out rather than one from the pool. Regular PC clients get the same subnet as in the wiki configuration, 192.168.55.0/24.
This setup means no third-party software is needed to connect from the PC, and the router brings up the tunnel itself as needed. CPU load on the cAP ac client is almost negligible, 8-11% at 9-10 MB/s through the tunnel.
All settings were made through Winbox, although the same can be done just as well from the console.
Source: habr.com
