
@KostyaEsmukov
Last active June 15, 2019 11:41

Lab: Mikrotiks + StrongSwan site-to-site IPsec

  • Goal: create a playground for experimenting with different IPsec settings between 3 sites: 2 Mikrotiks and 1 StrongSwan node.

  • Requirements:

    • GNS3
    • VirtualBox (VMware or nested kvm would be even better)

Prerequisites

We need to install some appliances in GNS3:

[1]: The Ubuntu Cloud appliance is already included in the GNS3 package. However, it requires that the GNS3 VM supports KVM, which is not the case when the GNS3 VM runs inside VirtualBox on Intel (VirtualBox doesn't currently support nested virtualization there). So if the lab is to be run in VirtualBox on an Intel processor, download the original Ubuntu Cloud appliance file and change "kvm" from "require" to "allow".

Setup

Network map

GNS3 network map

All routers are MikroTik CHR 6.44.2, workstations are Ubuntu Cloud Guest 18.04.

I also altered some VM configs:

  • GNS3 preferences -> GNS3 VM -> vCPUs: 3, RAM: 4096 MB.
  • Ubuntu Cloud nodes configuration -> RAM: 512 MB.

internet config

/ip pool
add name=dhcp1 ranges=192.168.121.10-192.168.121.11
add name=dhcp2 ranges=192.168.122.10-192.168.122.11
add name=dhcp3 ranges=192.168.123.10-192.168.123.11
/ip dhcp-server
add address-pool=dhcp1 authoritative=after-2sec-delay disabled=no interface=ether2
add address-pool=dhcp2 authoritative=after-2sec-delay disabled=no interface=ether3
add address-pool=dhcp3 authoritative=after-2sec-delay disabled=no interface=ether4
/ip address
add address=192.168.121.1/24 interface=ether2 network=192.168.121.0
add address=192.168.122.1/24 interface=ether3 network=192.168.122.0
add address=192.168.123.1/24 interface=ether4 network=192.168.123.0
/ip dhcp-server network
add address=192.168.121.0/24 gateway=192.168.121.1 dns-server=192.168.121.1 netmask=24
add address=192.168.122.0/24 gateway=192.168.122.1 dns-server=192.168.122.1 netmask=24
add address=192.168.123.0/24 gateway=192.168.123.1 dns-server=192.168.123.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall filter
add action=drop dst-address=10.10.0.0/16 chain=forward
add action=drop src-address=10.10.0.0/16 chain=forward

node1 config

/interface bridge
add name=bridge
add name=bridgeipsec
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridgeipsec interface=ether3
/ip pool
add name=dhcplan ranges=192.168.22.10-192.168.22.254
add name=dhcpipsec ranges=10.10.1.10-10.10.1.254
/ip dhcp-server option
add code=249 name=ipsec-ms-static-route value=0x100a0a0a0a0101
add code=121 name=ipsec-rfc3442-static-routes value=0x100a0a0a0a0101
/ip dhcp-server
add address-pool=dhcplan authoritative=after-2sec-delay disabled=no interface=bridge
add address-pool=dhcpipsec authoritative=after-2sec-delay disabled=no interface=bridgeipsec
/ip address
add address=192.168.22.1/24 interface=bridge network=192.168.22.0
add address=10.10.1.1/24 interface=bridgeipsec network=10.10.1.0
/ip dhcp-server network
add address=10.10.1.0/24 dhcp-option=ipsec-ms-static-route,ipsec-rfc3442-static-routes dns-none=yes gateway=10.10.1.1 netmask=24
add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip ipsec policy group
add name=groupnode2
add name=groupnode3
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 lifetime=1h name=profileipsec
/ip ipsec peer
add address=192.168.122.11/32 exchange-mode=ike2 name=node2.ipsec profile=profileipsec
add address=192.168.123.11/32 exchange-mode=ike2 name=node3.ipsec profile=profileipsec
add exchange-mode=ike2 name=responder passive=yes profile=profileipsec send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposalipsec pfs-group=modp1024
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add place-before=0 action=accept chain=srcnat dst-address=10.10.0.0/16 src-address=10.10.1.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:node1.ipsec peer=node2.ipsec policy-template-group=groupnode2 remote-id=fqdn:node2.ipsec secret=VpftW2L4TEt6SmVf1sWSznSqzIKJCF7l
add generate-policy=port-strict my-id=fqdn:node1.ipsec peer=node3.ipsec policy-template-group=groupnode3 remote-id=fqdn:node3.ipsec secret=5dHFVvfZCvZpMMBJJNkcIvQU90P0lx2s
/ip ipsec policy
add dst-address=10.10.2.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.122.11 sa-src-address=0.0.0.0 src-address=10.10.1.0/24 tunnel=yes
add dst-address=10.10.3.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.123.11 sa-src-address=0.0.0.0 src-address=10.10.1.0/24 tunnel=yes
add dst-address=10.10.2.0/24 group=groupnode2 proposal=proposalipsec src-address=10.10.1.0/24 template=yes
add dst-address=10.10.3.0/24 group=groupnode3 proposal=proposalipsec src-address=10.10.1.0/24 template=yes
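The two `/ip dhcp-server option` entries in this config carry the same RFC 3442 classless-static-route payload under both option codes (121 is the standard code, 249 is the Microsoft pre-standard one), telling w1 to reach all of 10.10.0.0/16 via 10.10.1.1. The following is an added example, not part of this gist, of encoding and decoding that payload in Python so the hex values can be generated and checked rather than hand-assembled. It also covers the general multi-route case, including a 0.0.0.0/0 entry: RFC 3442 says a client that understands option 121 must ignore the Router option when 121 is present, so a default route wanted on that interface has to be encoded in the option itself. Function names are my own.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # ("destination/prefixlen", "gateway")


def encode_rfc3442(routes: List[Route]) -> str:
    """Encode classless static routes as the 0x... hex string RouterOS expects.

    Per RFC 3442 each route is: 1 byte prefix length, then only the
    significant octets of the destination (ceil(prefixlen / 8) of them),
    then the 4-octet router address.
    """
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return "0x" + out.hex()


def decode_rfc3442(value: str) -> List[Route]:
    """Inverse of encode_rfc3442; rejects truncated or malformed payloads."""
    hexpart = value[2:] if value.lower().startswith("0x") else value
    data = bytes.fromhex(hexpart)
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefixlen = data[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i - 1}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        # Pad the significant octets back out to a full 4-byte address.
        dest = data[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gateway = data[i:i + 4]
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{prefixlen}",
                       str(ipaddress.IPv4Address(gateway))))
    return routes


def routeros_option_lines(routes: List[Route]) -> List[str]:
    """Emit the two '/ip dhcp-server option' lines used in the gist (codes 249 and 121)."""
    value = encode_rfc3442(routes)
    return [
        f"add code=249 name=ipsec-ms-static-route value={value}",
        f"add code=121 name=ipsec-rfc3442-static-routes value={value}",
    ]


if __name__ == "__main__":
    # Reproduce the values from the node1 and node2 configs, then decode one back.
    for node, gw in (("node1", "10.10.1.1"), ("node2", "10.10.2.1")):
        print(node, routeros_option_lines([("10.10.0.0/16", gw)]))
    print(decode_rfc3442("0x100a0a0a0a0201"))
```

Running the script reproduces `0x100a0a0a0a0101` for node1 and `0x100a0a0a0a0201` for node2, and decoding confirms what a client will actually install before the option is handed to real workstations.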

node2 config

/interface bridge
add name=bridge
add name=bridgeipsec
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridgeipsec interface=ether3
/ip pool
add name=dhcplan ranges=192.168.22.10-192.168.22.254
add name=dhcpipsec ranges=10.10.2.10-10.10.2.254
/ip dhcp-server option
add code=249 name=ipsec-ms-static-route value=0x100a0a0a0a0201
add code=121 name=ipsec-rfc3442-static-routes value=0x100a0a0a0a0201
/ip dhcp-server
add address-pool=dhcplan authoritative=after-2sec-delay disabled=no interface=bridge
add address-pool=dhcpipsec authoritative=after-2sec-delay disabled=no interface=bridgeipsec
/ip address
add address=192.168.22.1/24 interface=bridge network=192.168.22.0
add address=10.10.2.1/24 interface=bridgeipsec network=10.10.2.0
/ip dhcp-server network
add address=10.10.2.0/24 dhcp-option=ipsec-ms-static-route,ipsec-rfc3442-static-routes dns-none=yes gateway=10.10.2.1 netmask=24
add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip ipsec policy group
add name=groupnode1
add name=groupnode3
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 lifetime=1h name=profileipsec
/ip ipsec peer
add address=192.168.121.11/32 exchange-mode=ike2 name=node1.ipsec profile=profileipsec
add address=192.168.123.11/32 exchange-mode=ike2 name=node3.ipsec profile=profileipsec
add exchange-mode=ike2 name=responder passive=yes profile=profileipsec send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposalipsec pfs-group=modp1024
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add place-before=0 action=accept chain=srcnat dst-address=10.10.0.0/16 src-address=10.10.2.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:node2.ipsec peer=node1.ipsec policy-template-group=groupnode1 remote-id=fqdn:node1.ipsec secret=VpftW2L4TEt6SmVf1sWSznSqzIKJCF7l
add generate-policy=port-strict my-id=fqdn:node2.ipsec peer=node3.ipsec policy-template-group=groupnode3 remote-id=fqdn:node3.ipsec secret=Yl8ro4buZw689ud7r8uSIx595AIoQ9iS
/ip ipsec policy
add dst-address=10.10.1.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.121.11 sa-src-address=0.0.0.0 src-address=10.10.2.0/24 tunnel=yes
add dst-address=10.10.3.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.123.11 sa-src-address=0.0.0.0 src-address=10.10.2.0/24 tunnel=yes
add dst-address=10.10.1.0/24 group=groupnode1 proposal=proposalipsec src-address=10.10.2.0/24 template=yes
add dst-address=10.10.3.0/24 group=groupnode3 proposal=proposalipsec src-address=10.10.2.0/24 template=yes

node3 config

apt update
apt install -yq strongswan

sysctl -w net.ipv4.ip_forward=1

cat >/etc/ipsec.secrets <<EOF
node3.ipsec node1.ipsec : PSK "5dHFVvfZCvZpMMBJJNkcIvQU90P0lx2s"
node3.ipsec node2.ipsec : PSK "Yl8ro4buZw689ud7r8uSIx595AIoQ9iS"
EOF

cat > /etc/ipsec.conf <<EOF
conn %default
    authby=secret
    type=tunnel
    keyexchange=ikev2
    compress=no
    auto=start
    rekey=yes
    reauth=no
    dpdaction=clear
    closeaction=none
    left=%defaultroute
    leftsubnet=10.10.3.0/24
    leftid=node3.ipsec
    ike=aes128-sha1-modp1024
    esp=aes128-sha1

conn node1.ipsec
    right=192.168.121.11/32
    rightid=node1.ipsec
    rightsubnet=10.10.1.0/24

conn node2.ipsec
    right=192.168.122.11/32
    rightid=node2.ipsec
    rightsubnet=10.10.2.0/24
EOF

ip addr add 10.10.3.1/24 dev lo

systemctl restart strongswan
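The Mikrotik profile/proposal lines (`dh-group=modp1024`, `pfs-group=modp1024`) and the strongSwan `ike=aes128-sha1-modp1024` / `esp=aes128-sha1` lines above pin the lab to algorithms that current IETF guidance (RFC 8247 for IKEv2, RFC 8221 for ESP) rates SHOULD NOT (1024-bit MODP) or as legacy (HMAC-SHA1). Since the stated goal is to experiment with different settings, an added example, not part of this gist, of a small audit that parses both config dialects and reports such algorithms; the RFC verdicts in the table are the standards' own, the function names are mine, and RouterOS parameters left at their defaults (e.g. `hash-algorithm`) are not on the line and therefore not checked.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (where, algorithm token, why)

# Verdicts follow RFC 8247 (IKEv2 algorithms) and RFC 8221 (ESP algorithms).
# Keys are normalised (lower-case, dashes/underscores removed) so that
# RouterOS "aes-128-cbc" and strongSwan "aes128" are compared the same way.
WEAK = {
    "modp768":  "768-bit MODP (group 1): MUST NOT (RFC 8247)",
    "modp1024": "1024-bit MODP (group 2): SHOULD NOT (RFC 8247); use modp2048+ or ecp256+",
    "modp1536": "1536-bit MODP (group 5): SHOULD NOT (RFC 8247)",
    "md5":      "HMAC-MD5: SHOULD NOT (RFC 8247) / MUST NOT (RFC 8221)",
    "sha1":     "HMAC-SHA1: still MUST- in RFC 8247/8221 but being phased out; prefer sha256",
    "3des":     "3DES: SHOULD NOT (RFC 8221)",
    "des":      "single DES: MUST NOT",
    "null":     "NULL encryption: no confidentiality",
}

# RouterOS keys whose values name ciphers, hashes or DH groups.
ROUTEROS_ALGO_KEYS = {"dh-group", "enc-algorithm", "hash-algorithm",
                      "enc-algorithms", "auth-algorithms", "pfs-group"}


def _norm(token: str) -> str:
    n = token.lower().replace("-", "").replace("_", "")
    return n[3:] if n.startswith("prf") else n  # strongSwan PRF tokens: prfsha1 -> sha1


def _check(where: str, tokens: List[str]) -> List[Finding]:
    return [(where, tok, WEAK[_norm(tok)]) for tok in tokens if _norm(tok) in WEAK]


def audit_strongswan(where: str, proposal: str) -> List[Finding]:
    """Audit a strongSwan ike=/esp= proposal string such as 'aes128-sha1-modp1024'.

    Multiple proposals are comma-separated; a trailing '!' (strict mode) is ignored.
    """
    findings: List[Finding] = []
    for prop in proposal.rstrip("!").split(","):
        findings += _check(where, prop.split("-"))
    return findings


def audit_routeros(where: str, line: str) -> List[Finding]:
    """Audit one RouterOS '/ip ipsec profile' or '/ip ipsec proposal' 'add ...' line.

    Only explicitly set parameters are examined; parameters RouterOS fills
    with defaults are not visible on the line.
    """
    findings: List[Finding] = []
    for key, value in re.findall(r"(\S+?)=(\S+)", line):
        if key in ROUTEROS_ALGO_KEYS:
            findings += _check(f"{where} {key}", value.split(","))
    return findings


def audit_lab() -> List[Finding]:
    """Run the checks over the exact profile/proposal lines used in this lab."""
    return (
        audit_routeros("mikrotik profile",
                       "add dh-group=modp1024 enc-algorithm=aes-128 lifetime=1h name=profileipsec")
        + audit_routeros("mikrotik proposal",
                         "add enc-algorithms=aes-128-cbc name=proposalipsec pfs-group=modp1024")
        + audit_strongswan("strongswan ike", "aes128-sha1-modp1024")
        + audit_strongswan("strongswan esp", "aes128-sha1")
    )


if __name__ == "__main__":
    for where, token, why in audit_lab():
        print(f"{where}: {token}: {why}")
```

For the lab as written the audit reports five findings (modp1024 on both Mikrotik lines and in the strongSwan IKE proposal, sha1 in both strongSwan proposals); a proposal such as `aes256gcm16-prfsha384-ecp384` produces none. When changing the settings, the same group and hash must be changed on every peer, since IKEv2 negotiation fails if no proposal overlaps.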

w1/w2 config

sudo dhclient ens4

Experiment

Ensure that the tunnels work:

node3:

# ipsec status
Security Associations (2 up, 0 connecting):
 node1.ipsec[4]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.121.11[node1.ipsec]
 node1.ipsec{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c26ca07e_i 0a210cc3_o
 node1.ipsec{2}:   10.10.3.0/24 === 10.10.1.0/24
 node2.ipsec[3]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.122.11[node2.ipsec]
 node2.ipsec{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c51f6171_i 0b5994f6_o
 node2.ipsec{1}:   10.10.3.0/24 === 10.10.2.0/24
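The `ipsec status` output above is normally checked by eye; for a lab that deliberately breaks links it is useful to have the same check as code, so a script can poll the tunnels during the link-failure experiment. The following is an added example, not part of the gist: it parses strongSwan's `ipsec status` text (the node3 output above is embedded verbatim as the sample) into IKE_SA and CHILD_SA records and reports any expected tunnel that is not ESTABLISHED with an INSTALLED child carrying the expected traffic selectors. The regexes, function names and the second constructed sample (a CONNECTING SA) are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the node3 'ipsec status' output shown above, verbatim.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
 node1.ipsec[4]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.121.11[node1.ipsec]
 node1.ipsec{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c26ca07e_i 0a210cc3_o
 node1.ipsec{2}:   10.10.3.0/24 === 10.10.1.0/24
 node2.ipsec[3]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.122.11[node2.ipsec]
 node2.ipsec{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c51f6171_i 0b5994f6_o
 node2.ipsec{1}:   10.10.3.0/24 === 10.10.2.0/24
"""

# Constructed sample of a tunnel still negotiating (no CHILD_SA yet).
SAMPLE_CONNECTING = " node1.ipsec[5]: CONNECTING, 192.168.123.11[%any]...192.168.121.11[%any]\n"

# The tunnels this lab expects on node3: conn -> (local selector, remote selector).
EXPECTED_TUNNELS = {
    "node1.ipsec": ("10.10.3.0/24", "10.10.1.0/24"),
    "node2.ipsec": ("10.10.3.0/24", "10.10.2.0/24"),
}

# IKE_SA line:   conn[id]: STATE <age>, local[localid]...remote[remoteid]
IKE_RE = re.compile(r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]:\s+(?P<state>\w+)[^,]*,\s+"
                    r"(?P<local>[^\s\[]+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<remote>[^\s\[]+)\[(?P<rid>[^\]]+)\]")
# CHILD_SA line: conn{id}:  STATE, MODE, reqid N, ESP SPIs: xxx_i yyy_o
CHILD_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<state>\w+),\s+(?P<mode>\w+),\s+"
                      r"reqid\s+(?P<reqid>\d+),\s+ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
# Traffic selector line: conn{id}:   local/prefix === remote/prefix
TS_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")


def _entry(sas: Dict[str, dict], conn: str) -> dict:
    return sas.setdefault(conn, {"ike": None, "children": {}})


def parse_ipsec_status(text: str) -> Dict[str, dict]:
    """Return {conn: {"ike": {...} or None, "children": {child_id: {...}}}}."""
    sas: Dict[str, dict] = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            _entry(sas, m["conn"])["ike"] = {
                "id": m["id"], "state": m["state"], "local": m["local"],
                "local_id": m["lid"], "remote": m["remote"], "remote_id": m["rid"]}
            continue
        m = CHILD_RE.match(line)
        if m:
            _entry(sas, m["conn"])["children"][m["id"]] = {
                "state": m["state"], "mode": m["mode"], "reqid": int(m["reqid"]),
                "spi_in": m["spi_in"], "spi_out": m["spi_out"], "selectors": []}
            continue
        m = TS_RE.match(line)
        if m:
            child = _entry(sas, m["conn"])["children"].setdefault(
                m["id"], {"state": "UNKNOWN", "selectors": []})
            child["selectors"].append((m["local"], m["remote"]))
    return sas


def check_tunnels(status: Dict[str, dict], expected: Dict[str, Tuple[str, str]]) -> List[str]:
    """List problems for every expected tunnel; an empty list means all tunnels are up."""
    problems: List[str] = []
    for conn, (local, remote) in expected.items():
        sa = status.get(conn)
        if sa is None or sa["ike"] is None:
            problems.append(f"{conn}: no IKE_SA")
            continue
        if sa["ike"]["state"] != "ESTABLISHED":
            problems.append(f"{conn}: IKE_SA state {sa['ike']['state']}")
        installed = [c for c in sa["children"].values()
                     if c["state"] == "INSTALLED" and (local, remote) in c["selectors"]]
        if not installed:
            problems.append(f"{conn}: no INSTALLED CHILD_SA for {local} === {remote}")
    return problems


if __name__ == "__main__":
    # On a real node3 replace SAMPLE_STATUS with subprocess.check_output(["ipsec", "status"]).
    print(check_tunnels(parse_ipsec_status(SAMPLE_STATUS), EXPECTED_TUNNELS) or "all tunnels up")
    print(check_tunnels(parse_ipsec_status(SAMPLE_CONNECTING), EXPECTED_TUNNELS))
```

Polling `ipsec status` through this check once a second during the link-break step below gives a timestamped record of exactly when each tunnel dropped and came back, which is more precise than reading it off the ping loss.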

w1:

$ ip a | grep 10.10
    inet 10.10.1.10/24 brd 10.10.1.255 scope global ens4

$ ping -c 1 10.10.3.1
PING 10.10.3.1 (10.10.3.1) 56(84) bytes of data.
64 bytes from 10.10.3.1: icmp_seq=1 ttl=63 time=12.4 ms

w2:

$ ip a | grep 10.10
    inet 10.10.2.254/24 brd 10.10.2.255 scope global ens4

$ ping -c 1 10.10.3.1
PING 10.10.3.1 (10.10.3.1) 56(84) bytes of data.
64 bytes from 10.10.3.1: icmp_seq=1 ttl=63 time=4.21 ms

$ ping -c 1 10.10.1.10
PING 10.10.1.10 (10.10.1.10) 56(84) bytes of data.
64 bytes from 10.10.1.10: icmp_seq=1 ttl=62 time=6.14 ms

node3:

$ ping -c 1 10.10.1.10
PING 10.10.1.10 (10.10.1.10) 56(84) bytes of data.
64 bytes from 10.10.1.10: icmp_seq=1 ttl=63 time=4.93 ms

$ ping -c 1 10.10.2.254
PING 10.10.2.254 (10.10.2.254) 56(84) bytes of data.
64 bytes from 10.10.2.254: icmp_seq=1 ttl=63 time=6.07 ms

Start pings between the pairs: w1 -> w2; w2 -> node3; node3 -> w1.

w1: $ ping 10.10.2.254
w2: $ ping 10.10.3.1
node3: $ ping 10.10.1.10

Break the links between node2-internet and node3-internet.

The pings should start losing packets. Restore the links.

It took ~5 seconds for the pings to recover after the links were restored.

The ping stats:

w1:
--- 10.10.2.254 ping statistics ---
59 packets transmitted, 47 received, 20% packet loss, time 58405ms
rtt min/avg/max/mdev = 4.160/9.145/147.667/20.446 ms

w2:
--- 10.10.3.1 ping statistics ---
60 packets transmitted, 44 received, 26% packet loss, time 59554ms
rtt min/avg/max/mdev = 2.826/4.986/7.191/0.967 ms

node3:
--- 10.10.1.10 ping statistics ---
60 packets transmitted, 47 received, 21% packet loss, time 59414ms
rtt min/avg/max/mdev = 3.292/4.739/8.602/1.114 ms

Success: we have a working IPsec playground.
