Site to Site IpSec Tunnel

最後更新: 2021-06-20

介紹

 

policy(/ip ipsec policy) notifies IKE daemon --> remote IKE daemon

以下設定必須雙方對應

Phase 1 (/ip ipsec peer) -IKE daemon 建立連線要的資料

  • authentication method (auth-method=pre-shared-key)
  • DH group (dh-group=modp2048)
  • encryption algorithm (enc-algorithm=aes-192)
  • exchange mode (aggressive | base | main | ike2; Default: main)
  • hash alorithm (hash-algorithm=sha256)
  • NAT-T (ignored by IKEv2)
  • DPD and lifetime (optional)

DPD(dead-peer-detection)[rfc3706]

DPD is used to reclaim the lost resources in case a peer is found dead and

it is also used to perform IKE peer failover.

防止

The SAs can remain until their lifetimes naturally expire, resulting in a "black hole" situation

運作

A device performs this verification by

  sending encrypted IKE Phase 1 notification payloads (R-U-THERE messages) to a peer and

  waiting for DPD acknowledgements (R-U-THERE-ACK messages) from the peer.

If there is no feedback from the peer, it will disconnect the IPsec tunnel.

  (刪除 ISAKMP SA 和相應的 IPSec SA)

Negotiation

Peer 各自有各自的 dpd-interval 及 dpd-maximun-failures

好處

a DPD exchange only occurs if an entity has not received traffic recently from its peer,

the number of IKE messages to be sent and processed is also reduced.

Default

dpd-interval 2m
dpd-maximum-failures 5

Phase 1 is not re-keyed if DPD is disabled when lifetime expires, only phase 2 is re-keyed.

  (To force phase 1 re-key => enable DPD)

There are two lifetime values - soft and hard.

  When SA reaches it's soft lifetime treshold, the IKE daemon receives a notice and

  starts another phase 2 exchange to replace this SA with fresh one.

  If SA reaches hard lifetime, it is discarded.

/ip ipsec peer

Flags: X - disabled, D - dynamic, R - responder
 0     ;;; Airport
       address=r.r.r.r/32 auth-method=pre-shared-key secret="???"
       generate-policy=no policy-template-group=default exchange-mode=ike2
       send-initial-contact=yes hash-algorithm=sha256 enc-algorithm=aes-192
       dh-group=modp2048 lifetime=1d dpd-interval=30s

P.S.

Proof of Liveliness 方式: Keepalives vs. Heartbeats

Phase 2 - 建立 SA 去加密流過的資料

  • Ipsec protocol (ah | esp; Default: esp)
  • mode (tunnel or transport)
  • authentication method
  • PFS (DH) group
  • lifetime (Default: 30m)      # How long to use SA before throwing it out

 


Site2Site IPSec 設定

 

Disgram

                  [Office_1]                          <--->                      [Office_2]

Wan:192.168.90.1, Lan:10.1.202.1/24      |      Wan:192.168.80.1, Lan:10.1.101.1/24

設定次序

  1. Peer
  2. Proposal
  3. Policy
  4. NAT and Fasttrack Bypass

Office_1 Setting:

1) Firewall filter

add action=accept chain=input comment=ipsec dst-port=500,4500 in-interface=ether1 protocol=udp

# 當另一方不支援 NAT 時就要用時此 Rule 就生效

add action=accept chain=input in-interface=ether1 protocol=ipsec-esp

# 另一邊過來的 Traffic (假設了 MyLan to All allow)

add action=accept chain=forward src-address-list=RemoteLan dst-address-list=MyLan

2) IPSec Peer's config (Phase 1)

Peer configuration

Settings are used to establish connections between IKE daemons ( phase 1 configuration )

This connection then will be used to negotiate keys and algorithms for SAs.

# It is enough to configure address, auth-method and secret parameters and leaving everything else as default.

/ip ipsec peer
add address=192.168.80.1/32 port=500 auth-method=pre-shared-key secret="test"

Setting

exchange-mode (aggressive | base | main | ike2; Default: main)

    Parameters that are ignored by IKEv2

    proposal-check, compatibility-options, lifebytes, dpd-maximum-failures, nat-traversal.

passive (yes | no; Default: no)    

    When passive mode is enabled will wait for remote peer to initiate IKE connection.
    (不主動發起連線)

port (integer:0..65535; Default: 500)

send-initial-contact (yes | no; Default: yes)

    Specifies whether to send "initial contact" IKE packet or wait for remote side,

    this packet should trigger removal of old peer SAs for current source address.

3) Identities

auth-method (Default: pre-shared-key)

my-id (auto | fqdn | user-fqdn; Default: auto)

    auto = IP address is used as ID

 

4) Profiles

nat-traversal (yes | no; Default: no)

    Use Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers inbetween IPsec peers.

    This can only be used with ESP protocol
    (AH is not supported by design, as it signs the complete packet, including IP header,
     which is changed by NAT, rendering AH signature invalid)

    The method encapsulates IPsec ESP traffic into UDP streams
    in order to overcome some minor issues that made ESP incompatible with NAT.

proposal-check (claim | exact | obey | strict; Default: obey) (Phase 2)

    Phase 2 lifetime check logic:

  • claim - take shortest of proposed and configured lifetimes and notify initiator about it
  • exact - require lifetimes to be the same
  • obey - accept whatever is sent by an initiator
  • strict - if proposed lifetime is longer than the default then reject proposal otherwise accept proposed lifetime

 

 

3) Proposal (Phase 2)

Proposal information that will be sent by IKE daemon to establish SAs for this policy ( Phase 2).

/ip ipsec proposal> print
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

4) Policy (Phase 2)

Policy table is used to determine whether security settings should be applied to a packet.

/ip ipsec policy
add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any \
sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 \
tunnel=yes action=encrypt proposal=default

level (Phase 2 Settings)

Specifies what to do if some of the SAs for this policy cannot be found:

use - skip this transform, do not drop packet and do not acquire SA from IKE daemon;

require - drop packet and acquire SA;

unique - drop packet and acquire a unique SA that is only used with this particular policy.
             It is used in setups where multiple clients can sit behind one public IP address (clients behind NAT).

 

5) NAT and Fasttrack Bypass

[Part 1] NAT 問題

Remote router receives encrypted packet but is unable to decrypt it because source address do not match address specified in policy configuration

* If you previously tried to establish tunnel before NAT bypass rule was added,

   you have to clear connection table from existing connection or restart both routers

It is very important that bypass rule is placed at the top of all other NAT rules.

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
 src-address=10.1.202.0/24 dst-address=10.1.101.0/24

[Part 2] Fasttrack 問題

* Another issue is if you have fasttrack enabled, packet bypasses ipsec policies.

So we need to add accept rule before fasttrack

[方法1]

 * this can add significant load to CPU if there is a fair amount of tunnels and significant traffic on each tunnel.

/ip firewall filter
add chain=forward action=accept place-before=1
 src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add chain=forward action=accept place-before=1
 src-address=10.1.202.0/24 dst-address=10.1.101.0/24

此 rule 相當於 router 的 ACL (O2:101 -> O1:202)

[方法2] 建議的做法

 * use RAW firewall tables to bypass connection tracking

/ip firewall raw
add chain=prerouting action=notrack log=no src-address=10.1.202.0/24 dst-address=10.1.101.0/24
add chain=prerouting action=notrack log=no src-address=10.1.101.0/24 dst-address=10.1.202.0/24

[Part 3] Router To Router

/ip firewall raw
 add chain=output action=notrack log=no src-address=10.1.202.1/24 dst-address=10.1.101.0/24

如果無此 Rule, 那 router 就會 ping 唔到對方

在 router 上 ping 對方的方法

# 要指定 source interface / source ip
/ping interface=bridge1 192.168.123.254
                OR
/ping src-address=10.1.202.1 192.168.123.254

# 套用以下設定後就再不用指定 Source IP

/ip route 
add distance=1 dst-address=10.1.101.0/24 gateway=ether2-lan pref-src=192.168.123.254

 * 指定 pref-src 會更通用, 因為 NIC 有機會有多粒 IP

檢看 IPSec Status

# 找出某一 ID 是什麼 Setting (connection)

/ip ipsec peer print

 3     address=r.r.r.r/32 auth-method=pre-shared-key
       secret="????????" generate-policy=no
       policy-template-group=default exchange-mode=main
       send-initial-contact=yes nat-traversal=yes proposal-check=obey
       hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1h
       dpd-interval=1m dpd-maximum-failures=5

Check phase 1

# statistics about remote peers that currently have established phase 1 connection.

/ip ipsec remote-peers print

Flags: R - responder, N - natt-peer
 #    ID                   STATE
 0                         message-1-sent            # 連線中
 1 R                       established               # 建立了

/ip ipsec remote-peers print terse

# local-address 及 remote-address 是 Wan IP 來

 0    local-address=192.168.90.1 remote-address=n.n.n.n state=message-1-sent side=initiator
 1    local-address=192.168.90.1 remote-address=192.168.80.1 state=established side=initiator uptime=53s last-seen=36s

/ip ipsec remote-peers print detail

Flags: R - responder, N - natt-peer
 0 R  local-address=R.R.R.R remote-address=L.L.L.L state=established side=responder uptime=2m9s last-seen=9s
 1    local-address=R.R.R.R remote-address=L.L.L.L state=established side=initiator uptime=2m9s last-seen=9s

Check Phase 2

show current status of the policy

/ip ipsec policy print stats

# 未建立 Phase 2

# no-phase2 - no keys are estabilished at the moment

3 ph2-state=no-phase2

# 建立了 Phase 2

# estabilished - Appropriate SAs are in place and everything should be working fine

3 ph2-state=established

/ip ipsec policy print stats brief

Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
3  A  10.1.202.0/24

# information about installed Security Associations including the keys.

/ip ipsec installed-sa print

# 連線成功時, 就會有兩個 SA ( IPSec 是雙向的 )

Flags: H - hw-aead, A - AH, E - ESP
 0  E spi=0xC1C33D0 src-address=192.168.80.1 dst-address=192.168.90.1
      state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
      auth-key="????????????"
      enc-key="????????????" addtime=jul/09/2018 17:26:43
      expires-in=57m31s add-lifetime=48m/1h current-bytes=13308
      current-packets=199 replay=128

 1  E spi=0x83778246 src-address=192.168.90.1 dst-address=192.168.80.1
      state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
      auth-key="????????????"
      enc-key="????????????" addtime=jul/09/2018 17:26:43
      expires-in=57m31s add-lifetime=48m/1h current-bytes=8580
      current-packets=143 replay=128

* 當有 package 通過 IPSec 的 tunnel 時, 那 current-packets 就會上升 ( 亦即是 NAT & Fasttrack Bypass )

add-lifetime (time/time)     Added lifetime for the SA in format soft/hard:

  • soft - time period after which ike will try to establish new SA;
  • hard - time period after which SA is deleted.

addtime (time)     Date and time when this SA was added.

Statistics

/ip ipsec statistics print

                  in-errors: 0
           in-buffer-errors: 0
           in-header-errors: 0
               in-no-states: 670
   in-state-protocol-errors: 0
       in-state-mode-errors: 0
   in-state-sequence-errors: 48
           in-state-expired: 0
        in-state-mismatches: 0
           in-state-invalid: 24
     in-template-mismatches: 1
             in-no-policies: 0
          in-policy-blocked: 0
           in-policy-errors: 0
                 out-errors: 0
          out-bundle-errors: 0
    out-bundle-check-errors: 0
              out-no-states: 1732
  out-state-protocol-errors: 0
      out-state-mode-errors: 0
  out-state-sequence-errors: 0
          out-state-expired: 0
         out-policy-blocked: 0
            out-policy-dead: 0
          out-policy-errors: 0

Closing all IPsec connections

This command will clear all installed SAs (Phase2) and

remove all entries from remote-peers menu (Phase1).

/ip ipsec remote-peers kill-connections

Phase 1 is not re-keyed if DPD is disabled when lifetime expires, only phase 2 is re-keyed.

To force phase 1 re-key, enable DPD.

/log

/log print where topics~"ipsec"

02:14:10 ipsec,info initiate new phase 1 (Aggressive): L.L.L.L[500]<=>R.R.R.R[500]
02:14:43 ipsec,info respond new phase 1 (Aggressive): L.L.L.L[500]<=>R.R.R.R[500]
02:14:43 ipsec,info ISAKMP-SA established L.L.L.L[500]-R.R.R.R[500] spi:?:?
02:14:50 ipsec,info ISAKMP-SA established L.L.L.L[500]-R.R.R.R[500] spi:?:?

 * 正常係 initiate 與 respond 係會一 pair 出現的.

 


hw-aead

 

aead = Authenticated encryption with associated data

hw-aead => Whether this SA is hardware accelerated.

Checking

/ip ipsec installed-sa print

flag: hw-aead

Summary

  • 大部份 hardware 只支持 SHA1, SHA256, 不支援 MD5, SHA512
  • 加密支援普遍性: AES-CBC > AES-CTR > AES-GCM
  • 多數只支援 128 bit and 256 bit key sizes (所以不要選 192 bit !!)

 


Doc

 

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

 

 

Creative Commons license icon Creative Commons license icon