MikroTik Value Added Distributor, MikroTik Training Centre, MikroTik Toronto, MikroTik Canada

Tuesday, 20 March 2018 / Published in Blog

MikroTik RouterOS and AWS Site-to-Site VPN

Site to Site IPsec tunnel, MikroTik <–> AWS

Consider the setup illustrated below (figure not reproduced here). The office router, running MikroTik RouterOS, and Amazon Web Services (AWS) are both connected to the internet, and the office workstations sit behind NAT.

The office has its own local subnet, 192.168.0.0/24.

Amazon has its own local subnet, 172.16.0.0/16.

Both the remote office and AWS need a secure tunnel between the local networks behind their routers.

========================================================================
! VPN Connection Configuration
========================================================================

! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.

! Your VPN Connection ID : vpn-xxxxxxxx
! Your Virtual Private Gateway ID : vgw-yyyyyyyy
! Your Customer Gateway ID : cgw-zzzzzzzz

! This configuration consists of two tunnels. Both tunnels must be configured on your Customer Gateway, but only one of those tunnels should be up at any given time.
! Note that MikroTik RouterOS does not support an Active/Active or Active/Standby setup with the AWS hosted VPN solution.

! At this time this configuration has only been tested for RouterOS 6.36, but may work with other versions.

! This configuration uses the Winbox utility to configure the IPsec VPN connection. Winbox is a small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.
! You can download this utility from: https://mikrotik.com/download

========================================================================
! IPSec Tunnel #1
========================================================================

! #1: IPSec Proposal Configuration
!
! An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category “VPN,” and not for “VPN-Classic”.

Go to IP Tab –> IPsec –> Proposals

a. Click on “+” button

b. Name: ipsec-vpn-xxxxxxxx-x “Any name”
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok

! ----------------------------------------------------------------------
! #2: Internet Key Exchange
!
! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,
! and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key
! parameters. Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category “VPN,” and not for “VPN-Classic”.
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT). To
! ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the “Local Address”.

! Create an IKE policy permitting traffic from your local subnet to the VPC subnet.

Go to IP Tab –> IPsec –> Policies

1) Click on “+” button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask

2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: xxx.xxx.xxx.xxx “MikroTik Public IP Address”
c. SA Dst. Address: yyy.yyy.yyy.yyy “AWS Public IP Address”
d. Proposal: ipsec-vpn-xxxxxxxx-x “Any name”
e. Select Apply and Ok

! Two policies are configured under IPsec Policies: one for the MikroTik local subnet to the AWS local subnet, and one for the /30 inside (tunnel) addresses provided by AWS.

! Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.

Go to IP Tab –> IPsec –> Policies

3) Click on “+” button and select the General Tab
a. Src. Address: aaa.aaa.aaa.aaa “Local private IP Address provided by AWS”
b. Dst. Address: bbb.bbb.bbb.bbb “Remote private IP Address provided by AWS”

4) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: xxx.xxx.xxx.xxx “MikroTik Public IP Address”
c. SA Dst. Address: yyy.yyy.yyy.yyy “AWS Public IP Address”
d. Proposal: ipsec-vpn-xxxxxxxx-x “Any name”
e. Select Apply and Ok

Go to IP Tab –> IPsec –> Peers

5) Click on “+” button
a. Address: yyy.yyy.yyy.yyy “AWS Public IP Address”
b. Local Address: xxx.xxx.xxx.xxx “MikroTik Public IP Address”
c. Secret: !@#$%^&*()1234567890ASDFGHJKL
d. Hash Algorithm: sha1
e. Encryption Algorithm: aes-128
f. DH Group: modp1024
g. Lifetime: 08:00:00
h. DPD Interval: 10
i. DPD Maximum Failures: 3
j. Select Apply and Ok

! ----------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.

Go to IP Tab –> Addresses

a. Click on “+” button
b. Address: aaa.aaa.aaa.aaa/30 “This IP Address is provided by AWS”
c. Interface: Select the WAN/Outside interface
d. Select Apply and Ok

! ----------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with a subnet/mask of 172.16.0.0/16 is provided below:

Go to IP Tab –> Routes

a. Click on “+” button and select the General Tab
b. Dst. Address: 172.16.0.0/16
c. Gateway: bbb.bbb.bbb.bbb/30 “AWS Remote IP Address, a private IP Address provided by AWS”
d. Select Apply and Ok

! ----------------------------------------------------------------------
! #5: NAT Exemption
!
! If you are performing NAT on your Customer Gateway, you may have to add a NAT exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.
! This example rule permits all traffic from the local subnet to the VPC subnet.

Go to IP Tab –> Firewall –> NAT

1) Click on “+” button and select the General Tab
a. Chain: srcnat
b. Src. Address: local subnet/mask
c. Dst. Address: AWS VPC subnet/mask

2) Click on Action Tab
a. Action = accept
b. Select Apply and Ok

! Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.

3) Click on “+” button and select the General Tab
a. Chain: srcnat
b. Src. Address: aaa.aaa.aaa.aaa
c. Dst. Address: bbb.bbb.bbb.bbb

4) Click on Action Tab
a. Action = accept
b. Select Apply and Ok

! Note that there may be multiple firewall rules configured on your Customer Gateway. These rules may conflict with the NAT exemption rule.
! It is recommended to position the NAT exemption rules so that they are evaluated before any other conflicting rule (for example, before a masquerade rule on the WAN interface).
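The five Winbox steps above, expressed as RouterOS terminal commands. This is an added example, not the post's own text or the configuration file AWS generates; it assumes RouterOS 6.3x peer syntax (from 6.44 onward the hash/encryption/DH settings live under /ip ipsec profile), assumes ether1 is the WAN interface, and substitutes constructed RFC 5737 / link-local documentation addresses for the post's xxx/yyy/aaa/bbb placeholders.

```routeros
# Constructed placeholder values (replace with those from your AWS download):
#   203.0.113.10   MikroTik public IP (Customer Gateway outside address)
#   198.51.100.20  AWS tunnel #1 outside IP (Virtual Private Gateway)
#   169.254.10.2   inside IP on the MikroTik side of the /30 provided by AWS
#   169.254.10.1   inside IP on the AWS side of the same /30

# Step 1: IPsec (phase 2) proposal - AES-128-CBC, SHA1, PFS modp1024, 1 h lifetime
/ip ipsec proposal add name=ipsec-vpn-xxxxxxxx-x auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc lifetime=1h pfs-group=modp1024

# Step 2: IKE (phase 1) peer - the PSK must be the one AWS generated for this tunnel
/ip ipsec peer add address=198.51.100.20/32 local-address=203.0.113.10 \
    secret="REPLACE-WITH-PSK-FROM-AWS-CONFIG" exchange-mode=main \
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h \
    dpd-interval=10s dpd-maximum-failures=3 nat-traversal=yes

# Step 2: policies - office LAN <-> VPC, and the /30 inside addresses
/ip ipsec policy add src-address=192.168.0.0/24 dst-address=172.16.0.0/16 \
    tunnel=yes sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    proposal=ipsec-vpn-xxxxxxxx-x
/ip ipsec policy add src-address=169.254.10.2/32 dst-address=169.254.10.1/32 \
    tunnel=yes sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    proposal=ipsec-vpn-xxxxxxxx-x

# Step 3: inside tunnel address on the WAN interface
/ip address add address=169.254.10.2/30 interface=ether1

# Step 4: static route for the VPC prefix via the AWS inside address
/ip route add dst-address=172.16.0.0/16 gateway=169.254.10.1

# Step 5: NAT exemption, inserted at the top of srcnat so it is evaluated
# before any masquerade rule that would otherwise rewrite tunnel traffic
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    dst-address=172.16.0.0/16 action=accept place-before=0 \
    comment="AWS VPN: do not NAT LAN<->VPC"
/ip firewall nat add chain=srcnat src-address=169.254.10.2 \
    dst-address=169.254.10.1 action=accept place-before=0 \
    comment="AWS VPN: do not NAT inside IPs"

# Verification: phase 1 peer established and phase 2 SAs installed
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

A policy whose ph2-state stays at "no-phase2" usually means the proposal (encryption, hash or PFS group) does not match what AWS offers, so check those values before looking at the firewall.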

For any questions please contact us!




