
MUM Indonesia

October 24–25, 2019


KUTA, BALI, Indonesia

MikroTik IPSec IKEv2 VPN site-to-site:
easy step-by-step guide by Nikita Tarikin (MikroTik PRO, Russia)

Nikita Tarikin / [email protected]


Nikita Tarikin
Certified network engineer, MikroTik PRO, Russia
MikroTik Certified


Nikita Tarikin
Certified network engineer, MikroTik PRO, Russia
MTCNA 99%
MTCRE 95%
MTCTCE 96%
MTCWE 84%
MTCUME 90%
MTCSE 94%
MTCIPv6E 74%


Nikita Tarikin
@tarikin
@tropicalengineer


Let’s keep in touch

Send me e-mail: [email protected]
Find me in Facebook: Nikita Tarikin
Subscribe my channels: @tarikin, @tropicalengineer
Direct message me via: Telegram t.me/tarikin, Messenger Nikita Tarikin


Nikita Tarikin
Watch this presentation on YouTube
https://www.youtube.com/watch?v=n5_Af2vllOA


Why IPSec IKE2?


Compare VPN types (RouterOS)

Feature                            | L2TP   | L2TP/IPSec + psk | OpenVPN | PPTP      | SSTP   | IPSec IKE2
Protocol                           | UDP    | UDP over UDP/ESP | TCP     | GRE       | TCP    | UDP, ESP
Performance                        | Fast   | Medium           | Slow    | Fast      | Slow   | Very fast
Connection establishment           | Medium | Slow             | Slow    | Medium    | Medium | Very fast
Requires strong CPU for encryption | No     | Yes              | Yes     | No        | Yes    | Yes
Multicore CPU load balance         | Yes    | Yes              | No      | Yes       | Yes    | Yes
Security                           | Low    | Strong           | Strong  | Low       | Strong | Very strong
Push routes                        | No     | No               | Yes     | No        | No     | Yes
Bypass NAT                         | Yes    | Yes              | Yes     | Yes       | Yes    | Yes
Has interface                      | Yes    | Yes              | Yes     | Yes       | Yes    | No
OS popularity                      | High   | Very high        | High    | Very high | Low    | High


Why IKE2?
1. Blazing fast throughput performance
2. Instant connection establishment
3. Military grade security standards
4. Supported by most modern OS’s
5. Can push routes to clients
6. Bypasses any NAT
7. Mobile friendly

Network diagram


[Network diagram from MUM Malaysia 2019: VPN clients (10.0.88.0/24) -> WAN (NAT) -> IKEv2 VPN -> RouterOS VPN Router -> LAN 192.168.88.0/24]
Archive: MUM Malaysia 2019, "MikroTik IPSec ike2 VPN server: easy step-by-step guide"
https://mum.mikrotik.com/2019/MY/agenda/EN#475_7008

Network diagram
[Branch office, LAN branch 192.168.199.0/24 (behind ISP NAT) <- IPSec IKEv2 VPN over the Internet -> HQ Office, LAN HQ 192.168.88.0/24]


Headlines
1. Before you start
2. Build SSL certificates
3. Setting up ipsec vpn server
4. Setting up ipsec vpn client
5. Site-to-site via interface over ipsec
6. Site-to-site via ipsec policy
7. Setting up firewall (see MUM Malaysia 2019)
8. Adjust TCP-MSS
9. Demo lab + hacking quiz
Before you start: checklist for your demo lab
1. MTCNA knowledge (recommended)
2. RouterOS 6.45 or newer
3. Lab environment (recommended)
4. Default configuration 6.45+
Upgrade RouterOS to 6.45+
1. Download package from www.mikrotik.com/download
2. Upload package to / of your RouterBoard
3. System -> Reboot


Reset RouterBoard to default v6.45+ configuration
This will apply new default firewall rules, interface lists, basic security settings etc.
System -> Reset configuration


General system settings. Agenda for next slides:
1. WAN IP/DNS addresses
2. Timezone
3. Date/time via NTP
4. Loopback bridge
5. IP pool
WAN IP and DNS addresses for IKE2 VPN server
Check DNS records:
Name: vpn.ike2.xyz
Address: 123.45.67.8
* Set DNS records with your domain name registrar control panel
123.45.67.8 is on WAN interface


Important: Setup correct timezone
/system clock set time-zone-name=Asia/Kuala_Lumpur
System -> Clock

Important: Setup auto date/time
/system ntp client set enabled=yes server-dns-names=0.asia.pool.ntp.org,1.asia.pool.ntp.org,2.asia.pool.ntp.org
Activate NTP client


Add new loopback bridge
/interface bridge add name=bridge-loopback

Set loopback bridge IP address
/ip address add address=10.0.88.1/24 interface=bridge-loopback network=10.0.88.0

Add new IP Pool for ike2 VPN clients
/ip pool add name="pool vpn.ike2.xyz" ranges=10.0.88.2-10.0.88.254


Generate SSL certificates. Agenda for next slides:
1. Generate CA
2. Generate server SSL
3. Generate client SSL
4. Export client SSL
Generate CA SSL certificate
/certificate add name=CA.ike2.xyz country=MY state=Selangor locality=Cyberjaya organization=IKE2.xyz common-name=ca.ike2.xyz subject-alt-name=DNS:ca.ike2.xyz key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign

Self-sign CA SSL certificate (Certificate Authority)
/certificate sign CA.ike2.xyz

Generate server SSL certificate
/certificate add name=vpn.ike2.xyz country=MY state=Selangor locality=Cyberjaya organization=IKE2.xyz unit=VPN common-name=vpn.ike2.xyz subject-alt-name=DNS:vpn.ike2.xyz key-size=2048 days-valid=1095 trusted=yes key-usage=tls-server

Sign server SSL certificate with CA.ike2.xyz authority
/certificate sign vpn.ike2.xyz ca=CA.ike2.xyz


Client certificate template
/certificate add name=~client-[email protected] country=MY state=Selangor locality=Cyberjaya organization=IKE2.xyz common-name=[email protected] subject-alt-name=email:~client-[email protected] key-size=2048 days-valid=365 trusted=yes key-usage=tls-client

Generate client SSL certificate from template
/certificate add copy-from=~client-[email protected] name=[email protected] common-name=[email protected] subject-alt-name=email:[email protected]

Sign client SSL certificate with CA.ike2.xyz authority
/certificate sign [email protected] ca=CA.ike2.xyz

Export client SSL certificate + private key to .p12 file
/certificate export-certificate [email protected] type=pkcs12 export-passphrase=keepinsecret

Generate various client SSL certificates from template (example)
[Screenshot: certificate list with several client certificates created from the template]

Export CA SSL certificate .crt file
/certificate export-certificate CA.ike2.xyz type=pem

Download exported SSL certificates
[Screenshot: Files list with the exported .p12 and .crt files]


Setting up IPSec. Agenda for next slides:
1. Setup Mode Configs
2. Setup Peer Profiles
3. Setup Peers
4. Setup Proposals
5. Setup Policy Groups
6. Setup Policy Template
7. Setup Identities
What's new in 6.44
*) ipsec - added account log message when user is successfully authenticated;
*) ipsec - added basic pre-shared-key strength checks;
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - allow to specify single address instead of IP pool under "mode-config";
*) ipsec - fixed active connection killing when changing peer configuration;
*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
*) ipsec - fixed stability issues after changing peer configuration (introduced in v6.43);
*) ipsec - hide empty prefixes on "peer" menu;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;
*) ipsec - made dynamic "src-nat" rule more specific;
*) ipsec - made peers autosort themselves based on reachability status;
*) ipsec - moved "profile" menu outside "peer" menu;
*) ipsec - properly detect AES-NI extension as hardware AEAD;
*) ipsec - removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder;
*) ipsec - require write policy for key generation;
*) ike2 - added option to specify certificate chain;
*) ike2 - added peer identity validation for RSA auth (disabled after upgrade);
*) ike2 - allow to match responder peer by "my-id=fqdn" field;
*) ike2 - fixed local address lookup when initiating new connection;
*) ike2 - improved subsequent phase 2 initialization when no childs exist;
*) ike2 - properly handle certificates with empty "Subject";
*) ike2 - retry RSA signature validation with deduced digest from certificate;
*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
*) ike2 - show weak pre-shared-key warning;
Key ipsec changes in RouterOS 6.44
*) ipsec - added new "remote-id" peer matcher;
*) ipsec - allow to specify single address instead of IP pool under "mode-config";
*) ipsec - moved "profile" menu outside "peer" menu;
*) ipsec - removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder;
*) ike2 - added option to specify certificate chain;
*) ike2 - added peer identity validation for RSA auth (disabled after upgrade);
*) ike2 - allow to match responder peer by "my-id=fqdn" field;
*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;

IPSec structure: before 6.44 / after 6.44
[Diagram: IPSec menu structure before and after 6.44]


1. Setting up new IPSec mode config
/ip ipsec mode-config add address-pool="pool vpn.ike2.xyz" address-prefix-length=32 name="modeconf vpn.ike2.xyz" split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no

2. Setting up new IPSec peer profile (phase 1)
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.ike2.xyz" nat-traversal=yes proposal-check=obey

3. Setting up new IPSec peer on public IP address (IKE2 mode)
Accepting clients from all IP addresses 0.0.0.0/0
Accepting clients on public IP address 123.45.67.8
/ip ipsec peer add exchange-mode=ike2 address=0.0.0.0/0 local-address=123.45.67.8 name="peer 123.45.67.8" passive=yes send-initial-contact=yes profile="profile vpn.ike2.xyz"

4. Setting up new IPSec proposal (phase 2)
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal vpn.ike2.xyz" pfs-group=none

5. Setting up new IPSec policy group
/ip ipsec policy group add name="group vpn.ike2.xyz"

6. Setting up new IPSec policy template
/ip ipsec policy add template=yes dst-address=10.0.88.0/24 protocol=all src-address=0.0.0.0/0 group="group vpn.ike2.xyz" proposal="proposal vpn.ike2.xyz" ipsec-protocols=esp action=encrypt


7. Carefully assembling IPSec identities for each client
/ip ipsec identity add auth-method=digital-signature certificate=vpn.ike2.xyz remote-certificate=[email protected] generate-policy=port-strict match-by=certificate mode-config="modeconf vpn.ike2.xyz" peer="peer 123.45.67.8" policy-template-group="group vpn.ike2.xyz" remote-id=user-fqdn:[email protected]
/ip ipsec identity add auth-method=digital-signature certificate=vpn.ike2.xyz remote-certificate=[email protected] generate-policy=port-strict match-by=certificate mode-config="modeconf vpn.ike2.xyz" peer="peer 123.45.67.8" policy-template-group="group vpn.ike2.xyz" remote-id=user-fqdn:[email protected]
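The identity command above is repeated once per client, and every client first needs its own certificate from the template shown in the certificate section. As an added example that is not part of the presentation, the RouterOS script below does that whole server-side onboarding for a list of branch names: it issues and signs each client certificate from the template, exports it as .p12, and binds it to its own identity with match-by=certificate plus remote-id, so a connection is accepted only when the presented certificate is exactly that client's and its IKE identity is the matching user-fqdn. It assumes the CA, peer, mode-config, policy group and server certificate created on the previous slides; the client list, the template name `~client-template@vpn.ike2.xyz` (the deck's template name is obfuscated in this copy) and the export passphrase are assumptions.

```routeros
# Added example, not from the presentation: onboard several branch routers on the server.
# Assumes CA.ike2.xyz, "peer 123.45.67.8", "modeconf vpn.ike2.xyz", "group vpn.ike2.xyz"
# and the server certificate vpn.ike2.xyz exist as configured on the earlier slides.
:local clients {"office-01";"office-02";"office-03"}   # constructed list of branch names
:local domain "vpn.ike2.xyz"
:local caName "CA.ike2.xyz"
:local template "~client-template@vpn.ike2.xyz"        # hypothetical template name, substitute yours
:local exportPass "keepinsecret"                         # passphrase from the slide; use a per-client secret in production

:foreach c in=$clients do={
    :local id ($c . "@" . $domain)

    # 1) one client certificate per router, copied from the template and signed by the CA
    :if ([:len [/certificate find name=$id]] = 0) do={
        /certificate add copy-from=$template name=$id common-name=$id subject-alt-name=("email:" . $id)
        /certificate sign [find name=$id] ca=$caName
        # signing generates the 2048-bit key; give slow boards a moment before exporting
        :delay 2s
        /certificate export-certificate [find name=$id] type=pkcs12 export-passphrase=$exportPass
        :log info ("ike2: issued and exported certificate " . $id)
    }

    # 2) one identity per client: the certificate AND the IKE id must both match
    :if ([:len [/ip ipsec identity find remote-certificate=$id]] = 0) do={
        /ip ipsec identity add auth-method=digital-signature certificate=vpn.ike2.xyz remote-certificate=$id match-by=certificate remote-id=("user-fqdn:" . $id) generate-policy=port-strict mode-config="modeconf vpn.ike2.xyz" peer="peer 123.45.67.8" policy-template-group="group vpn.ike2.xyz" comment=("branch " . $c)
        :log info ("ike2: identity added for " . $id)
    }
}
```

Both steps are guarded by a find, so the script can be re-run after adding a name to the list without duplicating certificates or identities. The exported cert_export_<name>.p12 files then go to the branch routers exactly as the single client .p12 does on the client slides.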


Setting up Firewall
Understanding the default firewall filter

Important: Empty FIREWALL filter = ALLOW ALL
[Diagram: RouterOS Router with WAN 123.45.67.8/24 and LAN 192.168.88.1/24 (LAN 192.168.88.0/24); INPUT, FORWARD and OUTPUT chains are empty, only src-nat on WAN; legend: Accept / Drop]


RouterOS 6.45+ default configuration firewall overview

#Input Chain Rules
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

#Forward Chain Rules
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN


Setting up Firewall
1. Default firewall overview
2. Allow IPSec

Default firewall overview
[Diagram: RouterOS Router, WAN 123.45.67.8/24, LAN 192.168.88.1/24 (LAN 192.168.88.0/24); INPUT from WAN: drop except ICMP; FORWARD from WAN: drop except DST-NAT; OUTPUT: accept; src-nat on WAN; legend: Accept / Drop]

Allow IPSec
[Diagram: same router; INPUT from WAN additionally accepts IPSec-esp, UDP 500 and UDP 4500 for 123.45.67.8]
Firewall filter rules for IPSec packets (defconf), INPUT chain
+ UDP 500
+ UDP 4500
/ip firewall filter add place-before=[ find where comment~"defconf: drop all not coming from LAN" ] protocol=udp dst-port=500,4500 dst-address=123.45.67.8 action=accept chain=input comment="Allow UDP 500,4500 IPSec for 123.45.67.8"

Firewall filter rules for IPSec packets (defconf), INPUT chain
+ IPSec-esp (protocol 50)
/ip firewall filter add place-before=[ find where comment~"defconf: drop all not coming from LAN" ] protocol=ipsec-esp dst-address=123.45.67.8 action=accept chain=input comment="Allow IPSec-esp for 123.45.67.8"

Reorder firewall filter rules for IPSec packets (defconf), INPUT chain
Move allow rules before drop
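An accept rule that lands below "defconf: drop all not coming from LAN" never matches, which is why the two rules above use place-before and why the reorder step exists. As an added example that is not from the presentation, this RouterOS script adds the same two rules only if they are missing and then enforces the order every time it runs, so it can be kept as a scheduler or on-boot script. It assumes the 6.45+ default firewall (the drop rule with that exact comment) and the WAN address 123.45.67.8 from the slides.

```routeros
# Added example, not from the presentation: idempotent IPSec accept rules for the input chain.
# Assumes the 6.45+ defconf drop rule and the slide's WAN address 123.45.67.8.
:local wanIp "123.45.67.8"
:local dropCmt "defconf: drop all not coming from LAN"
:local dropRule [/ip firewall filter find chain=input comment=$dropCmt]
:if ([:len $dropRule] = 0) do={
    :error "defconf drop rule not found: is this a 6.45+ default configuration?"
}

# rule 1: IKE (UDP 500) and NAT-T (UDP 4500), same matchers as the slide
:local cmtUdp ("Allow UDP 500,4500 IPSec for " . $wanIp)
:if ([:len [/ip firewall filter find comment=$cmtUdp]] = 0) do={
    /ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 dst-address=$wanIp comment=$cmtUdp place-before=$dropRule
}

# rule 2: ESP (IP protocol 50)
:local cmtEsp ("Allow IPSec-esp for " . $wanIp)
:if ([:len [/ip firewall filter find comment=$cmtEsp]] = 0) do={
    /ip firewall filter add chain=input action=accept protocol=ipsec-esp dst-address=$wanIp comment=$cmtEsp place-before=$dropRule
}

# enforce the order on every run: moving a rule that is already above the drop rule is harmless,
# and the second move places ESP right after UDP, still above the drop
/ip firewall filter move [find comment=$cmtUdp] destination=$dropRule
/ip firewall filter move [find comment=$cmtEsp] destination=$dropRule

# print the input chain so the final position of the three rules can be checked
/ip firewall filter print where chain=input
```

Because the rules are found by comment, renaming the comments in Winbox breaks the check and the script will add a second copy; keep the comments as the script's key.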


🎯 RouterOS IPSec IKEv2 server ready

Network diagram
[Branch office (🔌 Client, dynamic private IP on LTE/WAN), LAN branch 192.168.199.0/24 <- IPSec IKEv2 VPN -> HQ office (🎯 Server, WAN static public IP), LAN HQ 192.168.88.0/24]

Setting up client RouterOS 🔌


🔌 Client
Upload and install client SSL certificate
/certificate import file-name=cert_export_office-01@vpn.ike2.xyz.p12

🔌 Client
Rename installed SSL certificates: CA and client
[Screenshot: imported CA and client certificates renamed in the certificate list]


🔌 Client
Setting up new IPSec peer profile (phase 1)
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.ike2.xyz" nat-traversal=yes proposal-check=obey

🔌 Client
Adding new client IPSec peer (initiator)
/ip ipsec peer add address=vpn.ike2.xyz exchange-mode=ike2 name="peer vpn.ike2.xyz" profile="profile vpn.ike2.xyz"

🔌 Client
Setting up new IPSec proposal (phase 2)
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal vpn.ike2.xyz" pfs-group=none

🔌 Client
Adding new IPSec policy group
/ip ipsec policy group add name="group vpn.ike2.xyz"

🔌 Client
Adding new IPSec policy template
/ip ipsec policy add comment="policy template vpn.ike2.xyz" dst-address=0.0.0.0/0 group="group vpn.ike2.xyz" proposal="proposal vpn.ike2.xyz" src-address=10.0.88.0/24 template=yes

🔌 Client
Carefully assembling client’s IPSec identity
/ip ipsec identity add auth-method=digital-signature certificate=[email protected] generate-policy=port-strict mode-config="modeconf [email protected]" my-id=user-fqdn:[email protected] peer="peer vpn.ike2.xyz" policy-template-group="group vpn.ike2.xyz" remote-id=fqdn:vpn.ike2.xyz


Cross-check IPSec identity (example)
[Screenshots: 🎯 Server identity beside the matching 🔌 Client identity]

🔌 Client
Testing the IKEv2 connectivity
Active peers: state established; peer authorized; address acquired
Dynamic Active (DA) IPSec policy generated from Template (T); PH2 state: established

🔌 Client
Testing the IKEv2 connectivity
IP address 10.0.88.254 on interface ether1
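The slide checks three things by hand: an established active peer, a dynamic policy from the template in PH2 state established, and the mode-config address on ether1. As an added example that is not part of the presentation, the RouterOS script below does the same checks on the client router so a scheduler can run it every minute, logs a warning for whichever one fails, and re-initiates the peer when the tunnel is down. It assumes the client peer name "peer vpn.ike2.xyz" and the 10.0.88.0/24 pool from the slides.

```routeros
# Added example, not from the presentation: IKEv2 tunnel health check for the client router.
# Assumes the peer "peer vpn.ike2.xyz" and the server pool 10.0.88.0/24 from the slides.
:local peerName "peer vpn.ike2.xyz"
:local healthy true

# 1) IKE SA: at least one active peer in state established
:if ([:len [/ip ipsec active-peers find state="established"]] = 0) do={
    :set healthy false
    :log warning "ike2: no established IKE SA"
}

# 2) child SA: a dynamic (template-generated) policy with ph2-state established
:if ([:len [/ip ipsec policy find dynamic=yes ph2-state="established"]] = 0) do={
    :set healthy false
    :log warning "ike2: no established phase 2 policy"
}

# 3) mode-config address: a dynamic address inside the server's pool must be present
:local gotAddr false
:foreach a in=[/ip address find dynamic=yes] do={
    :local addr [/ip address get $a address]
    :local ip [:toip [:pick $addr 0 [:find $addr "/"]]]
    :if ($ip in 10.0.88.0/24) do={ :set gotAddr true }
}
:if (!$gotAddr) do={
    :set healthy false
    :log warning "ike2: no dynamic address from 10.0.88.0/24"
}

:if ($healthy) do={
    :log info ("ike2: tunnel via " . $peerName . " is healthy")
} else={
    # force a fresh IKE_SA_INIT: disabling the peer tears the SA down, enabling re-initiates
    :log warning ("ike2: re-initiating " . $peerName)
    /ip ipsec peer disable [find name=$peerName]
    :delay 3s
    /ip ipsec peer enable [find name=$peerName]
}
```

Add it under /system script and point a /system scheduler entry at it; the warnings in /log are then the first place to look when a branch drops off the VPN.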


All traffic from 10.0.88.254 to 0.0.0.0/0 will be forwarded via IKEv2 tunnel
[Diagram: Office-01 (10.0.88.254 dynamic, behind NAT on WAN), LAN branch 192.168.199.0/24 <- IKEv2 VPN -> HQ office, LAN HQ 192.168.88.0/24]

All traffic from 10.0.88.254 to 0.0.0.0/0 will be forwarded via IKEv2 tunnel
[Diagram: 10.0.88.254 (dynamic) -> LAN HQ 192.168.88.0/24]


Option 1 (easy): <interface> over ipsec ike2
Pros: OSPF works; no TCP MSS issues; easy to configure and understand; has routable interface
Cons: decreased MTU due to extra encapsulation overhead; takes longer to connect and reconnect


Option #1: routable using your favourite <interface> over IKEv2
<EoIP> / <IPIP> / <GRE>
Don’t forget to allow this traffic on the firewall (both sides)
[Diagram: Office-01 (10.0.88.254 dynamic), LAN 192.168.199.0/24 <- <interface> over IKEv2 -> HQ office (10.0.88.1), LAN 192.168.88.0/24]


🎯 Server
Create new ipsec modeconf with static IP address 10.0.88.3
/ip ipsec mode-config add name="modeconf [email protected]" address=10.0.88.3 address-prefix-length=32 split-include=0.0.0.0/0 system-dns=no

🎯 Server
Select new ipsec static modeconf for the client identity
[Screenshot: client identity with Mode Configuration set to the new static modeconf]
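The screenshot step selects the static mode-config in one client's identity. As an added example, not from the presentation, this RouterOS script does the same for several branches at once on the server: one single-address mode-config per client, and the client's existing identity re-pointed to it (the pool-based "modeconf vpn.ike2.xyz" stays for everyone else). It assumes the identities were created with remote-certificate=<client>@vpn.ike2.xyz as on the server slides; the client names and addresses are constructed.

```routeros
# Added example, not from the presentation: fixed inner addresses for several branch routers.
# Assumes each client's identity has remote-certificate=<client>@vpn.ike2.xyz (server slides).
:local domain "vpn.ike2.xyz"
# constructed map: branch name -> static address out of the 10.0.88.0/24 VPN network
:local static {"office-01"="10.0.88.3";"office-02"="10.0.88.4"}

:foreach c,addr in=$static do={
    :local id ($c . "@" . $domain)
    :local mc ("modeconf " . $id)

    # single-address mode-config, same options as the slide (no pool, /32, all traffic via tunnel)
    :if ([:len [/ip ipsec mode-config find name=$mc]] = 0) do={
        /ip ipsec mode-config add name=$mc address=$addr address-prefix-length=32 split-include=0.0.0.0/0 system-dns=no
    } else={
        /ip ipsec mode-config set [find name=$mc] address=$addr
    }

    # point the client's identity at its private mode-config; warn instead of creating one blindly
    :local ident [/ip ipsec identity find remote-certificate=$id]
    :if ([:len $ident] = 0) do={
        :log warning ("ike2: no identity for " . $id . ", create it first")
    } else={
        /ip ipsec identity set $ident mode-config=$mc
        :log info ("ike2: " . $id . " now gets static address " . $addr)
    }
}
```

The branch router picks the new address up on its next connection, which is the reconnect-and-check step on the following client slide. Keep the static addresses outside the pool ranges (10.0.88.2-10.0.88.254 on the pool slide covers them, so either shrink the pool or pick addresses the pool will not hand out) to avoid a duplicate being assigned to a pool client.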


🔌 Client
Reconnect ipsec peer and check new static IP address
IP address 10.0.88.3 on interface ether1

You can establish <interface> connection between static endpoint IP addresses
Even if you have dynamic address on your ether1
[Diagram: Office-01 (dynamic private WAN IP, 10.0.88.3 static), LAN 192.168.199.0/24 <- <gre,ipip,eoip> -> HQ office (10.0.88.1), LAN 192.168.88.0/24]


Creating <IPIP interface> on top of static endpoint IP addresses
[Screenshots: <ipip> interface on the 🔌 Client and on the 🎯 Server]

Setup IP addresses on <IPIP interfaces> and static routes (classic vpn)
[Screenshots: IP addresses and static routes on the 🔌 Client and on the 🎯 Server]
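The two screenshot steps above, written out as commands for both sides, as an added example that is not part of the presentation. It uses the slides' addresses (client 10.0.88.3, server 10.0.88.1, LAN branch 192.168.199.0/24, LAN HQ 192.168.88.0/24) and adds the input-chain rule the earlier slide says not to forget on both sides; the 172.16.88.0/30 transit network, the interface names and the decision to accept IPIP only when it was decrypted from an IPSec policy are this example's own choices.

```routeros
# Added example, not from the presentation: IPIP over the IKEv2 inner addresses, both sides.
# Addresses from the slides; 172.16.88.0/30 and the interface names are constructed.

# ---- 🔌 Client (office-01, inner address 10.0.88.3) ----
/interface ipip add name=ipip-hq local-address=10.0.88.3 remote-address=10.0.88.1 comment="IPIP over IKEv2 to HQ"
/ip address add address=172.16.88.2/30 interface=ipip-hq network=172.16.88.0
/ip route add dst-address=192.168.88.0/24 gateway=ipip-hq comment="LAN HQ via IPIP"
# IPIP is IP protocol 4 (RouterOS name: ipencap). It reaches the input chain from the WAN side,
# so the defconf "drop all not coming from LAN" rule would drop it. Accept it only from the
# peer's inner address and only if it arrived inside the IPSec tunnel (ipsec-policy=in,ipsec).
/ip firewall filter add chain=input action=accept protocol=ipencap src-address=10.0.88.1 dst-address=10.0.88.3 ipsec-policy=in,ipsec comment="Allow IPIP from HQ over IPSec" place-before=[find chain=input comment~"defconf: drop all not coming from LAN"]

# ---- 🎯 Server (HQ, inner address 10.0.88.1 on bridge-loopback) ----
/interface ipip add name=ipip-office-01 local-address=10.0.88.1 remote-address=10.0.88.3 comment="IPIP over IKEv2 to office-01"
/ip address add address=172.16.88.1/30 interface=ipip-office-01 network=172.16.88.0
/ip route add dst-address=192.168.199.0/24 gateway=ipip-office-01 comment="LAN branch via IPIP"
/ip firewall filter add chain=input action=accept protocol=ipencap src-address=10.0.88.3 dst-address=10.0.88.1 ipsec-policy=in,ipsec comment="Allow IPIP from office-01 over IPSec" place-before=[find chain=input comment~"defconf: drop all not coming from LAN"]
```

The ipsec-policy=in,ipsec matcher is the important part of the firewall rule: plain IPIP from the Internet, even with a spoofed 10.0.88.x source, does not match it, so the tunnel endpoints are reachable only through the authenticated IKEv2 SA. For EoIP or GRE the same rules apply with protocol=gre.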


🔌 Client
Let’s overview <interfaces>, IP addresses and routes
[Screenshot: interface, address and route lists on the client]

Let’s test our site-to-site <interface> over ipsec based connectivity
[Diagram: 192.168.199.0/24 <- IPIP over IPSec ike2 -> 192.168.88.0/24]


Option 2 (advanced): 100% policy based ipsec ike2
Pros: no MTU overhead -> performs faster; connects and reconnects much faster; much more stable, less reconnects; OSPF works
Cons: harder to configure and understand; need to adjust TCP MSS manually; has no routable interface

Option #2: policy based ipsec IKEv2
[Diagram: Office-01, LAN 192.168.199.0/24 <- IPSec IKE2 peer, IPSec policy -> HQ office, LAN 192.168.88.0/24]


🎯 Server
Create new ipsec policy template for <group vpn.ike2.xyz>
192.168.88.0/24 <-> 192.168.199.0/24
/ip ipsec policy add peer="peer vpn.ike2.xyz" src-address=192.168.199.0/24 dst-address=192.168.88.0/24 proposal="proposal vpn.ike2.xyz" tunnel=yes level=unique

🔌 Client
Create new static tunnel policy on <peer vpn.ike2.xyz>
192.168.199.0/24 <-> 192.168.88.0/24
/ip ipsec policy add peer="peer vpn.ike2.xyz" src-address=192.168.199.0/24 dst-address=192.168.88.0/24 tunnel=yes proposal="proposal vpn.ike2.xyz"


… this will trigger dynamic policy generation on server (if matches policy template)
[Screenshots: the 🔌 Client static policy and the dynamic policy the 🎯 Server generated from it]
[Diagram: IPSec policy between 192.168.199.0/24 and 192.168.88.0/24]

🔌 Client
Let’s review our <interfaces>, IP addresses and routes

🔌 Client
Let’s look very carefully at our ipsec policies and ip routes

🔌 Client
Let’s enable ipsec policy and keep ip route disabled

Testing site-to-site ipsec policy based connectivity
[Diagram: IPSec policy between 192.168.199.0/24 and 192.168.88.0/24]
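With generate-policy=port-strict the server only installs the client's proposed selectors when a template in the identity's policy group covers them, which is what the "if matches policy template" on the slide above refers to, and no static route is needed because the packet leaves via the default route and the policy catches it on the way out. As an added example that is not part of the presentation, the commands below generalise the single branch on the slides to several branch LANs: one server-side template whose prefix covers all branch subnets, and one static tunnel policy per client for its own LAN. The template's form (template=yes, group, server-side src/dst) and the 192.168.0.0/16 branch range are this example's assumptions; names and proposal are from the slides.

```routeros
# Added example, not from the presentation: policy-based site-to-site for several branches.
# Names from the slides; the template form and the 192.168.0.0/16 branch range are assumptions.

# ---- 🎯 Server (HQ) ----
# Seen from the server: HQ LAN -> any branch LAN. A template matches by prefix, so one entry in
# "group vpn.ike2.xyz" covers every 192.168.x.0/24 a client may propose; the 10.0.88.0/24 template
# from the client-access slides stays in place and keeps serving the mode-config clients.
/ip ipsec policy add template=yes group="group vpn.ike2.xyz" src-address=192.168.88.0/24 dst-address=192.168.0.0/16 protocol=all proposal="proposal vpn.ike2.xyz" ipsec-protocols=esp action=encrypt comment="template: HQ LAN to branch LANs"

# ---- 🔌 Client office-01 (LAN 192.168.199.0/24) ----
# level=unique gives this LAN-to-LAN selector its own child SA next to the mode-config one.
/ip ipsec policy add peer="peer vpn.ike2.xyz" tunnel=yes src-address=192.168.199.0/24 dst-address=192.168.88.0/24 proposal="proposal vpn.ike2.xyz" level=unique comment="office-01 LAN to HQ LAN"

# ---- 🔌 Client office-02 (constructed second branch, LAN 192.168.200.0/24) ----
/ip ipsec policy add peer="peer vpn.ike2.xyz" tunnel=yes src-address=192.168.200.0/24 dst-address=192.168.88.0/24 proposal="proposal vpn.ike2.xyz" level=unique comment="office-02 LAN to HQ LAN"

# No /ip route entries for the remote LAN on either side: the policy is evaluated after routing,
# so the packet only needs some route out (the default route) to be encrypted and sent.
```

On the server, /ip ipsec policy print then shows one dynamic (D) policy per connected branch, created from the template; a client whose LAN falls outside the template prefix gets no child SA and its policy stays in ph2-state no-phase2, which is the first thing to check when a branch cannot reach HQ.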


Setting up TCP MSS 🎯

Adjust TCP MSS from office-main to office-01 over ipsec policy connection
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 src-address=192.168.88.0/24 dst-address=192.168.199.0/24 protocol=tcp tcp-flags=syn tcp-mss=!0-1360 ipsec-policy=in,ipsec passthrough=yes comment="IKE2: Clamp TCP MSS from office-main to office-01"

Adjust TCP MSS from office-01 to office-main over ipsec policy connection
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 src-address=192.168.199.0/24 dst-address=192.168.88.0/24 protocol=tcp tcp-flags=syn tcp-mss=!0-1360 ipsec-policy=in,ipsec passthrough=yes comment="IKE2: Clamp TCP MSS from office-01 to office-main"


Demo lab
Free live demo is available
1. Request certificate via form: https://forms.gle/TTmKeHe8W2u9YZ3c7
2. Receive certificates: wait for your certificate (manual processing for this LAB, sorry :))
3. Connect to VPN server: IKE2 VPN Server address vpn.ike2.xyz
4. Access LAB router via Winbox: Address 10.0.88.1, Login lab, Password lab
IPSec quiz time! “Hack the princess” 💋
Hack me if you can
Will be open until 31 December 2019

[“Hack the princess” quiz diagram: you 😎 at 10.0.88.N connect over IKEv2 VPN to vpn.ike2.xyz (10.0.88.1, LAN 192.168.88.0/24); a Branch router at 10.0.88.2 connects over IKEv2 VPN with LAN 192.168.188.0/24; the princess 💋 sits at 192.168.XX.YY in 192.168.XX.0/24, reachable via Winbox, SSH; find her /system identity ???]

Send results to e-mail: [email protected]

