MikroTik to AWS EC2 instance IPsec tunnel

This topic is worthy of a post, if only because there wasn’t much documentation out there on getting this working. I just wanted to link an Amazon EC2 instance running Ubuntu Server to a MikroTik RouterOS device. The configuration required a bit of tweaking, and I wouldn’t expect the configuration below to work on every setup.

AWS EC2 Instance: “Ubuntu 14.04.3 LTS”, Linux version 3.13.0-74-generic, strongSwan 5.1.2

MikroTik RB750GL, RouterOS 6.34.3

Configuration: Site-to-site “raw” IPsec

Issues encountered included trouble getting past IKE phase 1, “failed to pre-process ph1 packet” errors, strongSwan stuck on “Tasks queued: QUICK_MODE”, and outgoing UDP port 500 packets from EC2 that apparently never reached the MikroTik device at all. In the end it seems RouterOS prefers not to be the initiator, and NAT traversal/UDP encapsulation needs to be used. I wasn’t able to get authentication by pre-shared RSA key working, either.

The IP addresses and ranges below are placeholders substituted for the real ones, and the cryptographic algorithms and hashes are a confirmed-working starting point rather than a recommendation that is secure for every use.

AWS public IP: 50.1.1.1
AWS private IP: 172.31.48.1/20

Mtik public IP: 75.1.1.1
Mtik private IP range: 172.21.1.0/24

Shared key: abc123

MikroTik configuration:

/ip firewall filter add chain=forward action=accept src-address=172.31.48.0/20 in-interface=ether1-WAN log=no place-before=9 comment=AWS
/ip firewall nat add chain=srcnat action=accept src-address=172.21.1.0/24 dst-address=172.31.48.0/20 log=no log-prefix="" place-before=1 comment=AWS
/ip ipsec peer add address=50.1.1.1/32 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key secret="abc123" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-192,3des dh-group=modp2048 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 comment=AWS
/ip ipsec policy add src-address=172.21.1.0/24 src-port=any dst-address=172.31.48.0/20 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=75.1.1.1 sa-dst-address=50.1.1.1 proposal=aws priority=0 comment=AWS
/ip ipsec proposal add name="aws" auth-algorithms=sha1 enc-algorithms=blowfish lifetime=30m pfs-group=modp2048 comment=AWS
/ip firewall filter add chain=input action=accept protocol=udp src-address=50.1.1.1 dst-port=500,4500 place-before=1 comment=AWS

Amazon AWS security group: Allow UDP 500,4500 from 75.1.1.1

EC2 instance: ipsec.conf

config setup
      uniqueids=yes

conn %default
     keyingtries=0
     authby=rsasig
     left=172.31.48.1
     leftsubnet=172.31.48.0/20

conn office
     right=75.1.1.1
     rightsubnet=172.21.1.0/24
     keyexchange=ikev1
     authby=secret
     ike=aes192-sha256-modp2048
     esp=blowfish-sha256-modp2048
     modeconfig=push
     type=tunnel
     auto=start

EC2 instance: ipsec.secrets

172.31.48.1 %any : PSK "abc123"

Additional notes: During troubleshooting, I added the following to sysctl.conf

net.ipv4.ip_forward=1

net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096

Finally, the connection should establish, and nodes on the two remote subnets should be able to see each other. Whew!
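As an added check that is not part of the original post, the script below parses `ipsec statusall` output on the EC2 side and confirms the state the post aims for: the IKE SA for the `office` connection is ESTABLISHED, its CHILD_SA is INSTALLED with ESP-in-UDP (i.e. NAT traversal was negotiated, which the post found necessary), and the traffic selectors are the two private subnets from ipsec.conf. The connection name and subnets come from the configuration above; the two sample outputs are constructed (one healthy, one reproducing the “Tasks queued: QUICK_MODE” phase 1 stall), and the `--demo` flag is this script’s own convention.

```python
#!/usr/bin/env python3
"""Check `ipsec statusall` output for the state the post expects:
IKE SA established, CHILD_SA installed with UDP encapsulation (NAT-T),
and traffic selectors matching the two private subnets."""
import re
import subprocess
import sys

# Constructed sample output (not captured from the author's instance):
# the healthy state after the post's configuration comes up.
SAMPLE_UP = """\
Security Associations (1 up, 0 connecting):
      office[3]: ESTABLISHED 27 minutes ago, 172.31.48.1[172.31.48.1]...75.1.1.1[75.1.1.1]
      office[3]: IKEv1 SPIs: 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r, pre-shared key reauthentication in 23 hours
      office[3]: IKE proposal: AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      office{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c0a8f001_i 0a1b2c3d_o
      office{1}:  BLOWFISH_CBC_128/HMAC_SHA2_256_128/MODP_2048, 1024 bytes_i, 2048 bytes_o, rekeying in 12 minutes
      office{1}:   172.31.48.0/20 === 172.21.1.0/24
"""

# Constructed sample of the failure mode described in the post: phase 1 never
# completes, so quick mode (phase 2) stays queued and no CHILD_SA is installed.
SAMPLE_STUCK = """\
Security Associations (0 up, 1 connecting):
      office[1]: CONNECTING, 172.31.48.1[%any]...75.1.1.1[%any]
      office[1]: IKEv1 SPIs: 1a2b3c4d5e6f7a8b_i* 0000000000000000_r
      office[1]: Tasks queued: QUICK_MODE
      office[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
"""


def check_tunnel(status_text, conn, local_subnet, remote_subnet):
    """Parse statusall text and return a findings dict for one connection."""
    found = {"ike_established": False, "child_installed": False,
             "udp_encap": False, "selectors_ok": False, "queued": []}
    ike_re = re.compile(r"^\s*%s\[\d+\]:\s+(.*)$" % re.escape(conn))    # IKE SA lines: name[n]:
    child_re = re.compile(r"^\s*%s\{\d+\}:\s+(.*)$" % re.escape(conn))  # CHILD_SA lines: name{n}:
    ts_re = re.compile(r"^(\S+) === (\S+)$")                             # traffic selector line
    for line in status_text.splitlines():
        m = ike_re.match(line)
        if m:
            rest = m.group(1)
            if rest.startswith("ESTABLISHED"):
                found["ike_established"] = True
            elif rest.startswith("Tasks queued:"):
                found["queued"].extend(rest.split(":", 1)[1].split())
            continue
        m = child_re.match(line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("INSTALLED"):
            found["child_installed"] = True
            # "ESP in UDP" means NAT traversal is in effect (UDP 4500); the EC2
            # private address 172.31.48.1 sits behind AWS's NAT to the public IP.
            found["udp_encap"] = "ESP in UDP" in rest
        ts = ts_re.match(rest)
        if ts and ts.group(1) == local_subnet and ts.group(2) == remote_subnet:
            found["selectors_ok"] = True

    problems = []
    if not found["ike_established"]:
        problems.append("IKE SA for %r not established (queued: %s)"
                        % (conn, " ".join(found["queued"]) or "none"))
    if not found["child_installed"]:
        problems.append("no CHILD_SA installed")
    elif not found["udp_encap"]:
        problems.append("CHILD_SA installed without UDP encapsulation (NAT-T not negotiated)")
    if not found["selectors_ok"]:
        problems.append("traffic selectors %s === %s not found" % (local_subnet, remote_subnet))
    found["problems"] = problems
    found["ok"] = not problems
    return found


def main(argv):
    """With --demo, check the constructed samples; otherwise run `ipsec statusall`."""
    if "--demo" in argv:
        texts = {"up": SAMPLE_UP, "stuck": SAMPLE_STUCK}
    else:
        out = subprocess.run(["ipsec", "statusall"], capture_output=True,
                             text=True, check=True).stdout
        texts = {"live": out}
    rc = 0
    for label, text in texts.items():
        r = check_tunnel(text, "office", "172.31.48.0/20", "172.21.1.0/24")
        print(label, "OK" if r["ok"] else "PROBLEMS: " + "; ".join(r["problems"]))
        rc |= 0 if r["ok"] else 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--demo` to see both samples evaluated; without the flag it calls `ipsec statusall` (the strongSwan 5.x CLI on the instance) and exits non-zero when the tunnel is not in the expected state, which makes it usable from cron or a monitoring check.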