MikroTik to AWS EC2 instance IPsec tunnel
This topic is worthy of a post, if only because there wasn’t much documentation out there on getting this working. I just wanted to link an Amazon EC2 instance running Ubuntu server, to a MikroTik RouterOS device. Configuration required a bit of tweaking, and I wouldn’t expect the configuration below to work on every setup.
AWS EC2 Instance: “Ubuntu 14.04.3 LTS”, Linux version 3.13.0-74-generic, strongSwan 5.1.2
MikroTik RB750GL, RouterOS 6.34.3
Configuration: Site-to-site “raw” IPsec
Issues encountered included trouble getting past phase 1 IKE, “failed to pre-process ph1 packet” errors, strongswan stuck on “Tasks queued: QUICK_MODE”, and EC2 outgoing port 500 packets seeming like they aren’t even received by the MikroTik device. In the end it seems RouterOS prefers not to be the initiator, and NAT traversal/UDP encapsulation needs to be used. I wasn’t able to get authentication by pre-shared RSA key working, either.
The following IP addresses and ranges have been swapped out in place of real IP’s, and the cryptographic algorithms and hashes are intended as a confirmed starting point (not necessarily secure for every use).
AWS public IP: 18.104.22.168
AWS private IP: 172.31.48.1/20
Mtik public IP: 22.214.171.124
Mtik private IP range: 172.21.1.0/24
Shared key: abc123
/ip firewall filter add chain=forward action=accept src-address=172.31.48.0/20 in-interface=ether1-WAN log=no place-before=9 comment=AWS /ip firewall nat add chain=srcnat action=accept src-address=172.21.1.0/24 dst-address=172.31.48.0/20 log=no log-prefix="" place-before=1 comment=AWS /ip ipsec peer add address=126.96.36.199/32 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key secret="abc123" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-192,3des dh-group=modp2048 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 comment=AWS /ip ipsec policy add src-address=172.21.1.0/24 src-port=any dst-address=172.31.48.0/20 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=188.8.131.52 sa-dst-address=184.108.40.206 proposal=aws priority=0 comment=AWS /ip ipsec proposal add name="aws" auth-algorithms=sha1 enc-algorithms=blowfish lifetime=30m pfs-group=modp2048 comment=AWS /ip firewall filter add chain=input action=accept protocol=udp src-address=220.127.116.11 dst-port=500,4500 place-before=1 comment=AWS
Amazon AWS security group: Allow UDP 500,4500 from 18.104.22.168
EC2 instance: ipsec.conf
config setup uniqueids=yes conn %default keyingtries=0 authby=rsasig left=172.31.48.1 leftsubnet=172.31.48.0/20 conn office right=22.214.171.124 rightsubnet=172.21.1.0/24 keyexchange=ikev1 authby=secret ike=aes192-sha256-modp2048 esp=blowfish-sha256-modp2048 modeconfig=push type=tunnel auto=start
EC2 instance: ipsec.secrets
172.31.48.1 *any : PSK "abc123"
Additional notes: During troubleshooting, I added the following to sysctl.conf
net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.neigh.default.gc_thresh1 = 1024 net.ipv4.neigh.default.gc_thresh2 = 2048 net.ipv4.neigh.default.gc_thresh3 = 4096
Finally, the connection should establish, and nodes on the two remote subnets should be able to see each other. Whew!