IPIP IPsec VPN tunnel between Linux machine and Mikrotik behind NAT provider

Linux: Ubuntu 18.04.4 LTS (GNU / Linux 4.15.0-91-generic x86_64)

• Eth0 1.1.1.1/32 external IP
• ipip-ipsec0 192.168.0.1/30 will be our tunnel

Miktoik: CCR 1009, RouterOS 6.46.5

• Eth0 10.0.0.2/30 internal IP from the provider. The external IP NAT of the provider is dynamic.
• ipip-ipsec0 192.168.0.2/30 will be our tunnel

We will raise the IPsec tunnel on the Linux machine using racoon. I will not describe the details, there is a good article invvpoloskin.

Install the necessary packages:

sudo install racoon ipsec-tools

We configure racoon, it will conditionally act as an ipsec server. Since mikrotik in main mode cannot transmit an additional client identifier, and the external ip address through which it connects to Linux is dynamic, you cannot use the preshared key (password authorization), since the password must be mapped either to the ip address of the connecting host or to identifier.

We will use authorization by RSA keys.

racoon RSA, mikrotik — PEM. plainrsa-gen racoon, Mikrotika PEM — : PEM RSA. plainrsa-gen openssl, ssh-keygen, .

PEM openssl, racoon plainrsa-gen:

#   
openssl genrsa -out server-name.pem 1024
#   
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# 
plainrsa-gen -i server-name.pem -f server-name.privet.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key

: /etc/racoon/certs/server. , racoon ( root), 600.

mikrotik WinBox.

server-name.pub.pem mikrotik: «Files» — «Upload».

«IP» — «IP sec» — «Keys». — «Generate Key», mikrotika «Expor Pub. Key», «Files», — «Download».

racoon, «Import», «File name» server-name.pub.pem.

mikrotik

plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key

/etc/racoon/certs .

log info; #  ,    Debug  Debug2.

listen {

    isakmp 1.1.1.1 [500]; #   ,     .
    isakmp_natt 1.1.1.1 [4500]; #   ,         NAT.
    strict_address; #        IP.
}

path certificate "/etc/racoon/certs"; #     .

remote anonymous { # ,       ISAKMP      .   IP,    Mikrotik, ,   anonymous,      .  IP   ,       .

    passive on; #  ""   ,      .
    nat_traversal on; #    NAT-T  ,    NAT. 
    exchange_mode main; #    ,    ---.
    my_identifier address 1.1.1.1; #   linux    ip .
    certificate_type plain_rsa "server/server-name.priv.key"; #   .
    peers_certfile plain_rsa "mikrotik.pub.key"; #   Mikrotik.

    proposal_check claim; #    ISAKMP . Racoon      ()                         ,      ,     ,   .     ,   , racoon           RESPONDER-LIFETIME.
    proposal { #  ISAKMP .

        encryption_algorithm aes; #   ISAKMP .
        hash_algorithm sha512; #  ,   ISAKMP .
        authentication_method rsasig; #    ISAKMP  -  RSA .
        dh_group modp2048; #     -   ISAKMP .
        lifetime time 86400 sec;   .
    }

    generate_policy on; #   ESP   ,    .
}

sainfo anonymous { #  ESP , anonymous -        .   , ,                  ,    ip , , .

    pfs_group modp2048; #     -  ESP .
    lifetime time 28800 sec; #   ESP .
    encryption_algorithm aes; #   ESP .
    authentication_algorithm hmac_sha512; #  ,    ESP .
    compression_algorithm deflate; #   ,     .
}

racoon

sudo systemctl restart racoon

racoon , , syslog racoon , .

racoon , listen strict_address, systemd racoon
/lib/systemd/system/racoon.service, [Unit], After=network.target.

ipsec , :

sudo ip xfrm policy

src 192.168.0.0/30 dst 192.168.0.0/30 
    dir out priority 2147483648 
    tmpl src 1.1.1.1 dst "IP NAT    mikrotik"
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir fwd priority 2147483648 
    tmpl src "IP NAT    mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel
src 192.168.0.0/30 dst 192.168.0.0/30 
    dir in priority 2147483648 
    tmpl src "IP NAT    mikrotik" dst 1.1.1.1
        proto esp reqid 0 mode tunnel

, syslog, journalctl -u racoon.

L3 , . , IPIP, mikrotik , vti, , , mikrotik . IPIP , multicast (fwmark) , iptables iproute2 (policy-based routing). — , , GRE. , .

.

Linux:

#  
sudo ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
# 
sudo ip link set ipip-ipsec0 up
#  
sudo ip addr add 192.168.0.1/30 dev ipip-ipsec0

mikrotik

sudo ip route add A.B.C.D/Prefix via 192.168.0.2

, /etc/network/interfaces post-up , , , /etc/ipip-ipsec0.conf post-up, , .

#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.0.1 remote 192.168.0.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.0.1/30 dev ipip-ipsec0

ip route add A.B.C.D/Prefix via 192.168.0.2

Mikrotik:

«Interfaces», «IP tunnel»:

«IP» — «Addresses», :

linux , , gateway IPIP-IPsec0.

PS

linux , Clamp TCP MSS ipip :

/etc/iptables.conf :

*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

/etc/network/interfaces
post-up iptables-restore < /etc/iptables.conf

mikrotik nginx (ip 10.10.10.1), , /etc/iptables.conf:

*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
# mikrotik,   mangle,    route   192.168.0.1      10.10.10.1   80, 443.

#    linux  OpenVPN  172.16.0.1/24,              
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT 

iptables, .

!