Changes in 1d5fcd1: Created RouterOSExample (markdown)

howto/IPsecWithPublicKeys/RouterOSExample.md

@@ -0,0 +1,92 @@

+# IPsec with public key authentication on Mikrotik RouterOS

+## Setup

+### Generate an RSA keypair

+

+ [admin@mtk1] > /ip ipsec key

+ [admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096

+ For key bigger than 1024bit this may take a while..

+ [admin@mtk1] /ip ipsec key> print

+ Flags: P - private-key, R - rsa

+ # NAME KEY-SIZE

+ 0 PR mykey 4096-bit

+

+### Exchange public keys with your peer

+1. Export the public key to a file.

+

+ [admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub

+ 

+ [admin@mtk1] /ip ipsec key> /file print where name=mykey.pub

+ # NAME TYPE SIZE CREATION-TIME

+ 2 mykey.pub ssh key 451 jul/20/2014 12:35:33

+

+2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:

+

+ -----BEGIN PUBLIC KEY-----

+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL

+ TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO

+ +xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg

+ 23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s

+ 4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh

+ QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs

+ 8QIDAQAB

+ -----END PUBLIC KEY-----

+

+3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.

+

+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"

+

+## Configuration

+### Configure the phase 1 IKE parameters

+In this example, we'll use the following settings:

+

+| Key | Value |

+| :------------ | :------------ |

+| Encryption | AES-128 |

+| Hash | HMAC-SHA1 |

+| DH Group | 5 (modp1536) |

+| Lifetime | 28800 seconds |

+| Peer address | 192.0.2.2 |

+| Local address | 192.0.2.1 |

+

+1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)

+

+ [admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key

+ passphrase:

+ 

+ [admin@mtk1] /ip ipsec key> print

+ Flags: P - private-key, R - rsa

+ # NAME KEY-SIZE

+ 0 PR mykey 4096-bit

+ 1 R peer-key 4096-bit

+

+2. Configure your peer definition to use the public key

+

+ [admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key

+ [admin@mtk1] /ip ipsec peer> print

+ Flags: X - disabled

+ 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500

+ auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no

+ exchange-mode=main send-initial-contact=yes nat-traversal=no

+ proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128

+ dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m

+ dpd-maximum-failures=5

+

+3. All done! Configure the phase 2 parameters as you otherwise would.

+

+## Full GRE/IPsec example

+ # jul/20/2014 13:00:04 by RouterOS 6.15

+ # software id = HBCA-0B2J

+ #

+ /interface gre

+ add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \

+ remote-address=192.0.2.2

+ /ip address

+ add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0

+ /ip ipsec proposal

+ set [ find default=yes ] lifetime=1h pfs-group=modp1536

+ /ip ipsec peer

+ add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \

+ lifetime=8h local-address=192.0.2.1 remote-key=peer-key

+ /ip ipsec policy

+ add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \

+ sa-src-address=192.0.2.1 src-address=192.0.2.1/32

\ No newline at end of file

...	...	@@ -0,0 +1,92 @@
	1	+# IPsec with public key authentication on Mikrotik RouterOS
	2	+## Setup
	3	+### Generate an RSA keypair
	4	+
	5	+ [admin@mtk1] > /ip ipsec key
	6	+ [admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
	7	+ For key bigger than 1024bit this may take a while..
	8	+ [admin@mtk1] /ip ipsec key> print
	9	+ Flags: P - private-key, R - rsa
	10	+ # NAME KEY-SIZE
	11	+ 0 PR mykey 4096-bit
	12	+
	13	+### Exchange public keys with your peer
	14	+1. Export the public key to a file.
	15	+
	16	+ [admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
	17	+
	18	+ [admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
	19	+ # NAME TYPE SIZE CREATION-TIME
	20	+ 2 mykey.pub ssh key 451 jul/20/2014 12:35:33
	21	+
	22	+2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:
	23	+
	24	+ -----BEGIN PUBLIC KEY-----
	25	+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
	26	+ TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
	27	+ +xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
	28	+ 23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
	29	+ 4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
	30	+ QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
	31	+ 8QIDAQAB
	32	+ -----END PUBLIC KEY-----
	33	+
	34	+3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
	35	+
	36	+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
	37	+
	38	+## Configuration
	39	+### Configure the phase 1 IKE parameters
	40	+In this example, we'll use the following settings:
	41	+
	42	+\| Key \| Value \|
	43	+\| :------------ \| :------------ \|
	44	+\| Encryption \| AES-128 \|
	45	+\| Hash \| HMAC-SHA1 \|
	46	+\| DH Group \| 5 (modp1536) \|
	47	+\| Lifetime \| 28800 seconds \|
	48	+\| Peer address \| 192.0.2.2 \|
	49	+\| Local address \| 192.0.2.1 \|
	50	+
	51	+1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)
	52	+
	53	+ [admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
	54	+ passphrase:
	55	+
	56	+ [admin@mtk1] /ip ipsec key> print
	57	+ Flags: P - private-key, R - rsa
	58	+ # NAME KEY-SIZE
	59	+ 0 PR mykey 4096-bit
	60	+ 1 R peer-key 4096-bit
	61	+
	62	+2. Configure your peer definition to use the public key
	63	+
	64	+ [admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
	65	+ [admin@mtk1] /ip ipsec peer> print
	66	+ Flags: X - disabled
	67	+ 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
	68	+ auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
	69	+ exchange-mode=main send-initial-contact=yes nat-traversal=no
	70	+ proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
	71	+ dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
	72	+ dpd-maximum-failures=5
	73	+
	74	+3. All done! Configure the phase 2 parameters as you otherwise would.
	75	+
	76	+## Full GRE/IPsec example
	77	+ # jul/20/2014 13:00:04 by RouterOS 6.15
	78	+ # software id = HBCA-0B2J
	79	+ #
	80	+ /interface gre
	81	+ add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
	82	+ remote-address=192.0.2.2
	83	+ /ip address
	84	+ add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
	85	+ /ip ipsec proposal
	86	+ set [ find default=yes ] lifetime=1h pfs-group=modp1536
	87	+ /ip ipsec peer
	88	+ add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
	89	+ lifetime=8h local-address=192.0.2.1 remote-key=peer-key
	90	+ /ip ipsec policy
	91	+ add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
	92	+ sa-src-address=192.0.2.1 src-address=192.0.2.1/32
...	...	\ No newline at end of file