1d5fcd13730511da28160788f80d053db5d5a3ac
howto/IPsecWithPublicKeys/RouterOSExample.md
... | ... | @@ -0,0 +1,92 @@ |
1 | +# IPsec with public key authentication on Mikrotik RouterOS |
|
2 | +## Setup |
|
3 | +### Generate an RSA keypair |
|
4 | + |
|
5 | + [admin@mtk1] > /ip ipsec key |
|
6 | + [admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096 |
|
7 | + For key bigger than 1024bit this may take a while.. |
|
8 | + [admin@mtk1] /ip ipsec key> print |
|
9 | + Flags: P - private-key, R - rsa |
|
10 | + # NAME KEY-SIZE |
|
11 | + 0 PR mykey 4096-bit |
|
12 | + |
|
13 | +### Exchange public keys with your peer |
|
14 | +1. Export the public key to a file. |
|
15 | + |
|
16 | + [admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub |
|
17 | + |
|
18 | + [admin@mtk1] /ip ipsec key> /file print where name=mykey.pub |
|
19 | + # NAME TYPE SIZE CREATION-TIME |
|
20 | + 2 mykey.pub ssh key 451 jul/20/2014 12:35:33 |
|
21 | + |
|
22 | +2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this: |
|
23 | + |
|
24 | + -----BEGIN PUBLIC KEY----- |
|
25 | + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL |
|
26 | + TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO |
|
27 | + +xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg |
|
28 | + 23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s |
|
29 | + 4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh |
|
30 | + QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs |
|
31 | + 8QIDAQAB |
|
32 | + -----END PUBLIC KEY----- |
|
33 | + |
|
34 | +3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary. |
|
35 | + |
|
36 | +[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script" |
|
37 | + |
|
38 | +## Configuration |
|
39 | +### Configure the phase 1 IKE parameters |
|
40 | +In this example, we'll use the following settings: |
|
41 | + |
|
42 | +| Key | Value | |
|
43 | +| :------------ | :------------ | |
|
44 | +| Encryption | AES-128 | |
|
45 | +| Hash | HMAC-SHA1 | |
|
46 | +| DH Group | 5 (modp1536) | |
|
47 | +| Lifetime | 28800 seconds | |
|
48 | +| Peer address | 192.0.2.2 | |
|
49 | +| Local address | 192.0.2.1 | |
|
50 | + |
|
51 | +1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase) |
|
52 | + |
|
53 | + [admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key |
|
54 | + passphrase: |
|
55 | + |
|
56 | + [admin@mtk1] /ip ipsec key> print |
|
57 | + Flags: P - private-key, R - rsa |
|
58 | + # NAME KEY-SIZE |
|
59 | + 0 PR mykey 4096-bit |
|
60 | + 1 R peer-key 4096-bit |
|
61 | + |
|
62 | +2. Configure your peer definition to use the public key |
|
63 | + |
|
64 | + [admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key |
|
65 | + [admin@mtk1] /ip ipsec peer> print |
|
66 | + Flags: X - disabled |
|
67 | + 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500 |
|
68 | + auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no |
|
69 | + exchange-mode=main send-initial-contact=yes nat-traversal=no |
|
70 | + proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 |
|
71 | + dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m |
|
72 | + dpd-maximum-failures=5 |
|
73 | + |
|
74 | +3. All done! Configure the phase 2 parameters as you otherwise would. |
|
75 | + |
|
76 | +## Full GRE/IPsec example |
|
77 | + # jul/20/2014 13:00:04 by RouterOS 6.15 |
|
78 | + # software id = HBCA-0B2J |
|
79 | + # |
|
80 | + /interface gre |
|
81 | + add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \ |
|
82 | + remote-address=192.0.2.2 |
|
83 | + /ip address |
|
84 | + add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0 |
|
85 | + /ip ipsec proposal |
|
86 | + set [ find default=yes ] lifetime=1h pfs-group=modp1536 |
|
87 | + /ip ipsec peer |
|
88 | + add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \ |
|
89 | + lifetime=8h local-address=192.0.2.1 remote-key=peer-key |
|
90 | + /ip ipsec policy |
|
91 | + add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \ |
|
92 | + sa-src-address=192.0.2.1 src-address=192.0.2.1/32 |
|
... | ... | \ No newline at end of file |
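Review bot: step 2 of "Exchange public keys with your peer" tells the reader to export the public key and "send it to your peer" but never to verify it on the receiving side; add a sentence asking both parties to compare the key's fingerprint over an already-authenticated channel before running `import peer-key.pub name=peer-key`, because a key substituted in transit is imported and trusted exactly like the genuine one and defeats the `auth-method=rsa-key` peer authentication configured later. Two smaller points in the same hunk: the "Full GRE/IPsec example" peer definition (`add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \` / `lifetime=8h local-address=192.0.2.1 remote-key=peer-key`) omits `enc-algorithm` and `hash-algorithm`, so it silently relies on the router's defaults instead of the AES-128 / HMAC-SHA1 values promised by the table under "Configure the phase 1 IKE parameters"; either add the two parameters or state that the defaults are intended. The document should also say that DH group 5 (modp1536) and SHA1 are the weakest choices in that table and that readers whose peer supports it should prefer modp2048 or stronger and a SHA-2 hash.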