
Internet Protocol Security

Milan, Italy - March 2017


Eng. Afif Darwich
Introduction

(Slide figure: three sites, Office 1, Office 2 and the Main Office, connected to each other over the Internet.)

Mikrotik TTT Milan 2


What is IPSec?

Set of protocols to secure IP packets:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)

Benefits: Confidentiality, Integrity, Authentication

(Slide figure: protocol stack Application / Transport / Network / Interface, with IPSec placed at the Network layer.)
IPSec Phase 1

Phase 1: Session Management
• Internet Key Exchange (IKE), UDP port 500 (with NAT traversal the exchange moves to UDP port 4500, and ESP is then carried inside UDP 4500 as well)
• Authentication and Keying
• Diffie-Hellman is used for keying between endpoints

Modes: Main Mode or Aggressive Mode



IPSec Phase 2

Phase 2: Encryption and Integrity services
• Encapsulating Security Payload (ESP), IP protocol 50
• Authentication Header (AH), IP protocol 51

Modes: Only one mode (Quick Mode)

Authentication Header (AH)

• AH provides Authentication but not encryption
• RouterOS supports the following Auth. Algorithms:
• The AH Header is added to the IP packet
• The placement of the Header depends on the mode used:
  – Transport mode
  – Tunnel mode



Authentication Header (AH): header placement

Original IP packet:  [IP Header][Payload]

AH Transport Mode:   [IP Header][AH Header][Payload]
                     Authenticated: the whole packet, IP header included
                     (mutable IP header fields such as TTL are excluded from the ICV)

AH Tunnel Mode:      [New IP Header][AH Header][IP Header][Payload]
                     Authenticated: the whole packet, new IP header included

Because AH covers the IP header, a NAT device rewriting the source address breaks the
integrity check; this is why the NAT lab later in this deck uses ESP only.



Encapsulating Security Payload (ESP)

• Shared Key (symmetric) encryption
• IP protocol 50
• ESP adds 3 components to the IP packet:
  – ESP Header
  – ESP Trailer
  – ESP Auth. Data



Encapsulating Security Payload (ESP): header placement

Original IP packet:  [IP Header][Payload]

ESP Transport Mode:  [IP Header][ESP Header][Payload][ESP Trailer][ESP Auth]
                     Encrypted:     Payload + ESP Trailer
                     Authenticated: ESP Header + Payload + ESP Trailer

ESP Tunnel Mode:     [New IP Header][ESP Header][IP Header][Payload][ESP Trailer][ESP Auth]
                     Encrypted:     inner IP Header + Payload + ESP Trailer
                     Authenticated: ESP Header + inner IP Header + Payload + ESP Trailer

Unlike AH, the ESP authentication data never covers the outer IP header, which is why
ESP survives address rewriting by NAT.
IPSec Peer

Peer configuration settings are used to establish connections between IKE daemons
(phase 1 configuration). This connection will then be used to negotiate keys and
algorithms for the SAs.

Peers are Initiator and Responder.



IPSec Peer

Authentication Methods:
• pre-shared-key
• rsa-signature
• rsa-key
• pre-shared-key-xauth
• rsa-signature-hybrid

Exchange Modes:
• main
• aggressive
• base
• main-l2tp

Note: in aggressive mode with a pre-shared key the identity and the PSK-derived hash are
sent before the exchange is encrypted, so a passive eavesdropper can attack the secret
offline. Prefer main mode with a strong pre-shared key, or certificate-based
authentication.

IPSec Peer: Encryption and Hash algorithms

(Slide figure: table of the encryption and hash algorithms selectable on the peer.)



IPSec Policy (match criteria)

• Source address: host/subnet
• Destination address: host/subnet
• IP protocol number: TCP, UDP, ICMP



Policy: IPSec protocol and action

Action: Specifies what to do with a packet matched by the policy.
• none - pass the packet unchanged
• discard - drop the packet
• encrypt - apply the transformations specified in this policy and its SA

IPSec protocol: Specifies what combination of the AH and ESP protocols you want to
apply to matched traffic.

Local Peer address and Remote Peer address: the two endpoints between which the SA is
built (the peer addresses, not the LAN addresses being matched).

Tunnel: Identifies whether tunnel mode is enabled.



Proposal

Proposal information that will be sent by the IKE daemon to establish SAs for Phase 2.

Configured proposals are selected in the policy configuration.



Proposal: Encryption and auth. algorithms

• Allowed Encryption Algorithms and key lengths to use for SAs.
• Authentication Algorithms.



Installed Security Associations

/ip ipsec installed-sa

Property                              Description
addtime (time)                        Date and time when this SA was added.
auth-algorithm (sha1 | md5)           Currently used authentication algorithm.
auth-key (string)                     Authentication key in use.
current-bytes (64-bit integer)        Number of bytes seen by this SA.
enc-algorithm (des | 3des | aes ...)  Currently used encryption algorithm.
state (string)                        Current state of the SA ("mature", "dying", etc.).



Create IPSec between two routers with NAT

(Slide figure, lab topology:)
LAN 192.168.1.0/24 -- Router (10.1.1.1) -- transit 10.1.1.0/24 -- Router (10.1.1.6) -- LAN 192.168.3.0/24



Task
Create an IPSec Tunnel between two LANs

• Reset Configurations – No defaults
• Set Identity name and change Radio name
• Connect to the Class AP
  – Wifi password: 12345678
  – SSID: TTT_Class
• Add IP 10.1.1.X on your wireless interface
• Add IP 192.168.X.1/24 to your LAN interface
• /ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade



Task
Create an IPSec Tunnel between two LANs (variant: wireless address via DHCP)

• Reset Configurations – No defaults
• Set Identity name and change Radio name
• Add a DHCP client on the wireless interface
• Connect to the Class AP
  – Wifi password: 12345678
  – SSID: TTT_Class
• Add IP 192.168.X.1/24 to your LAN interface
• /ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade



Task

• Add a new IPSec Peer (Phase 1)
• Add a new IPSec Policy (Phase 2, with its proposal)
• Add a firewall NAT accept rule for LAN-to-LAN traffic and move it to the top of the rules,
  above the masquerade rule, so that traffic destined for the remote LAN keeps its original
  source address and still matches the policy
• Check connectivity: /ping 192.168.1.1 src-address=192.168.X.1
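The steps above (peer, policy, proposal, NAT exception, check) put together as one RouterOS v6 configuration. This is an added example, not configuration from the original slides; it assumes the lab topology shown earlier (this router at 10.1.1.1 with LAN 192.168.1.0/24, the remote router at 10.1.1.6 with LAN 192.168.3.0/24), a LAN interface named ether2, and an example pre-shared key and algorithm set that you should replace with your own. The remote router uses the same commands with the addresses swapped.

```routeros
# Added example for the lab above (not from the original slides).
# Assumptions: this router is 10.1.1.1 (LAN 192.168.1.0/24), the remote
# router is 10.1.1.6 (LAN 192.168.3.0/24); the PSK and algorithms are
# placeholders chosen for the example.

# Phase 1: IKE peer, main mode with a pre-shared key. nat-traversal=yes
# lets IKE and ESP move to UDP 4500 when a NAT sits between the peers.
/ip ipsec peer add address=10.1.1.6/32 auth-method=pre-shared-key \
    secret="ChangeThisExamplePSK" exchange-mode=main nat-traversal=yes \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    lifetime=1d dpd-interval=30s

# Phase 2: proposal referenced by the policy (ESP with AES-256-CBC and
# SHA-256, plus Perfect Forward Secrecy for the child SAs).
/ip ipsec proposal set default auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# Policy: which traffic to protect (LAN to LAN), tunnel mode, and the peer
# addresses between which the SA is built.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.3.0/24 \
    protocol=all sa-src-address=10.1.1.1 sa-dst-address=10.1.1.6 \
    tunnel=yes action=encrypt level=require ipsec-protocols=esp proposal=default

# NAT exception: LAN-to-LAN traffic must not be masqueraded, otherwise its
# source becomes 10.1.1.1 and the policy no longer matches. place-before=0
# puts the accept rule above the existing masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    dst-address=192.168.3.0/24 action=accept place-before=0

# Verification: the phase 1 peer should be established and two phase 2 SAs
# (one per direction) should be listed in state "mature". Ping with a LAN
# source address so the packet matches the policy.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ping 192.168.3.1 src-address=192.168.1.1
```

The lab resets the router with no default firewall, so nothing blocks IKE. On a router that does filter its input chain, also accept UDP 500, UDP 4500 and IP protocol 50 (and protocol 51 if AH is ever used) from the remote peer address, otherwise the peer never reaches the "established" state and no SA is installed.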


Summary

IPsec is a set of protocols.

To use IPSec you will need to configure:
• Peer (Phase 1)
• Proposal (Phase 2)
• Policy (match traffic and apply the action)
