MikroTik Router OS V3.0 User Manual

Example

[admin@MikroTik] ip ipsec peer> add address=10.0.0.147/32 \
\... secret=gwejimezyfopmekun
[admin@MikroTik] ip ipsec peer> print
Flags: X - disabled
 0 address=10.0.0.147/32:500 auth-method=pre-shared-key
   secret=gwejimezyfopmekun generate-policy=no exchange-mode=main
   send-initial-contact=yes nat-traversal=no proposal-check=obey
   hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
   lifebytes=0
[admin@MikroTik] ip ipsec peer>

Remote Peer Statistics

Home menu level: /ip ipsec remote-peers

Description

Property Description

local-address (read-only: IP address) - local ISAKMP SA address
remote-address (read-only: IP address) - peer's IP address
side (multiple choice, read-only: initiator | responder) - shows which side initiated the connection
  • initiator - phase 1 negotiation was started by this router
  • responder - phase 1 negotiation was started by the peer
state (read-only: text) - state of phase 1 negotiation with the peer
  • established - normal working state

Example

[admin@MikroTik] ip ipsec> remote-peers print
 0 local-address=10.0.0.148 remote-address=10.0.0.147 state=established
   side=initiator
[admin@MikroTik] ip ipsec>

Installed SAs

Home menu level: /ip ipsec installed-sa

Description

Page 190 of 480
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

Property Description

add-lifetime (read-only: time) - soft/hard expiration time counted from installation of the SA
addtime (read-only: text) - time when this SA was installed
auth-algorithm (multiple choice, read-only: none | md5 | sha1) - authentication algorithm used in the SA
auth-key (read-only: text) - authentication key presented as a hex string
current-bytes (read-only: integer) - amount of data processed by this SA's crypto algorithms
dst-address (read-only: IP address) - destination address of the SA, taken from the respective policy
enc-algorithm (multiple choice, read-only: none | des | 3des | aes) - encryption algorithm used in the SA
enc-key (read-only: text) - encryption key presented as a hex string (not applicable to AH SAs)
lifebytes (read-only: integer) - soft/hard expiration threshold for the amount of processed data
replay (read-only: integer) - size of the replay window, presented in bytes. This window protects the receiver against replay attacks by rejecting old or duplicate packets
spi (read-only: integer) - SPI value of the SA, represented in hexadecimal form
src-address (read-only: IP address) - source address of the SA, taken from the respective policy
state (multiple choice, read-only: larval | mature | dying | dead) - SA living phase
use-lifetime (read-only: time) - soft/hard expiration time counted from the first use of the SA
usetime (read-only: text) - time when this SA was first used

Example
[admin@MikroTik] ip ipsec> installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E spi=E727605 src-address=10.0.0.148 dst-address=10.0.0.147
     auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
     auth-key=ecc5f4aee1b297739ec88e324d7cfb8594aa6c35
     enc-key=d6943b8ea582582e449bde085c9471ab0b209783c9eb4bbd
     addtime=jan/28/2003 20:55:12 add-lifetime=24m/30m
     usetime=jan/28/2003 20:55:23 use-lifetime=0s/0s current-bytes=128
     lifebytes=0/0
 1 E spi=E15CEE06 src-address=10.0.0.147 dst-address=10.0.0.148
     auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
     auth-key=8ac9dc7ecebfed9cd1030ae3b07b32e8e5cb98af
     enc-key=8a8073a7afd0f74518c10438a0023e64cc660ed69845ca3c
     addtime=jan/28/2003 20:55:12 add-lifetime=24m/30m
     usetime=jan/28/2003 20:55:12 use-lifetime=0s/0s current-bytes=512
     lifebytes=0/0
[admin@MikroTik] ip ipsec>

Flushing Installed SA Table

Command name: /ip ipsec installed-sa flush
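As an added example (not part of the manual), the following Python script parses output in the layout of the installed-sa print transcript above, using the property names listed for /ip ipsec installed-sa, and reports the SAs an operator would want to look at: algorithms considered weak by current standards, a state other than mature, and an SA with no hard lifetime at all. The sample output is constructed; SA 0 copies the manual's values, SA 1 is altered so that every check fires.

```python
import re

# Constructed sample in the layout of "/ip ipsec installed-sa print" on RouterOS
# v3: SA 0 copies the manual's values, SA 1 is altered (des, md5, dying, no lifetime).
SAMPLE = """Flags: A - AH, E - ESP, P - pfs
 0 E spi=E727605 src-address=10.0.0.148 dst-address=10.0.0.147
     auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
     addtime=jan/28/2003 20:55:12 add-lifetime=24m/30m
     use-lifetime=0s/0s current-bytes=128 lifebytes=0/0
 1 E spi=E15CEE06 src-address=10.0.0.147 dst-address=10.0.0.148
     auth-algorithm=md5 enc-algorithm=des replay=4 state=dying
     addtime=jan/28/2003 20:55:12 add-lifetime=0s/0s
     use-lifetime=0s/0s current-bytes=512 lifebytes=0/0
"""

HEADER = re.compile(r"^\s*(\d+)\s+([AEP]+)\s+(spi=.*)$")
# A value is one token, optionally followed by the HH:MM:SS half of a timestamp.
KV = re.compile(r"([a-z-]+)=(\S+(?: \d{2}:\d{2}:\d{2})?)")

def parse_installed_sa(text):
    """Return one dict per SA, keyed by the property names RouterOS prints."""
    sas = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sas.append({"index": int(m.group(1)), "flags": set(m.group(2))})
            line = m.group(3)
        elif not sas:  # the "Flags:" legend precedes the first SA
            continue
        sas[-1].update(KV.findall(line))
    return sas

def audit(sas, weak_enc=("des", "3des", "none"), weak_auth=("md5", "none")):
    """Flag SAs with weak algorithms, an abnormal state, or no hard lifetime."""
    findings = []
    for sa in sas:
        where = f"SA {sa['index']} {sa['src-address']}->{sa['dst-address']}"
        if "E" in sa["flags"] and sa.get("enc-algorithm") in weak_enc:
            findings.append(f"{where}: weak encryption {sa['enc-algorithm']}")
        if sa.get("auth-algorithm") in weak_auth:
            findings.append(f"{where}: weak authentication {sa['auth-algorithm']}")
        if sa.get("state") != "mature":
            findings.append(f"{where}: state is {sa.get('state')}")
        # A hard limit of 0s / 0 bytes means no limit: such an SA is never rekeyed.
        no_time = sa.get("add-lifetime", "0s/0s").endswith("/0s")
        no_bytes = sa.get("lifebytes", "0/0").endswith("/0")
        if no_time and no_bytes:
            findings.append(f"{where}: no hard lifetime, SA never rekeys")
    return findings
```

Run it on the real output of installed-sa print after redacting the auth-key and enc-key lines, which the command prints in clear and which should not be pasted anywhere.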

Property Description

sa-type (multiple choice: ah | all | esp; default: all) - specifies which SA types to flush
  • ah - delete AH protocol SAs only
  • esp - delete ESP protocol SAs only
  • all - delete both ESP and AH protocol SAs

Example

[admin@MikroTik] ip ipsec installed-sa> flush
[admin@MikroTik] ip ipsec installed-sa> print
[admin@MikroTik] ip ipsec installed-sa>

Application Examples

MikroTik Router to MikroTik Router

[admin@Router1] > ip ipsec policy add sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2 \
\... action=encrypt
[admin@Router1] > ip ipsec peer add address=1.0.0.2 \
\... secret=gvejimezyfopmekun

[admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \
\... action=encrypt
[admin@Router2] > ip ipsec peer add address=1.0.0.1 \
\... secret=gvejimezyfopmekun

[admin@Router1] > ip ipsec peer add address=1.0.0.0/24 \
\... secret=gvejimezyfopmekun generate-policy=yes

[admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \
\... action=encrypt
[admin@Router2] > ip ipsec peer add address=1.0.0.1 \
\... secret=gvejimezyfopmekun

[admin@Router1] > ip ipsec manual-sa add name=ah-sa1 \
\... ah-spi=0x101/0x100 ah-key=abcfed
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
\... dst-address=10.2.0.0/24 action=encrypt ipsec-protocols=ah \
\... tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1

[admin@Router2] > ip ipsec manual-sa add name=ah-sa1 \
\... ah-spi=0x100/0x101 ah-key=abcfed
[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
\... dst-address=10.1.0.0/24 action=encrypt ipsec-protocols=ah \
\... tunnel=yes sa-src=1.0.0.2 sa-dst=1.0.0.1 manual-sa=ah-sa1

IPsec Between two Masquerading MikroTik Routers

[admin@Router1] > ip firewall nat add chain=srcnat src-address=10.1.0.0/24 \
\... dst-address=10.2.0.0/24 action=accept
[admin@Router1] > ip firewall nat add chain=srcnat out-interface=public \
\... action=masquerade

[admin@Router2] > ip firewall nat add chain=srcnat src-address=10.2.0.0/24 \
\... dst-address=10.1.0.0/24 action=accept
[admin@Router2] > ip firewall nat add chain=srcnat out-interface=public \
\... action=masquerade

[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
\... dst-address=10.2.0.0/24 action=encrypt tunnel=yes \
\... sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2
[admin@Router1] > ip ipsec peer add address=1.0.0.2 \
\... exchange-mode=aggressive secret=gvejimezyfopmekun

[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
\... dst-address=10.1.0.0/24 action=encrypt tunnel=yes \
\... sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1
[admin@Router2] > ip ipsec peer add address=1.0.0.1 \
\... exchange-mode=aggressive secret=gvejimezyfopmekun
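The order of the two srcnat rules on each router matters: the accept rule for the protected subnets must precede masquerade, because source NAT is applied before the IPsec policy is consulted, so masqueraded packets no longer match the policy and leave unencrypted. The following Python check, added here and not part of the manual, walks rules written in /ip firewall nat export form (constructed samples, Router1's rules in both orders) and reports any IPsec policy whose first matching srcnat rule is not an accept; it generalizes the manual's single subnet pair to any list of policies.

```python
import ipaddress
import re

# Constructed samples in "/ip firewall nat export" form. GOOD reproduces the
# manual's Router1 order (accept the IPsec subnets, then masquerade); BAD swaps
# the two rules, so the source address is rewritten before IPsec sees the packet.
GOOD = """
add chain=srcnat src-address=10.1.0.0/24 dst-address=10.2.0.0/24 action=accept
add chain=srcnat out-interface=public action=masquerade
"""
BAD = """
add chain=srcnat out-interface=public action=masquerade
add chain=srcnat src-address=10.1.0.0/24 dst-address=10.2.0.0/24 action=accept
"""
KV = re.compile(r"([a-z-]+)=(\S+)")

def parse_nat_rules(text, chain="srcnat"):
    """Parse 'add ...' lines into dicts and keep the rules of one chain, in order."""
    rules = [dict(KV.findall(l)) for l in text.splitlines() if l.startswith("add ")]
    return [r for r in rules if r.get("chain") == chain]

def rule_covers(rule, src, dst):
    """True if the rule's address selectors include the whole src->dst policy.
    Selectors this check does not evaluate (out-interface, protocol, ...) are
    assumed to match, which errs on the side of reporting a problem."""
    for key, net in (("src-address", src), ("dst-address", dst)):
        if key in rule and not net.subnet_of(ipaddress.ip_network(rule[key])):
            return False
    return True

def ipsec_nat_findings(rules, policies):
    """For each (src, dst) IPsec policy, report when the first srcnat rule that
    covers it is not an accept, i.e. the traffic is rewritten before IPsec."""
    findings = []
    for src, dst in policies:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        for rule in rules:
            if rule_covers(rule, s, d):
                if rule.get("action") != "accept":
                    findings.append(f"{src}->{dst}: first matching rule is {rule.get('action')}")
                break
    return findings
```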

MikroTik Router to Cisco Router

[admin@MikroTik] > ip ipsec peer add address=10.0.1.2 \
\... secret=gvejimezyfopmekun enc-algorithm=des

ip ipsec proposal set default enc-algorithms=des

! Create IPsec transform set - transformations that should be applied to
! traffic - ESP encryption with DES and ESP authentication with SHA1
! This must match /ip ipsec proposal
crypto ipsec transform-set myset esp-des esp-sha-hmac
 mode tunnel
exit

[admin@MikroTik] > ip ipsec policy add \
\... src-address=10.0.0.0/24 dst-address=10.0.2.0/24 action=encrypt \
\... tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2

[admin@MikroTik] ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs
 0 E spi=9437482 src-address=10.0.1.1 dst-address=10.0.1.2
     auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature
     auth-key=9cf2123b8b5add950e3e67b9eac79421d406aa09
     enc-key=ffe7ec65b7a385c3 addtime=jul/12/2002 16:13:21
     add-lifetime=24m/30m usetime=jul/12/2002 16:13:21 use-lifetime=0s/0s
     current-bytes=71896 lifebytes=0/0
 1 E spi=319317260 src-address=10.0.1.2 dst-address=10.0.1.1
     auth-algorithm=sha1 enc-algorithm=des replay=4 state=mature
     auth-key=7575f5624914dd312839694db2622a318030bc3b
     enc-key=633593f809c9d6af addtime=jul/12/2002 16:13:21
     add-lifetime=24m/30m usetime=jul/12/2002 16:13:21 use-lifetime=0s/0s
     current-bytes=0 lifebytes=0/0
[admin@MikroTik] ip ipsec installed-sa>

current outbound spi: 1308650C

inbound esp sas:
 spi: 0x90012A(9437482)
   transform: esp-des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
   sa timing: remaining key lifetime (k/sec): (4607891/1034)
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x1308650C(319317260)
   transform: esp-des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
   sa timing: remaining key lifetime (k/sec): (4607893/1034)
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

MikroTik Router and Linux FreeS/WAN

config setup
    interfaces=ipsec0=eth0
    klipsdebug=none
    plutodebug=all
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig

conn mt

    left=192.168.0.108
    leftsubnet=192.168.87.0/24
    right=192.168.0.155
    rightsubnet=10.0.0.0/24
    authby=secret
    pfs=no
    auto=add

192.168.0.108 192.168.0.155 : PSK "gvejimezyfopmekun"

[admin@MikroTik] > /ip ipsec peer add address=192.168.0.108 \
\... secret=gvejimezyfopmekun hash-algorithm=md5 enc-algorithm=3des \
\... dh-group=modp1024 lifetime=28800s
[admin@MikroTik] > /ip ipsec proposal set default auth-algorithms=md5 \
\... enc-algorithms=3des pfs-group=none
[admin@MikroTik] > /ip ipsec policy add sa-src-address=192.168.0.155 \
\... sa-dst-address=192.168.0.108 src-address=10.0.0.0/24 \
\... dst-address=192.168.87.0/24 tunnel=yes

IPIP Tunnel Interfaces

Document revision 1.3 (October 10, 2007, 14:06 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents

  Table of Contents
  General Information
    Summary
    Quick Setup Guide
    Specifications
    Additional Documents
  IPIP Setup
    Description
    Property Description
    Notes
    Description

General Information

Summary

Quick Setup Guide

[admin@MikroTik] interface ipip> add local-address=10.5.8.104 \
\... remote-address=10.1.0.172 disabled=no

[admin@MikroTik] ip address> add address=10.0.0.1/24 interface=ipip1