_Disclaimer: Instructions are accurate as of 06/11/2024. Mikrotik is not a product or partner of the cloud provider. Users are responsible for verifying if all settings are correct._
Introduction
Establishing a secure and reliable communication channel between cloud environments is crucial for businesses in today’s interconnected digital landscape. This tutorial will guide you through the process of configuring an IPSec VPN between the cloud provider (DO) and Amazon Web Services (AWS) using Mikrotik's Cloud Hosted Router (CHR). These steps are designed to enable seamless and secure data transfer between your cloud infrastructures.
Prerequisites
Before you dive into the configuration steps, ensure you have the following prerequisites:
- A cloud account.
- Access to Mikrotik’s Cloud-Hosted Router Image
- An AWS account with access to the AWS Management Console
Step 1 - Configure Mikrotik CHR as a NAT Gateway
Begin by following the tutorial Configure Mikrotik CHR as a NAT Gateway.
This foundational setup is critical as it lays the groundwork for establishing the Site-to-Site VPN connection.
Step 2 - Create a Customer Gateway in AWS
Log in to your AWS Management Console and navigate to VPC -> Customer gateways -> Create customer gateway.
AWS charges for Customer Gateways as long as they exist, whether used or not. For values not mentioned, leave them under their default option. Configure the following:
- Name tag: Example: “DO-Mikrotik-GW”
- BGP ASN: Example: 65000
- IP address: The public IP address of the Droplet acting as your NAT gateway
Step 3 - Create a Virtual Private Gateway in AWS
You can create a Virtual Private Gateway by navigating to VPC -> Virtual private gateways -> Create virtual private gateway.
For values not mentioned, leave them under their default option. Configure the following:
- Name tag: “DO-Mikrotik-Virtual-Private-Gateway”
- Autonomous System Number (ASN): Select “Amazon default ASN”
Step 4 - Create a Site-to-Site VPN Connection
Create a Site-to-Site VPN by navigating to VPC -> VPN connections -> Create VPN connection.
Configure the following:
- Name tag: “DO-Mikrotik-GW”
- Target gateway type: Select “Virtual private gateway”
- Virtual private gateway: Select the previously created Virtual Private Gateway
- Customer gateway: Select “Existing”
- Customer gateway ID: Select the previously created Customer Gateway
- Routing options: Select “Dynamic (requires BGP)”
- Local IPv4 network CIDR: Your cloud provider VPC subnet (e.g., 192.168.80.0/24)
- Remote IPv4 network CIDR: Your AWS VPC subnet (e.g., 192.168.81.0/24)
Step 5 - Download AWS VPN Configuration
As soon as the Site-to-Site VPN connection is listed (it may still be in the pending state while it becomes available), click the “Download Configuration” button to download the configuration details you will need from AWS to set up the tunnel on the cloud provider side. Use the following options:
- Select vendor: Mikrotik
- Select Platform: Router OS
- Select Software: Latest available version
- IKE version: ikev1
Note: The above steps are the minimum required to retrieve the AWS configuration needed to initiate the tunnel connection. Additional AWS configuration changes, such as route table, network ACL, and security group changes, might still be required to allow traffic to transit the tunnel. These are out of the scope of this guide; please consult your AWS administrator for the details required for your AWS deployment.
Step 6 - Configure the tunnel on the Mikrotik CHR
Log in to your previously configured Mikrotik CHR. There are multiple ways to log in (SSH, Web UI, or the Winbox desktop app). AWS suggests using the desktop app, but in this tutorial you will use SSH to configure the IPsec tunnel.
Once logged in, you will copy values from the AWS guide and input them via the SSH console. You will need to repeat these steps for both tunnels:
a. Configure IPsec Proposal on Mikrotik CHR: Use the AWS configuration values to set up the IPsec proposal. Example:
Go to IP Tab --> IPsec --> Proposals
a. Click on "+" button
b. Name: ipsec-vpn-3rswpavcor47abarsn-0
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok
You can configure the same by using the following command line on the Mikrotik, replace the <> values with the values indicated by the AWS configuration guide:
/ip ipsec proposal
add auth-algorithms=<Auth. Algorithms> enc-algorithms=<Encr. Algorithms> lifetime=<Lifetime> pfs-group=<PFS Group> name="<AWS Proposed Name>"
An example would look something like this:
/ip/ipsec/proposal
add auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1h pfs-group=modp1024 name="ipsec-vpn-3rswpavcor47abarsn-0"
b. Set Up IPsec Profile on Mikrotik CHR: Skip the policy creation for now, to avoid losing access to the firewall, and configure the IPsec profile instead. The AWS example looks similar to this:
Go to IP Tab --> IPsec --> Profile
a. Click on "+" button
b. Profile name: profile-vpn-3rswpavcor47abarsn-0
c. Hash Algorithm: sha1
d. Encryption Algorithm: aes-128
e. DH Group: modp1024
f. Lifetime: 08:00:00
g. DPD Interval: 10
h. DPD Maximum Failures: 3
i. Select Apply and Ok
You can configure the same by using the following command line on the Mikrotik, replace the <> values with the values indicated by AWS configuration guide:
/ip ipsec profile
add name="<Profile name>" hash-algorithm=<Hash Algorithm> enc-algorithm=<Encryption Algorithm> dh-group=<DH Group> lifetime=<Lifetime> dpd-interval=<DPD Interval> dpd-maximum-failures=<DPD Maximum Failures>
c. Create the 1st IPsec tunnel Peer on Mikrotik CHR: Create the first peer, which references the profile from the previous step. The AWS example looks similar to this:
Go to IP Tab --> IPsec --> Peer
a. Address: yyy.yyy.xxx.zzz
b. Local Address: yyy.yyy.xxx.zzz
c. Profile: profile-vpn-3rswpavcor47abarsn-0
d. Exchange Mode: Main
e. Select Apply and Ok
You can configure the same by using the following command line on the Mikrotik, replace the <> values with the values indicated by AWS configuration guide:
/ip ipsec peer
add name="aws-ipsec-vpn-1" address=<Address>/32 local-address=<Local Address> exchange-mode=main send-initial-contact=yes profile="<Profile>"
d. Set Up IPsec Identity on Mikrotik CHR: Set up the IPsec identity with pre-shared key:
Go to IP Tab --> IPsec --> Identities
a. Auth Method: Pre-Shared key
b. Secret: xxxxxxxxxxxxxxxxxxxxxxx
c. Select Apply and Ok
Configure the same using the following command line on the Mikrotik, replace the <> values with the values indicated by AWS configuration guide:
/ip ipsec identity
add peer="aws-ipsec-vpn-1" auth-method=pre-shared-key secret="<Secret>"
e. Assign IP Address to WAN Interface: The AWS configuration file provides the inside IP address you must use for the point-to-point (P2P) tunnel link. Assign it to the WAN interface on the Mikrotik CHR; the AWS example looks similar to this:
Go to IP Tab --> Addresses
a. Click on "+" button
b. Address: 169.254.13.170/30
c. Interface: Select the WAN/Outside interface
d. Select Apply and Ok
You can configure it using the following command line on Mikrotik.
/ip address
add address=<Address/Subnet> interface=wan
f. Configure IPsec Policy on Mikrotik CHR: Create IPsec policies for the P2P tunnel and the subnet tunnel.
You will not use 0.0.0.0/0 as AWS suggests. Instead, you will create two policies: one for the tunnel link and one for the subnet you want to tunnel. The AWS example looks similar to this:
Go to IP Tab --> IPsec --> Policies
1) Click on "+" button and select the General Tab
a. Src. Address: 0.0.0.0/0
b. Dst. Address: 0.0.0.0/0
2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: yyy.yyy.xxx.zzz
c. SA Dst. Address: yyy.yyy.xxx.zzz
d. Proposal: ipsec-vpn-3rswpavcor47abarsn-0
e. Select Apply and Ok
Customer gateway inside IP Address: yyy.yyy.xxx.zzz
Virtual Private gateway inside Address: yyy.yyy.xxx.zzz
You can configure the same by using the following command line on the Mikrotik.
Note: The destination address is the /30 network of the inside tunnel link, which is the Virtual Private gateway inside address with its last octet decreased by 1. For example, for an address ending in 169, the address used in the policy ends in 168.
/ip ipsec policy
add dst-address=<Virtual Private gateway inside Address - 1>/30 peer="<Peer Name created on previous step>" proposal="<Proposal>" src-address=<Customer gateway inside IP Address>/32 tunnel=yes
Now, create the tunnel for the subnets you will be sharing between both providers:
/ip/ipsec/policy
add dst-address=<AWS VPC Net/subnet> peer="<Peer Name created on previous step>" proposal="<Proposal>" src-address=<the cloud provider VPC Net/subnet> tunnel=yes
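The "minus 1" rule above is easy to get wrong by hand, and a policy with a wrong destination silently never matches. The following Python helper is an added example, not part of this tutorial and not Mikrotik or AWS tooling: it derives the inside-link /30 network and the Virtual Private gateway inside address from the Customer gateway inside address AWS hands out, checks that the two VPC subnets are well-formed and do not overlap, and renders both policy commands for one tunnel. The function names are assumptions; the peer name aws-ipsec-vpn-1 and the proposal name come from the steps above, and the tunnel 2 values in the usage block are constructed. The general rule it implements is "destination = network address of the /30"; because AWS places the customer gateway on the higher of the two host addresses of each /30, this is the same as subtracting 1 from the VGW address.

```python
import ipaddress
from typing import Dict

# Added example (not part of the tutorial): derive the inside-link addresses for one
# AWS tunnel from the "Customer gateway inside IP Address" and its /30 prefix.
def inside_link(customer_inside_cidr: str) -> Dict[str, str]:
    iface = ipaddress.ip_interface(customer_inside_cidr)
    net = iface.network
    if net.prefixlen != 30:
        raise ValueError(f"AWS inside-tunnel links are /30 networks: {customer_inside_cidr}")
    low, high = list(net.hosts())            # the two usable hosts of the /30
    vgw = low if iface.ip == high else high  # the other host belongs to the VGW
    return {
        "customer_inside": str(iface.ip),   # goes on the WAN interface and in src-address
        "vgw_inside": str(vgw),             # BGP remote address on the AWS side
        "link_network": str(net),           # dst-address of the point-to-point policy
    }


def _check_subnets(local_vpc: str, aws_vpc: str) -> None:
    # strict=True rejects host bits (e.g. 192.168.80.1/24), so a typo does not
    # become a policy that never matches any traffic.
    local = ipaddress.ip_network(local_vpc, strict=True)
    remote = ipaddress.ip_network(aws_vpc, strict=True)
    if local.overlaps(remote):
        raise ValueError("VPC subnets overlap; the subnet policy would be ambiguous")


def render_policies(customer_inside_cidr: str, peer_name: str, proposal: str,
                    local_vpc: str, aws_vpc: str) -> str:
    """Render the two /ip ipsec policy lines of Step 6f for one tunnel."""
    _check_subnets(local_vpc, aws_vpc)
    link = inside_link(customer_inside_cidr)
    return "\n".join([
        "/ip ipsec policy",
        f'add dst-address={link["link_network"]} peer="{peer_name}" '
        f'proposal="{proposal}" src-address={link["customer_inside"]}/32 tunnel=yes',
        f'add dst-address={aws_vpc} peer="{peer_name}" '
        f'proposal="{proposal}" src-address={local_vpc} tunnel=yes',
    ])


if __name__ == "__main__":
    # Tunnel 1 uses the addresses shown in the tutorial; tunnel 2 values are constructed
    # placeholders (AWS supplies a separate inside /30 and proposal name per tunnel).
    tunnels = [
        ("169.254.13.170/30", "aws-ipsec-vpn-1", "ipsec-vpn-3rswpavcor47abarsn-0"),
        ("169.254.25.138/30", "aws-ipsec-vpn-2", "<proposal name from the AWS tunnel 2 section>"),
    ]
    for cidr, peer, proposal in tunnels:
        print(render_policies(cidr, peer, proposal, "192.168.80.0/24", "192.168.81.0/24"))
        print()
```

Run it once per tunnel with the values from the corresponding section of the AWS configuration file and paste the output into the RouterOS console; the vgw_inside value it returns is also the Remote Address you will need in the BGP step.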
g. Open Firewall Rules on Mikrotik CHR: Open the firewall rules needed for AWS to connect over IPsec (ESP, IKE on UDP 500, and BGP on TCP 179). place-before=1 inserts each rule above the first rule you created in the NAT Gateway guide.
/ip firewall filter
add chain=input action=accept protocol=ipsec-esp src-address=<SA Dst. Address> dst-address=<Droplet Public IP> in-interface=wan place-before=1
add chain=input action=accept protocol=udp src-address=<SA Dst. Address> dst-address=<Droplet Public IP> in-interface=wan src-port=500 dst-port=500 place-before=1
add chain=input action=accept protocol=tcp src-address=<Virtual Private Gateway IP> dst-address=<Customer Gateway IP> dst-port=179 place-before=1
h. Configure BGP for Route Sharing: Configure the Border Gateway Protocol (BGP) routing protocol for route sharing between AWS and DO:
Go to Configure Routing --> BGP --> Instances
a. Apply correct local AS
b. Select APPLY
Go to Routing Tab --> BGP --> Peer
a. Click on "+" button and select the General Tab
b. Name: BGP-vpn-3rswpavcor47abarsn-0
c. Remote Address: yyy.yyy.xxx.zzz
d. Remote AS: 64512
e. Hold Time: 30
f. Keepalive Time: 10
g. Select Apply and Ok
First, create an address list containing the local network you want to advertise to AWS.
/ip firewall address-list
add address=<the cloud provider VPC Net/Subnet> list=vpc
Configure the same by using the following command line on the Mikrotik, using the values from the AWS BGP configuration section. The Mikrotik AS must match the one specified in the AWS portal when the Customer Gateway was created (65000 by default in this tutorial):
/routing bgp connection
add as=<Local AS, e.g. 65000> disabled=no hold-time=<Hold Time> keepalive-time=<Keepalive Time> local.role=ebgp name="<Name>" output.network=vpc remote.address=<Remote Address> remote.as=<Remote AS> routing-table=main
i. Add Firewall NAT Rule: Ensure traffic through the tunnel is not source-NATed to the WAN address by adding an accept rule ahead of the existing NAT rule (place-before=0):
/ip firewall nat
add action=accept chain=srcnat dst-address=<AWS Subnet> log=yes src-address=<VPC Subnet> place-before=0
Step 7 - Verify Tunnel State
Check the tunnel state from both AWS and Mikrotik to ensure it is up and running:
/ip ipsec policy
print detail
Output:
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
 0 T X* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1 peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=169.254.13.170/32 src-port=any dst-address=169.254.13.168/30 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=yyy.yyy.xxx.zzz
   sa-dst-address=yyy.yyy.xxx.zzz proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=0 ph2-state=no-phase2
 2 A peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=192.168.80.0/24 src-port=any dst-address=192.168.81.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=yyy.yyy.xxx.zzz
   sa-dst-address=yyy.yyy.xxx.zzz proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=2 ph2-state=established
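In the output above, the point-to-point policy (entry 1) still shows ph2-state=no-phase2 while the subnet policy (entry 2) is established and active. Reading that by eye on a router with many policies is error-prone, so here is an added Python parser for this output; it is not part of the tutorial and not Mikrotik tooling. It handles the wrapped continuation lines, separates the flag letters from the key=value fields, and returns every non-template, enabled policy whose phase 2 is not established. The sample text embedded in the block is constructed from the output shown in this step (placeholder addresses kept as in the tutorial), and the function names are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample, modelled on the `/ip ipsec policy print detail` output in Step 7.
SAMPLE_OUTPUT = """\
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
 0 T X* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1 peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=169.254.13.170/32 src-port=any dst-address=169.254.13.168/30 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=yyy.yyy.xxx.zzz
   sa-dst-address=yyy.yyy.xxx.zzz proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=0 ph2-state=no-phase2
 2 A peer=peer-vpn-3rswpavcor47abarsn-0 tunnel=yes src-address=192.168.80.0/24 src-port=any dst-address=192.168.81.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=yyy.yyy.xxx.zzz
   sa-dst-address=yyy.yyy.xxx.zzz proposal=ipsec-vpn-3rswpavcor47abarsn-0 ph2-count=2 ph2-state=established
"""


def parse_policies(text: str) -> List[Dict[str, str]]:
    """Parse `print detail` output into one dict per policy.

    Each dict has "id" (the row number), "flags" (the flag letters, e.g. "TX*" or "A")
    and one key per key=value field. Lines that do not start with a row number are
    treated as continuations of the previous entry, which is how RouterOS wraps
    long rows.
    """
    policies: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        tokens = line.split()
        if tokens[0].isdigit():
            entry: Dict[str, str] = {"id": tokens[0], "flags": ""}
            rest = tokens[1:]
            # flag letters sit between the row number and the first key=value token
            while rest and "=" not in rest[0]:
                entry["flags"] += rest.pop(0)
            policies.append(entry)
        else:
            if not policies:
                continue  # stray text before the first row
            entry = policies[-1]
            rest = tokens
        for tok in rest:
            key, _, value = tok.partition("=")
            entry[key] = value
    return policies


def tunnels_not_established(policies: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (id, ph2-state) for enabled, non-template policies without an established phase 2."""
    problems = []
    for p in policies:
        if p.get("template") == "yes" or "X" in p["flags"]:
            continue
        state = p.get("ph2-state", "unknown")
        if state != "established":
            problems.append((p["id"], state))
    return problems


if __name__ == "__main__":
    # On a live router: paste the output of `/ip ipsec policy print detail` in place of the sample.
    for pid, state in tunnels_not_established(parse_policies(SAMPLE_OUTPUT)):
        print(f"policy {pid}: phase 2 is {state}")
```

A policy that stays in no-phase2 after the peer is up usually means the policy's src-address/dst-address pair does not match what AWS expects for that tunnel, which is exactly the kind of mismatch the earlier /30 note warns about; the subnet policy being established while the link policy is not is a useful hint that the addresses, not the peer or secret, are at fault.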
After establishing the first tunnel, repeat the Mikrotik configuration process for the second AWS tunnel to ensure redundancy.
Conclusion
In this tutorial, you learned how to configure an IPSec VPN between the cloud provider and AWS using Mikrotik’s Cloud Hosted Router. These steps are designed to create a secure and efficient inter-cloud communication channel, essential for modern hybrid cloud architectures.