IPsec tunnel between Ubuntu 20.04 and Mikrotik router using strongSwan

Here is how to establish an IPsec tunnel between an Ubuntu 20.04 host and a Mikrotik router using IKEv2.

The 2 endpoints of the tunnel are:

  • ubuntu.xentoo.info : the Ubuntu server. This server has a local private subnet 10.0.0.0/24 and a fixed public IPv4 address 1.2.3.4 . The hostname ubuntu.xentoo.info resolves to the public IP address.
  • mikrotik.xentoo.info : the Mikrotik router. This router has a local private subnet 192.168.0.0/24 and a dynamic public IPv4 address.

I will use FQDN identifiers and a pre-shared key, and both IKE and ESP will use the same parameters:

  • encryption: AES256
  • integrity: SHA256
  • Diffie-Hellman group: ECP384

Let’s first configure the Mikrotik router. Go straight to the IPsec configuration:

/ip ipsec profile
add dh-group=ecp384 dpd-interval=10s enc-algorithm=aes-256 hash-algorithm=sha256 name=ubuntu.xentoo.info \
    nat-traversal=no
/ip ipsec peer
add address=ubuntu.xentoo.info exchange-mode=ike2 name=ubuntu.xentoo.info profile=ubuntu.xentoo.info
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr name=ubuntu.xentoo.info pfs-group=ecp384
/ip ipsec identity
add my-id=fqdn:mikrotik.xentoo.info peer=ubuntu.xentoo.info remote-id=ubuntu.xentoo.info secret=mysecretkey
/ip ipsec policy
add dst-address=10.0.0.0/24 peer=ubuntu.xentoo.info proposal=ubuntu.xentoo.info sa-dst-address=1.2.3.4 \
    sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes

On the Ubuntu side, first install the strongSwan package:

apt-get install strongswan

The tunnels are configured in /etc/ipsec.conf . There are 2 members in a connection: a left one and a right one. I always use the left one for the local host and the right one for the remote host. I name the connection using the remote host name. Since the Mikrotik router has a dynamic public IP address, its IP address is configured with %any.

The configuration for this tunnel is the following:

conn mikrotik.xentoo.info
    leftsubnet=10.0.0.0/24
    left=1.2.3.4
    leftid=fqdn:ubuntu.xentoo.info
    rightsubnet=192.168.0.0/24
    right=%any
    rightid=fqdn:mikrotik.xentoo.info
    authby=psk
    auto=start
    ike=aes256-sha256-ecp384
    keyexchange=ikev2
    esp=aes256-sha256-ecp384
    type=tunnel

The secret keys are stored in /etc/ipsec.secrets . Each line is a different secret. The syntax I use is leftid rightid : PSK "psk" .

fqdn:ubuntu.xentoo.info fqdn:mikrotik.xentoo.info : PSK "mysecretkey"

Restart the IPsec service to apply the changes:

systemctl restart ipsec

After you restart the service, you should see the following in /var/log/syslog:

Mar  6 11:35:51 ubuntu charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar  6 11:35:51 ubuntu charon: 00[CFG]   loaded IKE secret for fqdn:ubuntu.xentoo.info fqdn:mikrotik.xentoo.info
...
Mar  6 11:35:51 ubuntu charon: 05[CFG] added configuration 'mikrotik.xentoo.info'
Mar  6 11:35:57 ubuntu charon: 09[NET] received packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (208 bytes)
Mar  6 11:35:57 ubuntu charon: 09[ENC] parsed IKE_SA_INIT request 0 [ No KE SA ]
Mar  6 11:35:57 ubuntu charon: 09[IKE] 6.7.8.9 is initiating an IKE_SA
Mar  6 11:35:57 ubuntu charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Mar  6 11:35:57 ubuntu charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(CHDLESS_SUP) N(MULT_AUTH) ]
Mar  6 11:35:57 ubuntu charon: 09[NET] sending packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (232 bytes)
Mar  6 11:35:57 ubuntu charon: 10[NET] received packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (448 bytes)
Mar  6 11:35:57 ubuntu charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi AUTH IDr N(INIT_CONTACT) SA TSi TSr ]
Mar  6 11:35:57 ubuntu charon: 10[CFG] looking for peer configs matching 1.2.3.4[ubuntu.xentoo.info]...6.7.8.9[mikrotik.xentoo.info]
Mar  6 11:35:57 ubuntu charon: 10[CFG] selected peer config 'mikrotik.xentoo.info'
Mar  6 11:35:57 ubuntu charon: 10[IKE] authentication of 'mikrotik.xentoo.info' with pre-shared key successful
Mar  6 11:35:57 ubuntu charon: 10[IKE] authentication of 'ubuntu.xentoo.info' (myself) with pre-shared key
Mar  6 11:35:57 ubuntu charon: 10[IKE] IKE_SA mikrotik.xentoo.info[2] established between 1.2.3.4[ubuntu.xentoo.info]...6.7.8.9[mikrotik.xentoo.info]

The log shows that the secret was loaded correctly for both endpoint identities and that the configuration for tunnel mikrotik.xentoo.info was added. When the first packet arrived from the Mikrotik router, the correct proposal was selected, authentication with the pre-shared key succeeded, and the tunnel was established.
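The checks described above can be scripted. The following is an added example, not part of the original post: it reads charon's syslog lines and confirms that the most recent negotiation selected the proposal configured in ipsec.conf, authenticated the peer with the pre-shared key, and established the IKE_SA. The names check_tunnel, sample_log and failed_log are hypothetical, and the second log excerpt is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): verify from charon's syslog
# lines that the IKE_SA came up exactly as configured in /etc/ipsec.conf.

# Proposal charon logs for ike=aes256-sha256-ecp384 (taken from the log above).
EXPECTED='IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384'

# Usage: check_tunnel CONN PEER_ID < /var/log/syslog
# Judges the most recent negotiation in the input, prints one finding per
# problem, and returns 0 only if proposal, PSK auth and IKE_SA all check out.
check_tunnel() {
    awk -v conn="$1" -v peer="$2" -v want="$EXPECTED" '
    index($0, "[CFG] selected proposal: IKE:") { got = $NF; auth = 0; up = 0 }  # new negotiation
    index($0, "[IKE] authentication of \047" peer "\047 with pre-shared key successful") { auth = 1 }
    index($0, "but MAC mismatched") { print "PSK mismatch: " $0 }
    index($0, "[IKE] IKE_SA " conn "[") && index($0, "] established between") { up = 1 }
    END {
        if (got != want) print "IKE proposal: got \"" got "\", want \"" want "\""
        if (!auth) print "peer " peer " not authenticated"
        if (!up)   print "IKE_SA " conn " not established"
        exit !(got == want && auth && up)
    }'
}

# Excerpt of the successful log shown above.
sample_log() { cat <<'EOF'
Mar  6 11:35:57 ubuntu charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Mar  6 11:35:57 ubuntu charon: 10[IKE] authentication of 'mikrotik.xentoo.info' with pre-shared key successful
Mar  6 11:35:57 ubuntu charon: 10[IKE] IKE_SA mikrotik.xentoo.info[2] established between 1.2.3.4[ubuntu.xentoo.info]...6.7.8.9[mikrotik.xentoo.info]
EOF
}

# Constructed lines: a later negotiation in which the two PSKs do not match.
failed_log() { sample_log; cat <<'EOF'
Mar  6 12:01:02 ubuntu charon: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Mar  6 12:01:02 ubuntu charon: 12[IKE] tried 1 shared key for 'ubuntu.xentoo.info' - 'mikrotik.xentoo.info', but MAC mismatched
EOF
}

sample_log | check_tunnel mikrotik.xentoo.info mikrotik.xentoo.info && echo "tunnel OK"
```

Note that charon logs the peer identity without the fqdn: prefix, so the second argument is the bare hostname.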

2 Responses to IPsec tunnel between Ubuntu 20.04 and Mikrotik router using strongSwan

  1. acadea says:

    why bother with ipsec when wireguard is now included in the linux kernel and also available on routerOS v7+

  2. blogger says:

    RouterOS 7 was not stable when I wrote this post :-)
