tomasp-xyz / Networking

Anything networking-related, from concepts to my own learnings
https://tomasp-xyz.github.io/
GNU General Public License v3.0

[IPsec] Configuring various IPsec tunnels between Teltonika and Mikrotik devices #2

Closed tomasp-xyz closed 1 year ago

tomasp-xyz commented 1 year ago

This writeup is more of a note to myself, in case I forget what goes where but have to come back to it at some point. Additional tests probably will not be performed after each config example is added here, although I may revisit this issue at some point in time to provide more information on specific matters.

To save time and preserve relatively valuable information for future use, a few IPsec configuration examples shall be provided in this issue. As the title of this issue suggests, the issue will contain configuration examples based on Teltonika and Mikrotik devices. Each config example will be added as a separate comment to make things easier and more understandable. I will also try to detail what the running configuration looks like from a CLI perspective.

The list below is for each individual comment, in order:

  1. Simple configuration example between Teltonika and Mikrotik devices - LAN to LAN
  2. TBC...
tomasp-xyz commented 1 year ago

Simple configuration example between Teltonika and Mikrotik devices - LAN to LAN

This is a very simple configuration example for LAN to LAN IPsec-protected communication. The most notable information about this setup, which will be configured accordingly:

Teltonika side

root@Teltonika-RUTX12:~# cat /var/ipsec/ipsec.conf
# generated by /etc/init.d/ipsec
version 2

conn TLTside-TLTside_c
  left=%any
  right=10.10.10.2
  leftfirewall=yes
  rightfirewall=no
  ikelifetime=4h
  lifetime=1h
  margintime=9m
  keyingtries=3
  dpdaction=restart
  dpddelay=10s
  dpdtimeout=30s
  inactivity=180
  leftauth=psk
  rightauth=psk
  rightsubnet=10.10.35.0/24
  auto=start
  leftsubnet=192.168.12.0/24
  aggressive=no
  forceencaps=no
  type=tunnel
  keyexchange=ikev2
  esp=aes128gcm16-sha256-ecp256!
  ike=aes256-sha512-ecp521!
Screenshots + CLI stuff

![image](https://user-images.githubusercontent.com/108157159/219436693-8ea7aa00-e23a-4d44-898a-cd8e9c1ee6da.png)
![image](https://user-images.githubusercontent.com/108157159/219436738-58eab3f1-ce98-4c9c-99ed-be9cb0e31364.png)
![image](https://user-images.githubusercontent.com/108157159/219436774-6329476f-dc36-4ffe-a44b-862c1d9de52b.png)
![image](https://user-images.githubusercontent.com/108157159/219436810-55e41fad-f5d1-4ea3-a9cc-fe866b8a0934.png)
![image](https://user-images.githubusercontent.com/108157159/219436843-eea8f152-f999-4eba-88a8-e1188464e5ba.png)

```
root@Teltonika-RUTX12:~# uci show ipsec
ipsec.@ipsec[0]=ipsec
ipsec.@ipsec[0].rtinstall_enabled='1'
ipsec.TLTside=remote
ipsec.TLTside.transport='TLTside_c'
ipsec.TLTside._multiple_secrets='0'
ipsec.TLTside.authentication_method='psk'
ipsec.TLTside.pre_shared_key='0x566572795374726f6e67537472696e67313233'
ipsec.TLTside.gateway='10.10.10.2'
ipsec.TLTside.force_crypto_proposal='1'
ipsec.TLTside.enabled='1'
ipsec.TLTside.crypto_proposal='TLTside_ph1_1'
ipsec.TLTside_c=connection
ipsec.TLTside_c.local_firewall='1'
ipsec.TLTside_c.remote_firewall='0'
ipsec.TLTside_c.ikelifetime='4h'
ipsec.TLTside_c.defaultroute='0'
ipsec.TLTside_c.lifetime='1h'
ipsec.TLTside_c.mode='start'
ipsec.TLTside_c.comp_mode='0'
ipsec.TLTside_c.type='tunnel'
ipsec.TLTside_c.force_crypto_proposal='1'
ipsec.TLTside_c.forceencaps='0'
ipsec.TLTside_c.flush='0'
ipsec.TLTside_c.keyexchange='ikev2'
ipsec.TLTside_c.aggressive='0'
ipsec.TLTside_c.local_subnet='192.168.12.0/24'
ipsec.TLTside_c.dpdaction='restart'
ipsec.TLTside_c.crypto_proposal='TLTside_ph2_1'
ipsec.TLTside_c.dpdtimeout='30'
ipsec.TLTside_c._dpd='1'
ipsec.TLTside_c.remote_subnet='10.10.35.0/24'
ipsec.TLTside_c.dpddelay='10'
ipsec.TLTside_c.inactivity='180'
ipsec.TLTside_ph1_1=proposal
ipsec.TLTside_ph1_1.encryption_algorithm='aes256'
ipsec.TLTside_ph1_1.hash_algorithm='sha512'
ipsec.TLTside_ph1_1.dh_group='ecp521'
ipsec.TLTside_ph2_1=proposal
ipsec.TLTside_ph2_1.encryption_algorithm='aes128gcm16'
ipsec.TLTside_ph2_1.hash_algorithm='sha256'
ipsec.TLTside_ph2_1.dh_group='ecp256'
```

```
root@Teltonika-RUTX12:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.221, armv7l):
  uptime: 9 minutes, since Feb 07 15:49:47 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
  10.10.10.1
  192.168.12.1
  fd18:1b18:76d2::1
Connections:
TLTside-TLTside_c:  %any...10.10.10.2  IKEv2, dpddelay=10s
TLTside-TLTside_c:   local:  uses pre-shared key authentication
TLTside-TLTside_c:   remote: [10.10.10.2] uses pre-shared key authentication
TLTside-TLTside_c:   child:  192.168.12.0/24 === 10.10.35.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
TLTside-TLTside_c[1]: ESTABLISHED 9 minutes ago, 10.10.10.1[10.10.10.1]...10.10.10.2[10.10.10.2]
TLTside-TLTside_c[1]: IKEv2 SPIs: db2ddc1534a21217_i* 1da74d4198a77fa3_r, pre-shared key reauthentication in 3 hours
TLTside-TLTside_c[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
TLTside-TLTside_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca85ca0b_i 0fd5771e_o
TLTside-TLTside_c{1}:  AES_GCM_16_128, 17221080 bytes_i (509 pkts, 0s ago), 17341164 bytes_o (512 pkts, 0s ago), rekeying in 37 minutes
TLTside-TLTside_c{1}:   192.168.12.0/24 === 10.10.35.0/24
```

Mikrotik side

Screenshots + CLI stuff

Policies (what traffic to protect/accept)
![image](https://user-images.githubusercontent.com/108157159/219439751-878ce302-6d63-4455-86ef-8f8aeea9fad5.png)

Proposals (P2)
![image](https://user-images.githubusercontent.com/108157159/219439877-07045e27-96ab-4bdf-8641-78301153eb30.png)

Peers
![image](https://user-images.githubusercontent.com/108157159/219440051-90ea6762-42fc-485c-9db6-3df0df4c8491.png)

Identities
![image](https://user-images.githubusercontent.com/108157159/219440295-c0b35beb-1fa9-4e7b-821c-7c9a8b8b4989.png)

Profiles (P1)
![image](https://user-images.githubusercontent.com/108157159/219440369-409cc064-2894-4cba-8e84-be30afa876c8.png)

```
[admin@MTrb4011] /ip/ipsec> export
# nov/15/2022 17:15:58 by RouterOS 7.3.1
# software id = 1ED7-E1Z4
#
# model = RB4011iGS+
# serial number = ABCDEFGAAAAA
/ip ipsec policy group
add name=group1
/ip ipsec profile
set [ find default=yes ] dh-group=ecp384 dpd-interval=disable-dpd enc-algorithm=aes-128 lifetime=1h nat-traversal=no proposal-check=claim
add dh-group=ecp521 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha512 name=Secure1 nat-traversal=no prf-algorithm=sha512 proposal-check=exact
/ip ipsec peer
add address=10.10.10.1/32 exchange-mode=ike2 name=MKTside passive=yes profile=Secure1 send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-gcm lifetime=6h pfs-group=ecp256
/ip ipsec identity
add peer=MKTside policy-template-group=group1
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.12.0/24 peer=MKTside src-address=10.10.35.0/24 tunnel=yes
/ip ipsec settings
set accounting=no
```

```
[admin@MTrb4011] /ip/ipsec> active-peers/print
Flags: R - RESPONDER
Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
#   ID          STATE        UPTIME  PH2-TOTAL  REMOTE-ADDRESS
0 R 10.10.10.1  established  9m37s           1  10.10.10.1

[admin@MTrb4011] /ip/ipsec> installed-sa/print
Flags: S - SEEN-TRAFFIC; H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, ENC-ALGORITHM, ENC-KEY-SIZE
#      SPI         STATE   SRC-ADDRESS  DST-ADDRESS  ENC-ALGORITHM  ENC-KEY-SIZE
0 SHE  0x1C52108   mature  10.10.10.1   10.10.10.2   aes-gcm                 160
1 SHE  0xC81BA1A8  mature  10.10.10.2   10.10.10.1   aes-gcm                 160

[admin@MTrb4011] /ip/ipsec> peer/print
Flags: X - disabled; D - dynamic; R - responder
 0 R name="MKTside" address=10.10.10.1/32 passive=yes profile=Secure1 exchange-mode=ike2 send-initial-contact=no

[admin@MTrb4011] /ip/ipsec> profile/print
Flags: * - default
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=ecp384 lifetime=1h proposal-check=claim nat-traversal=no dpd-interval=disable-dpd
 1   name="Secure1" hash-algorithm=sha512 prf-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d proposal-check=exact nat-traversal=no dpd-interval=disable-dpd
```

Additional notes

Access to the Teltonika device (WebUI/SSH) isn't possible by default; the firewall prevents this

[admin@MTrb4011] > system/ssh address=192.168.12.1 src-address=10.10.35.1 user=root
connectHandler: Connection refused

Welcome back!
[admin@MTrb4011] > 

To make this work, on the Teltonika device we need to configure an extra traffic rule at Network > Firewall > Traffic rules. Add additional ports as needed, or modify them:


Rule in UCI format:

firewall.26=rule
firewall.26.proto='tcp'
firewall.26.name='permit-IPsec-INPUT'
firewall.26.target='ACCEPT'
firewall.26.priority='15'
firewall.26.src='wan'
firewall.26.extra='-m policy --dir in --pol ipsec'
firewall.26.utc_time='0'
firewall.26.dest_port='22' '443'
firewall.26.src_ip='10.10.35.0/24'
firewall.26.dest_ip='192.168.12.1'
firewall.26.enabled='1'

Rule in /etc/config/firewall file:

config rule '26'
        option proto 'tcp'
        option name 'permit-IPsec-INPUT'
        option target 'ACCEPT'
        option priority '15'
        option src 'wan'
        option extra '-m policy --dir in --pol ipsec'
        option utc_time '0'
        list dest_port '22'
        list dest_port '443'
        list src_ip '10.10.35.0/24'
        list dest_ip '192.168.12.1'
        option enabled '1'

Test using SSH client from Mikrotik after adding the rule:

[admin@MTrb4011] > system/ssh address=192.168.12.1 src-address=10.10.35.1 user=root
password:

BusyBox v1.34.1 (2023-02-07 12:46:36 UTC) built-in shell (ash)

   ____        _    ___  ____
  |  _ \ _   _| |_ / _ \/ ___|
  | |_) | | | | __| | | \___ \
  |  _ <| |_| | |_| |_| |___) |
  |_| \_\\__,_|\__|\___/|____/

 ---------------------------------
   Teltonika RUTX series 2023
 ---------------------------------
root@Teltonika-RUTX12:~# 

IPsec tunnel closes after a while (CHILD_SA deleted)

Two ways this can happen:

  1. Consequence of the "inactivity" configuration option (which I configured for this example on the Teltonika device)
  2. Other side (remote peer) deleting CHILD_SA for similar (or some other) reasons

In such cases, the following may be seen on the Teltonika side:

Relevant logs:

Tue Feb  7 17:06:51 2023 daemon.info ipsec: 07[JOB] deleting CHILD_SA after 180 seconds of inactivity
Tue Feb  7 17:06:51 2023 daemon.info ipsec: 07[IKE] closing CHILD_SA TLTside-TLTside_c{2} with SPIs cc19a101_i (252 bytes) 0eda418c_o (252 bytes) and TS 192.168.12.0/24 === 10.10.35.0/24
Tue Feb  7 17:06:51 2023 daemon.info ipsec: 07[IKE] sending DELETE for ESP CHILD_SA with SPI cc19a101
Tue Feb  7 17:06:51 2023 daemon.info ipsec: 05[IKE] CHILD_SA closed
Tue Feb  7 17:06:52 2023 local0.notice vpn: - 10.10.10.2 10.10.35.0/24 == 10.10.10.2 -- 10.10.10.1 == 192.168.12.0/24

IPsec now has no CHILD_SA for its IKE_SA

root@Teltonika-RUTX12:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.221, armv7l):
  uptime: 3 minutes, since Feb 07 17:03:38 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
  10.10.10.1
  192.168.12.1
  fd18:1b18:76d2::1
Connections:
TLTside-TLTside_c:  %any...10.10.10.2  IKEv2, dpddelay=10s
TLTside-TLTside_c:   local:  uses pre-shared key authentication
TLTside-TLTside_c:   remote: [10.10.10.2] uses pre-shared key authentication
TLTside-TLTside_c:   child:  192.168.12.0/24 === 10.10.35.0/24 TUNNEL, dpdaction=restart
Routed Connections:
TLTside-TLTside_c{1}:  ROUTED, TUNNEL, reqid 1
TLTside-TLTside_c{1}:   192.168.12.0/24 === 10.10.35.0/24
Security Associations (1 up, 0 connecting):
TLTside-TLTside_c[1]: ESTABLISHED 3 minutes ago, 10.10.10.1[10.10.10.1]...10.10.10.2[10.10.10.2]
TLTside-TLTside_c[1]: IKEv2 SPIs: 7e44d7fc58612eff_i* 5eed6d2441b0c348_r, pre-shared key reauthentication in 3 hours
TLTside-TLTside_c[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521

DPD checks for an active IKE_SA, not a CHILD_SA. It is suggested to use "Routed" mode on the Teltonika device in such cases.


When interesting traffic is detected (as in, when we try to reach the 10.10.35.0/24 subnet), charon will "trap" packets temporarily and will attempt to re-establish the IPsec CHILD_SA. This also prevents leaking interesting-traffic packets while rekeys are happening.

root@Teltonika-RUTX12:~# ping 10.10.35.1
PING 10.10.35.1 (10.10.35.1): 56 data bytes
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 04[KNL] creating acquire job for policy 192.168.12.1/32[icmp/8] === 10.10.35.1/32[icmp/8] with reqid {1}
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 06[IKE] establishing CHILD_SA TLTside-TLTside_c{3} reqid 1
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 06[ENC] generating CREATE_CHILD_SA request 31 [ SA No KE TSi TSr ]
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 06[NET] sending packet: from 10.10.10.1[500] to 10.10.10.2[500] (320 bytes)
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 10[NET] received packet: from 10.10.10.2[500] to 10.10.10.1[500] (400 bytes)
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 10[ENC] parsed CREATE_CHILD_SA response 31 [ No KE TSi TSr SA ]
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 10[CFG] selected proposal: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ
Tue Feb  7 17:08:50 2023 daemon.info ipsec: 10[IKE] CHILD_SA TLTside-TLTside_c{3} established with SPIs c92165f8_i 0752b796_o and TS 192.168.12.0/24 === 10.10.35.0/24
Tue Feb  7 17:08:50 2023 local0.notice vpn: + 10.10.10.2 10.10.35.0/24 == 10.10.10.2 -- 10.10.10.1 == 192.168.12.0/24
64 bytes from 10.10.35.1: seq=1 ttl=64 time=0.981 ms
...ping continues...
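The following is an added example and is not part of the issue, nor of Teltonika or MikroTik firmware: a Python script that parses the proposal lines of `uci show ipsec` and the profile/proposal lines of a RouterOS `/ip/ipsec export` (the two inline samples are copied from the outputs posted above) and reports every algorithm the two sides do not agree on. The RouterOS-to-strongSwan name mapping, the decision to treat `prf-algorithm=auto` as compatible, and the names `cross_check`, `check_ike` and `check_esp` are my own assumptions, not anything the firmware provides.

```python
"""Cross-check IKE (phase 1) and ESP (phase 2) proposals of a Teltonika/strongSwan UCI
config against a MikroTik RouterOS `/ip ipsec` export. Added example, not from the issue."""
import re

# Constructed sample: the proposal lines of `uci show ipsec` posted above (Teltonika side).
UCI_IPSEC = """\
ipsec.TLTside_ph1_1=proposal
ipsec.TLTside_ph1_1.encryption_algorithm='aes256'
ipsec.TLTside_ph1_1.hash_algorithm='sha512'
ipsec.TLTside_ph1_1.dh_group='ecp521'
ipsec.TLTside_ph2_1=proposal
ipsec.TLTside_ph2_1.encryption_algorithm='aes128gcm16'
ipsec.TLTside_ph2_1.hash_algorithm='sha256'
ipsec.TLTside_ph2_1.dh_group='ecp256'
"""

# Constructed sample: the profile/proposal lines of `/ip/ipsec export` posted above (MikroTik side).
ROUTEROS_EXPORT = """\
/ip ipsec profile
set [ find default=yes ] dh-group=ecp384 dpd-interval=disable-dpd enc-algorithm=aes-128 lifetime=1h nat-traversal=no proposal-check=claim
add dh-group=ecp521 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha512 name=Secure1 nat-traversal=no prf-algorithm=sha512 proposal-check=exact
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-gcm lifetime=6h pfs-group=ecp256
"""

# RouterOS algorithm spellings -> strongSwan keywords (ike=/esp= syntax). Assumed mapping;
# DH/PFS group names (ecp256, ecp521, modp2048, ...) are spelled the same on both sides.
ROS_TO_SWAN = {
    "aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256",
    "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
    "aes-128-gcm": "aes128gcm16", "aes-192-gcm": "aes192gcm16", "aes-256-gcm": "aes256gcm16",
}

def parse_uci_proposals(text):
    """{proposal name: {option: value}} for every `proposal` section of `uci show ipsec`."""
    props = {}
    for line in text.splitlines():
        if m := re.match(r"ipsec\.(\w+)=proposal$", line):
            props[m.group(1)] = {}
        elif (m := re.match(r"ipsec\.(\w+)\.(\w+)='([^']*)'", line)) and m.group(1) in props:
            props[m.group(1)][m.group(2)] = m.group(3)
    return props

def parse_routeros(text):
    """{section: [ {key: value}, ... ]} for the `/ip ipsec <section>` blocks of an export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/ip ipsec "):
            current = line[len("/ip ipsec "):]
            sections.setdefault(current, [])
        elif current and line[:4] in ("add ", "set "):
            body = re.sub(r"\[[^\]]*\]", "", line[4:])   # drop `[ find default=yes ]`
            body = re.sub(r"^\s*\d+\s", "", body)        # drop the item number of `set 0 ...`
            sections[current].append(dict(t.split("=", 1) for t in body.split() if "=" in t))
    return sections

def ros_set(entry, key):
    """RouterOS list options are comma separated; return them normalized to strongSwan names."""
    return {ROS_TO_SWAN.get(v, v) for v in entry.get(key, "").split(",") if v}

def swan_string(p):
    """Render a UCI proposal the way the firmware writes it into ipsec.conf ('!' = offer only this)."""
    return f"{p['encryption_algorithm']}-{p['hash_algorithm']}-{p['dh_group']}!"

def check_ike(uci, profile):
    """Phase 1: strongSwan `ike=` proposal vs RouterOS profile. Returns mismatch descriptions."""
    issues = []
    for swan_key, ros_key in (("encryption_algorithm", "enc-algorithm"),
                              ("hash_algorithm", "hash-algorithm"),
                              ("dh_group", "dh-group")):
        if uci[swan_key] not in ros_set(profile, ros_key):
            issues.append(f"IKE {swan_key}={uci[swan_key]} vs RouterOS {ros_key}={profile.get(ros_key)}")
    # strongSwan derives the PRF from the hash keyword (PRF_HMAC_SHA2_512 in the status output
    # above); RouterOS configures it separately. 'auto' is assumed compatible here.
    prf = profile.get("prf-algorithm", "auto")
    if prf not in ("auto", uci["hash_algorithm"]):
        issues.append(f"IKE PRF: strongSwan {uci['hash_algorithm']} vs RouterOS prf-algorithm={prf}")
    return issues

def check_esp(uci, proposal):
    """Phase 2: strongSwan `esp=` proposal vs RouterOS proposal."""
    issues = []
    if uci["encryption_algorithm"] not in ros_set(proposal, "enc-algorithms"):
        issues.append(f"ESP encryption_algorithm={uci['encryption_algorithm']} vs RouterOS enc-algorithms={proposal.get('enc-algorithms')}")
    # GCM is AEAD: strongSwan drops the integrity algorithm for it (the log above negotiates
    # ESP:AES_GCM_16_128/ECP_256 with no HMAC), so only compare it for non-AEAD ciphers.
    if "gcm" not in uci["encryption_algorithm"] and uci["hash_algorithm"] not in ros_set(proposal, "auth-algorithms"):
        issues.append(f"ESP hash_algorithm={uci['hash_algorithm']} vs RouterOS auth-algorithms={proposal.get('auth-algorithms')}")
    if uci["dh_group"] != proposal.get("pfs-group", "none"):
        issues.append(f"ESP dh_group={uci['dh_group']} vs RouterOS pfs-group={proposal.get('pfs-group', 'none')}")
    return issues

def cross_check(uci_text, ros_text, ph1="TLTside_ph1_1", ph2="TLTside_ph2_1", profile_name="Secure1"):
    """Empty list means both phases line up; otherwise each entry names one mismatch."""
    props, ros = parse_uci_proposals(uci_text), parse_routeros(ros_text)
    profile = next(p for p in ros["profile"] if p.get("name") == profile_name)
    proposal = ros["proposal"][0]          # the MikroTik side above uses the default proposal
    return check_ike(props[ph1], profile) + check_esp(props[ph2], proposal)

if __name__ == "__main__":
    props = parse_uci_proposals(UCI_IPSEC)
    print("ike=" + swan_string(props["TLTside_ph1_1"]), "esp=" + swan_string(props["TLTside_ph2_1"]))
    print("\n".join(cross_check(UCI_IPSEC, ROUTEROS_EXPORT) or ["proposals match"]))
```

Because the Teltonika firmware writes the proposal with a trailing `!`, strongSwan offers exactly that one combination, so a single entry in the list returned by `cross_check` is enough to keep the tunnel from coming up. Running it against the two exports above yields `ike=aes256-sha512-ecp521!` and `esp=aes128gcm16-sha256-ecp256!`, the same values the generated `/var/ipsec/ipsec.conf` shows, and no mismatches.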
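Also an added example, not from the issue: a small Python health check that recognises the state shown above (IKE_SA `ESTABLISHED`, only a `ROUTED` trap policy, no `INSTALLED` CHILD_SA) in `ipsec statusall` output and ties it to the `deleting CHILD_SA after N seconds of inactivity` syslog line. The inline samples are constructed by trimming the outputs in this comment; the regexes and the function names `parse_statusall`, `child_sa_missing`, `inactivity_closures` and `diagnose` are mine. On the RUTX itself the same functions could be fed the output of `ipsec statusall` and `logread` (standard OpenWrt tools; the hookup to them is assumed, not shown).

```python
"""Health check for strongSwan `ipsec statusall` output plus syslog: flag connections whose
IKE_SA is ESTABLISHED but which have no INSTALLED CHILD_SA (the state this issue shows
after the 180 s inactivity timer fired). Added example, not from the issue."""
import re

# Constructed sample, trimmed from the `ipsec statusall` posted above after the CHILD_SA closed.
STATUS_NO_CHILD = """\
Connections:
TLTside-TLTside_c:  %any...10.10.10.2  IKEv2, dpddelay=10s
TLTside-TLTside_c:   child:  192.168.12.0/24 === 10.10.35.0/24 TUNNEL, dpdaction=restart
Routed Connections:
TLTside-TLTside_c{1}:  ROUTED, TUNNEL, reqid 1
TLTside-TLTside_c{1}:   192.168.12.0/24 === 10.10.35.0/24
Security Associations (1 up, 0 connecting):
TLTside-TLTside_c[1]: ESTABLISHED 3 minutes ago, 10.10.10.1[10.10.10.1]...10.10.10.2[10.10.10.2]
TLTside-TLTside_c[1]: IKEv2 SPIs: 7e44d7fc58612eff_i* 5eed6d2441b0c348_r, pre-shared key reauthentication in 3 hours
"""

# Constructed sample, trimmed from the first `ipsec statusall` above, while traffic was flowing.
STATUS_UP = """\
Security Associations (1 up, 0 connecting):
TLTside-TLTside_c[1]: ESTABLISHED 9 minutes ago, 10.10.10.1[10.10.10.1]...10.10.10.2[10.10.10.2]
TLTside-TLTside_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca85ca0b_i 0fd5771e_o
TLTside-TLTside_c{1}:  AES_GCM_16_128, 17221080 bytes_i (509 pkts, 0s ago), 17341164 bytes_o (512 pkts, 0s ago), rekeying in 37 minutes
"""

# Constructed sample: the syslog lines posted above for the inactivity close.
SYSLOG = """\
Tue Feb  7 17:06:51 2023 daemon.info ipsec: 07[JOB] deleting CHILD_SA after 180 seconds of inactivity
Tue Feb  7 17:06:51 2023 daemon.info ipsec: 07[IKE] closing CHILD_SA TLTside-TLTside_c{2} with SPIs cc19a101_i (252 bytes) 0eda418c_o (252 bytes) and TS 192.168.12.0/24 === 10.10.35.0/24
Tue Feb  7 17:06:51 2023 daemon.info ipsec: 07[IKE] sending DELETE for ESP CHILD_SA with SPI cc19a101
Tue Feb  7 17:06:51 2023 daemon.info ipsec: 05[IKE] CHILD_SA closed
"""

# `name[N]: STATE` lines describe IKE_SAs, `name{N}: STATE` lines describe CHILD_SAs.
IKE_RE = re.compile(r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>ESTABLISHED|CONNECTING)")
CHILD_RE = re.compile(r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>INSTALLED|REKEYING|REKEYED|ROUTED)")

def parse_statusall(text):
    """{conn: {"ike": established IKE_SA ids, "installed": CHILD_SA ids, "routed": trap-policy ids}}."""
    conns = {}
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            c = conns.setdefault(m["conn"], {"ike": set(), "installed": set(), "routed": set()})
            if m["state"] == "ESTABLISHED":
                c["ike"].add(int(m["id"]))
        elif m := CHILD_RE.match(line):
            c = conns.setdefault(m["conn"], {"ike": set(), "installed": set(), "routed": set()})
            c["routed" if m["state"] == "ROUTED" else "installed"].add(int(m["id"]))
    return conns

def child_sa_missing(status_text):
    """Connections with an ESTABLISHED IKE_SA but no CHILD_SA (at most a trap policy is left)."""
    return sorted(n for n, c in parse_statusall(status_text).items() if c["ike"] and not c["installed"])

def inactivity_closures(syslog_text):
    """(connection, seconds) for each CHILD_SA charon deleted because its `inactivity` timer expired."""
    out, pending = [], None
    for line in syslog_text.splitlines():
        if m := re.search(r"deleting CHILD_SA after (\d+) seconds of inactivity", line):
            pending = int(m.group(1))        # the connection name follows in the next [IKE] line
        elif (m := re.search(r"closing CHILD_SA ([\w-]+)\{\d+\}", line)) and pending is not None:
            out.append((m.group(1), pending))
            pending = None
    return out

def diagnose(status_text, syslog_text):
    """One finding per connection that is up at IKE level but has no CHILD_SA to carry traffic."""
    closures = dict(inactivity_closures(syslog_text))
    findings = []
    for conn in child_sa_missing(status_text):
        if conn in closures:
            why = (f"CHILD_SA deleted by the inactivity timer ({closures[conn]} s); DPD only watches "
                   "the IKE_SA, so dpdaction=restart will not bring it back")
        else:
            why = "CHILD_SA gone; check the remote peer's logs for the DELETE"
        findings.append(f"{conn}: IKE_SA ESTABLISHED but no CHILD_SA INSTALLED. {why}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(STATUS_NO_CHILD, SYSLOG) or ["all CHILD_SAs installed"]))
```

The check deliberately counts a `ROUTED` entry as "no CHILD_SA": a trap policy means the next matching packet will trigger a `CREATE_CHILD_SA` (as the ping above shows), but until then nothing is being protected, which is the condition a monitor should report rather than the `ESTABLISHED` IKE_SA alone.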