My adventure on MikroTik

Posted under tech On By xpk

Recently, I came across the MikroTik routers and so happen I need to troubleshoot a site-to-site VPN issue. MikroTik providers the RouterOS for anyone to install in a virtual environment. There is also an AMI on AWS. Here I’ll demonstrate how to get it to connect to AWS VPN in no time.

First thing first, setup a customer gateway, transit gateway, and VPN connection on AWS. In this example, I’ll be using customized tunnel options. The default ones are quite weak in terms of cipher choices. These are the options I used:

Now we are ready for MikroTik. Just search for mikrotik in the AMI page, launch an ec2 instance and attach an EIP to it. t3.small is more than enough. Once launched, ssh to the instance with the ssh key.

First we want to set a password and configure an IP on the instance, so we can manage it through the web console. We also want to enable https on the web console.

/ip address add address= interface=ether1
/system identity set name=mikrotik

add name=root-cert common-name=RouterOSCA days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=RouterOS days-valid=365
sign ca=root-cert https-cert
/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes

Once that’s done, go to https://eip-of-your-instance and setup an IPsec profile. Go to IP > IPsec > Profiles, edit the default profile so it matches with the AWS VPN tunnel options

Similarly, create an IPsec proposal. Go to IP > IPsec > Proposals and edit the default one

Next, setup the IPsec peers. Go to IP > IPsec > peers, create 2 peers.

For the two peers, enter the pre-shared keys by going to IP > IPsec > Identities

Next, setup IPsec policies. Go to IP > IPsec > Policies. Create policies for the outside IPs

Then the inside IPs. Notice the SA source addresses need to be the private IP of the ec2 instance

Next, configure BGP routing. Go to Routing > BGP > Peers. My transit gateway on AWS side uses AS 65080

Configure AS number for the MikroTik side. Go to Routing > BGP > Instances. Enter the router id and the customer gateway AS number. I’m using 65123.

Advertise the private subnets on the MikroTik side. Go to Routing > BGP > Networks

In a few moments, the tunnel and BGP status will be UP on the AWS console. To check the propagated routes, go to Routing > BGP > Advertisements. I can see routes from AS 65080 as well as 64277 which is another VPN attached to the same transit gateway.

At this point, the connectivity is established. Remember to configure the VPC subnet route tables, send to transit gateway. Also edit the security groups on instances you want to access. That’s it!

Thank you for reading this long post. Hope that’s useful.

 161 total views,  2 views today

Leave a comment

Your email address will not be published. Required fields are marked *