Recently, I came across the MikroTik routers and so happen I need to troubleshoot a site-to-site VPN issue. MikroTik providers the RouterOS for anyone to install in a virtual environment. There is also an AMI on AWS. Here I’ll demonstrate how to get it to connect to AWS VPN in no time.
First thing first, setup a customer gateway, transit gateway, and VPN connection on AWS. In this example, I’ll be using customized tunnel options. The default ones are quite weak in terms of cipher choices. These are the options I used:
Now we are ready for MikroTik. Just search for mikrotik in the AMI page, launch an ec2 instance and attach an EIP to it. t3.small is more than enough. Once launched, ssh to the instance with the ssh key.
First we want to set a password and configure an IP on the instance, so we can manage it through the web console. We also want to enable https on the web console.
/password /ip address add address=192.168.200.160/24 interface=ether1 /system identity set name=mikrotik /certificate add name=root-cert common-name=RouterOSCA days-valid=3650 key-usage=key-cert-sign,crl-sign sign root-cert add name=https-cert common-name=RouterOS days-valid=365 sign ca=root-cert https-cert /ip service set www-ssl certificate=https-cert disabled=no set www disabled=yes
Once that’s done, go to https://eip-of-your-instance and setup an IPsec profile. Go to IP > IPsec > Profiles, edit the default profile so it matches with the AWS VPN tunnel options
Similarly, create an IPsec proposal. Go to IP > IPsec > Proposals and edit the default one
Next, setup the IPsec peers. Go to IP > IPsec > peers, create 2 peers.
For the two peers, enter the pre-shared keys by going to IP > IPsec > Identities
Next, setup IPsec policies. Go to IP > IPsec > Policies. Create policies for the outside IPs
Then the inside IPs. Notice the SA source addresses need to be the private IP of the ec2 instance
Next, configure BGP routing. Go to Routing > BGP > Peers. My transit gateway on AWS side uses AS 65080
Configure AS number for the MikroTik side. Go to Routing > BGP > Instances. Enter the router id and the customer gateway AS number. I’m using 65123.
Advertise the private subnets on the MikroTik side. Go to Routing > BGP > Networks
In a few moments, the tunnel and BGP status will be UP on the AWS console. To check the propagated routes, go to Routing > BGP > Advertisements. I can see routes from AS 65080 as well as 64277 which is another VPN attached to the same transit gateway.
At this point, the connectivity is established. Remember to configure the VPC subnet route tables, send 192.168.220.0/24 to transit gateway. Also edit the security groups on instances you want to access. That’s it!
Thank you for reading this long post. Hope that’s useful.
161 total views, 2 views today