I'm currently doing battle with an AWS VPN (and many thanks to those people here who have helped me; I can't name names, but they know who they are). I've got it working, but there are a couple of things I don't understand.

One thing that the AWS doco mentions is "tunnel interfaces" and it is clear from the various sample configurations for other platforms that the common way to do this is to set up a virtual interface at the ends of the tunnel. ASCII art coming up:

    REALIP                                                      REALIP
    ----------------------- VIP -------------------------------- VIP -----------------------

The tunnel proper is between the two real IPs; these are globally routable IP addresses. In my test setup, they are my router's outside address 1.2.3.4, and an Amazon address 2.3.4.5. Amazon also provides the two VIPs - which it calls "inside addresses" and suggests should be placed on "tunnel interfaces". I've just stuck them on the same interfaces as the real IPs, and it works fine.

But is there some way to set up a virtual interface that would work the way Amazon seems to intend? It would be nicer not to have the outside interface festooned with private addresses.

By analogy, look at a GRE interface. That's a virtual interface that forms a network with the other end of the GRE tunnel. Traffic can be routed across a GRE tunnel. I tried creating a bridge interface, but could see no way to associate it with the IPsec tunnel. EoIP, IPIP and GRE are about the only tunnel interface types I can think of off the top of my head, but they all require cooperation at the other end. AWS is fully automated - what you get is what you get.

Am I not understanding IPsec, or not understanding RouterOS? Any ideas most welcome. Or pointers to good explanations :-)

Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774 Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB
Hi Karl, are you actually creating a VPN or is it just some type of tunnel? You can create a virtual ethernet interface in RouterOS, perhaps this is what you are looking for, but my thoughts would have been around a bridge interface.

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Saturday, 25 June 2016 6:49 PM
To: MikroTik Public
Subject: [MT-AU Public] virtual interfaces in ROS?
On Sat, 2016-06-25 at 20:09 +1000, Paul Julian wrote:
> Hi Karl, are you actually creating a VPN or is it just some type of tunnel?
Amazon calls it a VPN. The remote end is an AWS VPC (private addressing only), the local end is my MikroTik router with my home network behind it. An IPsec tunnel joins them. Is that a VPN or just some type of tunnel? :-)
> You can create a virtual ethernet interface in RouterOS, perhaps this is what you are looking for, but my thoughts would have been around a bridge interface.
Yes - the issue is "connecting" these to the IPsec tunnel.

Amazon supplies an "outside" address and an "inside" address for the AWS end. The "outside" address at my end is my router's Internet-facing interface address, and Amazon provides an "inside" address for my end. The two "inside" addresses are from the same /30 IPv4 network.

Key point: Traffic for the remote VPC must be routed over the "inside" address at the AWS end.

The way I originally had it working was simply to place my "inside" address on the same interface as my "outside" address. Worked fine; I had an IPsec policy that covered traffic from my "inside" address to the AWS "inside" address, an IPsec policy that covered traffic from anywhere to the remote VPC, and a static route that sent traffic for the VPC via the AWS "inside" address.

But I've done some more experimenting and it seems that I don't need to configure the "inside" addresses supplied by Amazon at all! I widened the IPsec policy for traffic to the AWS "inside address" to cover any source, removed the local "inside" address completely, and everything still works just fine.

But I'd still like to know whether it's possible to somehow attach a virtual interface of some sort to an IPsec tunnel.

Regards, K.
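The policy-plus-static-route layout Karl describes above, written out as an added RouterOS 6 configuration example (not from the thread, and not AWS's or MikroTik's own sample). The outside addresses 1.2.3.4 and 2.3.4.5 come from the thread; the 169.254.10.0/30 inside pair, the 10.0.0.0/16 VPC range, the 192.168.1.0/24 LAN, ether1 and the pre-shared key are placeholders, and the VPC policy's source selector is deliberately kept to the LAN rather than "any".

```routeros
# Added example (not from the thread): one AWS VPN tunnel on RouterOS 6,
# laid out as two policies plus a static route via the AWS "inside" address.
# Placeholders: 169.254.10.1 (AWS inside), 169.254.10.2 (local inside),
# 10.0.0.0/16 (VPC CIDR), 192.168.1.0/24 (local LAN), ether1 (WAN port),
# the pre-shared key. 1.2.3.4 / 2.3.4.5 are the "outside" addresses from the thread.

# Phase 1 peer. Algorithms and lifetimes must match the configuration file
# AWS generates for the tunnel; DPD lets the router notice a dead tunnel.
/ip ipsec peer add address=2.3.4.5/32 local-address=1.2.3.4 exchange-mode=main \
    secret="REPLACE_WITH_AWS_PSK" enc-algorithm=aes-128 hash-algorithm=sha1 \
    dh-group=modp1024 lifetime=8h dpd-interval=10s dpd-maximum-failures=3

# Phase 2 proposal, referenced by both policies below.
/ip ipsec proposal add name=aws-t1 auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc pfs-group=modp1024 lifetime=1h

# Local "inside" address, placed on the WAN interface as Karl did.
/ip address add address=169.254.10.2/30 interface=ether1 comment="aws-t1 inside"

# Policy 1: the /30 between the two inside addresses, so the router itself
# can reach (and ping) the AWS inside address through the tunnel.
/ip ipsec policy add src-address=169.254.10.2/32 dst-address=169.254.10.1/32 \
    sa-src-address=1.2.3.4 sa-dst-address=2.3.4.5 tunnel=yes action=encrypt \
    proposal=aws-t1 comment="aws-t1-inside"

# Policy 2: LAN to VPC. Source selector limited to the LAN rather than "any",
# so only traffic that is meant to enter the VPC is ever matched.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=10.0.0.0/16 \
    sa-src-address=1.2.3.4 sa-dst-address=2.3.4.5 tunnel=yes action=encrypt \
    proposal=aws-t1 comment="aws-t1-vpc"

# Static route: VPC traffic is sent toward the AWS inside address; the policy
# then matches it on output and encapsulates it to 2.3.4.5.
/ip route add dst-address=10.0.0.0/16 gateway=169.254.10.1 comment="vpc via aws-t1"

# Two things a masquerading home router usually also needs:
# 1. exempt LAN->VPC traffic from srcnat, otherwise the policy never sees
#    the LAN source address (the rule must sit before the masquerade rule);
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    dst-address=10.0.0.0/16 action=accept place-before=0 comment="no NAT to VPC"
# 2. allow IKE and ESP from the AWS endpoint only, not from anywhere.
/ip firewall filter add chain=input src-address=2.3.4.5 protocol=udp \
    dst-port=500,4500 action=accept comment="aws IKE"
/ip firewall filter add chain=input src-address=2.3.4.5 protocol=ipsec-esp \
    action=accept comment="aws ESP"
```

After applying it, /ip ipsec installed-sa print should show a pair of SAs to 2.3.4.5 once LAN traffic or a ping to 169.254.10.1 triggers negotiation.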
Mmm, interesting situation, I can't think what you would do really. IPSEC doesn't have an interface as such like PPTP for example; I don't know what the reason could be either that AWS want that or how it would work. IPSEC is IPSEC, it simply encrypts the traffic between the endpoints based on your policy, why you would need some type of other address at either end is a bit strange. Glad you got it sorted though, perhaps somebody else might know a bit more about such a situation and be able to provide more advice.

Regards
Paul
I can't remember exactly how I did it, but I think I used an IPIP Tunnel in conjunction with AWS's VPN.
On Sat, 2016-06-25 at 21:39 +0800, Russell Hurren wrote:
> I can't remember exactly how I did it, but I think I used an IPIP Tunnel in conjunction with AWS's VPN.
It would be extremely useful if you *could* remember exactly how you did it... :-)

My understanding of IPIP is that the other end needs to be configured to match it. Amazon's VPN setup doco definitely does not mention IPIP.

Regards, K.
Unfortunately I did it 2 years ago and then wiped out the configuration now that I'm not using EC2 anymore. Going through some old emails, I found this: http://rant.gulbrandsen.priv.no/amazon/mikrotik-aws-ipsec

I may be thinking of something else I did around the same time using IPIP tunnels. I'll have a closer look at the documentation and see if I can dig up any notes I might have left myself. I do remember that it only works with a single tunnel...
On Sun, 2016-06-26 at 21:23 +0800, Russell Hurren wrote:
> Unfortunately I did it 2 years ago and then wiped out the configuration now that I'm not using EC2 anymore. Going through some old emails, I found this: http://rant.gulbrandsen.priv.no/amazon/mikrotik-aws-ipsec
Yes - that's a useful article.
> I'll have a closer look at the documentation and see if I can dig up any notes I might have left myself. I do remember that it only works with a single tunnel...
Yes - MikroTik doesn't permit two different policies to apply to the same data. If you try, it disables one. But I found I could switch between the two quite easily by disabling the working one, enabling the disabled one, then flushing the installed security associations.

Since the only reason you would ever need to switch would be if the one you were using failed, it's a good candidate for a little script to monitor the remote endpoint and switch if it becomes unreachable.

Regards, K.
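A monitoring script along the lines Karl sketches above, added here as an example (not Karl's, MikroTik's or AWS's own code). It assumes RouterOS 6 syntax, that each tunnel's two policies carry comments starting with aws-t1 or aws-t2 (for example "aws-t1-inside" and "aws-t1-vpc"), and that 169.254.10.1 and 169.254.11.1 are placeholder AWS inside addresses; it is meant to be run from /system scheduler.

```routeros
# Added example (not from the thread): fail over between two AWS tunnel
# policy sets when the active AWS "inside" address stops replying.
# Assumptions: RouterOS 6; policies commented "aws-t1-inside"/"aws-t1-vpc"
# and "aws-t2-inside"/"aws-t2-vpc"; the AWS inside addresses below are
# placeholders. Schedule it every 30s or so with read, write, policy and test rights.

:local t1Peer 169.254.10.1
:local t2Peer 169.254.11.1

# Work out which policy set is live from the state of its VPC policy.
:local activeTag "aws-t1"
:local standbyTag "aws-t2"
:local activePeer $t1Peer
:if ([/ip ipsec policy get [find comment="aws-t1-vpc"] disabled]) do={
    :set activeTag "aws-t2"
    :set standbyTag "aws-t1"
    :set activePeer $t2Peer
}
:local activeRe ("^" . $activeTag)
:local standbyRe ("^" . $standbyTag)

# Probe the live tunnel; /ping returns the number of replies received.
:local replies [/ping $activePeer count=5 interval=1s]

:if ($replies = 0) do={
    :log warning ("AWS tunnel " . $activeTag . " down, switching to " . $standbyTag)
    # Only one policy set may be enabled at a time: RouterOS disables a
    # second policy that matches the same traffic, so disable first, then enable.
    /ip ipsec policy set [find comment~$activeRe] disabled=yes
    /ip ipsec policy set [find comment~$standbyRe] disabled=no
    # Drop the SAs negotiated for the old tunnel so fresh ones are
    # negotiated for the newly enabled policies.
    /ip ipsec installed-sa flush
} else={
    :log debug ("AWS tunnel " . $activeTag . " up, " . $replies . "/5 replies")
}
# If both tunnels are down the script alternates between them on each run;
# that is harmless, and the warning log lines show the flapping.
```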
Participants (3): Karl Auer, Paul Julian, Russell Hurren