Mikrotik Tutorial no. 38 - Site to Site IPSec VPN Tunnel Configuration in Mikrotik

Captions
Hello everyone, welcome back to another tutorial from Lam my to the contradictions race to this. The topic is about site-to-site IPSec VPN. So now that we've been due to really look: what is IPSec? Internet Protocol Security (IPSec) is a protocol suite defined by the IETF (Internet Engineering Task Force) to secure IP communication over unprotected networks such as the internet overlays line. This suite is an open standard, so it works on cross platform security, so you can have a connection from MikroTik to Cisco or Juniper or another IPSec router or firewall.

The IPSec protocol suite can be divided into three groups: IKE (Internet Key Exchange), AH (Authentication Header) and ESP (Encapsulating Security Payload). IKE (Internet Key Exchange) is a system that provides keying material for the ISAKMP (Internet Security Association and Key Management Protocol) framework. This basically provides a means for authentication and automatic management of SAs. What is an SA? A Security Association, and a rule is actually associated with SAs (Security Associations) that specify what and how data is encrypted. AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on values in the datagram. And Encapsulating Security Payload uses shared-key encryption to provide data privacy. There are entire books dedicated to IPSec, so I will not cover all the ins and outs of IPSec technology. I assume you will read more about it before you configure it.

Let's dig into the configuration. Let me show you an illustration. This is pretty much it: you see two remote offices connected to the internet. The router configuration is very simple: we've got a WAN IP and a LAN IP on both routers. You can see the public IP address, and the local address is the LAN address for this particular network, before out to the Internet, NATting for LAN IPs. Now I will see if I can ping the WAN-facing IP address from the opposite end, the other router. It's best practice to check if both of them can ping each other before you configure the IPSec tunnel. So log in to these two routers, wanna stay clip taka and one is taking absurdity. From the new terminal, 1 6 8. OK, I can ping to that far end. Yes, so we have WAN-level connectivity on both routers. The offices make a secure tunnel to the local networks behind the routers. OK, from the hurricane.

Now we will configure IPSec. First we go to the IPSec menu from this router: IP, then IPSec. You see some new tabs here. In the new version MikroTik really changed the IPSec menu, and it tends to change what you do with IPSec over time, so if you do it in an older version, this version will look a lot different. I'm currently using version 6.44.5 ruble with, but the basic thing is still the same: you are still going to add a peer, a pre-shared key and a proposal for your encryption policy. The menu might look different, but it doesn't change the setup gain IPSec.

We start off with creating the phase 1 profile and then the phase 2 proposal. We'll use stronger encryption parameters for both menus, and here you specify the authentication algorithm, Diffie-Hellman group and encryption parameters. Make separate entries for both menus; we will do it now as we go. Phase one is the profile. We will not change the name; you can change the name or you can add another one if you want. Hashing algorithm you will not use the session English I want this. Better not use 3DES; we use AES-256 and 1024, which is actually the group 2 Diffie-Hellman group. Keep it default. Lifetime one day, it's fine. Other settings the same. So we'll go to this router and do the exact same thing. IPSec, the profile: hash algorithm SHA-1 and encryption algorithm AES-256, Diffie-Hellman 1024, which is group 2. OK, lifetime is one day, fine. Apply, OK.

Now we will go to the phase two proposals. We still keep this default, but we will change the parameters here. Authentication algorithm SHA-1, fine. Encryption algorithm: we will keep AES-256 CBC. And lifetime we will change: these sturdy means we will change it to 8 hours. This is 8 hours. if it's blue default is fine. Go to this router, click on the proposal tab, click on it: 256 CBC, this one is 8 hours, keep the same. These parameters must match between the sides, otherwise the connection will not establish.

Now we will go to the Peers tab. OK, fine, and we have to add peers. You can keep the default name or you can change it to any name you want: tickle absurdity. In address reporter I'm excited with so what is your side of this did not stick six body. Port: what you can split a 504, you can keep the default; the default is 500. And profile: we didn't set any name, so it will show only the default profile. Exchange mode is main; this is fine. Now we will go to this router: Peers tab, plus sign. apt he used to take IP address of the remote site in 66 children 182, if I'm not wrong. Yes. Port is 500, profile is default; we didn't change anything, we didn't create any profile, we just set some parameters. Exchange mode is main.

The next is creating the identity. Identities tab, plus sign. The peer is here already. Authentication method is pre-shared key. Now we will set the password: a strong password, and the password must be the same for both routers. I mean please click + to add pizzas. My authentication is pre-shared key, my secret is the same. Keep the default; you don't need to change anything here.

Last, we create the policy, which can cause traffic and production this time grant in general. So the destination address you want to edit local address 6 ok ok. Now in the Action tab: action a send proficient level wait where is it ESP. Select tunnel mode. In tunnel mode the original IP packet is encapsulated within a new IP packet. And we have got the SA address, which is the Security Association address. This is basically the WAN IP of the routers that create the IPSec tunnel. I know my my dad was Robin's robber, and the destination address is the remote WAN address, which is six eight one six to fourteen K. Proposal is default; we didn't create anything, so it's the default.

Now here, in the Policies tab, plus sign. Source address is this router's local address, which we want to encrypt; the destination address is the remote LAN address, which is one seascape one birthday /24 network. And in the Action tab we've never week we're visit portable CSP it's like it has a tunnel mode. The SA source address is the WAN address of this router, one six eight one six to adopt one four, and the SA destination address is the remote WAN address, six eight once these two about to divorce. Apply and OK.

If you complete up to this part, your tunnel must come up. See its phase 2 state: phase 2 state established. Yes, OK. Same thing: your phase 2 state is established. If you go to Installed SAs, you can see it is established still just say anything else here yeah stuff is too. So we have got our tunnel.

Now we will test if we can ping across the tunnel from the site A LAN. OK, go to this part my pelvis is one and once he say wonder - okay the other side of 72 1 6 8 1.2. You can see I cannot reach the other end of the router; the ping response is showing timeout. I can't reach site B's LAN. There is a reason for that: all the traffic from the LAN is being NATted by the router. We have NAT configured on our router, on both routers actually, so we will have to bypass the NAT to get it to work.

Let's go back to router A, this one. Go to IP, Firewall, in the NAT tab. You see, now we have to bypass srcnat. Yes, in the General tab we give the LAN address, 192 1/24, and the expansion land is shin, accept. Now drag the rule to the top. The same thing we will do on the other router: go to IP and to the Firewall; you have the NAT rules, you see. Plus sign. The chain will be srcnat; the source address is the LAN address of this router, the destination, accept. And drag the rule to the top to bypass. Now let's quickly test again. The last time we got request timeout; again ping now. You see we're getting the response from the other end of the router's LAN address. That's it, we completed the site-to-site VPN.

So you saw this is a very basic and simple configuration. Maybe the menu looks different, as MikroTik tends to change this a lot, but if you know the basic thing, you can do it just fine. Now I'll show you from the other end's LAN PC if I can ping to the other end of the router's LAN, two one six eight. Yeah, that's it, we completed the site-to-site VPN. That's all for today. Subscribe to this channel for more videos on my tree to drill in the next week. Thanks.
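The steps walked through in the captions above, written as RouterOS console commands for one of the two routers; this is an added example, not part of the video or its captions. The peer name `site-b`, every address and the secret are constructed placeholders, and the syntax is that of the 6.44 release the speaker mentions.

```routeros
# Added example for router A. Constructed placeholders, not values from the video:
#   local WAN 203.0.113.1        remote WAN 198.51.100.2
#   local LAN 192.168.1.0/24     remote LAN 192.168.2.0/24
# On router B, swap local and remote everywhere.

# Phase 1 profile. Values are the ones chosen in the video and must be
# identical on both routers. sha1 and modp1024 are the video's choices;
# RouterOS also offers sha256 and larger groups such as modp2048.
/ip ipsec profile
set [find name=default] hash-algorithm=sha1 enc-algorithm=aes-256 \
    dh-group=modp1024 lifetime=1d

# Phase 2 proposal: lifetime raised to 8 hours, as in the video.
/ip ipsec proposal
set [find name=default] auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=8h

# Peer: the remote router's WAN address, IKE on UDP 500, main mode.
/ip ipsec peer
add name=site-b address=198.51.100.2/32 port=500 profile=default exchange-mode=main

# Identity: the pre-shared key, which must be the same string on both routers.
/ip ipsec identity
add peer=site-b auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# Policy: encrypt LAN-to-LAN traffic with ESP in tunnel mode between the
# two WAN addresses. Later RouterOS releases replace sa-src-address and
# sa-dst-address on the policy with peer=<name>.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=encrypt \
    level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.2 proposal=default

# NAT bypass: accept LAN-to-LAN traffic before the existing masquerade rule,
# otherwise the source is rewritten and no longer matches the policy.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=accept place-before=0

# Checks: the policy should report an established phase 2 state and the
# installed SAs should list one entry per direction.
/ip ipsec policy print
/ip ipsec installed-sa print
```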
Info
Channel: techie LAB
Views: 21,306
Keywords: mikrotik, router, ipsec vpn explained, mikrotik ipsec site to site vpn configuration, mikrotik ipsec, mikrotik ipsec vpn, ipsec mikrotik, ipsec vpn mikrotik, ipsec vpn mikrotik router, ipsec vpn configuration in mikrotik, ipsec vpn setup, site to site ipsec vpn configuration on mikrotik, mikrotik router configuration step by step bangla, mikrotik bangla tutorial, mikrotik ipsec tutorial, ipsec vpn tutorial
Id: qZwPweJrmLU
Length: 18min 43sec (1123 seconds)
Published: Mon Dec 23 2019