IPSec Tunnel - Mikrotik to pfSense - ODλ Zero Dispersion
Introduction
I recently began working with a Mikrotik RouterOS based device for use in a small business. I thought this was
the perfect time to try out some cross-platform configurations between Mikrotik and pfSense, which are
both very popular in the hobbyist and small business space.
This post shows the steps I used to configure an IPSec tunnel between a Mikrotik router and a pfSense
firewall. This is a basic tunnel configuration, so traffic flows freely through the tunnel based on the phase
2 configuration. It is a good fit if you want to tunnel some traffic between two trusted networks.
The tunnel shown in this configuration is IPv4 only, but IPv6 traffic could be added with minor
tweaks. Mutual PSK authentication is used to simplify the configuration.
This configuration has not been audited for maximum security and has not been tested for performance.
Requirements
This configuration is based on the following systems:
The systems must be able to reach each other over a WAN interface and should have unique LAN IP address
ranges. You will also need to add a rule on pfSense to accept the ISAKMP (IKE) connection on UDP port 500. To be
most secure, restrict this rule so that it only allows the peer IP/host.
Configure Phase 1 – pfSense
https://www.zerodispersion.com/ipsec-tunnel-mikrotik-to-pfsense/ 1/12
07/01/2022 14:42 IPSec Tunnel : Mikrotik to pfSense - ODλ Zero Dispersion
Of the two platforms, pfSense is probably the more logical in how it lays out the configuration.
The configuration entries are neat and tidy and nested in the GUI.
Navigate to VPN -> IPSec -> Tunnel. Then click the Add P1 button to start adding the new phase 1 entry.
Then begin filling in the General Information as shown.
Next, create/update a Phase 1 Proposal (Encryption Algorithm). You should be able to get by with a single
correct entry here.
Algorithm: AES
Key length: 128 bits (I’m sure you can go larger as dictated by your requirements)
Hash: SHA256
DH Group: 14 (2048 bit)
The final step in phase 1 is to go over the advanced options. The defaults should be fine. Then click Save.
Configure Phase 1 – Mikrotik
First, we configure the peer by going to IP -> IPSec -> Peers and clicking Add New. Then fill in the
following:
Name: This can be the hostname or any other identifier you want to use
Address: This can be an IP address or hostname
Port and Local address can be left as default
Profile can be left as default
Exchange mode: IKE2
Passive: Disabled
Send INITIAL_CONTACT: Enabled
Next we need to update the default profile to match our pfSense settings. Head over to IP -> IPSec ->
Profiles and click on default and change the settings as follows. When you are done click OK. Settings not
mentioned can remain at default.
Finally, go over to IP -> IPSec -> Identities and click Add New to create an identity for this tunnel.
Enabled: Checked
Peer: The peer you created earlier
Auth. Method: pre shared key
Secret: The key generated in pfSense
My ID Type: auto
Remote ID Type: auto
Match by: remote id
Verify Phase 1
Verifying phase 1 shows us that the devices have connectivity to one another and that no firewall rules
are blocking the session from being established.
In pfSense go to Status -> IPSec and look for your IPSec session to be Established.
In Mikrotik you can verify the Phase 1 session under IP -> IPSec -> Active Peers. You should see an increasing
uptime for the configured session.
Configure Phase 2 – pfSense
Protocol: ESP
Encryption Algorithms
AES128-GCM – 128 Bits
AES192-GCM – Auto
AES256-GCM – Auto
Hash Algorithms
SHA256
PFS Key Group: 14 (2048 bit)
Configure Phase 2 – Mikrotik
Auth Algorithms: sha256
Encr. Algorithms: aes-192 ctr, aes-128 gcm, aes-256 gcm
PFS Group: modp2048
The final step for phase 2 on the Mikrotik is to create a policy. Navigate to IP -> IPSec -> Policies and click
Add New. Then fill in the settings as follows:
Enabled: Checked
Peer: The peer you created
Tunnel: Checked (If you don’t check this you might lose your remote management, be careful)
Src Address: Subnet and mask of local subnet to tunnel
Dst. Address: Subnet and mask of remote subnet to tunnel
Protocol: 255 (all)
Action: encrypt
Level: require
IPSec Protocols: esp
Proposal: default
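The Mikrotik-side steps above (profile, peer, identity, proposal and policy) collected as the equivalent RouterOS terminal commands, plus the input firewall rules and the verification commands. This is an added example, not the original post's configuration; the pfSense WAN address 203.0.113.2, the local subnet 192.168.88.0/24, the remote subnet 192.168.1.0/24 (derived from the 192.168.1.1 gateway pinged later) and the PSK placeholder are assumptions.

```routeros
# Added example (not from the original post): the Mikrotik GUI steps
# expressed as RouterOS terminal commands. Assumed values, adjust to your network:
#   pfSense WAN address  203.0.113.2      (placeholder, TEST-NET-3 range)
#   Mikrotik LAN subnet  192.168.88.0/24  (RouterOS default LAN)
#   pfSense LAN subnet   192.168.1.0/24   (the 192.168.1.1 gateway pinged later)

# Phase 1 profile: match the pfSense P1 proposal (AES-128 / SHA256 / DH group 14)
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128 hash-algorithm=sha256 dh-group=modp2048

# Phase 1 peer: IKEv2, active initiator (passive=no), send INITIAL_CONTACT
/ip ipsec peer
add name=pfsense address=203.0.113.2/32 exchange-mode=ike2 passive=no \
    send-initial-contact=yes profile=default

# Identity: mutual PSK; the secret is the key generated in pfSense
/ip ipsec identity
add peer=pfsense auth-method=pre-shared-key secret="REPLACE_WITH_PFSENSE_PSK" \
    my-id=auto remote-id=auto match-by=remote-id

# Phase 2 proposal: match the pfSense P2 proposal (GCM ciphers, SHA256, PFS group 14)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 \
    enc-algorithms=aes-192-ctr,aes-128-gcm,aes-256-gcm pfs-group=modp2048

# Phase 2 policy: tunnel mode, all protocols, encryption required
/ip ipsec policy
add peer=pfsense tunnel=yes src-address=192.168.88.0/24 dst-address=192.168.1.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp proposal=default

# If the Mikrotik input chain drops WAN traffic (the RouterOS default config does),
# IKE (UDP/500), NAT-T (UDP/4500) and ESP from the peer must be accepted ahead of
# the drop rule. Limiting src-address to the peer mirrors the pfSense rule advice.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.2 \
    comment="IPsec IKE/NAT-T from pfSense" place-before=0
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.2 \
    comment="IPsec ESP from pfSense" place-before=0

# Verify: phase 1 shows an established peer with increasing uptime,
# phase 2 shows the installed SAs for the policy above
/ip ipsec active-peers print
/ip ipsec installed-sa print
```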
To test from Mikrotik go to Tools -> Ping and setup a ping to the LAN gateway on the pfSense system. In my
case the far end LAN is 192.168.1.1. I was able to test it by using the Mikrotik bridge interface as the source
interface.
To test from pfSense it’s the same idea, go to Diagnostics -> Ping and use the LAN as the Source address.
Statistics are available on both platforms. In pfSense go to Status -> IPSec, in Mikrotik take a look under IP ->
IPSec -> Active Peers.
Conclusion
Configuring a secure IPSec tunnel between Mikrotik and pfSense was not as hard as I expected. Both
platforms have plenty of configuration options allowing a secure tunnel to be established with ease. The
drawback to this configuration is that there is no logical interface for the connection on either platform,
meaning the tunneled traffic is basically assumed to be in a protected zone as it exits the tunnel. This is
fine if both sides are more or less at the same trust level, but not sufficient if you want to make rules for
traffic as it enters on one side or the other. For that reason I intend to switch to a GRE tunnel over
IPSec, which will be shown in a later post.
© 2022 ODλ Zero Dispersion