Route based IPSec to mikrotik RouterOS7 with BGP
There are many instructions for mikrotik, but few that work. Precisely because a lot has changed with RouterOS v7, I would like to show a few variants here:
- “simple” IPsec tunnels (shown later)
- route-based IPsec tunnels with BGP
So let's start with the tricky one:
I have 2 ISPs with 2 public IP addresses. To make the connection redundant we also need a routing protocol, so that the paths switch over automatically when one way fails. In Azure we have to use BGP, because that is the only option the VPN gateway offers.
the WAN Plan
the Azure side
I have 2 vNets because of 2 subscriptions. Subscriptions are not connected by default, so I had to connect them using vNet peering. Now my vNet apo-vnet (192.168.104.0/22) and my second vNet infra-vnet (192.168.100.0/22) are connected, and apo-vnet uses and shares the VPN gateway, so only one VPN gateway is needed.
The VPN gateway is a “normal” VpnGw1 SKU, which is fully sufficient for most use cases. The BGP feature is built in at no additional cost.
the mikrotik Side – aka On-Prem
TL;DR: the IPsec settings in mikrotik RouterOS v7 – I am currently using 7.3.1:
Phase 1: aes-256, sha1 or sha256, modp1024, lifetime 07:30:00 (7h30m = 27000 sec). In my case NAT-Traversal is enabled because I am behind a NAT router, so UDP 500/4500 is used for the connection.
Dead-peer-detection is set to 30 sec, so the maximum detection time is 5 × 30 = 150 sec.
Phase 2: aes-256-cbc (only that one is hardware-accelerated!), sha256, lifetime 07:30:00 and PFS modp1024.
Other combinations may also work but are not tested.
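The same settings as a RouterOS v7 CLI configuration, written here as an added example and not taken from the post or its screenshots. It reproduces the TL;DR values (aes-256, sha256, modp1024, 07:30:00 lifetimes, NAT-T, DPD 30 s with the default 5 failures) for one of the two ISP uplinks; the names `azure-p1`, `azure-p2`, `azure-isp1`, the placeholders `AZURE_GW_PUBLIC_IP`, `ISP1_WAN_IP`, `ONPREM_LAN` and the pre-shared key, and the choice of policy selectors (on-prem loopback to the Azure BGP peer, plus one policy per vNet) are assumptions. The second tunnel repeats the peer, identity and policies with the second WAN address and the second loopback (192.168.254.4).

```routeros
# Added example (not the post's own config): RouterOS v7 IKEv2 to an Azure VPN gateway.
# Placeholders to replace: AZURE_GW_PUBLIC_IP, ISP1_WAN_IP, ONPREM_LAN, the shared key.

# Phase 1 (IKE): aes-256, sha256, modp1024, 7h30m lifetime, NAT-T, DPD every 30 s,
# 5 missed probes (default) => peer declared dead after 150 s
/ip ipsec profile add name=azure-p1 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp1024 lifetime=07:30:00 nat-traversal=yes \
    dpd-interval=30s dpd-maximum-failures=5

# Phase 2 (ESP): aes-256-cbc (the hardware-accelerated cipher), sha256, PFS modp1024
/ip ipsec proposal add name=azure-p2 enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp1024 lifetime=07:30:00

# Peer for ISP 1; bind it to that uplink's WAN address so the second uplink
# can get its own peer entry
/ip ipsec peer add name=azure-isp1 address=AZURE_GW_PUBLIC_IP \
    exchange-mode=ike2 profile=azure-p1 local-address=ISP1_WAN_IP

# Pre-shared key for that peer; no auto-generated policies, we add them explicitly
/ip ipsec identity add peer=azure-isp1 auth-method=pre-shared-key \
    secret="REPLACE_WITH_SHARED_KEY" generate-policy=no

# Policy 1: the BGP session itself (on-prem loopback <-> Azure BGP peer address)
/ip ipsec policy add peer=azure-isp1 tunnel=yes proposal=azure-p2 \
    src-address=192.168.254.2/32 dst-address=192.168.101.126/32

# Policies 2+3: the data traffic to the two vNets from the post (assumed ONPREM_LAN as
# the local subnet); the BGP-learned routes decide the path, these policies decide
# what gets encrypted
/ip ipsec policy add peer=azure-isp1 tunnel=yes proposal=azure-p2 \
    src-address=ONPREM_LAN dst-address=192.168.100.0/22
/ip ipsec policy add peer=azure-isp1 tunnel=yes proposal=azure-p2 \
    src-address=ONPREM_LAN dst-address=192.168.104.0/22
```

To check the result, `/ip ipsec active-peers print` should list the Azure gateway with an established state, and `/ip ipsec installed-sa print` should show the ESP SAs with aes-256-cbc and sha256; if the phase 2 entries are missing, the proposal (cipher, PFS group or lifetime) is the usual mismatch.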
the BGP Routing part – On-Prem
Because we are peering between loopback addresses, which are always online, we create so-called loopback interfaces, give them a fixed, non-overlapping IP address (192.168.254.2 and 192.168.254.4) and set a static route to the other side.
A route to the Azure BGP peer (192.168.101.126) is not needed, because the default route already points in that direction.
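The loopback and BGP part as a RouterOS v7 CLI configuration, again an added example rather than the post's own screenshots. Grounded in the post are the two loopback addresses, the Azure BGP peer 192.168.101.126 and the two vNet prefixes; assumptions are the interface and list names, the on-prem ASN (`65000`, a placeholder), the Azure gateway ASN (`65515`, Azure's default, which the post does not state), and the use of a bridge without ports as the loopback interface. The static route "to the other side" that the post mentions is not reproduced, because its target depends on the reader's topology.

```routeros
# Added example (not the post's own config): loopback BGP peering over the two tunnels.
# Assumed: ASN 65000 on-prem (placeholder), ASN 65515 on the Azure gateway, ONPREM_LAN.

# A bridge with no ports acts as a loopback: it never goes down, so the BGP
# source address survives a failing uplink
/interface bridge add name=lo-azure1
/interface bridge add name=lo-azure2
/ip address add interface=lo-azure1 address=192.168.254.2/32
/ip address add interface=lo-azure2 address=192.168.254.4/32

# Prefixes we announce to Azure (only the on-prem LAN, assumed placeholder)
/ip firewall address-list add list=onprem-nets address=ONPREM_LAN

# Accept only the two vNet prefixes from Azure, drop anything else the gateway
# might advertise
/routing filter rule add chain=azure-in \
    rule="if (dst in 192.168.100.0/22 || dst in 192.168.104.0/22) { accept } else { reject }"

# One eBGP session per tunnel, each sourced from its own loopback; multihop is
# required because the peer is not on a directly connected subnet
/routing bgp connection add name=azure-isp1 as=65000 router-id=192.168.254.2 \
    local.address=192.168.254.2 local.role=ebgp \
    remote.address=192.168.101.126 remote.as=65515 multihop=yes \
    routing-table=main output.network=onprem-nets input.filter=azure-in

/routing bgp connection add name=azure-isp2 as=65000 router-id=192.168.254.4 \
    local.address=192.168.254.4 local.role=ebgp \
    remote.address=192.168.101.126 remote.as=65515 multihop=yes \
    routing-table=main output.network=onprem-nets input.filter=azure-in
```

`/routing bgp session print` shows both sessions once the tunnels carry the peering traffic; with the input filter in place only the two vNet prefixes appear as BGP routes in the main table, and when one uplink drops, its session times out and the route via the surviving loopback takes over.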
done 😉
ask me on twitter… @sdenninger