OXO Connect with Mikrotik RouterOS

Mikrotik RouterOS based routers can be used as VPN endpoints to provide remote support for Alcatel-Lucent PABXs. This includes the virtual device image (Cloud Hosted Router), so a dedicated virtual machine can be deployed as the VPN responder.

At the time of writing, Mikrotik does not support EAP on the responding end, so the IKEv2_PSK+PSK option must be used in the OXO VPN profile, i.e. only pre-shared keys are supported.

  1. Add a DHCP Pool for VPN IP addresses: IP -> Pool -> Add
    Name = oxovpn-pool
    Addresses = 10.215.0.1-10.215.0.2
  2. Add a corresponding Mode Config: IP->IPsec->Mode Configs
    Name = oxovpn-modecfg
    Address Pool = oxovpn-pool
    Address Prefix Length = 24
    Split Include = <your private LAN subnet>
  3. Add a phase 1 Profile: IP->IPsec->Profiles
    Name = oxovpn-phase1
    Hash = sha256
    Encryption = aes-256
    DH group = modp2048
    Proposal Check = strict
    NAT Traversal = (tick if Mikrotik is behind another router)
    (Both ends must agree: match these to the phase 1 settings in the OXO VPN profile)
  4. Add a phase 2 Proposal: IP->IPsec-> Proposals
    Name = oxovpn-phase2
    Auth = sha256
    Encryption = aes-256-cbc
    PFS Group = modp2048
    (As for phase 1, match these to the phase 2 settings in the OXO VPN profile)
  5. Add a Peer: IP->IPsec->Peers
    Name = oxo-peer
    Address = ::/0 (i.e. any)
    Profile = oxovpn-phase1
    Exchange Mode = IKE2
    Passive = tick
    Send INITIAL_CONTACT = unticked
  6. Add Identity: IP->IPsec->Identities
    Peer = oxo-peer
    Auth Method = pre shared key
    Secret = <a long random pre-shared key consisting only of letters and numbers; at least 20 characters is a sensible minimum. Because the peer accepts any source address (::/0), this key is the only thing authenticating an initiator, so treat it like a privileged password>
    Policy Template Group = default
    Notrack Chain = prerouting
    My ID Type = fqdn
    My ID = <public IP address of your remote service center>
    Remote ID = OXO (default = OXO, change this to match what is entered as the Peer ID in the OXO’s VPN Profile)
    Match By = remote id
    Mode Config = oxovpn-modecfg
    Generate Policy = port strict
  7. Add a policy to match traffic to the tunnel: IP -> IPsec->Policies
    Peer = oxo-peer
    Tunnel = tick
    Src Address = 0.0.0.0/0
    Dst Address = 10.215.0.0/24
    Template = unticked
    Action = encrypt
    Level = require
    IPsec Protocols = esp
    Proposal = oxovpn-phase2
  8. If behind a NAT router it is necessary to source-NAT outbound traffic to the VPN, so that it reaches the OXO from the public address of the remote service center: IP->Firewall->NAT->Add New:
    Chain = srcnat
    Src Address = <your LAN>
    Dst Address = 10.215.0.0/24
    Action = netmap
    To Address = <public IP of the remote service center>
  9. (Optional) Enable logging to assist diagnostics:
    System -> Logging -> Add New
    Topics = ipsec
    Action = memory
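The same nine steps typed into the RouterOS terminal (or pasted into a script) rather than clicked through WinBox. This is an added example, not configuration from the original post; the LAN subnet 192.168.1.0/24, the service center public address 203.0.113.10 and the secret are placeholders to be replaced, and the Remote ID type is assumed to be fqdn, since the post gives only the value OXO (use key-id:OXO if that is what the OXO sends as its Peer ID).

```routeros
# Step 1: address pool handed to the OXO via mode-config
/ip pool add name=oxovpn-pool ranges=10.215.0.1-10.215.0.2

# Step 2: mode-config; split-include is the private LAN the OXO may reach (assumed 192.168.1.0/24)
/ip ipsec mode-config add name=oxovpn-modecfg address-pool=oxovpn-pool \
    address-prefix-length=24 split-include=192.168.1.0/24

# Step 3: phase 1 profile - must match the OXO VPN profile; nat-traversal=yes only
# matters if this router sits behind another NAT device
/ip ipsec profile add name=oxovpn-phase1 hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 proposal-check=strict nat-traversal=yes

# Step 4: phase 2 proposal
/ip ipsec proposal add name=oxovpn-phase2 auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048

# Step 5: passive IKEv2 peer that accepts an initiator from any address
/ip ipsec peer add name=oxo-peer address=::/0 profile=oxovpn-phase1 \
    exchange-mode=ike2 passive=yes send-initial-contact=no

# Step 6: PSK identity. secret and 203.0.113.10 are placeholders; remote-id type
# (fqdn) is an assumption and must match the Peer ID configured on the OXO.
/ip ipsec identity add peer=oxo-peer auth-method=pre-shared-key \
    secret="ReplaceWithALongRandomAlphanumericKey" \
    policy-template-group=default notrack-chain=prerouting \
    my-id=fqdn:203.0.113.10 remote-id=fqdn:OXO match-by=remote-id \
    mode-config=oxovpn-modecfg generate-policy=port-strict

# Step 7: policy sending LAN traffic for the pool into the tunnel
/ip ipsec policy add peer=oxo-peer tunnel=yes src-address=0.0.0.0/0 \
    dst-address=10.215.0.0/24 template=no action=encrypt level=require \
    ipsec-protocols=esp proposal=oxovpn-phase2

# Step 8 (only when behind NAT): present the service center address to the OXO
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    dst-address=10.215.0.0/24 action=netmap to-addresses=203.0.113.10 \
    comment="oxovpn: source-NAT LAN towards the OXO pool"

# Step 9 (optional): keep IPsec log lines in memory for diagnostics
/system logging add topics=ipsec action=memory

# Checks once an OXO has dialled in: the peer should be listed as established,
# an ESP SA pair should exist, and the log should show the IKE_AUTH exchange
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
/log print where topics~"ipsec"
```

If active-peers shows the peer but no SA appears in installed-sa, the phase 2 proposal or the generated policy (check `/ip ipsec policy print` for the dynamic entry created by generate-policy=port-strict) is the usual mismatch; if the peer never appears at all, the PSK, the Remote ID value, or the port forwarding on an upstream router is the first thing to verify.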

These are the key settings to get the VPN established. Note that settings that have been skipped are non-critical and can be left at defaults or modified to suit your requirements.

If only a small number of clients with static public IP addresses are required, those addresses can be entered in individual peer entries instead of accepting any address with ::/0.

Create a corresponding VPN Profile in the OXO Connect web interface, following the OXO Connectivity User’s Manual.

To enhance security firewall rules can be created to only allow ICMP & HTTPS from the LAN to the VPN, allow all corresponding replies but block any other traffic originating from the VPN.
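A forward-chain filter implementing that restriction, as an added example that is not part of the original post. It assumes the LAN 192.168.1.0/24 and the VPN pool 10.215.0.0/24 used above, and that these rules are placed above any general drop rule in the forward chain.

```routeros
# Constructed example: LAN may ping and reach HTTPS on the OXO, replies are allowed
# back, anything else initiated from the VPN side is dropped and logged.
/ip firewall filter
add chain=forward src-address=10.215.0.0/24 dst-address=192.168.1.0/24 \
    connection-state=established,related action=accept \
    comment="oxovpn: replies to sessions opened from the LAN"
add chain=forward src-address=192.168.1.0/24 dst-address=10.215.0.0/24 \
    protocol=icmp action=accept comment="oxovpn: ping the OXO"
add chain=forward src-address=192.168.1.0/24 dst-address=10.215.0.0/24 \
    protocol=tcp dst-port=443 action=accept comment="oxovpn: OXO web interface"
add chain=forward src-address=10.215.0.0/24 action=drop log=yes \
    log-prefix="oxovpn-drop" comment="oxovpn: nothing may be initiated from the OXO side"

# Confirm the counters move on the expected rules while a session is open,
# and that nothing unexpected hits the drop rule
/ip firewall filter print stats where comment~"oxovpn"
/log print where message~"oxovpn-drop"
```

Filter rules see the LAN address, not the NATed one, because srcnat from step 8 is applied after the forward chain and reply packets are un-NATed before it. Step 6 sets Notrack Chain = prerouting, which adds dynamic notrack rules under /ip firewall raw; if the established,related rule does not match the OXO's replies, inspect those dynamic rules first, since untracked packets carry no connection state. To scope the rules to decrypted tunnel traffic only, the ipsec-policy=in,ipsec matcher can be added to the VPN-side rules.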

Simultaneous connections to multiple clients can be achieved by adding individual entries for Policies, Identities and Peers, with appropriate tweaking to match each connection.

Note that RouterOS can only listen on UDP ports 500 and 4500 for IPsec (IKE and NAT-T respectively). However, if the Mikrotik is behind another NAT router, alternative public ports can be port-forwarded through to these ports, provided NAT Traversal is enabled on the Mikrotik. e.g.:

Edge router, public IP, UDP-501 -> port forward to UDP-500 on Mikrotik
Edge router, public IP, UDP-4501 -> port forward to UDP-4500 on Mikrotik
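If the edge router is also a Mikrotik, the two port forwards look like this. This is an added example, not from the original post; the edge router's WAN interface ether1, its public address 198.51.100.5 and the inner responder's address 192.168.0.2 are placeholders.

```routeros
# On the edge router (assumed RouterOS): map the alternative public ports to the
# fixed IKE/NAT-T ports on the inner Mikrotik. Placeholder addresses and interface.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=198.51.100.5 protocol=udp \
    dst-port=501 action=dst-nat to-addresses=192.168.0.2 to-ports=500 \
    comment="oxovpn: IKE"
add chain=dstnat in-interface=ether1 dst-address=198.51.100.5 protocol=udp \
    dst-port=4501 action=dst-nat to-addresses=192.168.0.2 to-ports=4500 \
    comment="oxovpn: NAT-T"

# On the inner Mikrotik: NAT traversal must be on in the phase 1 profile,
# otherwise the responder will not switch to UDP 4500 behind the NAT
/ip ipsec profile set [find name=oxovpn-phase1] nat-traversal=yes
```

The OXO VPN profile must then target 198.51.100.5 on UDP 501, and the edge router's connection tracking translates the responder's replies from 500/4500 back to 501/4501. Behind such a NAT the inner router's own address is private, which is presumably why step 6 sets My ID explicitly to the public address rather than leaving it on auto.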