Mikrotik RouterOS based routers can be used as VPN endpoints to provide remote support for Alcatel-Lucent PABXs. This includes the virtual device images (Cloud Hosted Router), so a dedicated virtual machine can be deployed purely as the VPN responder.
At the time of writing, Mikrotik does not support EAP on the responder side, so the IKEv2_PSK+PSK option must be used in the OXO VPN profile, i.e. only pre-shared keys are supported.
- Add an IP pool for the VPN client addresses: IP -> Pool -> Add
  Name = oxovpn-pool
  Addresses = 10.215.0.1-10.215.0.2
- Add a corresponding Mode Config: IP -> IPsec -> Mode Configs
  Name = oxovpn-modecfg
  Address Pool = oxovpn-pool
  Address Prefix Length = 24
  Split Include = <your private LAN subnet> (the network the OXO will route through the tunnel)
- Add a phase 1 Profile: IP -> IPsec -> Profiles
  Name = oxovpn-phase1
  Hash = sha256
  Encryption = aes-256
  DH Group = modp2048
  Proposal Check = strict
  NAT Traversal = (tick if the Mikrotik is behind another router)
  (These are the values used here; adjust them to match your own OXO profile)
- Add a phase 2 Proposal: IP -> IPsec -> Proposals
  Name = oxovpn-phase2
  Auth = sha256
  Encryption = aes-256-cbc
  PFS Group = modp2048
  (These are the values used here; adjust them to match your own OXO profile)
- Add a Peer: IP -> IPsec -> Peers
  Name = oxo-peer
  Address = ::/0 (i.e. any)
  Profile = oxovpn-phase1
  Exchange Mode = IKE2
  Passive = tick
  Send INITIAL_CONTACT = unticked
- Add an Identity: IP -> IPsec -> Identities
  Peer = oxo-peer
  Auth Method = pre shared key
  Secret = <a long, random pre-shared key consisting only of letters and digits; more than 12 characters recommended>
  Policy Template Group = default
  Notrack Chain = prerouting
  My ID Type = fqdn
  My ID = <public IP address of your remote service center> (the identity the Mikrotik presents to the OXO)
  Remote ID = OXO (default = OXO; change this to match the Peer ID entered in the OXO's VPN Profile)
  Match By = remote id
  Mode Config = oxovpn-modecfg
  Generate Policy = port strict
- Add a policy to match traffic to the tunnel: IP -> IPsec -> Policies
  Peer = oxo-peer
  Tunnel = tick
  Src Address = 0.0.0.0/0
  Dst Address = 10.215.0.0/24
  Template = unticked
  Action = encrypt
  Level = require
  IPsec Protocols = esp
  Proposal = oxovpn-phase2
- If the Mikrotik is behind a NAT router, it is necessary to source-NAT outbound LAN traffic to the VPN: IP -> Firewall -> NAT -> Add New
  Chain = srcnat
  Src Address = <your LAN>
  Dst Address = 10.215.0.0/24
  Action = netmap
  To Address = <public IP of the remote service center>
- (Optional) Enable logging to assist diagnostics: System -> Logging -> Add New
  Topics = ipsec
  Action = memory
These are the key settings to get the VPN established. Settings that have been skipped are non-critical and can be left at their defaults or modified to suit your requirements.
If only a small number of clients with static public IP addresses are required, their addresses can be used in individual peer entries instead of ::/0.
Create a corresponding VPN Profile in the OXO Connect web interface, following the OXO Connectivity User’s Manual.
To enhance security, firewall rules can be created to allow only ICMP and HTTPS from the LAN to the VPN, allow the corresponding replies, and block any other traffic originating from the VPN.
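One way to express those rules in the forward chain, as an added example rather than the post's own configuration. It assumes 192.168.1.0/24 is the LAN and 10.215.0.0/24 the VPN pool from the steps above; the rules must sit ahead of any general accept rules already in your forward chain.

```routeros
# Added example (not from the original post): restrict LAN <-> VPN traffic.
# Assumes 192.168.1.0/24 = LAN and 10.215.0.0/24 = VPN pool (placeholders).
# Rule order matters: these must come before any blanket accept in chain=forward.
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=10.215.0.0/24 \
    protocol=icmp action=accept comment="LAN -> OXO: ping"
add chain=forward src-address=192.168.1.0/24 dst-address=10.215.0.0/24 \
    protocol=tcp dst-port=443 action=accept comment="LAN -> OXO: HTTPS"
add chain=forward src-address=10.215.0.0/24 \
    connection-state=established,related action=accept comment="OXO -> LAN: replies only"
add chain=forward src-address=10.215.0.0/24 action=drop \
    comment="OXO -> LAN: block everything else originating from the VPN"
```

After the tunnel is up, check `/ip firewall raw print`: the identity's Notrack Chain setting adds dynamic notrack rules, and untracked packets never carry a connection state. If those rules cover the tunnel traffic, match the reply direction on `ipsec-policy=in,ipsec` instead of `connection-state`.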
Simultaneous connections to multiple clients can be achieved by the addition of individual entries for Policies, Identities and Peers, with appropriate tweaking to match each connection.
Note that Mikrotik RouterOS can only listen on UDP ports 500 and 4500 for IPsec connections. However, if the Mikrotik is behind another NAT router, alternative ports can be forwarded on that router through to these ports, provided NAT-Traversal is enabled on the Mikrotik, e.g.:
Edge router, public IP, UDP-501 -> port forward to UDP-500 on Mikrotik
Edge router, public IP, UDP-4501 -> port forward to UDP-4500 on Mikrotik
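The edge-router side of that port forward, as an added example that is not part of the original post. It assumes the edge router is itself a RouterOS device holding the public IP 203.0.113.10, with the VPN Mikrotik at 192.168.0.2 behind it (both placeholders).

```routeros
# Added example (not from the original post): edge-router dst-nat for the
# alternative IKE ports. Assumes the edge router runs RouterOS, owns the
# public IP 203.0.113.10, and the VPN Mikrotik is at 192.168.0.2 (placeholders).
/ip firewall nat
add chain=dstnat dst-address=203.0.113.10 protocol=udp dst-port=501 \
    action=dst-nat to-addresses=192.168.0.2 to-ports=500 \
    comment="IKE (UDP 501 -> 500) to Mikrotik VPN responder"
add chain=dstnat dst-address=203.0.113.10 protocol=udp dst-port=4501 \
    action=dst-nat to-addresses=192.168.0.2 to-ports=4500 \
    comment="NAT-T (UDP 4501 -> 4500) to Mikrotik VPN responder"
```

The edge router's forward chain must also permit UDP to 192.168.0.2 on ports 500 and 4500 if it filters forwarded traffic.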