howto/IPsecWithPublicKeys/RouterOSExample.md
@@ -0,0 +1,92 @@
+# IPsec with public key authentication on Mikrotik RouterOS
+## Setup
+### Generate an RSA keypair
+
+ [admin@mtk1] > /ip ipsec key
+ [admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
+ For key bigger than 1024bit this may take a while..
+ [admin@mtk1] /ip ipsec key> print
+ Flags: P - private-key, R - rsa
+ # NAME KEY-SIZE
+ 0 PR mykey 4096-bit
+
+### Exchange public keys with your peer
+1. Export the public key to a file.
+
+ [admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
+
+ [admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
+ # NAME TYPE SIZE CREATION-TIME
+ 2 mykey.pub ssh key 451 jul/20/2014 12:35:33
+
+2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:
+
+ -----BEGIN PUBLIC KEY-----
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
+ TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
+ +xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
+ 23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
+ 4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
+ QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
+ 8QIDAQAB
+ -----END PUBLIC KEY-----
+
+3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
+
+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
+
+## Configuration
+### Configure the phase 1 IKE parameters
+In this example, we'll use the following settings:
+
+| Key | Value |
+| :------------ | :------------ |
+| Encryption | AES-128 |
+| Hash | HMAC-SHA1 |
+| DH Group | 5 (modp1536) |
+| Lifetime | 28800 seconds |
+| Peer address | 192.0.2.2 |
+| Local address | 192.0.2.1 |
+
+1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)
+
+ [admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
+ passphrase:
+
+ [admin@mtk1] /ip ipsec key> print
+ Flags: P - private-key, R - rsa
+ # NAME KEY-SIZE
+ 0 PR mykey 4096-bit
+ 1 R peer-key 4096-bit
+
+2. Configure your peer definition to use the public key
+
+ [admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
+ [admin@mtk1] /ip ipsec peer> print
+ Flags: X - disabled
+ 0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
+ auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
+ exchange-mode=main send-initial-contact=yes nat-traversal=no
+ proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
+ dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
+ dpd-maximum-failures=5
+
+3. All done! Configure the phase 2 parameters as you otherwise would.
+
+## Full GRE/IPsec example
+ # jul/20/2014 13:00:04 by RouterOS 6.15
+ # software id = HBCA-0B2J
+ #
+ /interface gre
+ add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
+ remote-address=192.0.2.2
+ /ip address
+ add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
+ /ip ipsec proposal
+ set [ find default=yes ] lifetime=1h pfs-group=modp1536
+ /ip ipsec peer
+ add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
+ lifetime=8h local-address=192.0.2.1 remote-key=peer-key
+ /ip ipsec policy
+ add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
+ sa-src-address=192.0.2.1 src-address=192.0.2.1/32
\ No newline at end of file
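Review bot: the "Exchange public keys with your peer" section never says how to confirm that the key file received from the peer is genuinely theirs; with `auth-method=rsa-key` the imported `remote-key=peer-key` is the entire trust anchor for the tunnel, so a step that compares the PEM contents (or at least the key size shown by `/ip ipsec key print`) with the peer over a channel that is already trusted, before running `import`, would close that gap. Two consistency points in the same file: the phase 1 table and the step 2 `add` command spell out `enc-algorithm=aes-128 hash-algorithm=sha1` and `lifetime=28800`, while the full GRE/IPsec example omits the cipher and hash and shows `lifetime=8h`; a sentence noting that 28800 seconds is 8h and that the omitted parameters fall back to the defaults visible in the `print` output (`hash-algorithm=sha1 enc-algorithm=aes-128`) would make clear the two sections describe the same configuration. Finally, `# software id = HBCA-0B2J` in the exported config is the router's own software ID, which is tied to its licence, and can be dropped from a published example along with the date comment.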