How to build an IPSec-tunnel between SonicWall and MikroTik?
One of the challenges I faced for an assignment was that I had to create an IPsec tunnel between a SonicWall firewall with a dedicated, static public IP and a MikroTik RouterBoard that would have a dynamic IP. When searching for the appropriate documentation, I couldn’t find any. So read on for my guide to building a SonicOS to RouterOS IKEv2 IPsec tunnel.
Probably stating the obvious, but log in to the SonicWall firewall, move to the VPN tab and create a new VPN policy. If you want, you can use the SonicWall wizard instead of creating the policy manually as shown in the steps below.
More information on the SonicWall configuration can be found on the SonicWall website.
The configuration of the MikroTik device can be done both in WinBox and in the terminal. In this tutorial I use the terminal commands, but they map closely to the WinBox UI navigation.
Firewall, NAT and Fasttrack
In my scenario I wanted to tunnel multiple IP ranges behind the SonicWall to my MikroTik. To reference them in the access rules and in the NAT bypass rule, I added the following address list:

```
/ip firewall address-list
add address=10.88.0.0/16 list=IPSec_Tunnel
add address=172.16.1.0/24 list=IPSec_Tunnel
```
Because of the lack of public IPv4 space, the RouterBoard sits behind a consumer connection with a dynamic IP and masquerades its LAN. We therefore need to bypass NAT for the packets that are intended for the IPsec tunnel. If we don’t bypass NAT, packets are masqueraded before the IPsec policy is evaluated: their source address becomes the WAN address, they no longer match the policy selector and they are not sent through the tunnel. Place this rule above the existing masquerade rule, since srcnat rules are processed in order:

```
/ip firewall nat
add action=accept chain=srcnat comment="No NAT for IPSec" src-address=192.168.88.0/24 dst-address-list=IPSec_Tunnel
```
Since you should already have a good firewall set up, you’ll need to add rules that accept traffic arriving from the IPsec tunnel; place them above your drop rules. I used the following rules (note that the input rule lets hosts in the remote subnets reach services on the router itself, so narrow it if you only need forwarding):

```
/ip firewall filter
add action=accept chain=forward comment="Allow all from VPN" src-address-list=IPSec_Tunnel
add action=accept chain=input src-address-list=IPSec_Tunnel
```
Note: personally I don’t use FastTrack yet. If you do use FastTrack, have a look at this topic in the official MikroTik wiki: FastTracked connections bypass IPsec policy processing, so traffic destined for the tunnel must be excluded from the fasttrack-connection rule.
Next up is the configuration of the IPsec tunnel: move to the /ip ipsec menu in WinBox or in the terminal and get going.
During the set-up of the SonicWall we came across the Proposals tab, where we specified the use of 3DES with a lifetime of 8 hours (28800 seconds). Let’s add a new proposal to RouterOS to match this. Keep in mind that 3DES is a legacy cipher; if both ends support it, AES and a PFS group are the stronger choice, but whatever you pick must match on both sides exactly:

```
/ip ipsec proposal
add enc-algorithms=3des lifetime=8h name=sonicwall pfs-group=none
```
Next up, our MikroTik router needs to know where the IPsec server is located, so let’s add our SonicWall as a peer. SonicWall-IP and YourOwnChoice are placeholders for the firewall’s public IP and the pre-shared key; newer RouterOS releases split these settings across /ip ipsec peer, identity and profile, but the parameters keep the same names:

```
/ip ipsec peer
add address=SonicWall-IP dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=3des exchange-mode=ike2 myid=fqdn:routerboard.domain.net secret=YourOwnChoice
```
As you can see, this is the first place where the two configurations overlap: the peer settings match the General tab of the SonicWall firewall. Because the RouterBoard has no fixed address, it identifies itself by name: on the SonicWall the peer IKE ID type is chosen with the selector field, and in RouterOS we specify the type as fqdn in myid (it must match the Peer IKE ID you entered on the SonicWall).

| SonicWall (General tab) | RouterOS peer parameter | Value |
|---|---|---|
| IPSec Primary peer | address | Public IP of SonicWall |
At this point we have the MikroTik configured to connect to its peer, the SonicWall firewall. You’ll notice a connection on the /ip ipsec remote-peers tab.
Last but not least we have to add the necessary IPsec policies, so traffic to the remote subnets is matched and sent through the tunnel. sa-src-address is left at 0.0.0.0 because our own public IP is dynamic:

```
/ip ipsec policy
add dst-address=10.88.0.0/16 level=unique proposal=sonicwall \
    sa-dst-address=SonicWall-IP sa-src-address=0.0.0.0 src-address=192.168.88.0/24 tunnel=yes
add dst-address=172.16.1.0/24 level=unique proposal=sonicwall \
    sa-dst-address=SonicWall-IP sa-src-address=0.0.0.0 src-address=192.168.88.0/24 tunnel=yes
```
In the IPsec policies we use level=unique, because we want to tunnel multiple subnets to the SonicWall firewall: each policy then gets its own SA pair. With the default level=require only one remote network is reachable through the IPsec tunnel.
If everything has gone as planned, the VPN connection should now turn green on both sides of the tunnel. On RouterOS you can verify it by running /ip ipsec installed-sa print, which lists the SAs negotiated with the SonicWall.
In the SonicWall you’ll see a green light next to the VPN-tunnel and the tunnel will show up in the Status screen.
At this point, you should run a variety of checks to verify connectivity through the VPN tunnel, for example pinging a host in each remote subnet from a machine on the 192.168.88.0/24 LAN. If you followed this guide, everything should work fine.
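As an added example that is not part of the original guide, the following RouterOS 6 script automates those checks: it walks every policy that uses the sonicwall proposal, reports whether the SonicWall has negotiated phase 2 for it, and pings one host behind that selector. The test host addresses and the router’s LAN address 192.168.88.1 are assumptions; adjust them to your network.

```routeros
# Added example (not from the original guide): verify each tunnelled subnet.
# Assumed test hosts behind the SonicWall, keyed by the policy's dst-address.
# Save under /system script as "ipsec-check" and run it with:
#   /system script run ipsec-check
:local hosts {"10.88.0.0/16"="10.88.0.1"; "172.16.1.0/24"="172.16.1.1"}
:foreach p in=[/ip ipsec policy find where proposal="sonicwall"] do={
  :local dst [:tostr [/ip ipsec policy get $p dst-address]]
  :local state [/ip ipsec policy get $p ph2-state]
  :if ($state != "established") do={
    # no phase 2 SA for this selector yet: check /ip ipsec remote-peers
    # on the MikroTik and the VPN log on the SonicWall
    /log warning ("IPsec check: " . $dst . " phase 2 state is " . $state)
  } else={
    :local host ($hosts->$dst)
    :if ([:len $host] = 0) do={
      /log info ("IPsec check: " . $dst . " established, no test host defined")
    } else={
      # source the ping from the LAN address (assumed 192.168.88.1); otherwise
      # it leaves with the WAN address, misses the policy and stays outside the tunnel
      :local replies [/ping $host count=3 src-address=192.168.88.1]
      :if ($replies = 0) do={
        /log warning ("IPsec check: SA up for " . $dst . " but no reply from " . $host)
      } else={
        /log info ("IPsec check: " . $dst . " ok, " . $replies . "/3 replies from " . $host)
      }
    }
  }
}
```

Schedule it with /system scheduler to get a log entry whenever a selector loses its SA, which on a dynamic connection is usually the first sign that the WAN address has changed.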
SonicWall and MikroTik and their logos are copyright protected; I’ve used them as illustrations for this blog.