www.glcnetworks.com
IPsec on Mikrotik
GLC Webinar, 25 Mar 2021
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
Agenda
● Introduction
● Review basic knowledge
● Security on OSI layers
● IPsec
● IPsec on Mikrotik
● Live practice
● Q & A
Introduction
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: training, IT consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC Radius Manager
● Regular events
Trainer introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT user since 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
Past experience
● 2021 (Congo DRC, Malaysia): network support, RADIUS/billing integration
● 2020 (Congo DRC, Malaysia): IoT integration, network automation
● 2019, Congo (DRC): built a wireless ISP from the ground up
● 2018, Malaysia: network revamp, developed a billing solution and integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed network
About the GLC webinar
● First webinar: January 1, 2010 (title: "tahun baru bersama solaris" - new year with the Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, databases, programming, etc.
● Regular schedule
● Irregular schedule: as needed
● Check the schedule: http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing knowledge, experiences and information
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your Mikrotik experience?
● Your expectations from this course?
Prerequisites
● This presentation is not for beginners
● We assume you already understand:
○ The encapsulation process
○ Routing
○ Security concepts
○ Encryption
○ Mikrotik basics
○ Mikrotik packet flow
Review basic knowledge
7 OSI layers & protocols
● The OSI layer model is a conceptual model from ISO (International Standard Organization) for the OSI (Open System Interconnection) project
● When you send a message with a courier, you need to add more information to get your message to arrive at the destination (this process is called encapsulation)
● What is a protocol?
○ A set of rules for communication
○ Available on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (the data before it becomes a PDU)
○ PDU: protocol data unit (after the header is added)
Layered model (TCP/IP vs ISO) and encapsulation
[Figure: layered model (TCP/IP vs ISO) and encapsulation, with the PDU names per layer (e.g. datagram)]
Did you notice?
● There is a big overhead in the encapsulation process
● More encapsulation means less payload?
Typical connection (logical) and routing table
Routing table:
● A table at a router that is used to forward packets
● Available on every device (router and host)
● Entries are evaluated sequentially
[Diagram: routers R1, R2 and R3 share 192.168.0.0/26 (R1 = 192.168.0.1, R2 = 192.168.0.2, R3 = 192.168.0.3); R1 serves 192.168.1.0/24 (192.168.1.1, host 192.168.1.9), R2 serves 192.168.2.0/24 (192.168.2.2, host 192.168.2.9), R3 serves 192.168.3.0/24 (192.168.3.3, host 192.168.3.9)]
Routing table from the diagram (the two directly connected networks identify it as R1's table):
destination             gateway
192.168.0.0/26          direct
192.168.1.0/24          direct
192.168.2.0/24          192.168.0.2
192.168.3.0/24          192.168.0.3
192.168.16.3/32         192.168.0.2
0.0.0.0/0 (default gw)  192.168.0.3
General security aspects (CIA)
● Confidentiality: prevents unauthorized use or disclosure of information
● Integrity: safeguards the accuracy and completeness of information
● Availability: authorized users have reliable and timely access to information
AAA security
● Authentication: only registered users can access
○ What you know: username and password
○ What you have: token, SMS
○ What you are: retina scan, fingerprint
● Authorization: defines the rights of a user
○ Access control
○ Data access control
○ Restrictions
○ Type of service
● Accounting: recording what a user is doing (useful for billing/reporting)
○ Traffic volume
○ Online time
○ Session
○ Log: login, logout
Mainly implemented using RADIUS
Goals of information security (CIA)
● Confidentiality: prevents unauthorized use or disclosure of information
● Integrity: safeguards the accuracy and completeness of information
● Availability: authorized users have reliable and timely access to information
Security mechanisms
Source: William Stallings, Network Security Essentials
Cryptography - encryption
● The practice and study of techniques for secure communication in the presence of third parties
● Cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages
● General implementation:
○ Start with asymmetric encryption to transfer a shared key
○ Switch to symmetric encryption
Source: medium.com/hackernoon
IPsec
Issues with layer 3
● The Internet Protocol (IP) has no security features
○ IP was designed in the early days of the Internet, when security was not an issue
○ All hosts are assumed to be trusted
○ All hosts in the network are known
● Possible security issues
○ Source spoofing
○ Packet replay
○ No data integrity
○ No confidentiality
IPsec
● A set of protocols and algorithms used to secure IP data at the network layer
● Security extension at layer 3, especially on IPv6
● Provides blanket security for applications:
○ Transparent to applications; they do not need to be aware of IPsec
○ Applications do not need to be rewritten to add security features
○ E.g. securing telnet? :-p
● Components:
○ Security associations (SA)
○ Authentication header (AH)
○ Encapsulating security payload (ESP)
○ Internet Key Exchange (IKE)
● Usually implemented as a VPN technology:
○ Router-to-router (e.g. site-to-site VPN)
○ End device to router (road warrior)
What can IPsec provide?
● Confidentiality
○ IPsec can encrypt the data transfer
● Integrity
○ Data is "signed" by the sender and the "signature" is verified by the recipient
○ Modification of the data can be detected by "signature" verification
● Authentication
○ Using signatures and certificates
● Anti-replay protection
○ Optional; the sender must provide it but the recipient may ignore it
● Key management
○ IKE: session negotiation and establishment
○ Secret keys are securely established and authenticated
○ The remote peer is authenticated through varying options
● IPsec still allows normal routers to forward IPsec packets
IPsec standards
● https://tools.ietf.org/html/rfc4301
○ Defines the original IPsec architecture and elements common to both AH and ESP
● https://tools.ietf.org/html/rfc4302
○ Defines the Authentication Header (AH)
● https://tools.ietf.org/html/rfc4303
○ Defines the Encapsulating Security Payload (ESP)
● https://tools.ietf.org/html/rfc2408
○ Internet Security Association and Key Management Protocol (ISAKMP)
● https://tools.ietf.org/html/rfc5996
○ IKE version 2 (IKEv2)
● https://tools.ietf.org/html/rfc4835
○ Cryptographic algorithm implementation requirements for ESP and AH
IPsec modes
● Tunnel mode
○ The entire IP packet is encrypted and becomes the payload of a new (and larger) IP packet
○ Frequently used in an IPsec site-to-site VPN
● Transport mode
○ The IPsec header is inserted into the IP packet; no new packet is created
○ Works well in networks where increasing a packet's size could cause an issue
○ Frequently used for remote-access VPNs
[Diagram: nodes A, B and C]
IPsec architecture
[Figure: IPsec architecture]
Source: APNIC IPsec presentation
Security Associations (SA)
● A collection of parameters required to establish a secure session
● Identified by unique parameters:
○ Security Parameter Index (SPI)
○ IP destination address
○ Security protocol (AH or ESP) identifier
● An SA is either unidirectional or bidirectional
○ IKE SAs are bidirectional
○ IPsec SAs are unidirectional
■ Two SAs are required for bidirectional communication
● A single SA can be used for AH or ESP, but not both
○ Two (or more) SAs must be created for each direction if using both AH and ESP
Source: APNIC IPsec presentation
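The SA identification rule above (SPI, destination, protocol) and the anti-replay protection listed under "What can IPsec provide?" can be seen working together in a small model. The following code is an added example, not from these slides or from RouterOS: a toy inbound SA database plus the sliding-window replay check of RFC 4303 Appendix A. The window size of 64 is the RFC 4303 default; the addresses, SPIs and sequence numbers are constructed.

```python
"""Added example (not from the GLC slides): a toy model of an IPsec
Security Association Database (SAD) keyed by the triplet the slide lists,
(SPI, destination address, security protocol), plus the sliding-window
anti-replay check a receiver runs on each packet's sequence number.
Teaching model only, not RouterOS code. The window size (64) is the
RFC 4303 default; addresses, SPIs and sequence numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP, AH = 50, 51  # IP protocol numbers of the two IPsec protocols


@dataclass
class InboundSA:
    spi: int
    dst: str
    proto: int                # ESP (50) or AH (51)
    window_size: int = 64     # RFC 4303 default anti-replay window
    highest_seq: int = 0      # highest sequence number accepted so far
    bitmap: int = 0           # bit i set = sequence highest_seq - i was seen

    def check_replay(self, seq: int) -> bool:
        """Return True if seq is fresh and record it; False for a replay.

        Follows the RFC 4303 Appendix A logic: a packet to the right of
        the window advances it, one inside the window is checked against
        the bitmap, one to the left of the window is too old and dropped.
        """
        if seq == 0:
            return False                                   # 0 is never valid
        if seq > self.highest_seq:                         # right of window
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:                     # left of window
            return False
        if self.bitmap & (1 << offset):                    # already seen
            return False
        self.bitmap |= 1 << offset
        return True


class SAD:
    """Inbound SA lookup: the same SPI under another destination or another
    protocol (AH vs ESP) is a different SA, exactly as the slide states."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str, int], InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: int) -> Optional[InboundSA]:
        return self._sas.get((spi, dst, proto))

    def accept(self, spi: int, dst: str, proto: int, seq: int) -> str:
        """Inbound processing decision for one packet."""
        sa = self.lookup(spi, dst, proto)
        if sa is None:
            return "drop: no SA"
        if not sa.check_replay(seq):
            return "drop: replay or stale"
        return "accept"


def demo() -> List[str]:
    """Constructed site-to-site ESP tunnel between R1 (203.0.113.1) and
    R2 (198.51.100.2). IPsec SAs are unidirectional, so R1 holds an inbound
    SA for R2->R1 traffic and R2 holds a separate one for R1->R2."""
    r1_sad, r2_sad = SAD(), SAD()
    r1_sad.add(InboundSA(spi=0x1001, dst="203.0.113.1", proto=ESP))   # R2 -> R1
    r2_sad.add(InboundSA(spi=0x2002, dst="198.51.100.2", proto=ESP))  # R1 -> R2

    results = []
    # Packets arriving at R1 from R2: 2 is replayed, 5 arrives after the
    # window has moved past it (70 - 5 >= 64), everything else is fresh.
    for seq in (1, 2, 3, 2, 70, 5, 200):
        results.append(r1_sad.accept(0x1001, "203.0.113.1", ESP, seq))
    # R1 knows nothing about the SPI of the opposite direction ...
    results.append(r1_sad.accept(0x2002, "203.0.113.1", ESP, 1))
    # ... and an AH packet carrying the ESP SA's SPI matches no SA either.
    results.append(r1_sad.accept(0x1001, "203.0.113.1", AH, 1))
    # The R1 -> R2 direction is checked by R2 against its own SA.
    results.append(r2_sad.accept(0x2002, "198.51.100.2", ESP, 1))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The bitmap keeps only the last 64 sequence numbers, so a receiver that honours the window drops both an exact replay and a packet delayed past the window; this is why a sender must never reuse a sequence number on the same SA, and why the slides say the recipient "may ignore" the check (a receiver with the window disabled accepts the replayed packet).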
Internet Security Association and Key Management Protocol (ISAKMP)
● Used for establishing Security Associations (SA) and cryptographic keys
● Only provides the framework for authentication and key exchange, and is independent of the key-exchange method
● Key exchange protocols
○ Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK)
Source: APNIC IPsec presentation
Authentication Header (AH)
● Uses IP protocol 51
● Provides source authentication and data integrity (protects against source spoofing and replay attacks)
● Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
● NO encryption
● MTU issue?
● NAT issue?
AH example
[Figure: AH packet format]
Encapsulating Security Payload (ESP)
● Uses IP protocol 50
● Provides all that is offered by AH, plus data confidentiality
○ It uses symmetric-key encryption
● Must encrypt and/or authenticate each packet
○ Encryption occurs before authentication
● Authentication is applied to the data in the IPsec header as well as the data contained in the payload
Source: APNIC IPsec presentation
ESP example
[Figure: ESP packet format]
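To make the AH and ESP slides concrete, here is an added example (not from the slides, not RouterOS code) that builds IPv4 packets carrying an AH (protocol 51) or an ESP header (protocol 50) and parses them the way a receiver or an observer on the path would. It verifies the AH integrity check value over the whole packet with the mutable IPv4 fields zeroed, as RFC 4302 describes, using HMAC-SHA1-96 (RFC 2404) from the standard library; the key, addresses, SPIs and payloads are constructed. It also shows the two modes from the "IPsec modes" slide: in AH the next-header field reveals transport (6 = TCP) versus tunnel (4 = IP-in-IP) mode, while in ESP that field is encrypted.

```python
"""Added example (not from the slides): build and parse IPv4 packets that
carry an Authentication Header (protocol 51) or an ESP header (protocol 50),
and verify the AH ICV the way RFC 4302 describes it: over the whole packet
with the mutable IPv4 fields zeroed. Teaching model only; key, addresses,
SPIs and payloads are constructed. ICV algorithm: HMAC-SHA1-96 (RFC 2404)."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ESP, AH = 50, 51
ICV_LEN = 12               # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_HDR_LEN = 12 + ICV_LEN  # fixed AH fields + ICV
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: DSCP/ECN, flags, fragment offset, TTL and the header
    checksum change in transit, so AH authenticates them as zero."""
    h = bytearray(ip_hdr)
    h[1] = 0                # ToS (DSCP/ECN)
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def build_ah(src: str, dst: str, next_hdr: int, inner: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: next_hdr is the upper-layer protocol (6 = TCP) and inner
    is its segment. Tunnel mode: next_hdr is 4 and inner is a whole IPv4 packet."""
    ip = ipv4_header(src, dst, AH, 20 + AH_HDR_LEN + len(inner))
    # AH payload-length field counts 32-bit words minus 2: (24 / 4) - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_HDR_LEN // 4 - 2, 0, spi, seq)
    data = zero_mutable(ip) + ah_fixed + bytes(ICV_LEN) + inner  # ICV field as zeros
    icv = hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_fixed + icv + inner


def forward_hop(pkt: bytes) -> bytes:
    """What a normal router in the path does to the packet: TTL - 1, new checksum."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


@dataclass
class IPsecInfo:
    protocol: str           # "AH" or "ESP"
    spi: int
    seq: int
    mode: str               # "transport", "tunnel" or "unknown (encrypted)"
    icv_ok: Optional[bool]  # None when no check was possible


def parse_ipsec(pkt: bytes, key: Optional[bytes] = None) -> IPsecInfo:
    """Classify an IPsec packet from its outer header; verify AH when a key is given."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP's next-header field lives in the encrypted trailer, so an observer
        # cannot tell tunnel from transport mode; SPI and sequence are visible.
        return IPsecInfo("ESP", spi, seq, "unknown (encrypted)", None)
    if proto == AH:
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4
        icv, inner = body[12:ah_len], body[ah_len:]
        mode = "tunnel" if next_hdr == 4 else "transport"  # 4 = IP-in-IP
        icv_ok = None
        if key is not None:
            data = zero_mutable(pkt[:ihl]) + body[:12] + bytes(len(icv)) + inner
            expected = hmac.new(key, data, hashlib.sha1).digest()[:len(icv)]
            icv_ok = hmac.compare_digest(icv, expected)
        return IPsecInfo("AH", spi, seq, mode, icv_ok)
    raise ValueError("not AH or ESP: protocol %d" % proto)


def demo() -> Dict[str, IPsecInfo]:
    key = b"constructed-demo-key"
    payload = b"GET / HTTP/1.0\r\n\r\n"  # stands in for a TCP segment (constructed)
    transport = build_ah("203.0.113.1", "198.51.100.2", 6, payload, 0x1001, 1, key)
    inner_ip = ipv4_header("10.0.1.9", "10.0.2.9", 6, 20 + len(payload)) + payload
    tunnel = build_ah("203.0.113.1", "198.51.100.2", 4, inner_ip, 0x1001, 2, key)
    tampered = tunnel[:-1] + bytes([tunnel[-1] ^ 0xFF])  # flip last payload byte
    esp = ipv4_header("203.0.113.1", "198.51.100.2", ESP, 20 + 8 + 32)
    esp += struct.pack("!II", 0x2002, 7) + b"\x5a" * 32  # opaque ciphertext stand-in
    return {
        "transport": parse_ipsec(transport, key),
        "tunnel": parse_ipsec(tunnel, key),
        "after_hop": parse_ipsec(forward_hop(tunnel), key),  # TTL changed, still valid
        "tampered": parse_ipsec(tampered, key),              # ICV fails
        "esp": parse_ipsec(esp),
    }
```

The "after_hop" case is the point of zeroing the mutable fields: a router in the path decrements TTL and rewrites the checksum, and the ICV still verifies, which is how "normal routers can forward IPsec packets" while any change to the addresses or payload is caught. The same logic also explains the slide's "NAT issue?": NAT rewrites the source or destination address, which AH does not treat as mutable, so the ICV check fails after NAT.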
Internet Key Exchange (IKE)
● Typically used for establishing IPsec sessions
● A key exchange mechanism
● Five variations of an IKE negotiation:
○ Aggressive vs main mode (2 modes)
○ Authentication: pre-shared key, public-key encryption, public-key signature (3 modes)
● Uses UDP port 500
● Consists of two roles:
○ Initiator (active)
○ Responder (passive)
Source: APNIC IPsec presentation
IKE modes
● Main mode: three exchanges of information between the IPsec peers. The initiator sends one or more proposals to the other peer (the responder); the responder selects a proposal.
● Aggressive mode: achieves the same result as main mode using only 3 packets:
○ First packet, sent by the initiator, contains all the information needed to establish the SA
○ Second packet, from the responder, contains all the selected security parameters
○ Third packet finalizes authentication of the ISAKMP session
● Quick mode: negotiates the parameters for the IPsec session. The entire negotiation occurs within the protection of the ISAKMP session.
IKE phases
● Phase 1
○ Establishes a secure channel (ISAKMP SA)
○ Uses either main mode or aggressive mode
○ Authenticates the computer identity using certificates or a pre-shared secret
● Phase 2
○ Establishes a secure channel between computers intended for the transmission of data (IPsec SA)
○ Uses quick mode
Source: APNIC IPsec presentation
IKE phase 1 (main mode)
[Figure: main mode message exchange]
Source: APNIC IPsec presentation
IKE phase 1 (aggressive mode)
● Uses 3 (vs 6) messages to establish the IKE SA
● No denial-of-service protection
● Does not have identity protection
● Optional exchange and not widely implemented
Source: APNIC IPsec presentation
IKE phase 2 (quick mode)
● All traffic is encrypted using the ISAKMP Security Association
● Each quick mode negotiation results in two IPsec Security Associations (one inbound, one outbound)
● Creates/refreshes keys
Source: APNIC IPsec presentation
IKEv1 issues
● Different interpretations between vendors
● Different implementations between vendors
● Vendor incompatibility
● Suggestion: use IKEv2
IKEv2 specification
● Feature preservation
○ Most features and characteristics of the baseline IKEv1 protocol are preserved in v2
● Compilation of features and extensions
○ Quite a few features that were added on top of the baseline IKE protocol functionality in v1 are reconciled into the mainline v2 framework
● Some new features
Source: APNIC IPsec presentation
IPsec on Mikrotik
General packet flow
[Figure: Mikrotik general packet flow]
IPsec flow
[Figure: IPsec in the Mikrotik packet flow]
IPsec encryption
[Figure: IPsec encryption path in the packet flow]
IPsec decryption
[Figure: IPsec decryption path in the packet flow]
IPsec on Mikrotik
● Mikrotik supports AH, ESP and ISAKMP
● There are 2 parts to IPsec:
○ Initiator: defines the policy (authentication and encryption; the proposal)
○ Responder: will adjust the authentication and encryption
● Recommended to use a static IP for the peer
○ Can be built on top of L2TP
● Encryption requires CPU power
● It's recommended to use a routerboard with a hardware accelerator
○ RB1100
○ CCR
IPsec steps
● Prepare the SA
○ Set up the profile
○ Set up the proposal
● Prepare phase 1
○ Set up the peer
○ Set up the identity
● Prepare phase 2
○ Set up the IPsec policy
Set up the IPsec policy
● This determines the phase 2 parameters
○ Mode: transport vs tunnel
○ IPsec protocol: AH vs ESP
○ Negotiation of mechanisms (hash, authentication, encryption)
IPsec tips
● DO UNDERSTAND HOW IPSEC WORKS!!!
● Do not just follow tutorial instructions from blogs/YouTube
● Use a protocol analyzer
● Activate the debug log
● Check the IPsec parameters
● Problems often happen in phase 2, especially between different vendors
● Use IKEv2
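The "initiator defines the policy, responder adjusts" description on the "IPsec on Mikrotik" slide, the proposal selection in the IKE modes table, and the tip that problems often happen in phase 2 all come down to one rule: a proposal matches as a whole, not field by field. The following is an added example (not from the slides, not RouterOS code, and not the full IKE transform grammar) that models that selection for the phase 2 proposal the Mikrotik policy and proposal objects configure, and gives a field-by-field diagnosis when it fails. The algorithm labels follow RouterOS naming (aes-256-cbc, sha256, modp2048) and all peer configurations are constructed.

```python
"""Added example (not from the slides): a simplified model of IKE proposal
selection (initiator offers a list, responder picks the first complete match)
and a diagnosis helper for a failed phase 2. Not RouterOS code; algorithm
labels follow RouterOS naming and the peer configurations are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proposal:
    enc: str               # ESP encryption algorithm
    auth: str              # integrity / hash algorithm
    pfs: str               # Diffie-Hellman group for PFS, or "none"
    protocol: str = "esp"  # "esp" or "ah"
    mode: str = "tunnel"   # "tunnel" or "transport"


def select(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Responder behaviour: walk the initiator's list in order and accept the
    first proposal that is identical to one the responder is configured to allow."""
    for offered in initiator:
        if offered in responder:
            return offered
    return None


def explain_mismatch(initiator: List[Proposal], responder: List[Proposal]) -> List[str]:
    """Debugging aid for a failed phase 2: report every field on which the two
    sides have no value in common. If every field overlaps but no complete
    proposal matches, say so: that case hides well in a debug log because each
    algorithm on its own looks supported."""
    if select(initiator, responder) is not None:
        return []
    reasons = []
    for field in ("protocol", "mode", "enc", "auth", "pfs"):
        offered = {getattr(p, field) for p in initiator}
        allowed = {getattr(p, field) for p in responder}
        if not offered & allowed:
            reasons.append("%s: initiator offers %s, responder accepts %s"
                           % (field, sorted(offered), sorted(allowed)))
    if not reasons:
        reasons.append("no single complete proposal matches; compare whole proposal lines")
    return reasons


def demo() -> Dict[str, object]:
    # Constructed configurations; none of these are vendor defaults.
    local = [Proposal("aes-256-cbc", "sha256", "modp2048")]
    good_peer = [Proposal("aes-128-cbc", "sha1", "modp1024"),
                 Proposal("aes-256-cbc", "sha256", "modp2048")]
    no_pfs_peer = [Proposal("aes-256-cbc", "sha256", "none")]
    # Every individual algorithm is allowed somewhere, but never together.
    crossed_peer = [Proposal("aes-256-cbc", "sha1", "modp2048"),
                    Proposal("aes-128-cbc", "sha256", "modp2048")]
    return {
        "match": select(local, good_peer),
        "pfs": explain_mismatch(local, no_pfs_peer),
        "crossed": explain_mismatch(local, crossed_peer),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

When a tunnel stays in phase 1 but never produces an IPsec SA, compare the complete proposal lines on both peers (including PFS group and mode) rather than the individual algorithms; the "crossed" case above is the one that a per-algorithm comparison misses.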
Live practice
Preparation
● SSH client
● SSH parameters
○ SSH address
○ SSH port
○ SSH username
○ SSH password
Q & A
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learning the materials, but also sharing experiences, best practices and networking
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Recording (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned with our schedule
● Any questions?

WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
KAMAL CHOUDHARY
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 

Recently uploaded (20)

How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 

IPsec on Mikrotik

  • 8. Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
  • 9. Prerequisite
● This presentation is not for beginners
● We assume you already understand:
○ Encapsulation process
○ Routing
○ Security concepts
○ Encryption
○ Mikrotik basics
○ Mikrotik packet flow
  • 11. 7 OSI layers & protocols
● The OSI model is a conceptual model from ISO (International Organization for Standardization) for the OSI (Open Systems Interconnection) project
● When you send a message with a courier, you need to add more information to get your message to its destination (this process is called encapsulation)
● What is a protocol?
○ A set of rules for communication
○ Available on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (before a header is added, i.e. before it becomes a PDU)
○ PDU: protocol data unit (after the header is added)
  • 12. Layered model (TCP/IP vs ISO) and encapsulation
[Figure: layered model (TCP/IP vs ISO) and encapsulation; packet / datagram]
  • 13. Did you notice?
● There is a big overhead in the encapsulation process
● More encapsulation means less payload?
  • 14. Typical connection (logical) and routing table
Routing table:
● A table at a router that is used to forward packets
● Available on every device (router and host)
● Entries are evaluated sequentially
[Diagram: routers R1, R2, R3 on 192.168.0.0/26 (192.168.0.1, 192.168.0.2, 192.168.0.3), each with a LAN: 192.168.1.0/24 (R1 at 192.168.1.1, host 192.168.1.9), 192.168.2.0/24 (R2 at 192.168.2.2, host 192.168.2.9), 192.168.3.0/24 (R3 at 192.168.3.3, host 192.168.3.9)]
Routing table of R1:
destination              gateway
192.168.0.0/26           direct
192.168.1.0/24           direct
192.168.2.0/24           192.168.0.2
192.168.3.0/24           192.168.0.3
192.168.16.3/32          192.168.0.2
0.0.0.0/0 (default gw)   192.168.0.3
  • 15. General Security Aspects (CIA)
● Confidentiality: prevents unauthorized use or disclosure of information
● Integrity: safeguards the accuracy and completeness of information
● Availability: authorized users have reliable and timely access to information
  • 16. AAA security
● Authentication: only registered users can access
○ What you know: username and password
○ What you have: token, SMS
○ What you are: retina scan, fingerprint
● Authorization: defines the rights of a user
○ Access control
○ Data access control
○ Restriction
○ Type of service
● Accounting: recording what a user is doing (useful for billing/reporting)
○ Traffic volume
○ Online time
○ Session
○ Log: login, logout
Mainly implemented using RADIUS
  • 17. Goals of Information Security (CIA)
● Confidentiality: prevents unauthorized use or disclosure of information
● Integrity: safeguards the accuracy and completeness of information
● Availability: authorized users have reliable and timely access to information
  • 18. Security mechanisms
[Figure: security mechanisms; source: William Stallings, Network Security Essentials]
  • 19. Cryptography - encryption
● The practice and study of techniques for secure communication in the presence of third parties
● Cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages
● General implementation:
○ Start with asymmetric encryption, to transfer the shared key
○ Switch to symmetric encryption
Source: medium.com/hackernoon
  • 21. Issues with layer 3
● The Internet Protocol (IP) has no security features
○ IP was designed in the early stages of the Internet, when security was not an issue
○ All hosts are assumed to be trusted
○ All hosts in the network are known
● Possible security issues
○ Source spoofing
○ Replayed packets
○ No data integrity
○ No confidentiality
  • 22. IPsec
● A set of protocols and algorithms used to secure IP data at the network layer
● A security extension on layer 3, especially on IPv6
● Provides blanket security for applications:
○ Transparent to applications; they do not need to be aware of IPsec
○ Applications do not need to be rewritten to add security features
○ E.g. securing telnet? :-p
● Components:
○ Security associations (SA)
○ Authentication header (AH)
○ Encapsulating security payload (ESP)
○ Internet Key Exchange (IKE)
● Usually implemented as a VPN technology:
○ Router-to-router (e.g. site-to-site VPN)
○ End device to router (road warrior)
  • 23. What can IPsec provide?
● Confidentiality
○ IPsec can encrypt the data transfer
● Integrity
○ Data is "signed" by the sender and the "signature" is verified by the recipient
○ Modification of data is detected by signature verification
● Authentication
○ Using signatures and certificates
● Anti-replay protection
○ Optional: the sender must provide it, but the recipient may ignore it
● Key management
○ IKE: session negotiation and establishment
○ Secret keys are securely established and authenticated
○ The remote peer is authenticated through various options
● IPsec packets are still forwarded by ordinary routers
  • 24. IPsec Standards
● https://tools.ietf.org/html/rfc4301
○ Defines the IPsec architecture and the elements common to both AH and ESP
● https://tools.ietf.org/html/rfc4302
○ Defines the Authentication Header (AH)
● https://tools.ietf.org/html/rfc4303
○ Defines the Encapsulating Security Payload (ESP)
● https://tools.ietf.org/html/rfc2408
○ Internet Security Association and Key Management Protocol (ISAKMP)
● https://tools.ietf.org/html/rfc5996
○ IKE version 2 (IKEv2)
● https://tools.ietf.org/html/rfc4835
○ Cryptographic algorithm implementation requirements for ESP and AH
  • 25. IPsec Modes
● Tunnel mode
○ The entire IP packet is encrypted and becomes the payload of a new (and larger) IP packet
○ Frequently used in an IPsec site-to-site VPN
● Transport mode
○ The IPsec header is inserted into the existing IP packet; no new packet is created
○ Works well in networks where increasing a packet's size could cause an issue
○ Frequently used for remote-access VPNs
[Figure: tunnel vs transport mode between hosts A, B and C]
  • 27. Security Associations (SA)
● A collection of parameters required to establish a secure session
● Identified by a unique combination of:
○ Security Parameter Index (SPI)
○ IP destination address
○ Security protocol (AH or ESP) identifier
● An SA is either unidirectional or bidirectional
○ IKE SAs are bidirectional
○ IPsec SAs are unidirectional
■ Two SAs are required for bidirectional communication
● A single SA can be used for AH or ESP, but not both
○ If both AH and ESP are used, two (or more) SAs must be created for each direction
Source: APNIC IPsec presentation
  • 28. Internet Security Association and Key Management Protocol (ISAKMP)
● Used for establishing Security Associations (SA) and cryptographic keys
● Only provides the framework for authentication and key exchange; it is independent of the key exchange method
● Key exchange protocols
○ Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK)
Source: APNIC IPsec presentation
  • 29. Authentication Header (AH)
● Uses IP protocol 51
● Provides source authentication and data integrity (protects against source spoofing and replay attacks)
● Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
● NO encryption
● MTU issue?
● NAT issue?
  • 31. Encapsulating Security Payload (ESP)
● Uses IP protocol 50
● Provides everything offered by AH, plus data confidentiality
○ It uses symmetric-key encryption
● Must encrypt and/or authenticate each packet
○ Encryption occurs before authentication
● Authentication is applied to the data in the IPsec header as well as the data carried as payload
Source: APNIC IPsec presentation
  • 33. Internet Key Exchange (IKE)
● Typically used for establishing IPsec sessions
● A key exchange mechanism
● Five variations of an IKE negotiation:
○ Aggressive vs main mode (2 modes)
○ Authentication: pre-shared key, public-key encryption, public-key signature (3 modes)
● Uses UDP port 500
● Consists of 2 parties:
○ Initiator (active)
○ Responder (passive)
Source: APNIC IPsec presentation
  • 34. IKE modes
Mode: Main
Description: Three exchanges of information between IPsec peers. The initiator sends one or more proposals to the other peer (the responder); the responder selects a proposal.
Mode: Aggressive
Description: Achieves the same result as main mode using only 3 packets:
● First packet, sent by the initiator, contains all the information needed to establish the SA
● Second packet, sent by the responder, carries all the selected security parameters
● Third packet finalizes authentication of the ISAKMP session
Mode: Quick
Description: Negotiates the parameters for the IPsec session. The entire negotiation occurs within the protection of the ISAKMP session.
  • 35. IKE phases
● Phase 1
○ Establishes a secure channel (ISAKMP SA)
○ Uses either main mode or aggressive mode
○ Authenticates the computer identity using certificates or a pre-shared secret
● Phase 2
○ Establishes a secure channel between computers intended for the transmission of data (IPsec SA)
○ Uses quick mode
Source: APNIC IPsec presentation
  • 36. IKE phase 1 (main mode)
[Figure: main mode exchange; source: APNIC IPsec presentation]
  • 37. IKE phase 1 (aggressive mode)
● Uses 3 (vs 6) messages to establish the IKE SA
● No denial-of-service protection
● Does not have identity protection
● Optional exchange and not widely implemented
Source: APNIC IPsec presentation
  • 38. IKE phase 2 (quick mode)
● All traffic is encrypted using the ISAKMP Security Association
● Each quick mode negotiation results in two IPsec Security Associations (one inbound, one outbound)
● Creates/refreshes keys
Source: APNIC IPsec presentation
  • 39. IKEv1 issues
● Different interpretations between vendors
● Different implementations between vendors
● Vendor incompatibility
● Suggestion: use IKEv2
  • 40. IKEv2 specification
● Feature preservation
○ Most features and characteristics of the baseline IKEv1 protocol are preserved in v2
● Compilation of features and extensions
○ Quite a few features that were added on top of the baseline IKE protocol functionality in v1 are reconciled into the mainline v2 framework
● Some new features
Source: APNIC IPsec presentation
  • 46. IPsec on Mikrotik
● Mikrotik supports AH, ESP and ISAKMP
● There are 2 parties in IPsec:
○ Initiator: defines the policy (authentication and encryption, i.e. the proposal)
○ Responder: adjusts to the offered authentication and encryption
● Recommended to use a static IP for the peer
○ Can be built on top of L2TP
● Encryption requires CPU power
● It is recommended to use a routerboard with a hardware accelerator
○ RB1100
○ CCR
  • 47. IPsec steps
● Prepare the SA
○ Set up the profile
○ Set up the proposal
● Prepare phase 1
○ Set up the peer
○ Set up the identity
● Prepare phase 2
○ Set up the IPsec policy
  • 48. Set up the IPsec policy
● This determines the phase 2 parameters
○ Mode: transport vs tunnel
○ IPsec protocol: AH vs ESP
○ Negotiation of mechanisms (hash, authentication, encryption)
  • 49. IPsec tips
● DO UNDERSTAND HOW IPSEC WORKS!!!
● Do not just follow tutorial instructions from blogs/YouTube
● Use a protocol analyzer
● Activate the debug log
● Check the IPsec parameters
● Problems often happen in phase 2, especially between different vendors
● Use IKEv2
  • 51. Preparation
● SSH client
● SSH parameters
○ SSH address
○ SSH port
○ SSH username
○ SSH password
  • 53. Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learn the materials, but also share experiences, best practices, and networking
  • 54. End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Recording (youtube): https://www.youtube.com/c/GLCNetworks
● Stay tuned with our schedule
● Any questions?
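The steps of slides 47-48 (profile, proposal, peer, identity, policy) and the checks of slide 49, written out as one RouterOS 6.45+ configuration for an IKEv2 site-to-site tunnel. This is an added example, not the webinar's lab configuration; the addresses, object names and the pre-shared-key placeholder are constructed, and the remote router needs the mirror configuration with the addresses swapped.

```routeros
# Added example (not from the slides). Constructed values:
#   local WAN 198.51.100.1, remote peer 203.0.113.2,
#   local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.

# --- Slide 47, "Prepare SA" ---
# Phase 1 profile: DH group, cipher and hash for the IKE (ISAKMP) SA.
/ip ipsec profile add name=site-ike2 dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=1d dpd-interval=30s dpd-maximum-failures=3
# Phase 2 proposal: ESP with AES-256-CBC + SHA-256 and PFS (slide 48: hash, auth, encryption).
/ip ipsec proposal add name=site-esp enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp2048 lifetime=30m

# --- Slide 47, "Prepare phase 1" ---
# Peer: static remote address (slide 46) and IKEv2 (slide 49).
/ip ipsec peer add name=branch address=203.0.113.2/32 local-address=198.51.100.1 \
    exchange-mode=ike2 profile=site-ike2
# Identity: how the peer is authenticated. A PSK is used here for brevity;
# auth-method=digital-signature with certificates is the stronger choice.
/ip ipsec identity add peer=branch auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-PSK"

# --- Slide 47/48, "Prepare phase 2" ---
# Policy: which traffic is protected, tunnel mode, ESP only, encryption mandatory.
/ip ipsec policy add peer=branch tunnel=yes src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 protocol=all action=encrypt level=require \
    ipsec-protocols=esp proposal=site-esp

# --- Packet-flow caveat (slide 9 prerequisite) ---
# srcnat runs before the policy lookup: without this accept rule at the top of
# srcnat, masquerade rewrites the source address and the policy never matches.
/ip firewall nat add chain=srcnat action=accept ipsec-policy=out,ipsec \
    place-before=0 comment="bypass NAT for IPsec-protected traffic"

# --- Least exposure on the WAN: only the peer may reach IKE and ESP ---
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    src-address=203.0.113.2 action=accept comment="IKE/NAT-T from branch"
/ip firewall filter add chain=input protocol=ipsec-esp \
    src-address=203.0.113.2 action=accept comment="ESP from branch"

# --- Slide 49 checks: debug log and parameter verification ---
# Log IKE negotiation (without per-packet noise) to memory.
/system logging add topics=ipsec,!packet action=memory
# Phase 1 state per peer; a missing entry means phase 1 never completed.
/ip ipsec active-peers print
# Phase 2 SAs: expect two per policy, one per direction (slide 38).
/ip ipsec installed-sa print
# ph2-state should read "established"; "no-phase2" points at a proposal mismatch.
/ip ipsec policy print detail
/log print where topics~"ipsec"
```

If the tunnel stays in phase 1 but never reaches phase 2, compare the proposal (enc-algorithms, auth-algorithms, pfs-group) and the policy selectors on both sides first, since those are the parameters slide 49 says most often differ between vendors.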