Mikrotik #1

MikroTik is a really good network device vendor (in my opinion), and even with the basic models you get amazing functionality.
Graphing functionality:

/tool graphing interface
add
/tool graphing resource
add

Sniffer (like tcpdump, or packet capture on an ASA):
/tool sniffer set filter-ip-protocol=icmp
/tool sniffer start 
/tool sniffer packet print

Printing installed packages, listing IP services and many other things work the same way; the CLI is quite intuitive.
/system package print
/ip services print

Site-to-site MikroTik VPN

Router2 masquerades (source-NATs) all clients on its subnet, so the policy on router1 has to match traffic from any source (0.0.0.0/0) to 192.168.101.200. On the other side the policy is the reverse (source 192.168.101.200, destination 0.0.0.0/0).

R1 - 192.168.101.1
R2 - 192.168.101.200

router1:

/ip ipsec peer profile
set [ find default=yes ] dh-group=modp4096,modp2048,modp1024 enc-algorithm=\
    aes-128,3des,des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,blowfish pfs-group=modp3072
/ip ipsec peer
add address=192.168.101.200/32 exchange-mode=ike2 secret=Passwdhere1.
/ip ipsec policy
add dst-address=192.168.101.200/32 sa-dst-address=192.168.101.200 \
    sa-src-address=192.168.101.1 src-address=0.0.0.0/0 tunnel=yes

router2:
The peer profile and proposal are the same as on router1.
/ip ipsec peer
add address=192.168.101.1/32 exchange-mode=ike2 secret=Tazkeheslo1.
/ip ipsec policy
add dst-address=0.0.0.0/0 sa-dst-address=192.168.101.1 sa-src-address=\
    192.168.101.200 src-address=192.168.101.200/32 tunnel=yes

-tunnel=yes – In tunnel mode the original IP packet is encapsulated in a new IP packet, so both the IP payload and the original IP header are protected. In transport mode only the payload is encrypted; the IP header is not.

-ipsec-protocols=ah – AH (Authentication Header) provides authentication (integrity and origin) of the datagram but does not encrypt it.

Check the installed SAs:

/ip ipsec installed-sa print 
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0xEED4F62 src-address=192.168.101.1 dst-address=192.168.101.200 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="861d8248d120baca3ff498da77689e6ed3513aa032c00622041e01281baf0f03" enc-key="99edfd01dbcaeee6e02096160d6eb6dd65d249c1a70e2dc08639f7e17f71963e" 
      addtime=nov/18/2018 20:39:10 expires-in=28m59s add-lifetime=24m21s/30m27s current-bytes=7404322 current-packets=5473 replay=128 

 1  E spi=0x5956E00 src-address=192.168.101.200 dst-address=192.168.101.1 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="707fdfba849cf839f102227581a789af242d29433d4aa17cbe4616fbb0fcafe2" enc-key="ea1da730196d3abd61f819c576930ed4c5cf0c19cc41f611d8b8bf4e3842ec6f" 
      addtime=nov/18/2018 20:39:10 expires-in=28m59s add-lifetime=24m21s/30m27s current-bytes=394687 current-packets=4543 replay=128 
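As an added example (my own Python, not from this post or from MikroTik), a small audit that parses the peer-profile/proposal lines above and the installed-sa output, and lists which legacy algorithms (DES, 3DES, Blowfish, modp1024, SHA1) a peer could still negotiate down to. The WEAK list is my own, and the sample strings are constructed from this page's config with the key material shortened.

```python
import re
# Constructed sample: router1's peer-profile and proposal lines from this page.
CONFIG = r"""
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp4096,modp2048,modp1024 enc-algorithm=\
    aes-128,3des,des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,blowfish pfs-group=modp3072
"""
# Constructed sample in the format of "/ip ipsec installed-sa print" (keys shortened).
SA_OUTPUT = """\
Flags: H - hw-aead, A - AH, E - ESP
 0  E spi=0xEED4F62 src-address=192.168.101.1 dst-address=192.168.101.200 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
      auth-key="861d8248" enc-key="99edfd01" addtime=nov/18/2018 20:39:10 expires-in=28m59s
 1  E spi=0x5956E00 src-address=192.168.101.200 dst-address=192.168.101.1 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
"""
# Ciphers, hashes and DH groups a peer should no longer be offered (my own list).
WEAK = {"des", "3des", "blowfish", "modp1024", "sha1", "md5", "none"}
KV = re.compile(r'([\w-]+)="?([^"\s]+)')  # key=value or key="value"
def parse_settings(text):
    """{key: [values]} from the 'set' lines, after joining backslash continuations."""
    settings = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if line.startswith("set "):
            for key, value in KV.findall(line):
                settings[key] = value.split(",")
    return settings

def weak_choices(settings):
    """Each setting mapped to the weak algorithms it still allows to be negotiated."""
    return {k: [v for v in vals if v in WEAK]
            for k, vals in settings.items() if any(v in WEAK for v in vals)}

def parse_installed_sa(text):
    """installed-sa rows -> dicts; indented continuation lines join the previous SA."""
    sas = []
    for line in text.splitlines():
        row = re.match(r"\s*(\d+)\s+([HAE]+)\s+(.*)", line)
        if row:
            sas.append({"id": int(row.group(1)), "flags": row.group(2)})
            line = row.group(3)
        elif not sas or not line.startswith(" "):
            continue  # header line or blank separator
        sas[-1].update(KV.findall(line))
    return sas

def weak_sas(sas):
    """IDs of SAs that are not mature or run a weak cipher/hash."""
    return [sa["id"] for sa in sas if sa.get("state") != "mature"
            or sa.get("enc-algorithm") in WEAK or sa.get("auth-algorithm") in WEAK]
```

Running `weak_choices(parse_settings(CONFIG))` on the config above reports modp1024, 3DES/DES, SHA1 and Blowfish as still offered, while both installed SAs pass `weak_sas` because they negotiated AES-256-CBC with SHA-256.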

For debugging issues:
/system logging add topics=ipsec,!debug
/log print