Mikrotik as NBN CPE


My service provider (iPrimus) provided a Huawei CPE (HG659) for my NBN connection. The modem was not bad (I had used it for my old ADSL link), but for some reason it is not working properly with the new NBN connection. The link dropped randomly and it was not resolved until I power cycled the modem. I was not even able to ping the CPE IP.

I am a big fan of Mikrotik and thought it would be great to have an MT as the CPE. I bought a MikroTik RB760iGS hEX S. It has decent hardware and comes with 5 Gig ports + 1 SFP port.

All the configuration is straightforward; the only catch is the VLAN. iPrimus uses VLAN 100. Below is the Huawei CPE configuration:

(screenshot: iprimus.png)

Mikrotik ssh key authentication


We can use an SSH key to authenticate to a Mikrotik box.

Step 1: Check your SSH key pair. We will copy the public key (id_rsa.pub).

bash-3.2$ ls
config id_rsa id_rsa.pub known_hosts

Step 2: Copy the public key (id_rsa.pub) to the MT. In this case the MT IP is 192.168.99.1 and the username is admin.
bash-3.2$ scp id_rsa.pub admin@192.168.99.1:/

Step 3: Log in to the MT and check whether the public key has been copied successfully.
[admin@mt] > file print
# NAME TYPE SIZE CREATION-TIME
0 flash disk jan/01/1970 11:00:07
1 id_rsa file 1896 dec/18/2019 10:19:45
2 flash/skins directory jan/01/1970 11:00:08
3 flash/mt-20191217-0031.backup backup 18.3KiB dec/17/2019 00:31:20

Step 4: Now enable ssh-key login for user admin. Run the following command on the MT:
[admin@mt] > user ssh-keys import user=admin public-key-file=id_rsa.pub

Step 5: Verify it. Run the following command on the MT:
[admin@mt] > user ssh-keys print
Flags: R - RSA, D - DSA
# USER BITS KEY-OWNER
0 R admin 2048 fakrul@au-mohammad-macbook.local

Step 6: Try to ssh to your MT box. It will ask for the key passphrase.
bash-3.2$ ssh admin@192.168.99.1
Enter passphrase for key '/Users/fakrul/.ssh/id_rsa'
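The six steps above as one script, added here as an example and not part of the original post. It assumes the host, user and key path from the post (overridable via MT_HOST, MT_USER, PUBKEY), and adds the check a practitioner wants before relying on the key: the login test forbids password authentication on the client side, so a key that silently failed to import cannot be masked by a password fallback.

```shell
#!/bin/sh
# Added example (not the original post's code): push an SSH public key to a
# MikroTik router, import it for the user, and confirm key-only login works.
# Assumed defaults come from the post; override them with environment variables.
MT_HOST="${MT_HOST:-192.168.99.1}"
MT_USER="${MT_USER:-admin}"
PUBKEY="${PUBKEY:-$HOME/.ssh/id_rsa.pub}"

# Steps 2 and 4: copy the public key to the router's root, then import it.
mt_install_key() {
    scp "$PUBKEY" "$MT_USER@$MT_HOST:/" || return 1
    ssh "$MT_USER@$MT_HOST" \
        "/user ssh-keys import user=$MT_USER public-key-file=$(basename "$PUBKEY")"
}

# Step 5: dump the router's key table (same output as `user ssh-keys print`).
mt_list_keys() {
    ssh "$MT_USER@$MT_HOST" "/user ssh-keys print"
}

# Pure helper: read `user ssh-keys print` output on stdin and return 0 only if
# an RSA key ("R" flag) of at least $2 bits is registered for user $1.
# Row layout as shown in the post: "<index> R <user> <bits> <key-owner>".
mt_key_ok() {
    user="$1"; min_bits="${2:-2048}"
    awk -v u="$user" -v m="$min_bits" '
        $2 == "R" && $3 == u && $4+0 >= m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Step 6, hardened: the client is told to use only the public key, so this
# fails loudly if the router would have fallen back to a password prompt.
# The key passphrase is still asked for, exactly as in the post.
mt_key_login_check() {
    ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no \
        "$MT_USER@$MT_HOST" "/system identity print" >/dev/null
}

main() {
    mt_install_key || { echo "key install failed" >&2; exit 1; }
    mt_list_keys | mt_key_ok "$MT_USER" 2048 \
        || { echo "no RSA key of >= 2048 bits registered for $MT_USER" >&2; exit 1; }
    mt_key_login_check && echo "key-based login to $MT_HOST as $MT_USER works"
}

# Only act when invoked as `sh mt-sshkey.sh install`; otherwise just define functions.
case "${1:-}" in install) main ;; esac
```

Run it with `sh mt-sshkey.sh install`; without the argument it only defines the functions so they can be sourced and tested offline.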

Setup a Site to Site IPsec VPN With Strongswan & Meraki MX (IKEv1)


Recently I have been trying to build a site-to-site IPsec VPN between an Azure VPN gateway and a Meraki MX firewall. Meraki started supporting IKEv2 (27 May 2019) in their beta firmware MX 15.13, but it's not stable.

Please check https://community.meraki.com/t5/Security-SD-WAN/Azure-VPN-IKEv2-intermittent/m-p/47688#M12029 and https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/48333#M12197

The Azure policy-based VPN gateway (IKEv1) is OK, but it only supports one site-to-site VPN tunnel.

To overcome the issue, I created an Ubuntu server which works as the VPN gateway and added a user-defined route to send all VPN traffic via the Ubuntu server.

A. Azure Configuration

1. Create a virtual machine. In my case I created a VM with Ubuntu 18.04 LTS with the following specification:

(screenshot: ipsecvpn_1.PNG)

2. After creating the VM, go to VM > Networking > Network Interface and enable the IP forwarding setting.

(screenshot: ipsecvpn_2.PNG)

3. In the NSG, make sure UDP/500 and UDP/4500 are allowed.

4. Create a route table. 192.168.100.0/24 is the remote subnet and 10.0.0.9 is the IP address of the Ubuntu server.

(screenshot: ipsecvpn_3.PNG)

5. Make sure you associate it with the existing network/VNet.

(screenshot: ipsecvpn_4.PNG)

Configure Express Route and Site-to-Site coexisting connections


We can now configure ExpressRoute and site-to-site VPN connections that coexist. You can configure a site-to-site VPN as a secure failover path for ExpressRoute, or use site-to-site VPNs to connect to sites that are not connected through ExpressRoute.

There are some limitations and restrictions; for details please check:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager

In this example I already have a VPN gateway configured with a /24 gateway subnet.

(screenshot: az-1)

Now we will create a new VPN gateway for IPsec.

Step 1: Get the VNet and gateway subnet details

$vnet = Get-AzVirtualNetwork -Name SEGResourceGroup-vnet -ResourceGroupName SEGResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

Step 2: Create a new public IP address and assign it to the VPN gateway

$gwpip= New-AzPublicIpAddress -Name SEG-GatewayVPNPublicIP -ResourceGroupName SEGResourceGroup -Location australiaeast -AllocationMethod Dynamic
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name SEG-GatewayVPNPublicIPConfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Step 3: Now create the site-to-site VPN gateway

New-AzVirtualNetworkGateway -Name SEG-GatewayVPN -ResourceGroupName SEGResourceGroup -Location australiaeast -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard

Verify the VPN gateway configuration. Important things to check:

GatewayType: VPN

VPNType: RouteBased

VPNClientConfiguration: IkeV2

(screenshot: az-2.PNG)

Step 4: Create the local network gateway

Microsoft Teams: Set preferred calling application


By default, Microsoft Skype for Business is the preferred application for receiving incoming voice calls. We can set it to Microsoft Teams using PowerShell.

1. Click Start, click All Programs, click Accessories, click Windows PowerShell, and then click Windows PowerShell.

After the Windows PowerShell console appears, you must then create a Windows PowerShell credentials object. The credentials object is used to securely convey your user name and password to Skype for Business Online. To create a credentials object, type the following command at the Windows PowerShell prompt and then press ENTER:

$credential = Get-Credential

After you press ENTER, you should see the Windows PowerShell Credential dialog box. In the User name box, type your Skype for Business Online user name. In the Password box, type your Skype for Business Online password.

If you want to verify that the object was created, simply type the variable name at the Windows PowerShell prompt and press ENTER:

$credential

2. Next you need to import the SkypeOnlineConnector module. To do that, run the following commands:

Set-ExecutionPolicy Unrestricted
Import-Module SkypeOnlineConnector

3. After you have created the credentials object, you can then create a new remote Windows PowerShell session that makes a connection to Skype for Business Online. To do this, type the following command at the Windows PowerShell prompt and then press ENTER:

$session = New-CsOnlineSession -Credential $credential -Verbose

If your connection succeeds, you'll see messages similar to this in the Windows PowerShell console:

(screenshot: Screen Shot 2018-04-08 at 12.54.14 am)