A Mikrotik router can be used as an IKEv2 VPN gateway. Here are a few notes on setting it up against Windows 10.

If you both have an internal Windows PKI that issues certificates and have the Mikrotik issuing certificates, you can end up with two certificates in the machine store that carry the same subject name (hostname.domain.company.tld).

Therefore, when the VPN connection is created on Windows 10, you have to tell it which root CA the machine certificate must chain to, so that the connection picks the Mikrotik-issued certificate and not the one from the internal PKI.

# Set these to the correct values
$server_address = "123.123.234.345"   # placeholder: the router's public IP or DNS name
$connection_name = "Mikrotik Ikev2_Prod"
$certificate_path = "C:\certtest\cert_export_hostname.domain.company.tld.p12"
$ca_cert_path = 'C:\certtest\cert_export_ca.crt'
# Export passphrase set on the Mikrotik when the .p12 was exported (Mikrotik requires at least 10 characters).
# Hardcoding it is acceptable for a one-off setup note; for anything reusable, read it with Read-Host -AsSecureString instead.
$password = ConvertTo-SecureString -String "1234567890" -AsPlainText -Force

# Import machine cert (certificate + private key) into the local machine's personal store
Import-PfxCertificate -FilePath $certificate_path -CertStoreLocation Cert:\LocalMachine\My\ -Password $password

# Import CA root into the trusted root store. Import-Certificate has no -Password parameter (a .crt carries no private key).
Import-Certificate -FilePath $ca_cert_path -CertStoreLocation Cert:\LocalMachine\Root\

# Add VPN connection IKEv2 with machine cert. Machine certificate authentication requires an all-user connection.
Add-VpnConnection -Name $connection_name -ServerAddress $server_address -TunnelType Ikev2 -EncryptionLevel Required -AuthenticationMethod MachineCertificate -AllUserConnection

# Add IPv6 default route (::/0 does not work, so cover the address space with the two /1 halves)
Add-VpnConnectionRoute -ConnectionName $connection_name -DestinationPrefix ::/1
Add-VpnConnectionRoute -ConnectionName $connection_name -DestinationPrefix 8000::/1

## Define which certificate the VPN should use: filter the machine certificates on their issuer (the Mikrotik CA).
## -MachineCertificateIssuerFilter takes an X509Certificate2 object, so load the CA certificate explicitly instead of passing a path.
$issuer_ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certtest\cert_export_ca_vpn_Router2021.crt'
Set-VpnConnection -Name $connection_name -MachineCertificateIssuerFilter $issuer_ca -AllUserConnection

## If the root CA is to be used on an iPhone, the passphrase on the exported certificate has to be changed: Mikrotik requires a 10-character passphrase when exporting, while iOS only accepts a 6-digit code:
## Mikrotik P12 to PEM with a 6-digit code (the private key in the PEM output is re-encrypted with DES3 under the new passphrase).
openssl.exe pkcs12 -des3 -in "C:\certtest\cert_export_ca_vpn_Router2021.p12" -out "C:\certtest\cert_export_ca_vpn_Router2021.ios.crt" -passin pass:0123456789 -passout pass:123456

Even though it works fine, using IKEv2 VPN on Mikrotik involves a lot of manual certificate management, unless you manage to get the Mikrotik IKEv2 server to use a certificate issued by the internal PKI.
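The point of the issuer filter above is that two certificates share a subject and only the issuer tells them apart. The following check is an added example, not part of the original notes: it lists the machine certificates for the host, reads the issuer filter back from the connection, and reports which certificate the VPN will actually use and whether the issuing CA is trusted. The connection name and host subject default to the values used in the notes; the assumption that Get-VpnConnection returns the filter as an X509Certificate2 is marked in the code.

```powershell
# Added example (not part of the original notes): check which machine certificate the IKEv2 connection will use.
# Assumptions: connection name and host subject default to the values used in the notes above.
function Test-VpnMachineCert {
    param(
        [string]$ConnectionName = "Mikrotik Ikev2_Prod",
        [string]$Subject        = "hostname.domain.company.tld"
    )

    # Every cert with a private key in the machine's personal store whose CN is the host. With both the internal PKI
    # and the Mikrotik CA issuing for the same host there will be two, differing only in Issuer and Thumbprint.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.HasPrivateKey } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter)

    $conn   = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction Stop
    $filter = $conn.MachineCertificateIssuerFilter
    # Assumption: the filter comes back as the CA's X509Certificate2 (the type Set-VpnConnection accepts);
    # fall back to treating it as an issuer-name string.
    $issuerName = $null
    if ($filter -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) { $issuerName = $filter.Subject }
    elseif ($filter) { $issuerName = "$filter" }

    if (-not $issuerName) {
        if ($candidates.Count -gt 1) {
            Write-Warning "'$ConnectionName' has no MachineCertificateIssuerFilter and $($candidates.Count) certs share CN=$Subject; Windows may pick the wrong one."
        }
        $selected = $candidates
    } else {
        # The filter pins the leaf certificate by issuer DN
        $selected = @($candidates | Where-Object { $_.Issuer -eq $issuerName })
        # IKEv2 still has to build the chain, so the issuing CA must also be trusted by the machine
        if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $issuerName })) {
            Write-Warning "Issuer '$issuerName' is not in Cert:\LocalMachine\Root"
        }
        if ($selected.Count -eq 0) {
            Write-Warning "No certificate with CN=$Subject was issued by '$issuerName'; the connection will fail to authenticate"
        }
    }

    [pscustomobject]@{
        Connection   = $ConnectionName
        IssuerFilter = $issuerName
        Candidates   = $candidates
        Selected     = $selected
        Expired      = @($selected | Where-Object { $_.NotAfter -lt (Get-Date) })
    }
}

Test-VpnMachineCert | Format-List
```

Run it in an elevated PowerShell after the setup script: Candidates should show both certificates, Selected exactly one (the Mikrotik-issued one), and Expired should be empty. If Selected is empty or a warning about the Root store appears, the IKEv2 authentication will fail and the filter or the CA import is what to fix.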

A script that builds a RouterOS IPv4 whitelist from Microsoft's XML. Note that Microsoft retired the O365IPAddresses.xml file in October 2018 in favour of the JSON web service at endpoints.office.com, so the download step below no longer works against Microsoft; point it at a saved copy of the XML or adapt the download to the JSON service. The parsing and the RouterOS output are the same either way.


[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$o365Ips = "https://support.content.office.net/en-us/static/O365IPAddresses.xml"

$output = "$PSScriptRoot\O365IPAddresses.xml"

$RosFirewallAddresslist = "/ip firewall address-list"
$RosAddList = "add list=Whitelist_O365 address="
$RosComment = " comment=O365_"

$RosScriptOutput = "c:\temp\o365Ros.rsc"

# RouterOS /import reads a plain text file; out-file's "unicode" writes UTF-16LE, which RouterOS does not parse
$RosFirewallAddresslist | out-file $RosScriptOutput -Encoding ascii -Force

$wc = New-Object System.Net.WebClient
$wc.DownloadFile($o365Ips, $output)

[xml]$o365Data = Get-Content $output
$o365 = @()

# Each <product> carries one <addresslist> per type (IPv4, IPv6, URL); only the IPv4 list goes into the address-list
foreach($product in $o365Data.products.product)
{
    write-host $product.name

    foreach ($address in $product.addresslist)
    {
        if ($address.type -eq "IPv4" -and $address.address)
        {
            $o365 += [pscustomobject]@{
                Product       = $product.name
                AddressesType = $address.type
                IPaddresses   = @($address.address)   # single addresses and CIDR prefixes, both accepted by address=
            }
        }
        # IPv6 and URL entries are deliberately skipped
    }
}
# show what was collected
$o365

foreach ($entry in $o365)
{
    $Prod = $entry.Product
    $ips  = $entry.IPaddresses
    "$Prod : $($ips.Count)"
    foreach ($ip in $ips)
    {
        $RosAddList + $ip + $RosComment + $Prod | out-file $RosScriptOutput -Encoding ascii -Append
    }
}
get-content $RosScriptOutput

A PowerShell script that builds a blocklist from some of the data SANS ISC makes available.

## makes powershell use TLS1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$blacklist = "https://isc.sans.edu/api/threatlist/shodan?json"

# SANS ISC asks API callers to put a contact address in the User-Agent; replace the placeholder with your own
$userAgent = "your-contact@example.com"
$Webdata = Invoke-WebRequest $blacklist -UserAgent $userAgent
$data = $Webdata.Content | ConvertFrom-Json

$RosFirewallAddresslist = "/ip firewall address-list"
$RosAddList = "add list=blacklist address="
$RosComment = " comment=Sans_shodan"

$RosScriptOutput = "c:\temp\Sans_shodan.rsc"
# RouterOS /import expects plain ASCII/UTF-8, not the UTF-16LE that -Encoding unicode produces
$RosFirewallAddresslist | out-file $RosScriptOutput -Encoding ascii -Force

## https://chrisjwarwick.wordpress.com/2012/09/16/more-regular-expressions-regex-for-ip-v4-addresses/
## Anchored: the (trimmed) value has to be exactly one dotted-quad; returns the address, or nothing.
Function ExtractValidIPAddress($String){
    $IPregex='^(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$'
    If ("$String".Trim() -Match $IPregex) {$Matches.Address}
}

# The JSON is a list of records; .ipv4 on the list enumerates the ipv4 field of every record
foreach( $line in $data.ipv4 )
{
    $ip = ExtractValidIPAddress $line
    if ($ip) {
        $RosAddList + $ip + $RosComment | out-file $RosScriptOutput -Encoding ascii -Append
    }
}

#Get-Content $RosScriptOutput

A bit of PowerShell that builds an RSC file for Mikrotik devices, usable for blocklists. The malc0de list is fetched over plain HTTP, so anyone on the path could inject addresses into a list you then block; prefer an HTTPS source where one exists.

## makes powershell use TLS1.2 (only matters if the feed URL is changed to https; this one is plain http)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$blacklist = "http://malc0de.com/bl/IP_Blacklist.txt"

$data = Invoke-WebRequest $blacklist

$RosFirewallAddresslist = "/ip firewall address-list"
$RosAddList = "add list=blacklist address="
$RosComment = " comment=Malcode"

$RosScriptOutput = "c:\temp\Malcode.rsc"
# RouterOS /import expects plain ASCII/UTF-8, not the UTF-16LE that -Encoding unicode produces
$RosFirewallAddresslist | out-file $RosScriptOutput -Encoding ascii -Force

## https://chrisjwarwick.wordpress.com/2012/09/16/more-regular-expressions-regex-for-ip-v4-addresses/
## Anchored: the (trimmed) line has to be exactly one dotted-quad; returns the address, or nothing.
Function ExtractValidIPAddress($String){
    $IPregex='^(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$'
    If ("$String".Trim() -Match $IPregex) {$Matches.Address}
}

# Use the body (.Content), not .RawContent, which also carries the HTTP headers. The list is one address per line
# with "//" comment lines, which the anchored regex rejects.
foreach( $line in ($data.Content -split "`r?`n") )
{
    $ip = ExtractValidIPAddress $line
    if ($ip) {
        $RosAddList + $ip + $RosComment | out-file $RosScriptOutput -Encoding ascii -Append
    }
}
#Get-Content $RosScriptOutput

A PowerShell script that produces an RSC output file for use on Mikrotik devices. Note that abuse.ch retired Ransomware Tracker in December 2019, so the feed URL below no longer serves a live list; the script is kept as a template for any feed with the same one-address-per-line format.

## makes powershell use TLS1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$blacklist = "https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt"

$data = Invoke-WebRequest $blacklist

$RosFirewallAddresslist = "/ip firewall address-list"
$RosAddList = "add list=blacklist address="
$RosComment = " comment=RansomwareTracker"

$RosScriptOutput = "c:\temp\RansomwareTracker.rsc"

# RouterOS /import expects plain ASCII/UTF-8, not the UTF-16LE that -Encoding unicode produces
$RosFirewallAddresslist | out-file $RosScriptOutput -Encoding ascii -Force

## https://chrisjwarwick.wordpress.com/2012/09/16/more-regular-expressions-regex-for-ip-v4-addresses/
## Anchored: the (trimmed) line has to be exactly one dotted-quad; returns the address, or nothing.
Function ExtractValidIPAddress($String){
    $IPregex='^(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$'
    If ("$String".Trim() -Match $IPregex) {$Matches.Address}
}

# Use the body (.Content), not .RawContent, which also carries the HTTP headers. The list is one address per line
# with "#" comment lines, which the anchored regex rejects.
foreach( $line in ($data.Content -split "`r?`n") )
{
    $ip = ExtractValidIPAddress $line
    if ($ip) {
        $RosAddList + $ip + $RosComment | out-file $RosScriptOutput -Encoding ascii -Append
    }
}
#Get-Content $RosScriptOutput
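The four feed scripts above (O365, SANS ISC, malc0de, Ransomware Tracker) all do the same thing: pull lines from a feed, keep the ones that look like IPv4 addresses, and emit `add list=... address=...` lines. The following is an added example, not code from the original page, that factors that into one generator and handles the cases the individual scripts do not: CIDR prefixes, trailing comments, duplicates (RouterOS refuses a second identical address in the same list with "already have such entry"), and re-imports (the output flushes the old list first). The sample feed lines are constructed for the example; the list name "blacklist", the `timeout` value and the output path are assumptions.

```powershell
function Get-FeedAddresses {
    # Returns the unique, valid IPv4 addresses / CIDR prefixes found in raw feed lines (everything else is dropped)
    param([string[]]$Lines)

    # Exactly one dotted-quad with an optional /0-/32 prefix. Anchored, so "1.2.3.4.5" or "10.0.17763.1" do not pass,
    # which an unanchored search would accept.
    $re = '^(?<ip>((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))(?<len>/(3[0-2]|[12]?[0-9]))?$'
    $seen = @{}
    foreach ($raw in $Lines) {
        # strip "#" and "//" comments (whole-line or trailing), then keep the first whitespace-separated token
        $clean = ("$raw" -replace '(#|//).*$', '').Trim()
        if (-not $clean) { continue }
        $token = ($clean -split '\s+')[0]
        if ($token -match $re) {
            $addr = $Matches['ip']
            if ($Matches.ContainsKey('len')) { $addr += $Matches['len'] }
            # RouterOS refuses a second identical address in the same list, so de-duplicate here
            if (-not $seen.ContainsKey($addr)) {
                $seen[$addr] = $true
                $addr
            }
        }
    }
}

function ConvertTo-RosAddressList {
    # Builds the lines of a RouterOS .rsc that replaces the content of one address-list
    param(
        [Parameter(Mandatory)][string[]]$Addresses,
        [Parameter(Mandatory)][string]$ListName,
        [string]$Comment = "",
        [string]$Timeout = ""     # e.g. "1d": entries then expire on the router instead of needing a cleanup import
    )
    # keep list name and comment to a conservative charset, and quote the comment so spaces are allowed
    $safeList    = $ListName -replace '[^A-Za-z0-9_\-]', '_'
    $safeComment = $Comment  -replace '[^A-Za-z0-9_\- :.]', '_'
    # flushing the old entries first makes the import idempotent; firewall rules reference the list by name, so they are unaffected
    $lines = @("/ip firewall address-list", "remove [find list=$safeList]")
    foreach ($a in $Addresses) {
        $l = "add list=$safeList address=$a"
        if ($safeComment) { $l += " comment=`"$safeComment`"" }
        if ($Timeout)     { $l += " timeout=$Timeout" }
        $lines += $l
    }
    $lines
}

# Constructed sample feed: the mix of formats the real feeds use (comment header, bare IPs, CIDR, junk, duplicates)
$sampleFeed = @(
    "// Sample blocklist header, constructed for this example",
    "# updated 2021-01-01",
    "198.51.100.7",
    "198.51.100.7          # duplicate, must be dropped",
    "203.0.113.0/24",
    "256.1.1.1             # invalid octet",
    "10.0.17763.1          # looks like a build number, not an address",
    "192.0.2.9 trailing text is ignored",
    ""
)

$addresses = @(Get-FeedAddresses -Lines $sampleFeed)     # 198.51.100.7, 203.0.113.0/24, 192.0.2.9
$rsc = ConvertTo-RosAddressList -Addresses $addresses -ListName "blacklist" -Comment "Sample feed" -Timeout "1d"
# RouterOS /import reads plain text; write ASCII rather than Windows PowerShell's default UTF-16LE
$rsc | Out-File -FilePath "c:\temp\sample_blocklist.rsc" -Encoding ascii -Force
$rsc
```

Upload the resulting file to the router and run `/import file-name=sample_blocklist.rsc`. Because the file starts with `remove [find list=blacklist]`, the same feed can be imported again without tripping over duplicates, and with `timeout=` set the entries age out on their own if the import job stops running.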