Open Peering Policy

Overview

The HamWAN Open Peering Policy (OPP) is a standard for communication and routing between 44-net allocations and the Internet. It has several nice properties:

Secure

All communication between a 44-net user and an OPP server is tamper proofed by the use of IPSec(AH). Any attempt to forge or inject packets that did not originate from the legitimate 44-net user will result in those packets being discarded. In order to authenticate to an OPP server, a user must hold a valid certificate and corresponding private key. The user is also limited to advertising only the 44-net allocations that are assigned to them, so traffic hi-jacking cannot take place.

Dynamic

The presence or absence of networks is communicated via the long proven BGP protocol. This is the standard protocol for routing on the Internet. The user is free to announce their net block, and only their net block, in whatever way they choose. This means everything from no announcement, to simply announcing the assigned block, to splitting the block up into multiple sub-blocks and announcing those partially or fully. OPP puts full routing control in the hands of the user through this design.

Furthermore, there is no need to register your public IP with some central authority. Users can connect to an OPP provider from any Internet address. This makes OPP compatible with typical Internet Service Providers (ISPs), who do not give their users static IP addresses, but instead hand IPs out at random from a pool. Should a user's IP address change, a properly configured OPP router will re-establish the OPP connection and traffic flow will resume automatically.

Decentralized

An OPP server will, at your discretion, announce your net block onto the Internet. This doesn't mean this is the only place you can announce your net block. The OPP design allows you to simultaneously peer with other OPP providers and get them to perform redundant announcements. You can pick and choose who you wish to use. When one provider goes down, your traffic simply re-routes via your other providers and your network stays reachable throughout.

Part 97 Compliant

OPP does not perform any encryption. The data is sent in clear text, and is merely accompanied by short digital signatures (Authentication Headers) which prove who the data is coming from and that it hasn't been tampered with. This makes it possible to pass OPP traffic over amateur radio frequencies, should the need ever arise.

Scalable

Because the OPP design allows multiple redundant providers, there is no limit to how many OPP providers can exist to provide 44net users with gateway services. If a certain provider is overwhelmed with traffic, users can shift their traffic to other providers which may have faster service.

Efficient

Most other virtual network solutions take on the cost of doing full data encryption to provide security, which is far more processor intensive than OPP's minimal approach of just using IPsec(AH). Since amateur radio traffic is not supposed to be private, OPP sheds this encryption cost and reaps the speed benefits of just calculating authentication header values.

Improving Support

OPP needs to implement the following missing features before it can be considered complete from a support perspective:

User Implementation

Getting Started

First, create an account on https://portal.ampr.org/. Request a net block to be allocated to you. If you intend this net block to be announced on the Internet, it has to be at least of /24 in size (netmask: 255.255.255.0). Alternatively, if you don't need all 254 IPs that a /24 gives you, you can work with your regional coordinator to give you a smaller allocation in a multi-user /24 net block meant to be announced on the Internet.

Once you have your allocation, and if it's a dedicated /24 or larger, you'll need to get a Letter of Authorization (LoA) from the Amateur Radio Digital Communications corporation. You can start the process by makeing a request on the portal. They will send you a form to fill out, requesting Network Service Provider (NSP) details. Here are the details for HamWAN - Puget Sound Data Ring:

NSP name: HamWAN
NSP postal address: 1122 E Pike St Unit 570, Seattle, WA 98122
NSP telephone: (206) 805-8865
NSP email contact: netops@HamWAN.org
NSP ASN: 63479

Once you have your LoA, please forward it to netops@HamWAN.org and request an OPP account.

Getting Your Certificate

If you already have a Logbook of the World (LotW) certificate, you're ready! Simply forward the certificate (not your private key!) to netops@HamWAN.org.

If you would instead like to get a HamWAN certificate, generate a 2048 bit (not 4096-bit!) Certificate Signing Request (CSR) and email it to netops@HamWAN.org.

How to Generate a CSR

A good way to do this is with the OpenSSL utility:

Generate a CSR

openssl genrsa -aes256 -out <YOUR CALLSIGN>-key.pem 2048
openssl req -new -sha256 -key <YOUR CALLSIGN>-key.pem -out <YOUR CALLSIGN>.csr

Be sure to use a strong password when doing the first command. Your private key is stored encrypted with this password in the -key.pem file. Do not share this file with others, and do not share your encryption password for this key with others. During the second command you will be asked several questions. The answers don't matter. We will set all the correct values when we send you back the signed certificate. You will also be asked towards the end if you'd like to encrypt this CSR with a password. Do not supply a password here since it is not needed, just hit enter.

Setup on MikroTik / RouterOS Edge Router

The following setup instructions are for a situation where a MikroTik RouterOS device is connected directly between your Internet Service Provider (ISP) bridge modem and your Local Area Networks (LANs). A publicly routable IP address is required to be present on this edge router for these instructions to work.

Import Certificates

Once you've received your .pem signed certificate from the OPP provider, or if you've exported the signed LoTW certificate to this file, you'll need to upload it to your router, along with the private key that corresponds to this certificate. You will also need to install the certificate of your OPP provider, called the OPP CERTIFICATE. The OPP CERTIFICATE is typically saved as .pem. In the case of HamWAN - Puget Sound Data Ring (PSDR), that OPP CALLSIGN is K7WAN-3 and the certificate filename is K7WAN-2020.pem, and is available here. Copy all of these files to your router using scp or winbox drag n drop, then:

Import Certificates

/certificate import file-name=<YOUR CALLSIGN>.pem # It'll ask for a password, just hit enter
/certificate import file-name=<YOUR CALLSIGN>-key.pem # Provide your private key password
/certificate set [find common-name=<YOUR CALLSIGN>] name=<YOUR CALLSIGN>
/certificate import file-name=<OPP CERTIFICATE>
/certificate set [find common-name=<OPP CALLSIGN>] name=<OPP CALLSIGN>

Be sure to import your certificate prior to importing your private key. The other way around will not work.

Configure Tunnel Interface

Your OPP provider will give you a set of 4 IP addresses. Two of them dedicated to you (LOCAL), and two of them which live at the provider (REMOTE). They will be consecutively numbered. In the following instructions, the FIRST and SECOND words refer to the lower and higher numbered IP addresses, respectively. In the case of HamWAN-PSDR the FIRST REMOTE ADDRESS is 44.25.4.0 and the SECOND REMOTE ADDRESS is 44.25.4.1. (Note: previous users of this process will these addresses used to be 44.24.246.0 and 44.24.246.1. They will be supported until all legacy users have been transitioned to the new address allocation)

If you experience an error when you try to use the "!keepalive" option, it means you have an older version of RouterOS and should either upgrade or simply remove that option from the command line.

Configure Tunnel Interface

/interface ipip add name=HamWAN-PSDR mtu=1456 !keepalive clamp-tcp-mss=no local-address=<SECOND LOCAL ADDRESS> remote-address=<SECOND REMOTE ADDRESS>
/ip address add interface=HamWAN-PSDR address=<FIRST LOCAL ADDRESS>/32 network=<FIRST REMOTE ADDRESS>
/ip address add interface=HamWAN-PSDR address=<SECOND LOCAL ADDRESS>/32

Please do not try to run any services on the LOCAL addresses assigned to you. They are not fully routable. Keep any services on your dedicated 44net allocation.

Configure IPsec(AH)

Your OPP provider will also give you a 5th IP address, called the OPP ADDRESS. In the case of HamWAN-PSDR, this address is 44.24.221.2. Use it in the following configuration:

Configure IPsec(AH)

/ip ipsec proposal add auth-algorithms=md5 enc-algorithms=null name=vpn-ah
/ip ipsec peer add address=<OPP ADDRESS>/32 auth-method=rsa-signature certificate=<YOUR CALLSIGN> enc-algorithm=aes-128 nat-traversal=no remote-certificate=<OPP CALLSIGN> exchange-mode=aggressive
/ip ipsec policy add dst-address=<FIRST REMOTE ADDRESS>/31  src-address=<FIRST LOCAL ADDRESS>/31 ipsec-protocols=ah proposal=vpn-ah sa-dst-address=<OPP ADDRESS> sa-src-address=0.0.0.0 tunnel=yes

Configure Firewall

Configure Address Lists

/ip firewall address-list add address=<YOUR 44NET> list=NONAT-src
/ip firewall address-list add address=<FIRST REMOTE ADDRESS>/31 list=NONAT-dst
/ip firewall address-list add address=<OPP ADDRESS> list=NONAT-dst
/ip firewall address-list add address=<FIRST LOCAL ADDRESS>/31 list=My44Net
/ip firewall address-list add address=<YOUR 44NET> list=My44Net
/ip firewall address-list add address=10.0.0.0/8 list=RFC1918
/ip firewall address-list add address=172.16.0.0/12 list=RFC1918
/ip firewall address-list add address=192.168.0.0/16 list=RFC1918

Configure Mangle Rules

/ip firewall mangle add action=change-mss chain=output new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
/ip firewall mangle add action=change-mss chain=forward new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=HamWAN-OPP src-address-list=My44Net
/ip firewall mangle add action=mark-routing chain=output new-routing-mark=HamWAN-OPP src-address-list=My44Net

The following configuration will create a brief disconnection of your Network Address Translated (NATed) Internet connectivity. Make sure you are doing this from a location that allows you continued access to the router, such as your LAN. The instructions also assume you have a masquerade rule defined already on your ISP INTERFACE, which is typical.

Configure NAT Rules

/ip firewall nat add action=accept chain=srcnat dst-address-list=NONAT-dst place-before=0
/ip firewall nat add action=accept chain=srcnat routing-table=!ISP src-address-list=NONAT-src place-before=0
/ip firewall nat remove [find action=masquerade] # This will stop NAT service and potentially disconnect you!
/ip firewall nat add action=masquerade chain=srcnat out-interface=<ISP INTERFACE>
/ip firewall nat add action=masquerade chain=srcnat out-interface=HamWAN-PSDR

Configure Border Gateway Protocol (BGP)

Your OPP provider will give you an Autonomous System Number (ASN) to use for this configuration. This is referred to as OPP ASN below. In the case of HamWAN-PSDR this number is 65530.

Configure BGP

/routing filter add action=accept chain=HamWAN-OPP prefix=0.0.0.0/0 set-routing-mark=HamWAN-OPP
/routing bgp instance add name=HamWAN-PSDR as=<OPP ASN>  client-to-client-reflection=no router-id=<FIRST LOCAL ADDRESS>
/routing bgp network add network=<YOUR 44NET> synchronize=no
/routing bgp peer add name=HamWAN-PSDR in-filter=HamWAN-OPP remote-address=<FIRST REMOTE ADDRESS> remote-as=<OPP ASN> instance=HamWAN-PSDR keepalive-time=10s update-source=<FIRST LOCAL ADDRESS>

The above instructions assume you just want to announce your entire 44net allocation whenever you connect. This is the simplest scenario, although it's entirely valid to skip the "network add" command and instead use redistribute-* commands. Such advanced scenarios are not documented here.

Configure Policy Routing

Configure Policy Routing

/ip route rule add action=lookup dst-address=<OPP ADDRESS>/32 table=ISP
/ip route rule add action=lookup table=main
/ip route rule add action=lookup routing-mark=HamWAN-OPP table=HamWAN-OPP
/ip route rule add action=lookup table=ISP

If you're an expert in this stuff, you may have noticed there is no ISP routing table yet. The ISP routing table is used to hold the default gateway your ISP provides you. The following command assumes this is obtained via DHCP from your ISP:

Configure Dynamic ISP Routing Table

/routing filter add action=accept chain=dynamic-in prefix=0.0.0.0/0 set-routing-mark=ISP

If your ISP configuration is instead a static one (where you manually enter a default gateway address), use this command instead:

Configure Static ISP Routing Table

/ip route set [find dst-address=0.0.0.0/0 routing-mark=main] routing-mark=ISP

Configure 44net LAN

In order to make use of your 44net space you'll want to provide some services on it, or just stick some computers on it. The simplest way of doing this is to attach them to a dedicated 44net interface on your router: Configure 44net Interface

/ip address add interface=<44NET INTERFACE> address=<YOUR 44NET + 1>/<YOUR 44NET MASK>

For example, if YOUR 44NET is 44.24.131.0/24, then YOUR 44NET + 1 would be 44.24.24.131.1 and YOUR 44NET MASK would be 24. After that, attach some computers to this interface, give them unique IPs from YOUR 44NET, and set their default gateway to be YOUR 44NET + 1.

Configure 44net LAN Security

By default the whole Internet can talk to everything attached to your 44net LAN. This is rarely desired. In most cases, you'll want to expose some services for others to reach, and block out all other inbound communication. The below is a simple way of implementing this for a sample SSH service (TCP port 22) running on IP address YOUR 44NET + 2. Configure 44net Service Firewall

/ip firewall filter add chain=44net action=accept comment="SSH" dst-address=<YOUR 44NET + 2> protocol=tcp port=22
/ip firewall filter add chain=44net action=drop comment="Default deny for all other 44net inbound communications"
/ip firewall filter add chain=forward action=jump dst-address=<YOUR 44NET>/<YOUR 44NET MASK> jump-target=44net comment="Process 44net service rules"

To add a new service, simply add another entry to the 44net chain, making sure to use place-before in such a way that the new entry is before the action=drop rule.

Optionally Configure Dynamic IP Support

If your ISP has you on a dynamic (changing) IP, you can keep OPP aware of your current IP by using a Dynamic DNS service. The easiest one to setup is http://www.DuckDNS.org/. Some people also use Hurricane Electric's Dynamic DNS service. The script below supports both providers. Simply define the variables documented at the top of this script (must be done first), and then paste the following into your router:

/system scheduler remove dyn-dns
/system script remove dyn-dns
/system script add name=dyn-dns policy=read,write,test,policy source={
  # Update DynDNS IP Address
  #
  # Requires the following global variables:
  #
  # DynDNSMethod:       The method used to update the IP.
  #                     Depends on your provider.
  #                     The supported values are:
  #                     duck: DuckDNS
  #                     he: Hurricane Electric DynDNS
  # DynDNSInterface:    The name of the interface whose IP will be registered
  # DynDNSRegisteredIP: The last IP successfully registered with DynDNS
  # DynDNSHost:         The hostname record to update with the new IP
  # DynDNSPassword:     The API password/token/key to send when updating the IP
  # DynDNSServer:       The server to communicate with to update the IP
  #                     duck: www.duckdns.org
  #                     he: dyn.dns.he.net
  #
  # You can set these with the following command:
  # :global <variable> "<value>"
  #
  # For example:
  # :global DynDNSMethod "duck"
  # :global DynDNSInterface "ether1"
  # :global DynDNSRegisteredIP "0.0.0.0"
  # :global DynDNSHost "my-awesome-hostname"
  # :global DynDNSPassword "a5f30519-4df1-4541-a114-58c56c045079"
  # :global DynDNSServer "www.duckdns.org"
  #
  # To check the state of the current global variables:
  # /system script environment print

  :global DynDNSMethod;
  :global DynDNSInterface;
  :global DynDNSRegisteredIP;
  :global DynDNSHost;
  :global DynDNSPassword;
  :global DynDNSServer;

  :if ($DynDNSMethod != "duck" && $DynDNSMethod != "he") do={
    :log error "DynDNS: Invalid DynDNSMethod '$DynDNSMethod' specified.";
    :error "";
  };

  :local MyIP [tostr [/ip address get [find interface=$DynDNSInterface] address]];
  :local MyIP [pick $MyIP 0 [find $MyIP "/"]];

  :if ([len $MyIP] = 0) do={
    :log error "DynDNS: Interface '$DynDNSInterface' has no IP address.";
    :error "";
  };

  :if ($MyIP = $DynDNSRegisteredIP) do={
    :error "";
  };
 
  :do {
    :if ($DynDNSMethod = "duck") do={
      /tool fetch url="https://$DynDNSServer/update\?domains=$DynDNSHost&token=$DynDNSPassword&ip=$MyIP" dst-path=DynDNS.tmp;
      :local OK [/file get DynDNS.tmp contents];
      /file remove DynDNS.tmp;
      if ($OK != "OK") do={
        :error "";
      };
    };

    :if ($DynDNSMethod = "he") do={
      /tool fetch url="https://$DynDNSServer/nic/update\?hostname=$DynDNSHost&password=$DynDNSPassword&myip=$MyIP" keep-result=no;
    };

    :global DynDNSRegisteredIP $MyIP;
    :log info "DynDNS: Updated '$DynDNSHost' IP to $MyIP.";
  } on-error={
    :log error "DynDNS: Failed to update '$DynDNSHost' record on the '$DynDNSServer' server.";
  };
}
/system scheduler add name=dyn-dns on-event=dyn-dns start-time=startup interval=1m

To clarify, DynDNSInterface is supposed to be the name of the interface which receives the dynamic IP from your ISP.

Testing and Troubleshooting

First, make sure your IPIP interface is in the Running state. This is denoted with a little bold R in front of it:

Check IPIP Interface is Running

/interface ipip print interval=1

If the interface is not running, this is probably because the local-address is not bound to the router (check the step where SECOND LOCAL ADDRESS was used in /ip address add), or the remote-address is not routable (check to make sure you have a default route installed). You can do a further remote-address routability check by using: /ip route check .

Another reason for an IPIP interface not coming up is if it was configured with the keepalive= option set. Please be sure to disable the keepalive feature on the interface by typing: /interface ipip set [find name=HamWAN-PSDR] !keepalive. In and around RouterOS v6.27 we are seeing a bug with keepalive not being set properly. To really make sure keepalive is not being set, do a "print detail" in /interface ipip, and check to make sure keepalive is missing from the output. Also, do an /interface ipip export and make sure !keepalive is visible. Finally, do an /interface ipip export verbose, and similarly check !keepalive is visible. If any of these 3 command outputs are reporting conflicting values for keepalive, RouterOS has hit a bug and the IPIP interface must be removed and re-created. When you re-create the interface, you'll also need to update any configs that reference it (eg: /ip firewall nat, /ip address).

If the IPIP interface has an R flag that blinks about once per second and/or the /ip route check command above changes its output about once per second, please reach out to your OPP provider for support.

Second, make sure you can ping your OPP provider over IPsec(AH):

Ping OPP Provider Over IPsec(AH)

/ping src-address=<FIRST LOCAL ADDRESS> <FIRST REMOTE ADDRESS>

It's perfectly normal if the first ping fails, but subsequent pings should succeed. If you are getting constant ping failures, check to make sure IPsec has established a Security Association (SA): Check for IPsec Security Associations (SAs)

/ip ipsec installed-sa print

They should be in state=mature, and there should be 2 or 4 of them. When there are 4, it is OK if 2 of them are in state=dying. This is a normal part of IPsec refreshing its SAs before they expire. If you do not see any associations, or they are in state=larval, please reach out to your OPP provider for support.

Third, make sure BGP is connected:

Check BGP Connectivity

/routing bgp peer print status

The last attribute printed should say state=established. If it says state=active or state=idle or anything else, the BGP connection is having problems. You can do a basic TCP connectivity check to your OPP BGP service with: /system telnet port=179 . You should see telnet say that it has connected, and you should also see some strange characters show up, followed by telnet waiting for your input. Press Ctrl-] and type q to disconnect. If you do not see the connection being established, there is a routing problem. If the connection is closed right after it's established, the routing is working but there's a BGP configuration problem. In either case, report the results to your OPP provider and ask them for help.

Fourth, check if YOUR 44NET can talk to the Internet:

Check Your 44Net Outbound Internet Connectivity

/ping src-address=<YOUR 44NET + 1> 8.8.8.8

You should see pings coming back. Next check to make sure it's being routed correctly:

Check Your 44Net Outbound Routing

/tool traceroute src-address=<YOUR 44NET + 1> 8.8.8.8

A proper traceroute will show a first hop of , and then proceed through the Internet to the destination. If something isn't working here, but the previous tests have passed, reach out to your OPP provider for support. They may have a problem on their end.

Fifth, check if the Internet can reach you by using one of the various public traceroute servers. For example: http://www.monitis.com/traceroute/. Give this tool address.

If you are having routing problems, you can in general look at two things:

Check Your BGP Routes

/ip route print where bgp

This will show you what routes your router has learned from your OPP providers and installed into its routing table. Conversely, you can also check what routes you're sending to your OPP provider and make sure YOUR 44NET is in the list:

Check Your 44Net Advertisements

/routing bgp advertisements print

If you don't see YOUR 44NET in the list, check /routing bgp networks, and make sure it's in there.

Setup on Linux Edge Router

Please help write this section.

Setup on Cisco IOS Edge Router

Please help write this section.

Performance

Your performance will be limited by your router's ability to do IPsec(AH) cryptographic calculations. Check your router's CPU usage to see if it's having problems under heavy network load. You can improve performance by upgrading your router (eg: CCR1009, RB1100AHx2), or migrating the router function to a server or a virtual machine hosted on a server. MikroTik provides x86 versions of its RouterOS, and they are compatible with VMware. Make sure to use the E1000 network adapter for best performance and an emulated IDE hard drive for compatibility. You will need an L4 or better license.

Provider Implementation

The following is a suboptimal implementation using RouterOS. It's only suboptimal because it doesn't allow OPP users to connect from arbitrary IPs. A better implementation would support that, but it's out of reach for now.

New User Activation

Our private certificate authority is in /root/CA on seattle-srv1.hamwan.net. If the client has not provided a Logbook of the World certificate, we'll create a self-signed one for them. If you have a certificate (.pem file), skip this step and move on to the scp step.

root@Seattle-SRV1:~/CA $ ./sign.sh K7LL "/C=US/ST=Washington/L=Pullman/O=Puget Sound Data Ring/CN=K7LL"
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9700663244630097771 (0x869fadd31ddd7f6b)
        Validity
            Not Before: Nov 19 02:00:52 2016 GMT
            Not After : Nov 17 02:00:52 2026 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Washington
            organizationName          = Puget Sound Data Ring
            commonName                = K7LL
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2D:7E:8D:B7:F0:F3:FF:09:CE:24:F9:93:3B:7F:8A:AB:FD:A9:7F:E3
            X509v3 Authority Key Identifier:
                keyid:6B:BA:17:67:10:62:85:A8:C3:F7:7C:02:8D:8C:59:E8:49:DE:FC:34

Certificate is to be certified until Nov 17 02:00:52 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@Seattle-SRV1:~/CA $ ls -l K7LL*
-rw-r--r-- 1 eo eo 1017 Nov 18 17:54 K7LL.csr
-rw-rw---- 1 eo eo 3803 Nov 18 18:00 K7LL.pem

Copy the certificate to the edge router and start the registration process. If you don't forward your credentials to SRV1, you'll need to 'sudo root -' first.

eo@Seattle-SRV1:~/CA $ scp K7LL.pem Seattle-ER1.hamwan.net:
K7LL.pem                                                                                                       100% 3803     3.7KB/s   3.7KB/s   00:00

Allocate an OPP address pair from 44.25.4.0/22. assignopppair will take a -n (or --dry-run) argument to show the next available pair but not actually assign it. The -f option will force a assgnment of a new OPP pair for a previously existing host. This process assigns the next available subnet, and the assigns the first and second addresses to the host OPP- (OPP-K7LL in this case). Do not do this as root. Assign the OPP addresses using your individual account.

eo@Seattle-SRV1:~$ cd /srv/www/hamwan-portal
eo@Seattle-SRV1:/srv/www/hamwan-portal$ source env/bin/activate
(env)eo@Seattle-SRV1:/srv/www/hamwan-portal$ ./manage.py assignopppair K7LL
44.25.4.16 44.25.4.17
(env)eo@Seattle-SRV1:/srv/www/hamwan-portal$

In this case we allocated 44.25.4.16/31 in the admin portal. The "first" address will be 44.25.4.16 and the "second" address will be 44.25.4.17.

We will be using a remote-asn of 65530 in both the examples below. This is the normal case for our clients. Check the certificate after importing to see what the COMMON-NAME is and adjust the command below as needed. Logbook-of-the-World certificates may have the users full name rather than call.

This example is for a non-NATed client address.

eo@jo ~ $ ssh seattle-er1 -p 222
[eo@ER1.Seattle] > /certificate import file-name=K7LL.pem
passphrase:
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

# Check the common name before running this command
[eo@ER1.Seattle] > /certificate set [find common-name=K7LL] name=K7LL
[eo@ER1.Seattle] > /interface ipip add clamp-tcp-mss=no dscp=0 !keepalive local-address=44.25.4.1 mtu=1456 name=OPP-K7LL remote-address=44.25.4.17
[eo@ER1.Seattle] > /ip address add interface=OPP-K7LL address=44.25.4.0/32 network=44.25.4.16
[eo@ER1.Seattle] > /ip ipsec policy group add name=OPP-K7LL
# NOTE: See Dynamic DNS Support, below
[eo@ER1.Seattle] > /ip ipsec peer add address=76.178.151.83/32 auth-method=rsa-signature certificate=K7WAN-2020 comment=K7LL enc-algorithm=aes-128 exchange-mode=aggressive generate-policy=port-override nat-traversal=no passive=yes policy-template-group=OPP-K7LL remote-certificate=K7LL send-initial-contact=no
[eo@ER1.Seattle] > /ip ipsec policy add dst-address=44.25.4.0/31 group=OPP-K7LL proposal=vpn-ah src-address=44.25.4.16/31 template=yes
[eo@ER1.Seattle] > /routing filter add action=accept chain=OPP-K7LL prefix=44.12.48.0/24 prefix-length=24-32
[eo@ER1.Seattle] > /routing filter add action=reject chain=OPP-K7LL
[eo@ER1.Seattle] > /routing filter add action=accept chain=OPP comment=OPP-K7LL prefix=44.12.48.0/24 place-before=0
[eo@ER1.Seattle] > /routing bgp aggregate add comment=OPP-K7LL include-igp=yes inherit-attributes=no instance=default prefix=44.12.48.0/24
[eo@ER1.Seattle] > /routing bgp peer add default-originate=if-installed in-filter=OPP-K7LL instance=OPP keepalive-time=10s name=OPP-K7LL out-filter=OPP-OUT passive=yes remote-address=44.25.4.16 remote-as=65530 route-reflect=yes update-source=44.25.4.0

This example is for a NATed client.

eo@jo ~ $ ssh seattle-er1 -p 222
[eo@ER1.Seattle] > /certificate import file-name=KG5IRU.pem
passphrase:
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

# Check the common name before running this command
[eo@ER1.Seattle] > /certificate set [find common-name=KG5IRU] name=KG5IRU
[eo@ER1.Seattle] > /interface ipip add clamp-tcp-mss=no dscp=0 !keepalive local-address=44.25.4.1 mtu=1456 name=OPP-KG5IRU remote-address=44.25.4.33
[eo@ER1.Seattle] > /ip address add interface=OPP-KG5IRU address=44.25.4.0/32 network=44.25.4.32
[eo@ER1.Seattle] > /ip ipsec policy group add name=OPP-KG5IRU 
# NOTE: See Dynamic DNS Support, below
[eo@ER1.Seattle] > /ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature certificate=K7WAN-2020 comment=KG5IRU enc-algorithm=aes-128 exchange-mode=aggressive generate-policy=port-override nat-traversal=yes passive=yes policy-template-group=OPP-KG5IRU remote-certificate=KG5IRU send-initial-contact=no
[eo@ER1.Seattle] > /ip ipsec policy add dst-address=44.25.4.0/31 group=OPP-KG5IRU proposal=vpn-esp src-address=44.25.4.32/31 template=yes
[eo@ER1.Seattle] > /routing filter add action=accept chain=OPP-KG5IRU prefix=44.31.137.0/24 prefix-length=24-32
[eo@ER1.Seattle] > /routing filter add action=reject chain=OPP-KG5IRU
[eo@ER1.Seattle] > /routing filter add action=accept chain=OPP comment=OPP-KG5IRU prefix=44.31.137.0/24 place-before=0
[eo@ER1.Seattle] > /routing bgp aggregate add comment=OPP-KG5IRU include-igp=yes inherit-attributes=no instance=default prefix=44.31.137.0/24
[eo@ER1.Seattle] > /routing bgp peer add default-originate=if-installed in-filter=OPP-KG5IRU instance=OPP keepalive-time=10s name=OPP-KG5IRU out-filter=OPP-OUT passive=yes remote-address=44.25.4.32 remote-as=65530 route-reflect=yes update-source=44.25.4.0

Be sure to email upstream providers about allowing the new network to be announced, if needed. Networks matching 44.0.0.0/9^16-24 are already permitted by HamWAN's current upstream providers and do not need explicit notification.

Update User's IP

Did the user's public IP change? Run the following:

[eo@ER1.Seattle] > /ip ipsec peer set [find remote-certificate=<USER CALLSIGN>] address=<NEW PUBLIC IP>/32

Dynamic DNS Support

As a quick hack on the OPP server side, we now support users updating a Dynamic DNS service to automatically change their OPP IPs. Use the following script on the OPP router:

/system script add name=opp-dyn-dns policy=read,write,test source={
:local users [/ip ipsec peer find comment~",DYNDNS:"];
:foreach user in=$users do={
  :local comment [/ip ipsec peer get $user comment];
  :local comma [find $comment "," -1];
  :local callsign [pick $comment 0 ($comma)];
  :local colon [find $comment ":" -1];
  :local dyndns [pick $comment ($colon+1) [len $comment]];
  :do {
    :local ip [resolve $dyndns];
    :if ([/ip ipsec peer get [find remote-certificate="$callsign"] address] != "$ip/32") do={
      :log info "DynDNS: Updating $callsign /ip ipsec peer address to $ip";
      /ip ipsec peer set [find remote-certificate=$callsign] address="$ip/32";
    }
  } on-error={ :log error "DynDNS: Failed to resolve $dyndns for $callsign" };
};
}
/system scheduler add name=opp-dyn-dns on-event=opp-dyn-dns interval=1m start-time=startup
In order to use this feature, you must create new OPP /ip ipsec peer entries with comment="CALLSIGN,DYNDNS:HOSTNAME". For example: comment="KI7KOC,DYNDNS:44peer.desu.ne.jp".

Attachments

Filename Size Modified
K7WAN-2020.pem 2.4KiB 2020-12-08 22:42:52
Open Source Software for Routing.pdf 1.7MiB 2016-08-06 00:16:18