Ebix Sunrise VPN

The Sunrise™ Exchange platform allows insurance intermediaries and underwriters to transact together securely, in real time, across a vast range of insurance products and services. Sunrise Exchange has been designed to streamline all of the transactions across the underwriters you work with.

Although the official documentation (http://ebix.com.au/files/pdf/VPN-Information-Sheet.pdf) implies that only Cisco equipment is suitable for establishing a hardware-based VPN to the Sunrise service, Mikrotik RouterOS can provide a high-quality, stable and secure link at a fraction of the price.

This article assumes that your Mikrotik RouterOS system is already deployed at the network boundary and acts as the primary internet gateway.  If you do not already have a Mikrotik RouterOS device deployed, we recommend the following products:


Before you start:

First of all, if you have not already done so, you will need to obtain a static IP address from your ISP.  Most business-grade services these days come with a static IP address; you will need to quote that static address to Ebix Sunrise Support before they can assign your custom configuration details.  Record this IP address and substitute it for the <STATIC-IP> fields in the configuration steps below.

Next, you need to know the IP network of the LAN.  You will need to enter this information in the form:

<network>/<mask bits>

For example:

192.168.1.0/24 (for addresses 192.168.1.1 to 192.168.1.254)

Substitute this information for the <LAN-NETWORK> fields in the steps below.

Lastly, you need to obtain the custom connection details from Ebix support.  This information will be provided as a PDF or Word document containing the following details:

VPN IP Address: This is the IP address of the Ebix VPN server, referred to as <VPN-ADDRESS> below.

Shared Secret Login: This is the encryption key for the secure VPN link, referred to as <SECRET> below.

Private IP Address: This is the IP address assigned for your LAN NAT, referred to as <PRIVATE-IP> below.

Once you have the document from Ebix, substitute these values where noted in the configuration guides below.

Configuration method:

The following steps describe how to complete the configuration using the Winbox GUI configuration tool.  Most system admins will consider this method preferable; however, a guide to using the RouterOS shell is provided further below as a potentially quicker method.

Step 1:  Create a custom IPsec Proposal

Click on "IP" in the WinBox main menu, then choose IPsec from the options.

Click on the "Proposals" tab, then click the "add" (red '+' symbol) icon, and complete the following details:

  • Name: ebix
  • Auth Algorithms: md5 enabled (all others DISabled)
  • Encr. Algorithms: 3des enabled (all others DISabled)
  • Lifetime: 08:00:00 (8 hours)
  • PFS Group: none

Click "OK".

Step 2:  Create the IPsec Peer

On the IPsec configuration window, select the "Peers" tab, and click "add".  Enter the following detail:

  • Address: <VPN-ADDRESS> (as nominated by Ebix)
  • Port: 500
  • Auth. Method: Pre Shared key
  • Secret: <SECRET> (as nominated by Ebix)
  • Exchange Mode: main
  • Send Initial Contact: ENabled
  • NAT Traversal: DISabled
  • Proposal Check: strict
  • Hash Algorithm: md5
  • Encryption Algorithm: 3des
  • DH Group: modp1024
  • Generate Policy: DISabled
  • Lifetime: 08:00:00 (8 hours)
  • Lifebytes: 10000000 (10K)
  • DPD Interval: 0 (disable DPD)
  • DPD Maximum Failures: 1 (not used)

Click "OK"

Step 3: Create the IPsec routing policy

On the IPsec configuration window, select the "Policies" tab, and click "add".  On the "General" tab, enter the following detail:

  • Src. Address: <PRIVATE-IP> (as nominated by Ebix)
  • Src. Port: blank (leave 'grey' field)
  • Dst. Address: 172.27.1.0/24
  • Dst. Port: not defined (leave 'grey' field)
  • Protocol: 255 (all)

On the "Action" tab, enter the following detail:

  • Action: encrypt
  • Level: unique
  • IPsec Protocols: esp
  • Tunnel: ENabled
  • SA Src Address: <STATIC-IP> (from your ISP)
  • SA Dst Address: <VPN-ADDRESS> (as nominated by Ebix)
  • Proposal: ebix
  • Priority: 1

Click "OK", then click "add" again.  On the General tab, enter:

  • Src. Address: <PRIVATE-IP> (as nominated by Ebix)
  • Src. Port: blank (leave 'grey' field)
  • Dst. Address: 10.125.0.0/16
  • Dst. Port: not defined (leave 'grey' field)
  • Protocol: 255 (all)

On the "Action" tab, enter the following detail:

  • Action: encrypt
  • Level: unique
  • IPsec Protocols: esp
  • Tunnel: ENabled
  • SA Src Address: <STATIC-IP> (from your ISP)
  • SA Dst Address: <VPN-ADDRESS> (as nominated by Ebix)
  • Proposal: ebix
  • Priority: 1

Click "OK".

Step 4: Add IP Firewall NAT for the VPN

Choose "IP" in the Winbox Main Menu, and select "Firewall" from the options.

Select the NAT tab, and click the "add" (red '+' symbol) icon.  On the "General" tab, enter:

  • Chain: srcnat
  • Src. Address: <LAN-NETWORK> (in the form a.b.c.d/nn)
  • Dst. Address: 172.27.1.0/24
  • Leave all other fields on this tab not defined (i.e. grey field)

Select the Action tab, and complete as follows:

  • Action: src-nat
  • To-Addresses: <PRIVATE-IP> (as nominated by Ebix)
  • To-Ports: not defined (leave grey field)

Click "Comment" and enter "masquerade lan addresses to Sunrise VPN"

Click OK, and then click "add" again.  On the general tab, enter:

  • Chain: srcnat
  • Src. Address: <LAN-NETWORK> (in the form a.b.c.d/nn)
  • Dst. Address: 10.125.0.0/16
  • Leave all other fields on this tab not defined (i.e. grey field)

Select the Action tab, and complete as follows:

  • Action: src-nat
  • To-Addresses: <PRIVATE-IP> (as nominated by Ebix)
  • To-Ports: not defined (leave grey field)

Click "Comment" and enter "masquerade lan addresses to Sunrise VPN"

Click OK.

Step 5: Test with Ping

You are now ready to test the application by accessing one of the URLs listed in the Ebix documentation.  You can also test the service from the RouterOS device by using the Ping tool and specifying the source IP address:

In the WinBox application main menu, click "Tools" and then click "Ping".

On the "General" tab, enter:

Ping To: 172.27.1.91

Then select the "Advanced" tab, and enter:

Src. Address: <PRIVATE-IP> (as nominated by Ebix)

Now click "Ping" and observe the result.  You should expect to see round-trip times within a reasonable interval (e.g. < 200ms) and no 'request timed out' responses.

You can also open the "IP -> IPsec" menu and observe the related entries recorded under the "Installed SAs" tab.


Configuration Method using RouterOS Shell:

Step 1: Download the configuration file

The configuration template file is available here.  (Right click the link and choose 'save-link-as')

Step 2: Substitute address variables

Refer to the section "Before you start" above, then open the downloaded configuration file in a text editor and substitute the relevant variables in the configuration template.

Step 3: Log on to the router shell

Either connect to the router using ssh or telnet, or click "New Terminal" in the Winbox tool.

Step 4: Run the configuration script

After substituting all the required variables, select all text in the configuration file and copy it.  Now paste all of the text into the RouterOS shell.

Step 5: Test with Ping

Follow the same test procedure as the ping tests above.
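As an added example (not the template file referred to above, and not Ebix's or Mikrotik's own material), the following RouterOS v6 shell commands reproduce every Winbox step of this guide, using the same <STATIC-IP>, <LAN-NETWORK>, <VPN-ADDRESS>, <SECRET> and <PRIVATE-IP> placeholders; it assumes the pre-6.43 peer syntax that matches the Winbox fields shown above, and finishes with the same ping test plus two print commands for checking the SAs.

```routeros
# Added example: RouterOS v6 (pre-6.43 peer syntax) equivalent of the Winbox steps.
# Replace the <...> placeholders before pasting; values are as issued by Ebix/your ISP.

# Step 1: IPsec proposal. md5/3des/modp1024 are legacy algorithms; they are
# used here only because the remote (Ebix) side dictates them.
/ip ipsec proposal add name=ebix auth-algorithms=md5 enc-algorithms=3des \
    lifetime=8h pfs-group=none

# Step 2: IPsec peer (main mode, pre-shared key, NAT-T off, DPD disabled)
/ip ipsec peer add address=<VPN-ADDRESS>/32 port=500 \
    auth-method=pre-shared-key secret="<SECRET>" exchange-mode=main \
    send-initial-contact=yes nat-traversal=no proposal-check=strict \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 \
    generate-policy=no lifetime=8h lifebytes=10000000 \
    dpd-interval=disable-dpd dpd-maximum-failures=1

# Step 3: one tunnel-mode policy per Ebix destination network; the source is
# the Ebix-assigned private IP, which is what the NAT below rewrites LAN hosts to
/ip ipsec policy add src-address=<PRIVATE-IP>/32 dst-address=172.27.1.0/24 \
    protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes \
    sa-src-address=<STATIC-IP> sa-dst-address=<VPN-ADDRESS> proposal=ebix priority=1
/ip ipsec policy add src-address=<PRIVATE-IP>/32 dst-address=10.125.0.0/16 \
    protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes \
    sa-src-address=<STATIC-IP> sa-dst-address=<VPN-ADDRESS> proposal=ebix priority=1

# Step 4: source NAT scoped to the two Ebix networks only, so no other traffic
# is rewritten. NAT rules match top-down, so keep these above any general
# masquerade rule (move them up in Winbox if one already exists).
/ip firewall nat add chain=srcnat src-address=<LAN-NETWORK> dst-address=172.27.1.0/24 \
    action=src-nat to-addresses=<PRIVATE-IP> \
    comment="masquerade lan addresses to Sunrise VPN"
/ip firewall nat add chain=srcnat src-address=<LAN-NETWORK> dst-address=10.125.0.0/16 \
    action=src-nat to-addresses=<PRIVATE-IP> \
    comment="masquerade lan addresses to Sunrise VPN"

# Step 5: test. The ping must be sourced from <PRIVATE-IP>, otherwise it does
# not match the policy and is sent unencrypted via the default route.
/ping 172.27.1.91 src-address=<PRIVATE-IP> count=5
# An established phase 1 shows under remote-peers; a phase 2 SA pair under
# installed-sa (one SA per direction for each policy that has carried traffic).
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

If remote-peers shows the peer but installed-sa stays empty after the ping, the usual cause is a proposal or policy mismatch with the Ebix side, which the IPsec log topic (/system logging add topics=ipsec) will report.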


Need help with your Mikrotik configuration projects? As an authorised Mikrotik consultant, we are available to assist on a short-term or contract basis. Contact us for more info.