Jay Taylor's notes

back to listing index

IPsec VPN Mikrotik to Cisco

[web search]
Original source (www.firstdigest.com)
Tags: configuration routers vpn mikrotik ipsec www.firstdigest.com
Clipped on: 2016-01-29

Our website uses cookies. By using our website and agreeing to this policy, you consent to our use of cookies.

IPsec VPN Mikrotik to Cisco

Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

Image (Asset 1/2) alt=

The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.

Mikrotik Configuration

1. Firewal rules

By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)

On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.

On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN (192.168.88.0/24 in this example) destination REMOTE_LAN (192.168.0.0/24 in this example).

On Console the configuration looks like this:

CLI

Shell
1
2
3
4
5
6
7
!
ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0
ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0
ip firewall filter add chain=input proto=udp port=500 action accept place-before=0
ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0
!
ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept place-before=0

2. The IPsec Proposal

GUI

IP > IPsec > Proposals

Shell
1
2
3
4
Name: MyProposal
Auth. Algorithm: sha1
Encr. Algorithm: aes-256 cbc
PFS Group: none

CLI

Shell
1
ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none

3. The IPsec Policy

GUI

IP > IPsec > Policies

Shell
1
2
3
4
5
6
7
8
9
10
SRC ADDR: 192.168.88.0/24
DST ADDR: 192.168.0.0/24
Protocol: all
Action: Encrypt
Level: require
IPsec protocols: esp
Tunnel: check
SA SRC: 10.0.0.2
SA DST: 192.168.23.3
Proposal: MyProposal

CLI

Shell
1
ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.0.2 sa-dst-address=192.168.23.3 proposal=MyProposal

4. The IPsec Peer

GUI

IP > IPsec > Peers

Shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Address: 192.168.23.3
Port: 500
Auth. Method: pre shared key
Passive: not checked
Secret: MYKEY
Policy Template Group: default
Exchange mode: main
Send Initial Contact: checked
NAT Traversal: checked
My ID: Auto - empty
Proposal Check: obey
Hash Algorithm: sha1
Encryptions Algorithm: aes-256
DH Group: modp1024
Generate policy: no

CLI

Shell
1
ip ipsec peer add address=192.168.23.3 port=500 auth-method=pre-shared-key secret=MY_KEY exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 generate-policy=no

Cisco configuration

1. Crypto ISAKMP Policy

Shell
1
2
3
4
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2

You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.

2. Crypto ISAKMP neighbor

Shell
1
crypto isakmp key MYKEY address 10.0.0.2 no-xauth

3. Crypto IPsec transformation set

Shell
1
2
crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac
mode tunnel

4. Crypto map

Shell
1
2
3
4
5
crypto map MYCRYPTOMAP 10 ipsec-isakmp
description Mikrotik VPN
set peer 10.0.0.2
set transform-set MYTRANSFORMSET
match address ACLTRAFF

5. Access-list for interesting traffic

Shell
1
2
ip access-list extended ACLTRAFF
permit ip 192.168.0.0 0.0.0.255 192.168.88.0 0.0.0.255

6. Interface config

Shell
1
2
3
int fa1/0
description Internet facing interface
crypto map MYCRYPTOMAP

The settings (like encryption algorithm) can be tuned to fit your requirements.

If you have any questions or something is unclear please let me know in Comments.

Like this:

Be the first to like this.

Related

Mikrotik IPsec VPNDecember 16, 2014In "Hardware"

Mikrotik L2TP with IPsec for mobile clientsJanuary 9, 2015In "Hardware"

IPsec VPN Mikrotik to LinuxDecember 16, 2014In "Hardware"

2 thoughts on “IPsec VPN Mikrotik to Cisco

  • Pingback: Mikrotik L2TP with IPsec for mobile clients | FirstDigest

  • Image (Asset 2/2) alt=
    April 27, 2015 at 10:11
    Permalink

    hello I created a vpn between a cisco on site 1 and site 2 microtik on the vpn the site works 1 2 browse the site but unfortunately the site 2 does not peel the site1 anyone has had the same problem, configuration, everything seems correct, you any idea on who controls take to resolve the problem

    thanks

    Reply

Leave a Reply

Copyright © 2016 FirstDigest. Powered by WordPress. Theme: Spacious by ThemeGrill.