IPsec VPN Mikrotik to Cisco

Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.

Mikrotik Configuration

1. Firewal rules

By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)

On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.

On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN (192.168.88.0/24 in this example) destination REMOTE_LAN (192.168.0.0/24 in this example).

On Console the configuration looks like this:

CLI

Shell

1 2 3 4 5 6 7

! ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0 ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0 ip firewall filter add chain=input proto=udp port=500 action accept place-before=0 ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0 ! ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept place-before=0

2. The IPsec Proposal

GUI

IP > IPsec > Proposals

Shell

1 2 3 4

Name: MyProposal Auth. Algorithm: sha1 Encr. Algorithm: aes-256 cbc PFS Group: none

CLI

Shell

1	ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none

3. The IPsec Policy

GUI

IP > IPsec > Policies

Shell

1 2 3 4 5 6 7 8 9 10

SRC ADDR: 192.168.88.0/24 DST ADDR: 192.168.0.0/24 Protocol: all Action: Encrypt Level: require IPsec protocols: esp Tunnel: check SA SRC: 10.0.0.2 SA DST: 192.168.23.3 Proposal: MyProposal

CLI

Shell

1	ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.0.2 sa-dst-address=192.168.23.3 proposal=MyProposal

4. The IPsec Peer

GUI

IP > IPsec > Peers

Shell

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Address: 192.168.23.3 Port: 500 Auth. Method: pre shared key Passive: not checked Secret: MYKEY Policy Template Group: default Exchange mode: main Send Initial Contact: checked NAT Traversal: checked My ID: Auto - empty Proposal Check: obey Hash Algorithm: sha1 Encryptions Algorithm: aes-256 DH Group: modp1024 Generate policy: no

CLI

Shell

1	ip ipsec peer add address=192.168.23.3 port=500 auth-method=pre-shared-key secret=MY_KEY exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 generate-policy=no

Cisco configuration

1. Crypto ISAKMP Policy

Shell

1 2 3 4

crypto isakmp policy 1 encr aes 256 authentication pre-share group 2

You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.

2. Crypto ISAKMP neighbor

Shell

1	crypto isakmp key MYKEY address 10.0.0.2 no-xauth

3. Crypto IPsec transformation set

Shell

1 2	crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac mode tunnel

4. Crypto map

Shell

1 2 3 4 5

crypto map MYCRYPTOMAP 10 ipsec-isakmp description Mikrotik VPN set peer 10.0.0.2 set transform-set MYTRANSFORMSET match address ACLTRAFF

5. Access-list for interesting traffic

Shell

1 2	ip access-list extended ACLTRAFF permit ip 192.168.0.0 0.0.0.255 192.168.88.0 0.0.0.255

6. Interface config

Shell

1 2 3

int fa1/0 description Internet facing interface crypto map MYCRYPTOMAP

The settings (like encryption algorithm) can be tuned to fit your requirements.