IPsec VPN Mikrotik to Cisco

Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

IPsec VPN Mikrotik Cisco

The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.

Mikrotik Configuration

1. Firewal rules

By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)

On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.

On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN (192.168.88.0/24 in this example) destination REMOTE_LAN (192.168.0.0/24 in this example).

On Console the configuration looks like this:

CLI

!
ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0
ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0
ip firewall filter add chain=input proto=udp port=500 action accept place-before=0
ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0
!
ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept place-before=0

2. The IPsec Proposal

GUI

IP > IPsec > Proposals

Name: MyProposal
Auth. Algorithm: sha1
Encr. Algorithm: aes-256 cbc
PFS Group: none

CLI

ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none

3. The IPsec Policy

GUI

IP > IPsec > Policies

SRC ADDR: 192.168.88.0/24
DST ADDR: 192.168.0.0/24
Protocol: all
Action: Encrypt
Level: require
IPsec protocols: esp
Tunnel: check
SA SRC: 10.0.0.2
SA DST: 192.168.23.3
Proposal: MyProposal

CLI

ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.0.2 sa-dst-address=192.168.23.3 proposal=MyProposal

4. The IPsec Peer

GUI

IP > IPsec > Peers

Address: 192.168.23.3
Port: 500
Auth. Method: pre shared key
Passive: not checked
Secret: MYKEY
Policy Template Group: default
Exchange mode: main
Send Initial Contact: checked
NAT Traversal: checked
My ID: Auto - empty
Proposal Check: obey
Hash Algorithm: sha1
Encryptions Algorithm: aes-256
DH Group: modp1024
Generate policy: no

CLI

ip ipsec peer add address=192.168.23.3 port=500 auth-method=pre-shared-key secret=MY_KEY exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 generate-policy=no

Cisco configuration

1. Crypto ISAKMP Policy

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2

You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.

2. Crypto ISAKMP neighbor

crypto isakmp key MYKEY address 10.0.0.2 no-xauth

3. Crypto IPsec transformation set

crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac
 mode tunnel

4. Crypto map

crypto map MYCRYPTOMAP 10 ipsec-isakmp
 description Mikrotik VPN
 set peer 10.0.0.2
 set transform-set MYTRANSFORMSET
 match address ACLTRAFF

5. Access-list for interesting traffic

ip access-list extended ACLTRAFF
 permit ip 192.168.0.0 0.0.0.255 192.168.88.0 0.0.0.255

6. Interface config

int fa1/0
 description Internet facing interface
 crypto map MYCRYPTOMAP

The settings (like encryption algorithm) can be tuned to fit your requirements.

If you have any questions or something is unclear please let me know in Comments.

Published by

Calin

Calin is a network engineer, with more than 20 years of experience in designing, installing, troubleshooting, and maintaining large enterprise WAN and LAN networks.

6 thoughts on “IPsec VPN Mikrotik to Cisco”

  1. hello I created a vpn between a cisco on site 1 and site 2 microtik on the vpn the site works 1 2 browse the site but unfortunately the site 2 does not peel the site1 anyone has had the same problem, configuration, everything seems correct, you any idea on who controls take to resolve the problem

    thanks

  2. Hello,

    I use yuor manual.. TNX…
    But I have problem witth IPSec tunel. Tunel dops connection after some time… Then helps, that I disable Peers and Polices on Mikrotik, and then enable again….
    Do you have some diea?

  3. I guess the problem here is that the local LAN on MT site does source NAT if the author used the MT default config on the MT and the peer traffic MUST be excluded from source NAT cause it has to be transported without NAT over the tunnel.
    The above IPsec Config works fine and is established but without excluding 192.168.88.0 /24 to 192.168.0.0 /24 traffic from src NAT it wont work cause this traffic is src NATed to 10.0.0.2 and hence never get to the target net on the Cisco site.

  4. hello
    My problem is:

    Crypto session current status

    Interface: FastEthernet0/0
    Session status: DOWN-NEGOTIATING
    Peer: 10.0.0.1 port 500
    IKE SA: local 10.0.0.2/500 remote 10.0.0.1/500 Inactive
    IKE SA: local 10.0.0.2/500 remote 10.0.0.1/500 Inactive
    IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.1.0/255.255.255.0
    Active SAs: 0, origin: crypto map

Any opinion on this post? Please let me know:

This site uses Akismet to reduce spam. Learn how your comment data is processed.