Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.
The topology looks like this:
The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.
1. Firewal rules
By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)
On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.
On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN (192.168.88.0/24 in this example) destination REMOTE_LAN (192.168.0.0/24 in this example).
On Console the configuration looks like this:
! ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0 ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0 ip firewall filter add chain=input proto=udp port=500 action accept place-before=0 ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0 ! ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept place-before=0
2. The IPsec Proposal
IP > IPsec > Proposals
Name: MyProposal Auth. Algorithm: sha1 Encr. Algorithm: aes-256 cbc PFS Group: none
ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none
3. The IPsec Policy
IP > IPsec > Policies
SRC ADDR: 192.168.88.0/24 DST ADDR: 192.168.0.0/24 Protocol: all Action: Encrypt Level: require IPsec protocols: esp Tunnel: check SA SRC: 10.0.0.2 SA DST: 192.168.23.3 Proposal: MyProposal
ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.0.2 sa-dst-address=192.168.23.3 proposal=MyProposal
4. The IPsec Peer
IP > IPsec > Peers
Address: 192.168.23.3 Port: 500 Auth. Method: pre shared key Passive: not checked Secret: MYKEY Policy Template Group: default Exchange mode: main Send Initial Contact: checked NAT Traversal: checked My ID: Auto - empty Proposal Check: obey Hash Algorithm: sha1 Encryptions Algorithm: aes-256 DH Group: modp1024 Generate policy: no
ip ipsec peer add address=192.168.23.3 port=500 auth-method=pre-shared-key secret=MY_KEY exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 generate-policy=no
1. Crypto ISAKMP Policy
crypto isakmp policy 1 encr aes 256 authentication pre-share group 2
You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.
2. Crypto ISAKMP neighbor
crypto isakmp key MYKEY address 10.0.0.2 no-xauth
3. Crypto IPsec transformation set
crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac mode tunnel
4. Crypto map
crypto map MYCRYPTOMAP 10 ipsec-isakmp description Mikrotik VPN set peer 10.0.0.2 set transform-set MYTRANSFORMSET match address ACLTRAFF
5. Access-list for interesting traffic
ip access-list extended ACLTRAFF permit ip 192.168.0.0 0.0.0.255 192.168.88.0 0.0.0.255
6. Interface config
int fa1/0 description Internet facing interface crypto map MYCRYPTOMAP
The settings (like encryption algorithm) can be tuned to fit your requirements.
If you have any questions or something is unclear please let me know in Comments.