Hello ,
I am trying configure Mikrotik to establish VPN with Cisco 2901.
To Cisco, our ISP has the following configuration :
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ***** address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 7200
set transform-set strong
!
!
interface Tunnel0
ip address 192.168.200.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 70
no ip split-horizon eigrp 70
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source GigabitEthernet0/0.2
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
!
router eigrp 70
network 10.0.0.0 0.0.0.255
network 192.168.200.0
!
access-list 111 permit udp any host A.B.C.D eq isakmp log
access-list 111 permit udp any host A.B.C.D eq non500-isakmp log
access-list 111 permit esp any host A.B.C.D log
---
And ISP provided a simple configuration to implement a Cisco router (client) in order to establish the VPN's:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname espanha
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
clock timezone PT 0
clock summer-time PT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
vtp mode transparent
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ******* address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 10
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 7200
set transform-set strong
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.200.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ********
ip nhrp map multicast dynamic
ip nhrp map multicast A.B.C.D
ip nhrp map 192.168.200.1 A.B.C.D
ip nhrp network-id 1
ip nhrp nhs 192.168.200.1
ip nhrp registration no-unique
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 192.168.0.15 255.255.255.0
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
load-interval 30
duplex full
speed 100
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.0.100 255.255.255.0
ip access-group deny_PASCOAL>TPM in
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
duplex auto
speed auto
no cdp enable
!
router eigrp 70
network 10.1.0.0 0.0.0.255
network 192.168.200.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 10.1.0.0 0.0.0.255
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
---
Question:
Anyone can help me how to implement it on Mikrotik with Router OS 6.22 and equipment http://routerboard.com/RB2011UiAS-2HnD-IN ?
Please.
Re: Mikrotik to Cisco GRE Multipoint
Hi,
This will not work as Mikrotik does not implement NHRP protocol, as that is required for mGRE tunnels to work. You will have to use point-to-point GRE tunnels between Cisco and Mikrotik gear. Also, Mikrotik does not implement EIGRP protocol, so even if you would get mGRE running, you would still have no possibility to exchange routes with your peer. Just get a refurbished Cisco 1841 for around 100$ to do that for you.
This will not work as Mikrotik does not implement NHRP protocol, as that is required for mGRE tunnels to work. You will have to use point-to-point GRE tunnels between Cisco and Mikrotik gear. Also, Mikrotik does not implement EIGRP protocol, so even if you would get mGRE running, you would still have no possibility to exchange routes with your peer. Just get a refurbished Cisco 1841 for around 100$ to do that for you.
-
-
brumartins
just joined
- Posts: 2
- Joined:
Re: Mikrotik to Cisco GRE Multipoint
Hi,
Thanks in advance for your awnser.
In this case have 4 Mikrotiks RB2011UiAS-2HnD-IN to connect with cisco 2901.
Could anyone help a simpler implementation as PPTP Server on the Cisco side in order to make PPTP client side of Mikrotik.
In order toMicrotiks communicate with the Cisco like cliente - server .
After that, between Mikrotiks will establish VPNs PPTP between them and would use the manual routing.
What do you think, is viable?
(Sorry my english...)
Thank you.
Thanks in advance for your awnser.
In this case have 4 Mikrotiks RB2011UiAS-2HnD-IN to connect with cisco 2901.
Could anyone help a simpler implementation as PPTP Server on the Cisco side in order to make PPTP client side of Mikrotik.
In order toMicrotiks communicate with the Cisco like cliente - server .
After that, between Mikrotiks will establish VPNs PPTP between them and would use the manual routing.
What do you think, is viable?
(Sorry my english...)
Thank you.
Re: Mikrotik to Cisco GRE Multipoint
Hello,
I am looking for same configuration.
Do you get it working?
Regards.
I am looking for same configuration.
Do you get it working?
Regards.
Re: Mikrotik to Cisco GRE Multipoint
This is good on a wireless segment of an OSPF network but perhaps not so good in your situation ????
Who is online
Users browsing this forum: No registered users and 18 guests