Hi,

I'm triying to set up vpn tunnel between Cisco 800 Series and Mikrotik 3.0rc10 following this Howto:
http://wiki.mikrotik.com/wiki/IPSec_VPN ... _and_Cisco but they can't connect.
I log to Winbox and try to ping to remote wan ip address and I receive this error message "timeout: ping reply not recieved after 1000mss"
I check many times all configuration, is the same as the tutorial.

Any help?

Thanks in advance.

Pablo

Can you post your configuration here, in order to give you some assistance.

Regards

Faton

Configuration of both routers

On Mikrotik

/interface ipip
add comment="" disabled=no local-address=10.118.1.2 mtu=1480 name="Tunel1" remote-address=10.118.1.1

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=WAN max-mru=1480 max-mtu=1480 \
mrru=disabled name="pppoe-out1" password="xxxxx" profile=default service-name="xx" use-peer-dns=no user="xxxx"

add address=10.118.1.2/29 broadcast=10.118.1.7 comment="" disabled=no interface=WAN network=10.118.1.0
add address=192.168.15.1/24 broadcast=192.168.15.255 comment="" disabled=no interface=LAN network=192.168.15.0
add address=10.135.1.2/30 broadcast=10.135.1.3 comment="" disabled=no interface=Tunel1 network=10.135.1.0


/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no timeout-timer=3m update-timer=30s
/routing rip interface
add authentication=none authentication-key="" disabled=no in-prefix-list="" interface=Tunel1 key-chain="" out-prefix-list="" passive=no receive=v2 send=v2
/routing rip neighbor
add address=10.135.1.1 disabled=no
/routing rip network
add disabled=no network=192.168.15.0/24
add disabled=no network=10.135.1.0/30

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.118.1.1/32:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=ipsec protocol=all \
sa-dst-address=10.118.1.1 sa-src-address=10.118.1.2 src-address=10.118.1.2/32:any tunnel=no
/ip ipsec peer
add address=10.118.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=3des exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret="ipsec" send-initial-contact=yes

/ip ipsec proposal
add auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m name="default" pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="ipsec" pfs-group=modp1024


On Cisco

interface Tunnel1
description Tunel1
ip address 10.135.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1480
ip tcp adjust-mss 1400
load-interval 30
tunnel source 10.118.1.1
tunnel destination 10.118.1.2
tunnel mode ipip
tunnel protection ipsec profile encrypt
hold-queue 1024 in
hold-queue 1024 out

interface FastEthernet4
description $ES_WAN$$ETH-WAN$
ip address 10.118.1.1 255.255.255.248
ip virtual-reassembly
speed auto
full-duplex

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.97.254.1 255.255.0.0
ip virtual-reassembly
ip tcp adjust-mss 1452

router rip
version 2
timers basic 30 60 90 90
redistribute connected metric 1 route-map connected-to-rip
redistribute static metric 5 route-map static-to-rip
network 192.168.15.0
distribute-list prefix LAN out
no auto-summary
!

ip prefix-list LAN seq 10 permit 10.97.0.0/16

route-map connected-to-rip permit 10
match interface FastEthernet4
!
route-map static-to-rip permit 10
match ip address prefix-list LAN

crypto isakmp key ipsec address 0.0.0.0 0.0.0.0

crypto ipsec security-association idle-time 600

crypto ipsec transform-set vpn esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile encrypt
set transform-set vpn
!
!
crypto map vpn 1 ipsec-isakmp
description *expo*
set peer 10.118.1.2
set transform-set vpn
set pfs group2
match address mikrotik_peer

ip access-list extended mikrotik_peer
permit ipinip host 10.118.1.1 host 10.118.1.2
!

Sorry double post.

For the time being I don not see any problem with your configuration. But, can you debug a bit this connection and see if you are authenticating.

Regards.

Faton

You mean ipsec authentication, right?

Yes, I meant for IPSec.

Regards

Both keys are the same, I don't know what's in wrong.


Regards,
Pablo

Just try without encryption to reach side to side connection, I have a dozen of connections in this setup and have no problem. One thing to stress here , do not copy paiste configuration but just write all, I had an issue with cisco 831 in copy paiste method of configuration.

Regards


Faton

Just check the latest update of the wiki regarding this issue, and there you will find the solution.

Regards.

Faton