
IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Thu Nov 15, 2007 11:53 pm
by plucchetti

I'm trying to set up a VPN tunnel between a Cisco 800 Series and Mikrotik 3.0rc10 following this Howto: ... _and_Cisco but they can't connect.
I log in to Winbox and try to ping the remote WAN IP address, and I receive this error message: "timeout: ping reply not recieved after 1000mss"
I have checked the whole configuration many times; it is the same as the tutorial.

Any help?

Thanks in advance.


Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Fri Nov 16, 2007 10:13 am
by fatonk
Can you post your configuration here, so that we can give you some assistance?



Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Fri Nov 16, 2007 2:11 pm
by plucchetti
Configuration of both routers

On Mikrotik

/interface ipip
add comment="" disabled=no local-address= mtu=1480 name="Tunel1" remote-address=

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=WAN max-mru=1480 max-mtu=1480 \
mrru=disabled name="pppoe-out1" password="xxxxx" profile=default service-name="xx" use-peer-dns=no user="xxxx"

add address= broadcast= comment="" disabled=no interface=WAN network=
add address= broadcast= comment="" disabled=no interface=LAN network=
add address= broadcast= comment="" disabled=no interface=Tunel1 network=

/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no timeout-timer=3m update-timer=30s
/routing rip interface
add authentication=none authentication-key="" disabled=no in-prefix-list="" interface=Tunel1 key-chain="" out-prefix-list="" passive=no receive=v2 send=v2
/routing rip neighbor
add address= disabled=no
/routing rip network
add disabled=no network=
add disabled=no network=

/ip ipsec policy
add action=encrypt disabled=no dst-address= ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=ipsec protocol=all \
sa-dst-address= sa-src-address= src-address= tunnel=no
/ip ipsec peer
add address= auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=3des exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret="ipsec" send-initial-contact=yes

/ip ipsec proposal
add auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m name="default" pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="ipsec" pfs-group=modp1024

On Cisco

interface Tunnel1
description Tunel1
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1480
ip tcp adjust-mss 1400
load-interval 30
tunnel source
tunnel destination
tunnel mode ipip
tunnel protection ipsec profile encrypt
hold-queue 1024 in
hold-queue 1024 out

interface FastEthernet4
description $ES_WAN$$ETH-WAN$
ip address
ip virtual-reassembly
speed auto

interface Vlan1
ip address
ip virtual-reassembly
ip tcp adjust-mss 1452

router rip
version 2
timers basic 30 60 90 90
redistribute connected metric 1 route-map connected-to-rip
redistribute static metric 5 route-map static-to-rip
distribute-list prefix LAN out
no auto-summary

ip prefix-list LAN seq 10 permit

route-map connected-to-rip permit 10
match interface FastEthernet4
route-map static-to-rip permit 10
match ip address prefix-list LAN

crypto isakmp key ipsec address

crypto ipsec security-association idle-time 600

crypto ipsec transform-set vpn esp-3des esp-md5-hmac
mode transport
crypto ipsec profile encrypt
set transform-set vpn
crypto map vpn 1 ipsec-isakmp
description *expo*
set peer
set transform-set vpn
set pfs group2
match address mikrotik_peer

ip access-list extended mikrotik_peer
permit ipinip host host
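
The Phase 2 settings of the two posted configurations, compared field by field; this is an added example, not part of the original posts. It reads the RouterOS proposal that the policy references and the IOS profile that `tunnel protection` references, treating `modp1024` as DH group 2 and `tunnel=no` as transport mode; the function names are made up for this example, and a reported difference is a point to review rather than a diagnosis.

```python
import re
# Phase 2 lines excerpted from the two posted configurations (trimmed; addresses omitted).
MIKROTIK = """/ip ipsec policy
add action=encrypt ipsec-protocols=esp level=require proposal=ipsec tunnel=no
/ip ipsec proposal
add auth-algorithms=sha1 disabled=yes enc-algorithms=3des name="default" pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des name="ipsec" pfs-group=modp1024"""
CISCO = """crypto ipsec transform-set vpn esp-3des esp-md5-hmac
mode transport
crypto ipsec profile encrypt
set transform-set vpn
crypto map vpn 1 ipsec-isakmp
set pfs group2"""
DH = {"none": None, "modp768": 1, "modp1024": 2, "modp1536": 5}  # RouterOS name -> DH group
ALG = {"esp-des": "des", "esp-3des": "3des", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

def kv(line):  # split a RouterOS 'add key=value ...' line into a dict
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)}

def mikrotik_phase2(text):  # settings of the proposal that the policy references
    rows, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rows.setdefault(section, []).append(kv(line))
    policy = rows["/ip ipsec policy"][0]
    p = next(r for r in rows["/ip ipsec proposal"] if r["name"] == policy["proposal"])
    return {"enc": p["enc-algorithms"], "auth": p["auth-algorithms"], "pfs": DH[p["pfs-group"]],
            "mode": "transport" if policy.get("tunnel") == "no" else "tunnel"}

def cisco_phase2(text, profile):  # settings of the named 'crypto ipsec profile'
    sets, block, out = {}, None, {"pfs": None}
    for w in filter(None, map(str.split, text.splitlines())):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            block = ("set", w[3])  # IOS transform sets default to tunnel mode
            sets[w[3]] = {"enc": ALG[w[4]], "auth": ALG[w[5]], "mode": "tunnel"}
        elif w[0] == "crypto":     # any other crypto line opens a new block
            block = tuple(w[2:4]) if w[1:3] == ["ipsec", "profile"] else None
        elif block and block[0] == "set" and w[0] == "mode":
            sets[block[1]]["mode"] = w[1]
        elif block == ("profile", profile) and w[:2] == ["set", "transform-set"]:
            out.update(sets[w[2]])
        elif block == ("profile", profile) and w[:2] == ["set", "pfs"]:
            out["pfs"] = int(w[2].replace("group", ""))
    return out

def differences(mt, cs):  # {field: (mikrotik, cisco)} for every field that disagrees
    return {k: (mt[k], cs[k]) for k in ("enc", "auth", "mode", "pfs") if mt[k] != cs[k]}

print(differences(mikrotik_phase2(MIKROTIK), cisco_phase2(CISCO, "encrypt")))
```

On the posted lines the only field reported is `pfs`: the RouterOS proposal sets `pfs-group=modp1024`, while `set pfs group2` appears under the crypto map and not under the profile that the tunnel uses.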

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Fri Nov 16, 2007 2:36 pm
by plucchetti
Sorry double post.

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Fri Nov 16, 2007 6:52 pm
by fatonk
For the time being I do not see any problem with your configuration. But can you debug this connection a bit and see if you are authenticating?



Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Fri Nov 16, 2007 8:35 pm
by plucchetti
You mean ipsec authentication, right?

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Sat Nov 17, 2007 12:54 pm
by fatonk
Yes, I meant for IPSec.


Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Mon Nov 19, 2007 4:11 pm
by plucchetti
Both keys are the same, I don't know what's wrong.


Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Mon Nov 19, 2007 4:38 pm
by fatonk
Just try without encryption to reach a side-to-side connection. I have a dozen connections in this setup and have no problem. One thing to stress here: do not copy-paste the configuration but just write it all; I had an issue with a Cisco 831 with the copy-paste method of configuration.



Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Posted: Tue Nov 20, 2007 12:28 pm
by fatonk
Just check the latest update of the wiki regarding this issue, and there you will find the solution.

