Cisco 1800 series / DMVPN / connect MikroTik RB750 as client

maroon · Thu Nov 10, 2011 4:57 pm

Is it possible to establish a VPN connection from RB750 to Cisco 1800 using the below configuration....

DU-XYZ-1841#show run
Building configuration...

Current configuration : 4641 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 10000
enable secret 5 $1$6tsl$Eymq5zUkHIMfdsf32rwef
enable password 7 3dfdsvfsdcvfwe
!
aaa new-model
!
!
aaa authentication login USER local
aaa authorization network l-auth local
!
!
aaa session-id common
dot11 syslog
ip cef
!
!
!
!
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
no ip domain lookup
ip domain name yfholding.com
!
multilink bundle-name authenticated
password encryption aes
!
!
!
!
username xduser password 7 070B226C570F110DEFSDSFA1B16020203
username du secret 5 $1$Vmp8$UEwV.6RUClcwerwugcgIQ8DaO.
username fvpn password 7 023FSDFS224D1B085F71
username ku password 7 063F29294342SDFSD0D100B103526
archive
 log config
  logging enable
  hidekeys
!
crypto keyring dmvpnspokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key Verysecretoooo
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group DUolding
 key DUKey!@
 pool VPN
 acl 181
 split-dns 192.100.100.100
crypto isakmp profile DMVPN
   keyring dmvpnspokes
   match identity address 0.0.0.0
crypto isakmp profile VPNclient
   match identity group DUHolding
   client authentication list USER
   isakmp authorization list l-auth
   client configuration address respond
!
!
crypto ipsec transform-set DU-SET esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DU-PROFILE
 set transform-set DU-SET
 set isakmp-profile DMVPN
!
!
crypto dynamic-map IMAP 10
 set transform-set DU-SET
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map mymap 100 ipsec-isakmp dynamic IMAP
!
!
!
ip ssh version 2
!
!
!
interface Tunnel0
 bandwidth 4000
 ip address 192.168.234.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip hold-time eigrp 90 60
 no ip next-hop-self eigrp 90
 ip nhrp authentication cisco@DU
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 90
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DU-PROFILE
!
interface FastEthernet0/0
 description LAN
 ip address 192.100.100.253 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN
 ip address 82.195.135.2 255.255.255.248
 ip access-group internet in
 no ip redirects
 no ip unreachables
 ip inspect FWOUT out
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap
!
router eigrp 90
 redistribute static
 redistribute ospf 1 metric 1 1 1 1 1
 network 192.100.100.0
 network 192.168.234.0
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 90 subnets
 network 192.100.100.0 0.0.0.255 area 0
 network 192.168.234.0 0.0.0.255 area 0
!
ip local pool VPN 172.16.100.1 172.16.100.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 82.195.135.1
!
!
ip http server
no ip http secure-server
!
ip access-list extended internet
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 172.16.0.0 0.0.15.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit esp any any
 permit udp any host 82.195.135.2 eq isakmp
 permit tcp host 212.98.130.56 eq 22 host 82.195.135.2
 permit udp any host 82.195.135.2 eq non500-isakmp
 permit gre any any
 permit tcp host 174.8.7.53 host 82.195.135.2 eq 22
 deny   ip any any log
!
access-list 181 permit ip 192.100.100.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 192.168.40.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 10.20.10.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 194.194.0.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 192.168.0.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 10.20.20.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 193.193.0.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 10.55.55.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 181 permit ip 10.40.40.0 0.0.0.255 172.16.100.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport input telnet ssh
line vty 5 807
 exec-timeout 60 0
 transport input ssh
!
scheduler allocate 20000 1000
end

DU-XYZ-1841#

any advice/help would be highly appreciated!!!

fewi · Thu Nov 10, 2011 5:05 pm

No. RouterOS doesn't support NHRP (or multipoint GRE interfaces) so it cannot be part of a DMVPN. You can build classic IPsec tunnels, though.

maroon · Fri Nov 11, 2011 11:16 am

What if we want to change the main router (Cisco 1841) with a Routerboard 1200 and migrate all the cisco clients to RB750 clients or windows vpn client?

Any existing scenario for VPN infrastructure with OSPF configuration? howto's, tips and quick hints are most welcome

fewi · Fri Nov 11, 2011 1:36 pm

Honestly I wouldn't

I love RouterOS, but the way it does IPsec is very cumbersome. It isn't exposed as a tunnel interface that you can just attach a policy to. This makes tunneled tunnels (and you'd need something GRE like underneath IPsec so you can run a routing protocol) a giant pain.

Sat Nov 12, 2011 10:44 am

Honestly I wouldn't

I love RouterOS, but the way it does IPsec is very cumbersome. It isn't exposed as a tunnel interface that you can just attach a policy to. This makes tunneled tunnels (and you'd need something GRE like underneath IPsec so you can run a routing protocol) a giant pain.

I agree, I wish Mikrotik would hurry up and implement IPSEC tunnel interfaces.

oreggin · Mon Feb 06, 2012 9:45 pm

When will be approx. supported multipont GRE and/or NHRP in RoS? Where are these features on the roadmap?

oreggin · Mon Feb 06, 2012 9:57 pm

Moreover GRE tunnel interface doesn't have IPv6 link-local address and I can't set up link-local address on GRE tunnel interface so I can't use DHCPv6 on it.

florinsanaja · Sun Sep 16, 2012 1:29 pm

Can I build multi peer VPN (central) in cisco 2911 router and to connect with other branches which are mikrotik routers.
Is it possible to run multi peer VPN in same time on cisco router connected to mikrotik branches ?

florinsanaja · Sun Sep 16, 2012 7:49 pm

Dear friends,

Is it possible to crate VPN between Cisco router 2911 and mikrotik RB750
I cannot make multi peers mikrotik in central cisco router??
I think mikrotik do not support GRE or DMVPN in order to configure in both routers.

Any idea will be much appreciated???

Thanks alot

infused · Sat Sep 28, 2013 7:55 am

Just bumping this because you can make this work, we just did.

You have your main cisco DMVPN router connect to the mikrotik using a simple GRE tunnel. Add the routes to the DMVPN and away you go. It's really not hard.

You just need to manually add the routes to the Mikrotik.