bean3178
just joined
Topic Author
Posts: 3
Joined: Mon Jan 28, 2013 4:11 am

VPN Questions: IPSEC src/dst network overlap & Cisco VPN

Wed Jan 30, 2013 2:57 am

1) I read in another thread that Mikrotiks have IPsec issues with Ciscos (VPN 3000 and/or PIX) due to Cisco not following RFC guidelines in relation to SA lifetime. I've been testing a setup to a VPN 3000 and once the tunnel is up it seems fine, but I've seen a few cases where the tunnel doesn't appear to come up (perhaps after a config change, etc.). There is an SA present when this happens that shows 0 current bytes. This still needs more testing on my side to consistently replicate the issue. Is this still a known issue? VPN reliability/re-establishment is absolutely critical for us.

2) For client sites, we'll assign a subnet such as 10.1.1.0/29. But, we want all traffic from that subnet to 10.0.0.0/8 tunneled. We have this working fine. But, if 10.1.1.1/29 is assigned to a Mikrotik interface and a client at 10.1.1.2 tries to ping 10.1.1.1, that traffic is sent over the tunnel. The Mikrotik doesn't see that it's a local subnet (high priority) and respond to that ping. Is there an easy fix for this?

3) What is the best Mikrotik solution to act as a VPN concentrator for other Mikrotiks that can handle hundreds of VPN tunnels (with average throughput of 100-500 kbps each)?

4) What is the best way to establish redundancy/high availability from client Mikrotiks to our concentrator? If item 1 is resolved, we'd like to stick with a redundant pair of ASAs. Should we just do GRE instead with VRRP, or is there something else that you can suggest?

Thanks.
 
bean3178
just joined
Topic Author
Posts: 3
Joined: Mon Jan 28, 2013 4:11 am

Re: VPN Questions: IPSEC src/dst network overlap & Cisco VPN

Wed Jan 30, 2013 3:15 am

Okay, so in regard to the VPN issue. Running 5.2.3.

1) Tunnel went down
2) Mikrotik showed installed SAs, with counters incrementing.
3) VPN 3000 did not show active SAs on its side.
4) DPD enabled with 10 seconds, 3 failures.
5) SAs never removed.
6) Flushed SAs.
7) Tunnel came up and all began working.
 
tmm72
just joined
Posts: 21
Joined: Thu Dec 20, 2012 7:05 pm

Re: VPN Questions: IPSEC src/dst network overlap & Cisco VPN

Wed Jan 30, 2013 11:03 pm

I have been running into the same issues with VPN IPSec settings.

The only thing that I have found to work at this time is to set up a ping to monitor the IPs on the VPN connection and, if it is not responding, flush the SAs; then things keep working.

One of the things that I have done is change the IP Policy setting to Unique, and that seems to have worked a little bit.


I wish there was a better response on this on what to do and not just a work around.

I talked to one guy and he finally gave up and put two Mikrotiks in place with an EoIP setup. But that doesn't help the people that have a mixed environment and cannot go fully into Mikrotik.
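As an added example (not code from tmm72's post or from MikroTik), here is one way to script the ping-and-flush workaround described above in RouterOS scripting. The tunnel peer address 10.0.0.1 and the local source address 10.1.1.1 are assumed placeholder values; the probe is sent from the local address covered by the IPsec policy so that it actually traverses the tunnel rather than leaving the router unencrypted.

```routeros
# Added example: ping a host on the far side of the IPsec tunnel and flush
# the installed SAs if it stops answering (the workaround tmm72 describes).
# Assumed placeholder addresses, replace with your own:
:local peerHost "10.0.0.1"
:local srcAddr  "10.1.1.1"

# /ping returns the number of replies received; sourcing the probe from the
# address in the IPsec policy ensures it is matched and sent through the tunnel
:local replies [/ping $peerHost src-address=$srcAddr count=3 interval=1s]

:if ($replies = 0) do={
    :log warning ("IPsec watchdog: no reply from " . $peerHost . ", flushing installed SAs")
    # Caveat: this drops every installed SA on the router, so on a concentrator
    # with many peers it tears down all tunnels, not just the dead one
    /ip ipsec installed-sa flush
} else={
    :log debug ("IPsec watchdog: " . $replies . "/3 replies from " . $peerHost)
}
```

Save it under `/system script add name=ipsec-watchdog source=...` and trigger it periodically with `/system scheduler add name=ipsec-watchdog interval=30s on-event=ipsec-watchdog`.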
 
tmm72
just joined
Posts: 21
Joined: Thu Dec 20, 2012 7:05 pm

Re: VPN Questions: IPSEC src/dst network overlap & Cisco VPN

Wed Jan 30, 2013 11:12 pm

Did you see the post?
http://forum.mikrotik.com/viewtopic.php?f=2&t=68591

People are having issues between two Mikrotiks and with Cisco to Mikrotik.

Not sure what to do myself; getting very frustrated.

TM