IPSEC Tunnel
Posted: Wed Jan 15, 2014 12:23 pm
Hi there
I am trying to create a VPN tunnel using IPSEC between a Mikrotik router and a Cisco ASA. However, I can't get the tunnel to come up. The client has confirmed all is correct on their ASA.
My config is as follows:
x.x.x.x = Cisco ASA
y.y.y.y = Mikrotik Public IP
a.a.a.a = Mikrotik internal network
b.b.b.b = Cisco internal network
Mikrotik
;;; Peer
address=x.x.x.x/32 passive=no port=500 auth-method=pre-shared-key
secret="" generate-policy=port-override exchange-mode=main
send-initial-contact=yes nat-traversal=no my-id-user-fqdn=
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
;;;; Policy
src-address=a.a.a.a/24 src-port=any dst-address=b.b.b.b/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=y.y.y.y
sa-dst-address=a.a.a.a proposal=MTN priority=1
;;;; Proposal
name="MTN" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h
pfs-group=none
Cisco ASA config (provided by client)
object-group network IPSEC_REMOTE
network-object host y.y.y.y
object-group network IPSEC_LOCAL
network-object host b.b.b.b
global (inside) 44 10.200.206.4 netmask 255.255.255.255
nat (outside) 44 y.y.y.y 255.255.255.255
route outside y.y.y.y 255.255.255.255 196.11.243.1
access-list acl-IPSEC_X permit ip object-group IPSEC_LOCAL object-group IPSEC_REMOTE
access-list 100 permit ip object-group IPSEC_LOCAL object-group IPSEC_REMOTE
access-list acl-inside permit ip object-group IPSEC_LOCAL object-group IPSEC_REMOTE
crypto map IPSEC-OUTSIDE 127 match address acl-IPSEC_X
crypto map IPSEC-OUTSIDE 127 set peer y.y.y.y
crypto map IPSEC-OUTSIDE 126 set transform-set ESP-3DES-SHA
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
According to the client, they don't see the tunnel coming up on their side at all, i.e. it's not even getting past phase 1.
Any help would be fantastic.
Thanks in advance.
Warren
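Added example, not part of the post above and not MikroTik or Cisco code: a small Python consistency checker for the objects a RouterOS site-to-site tunnel is built from (peer, policy, proposal) and for the ASA crypto map lines on the other side. The two configuration strings are constructed from the post, with its x.x.x.x / y.y.y.y / a.a.a.a / b.b.b.b placeholders left in place. Run against those values it reports that the policy's sa-dst-address is a.a.a.a (the Mikrotik internal network per the legend) rather than the peer address x.x.x.x, and that the ASA crypto map splits match address / set peer (sequence 127) and set transform-set (sequence 126) across two entries, so neither sequence is complete. The phase-2 algorithm check compares the proposal with the transform set's name only, since the `crypto ipsec transform-set` definition is not in the post; that heuristic is an assumption of this example.

```python
# Consistency checks for a RouterOS <-> Cisco ASA IPsec site-to-site definition.
# Example code; the config text below is constructed from the forum post.
import re
from collections import defaultdict

ROUTEROS_CONFIG = """
;;; Peer
address=x.x.x.x/32 passive=no port=500 auth-method=pre-shared-key
secret="" generate-policy=port-override exchange-mode=main
send-initial-contact=yes nat-traversal=no my-id-user-fqdn=
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
;;;; Policy
src-address=a.a.a.a/24 src-port=any dst-address=b.b.b.b/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=y.y.y.y
sa-dst-address=a.a.a.a proposal=MTN priority=1
;;;; Proposal
name="MTN" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h
pfs-group=none
"""

ASA_CONFIG = """
crypto map IPSEC-OUTSIDE 127 match address acl-IPSEC_X
crypto map IPSEC-OUTSIDE 127 set peer y.y.y.y
crypto map IPSEC-OUTSIDE 126 set transform-set ESP-3DES-SHA
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
"""

# key=value pairs as RouterOS prints them; values may be quoted or empty.
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
# "crypto map <name> <seq> <stanza> <value>" lines of an ASA crypto map.
CRYPTO_MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)\s+(.*)$")


def parse_routeros(text):
    """Return {'peer': {...}, 'policy': {...}, 'proposal': {...}}.
    The ';;;' comment lines name the section; one object's key=value pairs
    may be wrapped over several lines, so they accumulate per section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):
            current = line.lstrip(";").strip().lower()
            sections[current] = {}
        elif current is not None:
            for key, value in KV_RE.findall(line):
                sections[current][key] = value.strip('"')
    return sections


def parse_asa_crypto_maps(text):
    """Return {(map_name, seq): {stanza: value}} for every crypto map line."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if m:
            name, seq, stanza, value = m.groups()
            entries[(name, int(seq))][stanza] = value.strip()
    return dict(entries)


def check_routeros(sections):
    """Cross-check the peer, policy and proposal objects against each other."""
    peer, policy, proposal = sections["peer"], sections["policy"], sections["proposal"]
    findings = []
    peer_ip = peer["address"].split("/")[0]
    # SA addresses are the tunnel's outer endpoints: sa-dst-address must be the
    # remote peer's public address, not one of the protected inside networks.
    if policy.get("sa-dst-address") != peer_ip:
        findings.append(f"policy sa-dst-address={policy.get('sa-dst-address')} "
                        f"does not match peer address {peer_ip}")
    # The policy must reference a proposal that exists under that name.
    if policy.get("proposal") != proposal.get("name"):
        findings.append(f"policy proposal={policy.get('proposal')} "
                        f"but the proposal is named {proposal.get('name')}")
    return findings


def check_asa_crypto_maps(entries):
    """Each crypto map sequence number needs its own match/peer/transform-set."""
    findings = []
    for (name, seq), stanzas in sorted(entries.items()):
        for required in ("match address", "set peer", "set transform-set"):
            if required not in stanzas:
                findings.append(f"crypto map {name} {seq} has no '{required}'")
    return findings


def check_phase2_algorithms(proposal, transform_set_name):
    """Heuristic (assumption of this example): compare the RouterOS proposal with
    the tokens of the ASA transform-set name, e.g. ESP-3DES-SHA -> {3des, sha}."""
    tokens = {t.lower() for t in transform_set_name.split("-")} - {"esp"}
    findings = []
    if proposal["enc-algorithms"].lower() not in tokens:
        findings.append(f"proposal enc-algorithms={proposal['enc-algorithms']} "
                        f"not in transform set {transform_set_name}")
    if not any(proposal["auth-algorithms"].lower().startswith(t) for t in tokens):
        findings.append(f"proposal auth-algorithms={proposal['auth-algorithms']} "
                        f"not in transform set {transform_set_name}")
    return findings


def run_all_checks(routeros_text=ROUTEROS_CONFIG, asa_text=ASA_CONFIG):
    """Run every check and return the combined list of findings."""
    sections = parse_routeros(routeros_text)
    maps = parse_asa_crypto_maps(asa_text)
    findings = check_routeros(sections) + check_asa_crypto_maps(maps)
    for stanzas in maps.values():
        if "set transform-set" in stanzas:
            findings += check_phase2_algorithms(sections["proposal"], stanzas["set transform-set"])
    return findings


if __name__ == "__main__":
    for finding in run_all_checks():
        print("FINDING:", finding)
```

The checks are deliberately limited to what both pasted fragments actually contain: the RouterOS side is checked for internal consistency (peer address versus policy SA destination, policy versus proposal name), the ASA side for a complete crypto map entry, and the two sides for matching phase-2 algorithms. Phase-1 parameters on the ASA (isakmp policy, tunnel-group pre-shared key) are not in the post, so nothing is asserted about them.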