Mikrotik to Cisco GRE Multipoint
Posted: Sat Nov 22, 2014 2:25 pm
Hello ,
I am trying configure Mikrotik to establish VPN with Cisco 2901.
To Cisco, our ISP has the following configuration :
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ***** address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 7200
set transform-set strong
!
!
interface Tunnel0
ip address 192.168.200.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 70
no ip split-horizon eigrp 70
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source GigabitEthernet0/0.2
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
!
router eigrp 70
network 10.0.0.0 0.0.0.255
network 192.168.200.0
!
access-list 111 permit udp any host A.B.C.D eq isakmp log
access-list 111 permit udp any host A.B.C.D eq non500-isakmp log
access-list 111 permit esp any host A.B.C.D log
---
And ISP provided a simple configuration to implement a Cisco router (client) in order to establish the VPN's:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname espanha
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
clock timezone PT 0
clock summer-time PT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
vtp mode transparent
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ******* address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 10
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 7200
set transform-set strong
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.200.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ********
ip nhrp map multicast dynamic
ip nhrp map multicast A.B.C.D
ip nhrp map 192.168.200.1 A.B.C.D
ip nhrp network-id 1
ip nhrp nhs 192.168.200.1
ip nhrp registration no-unique
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 192.168.0.15 255.255.255.0
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
load-interval 30
duplex full
speed 100
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.0.100 255.255.255.0
ip access-group deny_PASCOAL>TPM in
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
duplex auto
speed auto
no cdp enable
!
router eigrp 70
network 10.1.0.0 0.0.0.255
network 192.168.200.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 10.1.0.0 0.0.0.255
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
---
Question:
Anyone can help me how to implement it on Mikrotik with Router OS 6.22 and equipment http://routerboard.com/RB2011UiAS-2HnD-IN ?
Please.
I am trying configure Mikrotik to establish VPN with Cisco 2901.
To Cisco, our ISP has the following configuration :
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ***** address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile cisco
set security-association lifetime seconds 7200
set transform-set strong
!
!
interface Tunnel0
ip address 192.168.200.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 70
no ip split-horizon eigrp 70
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source GigabitEthernet0/0.2
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
!
router eigrp 70
network 10.0.0.0 0.0.0.255
network 192.168.200.0
!
access-list 111 permit udp any host A.B.C.D eq isakmp log
access-list 111 permit udp any host A.B.C.D eq non500-isakmp log
access-list 111 permit esp any host A.B.C.D log
---
And ISP provided a simple configuration to implement a Cisco router (client) in order to establish the VPN's:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname espanha
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
clock timezone PT 0
clock summer-time PT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
vtp mode transparent
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ******* address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 10
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 7200
set transform-set strong
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.200.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ********
ip nhrp map multicast dynamic
ip nhrp map multicast A.B.C.D
ip nhrp map 192.168.200.1 A.B.C.D
ip nhrp network-id 1
ip nhrp nhs 192.168.200.1
ip nhrp registration no-unique
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 192.168.0.15 255.255.255.0
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
load-interval 30
duplex full
speed 100
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.0.100 255.255.255.0
ip access-group deny_PASCOAL>TPM in
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
duplex auto
speed auto
no cdp enable
!
router eigrp 70
network 10.1.0.0 0.0.0.255
network 192.168.200.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 10.1.0.0 0.0.0.255
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
---
Question:
Anyone can help me how to implement it on Mikrotik with Router OS 6.22 and equipment http://routerboard.com/RB2011UiAS-2HnD-IN ?
Please.