VPN with Virtual Routing and Forwarding / Mikrotik and Cisco
This example shows how to set up a VPN using Virtual Routing and Forwarding (VRF). VRF is a technology used in computer networks that allows multiple instances of a routing table to coexist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. This example covers a setup between MikroTik and Cisco routers. The steps to complete the configuration are below.
First, configure a tunnel interface on MikroTik Router1 and Router2.
Router1:
/ interface ipip add name="tunnel" local-address=218.100.100.29 remote-address=218.100.98.5 comment="" disabled=no
Router2:
/ interface ipip add name="tunnel" local-address=218.100.100.30 remote-address=218.100.98.5 comment="" disabled=no
After the tunnel interfaces are configured, assign IP addresses to the interfaces on Router1 and Router2.
Router1:
/ip address
add address=218.100.100.29/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether1 comment="" disabled=no
add address=172.16.1.1/30 network=172.16.1.0 broadcast=172.16.1.3 interface=tunnel comment="" disabled=no
Router2:
/ip address
add address=218.100.100.30/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ether1 comment="" disabled=no
add address=172.16.1.5/30 network=172.16.1.4 broadcast=172.16.1.7 interface=tunnel comment="" disabled=no
On the Cisco router, create the VRF instance:
cisco#conf t
cisco(config)#ip vrf TEST
cisco(config-vrf)#rd 10:10
cisco(config-vrf)#end
On the Cisco router, create the tunnel interface to Router1 and add it to VRF TEST:
cisco#conf t
cisco(config)#interface Tunnel 900
cisco(config-if)#ip vrf forwarding TEST
cisco(config-if)#description Tunnel_to_Mikrotik_router1
cisco(config-if)#tunnel destination <IP_Address_router1>
cisco(config-if)#tunnel source Loopback1
cisco(config-if)#load-interval 30
cisco(config-if)#tunnel mode ipip
cisco(config-if)#tunnel path-mtu-discovery
cisco(config-if)#ip address 172.16.1.2 255.255.255.252
cisco(config-if)#end
On the Cisco router, create the tunnel interface to Router2 and add it to VRF TEST:
cisco#conf t
cisco(config)#interface Tunnel 901
cisco(config-if)#ip vrf forwarding TEST
cisco(config-if)#description Tunnel_to_Mikrotik_router2
cisco(config-if)#tunnel destination <IP_Address_router2>
cisco(config-if)#tunnel source Loopback1
cisco(config-if)#load-interval 30
cisco(config-if)#tunnel mode ipip
cisco(config-if)#tunnel path-mtu-discovery
cisco(config-if)#ip address 172.16.1.6 255.255.255.252
cisco(config-if)#end
Set up routes and routing rules on the MikroTik and Cisco routers.
Router1:
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes in-interface=ether1 src-address=192.168.1.0/24 disabled=no
/ip route rule add routing-mark=tun action=lookup table=tun
/ip route add dst-address=192.168.2.0/24 gateway=172.16.1.2 routing-mark=tun
Router2:
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes in-interface=ether1 src-address=192.168.2.0/24 disabled=no
/ip route rule add routing-mark=tun action=lookup table=tun
/ip route add dst-address=192.168.1.0/24 gateway=172.16.1.6 routing-mark=tun
Cisco Router:
cisco#conf t
cisco(config)#ip route vrf TEST 192.168.1.0 255.255.255.0 Tunnel900
cisco(config)#ip route vrf TEST 192.168.2.0 255.255.255.0 Tunnel901
cisco(config)#end
A VPN can be built directly from Router1 to Router2, but when you have many customers with many routers, and many of them use the same address space, this is a great and easy solution.
All addresses are for example only.
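The following Python model is an added example, not part of the original page and not Cisco or MikroTik code. It shows why per-VRF routing tables let customers reuse the same address space and why tunnel subnets inside one VRF must not overlap. It assumes /30 tunnel masks matching the MikroTik side; the second VRF `CUST2` and interface `Tunnel910` are hypothetical.

```python
import ipaddress
from collections import defaultdict

class VrfRouter:
    """Toy model of a router holding one independent routing table per VRF."""
    def __init__(self):
        self.interfaces = defaultdict(dict)  # vrf -> {ifname: ip_interface}
        self.routes = defaultdict(list)      # vrf -> [(network, ifname)]

    def add_interface(self, vrf, name, cidr):
        iface = ipaddress.ip_interface(cidr)
        # Overlap is only checked inside the same VRF; other VRFs are ignored.
        for other, existing in self.interfaces[vrf].items():
            if iface.network.overlaps(existing.network):
                raise ValueError(f"{name} {iface.network} overlaps {other} "
                                 f"{existing.network} in VRF {vrf}")
        self.interfaces[vrf][name] = iface

    def add_route(self, vrf, prefix, ifname):
        if ifname not in self.interfaces[vrf]:
            raise ValueError(f"{ifname} is not a member of VRF {vrf}")
        self.routes[vrf].append((ipaddress.ip_network(prefix), ifname))

    def lookup(self, vrf, dst):
        """Longest-prefix match restricted to one VRF; None means unreachable."""
        addr = ipaddress.ip_address(dst)
        hits = [(net, ifn) for net, ifn in self.routes[vrf] if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build_example():
    r = VrfRouter()
    # VRF TEST with the tunnels and static routes from this page.
    r.add_interface("TEST", "Tunnel900", "172.16.1.2/30")
    r.add_interface("TEST", "Tunnel901", "172.16.1.6/30")
    r.add_route("TEST", "192.168.1.0/24", "Tunnel900")
    r.add_route("TEST", "192.168.2.0/24", "Tunnel901")
    # Hypothetical second customer reusing the same addresses in its own VRF.
    r.add_interface("CUST2", "Tunnel910", "172.16.1.2/30")
    r.add_route("CUST2", "192.168.1.0/24", "Tunnel910")
    return r

if __name__ == "__main__":
    r = build_example()
    for vrf, dst in [("TEST", "192.168.1.10"), ("TEST", "192.168.2.10"),
                     ("CUST2", "192.168.1.10"), ("CUST2", "192.168.2.10")]:
        print(vrf, dst, "->", r.lookup(vrf, dst))
```
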