IPSec VPN with Dynamic Routing / Mikrotik and Cisco

*** MIKROTIK ***

# IP-in-IP tunnel towards the Cisco peer. The outer addresses are the two WAN
# addresses; the IPsec policy further down protects this traffic in transport mode.
# mtu=1480 matches "ip mtu 1480" on the Cisco Tunnel1 interface (presumably
# 1500 minus the 20-byte outer IP header).
/interface ipip
add name="ipip1" local-address=10.10.1.100 remote-address=10.10.1.200 mtu=1480 disabled=no

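# Addresses: WAN (outer address / IPsec endpoint), LAN, and the tunnel's /30.
# FIX: 192.168.0.18/30 lies in 192.168.0.16/30, so the network is 192.168.0.16
# and the broadcast 192.168.0.19. The original listed 192.168.0.18 for both,
# which does not describe the subnet (RouterOS may or may not auto-correct it).
# The Cisco end of the tunnel is 192.168.0.17 in the same /30.
/ip address
add address=10.10.1.100/24 network=10.10.1.0 broadcast=10.10.1.255 interface=WAN disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN disabled=no
add address=192.168.0.18/30 network=192.168.0.16 broadcast=192.168.0.19 interface=ipip1 disabled=no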


# RIPv2 global settings: nothing is redistributed here; the LAN and tunnel
# prefixes are announced explicitly with "routing rip network" below.
# NOTE(review): timeout 3m / garbage 2m differ from the Cisco side's
# "timers basic 30 60 90 90" (invalid 60s, flush 90s). RIP does not require
# identical timers on both ends, but the Cisco router will age routes out
# while this router still considers them valid; align the timers if routes flap.
/routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no \
    metric-static=1 metric-connected=1 metric-ospf=1 metric-bgp=1 \
    update-timer=30s timeout-timer=3m garbage-timer=2m

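# RIPv2 over the tunnel.
# FIX: the RIP interface must be the tunnel defined above ("ipip1"); the original
# referenced a non-existent "Tunnel-1" (that is the Cisco-side interface name).
# FIX: the neighbor and the tunnel prefix are in 192.168.0.16/30 (the Cisco end is
# 192.168.0.17, see "ip address 192.168.0.17 255.255.255.252" on Tunnel1). The
# original used 172.16.0.17 / 172.16.0.16/30, which is configured nowhere.
# NOTE(review): authentication=none mirrors the Cisco side, which has no
# "ip rip authentication" on Tunnel1. Updates travel only inside the
# IPsec-protected tunnel, but enabling md5 authentication on both ends is cheap
# and guards against spoofed updates should the tunnel ever run unprotected.
/routing rip interface
add interface=ipip1 receive=v2 send=v2 authentication=none authentication-key="" \
    prefix-list-in="" prefix-list-out=""
/routing rip neighbor
add address=192.168.0.17
/routing rip network
add address=192.168.1.0/24
add address=192.168.0.16/30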


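# Phase 2 policy: protect traffic between the two WAN addresses in transport
# mode (tunnel=no), which matches "mode transport" on the Cisco transform-set;
# the IPIP tunnel supplies the encapsulation.
# FIX: sa-dst-address must be the remote peer 10.10.1.200; the original had
# 10.10.1.100 (this router's own address) on both ends of the SA.
# FIX: the proposal defined below is named "IPSec"; the original referenced "VPN".
# NOTE(review): the Cisco crypto ACL only permits ipinip (IP protocol 4) between
# the peers, while this selector is protocol=all. If phase 2 fails with a
# proxy-identity mismatch, narrow this to protocol=ipencap so both ends describe
# the same traffic.
/ip ipsec policy
add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 \
    proposal=IPSec manual-sa=none dont-fragment=clear disabled=no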

# Phase 1 (IKE) peer: the Cisco WAN address, main mode, pre-shared key.
# hash md5 / 3des / modp1024 (DH group 2) must be offered by a
# "crypto isakmp policy" on the Cisco side. None is shown in this listing, so
# one may have to be added unless the platform's default policies already
# include this combination.
# SECURITY: the PSK "ipsec" and the md5/3des/modp1024 suite are lab-grade only.
# Use a long random secret (the same value as the Cisco "crypto isakmp key")
# and, where both platforms support it, sha1 or better, aes, and a larger DH group.
/ip ipsec peer
add address=10.10.1.200 secret="ipsec" generate-policy=no exchange-mode=main \
    send-initial-contact=yes proposal-check=obey \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 \
    lifetime=1d lifebytes=0 disabled=no

# Phase 2 proposal referenced by the policy above; corresponds to the Cisco
# transform-set "vpn" (esp-3des esp-md5-hmac).
# pfs-group=modp1024 is Cisco's "set pfs group2". Note that the Cisco crypto map
# sets it, but the IPsec profile "encrypt" that Tunnel1 actually uses does not.
# SECURITY: 3des/md5 are legacy algorithms; prefer aes/sha on both ends.
/ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 \
    pfs-group=modp1024 disabled=no



*** CISCO ***

! Tunnel1: IP-in-IP tunnel to the MikroTik. Inner /30, MikroTik end is .18.
! The tunnel is protected by the IPsec profile "encrypt" (transport mode);
! nothing in this listing binds a crypto map to the physical WAN interface.
interface Tunnel1
 description **Cisco Peer**
 tunnel mode ipip
 tunnel source 10.10.1.200
 tunnel destination 10.10.1.100
 tunnel protection ipsec profile encrypt
 ip address 192.168.0.17 255.255.255.252
 ! 1480 matches mtu=1480 on the MikroTik ipip1 interface; the MSS clamp keeps
 ! TCP segments below the tunnel MTU even with ESP overhead
 ip mtu 1480
 ip tcp adjust-mss 1400
 ip rip v2-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 hold-queue 1024 in
 hold-queue 1024 out

! RIPv2. "network 192.168.0.0" is classful (192.168.0.0/24) and so only enables
! RIP on Tunnel1 (192.168.0.17). The LAN (192.168.2.0/24, see prefix-list LAN)
! is injected through "redistribute connected" instead.
router rip
 version 2
 no auto-summary
 network 192.168.0.0
 ! Only the LAN prefix may leave in updates
 distribute-list prefix LAN out
 redistribute connected metric 1 route-map connected-to-rip
 redistribute static metric 5 route-map static-to-rip
 ! update 30s, invalid 60s, holddown 90s, flush 90s. Shorter than the MikroTik
 ! side (timeout 3m, garbage 2m); consider aligning the two if routes flap.
 timers basic 30 60 90 90

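!
! FIX: these stanzas were collapsed onto single lines with their "!" separators;
! restored one statement per line so the text is valid IOS configuration.
ip prefix-list LAN seq 10 permit 192.168.2.0/24
!
! Only the directly connected LAN interface is redistributed
route-map connected-to-rip permit 10
 match interface FastEthernet0/0
!
! Static routes are redistributed only if they fall inside prefix-list LAN
route-map static-to-rip permit 10
 match ip address prefix-list LAN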

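!
! Tear down idle IPsec SAs after 10 minutes
crypto ipsec security-association idle-time 600
!
! Pre-shared key for the MikroTik peer.
! FIX: the original used "address 0.0.0.0 0.0.0.0", which lets any host that
! knows the key authenticate as an IKE peer; scope the key to the MikroTik WAN
! address so only that peer can use it.
! SECURITY: "ipsec" is a placeholder-strength key. Replace it with a long random
! secret and set the same value in the MikroTik "ip ipsec peer".
! NOTE(review): no "crypto isakmp policy" appears in this listing; phase 1 needs a
! policy offering 3des / md5 / group 2 / pre-share to match the MikroTik peer,
! unless the platform's default policies already cover that combination.
crypto isakmp key ipsec address 10.10.1.100 255.255.255.255
!
! Phase 2 transform: matches the MikroTik proposal (3des, md5) and its tunnel=no
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 mode transport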

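!
! IPsec profile bound to Tunnel1 via "tunnel protection".
! FIX: add PFS group 2 so the profile agrees with the MikroTik proposal
! (pfs-group=modp1024) and with the crypto map below. Without it a
! Cisco-initiated phase 2 offers no PFS, which the MikroTik side may reject.
crypto ipsec profile encrypt
 set transform-set vpn
 set pfs group2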

!
! Crypto map for the same peer.
! NOTE(review): nothing in this listing applies it to an interface (no
! "crypto map vpn" under the WAN interface) and Tunnel1 is already protected
! by the "encrypt" profile, so as shown this map is unused. Either bind it to
! the WAN interface or drop it to avoid two competing definitions.
crypto map vpn 1 ipsec-isakmp
 description **To Mikrotik Peer**
 set peer 10.10.1.100
 set pfs group2
 set transform-set vpn
 match address mikrotik_peer

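!
! Crypto ACL referenced by "match address mikrotik_peer" in crypto map vpn:
! only IP-in-IP (protocol 4) between the two WAN addresses.
! FIX: the original named the ACL "mikortik_peer" (typo), so the crypto map
! referenced an ACL that did not exist.
ip access-list extended mikrotik_peer
 permit ipinip host 10.10.1.200 host 10.10.1.100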