IPSec VPN with Dynamic Routing / Mikrotik and Cisco

From MikroTik Wiki
Revision as of 10:23, 3 October 2007 by Fatonk (talk | contribs)

UNDER CONSTRUCTION

First, set up the IPIP tunnel interface (an MTU of 1480 leaves room for the 20-byte outer IPv4 header that IPIP adds):

  / interface ipip
  add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.1.200 comment="" disabled=no

Set up the IP addresses for the interfaces (the tunnel uses a /30, so its broadcast address is 172.16.0.3):

  / ip address
  add address=10.10.1.100/24 network=10.10.1.0 broadcast=10.10.1.255 interface=WAN comment="" disabled=no
  add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN comment="" disabled=no
  add address=172.16.0.1/30 network=172.16.0.0 broadcast=172.16.0.3 interface=Tunnel1 comment="" disabled=no

Enable RIP routing over the tunnel (the `set` command is one line):

  / routing rip
  set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
  / routing rip interface
  add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in="" prefix-list-out=""
  / routing rip neighbor
  add address=172.16.0.2
  / routing rip network
  add address=192.168.1.0/24
  add address=172.16.0.1/30

IPSec setup (the proposal is created first because the policy refers to it; the policy protects the IPIP traffic between the two public addresses in transport mode, so sa-dst-address is the Cisco peer 10.10.1.200):

  / ip ipsec proposal
  add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
  / ip ipsec peer
  add address=10.10.1.200 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
  / ip ipsec policy
  add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

Cisco interfaces and addresses:

  interface FastEthernet0/0
   description *** WAN ***
   ip address 10.10.1.200 255.255.255.0
  interface FastEthernet0/1
   description *** LAN ***
   ip address 192.168.2.1 255.255.255.0

Cisco tunnel interface (mirror image of the MikroTik side: source 10.10.1.200, destination 10.10.1.100, IPIP mode, protected by the IPSec profile defined below):

  interface Tunnel1
   description **Cisco Peer**
   ip address 172.16.0.2 255.255.255.252
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip mtu 1480
   ip rip v2-broadcast
   ip tcp adjust-mss 1400
   load-interval 30
   tunnel source 10.10.1.200
   tunnel destination 10.10.1.100
   tunnel mode ipip
   tunnel protection ipsec profile encrypt
   hold-queue 1024 in
   hold-queue 1024 out

RIP routing on the Cisco (the `network` statement is classful, so it must name the tunnel network 172.16.0.0 and the LAN network 192.168.2.0 for RIP to run on those interfaces):

  router rip
   version 2
   timers basic 30 60 90 90
   redistribute connected metric 1 route-map connected-to-rip
   redistribute static metric 5 route-map static-to-rip
   network 172.16.0.0
   network 192.168.2.0
   distribute-list prefix LAN out
   no auto-summary

Set up the prefix-list that matches the local LAN subnet:

  ip prefix-list LAN seq 10 permit 192.168.2.0/24

Set up the route-maps (the connected route-map matches the LAN interface FastEthernet0/1, since the distribute-list only lets 192.168.2.0/24 out anyway):

  route-map connected-to-rip permit 10
   match interface FastEthernet0/1
  !
  route-map static-to-rip permit 10
   match ip address prefix-list LAN

IPSec and crypto setup on the Cisco. The transform-set (3DES, MD5-HMAC, transport mode) and the PFS group 2 match the MikroTik proposal above. Note that the pre-shared key is defined with the wildcard `address 0.0.0.0 0.0.0.0`, so it is offered to any peer address; binding it with `address 10.10.1.100` limits it to the MikroTik peer.

  crypto ipsec security-association idle-time 600
  !
  crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
  !
  crypto ipsec transform-set vpn esp-3des esp-md5-hmac
   mode transport
  !
  crypto ipsec profile encrypt
   set transform-set vpn
  !
  crypto map vpn 1 ipsec-isakmp
   description **To Mikrotik Peer**
   set peer 10.10.1.100
   set transform-set vpn
   set pfs group2
   match address mikrotik_peer
  !

Set up the access-list that matches the IPIP traffic between the two peers (the name must match the `match address mikrotik_peer` line in the crypto map):

  ip access-list extended mikrotik_peer
   permit ipinip host 10.10.1.200 host 10.10.1.100
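
As an added consistency check (not part of the original page or of either vendor's tooling), the following Python script cross-checks the values from the two sides above: mirrored tunnel endpoints, matching policy and SA addresses, transport mode on both ends, the 3DES/MD5/group 2 proposal, the MTU and the shared /30 tunnel subnet. The RouterOS-to-IOS algorithm-name tables are an assumption, and a wrong sa-dst-address is the kind of slip it reports.

```python
"""Cross-check the MikroTik and Cisco halves of the IPIP-over-IPsec tunnel.
The two dicts are transcribed from this page; the name-mapping tables are an
assumption about how RouterOS and IOS spell the same algorithms."""
import ipaddress

ENC = {"3des": "esp-3des", "aes-128-cbc": "esp-aes"}      # RouterOS -> IOS
AUTH = {"md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}
PFS = {"modp1024": "group2", "modp1536": "group5", "none": None}

mikrotik = {  # constructed from the MikroTik side of the page
    "ipip_local": "10.10.1.100", "ipip_remote": "10.10.1.200", "mtu": 1480,
    "tunnel_addr": "172.16.0.1/30", "tunnel_mode": False,
    "policy_src": "10.10.1.100", "policy_dst": "10.10.1.200",
    "sa_src": "10.10.1.100", "sa_dst": "10.10.1.200",
    "peer": "10.10.1.200", "enc": "3des", "auth": "md5", "pfs": "modp1024",
}
cisco = {  # constructed from the Cisco side of the page
    "tunnel_source": "10.10.1.200", "tunnel_destination": "10.10.1.100",
    "tunnel_addr": "172.16.0.2/30", "ip_mtu": 1480, "transport_mode": True,
    "transform": "esp-3des esp-md5-hmac", "pfs": "group2", "set_peer": "10.10.1.100",
}

def check_tunnel(mt, c):
    """Return the list of mismatches between the two endpoints ([] means consistent)."""
    problems = []
    # Outer endpoints must be mirrored: my local address is the peer's destination.
    if mt["ipip_local"] != c["tunnel_destination"] or mt["ipip_remote"] != c["tunnel_source"]:
        problems.append("ipip endpoints are not mirrored")
    # The policy selector and the SA addresses must describe the same host pair.
    if (mt["policy_src"], mt["policy_dst"]) != (mt["sa_src"], mt["sa_dst"]):
        problems.append("policy selector and sa-src/sa-dst addresses disagree")
    if mt["peer"] != c["tunnel_source"] or c["set_peer"] != mt["ipip_local"]:
        problems.append("IKE peers do not point at each other")
    # Transport mode on both sides: ESP wraps the IPIP payload behind the outer header.
    if mt["tunnel_mode"] or not c["transport_mode"]:
        problems.append("IPsec mode differs (transport expected on both sides)")
    expected = f"{ENC[mt['enc']]} {AUTH[mt['auth']]}"
    if c["transform"] != expected:
        problems.append(f"transform-set {c['transform']!r} != proposal {expected!r}")
    if PFS[mt["pfs"]] != c["pfs"]:
        problems.append("PFS group differs")
    if mt["mtu"] != c["ip_mtu"]:
        problems.append("tunnel MTU differs")
    a, b = (ipaddress.ip_interface(x) for x in (mt["tunnel_addr"], c["tunnel_addr"]))
    if a.network != b.network or a.ip == b.ip:
        problems.append("tunnel addresses are not two distinct hosts of one subnet")
    return problems
```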


- Faton -