IPSec VPN with Dynamic Routing / Mikrotik and Cisco

From MikroTik Wiki
Revision as of 09:40, 31 October 2007 by Normis (talk | contribs)

This example shows how to set up an IPSec VPN that uses a dynamic routing protocol (RIP); another routing protocol can be used instead. The example is a setup between a MikroTik and a Cisco router, but it can also be done between two MikroTik routers; to make it more colourful I decided to use MikroTik and Cisco. Below are the steps to complete the configuration of an IPSec VPN with dynamic routing.

First, configure the IPIP tunnel interface between the two routers' WAN addresses:

   / interface ipip 
   add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.1.200 comment="" disabled=no

Once the interfaces are configured, assign IP addresses to them (WAN, LAN and the tunnel):

   / ip address
   add address=10.10.1.100/24 network=10.10.1.0 broadcast=10.10.1.255 interface=WAN comment="" disabled=no 
   add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN comment="" disabled=no 
   add address=172.16.0.1/30 network=172.16.0.0 broadcast=172.16.0.3 interface=Tunnel1 comment="" disabled=no

Enable dynamic routing on the MikroTik router, in this case RIP, and run it only on the tunnel interface:

  / routing rip
  set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
  / routing rip interface
  add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in="" prefix-list-out=""
  / routing rip neighbor
  add address=172.16.0.2
  / routing rip network
  add address=192.168.1.0/24
  add address=172.16.0.0/30

IPSec setup: define the IPSec policy, peer and proposal. Make sure the policy does not have the tunnel option enabled (tunnel=no), because IPSec is used here in transport mode to protect the IPIP tunnel traffic between the two WAN addresses, not in tunnel mode:

  / ip ipsec policy
  add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 proposal=IPSec manual-sa=none dont-fragment=clear disabled=no
  / ip ipsec peer
  add address=10.10.1.200 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
  / ip ipsec proposal
  add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no

Cisco interfaces and addresses:

  interface FastEthernet0/0
   description *** WAN ***
   ip address 10.10.1.200 255.255.255.0
  interface FastEthernet0/1
   description *** LAN ***
   ip address 192.168.2.1 255.255.255.0

Cisco tunnel interface:

  interface Tunnel1
   description **Cisco Peer**
   ip address 172.16.0.2 255.255.255.252
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip mtu 1480
   ip rip v2-broadcast
   ip tcp adjust-mss 1400
   load-interval 30
   tunnel source 10.10.1.200
   tunnel destination 10.10.1.100
   tunnel mode ipip
   tunnel protection ipsec profile encrypt
   hold-queue 1024 in
   hold-queue 1024 out

Routing in Cisco:

  router rip
   version 2
   timers basic 30 60 90 90
   redistribute connected metric 1 route-map connected-to-rip
   redistribute static metric 5 route-map static-to-rip
   network 192.168.0.0
   distribute-list prefix LAN out
   no auto-summary

Set up the prefix-list that matches the local subnet:

  ip prefix-list LAN seq 10 permit 192.168.2.0/24

Set up the route-maps that select what RIP redistributes:

  route-map connected-to-rip permit 10
   match interface FastEthernet0/0
  !
  route-map static-to-rip permit 10
   match ip address prefix-list LAN

IPSec and crypto setup in Cisco; transport mode of IPSec must be set here as well, in the transform-set used by the IPSec profile:

  crypto ipsec security-association idle-time 600
  !
  crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
  !
  crypto ipsec transform-set vpn esp-3des esp-md5-hmac
   mode transport
  !
  crypto ipsec profile encrypt
   set transform-set vpn
  !
  crypto map vpn 1 ipsec-isakmp
   description **To Mikrotik Peer**
   set peer 10.10.1.100
   set transform-set vpn
   set pfs group2
   match address mikrotik_peer
  !

Set up the access-list that matches the IPIP traffic between the two IPSec peers (its name must be the one referenced by the match address statement of the crypto map):

  ip access-list extended mikrotik_peer
   permit ipinip host 10.10.1.200 host 10.10.1.100

This example can also be implemented with another routing protocol such as OSPF, and a failover connection can be added very simply. For failover, all that is needed is to create another set of tunnels via another ISP or gateway, again terminating on the same remote router. Instead of the routing protocol, the second set of tunnels uses static routes, which must have a higher distance than the dynamic protocol. The idea is that when the primary link goes down (dynamic routing, distance=120) the backup link becomes active (static routes, distance=200), and as soon as the primary link comes back up the failover link becomes inactive again.
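As an added example (not part of the original page), the MikroTik side of the failover described above: a second IPIP tunnel over a backup ISP to the same Cisco peer, protected by its own transport-mode IPSec policy, and a static route to the remote LAN with distance 200 so it is only installed while the RIP route (distance 120) is absent. The interface name WAN2, the backup WAN addresses 10.20.1.100 and 10.20.1.200 and the tunnel subnet 172.16.0.4/30 are assumed values chosen for this example.

```routeros
# Second IPIP tunnel over the backup ISP (WAN2 and all 10.20.1.x / 172.16.0.4/30 addresses are assumed)
/ interface ipip
add name="Tunnel2" mtu=1480 local-address=10.20.1.100 remote-address=10.20.1.200 disabled=no
/ ip address
add address=10.20.1.100/24 interface=WAN2 disabled=no
add address=172.16.0.5/30 interface=Tunnel2 disabled=no

# Transport-mode IPSec between the two backup WAN addresses, mirroring the primary policy;
# the sa-src/sa-dst pair must match the policy's src/dst addresses, as on the primary tunnel
/ ip ipsec policy
add src-address=10.20.1.100/32:any dst-address=10.20.1.200/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=10.20.1.100 sa-dst-address=10.20.1.200 proposal=IPSec disabled=no
/ ip ipsec peer
add address=10.20.1.200 secret="ipsec" exchange-mode=main proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d disabled=no

# Backup route to the remote LAN. distance=200 loses to the RIP route (distance 120) while the
# primary tunnel is up and becomes active once RIP withdraws its route (after timeout-timer=3m).
# check-gateway=ping also removes the backup route if the far end of Tunnel2 stops answering.
/ ip route
add dst-address=192.168.2.0/24 gateway=172.16.0.6 distance=200 check-gateway=ping comment="failover via Tunnel2"

# Verify which path is active: normally the RIP route via 172.16.0.2 (distance 120) is the one in use
/ ip route print where dst-address=192.168.2.0/24
```

The Cisco side needs the matching Tunnel2 interface (source 10.20.1.200, destination 10.20.1.100, same IPSec profile) and a static route back to 192.168.1.0/24 with an administrative distance above RIP's 120, e.g. ip route 192.168.1.0 255.255.255.0 172.16.0.5 200.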