Difference between revisions of "Manual:IP/IPsec"

From MikroTik Wiki
Jump to navigation Jump to search
m (Protected "IPsec": will be in manual [edit=sysop:move=sysop])
 
m (revert vandalism)
Line 18: Line 18:
!
!
isakmp enable outside
isakmp enable outside
isakmp key gsdhg%#@
isakmp key gsdhg%#@&$*&#$U782GY#JG#HJ1231 address 10.11.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
</pre>
* On MikroTik router:
<pre>
/ip ipsec peer add secret="gsdhg%#@&$*&#$U782GY#JG#HJ1231" address=10.11.0.2/32 \
\... enc-algorithm=3des hash-algorithm=sha1 dh-group=modp1024 lifetime=1d
/ip ipsec proposal add auth-algorithms=sha1 enc-algorithm=3des lifetime=1d
/ip ipsec policy add src-address 192.168.1.0/24 dst-address=192.168.0.0/24 \
\... sa-src-address=10.0.0.1 sa-dst-address=10.11.0.2 ipsec-protocols=esp action=encrypt level=require tunnel=yes</pre>

Revision as of 08:12, 19 February 2008

IPsec between MikroTik and Cisco PIX in tunnel mode

  • On Cisco PIX firewall:
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
!
sysopt connection permit-ipsec
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac 
!
crypto map MyMap 1 ipsec-isakmp
crypto map MyMap 1 match address 101
crypto map MyMap 1 set peer 10.11.0.2
crypto map MyMap 1 set transform-set MySet
crypto map MyMap 10 set security-association lifetime seconds 86400
crypto map MyMap interface outside
!
isakmp enable outside
isakmp key gsdhg%#@&$*&#$U782GY#JG#HJ1231 address 10.11.0.2 netmask 255.255.255.255 
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
  • On MikroTik router:
/ip ipsec peer add secret="gsdhg%#@&$*&#$U782GY#JG#HJ1231" address=10.11.0.2/32 \
\... enc-algorithm=3des hash-algorithm=sha1 dh-group=modp1024 lifetime=1d
/ip ipsec proposal add auth-algorithms=sha1 enc-algorithm=3des lifetime=1d
/ip ipsec policy add src-address 192.168.1.0/24 dst-address=192.168.0.0/24 \
\... sa-src-address=10.0.0.1 sa-dst-address=10.11.0.2 ipsec-protocols=esp action=encrypt level=require tunnel=yes