MikroTik router to CISCO PIX Firewall IPSEC
Contents
How to interconnect two networks with IPSec between Mikrotik ROS and Cisco PIX
This example shows how to interconnect remote offices uses IPSec VPN between Mikrotik RouterOS device and Cisco PIX Firewall or Cisco Router, running Cisco IOS. Also I show you how to provide Internet access for network using masquerade/PAT on Mikrotik RouterOS, Cisco PIX Firewall and Cisco Router, running Cisco IOS. Network topology is shown below. We would like to interconnect networks 172.22.1.1/24 and 172.22.2.1/24 using corresponding public addresses 1.0.0.2 and 2.0.0.2. Assume 1.0.0.1 is default gateway for router, running Mikrotik RouterOS and 2.0.0.1 is default gateway for router running Cisco IOS or Cisco PIX Firewall, running Cisco PIX OS. This configuration tested and works well with Mikrotik RouterOS 3.20, Cisco IOS 12.4(21) and 12.3(26) advanced security features set with encryption and PIX OS 6.3(5).
Configuration of router running Mikrotik RouterOS
This configuration is simple and very similar to official 3.0 ipsec manual page
Mikrotik Router
Add addresses on interfaces
[admin@Mikrotik] > ip address add \ address=1.0.0.2/30 broadcast=1.0.0.3 disabled=no \ interface=public network=1.0.0.0 [admin@Mikrotik] > ip address add \ address=172.22.1.1/24 broadcast=172.22.1.255 disabled=no \ interface=inside network=172.22.1.0
Add ip routes
[admin@Mikrotik] > ip route add \ disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 \ scope=30 target-scope=10
Add accept and masquerading rules in SRC-NAT
[admin@Mikrotik] > ip firewall nat add \ chain=srcnat \ src-address=172.22.1.0/24 \ dst-address=172.22.2.0/24 action=accept [admin@Mikrotik] > ip firewall nat add \ chain=srcnat out-interface=public action=masquerade
Add peer (with phase1 configuration parameters), DES and SHA1 will be used to protect IKE traffic
for MikroTik router
[admin@MikroTik] > ip ipsec peer add \ address=2.0.0.2 secret="gvejimezyfopmekun" enc-algorithm=des
Set encryption proposal (phase2 proposal - settings that will be used to encrypt actual data) to use DES to encrypt data
for MikroTik router
[admin@MikroTik] > ip ipsec proposal set default enc-algorithms=des auth-algorithms=md5
Add policy rule that matches traffic between subnets and requires encryption with ESP in tunnel mode
for MikroTik router
[admin@MikroTik] > ip ipsec policy add \ src-address=172.22.1.0/24 \ dst-address=172.22.2.0/24 \ action=encrypt \ tunnel=yes sa-src=1.0.0.2 sa-dst=2.0.0.2
Add firewall rules to permit VPN traffic and private traffic
[admin@Mikrotik] >ip firewall add \ action=accept chain=input disabled=no protocol=ipsec-esp src-address=2.0.0.2 [admin@Mikrotik] >ip firewall add \ action=accept chain=customer disabled=no dst-address=172.22.1.0/24 \ in-interface=public out-interface=inside src-address=172.22.2.0/24
Cisco PIX Firewall configuration
I think this configuration is quiet clear because of detailed comments.
Cisco PIX Firewall
PIX Version 6.3(5) nameif ethernet0 outside security0 nameif ethernet1 inside security100 ! !--- Create access list that matches traffic that should be encrypted (traffic to RouterOS device) access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.2.0 255.255.255.0 ! !--- Create access list that matches traffic that should not be NATed (traffic to RouterOS device) access-list nonat permit ip 172.22.2.0 255.255.255.0 172.22.1.0 255.255.255.0 ! !--- Configuring NAT ip address outside 2.0.0.2 255.255.255.252 ip address inside 172.22.2.1 255.255.255.0 ! global (outside) 1 2.0.0.2 ! !--- Do not make NAT for traffic to RouterOS device nat (inside) 0 access-list nonat nat (inside) 1 172.22.2.0 255.255.255.0 0 0 ! route outside 0.0.0.0 0.0.0.0 2.0.0.1 1 ! sysopt connection permit-ipsec ! !--- Create IPsec transform set - transformations that should be applied to !--- traffic - ESP encryption with DES and ESP authentication with SHA1 !--- This must match "/ip ipsec proposal" crypto ipsec transform-set myset esp-des esp-sha-hmac crypto ipsec security-association lifetime seconds 1800 ! !--- Create crypto map that will use transform set "myset", use peer 1.0.0.2 !--- to establish SAs and encapsulate traffic and use access-list myacl to !--- match traffic that should be encrypted crypto map mymap 21 ipsec-isakmp crypto map mymap 21 match address myacl crypto map mymap 21 set peer 1.0.0.2 crypto map mymap 21 set transform-set myset crypto map mymap interface outside ! !--- Configure ISAKMP policy (phase1 config, must match configuration !--- of "/ip ipsec peer" on RouterOS). isakmp enable outside !--- Add preshared key to be used when talking to RouterOS isakmp key gvejimezyfopmekun address 1.0.0.2 netmask 255.255.255.255 isakmp identity address isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 2 : end
Corresponding Cisco Router configuration
This configuration is just for example. You can use Cisco router instead Cisco PIX Firewall.
Cisco Router
!--- Configure ISAKMP policy (phase1 config, must match configuration !--- of "/ip ipsec peer" on RouterOS). Note that DES is default !--- encryption algorithm on Cisco. SHA1 is default authentication !--- algorithm crypto isakmp policy 20 authentication pre-share hash md5 exit ! !--- Add preshared key to be used when talking to RouterOS crypto isakmp key gvejimezyfopmekun address 1.0.0.2 ! ! Create IPsec transform set - transformations that should be applied to ! traffic - ESP encryption with DES and ESP authentication with SHA1 ! This must match "/ip ipsec proposal" crypto ipsec transform-set myset esp-des esp-sha-hmac mode tunnel exit ! ! !--- Create crypto map that will use transform set "myset", use peer 1.0.0.2 !--- to establish SAs and encapsulate traffic and use access-list 101 to !--- match traffic that should be encrypted crypto map mymap 21 ipsec-isakmp set peer 1.0.0.2 set transform-set myset set pfs group2 match address 101 exit ! ! !--- And finally apply crypto map to outside interface interface Ethernet0 ip address 2.0.0.2 255.255.255.252 no ip directed-broadcast ip nat outside crypto map mymap ! interface Ethernet1 ip address 172.22.2.1 255.255.255.0 no ip directed-broadcast ip nat inside ! ! !--- Create NAT pool ip nat pool mypool 2.0.0.2 2.0.0.2 netmask 255.255.255.252 ! !--- Do not make NAT for traffic to RouterOS device ip nat inside source route-map nonat pool mypool overload ip classless ip route 0.0.0.0 0.0.0.0 2.0.0.1 ! !--- Create access list that matches traffic that should be encrypted (traffic to RouterOS device) access-list 101 permit ip 172.22.2.0 0.0.0.255 172.22.1.0 0.0.0.255 ! !--- Create access list that matches traffic that should not be NATed (traffic to RouterOS device): access-list 102 deny ip 172.22.2.0 0.0.0.255 172.22.1.0 0.0.0.255 access-list 102 permit ip 172.22.2.0 0.0.0.255 any ! !--- Create route-map for traffic that should be NATed route-map nonat permit 10 match ip address 102 ! end
--shados 21:12, 19 February 2009 (EET)