VPN with Virtual Routing and Forwarding / Mikrotik and Cisco

From MikroTik Wiki
Revision as of 07:52, 25 October 2007 by Normis (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

This example shows how to setup an VPN using Virtual Routing and Forwarding (VRF), Virtual Routing and Forwarding (VRF) is a technology used in computer networks that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. In this example you can find setup between Mikrotik and Cisco routers. Below are the steps to complete the configuration.


First should configure a Tunnel Interface on Mikrotik Router1 and Router2

Router1:

  / interface ipip
  add name="tunnel" local-address=218.100.100.29 remote-address=218.100.98.5 comment="" disabled=no

Router2:

  / interface ipip
  add name="tunnel" local-address=218.100.100.30 remote-address=218.100.98.5 comment="" disabled=no

After all interfaces are configured, we should asign IP addresses for interfaces on Router1 and Router2

Router1:

    add address=218.100.100.29/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no 
    add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether1 comment="" disabled=no 
    add address=172.16.1.1/30 network=172.16.1.0 broadcast=172.16.1.3 interface=tunnel comment="" disabled=no

Router2:

    add address=218.100.100.30/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no 
    add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ether1 comment="" disabled=no 
    add address=172.16.1.5/30 network=172.16.1.4 broadcast=172.16.1.7 interface=tunnel comment="" disabled=no


On Cisco router create VRF instance :

   cisco#conf t
   cisco(config)#ip vrf TEST
   cisco(config-vrf)#rd 10:10
   cisco(config-vrf)#end
   

Create interface on Router1 and add to vrf TEST:

   cisco#conf t
   cisco(config)#interface Tunnel 900
   cisco(config-if)#ip vrf forwarding TEST
   cisco(config-if)#description Tunnel_to_Mikrotik_router1
   cisco(config-if)#tunnel destination <IP_Adress_router1>        
   cisco(config-if)#tunnel source Loopback1 
   cisco(config-if)#load-interval 30
   cisco(config-if)#tunnel mode ipip
   cisco(config-if)#tunnel path-mtu-discovery
   cisco(config-if)#ip address 172.16.1.2 255.255.255.0
   cisco(config-if)#end


Create Interface on Router2 and add to vrf TEST:

   cisco#conf t
   cisco(config)#interface Tunnel 901
   cisco(config-if)#ip vrf forwarding TEST
   cisco(config-if)#description Tunnel_to_Mikrotik_router2
   cisco(config-if)#tunnel destination <IP_Adress_router2>        
   cisco(config-if)#tunnel source Loopback1 
   cisco(config-if)#load-interval 30
   cisco(config-if)#tunnel mode ipip
   cisco(config-if)#tunnel path-mtu-discovery
   cisco(config-if)#ip address 172.16.1.6 255.255.255.0
   cisco(config-if)#end

Set up route and some rules on Mikrotik and Cisco

Router1:

    /ip firewall mangle
      add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes 
      in-interface=ether1 src-address=192.168.1.0/24 disabled=no 
    /ip route rule
     add  add routing-mark=tun action=lookup table=tun 
    /ip route 
     add dst-address=192.168.2.0/24 gateway=172.16.1.2 routing-mark=tun

Router2:

     /ip firewall mangle
      add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes 
      in-interface=ether1 src-address=192.168.2.0/24 disabled=no 
    /ip route rule
     add  add routing-mark=tun action=lookup table=tun 
    /ip route 
     add dst-address=192.168.1.0/24 gateway=172.16.1.6 routing-mark=tun     

Cisco Router:

      cisco#conf t
      cisco(config)#ip ro vrf TEST 192.168.1.0 255.255.255.0 Tunnel900
      cisco(config)#ip ro vrf TEST 192.168.2.0 255.255.255.0 Tunnel901
      cisco(config)#end


It can be done vpn directly from Router1 to Router2, but when you have a lot customers with a lot routers and many of them have same address space , this is a great and easy solution.

All adresses are for example only.