MikroTik router behind firewall and subnets to CISCO ASA Firewall IPSEC
THIS IS A WORK IN PROGRESS. IT IS NOT FINISHED YET.
MikroTik router with several subnets, behind a firewall, connected by an IPsec VPN to a Cisco ASA
Other examples on this wiki show how to connect a MikroTik to a Cisco router, but in all of them the Cisco is the gateway and there is only one internal subnet.
In this tutorial the MikroTik has more than one subnet to tunnel through to the Cisco, and the MikroTik itself sits behind a firewall.
First, the network map, which explains the setup better than a few lines of text.
Network Map
Configuration of Mikrotik Router
Add addresses on interfaces
[admin@MikroTik] > ip address add \
  address=172.16.0.1/24 broadcast=172.16.0.255 disabled=no \
  interface=inside network=172.16.0.0
[admin@MikroTik] > ip address add \
  address=192.168.1.1/24 broadcast=192.168.1.255 disabled=no \
  interface=inside network=192.168.1.0
[admin@MikroTik] > ip address add \
  address=192.168.2.1/24 broadcast=192.168.2.255 disabled=no \
  interface=inside network=192.168.2.0
Add default route
[admin@MikroTik] > ip route add \
  disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.2 \
  scope=30 target-scope=10
Add IPSec Peer (Phase 1)
[admin@MikroTik] > ip ipsec peer add \
  address=80.0.0.1/32 local-address=0.0.0.0 passive=no port=500 \
  auth-method=pre-shared-key secret="** IPSEC_password **" \
  generate-policy=no exchange-mode=main send-initial-contact=yes \
  nat-traversal=yes my-id-user-fqdn="70.0.0.1" proposal-check=obey \
  hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
  lifebytes=4608000 dpd-interval=disable-dpd dpd-maximum-failures=5
Add IPsec policy for Phase 2 (the policy references the proposal named Phase2, which must already exist with parameters matching the ASA)
[admin@MikroTik] > ip ipsec policy add \
  src-address=172.16.0.1/32 src-port=any dst-address=10.0.0.0/24 dst-port=any \
  protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes \
  sa-src-address=172.16.0.1 sa-dst-address=80.0.0.1 proposal=Phase2 priority=0
Add a policy rule that matches traffic between the subnets and requires ESP encryption in tunnel mode (MikroTik router)
[admin@MikroTik] > ip ipsec policy add \
  src-address=172.22.1.0/24 \
  dst-address=172.22.2.0/24 \
  action=encrypt \
  tunnel=yes sa-src=1.0.0.2 sa-dst=2.0.0.2
Add firewall rules to permit VPN traffic and private traffic
[admin@MikroTik] > ip firewall filter add \
  action=accept chain=input disabled=no protocol=ipsec-esp src-address=2.0.0.2
[admin@MikroTik] > ip firewall filter add \
  action=accept chain=customer disabled=no dst-address=172.22.1.0/24 \
  in-interface=public out-interface=inside src-address=172.22.2.0/24
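The page writes each policy and firewall rule by hand. As an added example, not part of this wiki page nor of RouterOS itself, the Python script below generates the policy and firewall filter commands for every local/remote subnet pair, refuses overlapping subnets or subnets with host bits set, and flags the Phase 1 algorithms configured above (md5, 3des, modp1024) as deprecated. The local subnets 192.168.1.0/24 and 192.168.2.0/24, the remote subnet 10.0.0.0/24, the sa-src-address 172.16.0.1, the peer 80.0.0.1 and the proposal name Phase2 are taken from the page; the input rule for UDP 500/4500 (IKE and NAT-T) and the forward rules are assumptions made by this example, and the proposal Phase2 is assumed to have been created separately.

```python
# Added example (not from the wiki page or RouterOS): generate and sanity-check
# the MikroTik IPsec policies and firewall filter rules for several local
# subnets behind a NAT firewall, and audit the Phase 1 algorithms for weak choices.
import ipaddress
from itertools import combinations

# Values from the page. Everything else below is an assumption of this example.
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]  # subnets behind the MikroTik
REMOTE_SUBNETS = ["10.0.0.0/24"]                      # subnet behind the Cisco ASA
SA_SRC = "172.16.0.1"   # MikroTik address on the inside of the firewall
SA_DST = "80.0.0.1"     # public address of the ASA (the IPsec peer)
PROPOSAL = "Phase2"     # ip ipsec proposal name, assumed to exist already

# Phase 1 settings used on the page that are no longer considered adequate.
WEAK_PHASE1 = {
    "hash-algorithm": {"md5", "sha1"},
    "enc-algorithm": {"des", "3des"},
    "dh-group": {"modp768", "modp1024"},
}


def check_subnets(local, remote):
    """Parse every subnet strictly (host bits must be zero) and reject overlaps,
    because an overlapping local/remote pair cannot be selected into one tunnel."""
    nets = [ipaddress.ip_network(n, strict=True) for n in local + remote]
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            raise ValueError(f"overlapping subnets: {a} and {b}")
    return nets


def ipsec_policies(local, remote, sa_src, sa_dst, proposal):
    """One 'ip ipsec policy' per local/remote pair, same shape as the page's policy."""
    check_subnets(local, remote)
    return [
        "/ip ipsec policy add "
        f"src-address={l} dst-address={r} protocol=all action=encrypt "
        f"level=unique ipsec-protocols=esp tunnel=yes "
        f"sa-src-address={sa_src} sa-dst-address={sa_dst} proposal={proposal}"
        for l in local
        for r in remote
    ]


def firewall_rules(peer, local, remote):
    """Input rules for IKE/NAT-T and ESP from the peer only, plus forward rules
    that allow the decrypted remote subnet(s) to reach each local subnet."""
    rules = [
        f"/ip firewall filter add chain=input protocol=udp dst-port=500,4500 "
        f"src-address={peer} action=accept",
        f"/ip firewall filter add chain=input protocol=ipsec-esp "
        f"src-address={peer} action=accept",
    ]
    for r in remote:
        for l in local:
            rules.append(
                f"/ip firewall filter add chain=forward src-address={r} "
                f"dst-address={l} action=accept"
            )
    return rules


def audit_phase1(peer_settings):
    """Return one finding per deprecated Phase 1 parameter."""
    return [
        f"{key}={peer_settings[key]} is deprecated"
        for key, weak in WEAK_PHASE1.items()
        if peer_settings.get(key) in weak
    ]


if __name__ == "__main__":
    for cmd in ipsec_policies(LOCAL_SUBNETS, REMOTE_SUBNETS, SA_SRC, SA_DST, PROPOSAL):
        print(cmd)
    for rule in firewall_rules(SA_DST, LOCAL_SUBNETS, REMOTE_SUBNETS):
        print(rule)
    # Phase 1 parameters exactly as configured on the page.
    for finding in audit_phase1({"hash-algorithm": "md5", "enc-algorithm": "3des",
                                 "dh-group": "modp1024"}):
        print("WARNING:", finding)
```

Because the MikroTik is behind a NAT firewall with nat-traversal=yes, the ESP packets from the ASA arrive encapsulated in UDP 4500, so the UDP rule is the one that actually admits the tunnel traffic; the plain ESP rule only matters where no NAT is in the path. Restricting both input rules to src-address of the peer keeps the router from answering IKE from anyone else.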
--User:NetVicious 17:00, 21 May 2014 (CET)
[[Category:VPN]] [[Category:Firewall]]