MikroTik router behind firewall and subnets to CISCO ASA Firewall IPSEC

From MikroTik Wiki

THIS IS A WORK IN PROGRESS. IT IS NOT FINISHED YET

MikroTik router with several subnets behind a firewall: IPsec VPN connection to a Cisco ASA

Other examples on this wiki show how to connect a MikroTik to a Cisco router, but in all of them the Cisco is the gateway and there is only one internal subnet.

In this tutorial the MikroTik has more than one subnet to tunnel through the Cisco, and the MikroTik itself is behind a firewall.

First of all, here is the network map image, which explains the setup better than a few lines of text.

Network Map

Configuration of Mikrotik Router

Add addresses on interfaces

[admin@Mikrotik] > ip address add \
	address=172.16.0.1/24 broadcast=172.16.0.255 disabled=no \
	interface=inside network=172.16.0.0
[admin@Mikrotik] > ip address add \
	address=192.168.1.1/24 broadcast=192.168.1.255 disabled=no \
	interface=inside network=192.168.1.0
[admin@Mikrotik] > ip address add \
	address=192.168.2.1/24 broadcast=192.168.2.255 disabled=no \
	interface=inside network=192.168.2.0

Add default Route

[admin@Mikrotik] > ip route add \
	disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.2 \
	scope=30 target-scope=10

Add IPSec Peer (Phase 1)

The hash algorithm, encryption algorithm and DH group set here must match the ASA's ISAKMP policy; MD5, 3DES and modp1024 are legacy choices, so use AES, SHA and a stronger group if the ASA side allows it.

[admin@Mikrotik] > ip ipsec peer add \
    address=80.0.0.1/32 local-address=0.0.0.0 passive=no port=500 \
    auth-method=pre-shared-key secret="** IPSEC_password **" \
    generate-policy=no exchange-mode=main send-initial-contact=yes \
    nat-traversal=yes my-id-user-fqdn="70.0.0.1" proposal-check=obey \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
    lifebytes=4608000 dpd-interval=disable-dpd dpd-maximum-failures=5 

Add IPSec policy for the router's own address (IPSec Phase 2)

This is a policy, not a proposal: the proposal named Phase2 that it references must exist under ip ipsec proposal with the Phase 2 algorithms agreed with the ASA.

[admin@MikroTik] > ip ipsec policy add \
	src-address=172.16.0.1/32 src-port=any dst-address=10.0.0.0/24 \
	dst-port=any protocol=all action=encrypt level=unique \
	ipsec-protocols=esp tunnel=yes sa-src-address=172.16.0.1 \
	sa-dst-address=80.0.0.1 proposal=Phase2 priority=0


Add policy rules that match traffic between the local subnets and the remote subnet and require encryption with ESP in tunnel mode (one policy per subnet behind the MikroTik)

[admin@MikroTik] > ip ipsec policy add \
	src-address=192.168.1.0/24 \
	dst-address=10.0.0.0/24 \
	action=encrypt tunnel=yes \
	sa-src-address=172.16.0.1 sa-dst-address=80.0.0.1 proposal=Phase2
[admin@MikroTik] > ip ipsec policy add \
	src-address=192.168.2.0/24 \
	dst-address=10.0.0.0/24 \
	action=encrypt tunnel=yes \
	sa-src-address=172.16.0.1 sa-dst-address=80.0.0.1 proposal=Phase2


Add firewall rules to permit VPN traffic and private traffic

Because the MikroTik sits behind a NAT firewall with nat-traversal=yes, IKE (UDP 500) and NAT-T (UDP 4500) from the ASA must also be accepted on the input chain, and the firewall in front of the MikroTik has to forward them to it. The ESP rule below covers the case where the path is not translated; the forward rules accept the decrypted traffic towards each local subnet.

[admin@Mikrotik] > ip firewall filter add \
	action=accept chain=input disabled=no protocol=ipsec-esp src-address=80.0.0.1

[admin@Mikrotik] > ip firewall filter add \
	action=accept chain=forward disabled=no dst-address=192.168.1.0/24 \
	src-address=10.0.0.0/24
[admin@Mikrotik] > ip firewall filter add \
	action=accept chain=forward disabled=no dst-address=192.168.2.0/24 \
	src-address=10.0.0.0/24
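As an added example (not part of the wiki page), a small Python helper that derives every Phase 2 policy and firewall rule from one description of the topology above, and audits existing policy lines against the peer definition, which catches the copy-paste mistake of a policy left pointing at a foreign gateway; the function names and the UDP 500/4500 input rule are my own assumptions, and the constructed sample topology reuses the page's addresses.

```python
import ipaddress
import shlex


def render_policies(local_subnets, remote_subnet, local_sa, peer, proposal="Phase2"):
    """One RouterOS Phase 2 policy per local subnet, every one pointing at the
    same SA endpoints (the router's NAT-side address and the ASA's public IP)."""
    remote = ipaddress.ip_network(remote_subnet)
    lines = []
    for net in map(ipaddress.ip_network, local_subnets):
        if net.overlaps(remote):
            # such traffic would be delivered locally and never reach the tunnel
            raise ValueError(f"local {net} overlaps remote {remote}")
        lines.append(
            f"/ip ipsec policy add src-address={net} dst-address={remote} protocol=all "
            f"action=encrypt level=unique ipsec-protocols=esp tunnel=yes "
            f"sa-src-address={local_sa} sa-dst-address={peer} proposal={proposal}"
        )
    return lines


def render_filters(local_subnets, remote_subnet, peer):
    """Input rules for IKE (UDP 500), NAT-T (UDP 4500) and plain ESP from the peer,
    plus forward rules in both directions for each local subnet."""
    lines = [
        f"/ip firewall filter add chain=input action=accept protocol=udp "
        f"dst-port=500,4500 src-address={peer}",
        f"/ip firewall filter add chain=input action=accept protocol=ipsec-esp src-address={peer}",
    ]
    for net in local_subnets:
        for src, dst in ((remote_subnet, net), (net, remote_subnet)):
            lines.append(f"/ip firewall filter add chain=forward action=accept "
                         f"src-address={src} dst-address={dst}")
    return lines


def audit_policies(lines, local_sa, peer):
    """Return policy lines whose SA endpoints disagree with the peer definition,
    i.e. blocks pasted from another example and still pointing at a foreign gateway."""
    bad = []
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
        if kv.get("sa-src-address") != local_sa or kv.get("sa-dst-address") != peer:
            bad.append(line)
    return bad


if __name__ == "__main__":  # constructed topology from the page: two LANs, ASA side 10.0.0.0/24
    lans = ["192.168.1.0/24", "192.168.2.0/24"]
    print("\n".join(render_policies(lans, "10.0.0.0/24", "172.16.0.1", "80.0.0.1")
                    + render_filters(lans, "10.0.0.0/24", "80.0.0.1")))
```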

--User:NetVicious 17:00, 21 May 2014 (CET)
