Mikrotik To Cisco ASA IPsec VPN


Mikrotik to Cisco ASA IPsec VPN

Posted on October 1, 2012 By Nikola Stojanoski

We needed to set up an IPsec VPN for a client whose remote location already had a Cisco ASA, so here is a Mikrotik to Cisco ASA IPsec howto.

Tutorial Scenario

Cisco ASA site

- WAN: 1.1.1.2/30 (outside)
- LAN: 192.168.2.1/24 (inside)

Mikrotik site

- WAN: 1.1.1.1/30 (ether1)
- LAN: 192.168.1.1/24 (ether2)

Cisco ASA to Mikrotik configuration

- Launch the VPN configuration wizard on your Cisco ASA
- Set the VPN Tunnel Type to Site-to-Site
- Set the Remote Peer IP Address to 1.1.1.1 (the Mikrotik WAN address) and the Pre-shared key. The Tunnel Group Name should also be the Remote Peer IP Address.
- Set the IKE Policy Encryption to 3DES, Authentication to MD5 and DH Group to 2
- Set the IPsec Encryption to 3DES and Authentication to MD5
- Set the Local and Remote Networks
- Don't forget to set the IKE Parameters to Identity: Address to avoid connection problems

Mikrotik to Cisco ASA configuration

- Create a new policy
- Create a new peer
- Modify the default proposal to accept MD5 as the authentication algorithm
- Create a NAT rule that accepts the traffic that should go through the tunnel, so it is not masqueraded
- Move the rule to the top

Now you can connect your branch offices using Mikrotik routers even if you have Cisco ASAs installed at the other locations.

Setting Mikrotik as IPSec Concentrator

Posted on October 13, 2012 By Nikola Stojanoski

This tutorial is on setting up Mikrotik as an IPSec concentrator. Road-warriors will be able to establish a secure IPSec connection using the ShrewSoft VPN client.

Setting Mikrotik IPSec parameters

Since road-warriors will connect from different locations, we need to set up a peer with address 0.0.0.0/0 and let it generate the policy automatically:

/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key exchange-mode=main \
    secret=123456 hash-algorithm=md5 enc-algorithm=3des generate-policy=yes

Make sure that the default proposal has the authentication algorithm sha1 and the encryption algorithm 3des.

Setting ShrewSoft VPN Client

- Put the Mikrotik router's public IP address in Remote Host and change the Local Host to "Use existing adapter and current address"
- Disable NAT Traversal and IKE Fragmentation if you are not using NAT Traversal
- If you need WINS and local DNS, enter them manually; otherwise disable these parameters
- Under Authentication set the Authentication Method to Mutual PSK, the Local Identity to IP Address and put the secret in Credentials -> Pre Shared Key
- Set the Phase 1 parameters to match the Mikrotik peer configuration: main, group2, 3des, md5, 86400
- Set the Phase 2 parameters to match the Mikrotik default proposal: esp-3des, sha1, group2, and change the Key Life Time limit to 1800 because the lifetime in the Mikrotik default proposal is 00:30:00
- Finally, add the local network (10.20.30.0/24) that we want to route through the IPSec VPN connection

That's it! You have your $50 IPSec VPN concentrator without the need to buy additional licences or expensive routers.

Site-to-Site IPSec VPN using Mikrotik Routers

Posted on September 18, 2012 By Nikola Stojanoski

Some time ago I had a client that needed Site-to-Site IPSec VPN connections between 5 locations but was not ready to pay for Cisco routers.

The solution was simple: I was going to build a Mikrotik site-to-site VPN with my favourite cheap but reliable routers, Mikrotik.

They didn't have any special requirements: at the main location they had a server with an application, and at the other locations they had a few PCs that needed to contact the database on that server. I purchased 5 RB751G-2HnD routers and applied this configuration.
Create a list of addresses that will have full access to the router

/ip firewall address-list
add list=remote_access address=10.44.11.0/24 comment="Location 1" disabled=no
add list=remote_access address=10.44.12.0/24 comment="Location 2" disabled=no
add list=remote_access address=1.1.1.1/32 comment="Public IP From Location 1" disabled=no
add list=remote_access address=2.2.2.2/32 comment="Public IP From Location 2" disabled=no
add list=remote_access address=Public_IP/32 comment="My Public IP for Remote Control" disabled=no

Create rules to restrict unwanted traffic

/ip firewall filter
add chain=input connection-state=established comment="Accept established connections" disabled=no
add chain=input connection-state=related comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input src-address-list=remote_access action=accept comment="Allow access to router from known network" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no

Now let's jump into the Site-to-Site IPSec VPN rules

These rules are needed to keep the traffic for the remote site from being sent out of the WAN interface in the clear and to route it through the VPN connection instead:

# Router 1 - Router 2

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.44.12.0/24 dst-port=any ipsec-protocols=esp \
    level=require priority=0 proposal=default protocol=all sa-dst-address=2.2.2.2 \
    sa-src-address=1.1.1.1 src-address=10.44.11.0/24 src-port=any tunnel=yes \
    comment="IPSec VPN Skopje-Tabanovce"

/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
    dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" \
    nat-traversal=no port=500 proposal-check=obey secret=Sp3d1c1jaVPN send-initial-contact=yes \
    comment="IPSec VPN Skopje-Tabanovce"

/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN Skopje-Kumanovo" disabled=no \
    dst-address=10.44.12.0/24 src-address=10.44.11.0/24

# Router 2 - Router 1

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.44.11.0/24 dst-port=any ipsec-protocols=esp \
    level=require priority=0 proposal=default protocol=all sa-dst-address=1.1.1.1 \
    sa-src-address=2.2.2.2 src-address=10.44.12.0/24 src-port=any tunnel=yes \
    comment="IPSec VPN Skopje-Tabanovce"

/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
    dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" \
    nat-traversal=no port=500 proposal-check=obey secret=Sp3d1c1jaVPN send-initial-contact=yes \
    comment="IPSec VPN Skopje-Tabanovce"

/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN Skopje-Tabanovce" disabled=no \
    dst-address=10.44.11.0/24 src-address=10.44.12.0/24

More on Mikrotik IPsec: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
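The two router snippets above have to be exact mirror images of each other (subnets and SA endpoints swapped, each peer address equal to the other side's SA address), and the srcnat accept rule must come before any masquerade rule, which is what the "move the rule to the top" step in the ASA tutorial is about. The following Python example is added here and is not part of the original post: it parses RouterOS-style lines with its own small parser (not a RouterOS API), checks those properties, and reports where the two sides disagree. The config lines are constructed from the post's Router 1 / Router 2 snippets with the pre-shared key replaced by a placeholder.

```python
"""Added example (not part of the original post): check that two RouterOS
site-to-site IPsec configurations mirror each other and that the srcnat
accept rule for tunnel traffic sits above any masquerade rule.  The parser and
checks are this example's own, not a RouterOS API; the config lines are
constructed from the post's snippets with the pre-shared key replaced."""
import ipaddress
import re


def parse_args(line):
    """Turn a RouterOS 'add key=value key2="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}


def host(addr):
    """'2.2.2.2/32' or '2.2.2.2' -> '2.2.2.2'."""
    return str(ipaddress.ip_interface(addr).ip)


def check_nat_bypass(name, nat_rules, policy):
    """Walk srcnat rules top-down; the first rule covering the tunnel subnets must be 'accept'."""
    want_src = ipaddress.ip_network(policy["src-address"])
    want_dst = ipaddress.ip_network(policy["dst-address"])
    for idx, line in enumerate(nat_rules):
        rule = parse_args(line)
        if rule.get("chain") != "srcnat":
            continue
        src = ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0"))
        dst = ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0"))
        if not (want_src.subnet_of(src) and want_dst.subnet_of(dst)):
            continue
        if rule.get("action") == "accept":
            return []
        return [f"{name}: srcnat rule {idx} ({rule.get('action')}) rewrites tunnel traffic before the accept rule"]
    return [f"{name}: no srcnat accept rule for {want_src} -> {want_dst}"]


def check_site_to_site(site_a, site_b):
    """Return a list of problems; an empty list means the two sides are consistent."""
    problems = []
    pa, pb = parse_args(site_a["policy"]), parse_args(site_b["policy"])
    if (pa["src-address"], pa["dst-address"]) != (pb["dst-address"], pb["src-address"]):
        problems.append("policy subnets are not mirrored")
    if (pa["sa-src-address"], pa["sa-dst-address"]) != (pb["sa-dst-address"], pb["sa-src-address"]):
        problems.append("SA endpoints are not mirrored")
    for name, site, pol in (("A", site_a, pa), ("B", site_b, pb)):
        peer = parse_args(site["peer"])
        if host(peer["address"]) != pol["sa-dst-address"]:
            problems.append(f"{name}: peer address {peer['address']} != policy sa-dst-address {pol['sa-dst-address']}")
        if pol.get("action") != "encrypt" or pol.get("tunnel") != "yes":
            problems.append(f"{name}: policy must be action=encrypt tunnel=yes")
        problems.extend(check_nat_bypass(name, site["nat"], pol))
    return problems


# Constructed from the post's Router 1 / Router 2 snippets (secret replaced by a placeholder).
SITE_A = {
    "policy": 'add action=encrypt disabled=no dst-address=10.44.12.0/24 dst-port=any ipsec-protocols=esp '
              'level=require priority=0 proposal=default protocol=all sa-dst-address=2.2.2.2 '
              'sa-src-address=1.1.1.1 src-address=10.44.11.0/24 src-port=any tunnel=yes comment="IPSec VPN A-B"',
    "peer": 'add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=3des '
            'exchange-mode=main generate-policy=no hash-algorithm=sha1 secret=PLACEHOLDER_PSK',
    "nat": [
        'add action=accept chain=srcnat dst-address=10.44.12.0/24 src-address=10.44.11.0/24',
        'add action=masquerade chain=srcnat out-interface=ether1 src-address=10.44.11.0/24',
    ],
}
SITE_B = {
    "policy": 'add action=encrypt disabled=no dst-address=10.44.11.0/24 dst-port=any ipsec-protocols=esp '
              'level=require priority=0 proposal=default protocol=all sa-dst-address=1.1.1.1 '
              'sa-src-address=2.2.2.2 src-address=10.44.12.0/24 src-port=any tunnel=yes comment="IPSec VPN A-B"',
    "peer": 'add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=3des '
            'exchange-mode=main generate-policy=no hash-algorithm=sha1 secret=PLACEHOLDER_PSK',
    "nat": [
        'add action=accept chain=srcnat dst-address=10.44.11.0/24 src-address=10.44.12.0/24',
        'add action=masquerade chain=srcnat out-interface=ether1 src-address=10.44.12.0/24',
    ],
}
# Same as SITE_B but with the masquerade rule above the accept rule: the ordering mistake to catch.
SITE_B_WRONG_ORDER = dict(SITE_B, nat=list(reversed(SITE_B["nat"])))

if __name__ == "__main__":
    print("correct:", check_site_to_site(SITE_A, SITE_B) or "OK")
    print("wrong order:", check_site_to_site(SITE_A, SITE_B_WRONG_ORDER))
```

The NAT check deliberately stops at the first srcnat rule that covers the tunnel subnets, because that is how RouterOS evaluates the chain: a masquerade rule above the accept rule rewrites the source address before the IPsec policy ever sees the packet, and the policy then no longer matches.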


Configuring Cisco Site To Site IPSec VPN With Dynamic IP Endpoint Cisco Routers

This article serves as an extension to our popular Cisco VPN topics covered here on Firewall.cx. While we've covered Site to Site IPSec VPN Tunnel Between Cisco Routers (using static public IP addresses), we will now take a look at how to configure our headquarter Cisco router to support remote Cisco routers with dynamic IP addresses. One important note to keep in mind with this implementation is that Site-to-Site VPN networks with dynamic remote public IP addresses can only be brought up by the remote site routers, as only they are aware of the headquarter router's public IP address.

IPSec VPN tunnels can also be configured using GRE (Generic Routing Encapsulation) tunnels with IPsec encryption. GRE tunnels greatly simplify the configuration and administration of VPN tunnels and are covered in our Configuring Point-to-Point GRE VPN Tunnels article. Lastly, DMVPNs, a newer VPN technology that provides outstanding flexibility with almost no administration overhead, can be examined by reading our Understanding Cisco Dynamic Multipoint VPN (DMVPN), Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures and Configuring Cisco Dynamic Multipoint VPN (DMVPN) - Hub, Spokes, mGRE Protection and Routing - DMVPN Configuration articles.

ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential
to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange),
is the negotiation protocol that allows two hosts to agree on how to build an IPsec security
association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.

Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2
creates the tunnel that protects data. IPSec then comes into play to encrypt the data using
encryption algorithms and provides authentication, encryption and anti-replay services.

IPSec VPN Requirements


To help make this an easy-to-follow exercise, we have split it into two required steps to get the
Site-to-Site IPSec Dynamic IP Endpoint VPN Tunnel to work.

These steps are:

(1) Configure ISAKMP (ISAKMP Phase 1)

(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)


Our example setup consists of the headquarter router R1 which is assigned a static public IP
address, and two remote routers, R2 & R3. Both remote routers (R2 & R3) connect to the
Internet and have a dynamic public IP address assigned by the ISP, as shown in the diagram
below:

Our headquarters is assigned an internal network of 10.10.10.0/24, while Remote Site 1 has been assigned network 20.20.20.0/24 and Remote Site 2 network 30.30.30.0/24. The goal is to securely connect both remote sites with our headquarters and allow full communication, without any restrictions.

Configure ISAKMP (IKE) - (ISAKMP Phase 1)


IKE exists only to establish SAs (Security Association) for IPsec. Before it can do this, IKE must
negotiate an SA (an ISAKMP SA) relationship with the peer.

To begin, we’ll start working on the Headquarter router (R1).

First step is to configure an ISAKMP Phase 1 policy:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400

The above commands define the following (in listed order):

- 3DES - The encryption method to be used for Phase 1.
- MD5 - The hashing algorithm
- Pre-share - Use a pre-shared key as the authentication method
- Group 2 - Diffie-Hellman group to be used
- 86400 - Session key lifetime, expressed in either kilobytes (after x amount of traffic, change the key) or seconds. The value set is the default value.

We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have
five different remote sites and configured five different ISAKMP Phase 1 policies (one for each
remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five
policies and use the first match that is accepted by both ends. Since we only have one ISAKMP
policy, this will be used for all remote VPN routers.

Next we are going to define a pre-shared key for authentication with our peers (R2 & R3 routers)
by using the following command:

crypto isakmp key firewallcx address 0.0.0.0 0.0.0.0

The peers' pre-shared key is set to firewallcx. Note that we are defining a remote public IP address of 0.0.0.0 0.0.0.0. This tells our headquarter router that the remote routers have dynamic public IP addresses and ensures it will try to negotiate and establish a VPN tunnel with any router that requests it.

Configure IPSec
To configure IPSec we need to set up the following in order:

- Create extended ACL
- Create IPSec Transform
- Create Dynamic Crypto Maps
- Apply crypto map to the public interface

Let us examine each of the above steps.


Creating Extended ACL
Next step is to create an access-list and define the traffic we would like the router to pass through
each VPN tunnel. In this example, for the first VPN tunnel it would be traffic from headquarters
(10.10.10.0/24) to remote site 1 (20.20.20.0/24) and for the second VPN tunnel it will be from
our headquarters (10.10.10.0/24) to remote site 2 (30.30.30.0/24). Access-lists that define VPN
traffic are sometimes called crypto access-list or interesting traffic access-list.

Because we are dealing with two separate VPN tunnels, we’ll need to create one set of access-
lists for each:

ip access-list extended VPN1-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
ip access-list extended VPN2-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255

Create IPSec Transform (ISAKMP Phase 2 Policy)


Now we need to create the transform set used to protect our data. We’ve named our transform
set TS:

crypto ipsec transform-set TS esp-3des esp-md5-hmac

The above command defines the following:

- ESP-3DES - Encryption method
- MD5 - Hashing algorithm

Create Dynamic Crypto Maps


The Crypto Map is the last step of our setup and connects the previously
defined ISAKMP and IPSec configuration together. We will need one dynamic crypto map for
each remote endpoint, which means a total of two crypto maps for our setup.

First we create a crypto map named VPN which will be applied to the public interface of our
headquarter router, and connect it with the dynamic crypto maps we named as hq-vpn.

crypto map VPN 1 ipsec-isakmp dynamic hq-vpn


The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Now we create
our two dynamic crypto maps using the following configuration commands:

crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS
 match address VPN1-TRAFFIC
!
crypto dynamic-map hq-vpn 11
 set security-association lifetime seconds 86400
 set transform-set TS
 match address VPN2-TRAFFIC

Notice how we create one dynamic map for each remote network. The configuration is similar
for each dynamic crypto map, with only the instance number (10 , 11) and match address
(VPN1-TRAFFIC , VPN2-TRAFFIC) changing.

Adding additional remote sites in the future is as easy as simply adding more dynamic crypto
maps, incrementing the index number and specifying the match address extended access-lists for
each remote network.

Apply Crypto Map To The Public Interface


The final step is to apply our crypto map to the public interface of the headquarter router, which
is FastEthernet0/1. In many cases, this might be a serial or ATM (ADSL - Dialer) interface:

interface FastEthernet0/1
crypto map VPN

Note that you can assign only one crypto map to an interface.

As soon as we apply crypto map on the interface, we receive a message from the router that
confirms isakmp is on: “ISAKMP is ON”.

At this point, we have completed the IPSec VPN configuration on our headquarter router and we
can move to the remote endpoint routers.
Configuring Remote Endpoint Routers (Dynamic Public IP Addresses)

Our remote routers connect to the Internet and are assigned a dynamic IP address which is changed periodically by the ISP. For the most part, the configuration is similar to that of the headquarter router, but with a few minor changes.

In the configuration below, IP address 74.200.90.5 represents the public IP address of our
headquarter router.

Remote Site 1 Router

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key firewallcx address 74.200.90.5
!
ip access-list extended VPN-TRAFFIC
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 74.200.90.5
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map vpn-to-hq

Remote Site 2 Router

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key firewallcx address 74.200.90.5
!
ip access-list extended VPN-TRAFFIC
 permit ip 30.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 74.200.90.5
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map vpn-to-hq

It is noticeable that the only major difference between the two routers' configurations is the extended access list.

Network Address Translation (NAT) & IPSec VPN Tunnels
Network Address Translation (NAT) is most likely to be configured to provide Internet access
to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the
router not to perform NAT (deny NAT) on packets destined to the remote VPN networks.

This is easily done by inserting a deny statement at the beginning of the NAT access lists as
shown below:

For the headquarter router, deny NAT for packets destined to the remote VPN networks, but
allow NAT for all other networks (Internet):

ip nat inside source list 100 interface fastethernet0/1 overload
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 remark

For Remote Site 1 Router, deny NAT for packets destined to the headquarter network:

ip nat inside source list 100 interface fastethernet0/1 overload
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 remark

For Remote Site 2 Router, deny NAT for packets destined to the headquarter network:

ip nat inside source list 100 interface fastethernet0/1 overload
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 30.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 30.30.30.0 0.0.0.255 any
access-list 100 remark
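The deny entries only work if they precede the permit, since IOS evaluates an access-list top-down and stops at the first match. The Python example below is added here and is not part of the Firewall.cx article: with its own small parser for Cisco wildcard-mask ACL entries (not a Cisco API), it takes the crypto access-lists and the NAT access-list from the headquarter configuration above and confirms that, for every flow the crypto ACLs select, the first matching NAT entry is a deny. A second, constructed NAT list with the permit entered first shows how the mistake is reported.

```python
"""Added example (not from the Firewall.cx article): verify that a Cisco IOS NAT
access-list exempts every flow that a crypto (interesting-traffic) access-list
selects.  The ACL parser is this example's own; the ACL lines are constructed
from the article's headquarter configuration."""
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Cisco 'address wildcard' pair -> IPv4Network (wildcard 0.0.0.255 means /24)."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_addr(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse a named or numbered 'permit/deny ip SRC DST' entry; None for remarks/others."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:      # numbered form: 'access-list 100 deny ip ...'
        tokens = tokens[2:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return None
    src, i = _take_addr(tokens, 2)
    dst, _ = _take_addr(tokens, i)
    return tokens[0], src, dst


def check_nat_exemption(crypto_acls, nat_acl):
    """For each crypto permit, the first matching NAT entry (top-down) must be a deny."""
    nat_entries = []
    for idx, line in enumerate(nat_acl):
        ace = parse_ace(line)
        if ace:
            nat_entries.append((idx, ace))
    problems = []
    for name, lines in crypto_acls.items():
        for line in lines:
            ace = parse_ace(line)
            if ace is None or ace[0] != "permit":
                continue
            _, src, dst = ace
            for idx, (action, nat_src, nat_dst) in nat_entries:
                if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):
                    if action == "permit":
                        problems.append(f"{name}: {src} -> {dst} hits NAT permit at entry {idx}; a deny must come first")
                    break   # first match decides, exactly as on the router
            # no match at all means the implicit deny applies and the flow is not translated
    return problems


# Constructed from the article's headquarter router configuration.
CRYPTO_ACLS = {
    "VPN1-TRAFFIC": ["permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255"],
    "VPN2-TRAFFIC": ["permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255"],
}
NAT_ACL_OK = [
    "access-list 100 remark -=[Define NAT Service]=-",
    "access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255",
    "access-list 100 deny ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255",
    "access-list 100 permit ip 10.10.10.0 0.0.0.255 any",
]
# Constructed mistake: the permit was entered first and the second deny forgotten.
NAT_ACL_BAD = [
    "access-list 100 remark -=[Define NAT Service]=-",
    "access-list 100 permit ip 10.10.10.0 0.0.0.255 any",
    "access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255",
]

if __name__ == "__main__":
    print("ok list:", check_nat_exemption(CRYPTO_ACLS, NAT_ACL_OK) or "no problems")
    print("bad list:", check_nat_exemption(CRYPTO_ACLS, NAT_ACL_BAD))
```

The wildcard conversion inverts the mask itself rather than relying on a library to guess, because 0.0.0.0 and 255.255.255.255 are ambiguous between netmask and hostmask readings, and a wildcard of 0.0.0.0 must become a /32.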

Bringing Up & Verifying The VPN Tunnel


At this point, we’ve completed our configuration and the VPN Tunnel is ready to be brought up.
To initiate the VPN Tunnel, we need to force one packet to traverse the VPN and this can be
achieved by pinging from one router to another. There is however one caveat that was
mentioned in the beginning of this article:

Site to Site VPN networks with Dynamic remote Public IP addresses can only be brought up by
the remote sites.

The reason for this is simple and logical. Only the remote site routers are aware of the
headquarter’s public IP address (74.200.90.5) because it is static, and therefore only the remote
router can initiate the VPN tunnel.

From Remote Site 1, let’s ping the headquarter router:


R2# ping 10.10.10.1 source fastethernet0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 73.54.120.100
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 42/46/5

The first ping received a timeout, but the rest received a reply, as expected. The time required to
bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first ping to
timeout.

To verify the VPN Tunnel, use the show crypto session command:

R2# show crypto session


Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 74.200.90.5 port 500
IKE SA: local 73.54.120.100/500 remote 74.200.90.5 /500 Active
IPSEC FLOW: permit ip 20.20.20.0/255.255.255.0
10.10.10.0/255.255.255.0
Active SAs: 2, origin: crypto map

From Remote Site 2, let’s ping the headquarter router:

R3# ping 10.10.10.1 source fastethernet0/1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 85.100.120.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 47/50/53
ms

Again, the first ping received a timeout, but the rest received a reply, as expected. The time
required to bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first
ping to timeout.
To verify the VPN Tunnel, use the show crypto session command:

R3# show crypto session


Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 74.200.90.5 port 500
IKE SA: local 85.100.120.5/500 remote 74.200.90.5 /500 Active
IPSEC FLOW: permit ip 30.30.30.0/255.255.255.0
10.10.10.0/255.255.255.0
Active SAs: 2, origin: crypto map

Issuing the show crypto session command at the headquarter router will reveal all remote routers' public IP addresses. This is usually a good shortcut when trying to figure out the public IP address of your remote routers.
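Reading that output by hand is fine for two peers; for a hub with many dynamic spokes it helps to parse it. The Python example below is added here and is not from the Firewall.cx article: it parses the text of show crypto session into one record per session with its own parser (not a Cisco API), lists the remote peer addresses, and flags any session that is not UP-ACTIVE or carries no IPsec SAs. The R2 sample is constructed to match the article's output above (including the wrapped IPSEC FLOW line); the headquarter sample is constructed to show one healthy and one failing remote.

```python
"""Added example (not from the Firewall.cx article): parse the output of the
IOS 'show crypto session' command into records, list the remote peers it
reveals and flag tunnels that are not UP-ACTIVE.  The parser is this example's
own; the sample outputs are constructed to match the article's R2 output and an
imagined headquarter view with one healthy and one failing remote."""
import re

# Constructed: the Remote Site 1 output as printed in the article (flow line wrapped).
R2_OUTPUT = """\
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 74.200.90.5 port 500
  IKE SA: local 73.54.120.100/500 remote 74.200.90.5 /500 Active
  IPSEC FLOW: permit ip 20.20.20.0/255.255.255.0
  10.10.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

# Constructed headquarter view: two dynamic-map sessions, the second stuck negotiating.
HQ_OUTPUT = """\
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 73.54.120.100 port 500
  IKE SA: local 74.200.90.5/500 remote 73.54.120.100/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map

Interface: FastEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 85.100.120.5 port 500
  IKE SA: local 74.200.90.5/500 remote 85.100.120.5/500 Inactive
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 30.30.30.0/255.255.255.0
        Active SAs: 0, origin: dynamic crypto map
"""


def parse_crypto_sessions(text):
    """Return one dict per 'Interface:' block with peer, status, IKE SA and IPsec flows."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "flows": [], "active_sas": 0}
            sessions.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            m = re.match(r"Peer: (\S+) port (\d+)", line)
            cur["peer"], cur["port"] = m.group(1), int(m.group(2))
        elif line.startswith("IKE SA:"):
            # tolerate the stray space before '/500' seen in the article's output
            m = re.match(r"IKE SA: local (\S+)/(\d+) remote (\S+)\s*/(\d+) (\S+)", line)
            cur["ike"] = {"local": m.group(1), "remote": m.group(3), "state": m.group(5)}
        elif line.startswith("IPSEC FLOW:"):
            cur["flows"].append(line.split(":", 1)[1].strip())
        elif line.startswith("Active SAs:"):
            cur["active_sas"] = int(re.search(r"Active SAs: (\d+)", line).group(1))
        elif cur["flows"] and line[0].isdigit():
            cur["flows"][-1] += " " + line      # continuation of a wrapped flow line
    return sessions


def remote_peers(sessions):
    """Public addresses of every peer the router has a session with."""
    return sorted({s["peer"] for s in sessions})


def unhealthy(sessions):
    """(peer, status) for sessions that are not UP-ACTIVE or carry no IPsec SAs."""
    return [(s["peer"], s.get("status")) for s in sessions
            if s.get("status") != "UP-ACTIVE" or s["active_sas"] == 0]


if __name__ == "__main__":
    hq = parse_crypto_sessions(HQ_OUTPUT)
    print("remote peers:", remote_peers(hq))
    print("needs attention:", unhealthy(hq))
```

Fed the periodic output of the command, the same two functions give an inventory of which dynamic-address spokes are currently reaching the hub and which tunnels have stalled, which is the information an operator otherwise extracts by eye from the article's output above.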

Mikrotik To CISCO ASA IPSec Site to Site VPN Tunnel Configuration

Figure: Mikrotik To CISCO ASA IPSec Site to Site VPN Tunnel

ASA1 Configuration:
CISCOASA>enable
ASA#conf t
ASA(config)#hostname CISCOASA
CISCOASA(config)#crypto isakmp enable outside
CISCOASA(config)#object network local
CISCOASA(config-network-object)#subnet 192.168.2.0 255.255.255.0
CISCOASA(config-network-object)#object network remote
CISCOASA(config-network-object)#subnet 192.168.1.0 255.255.255.0
CISCOASA(config-network-object)#exit
CISCOASA(config)#access-list outside_crypto permit ip object local object remote
CISCOASA(config)#tunnel-group 20.2.2.2 type ipsec-l2l
CISCOASA(config)#tunnel-group 20.2.2.2 ipsec-attributes
CISCOASA(config-tunnel-ipsec)#pre-shared-key sitetosite
CISCOASA(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
CISCOASA(config-tunnel-ipsec)#exit

IKE (Internet Key Exchange), also called ISAKMP (Internet Security Association and Key Management Protocol), is the protocol two hosts use to agree on how to build an IPSec security association. IKE negotiation has two parts, Phase 1 and Phase 2.

CISCOASA(config)#crypto isakmp policy 10 authentication pre-share
CISCOASA(config)#crypto isakmp policy 10 encryption 3des
CISCOASA(config)#crypto isakmp policy 10 hash sha
CISCOASA(config)#crypto isakmp policy 10 group 2
CISCOASA(config)#crypto isakmp policy 10 lifetime 86400
CISCOASA(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
CISCOASA(config)#crypto map outside-map 1 match address outside_crypto
CISCOASA(config)#crypto map outside-map 1 set pfs group2
CISCOASA(config)#crypto map outside-map 1 set peer 20.2.2.2
CISCOASA(config)#crypto map outside-map 1 set transform-set ESP-3DES-SHA
CISCOASA(config)#crypto map outside-map interface outside
CISCOASA(config)#nat (inside,outside) 1 source static local local destination static remote remote
CISCOASA(config)#route outside 0 0 (Gateway Address)
CISCOASA(config)#wr

CISCO ASA Verification:
#show crypto map
#show

Mikrotik Router Peer Configuration:

[admin@MikroTik] /ip ipsec peer> add address=10.1.1.2/32:500 auth-method=pre-shared-key secret="sitetosite" \
    generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 \
    dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik] /ip ipsec policy> add src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=20.2.2.2 sa-dst-address=10.1.1.2 proposal=default priority=0
[admin@MikroTik] /ip ipsec proposal> set default auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@MikroTik] /ip firewall nat> add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
[admin@MikroTik] /ip firewall nat> add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1
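Both the ShrewSoft road-warrior tutorial earlier on this page ("set the Phase 1 parameters to match the Mikrotik peer configuration: main, group2, 3des, md5, 86400") and the ASA configuration above come down to the same chore: the Mikrotik side speaks in RouterOS names (modp1024, 1d, 00:30:00) while the other side speaks in IKE names (group2, 86400 seconds). The Python example below is added here and belongs to neither tutorial: it normalises a Mikrotik peer and proposal into the IKE vocabulary with its own mapping tables and RouterOS duration parser (assumptions of this example, not a RouterOS API), then reports Phase 1 and Phase 2 mismatches against a second side. The config lines are constructed from the road-warrior tutorial with the secret replaced by a placeholder; the "ASA slips" case is a constructed policy with a Phase 1 lifetime of 66400 and PFS group 1, two mistakes a mismatch checker should catch.

```python
"""Added example (not from either tutorial): normalise a Mikrotik IPsec peer and
proposal into the IKE vocabulary used by ShrewSoft and Cisco (group2, 3des,
md5, seconds) and report Phase 1 / Phase 2 mismatches.  The mapping tables and
the comparison are this example's own; the config lines are constructed from
the tutorials' snippets (pre-shared keys replaced by placeholders)."""
import re

# Mikrotik names on the left, the names a ShrewSoft or Cisco operator types on the right.
DH_GROUPS = {"modp768": "group1", "modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}
CIPHERS = {"3des": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256"}
HASHES = {"md5": "md5", "sha1": "sha1", "sha256": "sha256"}


def routeros_lifetime_seconds(value):
    """'1d', '30m', '1d12h' or the Winbox form '00:30:00' -> seconds."""
    if ":" in value:
        hours, minutes, seconds = (int(part) for part in value.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", value))


def parse_args(line):
    """'key=value key2="quoted"' (RouterOS CLI) -> dict."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}


def mikrotik_phase1(peer):
    """Peer settings, filling in the RouterOS defaults (modp1024, sha1, 1d) where omitted."""
    return {
        "exchange": peer.get("exchange-mode", "main"),
        "dh": DH_GROUPS[peer.get("dh-group", "modp1024")],
        "cipher": CIPHERS[peer.get("enc-algorithm", "3des")],
        "hash": HASHES[peer.get("hash-algorithm", "sha1")],
        "lifetime": routeros_lifetime_seconds(peer.get("lifetime", "1d")),
    }


def mikrotik_phase2(proposal):
    """Proposal settings, filling in the RouterOS defaults (sha1, 3des, 30m, modp1024)."""
    return {
        "cipher": CIPHERS[proposal.get("enc-algorithms", "3des")],
        "hash": HASHES[proposal.get("auth-algorithms", "sha1")],
        "pfs": DH_GROUPS.get(proposal.get("pfs-group", "modp1024"), "none"),
        "lifetime": routeros_lifetime_seconds(proposal.get("lifetime", "30m")),
    }


def mismatches(mikrotik, other):
    """Human-readable differences; an empty list means the two sides agree."""
    return [f"{k}: mikrotik={v} other={other.get(k)}" for k, v in mikrotik.items() if v != other.get(k)]


def audit(peer_line, proposal_line, other):
    """Compare both phases of a Mikrotik peer/proposal pair against another side's settings."""
    return {
        "phase1": mismatches(mikrotik_phase1(parse_args(peer_line)), other["phase1"]),
        "phase2": mismatches(mikrotik_phase2(parse_args(proposal_line)), other["phase2"]),
    }


# Constructed from the road-warrior tutorial (secret replaced by a placeholder).
PEER_LINE = ("add address=0.0.0.0/0 auth-method=pre-shared-key exchange-mode=main "
             "secret=PLACEHOLDER_PSK hash-algorithm=md5 enc-algorithm=3des generate-policy=yes")
PROPOSAL_LINE = "set default auth-algorithms=sha1 enc-algorithms=3des lifetime=00:30:00 pfs-group=modp1024"

# ShrewSoft settings exactly as the tutorial lists them.
SHREWSOFT = {
    "phase1": {"exchange": "main", "dh": "group2", "cipher": "3des", "hash": "md5", "lifetime": 86400},
    "phase2": {"cipher": "3des", "hash": "sha1", "pfs": "group2", "lifetime": 1800},
}
# Constructed ASA-style policy with two slips: Phase 1 lifetime 66400 instead of 86400 and
# PFS group 1 against the Mikrotik proposal's modp1024 (group 2).
ASA_SLIPS = {
    "phase1": {"exchange": "main", "dh": "group2", "cipher": "3des", "hash": "md5", "lifetime": 66400},
    "phase2": {"cipher": "3des", "hash": "sha1", "pfs": "group1", "lifetime": 1800},
}

if __name__ == "__main__":
    print("shrewsoft:", audit(PEER_LINE, PROPOSAL_LINE, SHREWSOFT))
    print("asa slips:", audit(PEER_LINE, PROPOSAL_LINE, ASA_SLIPS))
```

Note that the RouterOS defaults are filled in explicitly: the road-warrior peer line never mentions dh-group or lifetime, and a comparison that ignored defaults would miss exactly the parameters people most often get wrong.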

Basic OSPF Setup Between Mikrotik and Cisco Router

Topology Diagram

Cisco Router Configuration:
R1>enable
R1#conf t
R1(config)#hostname Ciscorouter1
Ciscorouter1(config)#interface fastethernet 0/0
Ciscorouter1(config-if)#ip address 192.168.1.1 255.255.255.252
Ciscorouter1(config-if)#no shutdown
Ciscorouter1(config-if)#exit
Ciscorouter1(config)#interface loopback 1
Ciscorouter1(config-if)#ip address 10.1.0.1 255.255.255.0
Ciscorouter1(config-if)#no shutdown
Ciscorouter1(config-if)#exit
Ciscorouter1(config)#interface loopback 2
Ciscorouter1(config-if)#ip address 10.2.0.1 255.255.255.0
Ciscorouter1(config-if)#no shutdown
Ciscorouter1(config-if)#exit
Ciscorouter1(config)#interface loopback 3
Ciscorouter1(config-if)#ip address 10.3.0.1 255.255.255.0
Ciscorouter1(config-if)#no shutdown
Ciscorouter1(config-if)#exit
Ciscorouter1(config)#interface loopback 4
Ciscorouter1(config-if)#ip address 192.168.100.1 255.255.255.255
Ciscorouter1(config-if)#no shutdown
Ciscorouter1(config-if)#exit
Ciscorouter1(config)#router ospf 100
Ciscorouter1(config-router)#network 10.0.0.0 0.255.255.255 area 0
Ciscorouter1(config-router)#network 192.168.1.0 0.0.0.3 area 0
Ciscorouter1(config-router)#network 192.168.100.1 0.0.0.0 area 0

Mikrotik Configuration:
[admin@MikroTik] > interface bridge add name=loopback1
[admin@MikroTik] > interface bridge add name=loopback2
[admin@MikroTik] > interface bridge add name=loopback3
[admin@MikroTik] > interface bridge add name=loopback4
[admin@MikroTik] > ip address add address=192.168.1.2/30 interface=ether1
[admin@MikroTik] > ip address add address=192.168.99.1/32 interface=loopback4
[admin@MikroTik] > ip address add address=172.16.30.1/24 interface=loopback3
[admin@MikroTik] > ip address add address=172.16.20.1/24 interface=loopback2
[admin@MikroTik] > ip address add address=172.16.10.1/24 interface=loopback1

OSPF Configuration
[admin@MikroTik] /routing ospf> interface add interface=all
[admin@MikroTik] /routing ospf> network add network=192.168.1.0/30 area=backbone
[admin@MikroTik] /routing ospf> network add network=192.168.99.1/32 area=backbone
[admin@MikroTik] /routing ospf> network add network=172.16.10.0/24 area=backbone
[admin@MikroTik] /routing ospf> network add network=172.16.20.0/24 area=backbone
[admin@MikroTik] /routing ospf> network add network=172.16.30.0/24 area=backbone

Mikrotik Router OSPF Verification:

[admin@MikroTik] > routing ospf neighbor print


0 instance=default router-id=192.168.100.1 address=192.168.1.1
interface=ether1 priority=1 dr-address=192.168.1.1
backup-dr-address=192.168.1.2 state="Full" state-changes=5
ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=7m59s

[admin@MikroTik] > routing ospf lsa print


AREA TYPE ID ORIGINATOR SEQUENCE-NU...
backbone router 192.168.100.1 192.168.100.1 0x80000006
backbone network 192.168.1.1 192.168.100.1 0x80000001

[admin@MikroTik] /ip route> print


Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADo 10.1.0.1/32 192.168.1.1 110
1 ADo 10.2.0.1/32 192.168.1.1 110
2 ADo 10.3.0.1/32 192.168.1.1 110
3 ADC 172.16.10.0/24 172.16.10.1 loopback1 0
4 ADC 172.16.20.0/24 172.16.20.1 loopback2 0
5 ADC 172.16.30.0/24 172.16.30.1 loopback3 0
6 ADC 192.168.1.0/30 192.168.1.2 ether1 0
7 ADC 192.168.99.1/32 192.168.99.1 loopback4 0
8 ADo 192.168.100.1/32 192.168.1.1 110

[admin@MikroTik] > routing ospf route print


# DST-ADDRESS STATE COST GATEWAY INTERFACE
0 10.1.0.1/32 intra-area 11 192.168.1.1 ether1
1 10.2.0.1/32 intra-area 11 192.168.1.1 ether1
2 10.3.0.1/32 intra-area 11 192.168.1.1 ether1
3 172.16.10.0/24 intra-area 10 0.0.0.0 loopback1
4 172.16.20.0/24 intra-area 10 0.0.0.0 loopback2
5 172.16.30.0/24 intra-area 10 0.0.0.0 loopback3
6 192.168.1.0/30 intra-area 10 0.0.0.0 ether1
7 192.168.99.1/32 intra-area 10 0.0.0.0 loopback4
8 192.168.100.1/32 intra-area 11 192.168.1.1 ether1

Cisco Router Verification:

Ciscorouter1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set

172.16.0.0/24 is subnetted, 3 subnets


O 172.16.30.0 [110/11] via 192.168.1.2, 00:14:03, FastEthernet0/0
O 172.16.20.0 [110/11] via 192.168.1.2, 00:14:03, FastEthernet0/0
O 172.16.10.0 [110/11] via 192.168.1.2, 00:14:03, FastEthernet0/0
192.168.99.0/32 is subnetted, 1 subnets
O 192.168.99.1 [110/11] via 192.168.1.2, 00:14:03, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
C 10.2.0.0 is directly connected, Loopback2
C 10.3.0.0 is directly connected, Loopback3
C 10.1.0.0 is directly connected, Loopback1
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, FastEthernet0/0
192.168.100.0/32 is subnetted, 1 subnets
C 192.168.100.1 is directly connected, Loopback4

The show ip route output lists all directly connected networks and the OSPF-learned paths to each destination. We can see that all of the routes are present in the routing table.
Ciscorouter1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


192.168.1.2 1 FULL/BDR 00:00:37 192.168.1.2 FastEthernet0/0

The output shows 192.168.1.2 (the Mikrotik) in the BDR state because the Cisco router has the highest loopback address, which becomes its router ID, and with equal priorities the highest router ID wins the DR election.
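The election outcome above follows from two rules, and both are easy to get wrong when comparing dotted-quad addresses as strings. The Python example below is added here and is not part of the tutorial: it derives the Cisco router ID the way IOS does when none is configured (highest loopback address, otherwise highest active interface address) and runs a cold-start DR/BDR election on one segment by priority and then router ID. The addresses are the tutorial's own; the Mikrotik's router ID 192.168.1.2 is taken from the tutorial's sh ip ospf neighbor output rather than derived. The election is a simplification of RFC 2328 section 9.4 that assumes every router starts at the same time, which is the case in the tutorial's output.

```python
"""Added example (not from the tutorial): Cisco router-ID derivation and a
cold-start OSPF DR/BDR election decided by priority and then router ID.
The election assumes all routers come up together (a simplification of
RFC 2328 section 9.4); the addresses are the tutorial's own."""
import ipaddress


def derive_router_id(loopbacks, interfaces):
    """Cisco rule: highest loopback IP wins; without loopbacks, highest interface IP."""
    pool = loopbacks or interfaces
    if not pool:
        raise ValueError("no addresses to derive a router ID from")
    # compare as addresses, not strings: '192.168.100.1' > '192.168.99.1' numerically
    return str(max(ipaddress.IPv4Address(a) for a in pool))


def elect_dr_bdr(routers):
    """routers: {router_id: priority}.  Priority 0 routers never become DR/BDR.
    Highest priority wins; ties break on the numerically highest router ID."""
    eligible = [(prio, ipaddress.IPv4Address(rid), rid) for rid, prio in routers.items() if prio > 0]
    ranked = [rid for _, _, rid in sorted(eligible, reverse=True)]
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


# Addresses from the tutorial: the Cisco router's four loopbacks and its FastEthernet0/0.
CISCO_ID = derive_router_id(["10.1.0.1", "10.2.0.1", "10.3.0.1", "192.168.100.1"], ["192.168.1.1"])
# The tutorial's 'sh ip ospf neighbor' output shows the Mikrotik as Neighbor ID 192.168.1.2.
MIKROTIK_ID = "192.168.1.2"


def tutorial_election():
    """Both routers use the default priority 1, so the router ID decides."""
    return elect_dr_bdr({CISCO_ID: 1, MIKROTIK_ID: 1})


if __name__ == "__main__":
    print("Cisco router ID:", CISCO_ID)
    print("DR, BDR:", tutorial_election())
```

Setting ip ospf priority on the Mikrotik's ether1 higher than 1 would reverse the outcome regardless of router IDs, which the elect_dr_bdr function reproduces, since priority is compared before the router ID.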

Ciscorouter1#sh ip ospf database

OSPF Router with ID (192.168.100.1) (Process ID 100)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count


192.168.1.2 192.168.1.2 694 0x80000002 0x00F7F7 5
192.168.100.1 192.168.100.1 698 0x80000008 0x00ED8F 5

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum


192.168.1.1 192.168.100.1 698 0x80000001 0x006B5C

Site-to-Site GRE Configuration Between Mikrotik And Cisco Router


Cisco Router Configuration:
R1>enable
R1#conf t
R1(config)#hostname CiscoRouter
CiscoRouter(config)#interface FastEthernet0/0
CiscoRouter(config-if)#ip address 104.10.1.2 255.255.255.252
CiscoRouter(config-if)#no shutdown
CiscoRouter(config-if)#exit
CiscoRouter(config)#interface FastEthernet0/1
CiscoRouter(config-if)#ip address 172.16.2.1 255.255.255.0
CiscoRouter(config-if)#no shutdown
CiscoRouter(config-if)#exit
CiscoRouter(config)#interface tunnel 0
CiscoRouter(config-if)#ip address 192.168.1.2 255.255.255.252
CiscoRouter(config-if)#no shutdown
CiscoRouter(config-if)#tunnel source 104.10.1.2
CiscoRouter(config-if)#tunnel destination 27.10.10.2
CiscoRouter(config-if)#exit
CiscoRouter(config)#ip route 0.0.0.0 0.0.0.0 104.10.1.1
CiscoRouter(config)#ip route 172.16.1.0 255.255.255.0 192.168.1.1

Cisco Router Verification :


CiscoRouter#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 104.10.1.1 to network 0.0.0.0

172.16.0.0/24 is subnetted, 2 subnets


S 172.16.1.0 [1/0] via 192.168.1.1
C 172.16.2.0 is directly connected, FastEthernet0/1
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Tunnel0
104.0.0.0/30 is subnetted, 1 subnets
C 104.10.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 104.10.1.1

CiscoRouter#sh int tunnel 0


Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.1.2/30
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 104.10.1.2, destination 27.10.10.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:12:16, output 00:12:16, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
95 packets input, 8040 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
105 packets output, 9112 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

MikroTik Router Configuration:

[admin@MikroTik] > ip address add address=27.10.10.2/30 interface=ether1
[admin@MikroTik] > ip address add address=172.16.1.1/24 interface=ether2
[admin@MikroTik] > interface gre add name=tunnel0 local-address=27.10.10.2 remote-address=104.10.1.2
[admin@MikroTik] > ip address add address=192.168.1.1/30 interface=tunnel0
[admin@MikroTik] > ip route add dst-address=0.0.0.0/0 gateway=27.10.10.1
[admin@MikroTik] > ip route add dst-address=172.16.2.0/24 gateway=192.168.1.2

Cisco ASA Failover Configuration

Posted on September 21, 2013 By Nikola Stojanoski

This tutorial is for configuring Cisco ASA failover in Active/Standby mode, assuming
your primary Cisco ASA is already configured and working.

Primary Cisco ASA

Set up the failover interface on the Primary Cisco ASA:

enable
config t
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown

Assign the failover IP address on the Primary Cisco ASA:

failover lan interface FAILOVER gigabitethernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER


Assign the standby Outside IP Address on the Primary Cisco ASA

Assign your Cisco ASA standby external IP address by appending "standby {SECONDARY ASA IP
ADDRESS}" to the interface address:

interface gigabitEthernet 0/0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2

Assign the standby Internal IP Address on the Primary Cisco ASA

Assign the internal IP address as you did for the external IP address, with the "standby
{SECONDARY ASA IP ADDRESS}" suffix:

interface gigabitEthernet 0/1
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

Enable monitoring on SubInterfaces on the Primary Cisco ASA (optional)

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is
disabled. You can monitor up to 250 interfaces on a unit. You can control which
interfaces affect your failover policy by disabling the monitoring of specific interfaces
and enabling the monitoring of others. This lets you exclude interfaces attached to less
critical networks from affecting your failover policy.

monitor-interface if_name

You can turn off monitoring of the management interface:

no monitor-interface management

Enable failover

conf t
failover

Verify your Cisco ASA Failover

show failover

Secondary Cisco ASA

Set up the failover interface on the Secondary Cisco ASA:

config t
no failover
failover lan unit secondary
interface gigabitEthernet 0/3
no nameif
no shutdown
failover lan interface FAILOVER gigabitEthernet0/3

Assign the failover IP address on the Secondary ASA using FAILOVER:

failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
failover

Automatic Configuration Copy from Primary to Secondary Cisco ASA

The device configuration is automatically copied from the primary Cisco ASA to the
secondary Cisco ASA using the following commands:

config t
interface gigabitEthernet 0/3
no shutdown

Verify your Cisco ASA Failover

show failover

MikroTik BOVPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure
WatchGuard products to work with products created by other organizations. If you need
more information or technical support about how to configure a third-party product, see
the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel
between a WatchGuard Firebox and a MikroTik device.

Integration Summary

The hardware and software used in this guide include:

 WatchGuard M400
   o Fireware v12.7.2
 MikroTik RB2011iL-RM
   o RouterOS v7.1.3

Test Topology

This diagram shows the topology used to connect your WatchGuard Firebox and a
MikroTik device through a VPN.

Configure the Firebox

To configure a BOVPN connection, from Fireware Web UI:

1. Select VPN > Branch Office VPN.
The Branch Office VPN configuration page opens.

2. To add a gateway, in the Gateways section, click Add.
The Gateway Endpoint Settings dialog box opens.

3. In the Gateway Name text box, type the Gateway name.

4. In the Address Family drop-down list, select IPv4 Address.

5. In the Credential Method section, select Use Pre-Shared Key and String-Based.

6. In the adjacent text box, type the pre-shared key.

7. In the Gateway Endpoint section, click Add.
The Gateway Endpoint Settings dialog box opens.

8. From the External Interface drop-down list, select External.

9. From the Interface IP Address drop-down list, select Primary Interface IP Address.
The Primary Interface IP Address is the primary IP address you configured on
the selected external interface.

10. Select By IP Address.

11. In the adjacent text box, type the primary IP address of the external Firebox
interface.

12. Select the Remote Gateway tab.

13. Select Static IP Address.

14. In the adjacent text box, type the public IP address of your MikroTik
connection.

15. Select By IP Address.

16. In the adjacent text box, type the public IP address of your MikroTik
connection.

17. Keep the default settings for all other options.

18. Click OK.

Next, configure the Phase 1 settings:

1. Select the Phase 1 Settings tab.

2. From the Version drop-down list, select IKEv2.

3. For all other settings, keep the default values.

4. Click Save.

Next, configure the Tunnels:

1. On the Branch Office VPN page, in the Tunnels section, click Add.
The Branch Office VPN Tunnel configuration interface opens.

2. From the Gateway drop-down list, select the gateway that you added.

3. In the Addresses section, click Add to configure tunnel routes for the tunnel.
The Tunnel Route Settings dialog box opens.

4. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.

5. In the Network IP text box, type the Network IP address, which is the
internal network IP address of the WatchGuard Firebox.

6. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.

7. In the Network IP text box, type the Network IP address, which is the
internal network IP address of the MikroTik device.

8. For all other settings, keep the default values.

9. Click OK.

10. Click Save.

For more information about Branch Office VPN configuration on the Firebox,
see Configure Manual BOVPN Gateways and Configure Manual BOVPN Tunnels.

Configure the MikroTik Device

To configure the MikroTik device:

1. Log on to the MikroTik Web UI. The default IP address is http://192.168.88.1,
reachable on port ether2.

2. Configure all required MikroTik interfaces.

3. Verify that the MikroTik can connect to the Internet and to Host2.

4. Select IP > Firewall > NAT.

5. Click Add New.

6. From the Chain drop-down list, select srcnat.

7. In the Src. Address text box, type the Network IP address, which is the
internal network IP address of the MikroTik device.

8. In the Dst. Address text box, type the Network IP address, which is the
internal network IP address of the Firebox.

9. From the Out. Interface drop-down list, select ether1.

10. From the Action drop-down list, select Accept.

11. Keep the default settings for all other options.

12. Click Apply and OK.

Next, configure IPsec settings on the MikroTik device:

1. Select IP > IPsec > Proposals.

2. Modify the default proposal.

3. In the Name text box, type the proposal name or keep the default name.

4. In the Auth. Algorithms section, select sha256.

5. In the Encr. Algorithms section, select aes-256 cbc.

6. From the PFS Group drop-down list, select modp2048.

7. Keep the default settings for all other options.

8. Click Apply and OK.

9. Select the Peers tab.

10. To add a new peer, click Add New.

11. In the Name text box, type the peer name.

12. In the Address text box, type the IP address of the External interface of the
Firebox.

13. In the Local Address text box, type the IP address of the ether1 interface of
the MikroTik.

14. From the Exchange Mode drop-down list, select IKE2.

15. Keep the default settings for all other options.

16. Click Apply and OK.

17. Select the Identities tab.

18. To add a new Identity, click Add New.

19. From the Peer drop-down list, select peer1.

20. From the Auth. Method drop-down list, select pre shared key.

21. In the Secret text box, type the secret. The secret must be the same as
the pre-shared key specified in the Firebox settings.

22. Keep the default settings for all other options.

23. Click Apply and OK.

24. Select the Profiles tab.

25. Modify the default profile.

26. From the Hash Algorithms drop-down list, select sha256.

27. In the Encryption Algorithm section, select aes-256.

28. In the DH Group section, select modp2048.

29. Keep the default settings for all other options.

30. Click Apply and OK.

31. Select the Policies tab.

32. To add a new policy, click Add New.

33. From the Peer drop-down list, select peer1.

34. Select Tunnel.

35. In the Src. Address text box, type the Network IP address, which is the
internal network IP address of the MikroTik device.

36. In the Dst. Address text box, type the Network IP address, which is the
internal network IP address of the WatchGuard Firebox.

37. Keep the default settings for all other options.

38. Click Apply and OK.
Test the Integration

To test the integration, from Fireware Web UI:

1. Select System Status > VPN Statistics.

2. Select the Branch Office VPN tab.

3. Verify that the VPN is established.

To test the integration from the MikroTik Web UI:

1. Select IP > IPsec > Policies.

2. Verify that the PH2 State is established.

3. If the BOVPN has multiple tunnel routes:
a. From the Level drop-down list, select unique.
b. Add the related NAT.
c. Select the Policies tab to verify the results.
d. From Fireware Web UI, select System Status > VPN Statistics >
Branch Office VPN to verify the results for both tunnels.

Finally, verify that Host1 and Host2 can ping each other successfully. In our
example, Host1 is a computer behind the Firebox and Host2 is a computer behind the
MikroTik device.

IPSec VPN Between FortiGate And Cisco ASA
Leave a Comment / By YongKW / February 20, 2021

Tutorial on how to configure IPSec VPN between FortiGate and Cisco ASA firewalls in our lab.

Name           IP Address       Remarks
FortiGate 60E  121.121.43.50    Site 1 – WAN IP
FortiGate 60E  192.168.1.1      Site 1 – LAN IP
Cisco ASA      103.18.246.208   Site 2 – WAN IP
Cisco ASA      10.10.10.8       Site 2 – LAN IP

IKEv1 IPSec VPN Between FortiGate And Cisco ASA

Configuration Of FortiGate Firewall

An IKEv1 tunnel is configured by default when using the FortiGate Site to Site VPN Wizard.

Create objects for the Local (LAN-192.168.1.0) & Remote (REMOTE-10.10.10.0) Networks

config firewall address
edit REMOTE-10.10.10.0
set subnet 10.10.10.0 255.255.255.0
next
edit LAN-192.168.1.0
set subnet 192.168.1.0 255.255.255.0
next
end

Create IPSec Phase 1 called VPN-ToAIMS on the WAN1 Interface with

 Proposal = AES256-SHA1
 DH Group = 2
 Remote Gateway = 103.18.246.208
 Pre-Shared Key = P@ssw0rd
 Key Lifetime (Seconds) = 86400

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange
process. Higher group numbers are more secure but require additional time to compute
the key.

 DH Group 2: 1024-bit group
 DH Group 5: 1536-bit group
 DH Group 19: 256-bit elliptic curve group

config vpn ipsec phase1-interface
edit "VPN-ToAIMS"
set interface wan1
set peertype any
set proposal aes256-sha1
set dhgrp 2
set remote-gw 103.18.246.208
set psksecret P@ssw0rd
next
end

Create IPSec Phase 2 called VPN-ToAIMS-P2 with

 Associate to Phase 1 VPN-ToAIMS
 Proposal = AES256-SHA1
 Enable Perfect Forward Secrecy (PFS) = 2
 Source & Destination Network

Perfect Forward Secrecy (PFS) makes keys more secure because new keys are not made
from previous keys. If a key is compromised, new session keys are still secure. When
you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is
negotiated.

config vpn ipsec phase2-interface
edit "VPN-ToAIMS-P2"
set phase1name "VPN-ToAIMS"
set proposal aes256-sha1
set dhgrp 2
set src-addr-type name
set dst-addr-type name
set src-name "LAN-192.168.1.0"
set dst-name "REMOTE-10.10.10.0"
next
end

Static Routes to forward IPSec traffic to the VPN-ToAIMS interface, and to a blackhole
when the VPN tunnel is down

config router static
edit 2
set dst 10.10.10.0 255.255.255.0
set distance 1
set device "VPN-ToAIMS"
next
edit 3
set dst 10.10.10.0 255.255.255.0
set distance 254
set blackhole enable
next
end

Create a firewall policy called VPN-LAN-REMOTE to allow traffic from LAN-192.168.1.0
to REMOTE-10.10.10.0 on the VPN-ToAIMS Interface

config firewall policy
edit 20
set name "VPN-LAN-REMOTE"
set srcintf "internal"
set dstintf "VPN-ToAIMS"
set srcaddr "LAN-192.168.1.0"
set dstaddr "REMOTE-10.10.10.0"
set action accept
set schedule "always"
set service "ALL"
next
end

Create a firewall policy called VPN-REMOTE-VPN to allow traffic from REMOTE-10.10.10.0
to LAN-192.168.1.0 on the Internal Interface

config firewall policy
edit 21
set name "VPN-REMOTE-VPN"
set srcintf "VPN-ToAIMS"
set dstintf "internal"
set srcaddr "REMOTE-10.10.10.0"
set dstaddr "LAN-192.168.1.0"
set action accept
set schedule "always"
set service "ALL"
next
end

Configuration Of Cisco ASA Firewall

Create objects for the Local & Remote Networks

object network LAN-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network REMOTE-192.168.1.0
subnet 192.168.1.0 255.255.255.0

Enable IKEv1 on the Outside Interface

crypto ikev1 enable outside

NAT Exemption for traffic between LAN-10.10.10.0 & REMOTE-192.168.1.0

nat (inside,outside) source static LAN-10.10.10.0 LAN-10.10.10.0 destination static REMOTE-192.168.1.0 REMOTE-192.168.1.0 no-proxy-arp route-lookup

Access List called outside_cryptomap for traffic to be encrypted and tunneled; it
references the two network objects created above

access-list outside_cryptomap extended permit ip object LAN-10.10.10.0 object REMOTE-192.168.1.0

New Group Policy called GroupPolicy_121.121.43.50 with IKEv1 enabled

group-policy GroupPolicy_121.121.43.50 internal
group-policy GroupPolicy_121.121.43.50 attributes
vpn-tunnel-protocol ikev1

Create Tunnel Group called 121.121.43.50 with the pre-shared-key defined

tunnel-group 121.121.43.50 type ipsec-l2l
tunnel-group 121.121.43.50 general-attributes
default-group-policy GroupPolicy_121.121.43.50
tunnel-group 121.121.43.50 ipsec-attributes
ikev1 pre-shared-key *****

Configure the Crypto Map with the following

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 121.121.43.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

The following default IKEv1 Policy will be used

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
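A cross-check of the FortiGate phase 1/phase 2 blocks against the ASA IKEv1 policy, transform-set and crypto map above, added here as an example in Python and not part of the original post: it normalises each vendor's spelling (aes256-sha1 versus encryption aes-256 / hash sha, a bare set pfs versus dhgrp 2) and lists every parameter on which the two peers disagree, which is the usual reason phase 1 or phase 2 fails to negotiate. The transform-set definition line (ESP-AES-256-SHA as esp-aes-256 esp-sha-hmac) and the FortiGate keylife default of 86400 s are assumptions, since the page references the transform-set by name only and does not set keylife.

```python
# Constructed sample input: the relevant lines of the two configurations shown on the page.
FORTIGATE_CFG = """config vpn ipsec phase1-interface
set proposal aes256-sha1
set dhgrp 2
end
config vpn ipsec phase2-interface
set proposal aes256-sha1
set dhgrp 2
end"""
# The transform-set definition line is assumed; the page references ESP-AES-256-SHA by name only.
ASA_CFG = """crypto ikev1 policy 10
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA"""
P1_KEYS = {"encryption": "enc", "hash": "hash", "group": "dh", "lifetime": "lifetime"}  # ASA policy words

def norm(alg):
    """One spelling per algorithm: aes-256/esp-aes-256 -> aes256, sha/esp-sha-hmac -> sha1."""
    alg = alg.lower().replace("-", "").replace("esp", "").replace("hmac", "")
    return "sha1" if alg == "sha" else alg

def parse_fortigate(cfg):
    """Return {'p1': {...}, 'p2': {...}} holding enc, hash, dh and the phase 1 lifetime."""
    out, phase = {}, None
    for line in cfg.splitlines():
        w = line.split()
        if w[:3] == ["config", "vpn", "ipsec"]:
            phase = "p1" if "phase1" in w[3] else "p2"
            out[phase] = {"dh": None, "lifetime": "86400"} if phase == "p1" else {"dh": None}  # keylife default
        elif w[:2] == ["set", "proposal"]:                 # first proposal only, e.g. aes256-sha1
            enc, hsh = w[2].split("-")
            out[phase].update(enc=norm(enc), hash=norm(hsh))
        elif w[:2] in (["set", "dhgrp"], ["set", "keylife"]):
            out[phase]["dh" if w[1] == "dhgrp" else "lifetime"] = w[2]
    return out

def parse_asa(cfg):
    """Same structure, read from the ikev1 policy, the transform-set and the crypto map."""
    out, tsets = {"p1": {"dh": None}, "p2": {"dh": None}}, {}
    for line in cfg.splitlines():
        w = line.split()
        if w and w[0] in P1_KEYS:
            out["p1"][P1_KEYS[w[0]]] = norm(w[1])
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            tsets[w[4]] = (norm(w[5]), norm(w[6]))
        elif w[:2] == ["crypto", "map"] and "pfs" in w:      # bare "set pfs" means group 2 on ASA
            out["p2"]["dh"] = w[-1][5:] if w[-1].startswith("group") else "2"
        elif w[:2] == ["crypto", "map"] and "transform-set" in w:
            out["p2"]["enc"], out["p2"]["hash"] = tsets[w[-1]]
    return out

def mismatches(fgt, asa):
    """Every parameter that differs between the two peers; an empty list means they agree."""
    return [f"{p} {k}: FortiGate={fgt[p].get(k)} ASA={asa[p].get(k)}" for p in ("p1", "p2")
            for k in sorted(set(fgt[p]) | set(asa[p])) if fgt[p].get(k) != asa[p].get(k)]
```

Running mismatches(parse_fortigate(FORTIGATE_CFG), parse_asa(ASA_CFG)) on the page's two configurations returns an empty list; changing the ASA side to hash md5 or set pfs group5 names the exact phase and parameter that no longer matches.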

Reference Link

1. Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA

Verify IKEv1 IPSec VPN Tunnel

Verify the IKEv1 IPSec VPN Tunnel is up in the Cisco ASA Firewall

ASAv# sh crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 121.121.43.50
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

Verify the IKEv1 IPSec VPN Tunnel is up in FortiGate Firewall

FG60 # diag vpn tunnel list

list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-ToAIMS ver=1 serial=4 121.121.43.50:0->103.18.246.208:0
dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520
options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=16 ilast=0 olast=0 ad=/0
stat: rxp=6786 txp=12136 rxb=1982700 txb=798028
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-ToAIMS-P2 proto=0 sa=1 ref=8 serial=1
src: 0:192.168.1.0/255.255.255.0:0
dst: 0:10.10.10.0/255.255.255.0:0
SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=27741/0B
replaywin=1024
seqno=207a esn=0 replaywin_lastseq=00001a80 itn=0 qat=0
hash_search_len=1
life: type=01 bytes=0/0 timeout=28529/28800
dec: spi=f6f35fd9 esp=aes key=32
c514b693e2159a42e91fe36ed8a71892c4c82fd31dab47d67535214461eaeb05
ah=sha1 key=20 052cca8b83f7b93ed4651d981daef29c13c6cd06
enc: spi=fcbc266d esp=aes key=32
6b5a3c915d960beed0019fff31d968e0de5e8528c288f954221a1456b8898a66
ah=sha1 key=20 bdb7357fbb82cef0aa4d421509d4dbfaf18e7517
dec:pkts/bytes=6786/1982580, enc:pkts/bytes =12096/1046112
npu_flag=03 npu_rgwy=103.18.246.208 npu_lgwy=121.121.43.50 npu_selid=3
dec_npuid=1 enc_npuid=1
run_tally=1

Verify that the workstations at both sites can ping each other

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.177
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\kwyong>ping 10.10.10.186

Pinging 10.10.10.186 with 32 bytes of data:
Reply from 10.10.10.186: bytes =32 time=11ms TTL=127
Reply from 10.10.10.186: bytes =32 time=13ms TTL=127
Reply from 10.10.10.186: bytes =32 time=13ms TTL=127
Reply from 10.10.10.186: bytes =32 time=21ms TTL=127

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.186
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.8

C:\Users\admin>ping 192.168.1.236

Pinging 192.168.1.236 with 32 bytes of data:
Reply from 192.168.1.236: bytes =32 time=5ms TTL=63
Reply from 192.168.1.236: bytes =32 time=5ms TTL=63
Reply from 192.168.1.236: bytes =32 time=7ms TTL=63

IKEv2 IPSec VPN Between FortiGate And Cisco ASA
