Mikrotik To Cisco ASA IPsec VPN
Mikrotik To Cisco ASA IPsec VPN
Mikrotik To Cisco ASA IPsec VPN
We needed to setup IPsec VPN for a client with a remote location that already had Cisco
ASA. So, here is a Mikrotik to Cisco ASA IPsec howto.
Tutorial Scenario
Cisco ASA site
Mikrotik site
Create NAT rule to bypass the traffic that should to trough the tunnel
Move the rule to the top
Now you can connect your branch offices using Mikrotik Routers even if you have Cisco
ASA’s installed on the other locations
Make sure that the default proposal has Authentication algorithm sha1 and Encryption
algorithm 3des
Setting ShrewSoft VPN Client
Put the Mikrotik router Public IP address in Remote Host and change the Local
Host to Use existing adapter and current address
Disable NAT Traversal and IKE Fragmentation if you are not using NAT Traversal
If you need WINS and Local DNS put it manually, otherwise disable this parameters
Under Authentication set Authentication Method as Mutual PSK, Local Identity as IP
Address and put the secret in Credential -> Pre Shared Key
Set the Phase1 Parameters to match Mikrotik Peer configuration: main, group2, 3des,
md5, 86400
Set the Phase2 Parameters to match Mikrotik default proposal: esp-3des, sha1, group2,
and change the Key Life Time limit to 1800 because in Mikrotik default
proposal Lifetime is 00:30:00
Finally we need to add the local network (10.20.30.0/24) that we want to route trough
the IPSec VPN connection.
That’s it! You have your 50$ IPSec VPN Concentrator without the need to buy additional
licences or expensive routers
Some time ago i had a client that needed Site-to-Site IPSec VPN connection between 5
locations but ware not ready to pay for Cisco routers.
The solution was simple, I’m going to build a Miktorik Site to Site VPN with my
favorite cheep but reliable routers, Mikrotik
They didn’t need any special requirements, on the main location they had a server with a
application and a on the other locations they had a few PC’s that needed to contact the
database on that server. I purchased 5 RB751G-2HnD routers and applyed this
configuration.
Create list of addresses that will have full access to the
router
/ ip firewall address-list
# Router 1 - Router 2
# Router 2 - Router 1
This article serves as an extension to our popular Cisco VPN topics covered here on Firewall.cx.
While we’ve covered Site to Site IPSec VPN Tunnel Between Cisco Routers (using static public
IP addresses), we will now take a look on how to configure our headquarter Cisco router to
support remote Cisco routers with dynamic IP addresses. One important note to keep in mind
when it comes to this implementation, is that Site-to-Site VPN networks with Dynamic remote
Public IP addresses can only be brought up by the remote site routers as only they are
aware of the headquarter's router Public IP address.
IPSec VPN tunnels can also be configured using GRE (Generic Routing Encapsulation) Tunnels
with IPsec encryption. GRE tunnels greatly simply the configuration and administration of VPN
tunnels and are covered in our Configuring Point-to-Point GRE VPN Tunnels article. Lastly,
DMVPNs – a new VPN trend that provide outstanding flexibility and almost no administration
overhead can also be examined by reading our Understanding Cisco Dynamic Multipoint VPN
(DMVPN), Dynamic Multipoint VPN (DMVPN) Deployment Models &
Architectures and Configuring Cisco Dynamic Multipoint VPN (DMVPN) - Hub, Spokes ,
mGRE Protection and Routing - DMVPN Configuration articles.
ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential
to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange),
is the negotiation protocol that allows two hosts to agree on how to build an IPsec security
association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2
creates the tunnel that protects data. IPSec then comes into play to encrypt the data using
encryption algorithms and provides authentication, encryption and anti-replay services.
Our Headquarters is assigned an internal network of 10.10.10.0/24, while Remote Site 1 has
been assigned network 20.20.20.0/24. and Remote Site 2 network 30.30.30.0/24. The goal is to
securely connect both remote sites with our headquarters and allow full communication, without
any restrictions.
We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have
five different remote sites and configured five different ISAKMP Phase 1 policies (one for each
remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five
policies and use the first match that is accepted by both ends. Since we only have one ISAKMP
policy, this will be used for all remote VPN routers.
Next we are going to define a pre-shared key for authentication with our peers (R2 & R3 routers)
by using the following command:
The peers pre-shared key is set to firewallcx and note that we are defining a remote public IP
address of 0.0.0.0 0.0.0.0. This tells our headquarter router that the remote routers have dynamic
public IP addresses and ensures it will try to negotiate and establish a VPN tunnel with any
router that requests it.
Configure IPSec
To configure IPSec we need to setup the following in order:
Because we are dealing with two separate VPN tunnels, we’ll need to create one set of access-
lists for each:
First we create a crypto map named VPN which will be applied to the public interface of our
headquarter router, and connect it with the dynamic crypto maps we named as hq-vpn.
Notice how we create one dynamic map for each remote network. The configuration is similar
for each dynamic crypto map, with only the instance number (10 , 11) and match address
(VPN1-TRAFFIC , VPN2-TRAFFIC) changing.
Adding additional remote sites in the future is as easy as simply adding more dynamic crypto
maps, incrementing the index number and specifying the match address extended access-lists for
each remote network.
interface FastEthernet0/1
crypto map VPN
Note that you can assign only one crypto map to an interface.
As soon as we apply crypto map on the interface, we receive a message from the router that
confirms isakmp is on: “ISAKMP is ON”.
At this point, we have completed the IPSec VPN configuration on our headquarter router and we
can move to the remote endpoint routers.
Configuring Remote Endpoint Routers (Dynamic Public IP
Addresses)
Our remote routers connect to the Internet and are assigned a dynamic IP address which changes
periodically by the ISP. In most part, the configuration is similar to that of the headquarter
router, but with a few minor changes.
In the configuration below, IP address 74.200.90.5 represents the public IP address of our
headquarter router.
This is easily done by inserting a deny statement at the beginning of the NAT access lists as
shown below:
For the headquarter router, deny NAT for packets destined to the remote VPN networks, but
allow NAT for all other networks (Internet):
For Remote Site 1 Router, deny NAT for packets destined to the headquarter network:
For Remote Site 2 Router, deny NAT for packets destined to the headquarter network:
Site to Site VPN networks with Dynamic remote Public IP addresses can only be brought up by
the remote sites.
The reason for this is simple and logical. Only the remote site routers are aware of the
headquarter’s public IP address (74.200.90.5) because it is static, and therefore only the remote
router can initiate the VPN tunnel.
The first ping received a timeout, but the rest received a reply, as expected. The time required to
bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first ping to
timeout.
To verify the VPN Tunnel, use the show crypto session command:
Again, the first ping received a timeout, but the rest received a reply, as expected. The time
required to bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first
ping to timeout.
To verify the VPN Tunnel, use the show crypto session command:
Issuing the show crypto session command at the headquarter router will reveal all remote
routers public IP addresses. This is usually a good shortcut when trying to figure out the public
IP address of your remote routers
IKE called Internet Association and key management protocol. I KE that used for two
host agree to hoe build an IPSec security association. There are two part of IKE
negotiation that are phase1 and phase2.
Topology Diagram
R1>enable
R1#conf t
R1 (config)#hostname Ciscorouter1
Ciscorouter1 (config)#interface fastethernet 0/0
Ciscorouter1 (config-if)#ip address 192.168.1.1 255.255.255.252
Ciscorouter1 (config-if)#no shutdown
Ciscorouter1 (config-if)#exit
Ciscorouter1 (config)#interface loopback 1
Ciscorouter1 (config-if)#ip address 10.1.0.1 255.255.255.0
Ciscorouter1 (config-if)#no shutdown
Ciscorouter1 (config-if)#exit
Mikrotik Configuration:
[admin@MikroTik] > interface bridge add name=loopback1
[admin@MikroTik] > interface bridge add name=loopback2
[admin@MikroTik] > interface bridge add name=loopback3
[admin@MikroTik] > interface bridge add name=loopback4
[admin@MikroTik] > ip address add address=192.168.1.2/30 interface=ether1
[admin@MikroTik] > ip address add address=192.168.99.1/32 interface=loopback4
[admin@MikroTik] > ip address add address=172.16.30.1/24 interface=loopback3
[admin@MikroTik] > ip address add address=172.16.20.1/24 interface=loopback2
[admin@MikroTik] > ip address add address=172.16.10.1/24 interface=loopback1
OSPF Configuration
[admin@MikroTik] /routing ospf> interface add interface=all
[admin@MikroTik] /routing ospf> network add network=192.168.1.0/30
area=backbone
[admin@MikroTik] /routing ospf> network add network=192.168.99.1/32
area=backbone
[admin@MikroTik] /routing ospf> network add network=172.16.10.0/24
area=backbone
[admin@MikroTik] /routing ospf> network add network=172.16.20.0/24
area=backbone
[admin@MikroTik] /routing ospf> network add network=172.16.30.0/24
area=backbone
Ciscorouter1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
Show ip route comment tell us about all directly connected routers and possible all
path
To the destination. We see that our all route will exit the routing table.
Ciscorouter1#sh ip ospf neighbor
Shown in the output we see that 192.168.1.2 is BDR state bcz Cisco Router have
highest loopback interface and highest loopback interface also be win to DR election
process.
This tutorial is for configuring Cisco ASA Failover into Active/Standby mode, assuming
your primary Cisco ASA is configured and working.
enable
config t
no shutdown
monitor-interface if_name
no monitor management
Enable failover
conf t
failover
Verify your Cisco ASA Failover
show failover
config t
no failover
no nameif
no shutdown
failover
Automatic Configuration Copy from Primary to Secondary Cisco ASA
The device configurations are automatically copied from the primary Cisco ASA device
to the secondary Cisco ASA device using the following commands:
config t
no shutdown
show failover
This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel
between a WatchGuard Firebox and a MikroTik device.
Integration Summary
The hardware and software used in this guide include:
WatchGuard M400
o Fireware v12.7.2
MikroTik RB2011iL-RM
o Version RouterOS v7.1.3
Test Topology
This diagram shows the topology used to connect your WatchGuard Firebox and a
MikroTik device through a VPN.
5. In the Credential Method section, select Use Pre-Shared Key and String-
Based.
10.Select By IP Address.
11.In adjacent text box, type the primary IP address of the External Firebox
interface.
14.In the adjacent text box, type the public IP address of your MikroTik
connection.
15.Select By IP Address.
16.In the adjacent text box, type the public IP address of your MikroTik
connection.
18.Click OK.
Next, configure the Phase 1 settings.
4. Click Save.
Next, configure the Tunnels:
1. On the Branch Office VPN page, in the Tunnels section, click Add.
The Branch Office VPN Tunnel configuration interface opens.
2. From the Gateway drop-down list, select the gateway that you added.
3. In the Addresses section, click Add to configure tunnel routes for the tunnel.
The Tunnel Route Settings dialog box opens.
5. In the Network IP text box, type the Network IP address, which is the
internal network IP address of the WatchGuard Firebox.
7. In the Network IP text box, type the Network IP address, which is the
internal network IP address of the MikroTik device.
10.Click Save.
For more information about Branch Office VPN configuration on the Firebox,
see Configure Manual BOVPN Gateways and Configure Manual BOVPN Tunnels
1. Log on to the MikroTik Web UI. The default IP address and port
are http://192.168.88.1 and ether2 .
7. In the Src. Address text box, type the Network IP address, which is the
internal network IP address of the MikroTik device.
8. In the Dst. Address text box, type the Network IP address, which is the
internal network IP address of the Firebox.
3. In the Name text box, type the proposal name or keep the default name.
12.In the Address text box, type the IP address of the External interface of the
Firebox.
13.In the Local Address text box, type the IP address of the ether1 interface of
the MikroTik.
20.From the Auth. Method drop-down list, select pre shared key.
21.In the Secret text box, type the secret. The secret must be the same as
the pre-shared key specified in the Firebox settings.
34.Select Tunnel.
35.In the Src. Address text box, type the Network IP address, which is the
internal network IP address of the MikroTik device.
36.In the Dst. Address text box, type the Network IP address, which is the
internal network IP address of the WatchGuard Firebox.
1. From the from the MikroTik Web UI, select IP > IPsec > Policies.
Finally, verify that Host1 and Host2 can ping each other successfully. In our
example, Host1 is a computer behind the Firebox. Host2 is a computer behind the
MikroTik device
edit LAN-192.168.1.0
set subnet 192.168.1.0 255.255.255.0
end
Proposal = AES256-SHA1
DH GRoup = 2
Remote Gateway = 103.18.246.208
Pre-Share Key = P@ssw0rd
Key Lifetime (Seconds) = 86400
Perfect Forward Secrecy (PFS) makes keys more secure because new
keys are not made from previous keys. If a key is compromised, new
session keys are still secure. When you specify PFS during Phase 2, a
Diffie-Hellman exchange occurs each time a new SA is negotiated.
Reference Link
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
C:\Users\kwyong>ping 10.10.10.186
C:\Users\admin>ping 192.168.1.236