Mikrotik as cisco VPN client

I have group login and password

also have user login and password

Can Mikrotik act as a Cisco VPN client?

http://www.mikrotik.com/testdocs/ros/3.0/vpn/pptp.php

Remote peer is not a PPTP server, it is a Cisco ASA.
On my Ubuntu I use vpnc - client for Cisco VPN3000 Concentrator, IOS and PIX

sudo vpnc
Enter IPSec gateway address: 1.1.1.1
Enter IPSec ID for 1.1.1.1: xxxxxxxxxx
Enter IPSec secret for xxxxxxx@1.1.1.1:yyyyyyy
Enter username for 1.1.1.1: test
Enter password for test@1.1.1.1:zzzzzzzzzzzzzz

ok, so then it’s IPSec:

http://www.mikrotik.com/testdocs/ros/3.0/vpn/ipsec.php
http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

(in other words - it’s all in the manual)

It’s actually not, Normis.

The Cisco VPN and associated VPN Client use proprietary extensions. I’d also be very interested in this. Tried a while ago, but gave up after a few weeks of not getting it to work.

From what I understand, it’s a combination of IPSec and L2TP, but afaik - was never able to get it working.

you need to post logs from both sides. many people use it and it works

I am also interested in this. However, at the moment, I have no clue on where to start? I would be happy to provide logs, but with all the info I have that I use with vpnc, I am yet to find howto or documentation on where to input all these:
IPSec gateway xx.yy.zz.qq (public ip of cisco box)
IPSec ID tunnel-id
IPSec secret somesecretword
Xauth username myname
Xauth password mypassword

Hey, I am also very interested in this one. I have tried several howtos and I have been playing with that for some 3 weeks already and cannot get anywhere. I would really appreciate anybody who has this working to show up the light at the end of the VPN tunnel :slight_smile:

a plain cisco-vpn (afaik it’s called dvpn) cannot be used with a mt-device, otherwise on a linux box you wouldn’t need vpnc but could use openswan which does ipsec, but that’s not the case. the protocol is ipsec, but modified and with some dirty hacks imho :slight_smile:
what you can do is configure a proper ipsec-connection on the asa and use that with mikrotik.

that http://wiki.openswan.org/index.php/Openswan/CiscoPIX should give you an idea.

Hi

About 1 month ago I tried to configure the MKT as a VPN client but I couldn’t do it because the Cisco ASA uses other options (group, user and password), so I couldn’t find out how to do it.

When I do only the IPSec connection (MKT to ASA) it works fine, but the trouble begins when the ASA uses (group, user and pass). So if anybody knows it, please tell us how you did it. :smiley:

Best regards.

i think you are referring to XAUTH, which is afaik not supported on mikrotik ros.
so at least at the moment your only choice is a plain ipsec-connection.

Ok. Actually I have a plain IPSec connection.

Thanks. :sunglasses:

Hi EveryOne!

Is there a chance to use this kind of VPN with Mikrotik OS, new version 4.x? I also have to create a (dvpn) VPN to Cisco with an Xauth username on a Mikrotik OS.

Thanks in advance.

Josh

Hi guys!

I’ve got slides and a video tutorial on Mikrotik VPN. It includes MTK to Cisco and even shows you how to configure your ASA for the tunnel.

http://gregsowell.com/?p=1290

I hope this helps :slight_smile:

Hi guys!

About http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

  • in the ip ipsec policy, I think src-address and dst-address are inverted
  • in the last firewall rule, "ip firewall add" must be "ip firewall filter add" or "ip firewall nat add"?
  • in the last firewall rule I read chain=customer, but I do not have this rule defined

Thanks for your reply
Franco

That article is written by a forum user, it’s not a MikroTik article. You have the ability to change it. I can’t vouch for its accuracy.

MikroTik articles are marked with category “manual”

I’ve got a laptop dedicated to running vpnc as that’s the only thing I can’t do on mikrotik. I can’t configure the other end so I’m stuck with running vpnc.

Would it be possible for me to cross compile vpnc and get it running on my RB433?

No. You cannot put custom code on RouterOS.

Er, doesn’t RouterOS have a linux based kernel? If so, why is it not possible to put custom code on it?

because it’s routeros. if you want custom code, there are many distributions for that.

RouterOS is organized in a certain way, and it’s got tech support. When you start modifying it, it becomes just like anything else.