Cannot establish IKEV1 tunnel to Cisco ASA 5516x

I am trying to establish a baseline site-to-site policy that can be deployed to the upcoming RouterBOARDs we're going to give to users for home use, so they can use IP phones without needing client software to connect. I should note that this means the RouterBOARDs will be sitting behind their existing router.

For reference, xxx.xxx.xxx.xxx is the remote IP and yyy.yyy.yyy.yyy is my public IP.

Here is my IPsec policy:

    /ip ipsec mode-config
    set [ find default=yes ] src-address-list=local-wfh

    /ip firewall address-list print
    Flags: X - disabled, D - dynamic
     #   LIST        ADDRESS            CREATION-TIME         TIMEOUT
     0   local-wfh   192.168.100.0/24   apr/08/2020 18:33:22

    /ip ipsec peer
    add address=xxx.xxx.xxx.xxx/32 local-address=yyy.yyy.yyy.yyy name=peer1

    /ip ipsec profile
    set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 name=phase1

    /ip ipsec proposal
    # ASA IKEv1 transform sets offer AES-CBC (esp-aes-256), not AES-CTR
    set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1d pfs-group=modp1536

    /ip ipsec identity
    add peer=peer1

    /ip ipsec policy
    # /24 so the selector matches the ASA's Mikrotik_24 object
    add dst-address=10.4.0.0/16 peer=peer1 sa-dst-address=xxx.xxx.xxx.xxx \
        sa-src-address=yyy.yyy.yyy.yyy src-address=192.168.100.0/24 tunnel=yes

Firewall policy (note: these rules are disabled for testing):

    /ip firewall address-list
    add address=192.168.100.0/24 list=local-wfh
    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
        established,related,untracked
    # IKE, NAT-T, ESP and AH terminate on this router, so they are accepted in
    # chain=input ahead of the "drop all not coming from LAN" rule; chain=forward
    # never sees packets addressed to the router itself
    add action=accept chain=input dst-address=yyy.yyy.yyy.yyy protocol=udp src-address=xxx.xxx.xxx.xxx src-port=500
    add action=accept chain=input dst-address=yyy.yyy.yyy.yyy protocol=udp src-address=xxx.xxx.xxx.xxx src-port=4500
    add action=accept chain=input dst-address=yyy.yyy.yyy.yyy protocol=ipsec-esp src-address=xxx.xxx.xxx.xxx
    add action=accept chain=input dst-address=yyy.yyy.yyy.yyy protocol=ipsec-ah src-address=xxx.xxx.xxx.xxx
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=drop chain=forward connection-state=invalid ipsec-policy=in,none
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
        established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
        new in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

ASA side:

    object network Mikrotik_24
     subnet 192.168.100.0 255.255.255.0

    access-list outside_cryptomap_31 extended permit ip 10.4.0.0 255.255.0.0 object Mikrotik_24

I also confirmed through packet-tracer that the route is allowed.

From the MikroTik side, the error message I'm getting is:

    phase1 negotiation failed due to time up. *myip*[500]<=>*remoteip*[500]

Any hints on where to go from here would be amazing.

Thank you.
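"time up" is RouterOS reporting that the phase 1 exchange never completed within its retry window, which usually means no reply from the peer ever arrived, so the first thing worth establishing is whether anything from the ASA reaches the RouterBOARD at all. The checks below are an added example and not part of the original post; xxx.xxx.xxx.xxx is the ASA address from the post, and the logging and sniffer arguments are my choices rather than anything the post specifies:

```text
# MikroTik: keep IKE negotiation messages (minus raw packet dumps) and watch them live
/system logging add topics=ipsec,!packet action=memory
/log print follow-only where topics~"ipsec"

# Is anything coming back from the ASA on UDP/500 or UDP/4500?
/tool sniffer quick ip-address=xxx.xxx.xxx.xxx ip-protocol=udp port=500,4500

# Phase 1 / phase 2 state (both stay empty while the timeout persists)
/ip ipsec active-peers print
/ip ipsec installed-sa print

! ASA: is IKEv1 enabled on the outside interface, and does it see the MikroTik's proposal?
show running-config crypto ikev1
show crypto ikev1 sa
debug crypto ikev1 127
```

If the sniffer shows outbound UDP/500 with nothing returning, the problem is in front of the MikroTik (the home router, the ASA's outside ACL, or IKEv1 not enabled on that interface); if replies arrive but the log still times out, the ASA's `debug crypto ikev1` output will say which proposal or identity it rejected.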

Please have a look at this thread: http://forum.mikrotik.com/t/configuring-ipsec-on-the-cisco-asa/138191/1 I believe that should be a good starting point in understanding the basics. For your situation, however, it is going to be more like a traditional road-warrior, not lan-to-lan VPN. So in comparison to what’s discussed in that thread you will have to use ‘tunnel-group type remote-access’ plus a whole bunch of RA-specific options (like address pool, split-tunnel configuration, etc) on your ASA, and then on Mikrotik side you will have to use dynamic policy generation and client side mode-config.

If looking through that thread does not help, then please post your full IPsec configuration from both ASA and Mikrotik. Again, I believe you should get an idea of what full IPsec config is by looking through that other thread as well.
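What the reply describes, spelled out as an added example (not configuration from the original post or from either vendor's documentation): an IKEv1 remote-access tunnel-group on the ASA that hands the RouterBOARD an address from a pool plus a split-tunnel list, and a MikroTik client that requests mode-config and generates its policy from a template. The names WFH_GROUP, WFH_POOL, WFH_GP, WFH_SPLIT, WFH_TS, WFH_DYN, INSIDE_NET, WFH_POOL_NET, the pool range 10.99.0.0/24, the interface names inside/outside, the crypto map name outside_map, the placeholder PSK and the lifetimes are assumptions; xxx.xxx.xxx.xxx, 10.4.0.0/16 and the local-wfh list come from the post. No local-address is set on the peer because the RouterBOARD sits behind the user's own router, and NAT-T carries ESP inside UDP/4500 through that NAT.

```text
! ---------- ASA (IKEv1 remote-access, ASA 9.x syntax; names assumed) ----------
! Addresses handed to MikroTik clients via mode-config
ip local pool WFH_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! Networks pushed to the client as split-tunnel routes
access-list WFH_SPLIT standard permit 10.4.0.0 255.255.0.0

! Keep inside<->pool traffic out of NAT (interface names assumed)
object network INSIDE_NET
 subnet 10.4.0.0 255.255.0.0
object network WFH_POOL_NET
 subnet 10.99.0.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static WFH_POOL_NET WFH_POOL_NET no-proxy-arp route-lookup

group-policy WFH_GP internal
group-policy WFH_GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WFH_SPLIT

! Phase 1: must line up with the MikroTik profile below (AES-256, SHA1, group 5 = modp1536)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2: AES-256-CBC + SHA1 with PFS group 5, offered through a dynamic map
crypto ipsec ikev1 transform-set WFH_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map WFH_DYN 10 set ikev1 transform-set WFH_TS
crypto dynamic-map WFH_DYN 10 set pfs group5
crypto map outside_map 65535 ipsec-isakmp dynamic WFH_DYN
crypto map outside_map interface outside

! Remote-access tunnel group; its name is the client's IKE identity (key-id)
tunnel-group WFH_GROUP type remote-access
tunnel-group WFH_GROUP general-attributes
 address-pool WFH_POOL
 default-group-policy WFH_GP
tunnel-group WFH_GROUP ipsec-attributes
 ikev1 pre-shared-key ReplaceWithALongRandomSecret
 isakmp ikev1-user-authentication none

# ---------- MikroTik (RouterOS 6.4x client side; names assumed) ----------
# Phase 1 mirrors the ASA policy; nat-traversal because the board sits behind the home router
/ip ipsec profile
add name=asa-wfh dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha1 nat-traversal=yes lifetime=1d

# Phase 2 mirrors the transform set and PFS group
/ip ipsec proposal
add name=asa-wfh enc-algorithms=aes-256-cbc auth-algorithms=sha1 pfs-group=modp1536 lifetime=8h

/ip ipsec policy group
add name=asa-wfh

# No local-address: the board's WAN address is a private one behind NAT
/ip ipsec peer
add name=asa address=xxx.xxx.xxx.xxx/32 exchange-mode=aggressive profile=asa-wfh

# Client-side mode-config: request an address and source-NAT local-wfh behind it
/ip ipsec mode-config
add name=asa-client responder=no src-address-list=local-wfh

# Identity = tunnel-group name; the policy is generated from the template once phase 1 completes
/ip ipsec identity
add peer=asa auth-method=pre-shared-key secret="ReplaceWithALongRandomSecret" \
    my-id=key-id:WFH_GROUP mode-config=asa-client \
    generate-policy=port-strict policy-template-group=asa-wfh

# Template: src is filled in with the pool address, dst limited to what the ASA pushes
/ip ipsec policy
add group=asa-wfh template=yes src-address=0.0.0.0/0 dst-address=10.4.0.0/16 proposal=asa-wfh
```

Because the MikroTik initiates, its default "accept established,related" input rule admits the ASA's UDP/500 and UDP/4500 replies, so no extra input rules are needed on the client; the masquerade rule with ipsec-policy=out,none leaves the dynamic source-NAT that mode-config installs for local-wfh untouched.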