Cisco <-> IPIP+IPSec <-> MT

Currently I have a pair of Cisco 857s running with an IPSec 'tunnel' between them.

I would like to replace one of the Ciscos with an MT router.

What would the RouterOS config to match the following Cisco config be?

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ######### address 1.1.1.1
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set strong
 match address 101
!
interface Tunnel0
 ip address 192.168.254.1 255.255.255.252
 tunnel source Dialer0
 tunnel destination 1.1.1.1
 tunnel path-mtu-discovery
 crypto map vpn

You have an example in the RouterOS manual; the only difference from the manual is that in the RouterOS IPSec policy, do not use TUNNEL, just transport mode.

Regards.

Faton

Hi again,

I have just posted my IPSec configuration including an IPIP tunnel and 3DES encryption; this configuration is between RouterOS and Cisco IOS, also using dynamic routing (RIP).

/ ip ipsec policy
add src-address=192.168.28.31/32:any dst-address=172.16.0.1/32:any protocol=ip-encap action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=192.168.28.31 sa-dst-address=172.16.0.1 proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

/ ip ipsec peer
add address=172.16.0.1/32:500 secret="KEY" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=52w1d lifebytes=0 disabled=no

/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no

/ interface ipip
add name="Tunnel" mtu=1480 local-address=192.168.28.31 remote-address=172.16.0.1 comment="" disabled=no

/ ip address
add address=192.168.0.5/30 network=192.168.0.4 broadcast=192.168.0.7 interface=Tunnel comment="" disabled=no

/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=Tunnel receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in="" prefix-list-out=""
/ routing rip neighbor
add address=192.168.0.6
/ routing rip network
add address=192.178.77.0/24
add address=192.168.0.5/32
add address=192.168.0.0/24

In Cisco IOS you should apply the following rule on the Tunnel interface:
tunnel protection ipsec profile encrypt_to_peer

Regards.

Faton
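As an added example (not code from this thread or from either vendor), here is a small Python check that parses the IOS transform-set from the question and the RouterOS policy/proposal from the post above and reports Phase 2 mismatches: cipher, integrity hash, and tunnel versus transport mode. The two inline config samples are constructed from the posts, the IOS-to-RouterOS algorithm-name table is an assumption covering only the algorithms that appear here, and the parser assumes IOS's default of tunnel mode when no `mode` line follows the transform-set. Run against the two configs exactly as posted, it flags that the question's transform-set uses esp-sha-hmac while the RouterOS proposal uses md5, which is the kind of mismatch to reconcile before looking elsewhere when the SA never comes up.

```python
import re

# Constructed sample, copied from the transform-set in the question above.
CISCO_CONFIG = """\
crypto ipsec transform-set strong esp-3des esp-sha-hmac
 mode transport
!
"""

# Constructed sample, copied from the RouterOS policy and proposal posted above.
ROUTEROS_CONFIG = """\
/ ip ipsec policy
add src-address=192.168.28.31/32:any dst-address=172.16.0.1/32:any protocol=ip-encap action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=192.168.28.31 sa-dst-address=172.16.0.1 proposal=IPSec manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
"""

# Assumed mapping from IOS transform keywords to RouterOS proposal keywords
# (only the algorithms used in this thread plus DES/null are listed).
IOS_ENC = {"esp-3des": "3des", "esp-des": "des", "esp-null": "null"}
IOS_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def parse_ios_transform_set(text):
    """Extract cipher, integrity hash and mode from the first IOS transform-set."""
    m = re.search(r"^crypto ipsec transform-set (\S+)((?: \S+)+)[ \t]*$", text, re.M)
    if not m:
        raise ValueError("no 'crypto ipsec transform-set' line found")
    transforms = m.group(2).split()
    enc = next((IOS_ENC[t] for t in transforms if t in IOS_ENC), None)
    auth = next((IOS_AUTH[t] for t in transforms if t in IOS_AUTH), None)
    # 'mode' is an indented sub-command of the transform-set; IOS defaults to tunnel.
    sub = re.search(r"^ mode (transport|tunnel)", text[m.end():], re.M)
    mode = sub.group(1) if sub else "tunnel"
    return {"name": m.group(1), "enc": enc, "auth": auth, "mode": mode}


def parse_ros_kv(line):
    """Split a RouterOS 'add k=v k=v ...' line into a dict; values may be quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}


def parse_ros_sections(text):
    """Group the 'add'/'set' lines of a RouterOS export under their '/ path' header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = " ".join(line.lstrip("/").split())
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections[current].append(parse_ros_kv(line))
    return sections


def compare_phase2(ios_text, ros_text):
    """Return a list of Phase 2 mismatches between the two configs (empty = agree)."""
    ios = parse_ios_transform_set(ios_text)
    ros = parse_ros_sections(ros_text)
    proposal = (ros.get("ip ipsec proposal") or [{}])[0]
    policy = (ros.get("ip ipsec policy") or [{}])[0]
    issues = []
    if proposal.get("enc-algorithms") != ios["enc"]:
        issues.append(f"enc: IOS {ios['enc']} vs RouterOS {proposal.get('enc-algorithms')}")
    if proposal.get("auth-algorithms") != ios["auth"]:
        issues.append(f"auth: IOS {ios['auth']} vs RouterOS {proposal.get('auth-algorithms')}")
    # RouterOS policy tunnel=no is transport mode, matching 'mode transport' on IOS.
    ros_mode = "tunnel" if policy.get("tunnel", "no") == "yes" else "transport"
    if ros_mode != ios["mode"]:
        issues.append(f"mode: IOS {ios['mode']} vs RouterOS {ros_mode}")
    return issues


if __name__ == "__main__":
    for issue in compare_phase2(CISCO_CONFIG, ROUTEROS_CONFIG) or ["phase 2 parameters agree"]:
        print(issue)
```

The check deliberately stops at Phase 2; the peer's hash-algorithm, enc-algorithm and dh-group from `/ ip ipsec peer` must likewise match the `crypto isakmp policy` on the IOS side, and the same key=value parser can be pointed at that section.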

Thanks for that.

It's useful having a tunnel for dynamic routing purposes, plus it makes QoS etc. easier.