Cisco site-to-site - close but no cigar

Hello,

Apologies if this is a stupid question. I am new to both Cisco and Mikrotik.

I am trying to set up a series of remote office VPNs using Mikrotik 951G-2HnDs (running 5.24) to a central Cisco 1941w. The remote sites are on Dynamic IPs and the central Cisco is on a fixed range of IPs behind a NATless set of bonded ADSL lines (1.1.1.128/25 in this case… obfuscated for obvious reasons).

I’ve managed to get a tunnel working using the guides here http://www.mikrotik.com/testdocs/ros/3.0/vpn/ipsec.php and here http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC and have read several other quick config guides but I cannot manage to access resources on the other side of the tunnel. So far, this is what I have done:

  1. Added peer (with phase1 configuration parameters), 3DES and SHA1 will be used to protect IKE traffic

Mikrotik:

[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled 
 0   address=1.1.1.129/32 port=500 auth-method=pre-shared-key secret="test" 
     generate-policy=no exchange-mode=main send-initial-contact=yes 
     nat-traversal=no my-id-user-fqdn="" proposal-check=obey 
     hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d 
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Cisco:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key test address 0.0.0.0 0.0.0.0
!
  2. Set encryption proposal (phase2 proposal - settings that will be used to encrypt actual data) to use 3DES to encrypt data

Mikrotik:

[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m 
      pfs-group=modp1024

Cisco:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
! set mode to tunnel… which seems to be default
  mode tunnel 
!
  3. Add policy rule that matches traffic between subnets and requires encryption with ESP in tunnel mode

Mikrotik:

[admin@MikroTik] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=192.168.5.0/24 src-port=any dst-address=1.1.1.128/25 
     dst-port=any protocol=all action=encrypt level=require 
     ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 
     sa-dst-address=1.1.1.129 proposal=default priority=0

Cisco:

crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-MD5 
 match address 100
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 1.1.1.128 0.0.0.127 192.168.5.0 0.0.0.255
!
interface GigabitEthernet0/0
  crypto map SDM_CMAP_1
!
  4. Set NAT on the Mikrotik (to make sure that packets are going through the tunnel):

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=accept src-address=192.168.5.0/24 
     dst-address=1.1.1.128/25 

1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway

I have also created a firewall rule to allow VPN traffic through from the outside to 1.1.1.129, which is behind the set of bonded ADSL lines. After establishing the tunnel it seems to be up:

Mikrotik:

[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs 
 0 E  spi=0xAE90866 src-address=1.1.1.129 dst-address=[THE.REMOTE.DYNAMIC.IP]
      auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="3f3a0e6d04d5c6652cf4b846099ace9e" 
      enc-key="6b5c571d524685b7f21b4d20bad69b230e5066ee4ae6c0d6" 
      add-lifetime=24m/30m 

1 E  spi=0x413352F9 src-address=[THE.REMOTE.DYNAMIC.IP] dst-address=1.1.1.129 
      auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature 
      auth-key="8509280cf5a6e8bf9d8857fe53ab97c2" 
      enc-key="8d9b29268fd25c1bd06c12a8454e0f22fa49ee3ef42ca963" 
      addtime=mar/05/2013 17:57:36 expires-in=12m2s add-lifetime=24m/30m 
      current-bytes=5760

Cisco:

firewall#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 1.1.1.129

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.128/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer [THE.REMOTE.DYNAMIC.IP] port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 231, #pkts decrypt: 231, #pkts verify: 231
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.129, remote crypto endpt.: [THE.REMOTE.DYNAMIC.IP]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x8226DC8(136474056)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xBE4A2A77(3192531575)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2113, flow_id: Onboard VPN:113, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4585250/1001)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8226DC8(136474056)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2114, flow_id: Onboard VPN:114, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4585250/1001)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

So… the tunnel seems to be up but I just can’t seem to access resources on one side from the other.

I’ve run a tunnel test using CCP and it reports that the tunnel is fine. I’ve tried packet tracing on the Mikrotik gateway interface and encrypted packets seem to be exiting, but I do not seem to be able to verify that the packets are entering on the other side or whether they are being routed once there.

This guide talks about Dynamic Routing: http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco but seems to require an IPIP connection. In my case I do not believe that it will work with dynamic IPs.

My gut feel is that the packets are not being routed properly on the Cisco, but I cannot figure out why, nor can I determine how to prove this. Packet tracing seems difficult on the Cisco.

Is there anyone here who might be able to help point me in the right direction?

Thanks & Regards
Chris
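As an added diagnostic example, not part of the original post: the counter block in the `show crypto ipsec sa` output above already narrows the problem down. The hub has decapsulated 231 packets from the spoke but encapsulated none, so nothing is being encrypted back toward the spoke even though both SAs show ACTIVE. The Python script below (written for this thread, not taken from Cisco or MikroTik) parses those counters, converts the Cisco wildcard ACL and the RouterOS policy selectors to prefixes, and reports whether the two ends mirror each other and whether the SA is carrying traffic in one direction only. The sample text is copied from the outputs quoted above, with the same obfuscated addresses.

```python
import re
import ipaddress

# Constructed sample input: the selector and counter lines from the hub's
# "show crypto ipsec sa" output quoted in the post above (addresses obfuscated as there).
SHOW_SA_SAMPLE = """\
   local  ident (addr/mask/prot/port): (1.1.1.128/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 231, #pkts decrypt: 231, #pkts verify: 231
    #send errors 0, #recv errors 0
"""
# The matching Cisco crypto ACL entry and the MikroTik policy, as quoted in the post.
CISCO_ACL_SAMPLE = "access-list 100 permit ip 1.1.1.128 0.0.0.127 192.168.5.0 0.0.0.255"
MIKROTIK_POLICY_SAMPLE = ("src-address=192.168.5.0/24 src-port=any dst-address=1.1.1.128/25 "
                          "dst-port=any protocol=all action=encrypt level=require")


def parse_sa_counters(text):
    """Collect the '#pkts <name>: <n>' counters into a dict."""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"#pkts (\w+): (\d+)", text)}


def parse_sa_idents(text):
    """Return {'local': network, 'remote': network} from the ident lines."""
    idents = {}
    pat = r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"
    for m in re.finditer(pat, text):
        idents[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return idents


def wildcard_to_network(addr, wildcard):
    """Cisco ACLs use inverse (wildcard) masks; convert to a normal prefix."""
    inverse = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(~inverse & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_cisco_acl(line):
    """Return (source, destination) networks from a 'permit ip A WA B WB' entry."""
    m = re.search(r"permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)", line)
    return wildcard_to_network(m.group(1), m.group(2)), wildcard_to_network(m.group(3), m.group(4))


def parse_mikrotik_policy(line):
    """Return (src, dst) networks from a RouterOS policy print line."""
    src = re.search(r"src-address=([\d./]+)", line).group(1)
    dst = re.search(r"dst-address=([\d./]+)", line).group(1)
    return ipaddress.ip_network(src, strict=False), ipaddress.ip_network(dst, strict=False)


def diagnose(show_sa, cisco_acl, mikrotik_policy):
    """Return a list of finding codes; an empty list means nothing looked wrong."""
    findings = []
    c = parse_sa_counters(show_sa)
    # Decrypting spoke packets while never encrypting any reply means the hub is
    # not sending anything back through this SA, even though it reports ACTIVE:
    # the replies are either not generated or not matched by the crypto map.
    if c.get("decaps", 0) > 0 and c.get("encaps", 0) == 0:
        findings.append("one-way-inbound-only")
    if c.get("encaps", 0) > 0 and c.get("decaps", 0) == 0:
        findings.append("one-way-outbound-only")
    acl_src, acl_dst = parse_cisco_acl(cisco_acl)
    pol_src, pol_dst = parse_mikrotik_policy(mikrotik_policy)
    # The two ends must describe the same flows with src/dst swapped.
    if not (acl_src == pol_dst and acl_dst == pol_src):
        findings.append("selector-mismatch")
    idents = parse_sa_idents(show_sa)
    # The negotiated SA selectors should equal what the crypto ACL asked for.
    if idents.get("local") != acl_src or idents.get("remote") != acl_dst:
        findings.append("sa-selectors-differ-from-acl")
    return findings


if __name__ == "__main__":
    print(diagnose(SHOW_SA_SAMPLE, CISCO_ACL_SAMPLE, MIKROTIK_POLICY_SAMPLE))
```

Run against the quoted outputs it reports only `one-way-inbound-only`: the selectors mirror correctly, so the thing to chase on the hub is why replies to 192.168.5.0/24 never get encrypted, which is a routing or crypto-map placement question rather than a phase 1 or phase 2 mismatch.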

I’m not exactly clear as regards the Cisco end - e.g. is the 1941w acting as firewall and router and how its WAN and LAN facing IPs are laid out.

Is the LAN<>LAN traffic being allowed by the relevant rules - e.g. ACLs at Cisco end and forwarding filters at Mikrotik end?

The Cisco is acting as a firewall and router. The ADSL connections all map to our public range (1.1.1.128/25). Hopefully this diagram will illustrate:

The central network does not use NAT so for the purpose of this scenario the WAN and LAN IPs are the same.

I have the Cisco configured to only allow permissible traffic into the network.

This rule allows VPN traffic into 1.1.1.129:

class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP

ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any

ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any

! out-zone to in-zone
policy-map type inspect ccp-permit-inservice
 class type inspect SDM_VPN_PT
  pass

! out-zone to self (I am not sure why this is required but it seems to be necessary)
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass

access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip any any

! The internal Ethernet interface is in-zone
interface GigabitEthernet0/0
 description Internal$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$$ETH-LAN$
 ip address 1.1.1.129 255.255.255.128
 ip flow ingress
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!

So… if I understand your question re LAN<>LAN traffic, “class-map type inspect match-all SDM_VPN_PT” allows any IP that matches class-map SDM_VPN_TRAFFIC from out-zone to in-zone (using policy-map type inspect ccp-permit-inservice) and from out-zone to self (using policy-map type inspect ccp-permit). in-zone is interface GigabitEthernet0/0, where the tunnel should terminate.

I am not sure what you mean by forwarding filters at the Mikrotik end? Once the tunnel is established on the target IP range I thought it was the bridge config that sent the packets over the tunnel. I am using the standard bridge:

[admin@MikroTik] /interface bridge> print
Flags: X - disabled, R - running 
 0  R name="bridge-local" mtu=1500 l2mtu=1598 arp=enabled 
      mac-address=D4:CA:6D:6D:7A:6F protocol-mode=rstp priority=0x8000 
      auto-mac=no admin-mac=D4:CA:6D:6D:7A:6F max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m

and have not imposed any filters. Do I need to create filters on the Mikrotik end?

Thanks
Chris

I’m not sure if you really want to use a bridge at the remote end. Typically you would still be SRC NATing the remote office LAN traffic to the internet and using the firewall capabilities of the routerboard to protect those LAN devices. If you want the remote end of the IPsec tunnel to see the private IPs you ensure that traffic headed to the tunnel is not NATed.

Are the public IPs on the ADSL facing interfaces also in the 1.1.1.128/25 range or a distinct range?

I’ve not specifically set up a bridge. It’s what was there when I first initialized (and subsequently cleared/reset) the Mikrotik. I had just assumed that the default bridge was relaying traffic between the networks that the Mikrotik knew about. Do I need to specifically configure the bridge to route packets to 1.1.1.129 through the tunnel?

Yes, the remote end is NATing and I created a Firewall/NAT rule on the Mikrotik to exclude 1.1.1.128/25 from NATing. I believe that rule 0:

  0   chain=srcnat action=accept src-address=192.168.5.0/24 
     dst-address=1.1.1.128/25

tells the Mikrotik to accept rather than NAT anything going to 1.1.1.128/25.

The 2 outside ADSL IPs are on a completely different range. They are managed by my ISP… AAISP route traffic to my range through them. I had tried to tunnel to one of these (dialers) but I could not get a link. I think that this was because anything from my router or 1.1.1.128/25 might exit on either one of the ADSL lines but I did not spend too much time debugging. A tunnel to the internal/external IP (1.1.1.129) with the outside to inside rule worked (except, of course, for the packet routing problem).

Thanks again for the help!
Chris

Using an accept to avoid the masquerade is fine.

Can you try doing a trace route on the remote Mikrotik using a source address on the local subnet and one of your 1.1.1.128/25 addresses but not the IPsec termination address. Does it appear to be sending that traffic to the central termination address or to the upstream provider’s gateway?

The output from /export compact on Mikrotik would be useful. You can either clean it up or email it to me if you prefer.
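An added example, not part of the thread, of why the order of those two srcnat rules matters. RouterOS walks a chain top to bottom and stops at the first terminating action, and IPsec policy matching happens after srcnat, so a packet that gets masqueraded before the accept rule is seen no longer has a source inside 192.168.5.0/24 and never matches the policy. The Python model below reproduces the two rules printed earlier in the thread; the spoke's WAN address 203.0.113.10 is a placeholder I chose, not a value from the thread.

```python
import ipaddress

# Constructed model of the two srcnat rules printed in the thread. RouterOS
# evaluates a chain top to bottom and the first matching terminating action wins.
SRCNAT_RULES = [
    {"action": "accept", "src-address": "192.168.5.0/24", "dst-address": "1.1.1.128/25"},
    {"action": "masquerade", "out-interface": "ether1-gateway"},
]
# The IPsec policy selectors from the thread; the policy is consulted after srcnat.
IPSEC_POLICY = {"src-address": "192.168.5.0/24", "dst-address": "1.1.1.128/25"}
# Placeholder for the remote office's dynamic WAN address (not from the thread).
WAN_IP = "203.0.113.10"


def _matches(selector, pkt):
    """True when every field named in the selector matches the packet."""
    for key, value in selector.items():
        if key == "action":
            continue
        if key in ("src-address", "dst-address"):
            field = "src" if key == "src-address" else "dst"
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(value):
                return False
        elif pkt.get(key.replace("-", "_")) != value:
            return False
    return True


def apply_srcnat(rules, pkt, wan_ip):
    """Return a copy of pkt after the first matching srcnat rule is applied."""
    out = dict(pkt)
    for rule in rules:
        if _matches(rule, pkt):
            if rule["action"] == "masquerade":
                out["src"] = wan_ip
            return out  # accept and masquerade both end chain traversal
    return out


def simulate(rules, pkt, wan_ip=WAN_IP):
    """Report the post-NAT source and whether the packet still hits the IPsec policy."""
    after = apply_srcnat(rules, pkt, wan_ip)
    return {"src_after_nat": after["src"], "enters_tunnel": _matches(IPSEC_POLICY, after)}


if __name__ == "__main__":
    to_hub = {"src": "192.168.5.10", "dst": "1.1.1.130", "out_interface": "ether1-gateway"}
    to_internet = {"src": "192.168.5.10", "dst": "198.51.100.1", "out_interface": "ether1-gateway"}
    print("correct order, to hub:     ", simulate(SRCNAT_RULES, to_hub))
    print("correct order, to internet:", simulate(SRCNAT_RULES, to_internet))
    print("reversed order, to hub:    ", simulate(list(reversed(SRCNAT_RULES)), to_hub))
```

With the rules in the order shown in the thread, LAN traffic to 1.1.1.128/25 keeps its private source and enters the tunnel while everything else is masqueraded; swap the two rules and the hub-bound packet is masqueraded first and silently bypasses the policy, which is the failure the accept rule exists to prevent.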

I’ve mailed you the information that you requested.

Thanks
Chris