Model: 1100AHx2 v3.24
RouterOS: v6.35
We have a Cisco-to-Cisco IPsec VPN that works okay when passing through an old SOHO NAT router (WRT54G w/Tomato), but not when passing through the MikroTik. I'm trying to replace the old router with the MikroTik but can't get this VPN to establish. I set up both the WRT and the MikroTik personally and did not do anything special on the WRT to make this work, and have not yet found the secret to making the VPN pass through the MikroTik. I did not set up the Cisco-to-Cisco VPN originally.
Skill level: Fairly new with MikroTik but comfortable with most functions via the GUI and learning more daily. Starting to explore the command line, which seems intuitive. I'm not a Cisco expert, but I know enough to be able to make incremental changes in the CLI without bricking the box. Ideally there would be no need to change the Cisco config, since the problem clearly resides with my MikroTik config.
The MikroTik has been set up identically, with the same IP addresses and NAT functionality as the WRT, and it works flawlessly in all other respects with other systems that traverse it when I drop it in place of the WRT. This Cisco VPN is the only hang-up.
Basic config:
Internal LAN: 192.168.1.0/24
Internal Cisco: 192.168.1.20
MikroTik Internal: 192.168.1.1
MikroTik Public: 208.20.20.10 (fake)
Remote Cisco: 208.30.30.10 (fake)
As we have multiple public IPs, I have set the MikroTik to src-nat using one of those as the to-addresses for anything coming from the LAN.
Snips from the MikroTik config:
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=208.20.20.10/24 interface=ether6 network=208.20.20.0
...
/ip firewall filter
add chain=input protocol=icmp comment="accept ICMP to the router"
add chain=input connection-state=established,related comment="accept replies to router-initiated traffic"
add action=drop chain=input in-interface=ether6 comment="drop everything else from the WAN to the router"
add action=drop chain=forward connection-state=invalid comment="drop invalid forwarded packets"
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether6 comment="drop new WAN connections unless dst-natted"
add chain=forward connection-state=established,related comment="accept established/related forwarded traffic"
...
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether6 src-address=192.168.1.0/24 to-addresses=208.20.20.10 comment="LAN masquerades as 208.20.20.10"
Thank you for any advice!
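One approach worth trying, given that the post mentions multiple public IPs: give the internal Cisco its own public address with a 1:1 mapping, so the IPsec traffic (IKE on UDP 500, NAT-T on UDP 4500, and ESP, IP protocol 50) is never port-translated and ESP, which has no ports, is not squeezed through the shared 208.20.20.10. This is an added example and not part of the original post; it assumes a spare public IP, 208.20.20.11, in the same /24 (hypothetical, like the other addresses above), and keeps the existing rules in place. It limits the inbound mapping to the remote peer at 208.30.30.10 and to the three IPsec protocols only, so the spare address is not an open door to the Cisco.

```routeros
# Added example, not from the original post.
# Assumes 208.20.20.11 is an unused public IP on the same /24 as ether6 (hypothetical).
# The router already answers ARP for the whole /24 on ether6 because of its 208.20.20.10/24 address,
# so no extra /ip address entry is needed for the mapped IP.

/ip firewall nat
# Inbound: only the remote peer, and only IKE/NAT-T (UDP 500, 4500), is mapped to the internal Cisco.
add chain=dstnat in-interface=ether6 src-address=208.30.30.10 dst-address=208.20.20.11 \
    protocol=udp dst-port=500,4500 action=dst-nat to-addresses=192.168.1.20 \
    comment="IKE/NAT-T from remote peer -> internal Cisco"
# Inbound: ESP (IP protocol 50) from the remote peer to the mapped address.
add chain=dstnat in-interface=ether6 src-address=208.30.30.10 dst-address=208.20.20.11 \
    protocol=ipsec-esp action=dst-nat to-addresses=192.168.1.20 \
    comment="ESP from remote peer -> internal Cisco"
# Outbound: the Cisco's own traffic leaves as 208.20.20.11, untouched by the shared src-nat.
# place-before=0 puts this rule at the top of the NAT table so it matches before the
# existing 192.168.1.0/24 -> 208.20.20.10 rule.
add chain=srcnat src-address=192.168.1.20 out-interface=ether6 \
    action=src-nat to-addresses=208.20.20.11 place-before=0 \
    comment="internal Cisco uses dedicated public IP"
```

With the filter rules already in the post, inbound packets that were dst-natted pass the `connection-nat-state=!dstnat` drop in the forward chain, and anything else arriving for 208.20.20.11 (or from any host other than 208.30.30.10) is not mapped and is dropped by that same rule. Because the src-nat for 192.168.1.20 is placed first, UDP 500 leaves with its source port intact and ESP is not shared with the rest of the LAN's traffic. To confirm which path the packets take, watch the counters on the three new rules while the tunnel negotiates, and use `/tool sniffer quick interface=ether6 ip-protocol=ipsec-esp` (or `port=500`) to see whether ESP actually arrives from the remote peer.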