Cisco VPN behind Mikrotik

Hi all,
I have a routerboard 750 which connects me to the internet via a cable modem.
It works great but I now need to put a cisco router behind the routerboard which will run a cisco ipsec vpn.
It will connect to another cisco router at another site.
I have had the cisco router as my firewall in the past and the vpn was working well at that point.
So I have reconfigured it so it is just a VPN endpoint and not doing any NATting.
It basically just sits behind the routerboard and tries to do the VPN, but no luck as yet.

So I need to pass all the IPsec VPN traffic through the Mikrotik to the Cisco router.
I have read numerous online docs etc. but I can't seem to get this working.

I know I will need to pass on UDP 500, UDP 4500, and protocols 50 and 51.
I have tried to do this but nothing is working.
Any ideas?
PS: I am new to Mikrotiks, so any help is appreciated.

That's demanding a very specific answer. Therefore you'll need to make your question more specific. Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export" and an accurate network diagram.

Hi,
I don’t want to post my real addresses so how about I make up some fake addresses and if someone could show me how to accomplish this it would be appreciated.
My Mikrotik Wan IP: 1.1.1.1
My Mikrotik Lan IP: 192.168.20.254/24
My Cisco IP: 192.168.20.253/24
Note the Cisco has just one address at present - hopefully that is OK.

The remote Cisco that the vpn needs to connect to:
Remote Cisco Wan IP: 2.2.2.2
Remote Cisco Lan IP: 192.168.10.254/24

So what I want to do is create the IPSec VPN Tunnel between the 2 Cisco Routers.
The remote one is the gateway to the internet at that site.
On my site, I have a Cisco Router behind a Mikrotik Router, so the Mikrotik Router is the Gateway to the Internet.

I hope I have explained this well enough.

The Ciscos will have to establish an IPsec connection via NAT-T (NAT traversal) as the Mikrotik is a NAT router between the two. NAT-T is negotiated during the initial ISAKMP phases: if turned on (you’ll have to turn it on on both Cisco routers) they add an ISAKMP attribute to the negotiation where they put their IP and port into the message. The other side then compares that attribute to what it actually observed. If they don’t match there’s a NAT router in the way, and NAT-T must be used. NAT-T takes ESP/AH packets (IP protocols 50 and 51) and wraps them in UDP/4500 packets. That’s because IP protocols don’t have the concept of ports, so NAT often works poorly. Additionally ESP and AH take all packet fields (including header IPs) and run a hash on them, and append that to the packet to enable the other side to discover tampering. NAT changes those IP header fields so the hashes no longer match. Wrapping everything in UDP/4500 gives the NAT gateways something to tamper with that the IPsec routers won’t care about.

tl;dr: you need NAT-T on your Cisco routers, and using NAT-T means you only need to forward udp/500 (ISAKMP) and udp/4500 (the wrapper around the actual data connection once it's established).
On your Mikrotik router add this:

/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 src-address=2.2.2.2 protocol=udp dst-port=500,4500 action=dst-nat to-address=192.168.20.253

If you have any firewall filters in the forward chain dropping traffic you may have to make sure those packets can pass through the filter. One simple and broad approach would be this:

/ip firewall filter
add chain=forward src-address=2.2.2.2 dst-address=192.168.20.253 action=accept
add chain=forward src-address=192.168.20.253 dst-address=2.2.2.2 action=accept

That would have to sit above any drop rule. More elegant approaches are possible, of course, but would require that you post your filter rules.
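To make the NAT-T detection step described above concrete, here is a small added Python model (not code from the thread or from Cisco/MikroTik) of the IKEv1 NAT-D check from RFC 3947: each peer hashes its own IP and port together with the ISAKMP cookies, and the receiver compares that value with a hash of the source address it actually saw. It assumes SHA-1 as the negotiated hash, constructed cookie values, and that the Mikrotik keeps the source port 500 when it translates 192.168.20.253 to 1.1.1.1.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies for the example (real ones are random, 8 bytes each).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated in phase 1; SHA-1 is assumed here.
    """
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def peer_is_behind_nat(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port) -> bool:
    """Receiver side: hash the address the packet really came from and compare it
    with the NAT-D value the peer computed over its own (pre-NAT) address."""
    claimed = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return claimed != observed


def choose_encapsulation(local_nat: bool, remote_nat: bool):
    """If either side is behind NAT, ESP (IP protocol 50) is wrapped in UDP/4500."""
    if local_nat or remote_nat:
        return ("udp", 4500)
    return ("esp", 50)


def thread_scenario():
    """The thread's topology: local Cisco 192.168.20.253 behind Mikrotik 1.1.1.1,
    remote Cisco 2.2.2.2 directly on the internet (constructed addresses)."""
    # Remote Cisco receives the packet from 1.1.1.1:500 but the NAT-D hash
    # was computed over 192.168.20.253:500 -> mismatch -> NAT in the path.
    remote_sees_nat = peer_is_behind_nat(CKY_I, CKY_R, "192.168.20.253", 500, "1.1.1.1", 500)
    # Local Cisco receives from 2.2.2.2:500, which is what the remote hashed -> no NAT.
    local_sees_nat = peer_is_behind_nat(CKY_I, CKY_R, "2.2.2.2", 500, "2.2.2.2", 500)
    return remote_sees_nat, local_sees_nat, choose_encapsulation(remote_sees_nat, local_sees_nat)


if __name__ == "__main__":
    print(thread_scenario())  # (True, False, ('udp', 4500))
```

The result is why the dst-nat rule only needs udp/500 and udp/4500: once either side detects the mismatch, ESP never crosses the Mikrotik as bare protocol 50.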

Please, tell us… Did it work?