Cisco VPN Client support w/PSK+XAuth native on RouterOS

I just got the RB400 and am most disappointed that I’ve been unable, after many hours of trying, to set up the router as a VPN client to a Cisco VPN concentrator. I am able to do this from Linux via ‘vpnc’ and/or “Strongswan” and on OS X on my Macbook Pro which supports connecting to our corporate VPN flawlessly. IPSec as it currently is on RouterOS is useless to me when connecting to our corporate VPN - and before you even suggest it, no, most of us cannot modify VPN rules on the server side to suit RouterOS’ IPSEC VPN client.

Please provide a native solution for RouterOS that supports Cisco VPN/IPSec in the same vein as “vpnc”, “StrongSwan” or OS X - this is a must and I am quite surprised this hasn’t been done so far. Running MetaRouters and such is a kludge and I’d like to use RouterOS and not flash the RB400 with OpenWRT, if possible.

What feature exactly is missing for you to connect?

IPSec as Cisco implements it. I use a username/password (XAuth), shared key and a group name to connect w/StrongSwan (Linux) and “Cisco IPSec VPN” in Network Preferences via OS X.

The “feature” is the ability for your existing IPSec client to connect to my Cisco VPN concentrator. It will not. Everything else I use does. I can provide a Strongswan config file if it’s going to be of any help to you. Or you can see what “vpnc” does. I have not been able to configure the IPSec client on the RB400 to connect… and I tried, believe me.

Please provide the strongSwan config.

    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    version 2
    config setup
        strictcrlpolicy=no
        charondebug="ike 4, knl 4, cfg 2"   # useful debugs

    conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=xauthpsk

    conn ezvpn
        keyexchange=ikev1
        ikelifetime=1440m
        keylife=60m
        ike=3des-sha1-modp1024
        aggressive=yes
        xauth=client                 # XAuth client mode
        left=%defaultroute           # local IP used to connect to IOS
        leftid=IPSECRemoteUser       # IKE ID (group name) used for IOS
        leftsourceip=%config         # apply the received virtual IP
        leftauth=psk
        rightauth=psk
        leftauth2=xauth              # PSK for the group, XAuth for the user
        right=70.168.54.2            # gateway (IOS) IP
        rightsubnet=172.16.0.0/16
        xauth_identity=martin        # identity for XAuth, password in ipsec.secrets
        auto=add

And what was your RouterOS config?

How can I dump the entire configuration that is under IPSec over here in some format?

Here’s the Peer config:

    [admin@MikroTik] /ip ipsec peer> print
    Flags: X - disabled, D - dynamic
     0   ;;; Unsafe configuration, suggestion to use certificates
         address=70.168.54.2/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="privatekey" generate-policy=no
         policy-template-group=*2 exchange-mode=aggressive send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1
         enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
    [admin@MikroTik] /ip ipsec peer>

Two problems with your config:

  1. policy template group is missing.
  2. “auth-method” should be “pre-shared-key-xauth” if you want to use xauth.

If it still doesn’t work enable ipsec debug logs and see what other parameters you need to change.

Hi,

I have the exact same problem, so exact same request.

The main problem I’ve found so far is the lack of possibilities for the “My ID” parameter in the IPSEC configuration.
For “Cisco IPSEC”, we should be able to enter it as a “Key Identifier” (in the ISAKMP “Identification Payload”, the ID type should be “KEY_ID”), which is not possible for now (only “auto”, “fqdn” & “user_fqdn” are offered so far).

The only solution provided so far, back in 2009 in this topic: http://forum.mikrotik.com/t/mikrotik-as-cisco-vpn-client/27450/1, requires installing an OpenWRT metarouter with vpnc.

Other topics also refer to this problem, like this one: http://forum.mikrotik.com/t/roadwarrior-setup-for-ros/87440/1

Having this working in my Mikrotik equipment would be a great plus.

Best Regards,

Lobogc.

To add a little bit more detail here:

The Group ID is encoded the same way FQDN ID is, but it has an ID_TYPE of 11 rather than 3.

Can this be implemented relatively easily/quickly? It seems it only needs one more enum value. A snippet from the source of VPNC:

    /* IPSEC Identification types. */
    enum isakmp_ipsec_id_enum {
        ISAKMP_IPSEC_ID_RESERVED = 0,
        ISAKMP_IPSEC_ID_IPV4_ADDR,          /* 1 */
        ISAKMP_IPSEC_ID_FQDN,               /* 2 */
        ISAKMP_IPSEC_ID_USER_FQDN,          /* 3 */
        ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET,   /* 4 */
        ISAKMP_IPSEC_ID_IPV6_ADDR,          /* 5 */
        ISAKMP_IPSEC_ID_IPV6_ADDR_SUBNET,   /* 6 */
        ISAKMP_IPSEC_ID_IPV4_ADDR_RANGE,    /* 7 */
        ISAKMP_IPSEC_ID_IPV6_ADDR_RANGE,    /* 8 */
        ISAKMP_IPSEC_ID_DER_ASN1_DN,        /* 9 */
        ISAKMP_IPSEC_ID_DER_ASN1_GN,        /* 10 */
        ISAKMP_IPSEC_ID_KEY_ID              /* 11: the Group ID type */
    };
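As an added illustration of the point made above (example code, not from the thread or from vpnc): an ISAKMP Identification payload carrying a Group ID is laid out exactly like one carrying an FQDN, and only the ID-type byte differs (RFC 2407 numbering, the same as the vpnc enum). The group name IPSECRemoteUser is taken from the strongSwan config earlier in the thread; the encoder and decoder are written here for the example.

```python
import struct

# IPsec DOI identification types (RFC 2407 s4.6.2.1). Same numbering as
# the vpnc enum quoted above: ID_FQDN is 2, ID_KEY_ID (the Group ID) is 11.
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}
ID_FQDN, ID_KEY_ID = 2, 11


def build_id_payload(id_type, data, next_payload=0, protocol_id=0, port=0):
    """Encode an ISAKMP Identification payload: the 4-byte generic header
    (next payload, reserved, length; RFC 2408 s3.2) followed by ID type,
    protocol ID and port (RFC 2407 s4.6.2) and the identification data."""
    body = struct.pack("!BBH", id_type, protocol_id, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Decode a payload into (next_payload, id_type_name, protocol_id, port,
    data), rejecting a bad length field or an ID type outside the DOI."""
    if len(raw) < 8:
        raise ValueError("identification payload shorter than 8 bytes")
    next_payload, reserved, length = struct.unpack("!BBH", raw[:4])
    if reserved != 0 or length != len(raw):
        raise ValueError("bad reserved byte or payload length")
    id_type, protocol_id, port = struct.unpack("!BBH", raw[4:8])
    if id_type not in ID_TYPES:
        raise ValueError("unknown ID type %d" % id_type)
    return next_payload, ID_TYPES[id_type], protocol_id, port, raw[8:]


def differing_offsets(a, b):
    """Byte offsets at which two equal-length payloads differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    group = b"IPSECRemoteUser"  # the group name used as leftid above
    as_fqdn = build_id_payload(ID_FQDN, group)
    as_keyid = build_id_payload(ID_KEY_ID, group)
    # Identical apart from offset 4, the ID type byte: 0x02 vs 0x0b.
    print(differing_offsets(as_fqdn, as_keyid), as_fqdn.hex(), as_keyid.hex())
    print(parse_id_payload(as_keyid)[1])  # ID_KEY_ID
```

Feeding the decoder a captured aggressive-mode first message is a quick way to confirm which ID type a client actually sends, which is what distinguishes the Cisco group-name case from a plain FQDN peer.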

There is a new ipsec peer option to allow the Cisco VPN client to connect when a Group ID is used:

    compatibility-options=skip-peer-id-validation

Hello there!
I suppose the feature request is to add KEY-ID to the MikroTik IPsec peer config, to use MikroTik as a client to an ASA.
It was not a request to use the “EasyVPN Cisco client” as a client with MikroTik.
ASA allows creating different PSK groups, not only the default one.
While MikroTik tries to establish a connection to the ASA it doesn’t provide a group name, so the ASA uses the default group, which is not applicable. Usually the default group is used as a template, not as a working one.

So I’m next in line for such a feature, two hands raised for it. =)
Thank you!

Hello,

Well, as explained by drkop, the “compatibility-options=skip-peer-id-validation” parameter is not the appropriate solution here.
Testing my setup with this one, the result is still the same.

The detailed demand has been well explained by Circuitsoft: the list of ID_TYPE values for the Group ID needs to be completed; “KEY_ID” is the one expected, but I guess all the other missing ones may be added at the same time too.

Thank you in advance,